Authentication in the chain DUN-AAA client-ACS-NMAS-NDS

Similar Messages

• How to count the number of AAA clients

  Hi,
  As we know, ACS5.2 is required with a base license-- supporting 500 network devices.
  Sometimes there are lots of AAA clients or network devices that are authenticating simultanious. So my question is, how to count the network devices allowed to auth on ACS5.2? Does that only include network devices, or including both any network devices or AAA clients?
  Rgds,
  Laowu5017

  Hi,
  ACS 5.x counts the number of AAA clients that are configured on the ACS.
  Please note that AAA clients and networks devices is the same and they comply switches, routers, WLCs, or whatever other device configured under
  Network Resources >
  ... >
  Network Devices and AAA Clients
  AAA Clients are NOT the AAA suplicants.
  The end user clients PCs are the AAA suplicants, and for this there is no limit number.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

  Hi Guys,
  Whilst I’m well aware of the limitations of the built in the windows Wireless 802.1x supplicant. Is there a way, using the NAM client to authenticate both a computer and a user simultaneously, when used for authentication to wireless networks?
  As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
  Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
  Thanks in advance.
  SteveH

  Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
  So, try rebooting ACS if you haven't already and see if that resolves the error.

• Configuring AAA network client on ACS v5.1 using the same RADIUS atributes from ACS v3.3

  Hello,
  I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old     ACS v3.3 server.
  Exemple : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?
  Best regards.

  Hello,
  When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
  If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
  And here are the available attributes for the ACS for RADIUS Aironet:

• How to stop ACS intergated AD users to login in AAA clients(network device)

  I have ACS 4.2 Appliance which is integrated with Active directory.
  AD users are able to login in network devices. Is there any so that I can stop AD user and other local users to login in AAA clinets (network devices).

  These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
  What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Swicthing gear from other companies?
  For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS ro TACACS+, respectively):
  aaa group server radius rad_admin
  server xxx.xxx.xxx.xxx
  aaa group server tacacs+ tac_admin
  server xxx.xxx.xxx.xxx
  If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

• ACS 4.2.1: adding new AAA clients through odbc import

  Hello,
  we have added the user defined vendor RADIUS_HUAWEI to our Cisco ACS 4.2.1  Windows Server.
  Unfortunately there is a problem with importing network devices through odbc  connection using the accountactions table with the action code 220.
  The documentation tells us :
  220
  ADD_NAS
  VN, V1, V2, V3
  Adds a new AAA client (named in VN) with an IP address (V1), shared secret key  (V2), and vendor (V3). Valid vendors are:
  •VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
  •VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
  •VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
  •VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.
  •VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
  •VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.
  •VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
  •VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
  •VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
  •VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
  •VENDOR_ID_3COM_RADIUS—For Cisco 3COMUSR RADIUS.
  The new user defined vendor is:
  C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -listUDV
  CSUtil v4.2(1.15), Copyright 1997-2009, Cisco Systems Inc
  UDV 0 - RADIUS (RADIUS_HUAWEI)
  Our action code and variables look like:
  A=220
  VN="xxx"
  V1="10.10.10.10"
  V2="blabla"
  V3="VENDOR_ID_RADIUS_HUAWEI"
  Error Code is as following:
  06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown   [A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla"  V3="VENDOR_ID_RADIUS_HUAWEI"]
  Does anybody knows the correct name for the V3-variable to import the network  device in a correct way?
  Best regards
  Torsten Waibel

  Hello,we
  have a new acs appliance (1113) with version 4.2.1.15 and we want to
  authenticate user through ssh from routers with ios xr software.
  unfortunately this doesn't work.Here ist our configuration of the router:##################################################line template VTY
  access-class ingress abcd!tacacs-server host x.x.x.x port 49 single-connectiontacacc-server key 7 test!tacacs source-interface Loopback13!ssh server v2
  ssh timeout 60! AAA config
  aaa accounting exec default start-stop group tacacs+
  aaa accounting network default start-stop group tacacs+
  aaa accounting commands default start-stop group tacacs+
  aaa authorization exec default group tacacs+ none
  aaa authorization commands default group tacacs+ none
  aaa authentication login default group tacacs+ local##################################################does anybody has a solution for this problem?thnx and best regardsTorsten Waibel
  Hi Torsten Waibel,
  For ssh to support you should have a cryptography ios image in router and check the following command in line vty that transpot input ssh under line vty cofiguration.
  If helpful do rate the post
  Ganesh.H

