Tacacs+ server dead issue

Dear Cisco Gurus,
tacacs-server host 10.2.100.100
tacacs-server host 10.2.17.203
We have 2 tacacs+ servers defined in ACS 5.2. When putting 10.2.100.100 down, tacacs authentication continues to try to authenticate to the dead server. How is this possible?
Normal behaviour should be going to the second (10.2.17.203) after the first Tacacs+ server timeout (default 5s).
Tacacs+ Server            : 10.2.100.100/49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:         85
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server            : 10.2.17.203/49
              Socket opens:        166
             Socket closes:        166
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:        195
        Total Packets Recv:        195
Many thanks,
Lieven Stubbe
Belgian railways

Richard, Kashif,
1) 10.2.100.100 is a dummy IP to be sure we have a correct test scenario:
tacacs-server host 10.2.100.100
tacacs-server host 10.2.17.203
2) We have defined 2 test switches with this config:
C3560 (12.2(53))
C3750 (12.2(55))
With our 3560, it hits the timeout counter of 5s of the dead tacacs server; once logged in, all other tacacs commands are treated by 10.2.17.203.
Failed connect attempts rises by 1.
With our 3750, with each tacacs command, it hits the timeout counter of 5s of the dead tacacs server every time, before going to 10.2.17.203, so all commands are executed but each time with a timeout delay of 5s.
Failed connect attempts rises by the number of tacacs commands typed.
Many thanks,
Lieven Stubbe
Belgian Railways
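The counters posted above and the two failover behaviours Lieven describes, as an added example that is not part of the thread: a small Python parser for the "show tacacs" counter block that flags a server with repeated failed connects and no packets exchanged, and estimates the delay a user pays under each behaviour. The sample output is constructed from the counters posted above; the 5-second timeout and the "per login" versus "per command" retry behaviour are taken from the thread, not from any IOS documentation.

```python
"""Parse 'show tacacs' counters and flag servers that look dead.

Added example, not code from the thread. The sample block is constructed
from the counters posted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two server counter blocks from the thread.
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server            : 10.2.100.100/49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:         85
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server            : 10.2.17.203/49
              Socket opens:        166
             Socket closes:        166
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:        195
        Total Packets Recv:        195
"""

SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+)/(\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(\d+)\s*$")


@dataclass
class TacacsServer:
    host: str
    port: int
    counters: dict = field(default_factory=dict)

    def looks_dead(self) -> bool:
        """Connects keep failing and not a single packet was ever exchanged."""
        c = self.counters
        return (c.get("Failed Connect Attempts", 0) > 0
                and c.get("Total Packets Sent", 0) == 0
                and c.get("Total Packets Recv", 0) == 0)

    def failover_penalty_seconds(self, timeout: int = 5) -> int:
        """Time already burned on this server: every failed connect waits a full timeout."""
        return self.counters.get("Failed Connect Attempts", 0) * timeout


def parse_show_tacacs(text: str) -> list:
    """Return one TacacsServer per 'Tacacs+ Server' block, in the order listed."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append(TacacsServer(m.group(1), int(m.group(2))))
            continue
        m = COUNTER_RE.match(line)
        if m and servers:
            servers[-1].counters[m.group(1).strip()] = int(m.group(2))
    return servers


def dead_servers(text: str) -> list:
    return [s.host for s in parse_show_tacacs(text) if s.looks_dead()]


def expected_delay(text: str, commands: int, retry_dead_each_time: bool,
                   timeout: int = 5) -> int:
    """Delay a user sees when the first-listed server is dead.

    retry_dead_each_time=True models the 3750 behaviour from the thread (every
    authorized command pays the timeout); False models the 3560 behaviour (only
    the login pays it, later commands go straight to the second server).
    """
    servers = parse_show_tacacs(text)
    if not servers or not servers[0].looks_dead():
        return 0
    return timeout * (commands if retry_dead_each_time else 1)


if __name__ == "__main__":
    for s in parse_show_tacacs(SAMPLE_SHOW_TACACS):
        state = "DEAD" if s.looks_dead() else "ok"
        print(f"{s.host}:{s.port} {state} "
              f"(time lost so far: {s.failover_penalty_seconds()}s)")
    print("10 commands, 3750-style:", expected_delay(SAMPLE_SHOW_TACACS, 10, True), "s")
    print("10 commands, 3560-style:", expected_delay(SAMPLE_SHOW_TACACS, 10, False), "s")
```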

Similar Messages

  • CSACS TACACS Server 5.0 Timeout and Latency

    Hi,
    I have successfully configured a new Linux based Cisco Secure ACS server (version is 5.0.0.21 and Internal build: B.2757) and integrated it with AD. Both the internal users and the AD users are authenticating ok and are successfully logged onto the end devices on privilege level 15. The issue that I am getting is that for some strange reason AD users are taking too long (approx 38 secs) to get authenticated/authorised etc. In fact this was causing authentication issues previously as the tacacs timeout on the end device was set too low and thus the TACACS server response was timing out. I rectified this by increasing the TACACS timeout to around 25 secs which then resulted in successful TACACS authentication/authorisation.
    The high response time is however very frustrating. We have an existing Windows based (4.2) TACACS server and when I point my end devices (routers, switches) to this old server it takes only a few seconds for authentication but with the new ACS server it takes close to 38 secs. I am suspecting it might be to do with AD integration as the internal users on the new server are working fine. There are no latency or networking issues with the new server as the pings are looking ok.
    I have pasted my debug tacacs output obtained from the end device below. The first is with the new server (y.y.y.y) and the second is with the old (working) server (x.x.x.x) :
    New Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=64484812
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCF630 to y.y.y.y/49
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (64484812) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CCF630 connection to y.y.y.y/49
    4d09h: TAC+: using previously set server y.y.y.y from group tacacs+
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCFAC4 to y.y.y.y/49
    4d09h: TAC+: Opened y.y.y.y index=1
    4d09h: TAC+: y.y.y.y (1028597070) AUTHOR/START queued
    4d09h: TAC+: (1028597070) AUTHOR/START processed
    4d09h: TAC+: (1028597070): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CCFAC4 connection to y.y.y.y/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    jontest#
    Old (Working) Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=1150277789
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD10D4 to x.x.x.x/49
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (1150277789) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CD10D4 connection to x.x.x.x/49
    4d09h: TAC+: using previously set server x.x.x.x from group tacacs+
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD1568 to x.x.x.x/49
    4d09h: TAC+: Opened x.x.x.x index=1
    4d09h: TAC+: x.x.x.x (551069827) AUTHOR/START queued
    4d09h: TAC+: (551069827) AUTHOR/START processed
    4d09h: TAC+: (551069827): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CD1568 connection to x.x.x.x/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    Any suggestions would be much appreciated.

  • TACACS+ Server not logging events.

    Hi all,
    I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that cisco provides for free on a mandrake 10.1 linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.
    Here is the config I used on one of our routers.
    aaa group server tacacs+ prego
    server xxx.xxx.xxx.xxx
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group prego
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip subnet-zero
    Also here is a sh version
    Cisco Internetwork Operating System Software
    IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 22:23 by eaarmas
    Image text-base: 0x60008954, data-base: 0x61C2C000
    ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
    ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
    PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
    System returned to ROM by power-on
    System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
    cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
    Processor board ID JMX0749L1XC
    R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of non-volatile configuration memory.
    31360K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
    Any help would be great.
    Thank you
    Joseph Jackson

    If you are able to authenticate via TACACS I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc) and that the TACACS server recognizes the router ok.
    So I assume that either there is some problem on the router generating the accounting records. Or that there might be a problem on the server and receiving and processing the accounting records.
    As a next step in investigating this issue I suggest that you run two debugs on the router:
    debug aaa accounting
    debug tacacs accounting
    While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
    HTH
    Rick

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to set up ACE Modules for TACACS+ and AAA authentication whereby the Failed Authentication reports state the reason as "Key Mismatch".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assistance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
    On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
    This is my concern.
    We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption of the key we enter itself.
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • PIX AAA To tacacs server not reliable

    I've got a couple of different platforms of PIX, 535s and FWSMs mainly all running the latest code. I have them all configured similarly with regards to AAA via tacacs:
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS host <Removed> key <removed>
    username <removed> password <removed> encrypted privilege 15
    aaa authentication enable console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa accounting command TACACS
    Now, sometimes I can get in with my tacacs account but other times I have to use the local backup account. There seems to be no reason behind it. My routers all pointing to the same TACACS server have no issues like this. The PIX's however are totally unreliable in this regard.
    Anyone experiencing this?

    Hello mlipsey,
    This shouldn't be. Do the ACS logs reveal anything? What about
    debug tacacs
    debug aaa authentication
    Can you send 1000 pings to the tacacs server from your FWs without issue? Any packet loss?
    Hope this helps! If so, please rate.
    Thanks!

  • Tacacs-server key working in some Cisco switches for AAA, but not in other switches???

    Good day,
    Has anyone experienced this before?  I am using Cisco ACS 5.2.  I have a very simple word (no, not cisco ) for my tacacs-server key.  I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied.  Using keyboard-interactive authentication."
    I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
    I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
    Any other possible ideas anyone can suggest? 
    Cliffs:
    -tacacs-server key is a simple key and is the same for every switch and within ACS
    -AAA config is the same on every switch, so I do not believe it to be an AAA config issue
    -Running config on switch that is not working is pretty much the same as the other two working switches
    Any advice is greatly appreciated.
    Thanks,
    Y

    Hi, and thank you for your reply back; however, when I got into the Authentication logs, I see nothing, like it's not even logging the failed attempts.

  • Not able to login to router using ssh when TACACS server is down

    When the TACACS server is not reachable the router is not allowing the local password to login using ssh. The router's SSH debug says authentication is successful but the ssh client gets a "% Authorization failed" message and disconnects.
    Kindly see the debug output and config below.
    SSH server end:
    Sep 1 13:25:10.161: SSH1: starting SSH control process
    Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
    Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
    Sep 1 13:25:10.397: SSH: RSA decrypt started
    Sep 1 13:25:10.925: SSH: RSA decrypt finished
    Sep 1 13:25:10.925: SSH: RSA decrypt started
    Sep 1 13:25:11.165: SSH: RSA decrypt finished
    Sep 1 13:25:11.197: SSH1: sending encryption confirmation
    Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
    Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
    Sep 1 13:25:11.269: SSH1: authentication request for userid rao
    Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
    Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
    Sep 1 13:25:17.317: SSH1: authentication successful for rao
    Sep 1 13:25:17.413: SSH1: requesting TTY
    Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
    Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
    Sep 1 13:25:17.525: SSH1: starting shell for vty
    Sep 1 13:25:25.033: SSH1: Session terminated normally
    SSH Client end Log:
    % Authorization failed.
    [Connection to 10.255.15.2 closed by foreign host]
    Config:
    aaa authentication login default group tacacs+ line local
    aaa authentication login NO_AUTH line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization configuration default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    ip domain-name cbi.co.in
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    line vty 0 4
    password xxxx
    transport input telnet ssh
    Kindly reply with your views.

    I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
    % Authorization failed.
    I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
    aaa authorization config-commands
    I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
    HTH
    Rick

  • Installation with Raid, etc... [dead issue, don't bother reading]

    I'm trying to install arch using RAID and LVM, following the wiki procedure in Installing with Software Raid or LVM.
    I am able to get to the point where I install the kernel.  When I install it, the bottom of the screen flashes the "wrong fs type, etc" error, then the installer acts as though it is installing it anyway, going through the installation, configuration, and fallback configuration stuff.
    If I continue, when I get to grub installation, I get the error that the drive doesn't exist.  I've found some forum threads on this which indicate (I think) that I need to run makedevs before going to grub installation.  If I type, makedevs, I get a command not found error.
    The filesystem seems to be up and working, so I'm not sure what next steps I take to troubleshoot this.
    bump:
    So I tried the quickinstaller for some better control, which seems to help.  I also found this in the forums, it allows me to run makedevs.  /dev/md0 is already mounted at /mnt are my root, so I skipped the first line, not sure what else I could do there.
    mount /dev/hdxY /mnt
    chroot /mnt /bin/bash
    mount -t sysfs none /sys
    mount -t proc none /proc
    makedevs
    mount -a
    Then vi /boot/grub/menu.lst :
    kernel /vmlinuz26 root=/dev/md2 ro md=2,/dev/hda3,/dev/hdb3
    Then launched grub as quoted in the wiki
    Now, it doesn't say to exit the chroot to go on to grub - but it must be required because there is no /mnt/dev unless you do.  Once out, if I use
    mount -o /dev /mnt/dev, I get a new error:
    mount: can't find /mnt/dev in /etc/fstab or /etc/mtab
    Which it isn't, but /mnt/dev does certainly exist.
    I'm working on the very edge of my linux knowledge here, and suspect I'm making a fundamental error, but (obviously) don't know what it is.:(
    bump:
    Found this in discussion about the current iso, no access to the computer today but this will be my next approach.   
    ok bug identified:
    i really apologize for this because it's something that shouldn't happen at all, but I'm only a human too.
    /dev is not correctly mounted in installation system (during archboot cleanup i thought this is not needed sad )
    --> setup cannot bind /dev to installed system.
    --> autodetection of filesystem will fail, which will cause the default initrd to fail on boot.
    2 workarounds:
    First workaround before entering setup:
    mount -t ramfs none /dev
    /etc/start_udev
    now setup works as it should!
    Second workaround:
    while using setup:
    edit /etc/mkinitcpio to not include autodetect in HOOKS= array
    1 workaround if you already installed and system doesn't boot:
    use the kernel26-fallback.img as initrd in your bootloader
    after successful boot just fix the ramdisk:
    mkinitcpio -p kernel26
    bump:
    I backed out and started all over a couple times, finally installed via Duke with updates.  Found that I had to reinstall filesystems to my hard drive; something obviously got messed up, and ultimately found a couple of "typos" that had managed to mess me up.  Because I fixed so many things on the way to installation, I can't tell you exactly what I did, so I'm marking this thread as a dead issue so people don't bother reading it.
    Last edited by timm (2007-10-05 02:25:54)

    I've been using LSR (Linux Software RAID) with Arch for a while now and it's never given me any trouble: I don't even know how that works since all I have to do is make sure the md module and the appropriate module for your RAID-type (in my case raid0.ko) is loaded: when these are compiled into the kernel, the md-module automagically finds my RAID-partitions and starts the correct md-devices in /dev.
    I don't have any md-daemon running (I didn't even know there was one until I read your post).
    And still everything just works.
    What I think you need to do is repartition both of your RAID-1 discs and make sure your partition's type is "Linux raid autodetect" (type fd). Once you've done that, create the md-device and put a filesystem on it. Edit /etc/rc.conf and put "md" and "raid1" in the list of modules to be loaded at boottime, get rid of the mdadm service since it doesn't exist anyway.
    Now after rebooting, once the RAID-modules are loaded they should detect and start up your RAID-array automagically. Check this with dmesg.

  • Acrobat Connect Pro LMS 7.5 server cache issue - displaying old content

    Our Adobe Acrobat Connect Pro server is showing old Captivate-created content from about 4-6 weeks ago.
    I loaded 35+ sets of Captivate 3 (SCORM 1.2, HTML, zipped) content onto our Acrobat Connect Pro LMS about 6 weeks ago.
    I converted all training content from Captivate 3.0.1 to 4.0.1, 4 weeks ago by opening each file in Captivate 4 and following prompts to "Save As" new files with different file names.
    I reloaded all content 4 weeks ago, and again 2 weeks ago.
    I reloaded about half of all content again last week.
    End User Acceptance testing performed this week showed that most of the courses are showing old content, ranging from 2-6 weeks old
    Attempted fixes and workarounds:
    Deleting content entirely and reloaded from scratch - this will not work long term, as we lose usage data each time we reload completely new files.
    Contacted Adobe, provided times to track incidents of the issue.  We reached Tier 2 - who told us it was our problem and that everything appeared to be working fine from their side.
    New workaround - load new content and reattach course to new content.  This presents the same long term issue as the first workaround, but enables us to retain older versions of content in the system, should we need to revert or report on it.
    Gaining server side access is a bit challenging due to the hosting situation we have, so I am looking (ideally) for a solution that can be performed from the Administrator/Author Frontend.  However, I want to learn the real cause of the problem, wherever it might reside, so that it can be properly corrected and avoided in the future.  I am calling this a server cache issue, as it seems the server has somewhere retained unwanted old versions of content, preventing current content from being displayed to end users.  Viewing content as an end user = see old content.  Viewing content from the Content area (Author view) shows the current files, so I know they are on the server and are loading correctly, up to a point.
    I am preparing all content for another round of loading/reloading due to other issues and updates, so republishing and reloading all 35+ files into the LMS is unavoidable at this point.
    This issue is keeping our LMS from launching to several thousand users across the country, so any suggestions or helpful tips are much appreciated.

    I think I have isolated the source of this problem. It's the Pitstop Professional 9 plug in. I un-installed this, and everything opens quicker than greased lightning. I re-installed it and it's back to slowsville.
    Unfortunately Pitstop is essential to my workflow.
    Until recently I did my pre-press on a Mac G5 with Acrobat Pro 7 and Pitstop 6.5. I never had this problem with slow file opening. But it seems that the delays would occur when I used the plug-in with large complex files.. So it would open files as fast as you'd expect from an elderly machine. But starting to use Pitstop would result in a prolonged period of staring at a spinning beachball.
    I wonder is there any way to stop the Pitstop plug-in from initializing until it is used? So the plug-in stays inert until you select the tool from the menus.

  • IP address sent to TACACS server

    Set up a TACACS server on our network to control console and telnet access to routers and switches. Most of our remote routers have multiple WAN paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

    Hi
    FYI,
    Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
    The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
    The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
    –In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
    –In a TACACS request, the IP address is obtained from the packet that ACS receives.

  • IOS 15 not working with my TACACS server

    Hi All,
    I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
    This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
    I understand that the commands for Tacacs changed a bit in IOS 15 but from what I have read and changed I'm still having trouble. Config below from one of the routers I'm having trouble with...
    Am I missing something?
    aaa new-model
    aaa group server tacacs+ ACS1
    server name AUTH
    aaa authentication login ACS-List group ACS1 local
    aaa authorization exec ACS-List group ACS1 local
    aaa accounting commands 15 ACS-List
    action-type start-stop
    group ACS1
    aaa session-id common
    tacacs-server directed-request
    tacacs server AUTH
    address ipv4 172.x.x.x
    key 7 xxxxxxxx
    and on my VTY Lines...
    privilege level 15
    password 7 151619050826222A2F
    authorization exec ACS-List
    accounting commands 15 ACS-List
    accounting exec ACS-List
    login authentication ACS-List
    length 0
    transport input telnet ssh

    I ran those debugs, then tried to login on another telnet session -
    Jul  2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
    Jul  2 15:01:57.278: TPLUS: processing accounting request id 1781
    Jul  2 15:01:57.278: TPLUS: Sending AV task_id=1997
    Jul  2 15:01:57.278: TPLUS: Sending AV timezone=SIN
    Jul  2 15:01:57.278: TPLUS: Sending AV service=shell
    Jul  2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
    Jul  2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
    Jul  2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
    Jul  2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
    Jul  2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
    Jul  2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
    Jul  2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:11.658: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:11.662: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:24.474: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:24.474: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

  • VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)

    Is it possible to assign a static IP address for VPDN users by TACACS server?
    If yes, please give me some ideas how to do it?
    thanks,
    bm

    I think that is possible only while using CSACS for Windows but not with CSACS for UNIX. At least I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)

  • WLS 7.0.4 - JMS Connection Factory - Server Affinity - issues in log file

    We are using WLS 7.0.4. For one of the JMS connection factory settings in the admin console we selected the "Server Affinity" option.
    We see these messages appear in the WebLogic log file:
    ####<Apr 24, 2006 1:56:53 AM EDT> <Error> <Cluster> <liberatenode4.dc2.adelphia.com> <node4_svr> <ExecuteThread: '4' for queue: '__weblogic_admin_rmi_queue'> <kernel identity> <> <000123> <Conflict start: You tried to bind an object under the name sbetrmi2 in the JNDI tree. The object you have bound from liberatenode2.dc2.adelphia.com is non clusterable and you have tried to bind more than once from two or more servers. Such objects can only deployed from one server.>
    and then,
    ####<Apr 24, 2006 1:58:12 AM EDT> <Error> <Cluster> <liberatenode5.dc2.adelphia.com> <node5_svr> <ExecuteThread: '7' for queue: '__weblogic_admin_rmi_queue'> <kernel identity> <> <000125> <Conflict Resolved: sbetrmi2 for the object from liberatenode5.dc2.adelphia.com under the bind name sbetrmi2 in the JNDI tree.>
    Should we use the 'load balancing' option instead of 'server affinity'?
    Any thoughts?
    Thanks in adv.
    Vijay

    Test Reply
    <Vijay Kumar> wrote in message news:[email protected]..

  • Can't configure tacacs-server port

    We're unable to configure a specific port, which is required for our customer for the tacacs-server. One of the devices is a 7604 router running this image -
    c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin. The other device is a 2960 switch with the following image - c2960-lanbasek9-mz.122-35.SE5.bin.
    We don't get the option to add a port after the tacacs-server host x.x.x.x command.
    Any ideas would be greatly appreciated!
    Regards..

    Hi
    Please go through this link, this will be helpful regarding TCSACS Authentication and Fortigate configuration:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  • Access with ISE server dead

    Hello there,
    I'd like to know how to give access to users when ISE is dead.
    I'm asking that because I'm using a pre-authentication ACL, so even with the command authentication event server dead action authorize vlan XX the access will be limited, will it not?
    My pre-authentication ACL allows access only to ISE, DNS and DHCP requests.
    Regards.

    Andre-
    I am afraid you don't have many options here. I have faced this problem before during my deployments. The problem is that ISE is needed in order to signal the switch to remove the pre-auth ACL by applying a dACL. However, since ISE is not available, the switch can authorize the endpoints to a VLAN, but now you need another method to remove the pre-auth ACL. In the past I have accomplished this via one of the following:
    1. An EEM script that re-configures the switch and sets the pre-auth ACL to "permit ip any any" (or removes the pre-auth ACL altogether) when/if the ISE servers become unavailable. I thought this feature required IP Services, but looking at the following doc it looks like you could do it with IP Base too. I guess you can give it a try and see what happens :)
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-software-releases-12-2-special-early-deployments/product_bulletin_c25-614546.html
    EEM script example:
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    2. The second method requires a converged access switch (3850, 3650). Those switches can be configured with profiles where the pre-auth ACL can be replaced with a critical ACL in the event of an ISE outage.
    I hope this helps!
    Thank you for rating helpful posts!
