WLC 7.2.103.0 RADIUS Accounting

Hello,
I recently upgraded WiSM2 controllers to the 7.2 release and have found that quite a few Accounting Start and Stop packets arrive at the RADIUS server without the Framed-IP-Address.. We use it to login the wireless user into SCE so they are not prompted to login to use the Internet each time... So it's a very important piece of info for us.
Has anyone noticed that as well? Any workarounds or special builds available?

Just in case anyone continuously searched for a similar problem to this - Cisco TAC recommended switching off IPv6 globally on the controller. This seemed to resolve the issue. 
I believe it has something to do with this:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_radatt/configuration/15-s/sec-usr-radatt-15-s-book/sec-rad-8-accss-req.html#GUID-B4D675F6-9B34-49FF-AB3E-FDAFC0FE43BB
Thanks
-N

Similar Messages

  • ISE 1.2 - WLC 5508 - NAS sends RADIUS accounting update messages too frequently

    I'm getting this error in ISE referring to my Cisco 5508 WLC.  I'm not sure how to turn down the frequency.  Any ideas?
    NAS sends RADIUS accounting update messages too frequently
    Verify NAS configuration. Verify known NAS issues.

    I opened up a TAC case with Cisco yesterday and this is the response i got from them:
    There is bug on the WLC side to reduce the number acct updates:
    CSCug14713- WLC sends acct-update twice in the same millisecond
    This is fixed in 8.x on the WLC.
    So, it looks at though we just have to deal with it until they release an 8.x version for the WLC. In the meantime, you can disable the alerts in ISE.
    Administration>Settings>Alarm Settings>Misconfigured Network Device Detected
    Edit that alarm and set it to disabled

  • WLC 5508 Radius accounting issue

    I have a WLAN configured with 802.1x PEAP pointing to an external RADIUS server.  It works fine for the most part, but I'm having problem closing accounting sessions in RADIUS.  I've found this is related to the client table in the WLC.  The user session does not end in RADIUS unless the WLC officially removes the client from the db, which takes 5-6 minutes from what I can see (probably due to the default idle timeout of 300 seconds). 
    For example:
    1.  I connect my tablet to the test WLAN.  It associates and authenticates successfully and the WLC sends the accounting info to my RADIUS server, opening up a user session.  If I turn off the wifi in the tablet, the client entry stays in the WLC client table until it times out.  The WLC removes my tablet from the client table after 5-6 minutes, and then the session closes in the accounting table.  I can force the session to close much earlier by manually removing the client from the WLC.
    2.  Same as #1, but this time instead of turning of the wifi in the tablet, I choose to connect to a different WLAN in the WLC.  The user session in the accounting DB never closes.  If I reconnect back to the original test WLAN with 802.1x, it opens up yet another user session in RADIUS accounting.  Now I have a "dead" user session in accounting that is going to be open forever unless I delete it from SQL.
    Is this an issue with the end user client not sending the disassociation frame properly, or a config problem with the WLC?  How can I make it so that every time a client drops from an AP or moves to a different WLAN, the WLC would immediately send accounting updates to my RADIUS server and close the user session properly?
    Thanks,
    Wil

    Well like you said, the WLC will keep the client in the DB until the idle timer expires. This is normal and I don't think you will be able to change this unless you set the idle timer to a lower value.
    Sent from Cisco Technical Support iPhone App

  • WLC with Multiple RADIUS Accounting Servers

    If a WLC has multiple accounting servers defined for a WLAN, will accounting packets be sent to all accounting servers ?
    The operation of authentication servers is that the WLC will only send authentication requests to a single RADIUS server. If that RADIUS server becomes unavailable, then the WLC will start to send authentication requests to the next available RADIUS server in the list configured for the WLAN.
    Is it the same mode of operation for accounting servers? Or, does the WLC send accounting records to all accounting servers that are defined against a WLAN?
    Thanks
    Nigel.

    So the WLC would use the priority list for the Radius servers for accouting.
    I have a setup that I need to send accounting to two different servers for different reasons. can this be done on the WLC?
    if not, does anyone know a good forking server for radius accounting?

  • WLC 4400 and RADIUS accounting

    Have trawled what docs there are and cant find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
    I'm guessing there might be a new Cisco VSA for it.
    Anyone know?
    Thanks

    The error message could be because of any unused protocol.

  • After ISE 1.2 upgrade I get "5413 RADIUS Accounting-Request dropped."