• ACS 5.0 having issues with different subnet AAA Clients

  Dear All,
  I am getting weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS but different subnet cannot.
  I have checked the firewall between them, Its allow any any with all services.
  One more thing I have faced today is that now from only one switch (10.1.2.10) can access ACS but switches in the same subnet (10.1.2.0/24) cant access ACS as same previous issue.
  Following are the logs of one switch(10.1.2.10) in different subnet can access ACS :
  Working Switch with Same configuration:
  SW-A#test aaa group tacacs+ test cisco legacy
  Attempting authentication test to server-group tacacs+ using tacacs+
  User was successfully authenticated.
  SW-A#
  *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
  *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
  *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
  *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
  *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
  *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
  *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
  SW-A#
  *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
  *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
  *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
  *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
  *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
  *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
  *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
  Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
  SW-B#test aaa group tacacs+ test cisco legacy
  Attempting authentication test to server-group tacacs+ using tacacs+
  No authoritative response from any server.
  SW-B#
  *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
  *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
  *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
  *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
  *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
  *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
  *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
  SW-B#
  *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
  *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
  *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
  *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
  *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
  *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
  Waiting for your responses.
  Regards,
  Anser

  Ok, cool,
  So this usually means that the switch is sourcing the requests from a difernet interface that is configured on the ACS.
  I would guess that the ACS is reporting unknown NAS...
  Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.

   try
                  MailMessage mail = new MailMessage();
                  SmtpClient SmtpServer = new SmtpClient("smtp.gmail.com");
                  mail.From = new MailAddress("[email protected]");
                  mail.To.Add("[email protected]");
                  mail.Subject = "Test Mail..!!!!";
                  mail.Body = "mail with attachment";
                  System.Net.Mail.Attachment attachment;
                  attachment = new System.Net.Mail.Attachment(@"C:\Attachment.txt");
                  mail.Attachments.Add(attachment);
                  SmtpServer.Port = 587;
                  SmtpServer.UseDefaultCredentials = true;
                  SmtpServer.Credentials = new System.Net.NetworkCredential("userid", "Password");
                  SmtpServer.EnableSsl = true;
                  SmtpServer.Send(mail);
  Catch(Exception exception)
  When i m run this part of code it throw an Ecxeption                                                          
          Given Below is the Error.. 
      The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.
  Bikky Kumar

   try
                  MailMessage mail = new MailMessage();
                  SmtpClient SmtpServer = new SmtpClient("smtp.gmail.com");
                  mail.From = new MailAddress("[email protected]");
                  mail.To.Add("[email protected]");
                  mail.Subject = "Test Mail..!!!!";
                  mail.Body = "mail with attachment";
                  System.Net.Mail.Attachment attachment;
                  attachment = new System.Net.Mail.Attachment(@"C:\Attachment.txt");
                  mail.Attachments.Add(attachment);
                  SmtpServer.Port = 587;
  SmtpServer.UseDefaultCredentials = true;    ///Set it to false, or remove this line
                  SmtpServer.Credentials = new System.Net.NetworkCredential("userid", "Password");
                  SmtpServer.EnableSsl = true;
                  SmtpServer.Send(mail);
  Catch(Exception exception)
  Given Below is the Error..      The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required.
  Solution:
  The error might occur due to following cases.
  case 1: when the password is wrong
  case 2: when you try to login from some App
  case 3: when you try to login from the domain other than your time zone/domain/computer (This
  is the case in most of scenarios when sending mail from code)
  There is a solution for each
  solution for case 1: Enter the correct password.
  Recomended: solution for case 2: go to
  security settings at the following link https://www.google.com/settings/security/lesssecureapps and
  enable less secure apps . So that you will be able to login from all apps.
  solution 1 for case 3: (This might be helpful) you need to review the activity. but reviewing the activity will not be helpful due to latest security
  standards the link will not be useful. So try the below case.
  solution 2 for case 3: If you have hosted your code somewhere on production server and if you have access to the production server, than take remote
  desktop connection to the production server and try to login once from the browser of the production server. This will add exception for login to google and you will be allowed to login from code.
  But what if you don't have access to the production server. try
  the solution 3
  solution 3 for case 3: You have to enable
  login from other timezone / ip for your google account.
  to do this follow the link https://g.co/allowaccess and
  allow access by clicking the continue button.
  And that's it. Here you go. Now you will be able to login from any of the computer and by any means of app to your google account.
  Regards,
  Nabeel Arif

