Escolar Documentos
Profissional Documentos
Cultura Documentos
Troubleshooting
This appendix provides information about certain basic problems and describes
how to resolve them.
Scan the column on the left to identify the condition that you are trying to resolve,
and then carefully go through each corresponding recovery action offered in the
column on the right.
This chapter contains the following topics:
• Administration Issues, page A-2
• Browser Issues, page A-4
• Cisco IOS Issues, page A-5
• Database Issues, page A-6
• Dial-in Connection Issues, page A-8
• Debug Issues, page A-12
• Proxy Issues, page A-13
• Installation and Upgrade Issues, page A-13
• MaxSessions Issues, page A-14
• Report Issues, page A-14
• Third-Party Server Issues, page A-16
• PIX Firewall Issues, page A-16
• User Authentication Issues, page A-17
• TACACS+ and RADIUS Attribute Issues, page A-18
Administration Issues
Note For information on using the command line interface to execute administrative
commands, see the “Administering the ACS Appliance” chapter of the
Installation and Setup Guide for Cisco Secure ACS Appliance.
Browser Issues
Condition Recovery Action
The browser cannot bring up the Open Internet Explorer or Netscape Navigator and choose Help >
Cisco Secure ACS HTML About to determine the version of the browser. See System
interface. Installation Requirements, page 2-2, for a list of browsers
supported by Cisco Secure ACS and the release notes for known
issues with a particular browser version.
For information about various network scenarios that affect remote
administrative sessions, see Network Environments and
Administrative Sessions, page 1-27.
The browser displays the Java Check the Session idle timeout value for remote administrators.
message that your session This is on the Session Policy Setup page of the Administration
connection is lost. Control section. Increase the value as needed.
Administrator database appears The remote Netscape client is caching the password. If you specify
corrupted. an incorrect password, it is cached. When you attempt to
re-authenticate with the correct password, the incorrect password is
sent. Clear the cache before attempting to re-authenticate or close
the browser and open a new session.
Remote administrator Make sure that the client browser does not have proxy server
intermittently can’t browse the configured. Cisco Secure ACS does not support HTTP proxy for
Cisco Secure ACS HTML remote administrative sessions. Disable proxy server settings.
interface.
The correct syntax for the arguments in the text box is permit argument or
deny argument.
Administrator has been If you have a fallback method configured on your AAA client, disable
locked out of the AAA connectivity to the AAA server and log in using local/line username and
client because of an password.
incorrect configuration Try to connect directly to the AAA client at the console port. If that is not
set up in the AAA client. successful, consult your AAA client documentation or see the Password
Recovery Procedures page on Cisco.com for information regarding your
particular AAA client.
IETF RADIUS attributes Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1.
not supported in However, there are a few attributes that are not yet supported or that require
Cisco IOS 12.0.5.T a later version of the Cisco IOS software. For more information, see the
RADIUS Attributes page on Cisco.com.
Unable to enter Enable Check the failed attempts log in the ACS. If the log reads “CS password
Mode after doing aaa invalid,” it may be that the user has no enable password set up. Set the
authentication enable TACACS+ Enable Password within the Advanced TACACS+ Settings
default tacacs+. section.
Getting error message If you do not see the Advanced TACACS+ Settings section among the user
“Error in authentication setup options, go to Interface Configuration > Advanced Configuration
on the router.” Options > Advanced TACACS+ Features and select that option to have
the TACACS+ settings appear in the user settings. Then select Max
privilege for any AAA Client (this will typically be 15) and enter the
TACACS+ Enable Password that you want the user to have for enable.
Database Issues
Condition Recovery Action
RDBMS Synchronization Make sure the correct server is listed in the Partners list.
is not operating properly.
Database Replication not • Make sure you have set the server correctly as either Send or Receive.
operating properly. • On the sending server, make sure the receiving server is in the
Replication list.
• On the receiving server, make sure the sending server is selected in the
Accept Replication from list.
• Make sure that the replication schedule on the sending Cisco Secure
ACS is not conflicting with the replication schedule on the receiving
Cisco Secure ACS.
• If the receiving server has dual network cards, on the sending server
add a AAA server to the AAA Servers table in Network Configuration
for every IP address of the receiving server. If the sending server has
dual network cards, on the receiving server add a AAA server to the
AAA Servers table in Network Configuration for every IP address of
the receiving server.