    Hello,
    I have a two admin node setup for ISE. I just upgraded one of my two ISE Admin nodes to Version 1.2. I still have one of my admin  nodes at 1.1.4. When I disable my Version 1.1.4 node and allow wireless authentications to be handled by the Version 1.2 node I get the message..."5413 RADIUS Accounting-Request dropped". None of my wireless edge devices will be allowed on the network during this time. When I re-enable my 1.1.4 node my wireless devices are then allowed on the network.
    I am currently using ISE to authenticate wireless connectivity.
    I also get the failure reason... "11038 RADIUS Accounting-Request header contains invalid Authentication field".
    Any ideas?
    Bob

    The 5413 RADIUS Accounting-Request dropped may be because the session was active on ISE1 and is now sending update messages to ISE2. Also, verify your shared secret radius key matches on both the wlc and ISE servers. I would try clearing the WLC connection for the test user when switching.  Just turning off wireless and back on doesn't do it.  Also, are you using PEAP-MSChapv2 or EAP-TLS for authenticating the clients.  What type of certificate is presented, public or private?

  • ISE 1.2 - Error 12929 NAS sends RADIUS accounting update messages too frequently

    We are currently running Cisco ISE 1.2, and every day under the "Misconfigured Network Devices" section on the main ISE Page, I have a huge list of different devices that are all being flagged with the following error message:
    "12929 NAS sends RADIUS accounting update messages too frequently." " NAS sends RADIUS accounting update messages too frequently
    Verify NAS configuration. Verify known NAS issues."
    The list of devices seems to all be Cisco switches; albeit different models, IOS versions, ect.  
    i have searched on this issue, and the closest thing to a fix I can find is that it would be fixed in a WLC update, but that was 9 months ago.    I would like to know what causes this issue, and what needs to be altered in ISE, or on the switches to resolve this.
    Thank You.

     CSCuh20269    WLC sends acc updates too frequently, indicates user roams to itself  is the defect specifically on the WLC that is fixed in one of the 7.6 releases.
    Along with the config Jatin mentioned, you may want to try pulling an Accounting report from ISE periodically and analyze the traffic/isolate the endpoints/supplicants that may be causing  a lot of activity (For ex frequent IP changes ) which results in frequent accounting updates.
    Regards,
    Gurudatt
    Escalation engineer, SAMPG | CCIE#28227
    Cisco systems

  • Cisco ISE 1.2.1 - "12929 NAS sends RADIUS accounting update messages too frequently" error message

    Hello,
    Running ISE 1.2.1 Patch 1, we get following error message: "12929 NAS sends RADIUS accounting update messages too frequently" on all NAS Devices (i.e. C-4500s running SPA.03.04.00.SG.151-2.SG.bin).
    There was a previous post on this forum (RE: https://supportforums.cisco.com/discussion/11894006/ise-12-wlc-5508-nas-sends-radius-accounting-update-messages-too-frequently) that stated that the "aaa accounting update newinfo" command doesn't solve this problem even though bug CSCuh01760 "Misconfigured NAS criteria needs to be changed" is resolved in ISE 1.2.1 as per the release notes.
    Could you please advise us on that to do now? Thank you. 
    Regards.  

    For the WLC side:
    1. You are probably hitting this bug CSCug14713
    2. You can also change the "Interim Update" located under the SSID > Security AAA Servers
    For the Switch side:
    1. You might be hitting this bug:CSCuh01760
    2. Make sure that you have the following command in your config "aaa accounting update newinfo"
    Thank you for rating helpful posts!

  • How to identify used AP in RADIUS Accounting

    We are using 5508 WLC with 3602 APs.
    Looks like in RADIUS Authentication Called-Station-Id is the MAC address of the AP,
    but in RADIUS Accounting Called-Station-Id is the MAC address of the WLC.
    How can we change that behaviour so that Called-Station-Id will always be the MAC address of the AP?
    Or is there some other way to identify the actual AP to which the user is connected?
    Regards
    Timo

    Hmm, I did some trial and error and solved the problem.
    On the WLC, go to Security > AAA > RADIUS > Authentication and set the Call Station ID Type to "AP MAC Address:SSID". Even tho that seems to be for RADIUS Authentication, it changes the Called-Station-Id also for RADIUS Accounting.
    Thx anyway
    Timo

  • 2504 WebAuth and IPv6 RADIUS Accounting (IPv6-Framed-Address)

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

    Hi Board,
    I'm playing around with RADIUS Accounting in combination with local web authentication on the wireless LAN controller.
    So far so good - everything works well, but I'm missing the "IPv6-Framed-Address" in the RADIUS accounting messages.
    The only thing I can see is the v4 framed IP address and the "Framed-IPv6-Prefix". According to the configuration guide
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_0101001.html#ID807
    the "IPv6-Framed-Address" should be sent by the WLC. I took a capture on a span port of the WLC to verify this. Anybody else experiencing this behavior or is it a simple misconfiguration on my side? In the client details I can see the global IPv6 addresses and the link-local.
    I tested it on a WLC 2504 with 8.0.100.0 code.
    Cheers
    Johannes