• Denying AAA Clients to a specific user group in ACS v4.1

  Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
  thanks in advance,
  dave

  Hi,
  Why don't you use NAR (Network access restriction)
  Under the network config > simply create one NDG and assign all the voice router under it.
  After that go to the group/user where you want to put this restriction
  You need to check that what are we getting in calling station id. If we are getting ip address then
  [1] To accomplish above we would configure the group with following
  NAR (network access restriction)
  Define IP based Network Access Restriction
  Permitted Calling Point
  AAA client: VOICE NDG created
  Port *
  Src IP Address *
  Subit the changes and try.
  Here is more on configuring Network Access Restriction:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.
  2/user/guide/GrpMgt.html#wp478900
  HTH
  JK
  Plz rate helpful posts-

• The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server

  wireless authentication not working 
  I found the following in the radius
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          1/15/2014 2:07:57 AM
  Event ID:      6273
  Task Category: Network Policy Server
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:     NAP01.test.local
  Description:
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
   Security ID:   doamin \user.a
   Account Name:   user.a
  Client Machine:
   Security ID:   NULL SID
   Account Name:   -
   Fully Qualified Account Name: -
   OS-Version:   -
   Called Station Identifier:  00-0F-7D-C4-45-20:staff
   Calling Station Identifier:  0C-74-C2-EF-Dd-0B
  NAS:
   NAS IPv4 Address:  192.168.9.10
   NAS IPv6 Address:  -
   NAS Identifier:   -
   NAS Port-Type:   Wireless - IEEE 802.11
   NAS Port:   497
  RADIUS Client:
   Client Friendly Name:  wcont1
   Client IP Address:   192.168.9.10
  Authentication Details:
   Connection Request Policy Name: Wireless
   Network Policy Name:  wism
   Authentication Provider:  Windows
   Authentication Server:  NAP01.test.local
   Authentication Type:  EAP
   EAP Type:   -
   Account Session Identifier:  -
   Logging Results:   Accounting information was written to the local log file.
   Reason Code:   22
   Reason:    The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
  Please help

  Hi,
  Anything updates?
  In addition, this issue may also because your client didn't have CA certificate of your domain. Please make sure that your client has CA certificate.
  Besides, the error "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server" may be due to that the default maximum transmission unit that NPS uses for EAP payloads is 1500
  bytes. You can lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy to a value no greater than 1344:
  Configure the EAP Payload Size
  Best regards,
  Susie

• OS Lion of Apple don't authentication in the Secure ACS

  Hello my friends!!!!
  I'm with one problem, my OS Lion don't authentication in the Secure ACS Version: 5.2.0.26.10.
  For the Mac Lion operating system to work you must put in execeção the MAC Address of your computer. I wonder how it could cause the OS to authenticate the ACS Lion.
  Thank you!

  Hi,
  Are you using wpa2 authentication, also are you using MAR (machine access restrictions) in your global dot1x configuration? If that is the case, then you will not be able to authenticate. Please describe a little bit more about your issue.
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• 13017 Received TACACS+ packet from unknown Network Device or AAA Client