The external user database The external database has not been configured in External User Databases
is not available in the or the username and password have been typed incorrectly. Make sure the
Group Mapping section. username and password are correct. Click the applicable external database
to configure.
External databases not Make sure a two-way trust (for dial-in check) has been established
operating properly. between the Cisco Secure ACS domain and the other domains. Check the
csauth service log file for any debug messages beginning with [External
DB]. See Setting Up Event Logging, page 8-20.
Unknown users are not Go to External User Databases > Unknown User Policy. Select the
authenticated. Check the following external user databases option. From the External
Databases list, select the database(s) against which to authenticate
unknown users. Click —> (right arrow button) to add the database to the
Selected Databases list. Click Up or Down to move the selected database
into the desired position in the authentication hierarchy.
If you are using the Cisco Secure ACS Unknown User feature, external
databases can only authenticate using PAP.
Debug Issues
Condition Recovery Action
When you run The configurations of the AAA client or Cisco Secure ACS are likely to be at
debug aaa fault.
authentication on From within Cisco Secure ACS confirm the following:
the AAA client,
Cisco Secure ACS • Cisco Secure ACS is receiving the request. This can be done by viewing the
returns a failure Cisco Secure ACS reports. What does or does not appear in the reports may
message. provide indications that your Cisco Secure ACS is misconfigured.
From the AAA client, confirm the following:
• The command ppp authentication pap is entered for each interface if
authentication against the Windows User Database is being used.
• The command ppp authentication chap pap is entered for each interface if
authentication against the CiscoSecure user database is being used.
• The AAA and TACACS+ or RADIUS configuration is correct in the AAA
client.
When you run This problem occurs because authorization rights are not correctly assigned.
debug aaa From Cisco Secure ACS User Setup, confirm that the user is assigned to a group
authentication and that has the correct authorization rights. Authorization rights can be modified
debug aaa under Group Setup or User Setup. User settings override group settings.
authorization on
the AAA client, If a specific attribute for TACACS+ or RADIUS is not displayed within the
Cisco Secure ACS Group Setup section, this might indicate it has not been enabled in Interface
returns a PASS for Configuration: TACACS+ (Cisco IOS) or RADIUS.
authentication, but
returns a FAIL for
authorization.
Proxy Issues
Condition Recovery Action
Proxy fails Make sure that the direction on the remote server is set to Incoming/Outgoing or
Incoming, and that the direction on the authentication forwarding server is set to
Incoming/Outgoing or Outgoing.
Make sure the shared secret (key) matches the shared secret of one or both
Cisco Secure ACSes.
Make sure the character string and delimiter match the stripping information
configured in the Proxy Distribution Table, and the position is set correctly to either
Prefix or Suffix.
One or more servers is down, or no fallback server is configured. Go to Network
Configuration and configure a fallback server. Fallback servers are used only under
the following circumstances:
• The remote Cisco Secure ACS is down.
• One or more services (CSTacacs, CSRadius, or CSAuth) are down.
• The secret key is misconfigured.
• Inbound/Outbound messaging is misconfigured.
MaxSessions Issues
Condition Recovery Action
MaxSessions over VPDN is The use of MaxSessions over VPDN is not supported.
not working.
User MaxSessions Services were restarted, possibly because the connection between the
fluctuates or is unreliable. Cisco Secure ACS and the AAA client is unstable. Click to clear the
Single Connect TACACS+ AAA Client check box.
User MaxSessions not Make sure you have accounting configured on the AAA client and you
taking affect. are receiving accounting start/stop records.
Report Issues
Condition Recovery Action
The You changed protocol configurations recently.
lognameactive.csv Whenever protocol configurations change, the existing lognameactive.csv
report is blank. report file is renamed to lognameyyyy-mm-dd.csv, and a new, blank
lognameactive.csv report is generated
A report is blank. Make sure you have selected Log to reportname Report under System
Configuration: Logging: Log Target: reportname. You must also set Network
Configuration: servername: Access Server Type to Cisco Secure ACS for
Windows NT.
No Unknown User The Unknown User database was changed. Accounting reports will still
information is included contain unknown user information.
in reports.
Two entries are logged Make sure that the remote logging function is not configured to send
for one user session. accounting packets to the same location as the Send Accounting Information
fields in the Proxy Distribution Table.