  • Radius accounting for QoS pppoe policy-map

    Hi folks
    I have a radius pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPOE.
    The AVPAIR is correctly applied to each and every pppoe session but the following link  http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html  is indicating that I should be able to push back to the RADIUS some traffic info per class-map/policy map. This would allow some Quota stuff and getting some info about traffic used per customer
    From what I have been able to configure, i'm not getting any of this stats back to the RADIUS
    the debug radius accounting :
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

    Cisco sever is working fine. When you do use non-standard or non-RFC requests from your NAS to the AAA server for instance, you have to configure your server accordingly to instruct it how to handle this kind of requests.
    This is typically done with something called "dictionary", which should be included in your radius server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
    As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string, your dictionary will look somethign similar than:
    And finally you will have to modify with a text editor, or XML editor and change type="tagged-string" supposing your device comply with RFC 2868. Probably
    the AAA server will have to restarted for taking this
    changes into account.
    Also,since this does apply to all devices for this vendor, you've got other option more, which is define your own dictionary for a specific vendor, or even if you wish for a specific NAS or group or NASes.
    In NavisRadius you could associate a dictionary to a
    device adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps

  • No RADIUS accounting with SF 302?

    Hello all,
    I have configured my SF 302-08P switch to perform 802.1X & MAC authentication. This works fine in both cases but I cannot get the switch to send accounting requests to my RADIUS server. Even when the server sends back an Acct-Interim-Interval attribute in the Access-Accept message, the switch doesn't generate accounting requests. Is it a known restriction or am I missing something?
    I'm a little bit surprised since the datasheet claims that both RADIUS authentication and accounting are supported for 802.1X. The switch version is 1.0.0.27.
    Regards,
    Simon

    Hi Simon,
    Yep according to the RFC2866 it states"
    When a client is configured to use RADIUS Accounting, at the start of
       service delivery it will generate an Accounting Start packet
       describing the type of service being delivered and the user it is
       being delivered to, and will send that to the RADIUS Accounting
       server, which will send back an acknowledgement that the packet has
       been received.  At the end of service delivery the client will
       generate an Accounting Stop packet describing the type of service
       that was delivered and optionally statistics such as elapsed time,
       input and output octets, or input and output packets.  It will send
       that to the RADIUS Accounting server, which will send back an
       acknowledgement that the packet has been received."
    The delay in my response was trying to simulate the scenario, but I don't have all the pieces here.
    Have a Chat to the boys/gals at SBSC to get some clarification.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    regards Dave

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • AAA Radius accounting command is not taking in 3750 switch

           Hi Cisco Support community,
    I am facing a issue with radius accounting in Cisco 3750 switch with version 12.2. I am unable to start accounting for radius server.
    This is the config that is on the switch for Radius.
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization exec my-authradius group radius if-authenticated.
    radius-server attribute 6 on-for-login-auth
    radius-server dead-criteria time 20 tries 5
    radius-server host 10.100.1.225 auth-port 1645 acct-port 1646 key 7 14341A5801103F3904266021
    radius-server host 10.100.1.226 auth-port 1645 acct-port 1646 key 7 05280E5C2C585B1B390B4406
    When i try to add the following command for accounting, this is not saving.
    (aaa accounting commands 0 default start-stop group radius
    aaa accounting commands 1 default start-stop group radius
    aaa accounting commands 15 default start-stop group radius)
    If i do paste this command one by one after start-stop group it is showing only two options either tacacs+ or server, no radius option is there as well.
    I  tried to create a server group and add the radius server  in the group.  Even then when i am trying to implement the aaa accounting command with the server command it is not showing in show run.
    Can anyone please help me with this issue.

    Hi,
    thanks for your reply but the thing is that  i want to see the command that are being run by a user on  this particular device. If i use the network command it will only show me the  network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
    I have read the document from this link and it is stating that we can use command accounting. Below is the link
    http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html. 
    Can anyone please tell me if this a version issue because even in version 15.4 i was not seeing the radius option in the end
    aaa accounting commands 15 default start-stop group (radius)- in radius place it was showing only Tacacs+ or group.

  • TACACS auth and RADIUS accounting with ACS

    I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

    Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
    Server Group - RADIUS
    Protocol - RADIUS
    Accounting Mode - Simultaneous
    Reactivation Mode - Timed
    Max Failed attempts - 3
    Two servers in the Server Group
    ACS - Not working
    Microsoft IAS - Working
    I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
    ACS is configured as follows
    Network Configuration
    AAA Clients - ASA authenticate using TACACS+
    AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

Maybe you are looking for