  I am adding new routers to our Corporate network for a new MPLS network.  I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client  errors for these new routers.  They are added to ACS 5.4.0.30 correctly just like all of our other devices.  We have never had real routers on the network before, just switches and access points.  Is there something special I need to set in ACS for these to work and authenticate correctly?  I can only access the currently with built in login locally.
  One of the new router configs
  Current configuration : 2370 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname T666
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa session-id common
  clock timezone CST -6
  clock summer-time CDT recurring
  ip cef
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  voice-card 0
  crypto pki trustpoint TP-self-signed-2699490457
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-2699490457
   revocation-check none
   rsakeypair TP-self-signed-2699490457
  username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
  interface FastEthernet0/0
   ip address 10.114.2.1 255.255.255.0
   ip helper-address 10.30.101.4
   duplex auto
   speed auto
  interface FastEthernet0/1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface Serial0/1/0
   ip address X.X.X.X 255.255.255.252
   no fair-queue
   service-module t1 timeslots 1-24
   service-module t1 remote-alarm-enable
   service-module t1 fdl ansi
   no cdp enable
  router bgp 65065
   no synchronization
   bgp log-neighbor-changes
   network 10.114.2.0 mask 255.255.255.0
   neighbor X.X.X.X remote-as 209
   neighbor X.X.X.X default-originate
   default-information originate
   no auto-summary
  ip forward-protocol nd
  ip bgp-community new-format
  ip http server
  ip http authentication aaa
  ip http secure-server
  ip tacacs source-interface FastEthernet0/0
  no logging trap
  tacacs-server host 10.30.101.221 key 7 1429005B5C502225
  tacacs-server host 10.30.101.222 key 7 1429005B5C502225
  tacacs-server directed-request
  control-plane
  banner exec ^CC
  C
  Login OK
  ^C
  banner motd ^CC
  C
  **  UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED.  USE OF
  **  THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
  **  RUAN Transport Corporation
  **  Network Services
  **  [email protected]
  **  515.245.2512
  ^C
  line con 0
  line aux 0
  line vty 0 4
   exec-timeout 30 0
   transport input all
  line vty 5 15
   exec-timeout 30 0
  scheduler allocate 20000 1000
  end
  T666#

  AAA Protocol > TACACS+ Authentication Details
  Date :
  September 19, 2014
  Generated on September 19, 2014 10:21:27 AM CDT
  Authentication Details
  Status:
  Failed
  Failure Reason:
  13017 Received TACACS+ packet from unknown Network Device or AAA Client
  Logged At:
  Sep 19, 2014 10:21 AM
  ACS Time:
  Sep 19, 2014 10:21 AM
  ACS Instance:
  acs01
  Authentication Method:
  Authentication Type:
  Privilege Level:
  User
  Username:
  Remote Address:
  Network Device
  Network Device:
  Network Device IP Address:
  10.114.2.1
  Network Device Groups:
  Access Policy
  Access Service:
  Identity Store:
  Selected Shell Profile:
  Active Directory Domain:
  Identity Group:
  Access Service Selection Matched Rule :
  Identity Policy Matched Rule:
  Selected Identity Stores:
  Query Identity Stores:
  Selected Query Identity Stores:
  Group Mapping Policy Matched Rule:
  Authorization Policy Matched Rule:
  Authorization Exception Policy Matched Rule:
  Other
  ACS Session ID:
  Service:
  AV Pairs:
  Response Time:
  Other Attributes:
  ACSVersion=acs-5.3.0.40-B.839 
  ConfigVersionId=359 
  Device Port=59840 
  Protocol=Tacacs
  Authentication Result
  Steps
  Received TACACS+ packet from unknown Network Device or AAA Client
  Additional Details
  DiagnosticsACS Configuration Changes

• TACACS+ packet from unknown Network Device or AAA Client

  Hi all,
  I can't perform login using the credential set at ACS server, From the log it shown:
  "Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
  I know there's some changes on TACACS+ part for new catalyst IOS, so i refer the guide and this is my config snipet:
  aaa group server tacacs+ TAC_PLUS
  server name AUTH
  tacacs server AUTH
  address ipv4 10.10.21.251
  key xxxxxx
  aaa authentication login TAC_PLUS group tacacs+ local line
  aaa authorization exec TAC_PLUS group tacacs+ none
  aaa authorization commands 15 default if-authenticated
  aaa accounting update periodic 1
  aaa accounting exec TAC_PLUS start-stop group tacacs+
  aaa accounting network TAC_PLUS start-stop group tacacs+
  aaa accounting connection TAC_PLUS start-stop group tacacs+
  My platform is
  - C6500 running on IOS 12.2 (33) SXJ1
  - ACS 5.2.0.26
  Need guidance on this, thanks
  Noel

  Hello,
  Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
  Regards.