Document ID: 99449
Introduction
This document describes how to troubleshoot Cisco Secure Access Control Server (ACS) and resolve error messages.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on the Cisco Secure Access Control Server (ACS) version 3.3 and later.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Problem: Resources needed by the CiscoSecure Install are locked
You can experience this problem when you upgrade your ACS server.
Solution
If you have too many old log files, you need to clear the "Local Logging Configuration" logs.
Modify the logging of ACS to keep the last three files.
1. On the ACS GUI, choose System Configuration > Service Control. Check the Manage Directory box and select to keep only the last three files. Then restart ACS and test the upgrade.
2. If option #1 does not work, you can try to manually remove some log files.
   You must always copy the files to a dedicated folder before you delete them.
   - On the local drive of the Windows server, where ACS for Windows is installed, choose Program Files > Cisco Secure ACS folder.
   - Delete all the logs under each of these folders:
     * CSAuth
     * CSLog
     * CSDbsync
     * CSAdmin
     * CSRadius
     * CSTacacs
     * CSMon
   - Restart the PC and retest the upgrade.
Problem: Cannot Delete AAA Server, AAA Server is a Synchronization Partner
The Cannot Delete AAA Server, AAA Server is a Synchronization Partner error message can appear when you delete the entry under Network Configuration.
Solution
Complete these steps in order to resolve this issue:
1. Choose Interface Configuration, and check the RDBMS Synchronization check box.
2. Choose System Configuration > RDBMS Synchronization and remove the AAA server that cannot be deleted from the AAA group that is on the Synchronization Partner.
3. You can now delete the AAA server group.
Problem: 127.0.0.1 is a reserved address
You have two units of ACS SE 1113 and want to replicate the internal database from primary to secondary, but you notice this error message in the secondary unit:
Inbound database replication from ACS <secondary ACS unit name> denied - shared secret mismatch
When you try to modify the key of AAA Server Self under Network Configuration, the error message is returned.
Solution
In order to resolve the 127.0.0.1 self problem, you can back up and restore the .DMP files on a fresh installation of ACS for Windows 4.2 and modify the 127.0.0.1 entry with the desired IP address.
Note: Cisco bug ID CSCso36620 (registered customers only) states that the toggle nic command changes the AAA server IP address to 127.0.0.1 in the GUI. In order to restore the original IP address on the appliance, issue the set ip command.
Problem: Authentication failure for Nexus Switch
Nexus 5010 authentication does not work with TACACS+. This error message can also appear:
Message-Type : Authen failed Authen-Failure-Code : Key Mismatch
Solution
The shared secret defined under the NDG takes precedence over the individually configured device. Look at the shared secret configured under the NDG Century PROD FSW, and make sure it matches with the one configured on Nexus switch.
Problem: ACS 1113 SE - Unable to Assign Static IP Address
This issue occurs when you are unable to configure the static IP address on ACS 1113 SE.
Solution
In order to resolve this issue, install the applACS-4.1-set-ip-CSCsm73656-Patch.zip patch, which is available from Cisco Downloads (registered customers only). The patch suits all ACS SE 4.1 versions.
Problem: Primary Server is not Preempted
When the primary ACS server goes down, you authenticate users with the secondary server. When the primary is up again, your users are still authenticated against the secondary, even though the primary is running again.
Solution
By default, the ASA works in depletion mode. Change it to timed mode so that when the primary ACS server becomes active again, authentication returns to the primary.
You can use:
host(config)# aaa-server <tag> protocol radius
host(config-aaa-server-group)# reactivation-mode timed
host(config-aaa-server-group)# deadtime 0
Optional: With deadtime, specify the amount of time in minutes, between zero and 1440, that elapses between when the last server in the group is disabled and when all the servers are re-enabled. The default is ten minutes.
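The difference between the two reactivation modes is easier to see in a small model. This is an added example, not from the Cisco document: it models only what the tech note describes (depletion mode never retries a failed server while another server in the group still answers; timed mode retries after 30 seconds) and ignores deadtime, which only matters once every server in the group has failed. The outage window and request times are constructed input.

```python
"""Simplified model of ASA AAA server selection in depletion vs timed mode.
Assumptions (not from the tech note): one request at a time, no deadtime
handling, and the ASA timed-mode retry interval of 30 seconds."""

TIMED_RETRY = 30  # seconds a failed server waits before being retried (timed mode)


def reachable(server, now, outages):
    """outages maps server -> (down_from, up_from); the server is down inside that window."""
    window = outages.get(server)
    return window is None or not (window[0] <= now < window[1])


class AaaServerGroup:
    def __init__(self, servers, mode):
        if mode not in ("depletion", "timed"):
            raise ValueError("mode must be 'depletion' or 'timed'")
        self.servers = list(servers)  # ordered, primary first
        self.mode = mode
        self.failed_at = {}           # server -> time it was last marked failed

    def pick(self, now, outages):
        """Return the server that answers a request at time `now`, or None if all fail."""
        for server in self.servers:
            if server in self.failed_at:
                if self.mode == "depletion":
                    continue  # stays deactivated while another server still answers
                if now - self.failed_at[server] < TIMED_RETRY:
                    continue  # timed mode: not yet due for a retry
            if reachable(server, now, outages):
                self.failed_at.pop(server, None)
                return server
            self.failed_at[server] = now
        return None


def simulate(mode, request_times, outages, servers=("primary", "secondary")):
    """Return [(time, server_used), ...] for one request per entry in request_times."""
    group = AaaServerGroup(servers, mode)
    return [(t, group.pick(t, outages)) for t in request_times]


if __name__ == "__main__":
    # Constructed scenario: the primary ACS is down from t=0 until t=60, one request every 10 s.
    outage = {"primary": (0, 60)}
    times = range(0, 130, 10)
    for mode in ("depletion", "timed"):
        print(mode, simulate(mode, times, outage))
```

In depletion mode every request after the outage keeps going to the secondary; in timed mode the primary is retried at t=30 (still down) and t=60 (back), after which authentication returns to it.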
Problem: Cannot Set New NIC Configuration
This issue occurs when you configure the static IP address on ACS 1113 SE.
Solution
In order to resolve this issue, try to reimage the software.
Problem: ACS Folder is Locked by Another Application
The ACS Folder is Locked by Another Application error message appears during an ACS software upgrade, such as the upgrade from version 3.3 to 4.0.
Use these solutions in order to solve the problem.
Solution 1
Complete these steps:
1. In the ACS window, choose System Configuration > Service Control and check the Manage Directory check box.
2. Enter a value, such as 3, in the Keep only the last __ files box.
3. Restart. The upgrade is likely to work.

Solution 2
If Solution 1 does not resolve the issue, complete these steps:
1. Back up the current ACS database.
   Refer to the Cisco Secure ACS Backup section of the User Guide for Cisco Secure ACS for Windows Server for more information on how to perform the backup of the ACS database.
2. Run the clean.exe file in order to uninstall ACS 3.3 (or your existing version). This file is located on the CD under ACS Utilities/support/clean.
3. Reinstall ACS 3.3 from the CD.
4. Restore your database from the file that you saved in Step 1.
   Refer to the Cisco Secure ACS System Restore section of the User Guide for Cisco Secure ACS for Windows Server for more information on how to restore the ACS database.
5. Upgrade the ACS to version 4.0.
   Refer to the Installation Guide for Cisco Secure ACS for Windows Server Version 4.0 for more information on upgrade procedures.
Problem: Event Error
During startup, the ACS SE receives the At least one service or driver failed during startup. use event viewer to examine the event log for details error message.
Solution
This error on the ACS SE does not affect any of the ACS functionalities. It is a Microsoft Windows error. This error appears because the monitor, mouse and keyboard cannot be used on the appliance and are disabled by default.
The ACS appliance is a hardened, locked-down system and is designed with security in mind. The appliance uses a hardened Windows image in which all redundant services and connections are stopped. It is made to keep viruses, worms, and DDoS attacks out. Hence there is no VNC, DOS prompt, or any other way to reach the Windows configuration. Devices such as the mouse, keyboard and monitor are disabled.
On rare occasions, it indicates that something is corrupted on the appliance image. If you re-image the appliance, it fixes the issue in the majority of instances. You can try to re-image the ACS as well.
Problem: Bad request from NAS
This error message appears:
Bad request from NAS OR Authen-Failure-Code=Invalid message authenticator in EAP request
Solution
This error message usually appears because of a mismatch in the shared secret key or, as in this case, an NDG defined with a key that overrides the AAA client key.
Problem: Unable to install ACS version 3.3.3 on ACS 1113
Unable to install images earlier than version 4.0 on ACS SE 1113.
Solution
Only ACS 4.0 and later can run on ACS SE 1113. Refer to Upgrading and Migrating to Cisco Secure ACS Solution Engine for more information on how to upgrade ACS SE.
Problem: Reason: is currently being edited elsewhere
When you open the ACS page, you can receive this error: Reason: is currently being edited elsewhere.
Solution
Restart the ACS services in order to resolve this issue.
Problem: Remote agent service will not start
The user is not able to run the remote agent service.
Solution
The user must be a local admin user for the service to start.
Problem: "Error: Auth type not supported by External DB" during user authentication
The Auth type not supported by External DB error appears during user authentication.
Solution
This error appears because the CHAP Authentication protocol is not supported on the Microsoft Windows database Active Directory (AD) when you use ACS version 3.3. In order to resolve this issue, use PAP instead of CHAP. Refer to Authentication Protocol-Database Compatibility for more information on Protocol-Database Compatibility for ACS version 3.3.
Problem: Unable to enable ping to ACS
Unable to ping ACS SE.
Solution
Turn off the CSA Agent in System Configuration > Appliance Configuration in order to enable ping response on ACS SE versions earlier than 4.2. For ACS versions 4.2 and later, download and install the patch available from Cisco.com. Refer to Turning Ping On and Off for more information.
Problem: "Appliance upgrade in progress" message is shown even after the ACS upgrade is complete.
The Appliance upgrade in progress message appears, even after the ACS upgrade is complete.
Solution
ACS is stuck after the upgrade and cannot start or stop any services.
In order to resolve this issue, complete these steps:
1. Log into the ACS Appliance with a different Admin account.
2. On the Appliance Upgrade page under the System Configuration tab, press the Refresh or the Download button.
Refer to Cisco bug ID CSCsg89042 (registered customers only) for more information.
If you are unable to use the GUI, try to reboot the ACS appliance in order to resolve the issue.
Problem: Password Reset after Replication
After the replication, the new password gets reset to the old password.
Solution
This issue occurs because users do not authenticate to the primary ACS. Once the replication occurs, the primary pushes its policies to the secondary ACS because the replication is not bidirectional. This causes the password to be reset to the old password.
In order to resolve this issue, authenticate the user to the primary ACS, if possible.
Problem: DST Issue on ACS
DST issues are seen on ACS.
Solution
In order to resolve the Daylight Saving Time (DST) issue with ACS, download and install these patches:
Note: Apply the csupdate patch first. Then install the cumulative patch.
Problem: "Error: Failed to get NIC configuration: (null) (FFFFFFFF)" on ACS appliance
The Error: Failed to get NIC configuration: (null) (FFFFFFFF) error appears on the ACS appliance.
Solution
This error usually appears if the right version of the ACS image is not used on ACS appliance. It is more of a compatibility issue. Re-image the ACS appliance in order to resolve this issue.
Refer to Re-Imaging the Appliance Hard Drive for more information on how to re-image the ACS appliance.
Problem: "% Application upgrade failed, Error - -999. Please check ADE logs for details, or re-run with - debug application install - enabled" on ACS appliance during upgrade
The % Application upgrade failed, Error - -999. Please check ADE logs for details, or re-run with - debug application install - enabled error appears while an attempt is made to upgrade an ACS Express from 5.0 to 5.0.1.
Solution
This error occurs when the repository used is TFTP and the file size is greater than 32MB, because ACS Express cannot handle TFTP transfers of files greater than 32MB. Use FTP as the repository in order to resolve this issue, even if the file size is more than 32MB.
Problem: Unable to disable SSHv1 enable only SSHv2 on the ACS appliance
Unable to disable SSHv1 and leave only the SSHv2 enabled on the ACS appliance.
Solution
Right now it is not possible to disable SSHv1 and leave only SSHv2 enabled. Both SSHv1 and SSHv2 are enabled together and cannot be disabled individually.
Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade an ACS Express from 5.0 to 5.0.1.
Solution
Complete these steps in order to upgrade the ACS appliance without any issue:
1. Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from:
   Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
2. After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz, available from the same path.
3. Use this command in order to install the upgrade:
   application upgrade <application-bundle> remote-repository-name
This completes the upgrade procedure.
Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
Problem: Unable to Reset ACS Appliance to Factory Default
This section details what to do if you are unable to reset the ACS appliance to factory default settings.
Solution
The acs reset-config command includes an option to reset the configuration that, when issued, resets all ACS configuration information, but retains the appliance settings such as network configuration. If you want it to look exactly like the factory default, you need to re-image the appliance.
Problem: Unable to Restart ACS Server 5.x from GUI
This section explains why you are unable to restart the ACS server version 5.x from the GUI.
Solution
There is no option available to restart the ACS 5.x server from the GUI. ACS can only be restarted from the CLI.
Problem: Failed TACACS+ Authentication with ACS with the NDG Issue
This section explains why authentication fails with TACACS+ when a Network Device Group (NDG) is configured.
Solution
The same AAA client is mapped to two different NDGs, one as a RADIUS client and the other as a TACACS client, and NDG level external database authentication is enabled for the NDG with the RADIUS client.
TACACS+ users are configured in the ACS internal database. When the TACACS+ authentication request comes, ACS looks in the NDG, where the same client is configured as RADIUS.
In order to avoid this problem, remove the external database authentication check box from the RADIUS NDG.
Problem: Windows External Database not Operational
This section explains why some user authentication fails with an External Database Not Operational error.
Solution
Here is a list of possible causes and their solutions:
- The Remote Agent (RA) version does not match the ACS version. Install the correct version of RA.
- The Remote Agent services are stopped. Restart the RA services.
- Upgrade the ACS to the latest available version.
Problem: External DB user invalid or bad password
This section explains why you receive the External DB user invalid or bad password error for authentication on ACS.
Solution
Review these troubleshooting tips in order to resolve this issue:
- If any changes related to the AD membership or the system name are made on the ACS server, make sure to reboot it for the changes to take effect.
- Check the connectivity between the ACS and the Domain Server.
- Security policies on the Domain Server must allow the ACS to query the username on the Active Directory.
- Make sure that a two-way trust exists between the ACS and the Domain Server.
- Make sure that the ACS is installed on a server that has Local and Domain Admin privileges.
- Make sure the username and password are correct.
Problem: Error on ACS when accessed using IE8
The faultCode:Server.Error.Request faultString:'HTTP request error' faultDetail:'Error: [IOErrorEvent type="ioError" bubbles=false cancelable=false eventPhase=2 text="Error #2032"]. URL: /acsview/LoadAuthenticationTrendsPortlet.do' error occurs on the ACS when the ACS is accessed using Internet Explorer 8 (IE8).
Solution
This error occurs because IE8 is not supported by ACS. Use another browser in order to resolve this issue.
Problem: Error "Authentication failed : 12308 Client sent Result TLV indicating failure"
The Authentication failed : 12308 Client sent Result TLV indicating failure error occurs on the ACS when you try to authenticate for the first time. Authentication works fine the second time.
Solution
This error can be resolved if you disable Fast Reconnect. An upgrade to patch 2 of ACS version 5.2 will help to resolve the issue without the Fast Reconnect being disabled.
This error can also be resolved if you disable Forced cryptobinding on the supplicant. Refer to Cisco bug ID CSCtj31281 (registered customers only) for more details.
Problem: Error "eap_peap type not configured"
The eap_peap type not configured error occurs on the ACS when you attempt to perform a wireless authentication.
Solution
This error occurs on the ACS due to one of these reasons:
- The supplicant requesting EAP-PEAP authentication is not configured on the ACS. Enable EAP-MSCHAPv2 and EAP-GTC from the Global Authentication page, and disable NAP on the primary server in order to resolve the issue.
- When a wireless user tries to authenticate through the ACS server, the login fails and the error message is EAP_PEAP Type not configured. This occurs when authenticating with a user configured in the Microsoft Windows AD database, as well as when authenticating with a user in the local ACS database.
- The WLC uses key-wrap for FIPS, but the ACS has not been configured for the same. Configure the same on the ACS in order to resolve the issue.
Problem: "ACS runtime process is not running on this instance at this time."
Users cannot login to the ACS GUI and this error message is received:
"The ACS runtime process is not running on this instance at this time. Changes can be made to the ACS configuration (these will be saved in the database), but changes will not take effect until the runtime process is restarted."
Solution
Manually restarting the runtime process from the CLI and rebooting the appliance resolves this issue. This is a minor issue and does not create any performance issue for the ACS. Two minor bugs are filed for this behavior. For more information, refer to Cisco bug IDs CSCtb99448 (registered customers only) and CSCtc75323 (registered customers only).
In order to restart the runtime processes manually, issue these commands from the ACS CLI:
- acs stop runtime
- acs start runtime
Problem: Issue setting up Active Directory authentication with ACS 5.2
When setting up Active Directory (AD) authentication for a new 5.2 ACS service, this error message is received:
Unexpected RPC Error: Access Denied due to unexpected configuration or network error. Please try the --verbose option or run "adinfo --diag".
Solution
The ACS needs write permissions in order to authenticate with the Active Directory. In order to resolve this issue, provide temporary write permissions to the service account.
Problem: Failure Reason : 24428 Connection related error has occurred in either LRPC, LDAP or KERBEROS
This error message is received on the ACS:
Failure Reason : 24428 Connection related error has occurred in either LRPC, LDAP or KERBEROS This RPC connection problem may be because the stub received incorrect data
Solution
In order to resolve this issue, upgrade the ACS to version 5.2.
Problem: Unable to do local logging on Cisco Secure ACS Solution Engine instead of using the remote logging capability of the Cisco Secure ACS remote agent
The issue is the inability to perform local logging on the Cisco Secure ACS Solution Engine instead of using the remote logging capability of the Cisco Secure ACS remote agent.
Solution
It is possible to perform local logging on the Cisco Secure ACS Solution Engine instead of using the remote logging capability of the Cisco Secure ACS remote agent. However, local logging on the Cisco Secure ACS Solution Engine is constrained in size. This forces log files to be recycled after seven days. The Cisco Secure ACS remote agent provides full, unconstrained logging capability to a remote server.
Problem: How do you generate the complete list of all the users along with their current method of password authentication?
With ACS 4.2, the users are authenticated by different methods such as Windows/LDAP/OTP. Is there a way to prepare a complete list of the users with their password authentication methods?
Solution
This is time-consuming if performed manually. There is a way to perform this automatically with ACS release 4.2.1.15.
Complete these steps:
1. Take a backup of the ACS internal database.
2. Run the CSUtil.exe -dumpUSERS command.
   This generates a text file, userauditinfo.txt, that contains the password authentication method used for all the available users.
Problem: Cannot view more than 100 pages in the accounting report
When attempting to generate a custom AAA accounting report with ACS version 5.1, you cannot view more than 100 pages. This does not cover several older reports. How do you change this setting to see all the pages?
Solution
You cannot change the number of pages on the ACS because the maximum number of pages displayed is only 100 by default. In order to overcome this limitation and view older statistics, you need to change the filtering options so that more specific matches can be made. For example, if you try to generate the report for the last thirty days, it contains a large volume and the last 100 pages might show the activity for only the last hour. Here, using the filtering options is advised. Taking the filtering option as a user ID and specifying the time-range will yield much older reports also.
Problem: Unable to generate pass/fail authentication report for a group of devices
This issue occurs when attempting to generate the authentication report only for a group of six routers/switches, not for all the devices. ACS version 4.x is used.
Solution
This is not possible with ACS 4.x. You need to migrate to ACS 5.x because this feature is available with that version. You can extract reports for the specific group of devices by generating the Catalog Reports.
Problem: ACS is unable to control the delimiter of the mac-address
The ACS is unable to control the delimiter of the mac-address. The delimiter cannot be changed or added.
Solution
The ACS is not designed to control the delimiter of the mac-address and it cannot change or add a delimiter. The client or the WLC controls the delimiter.
Problem: "Failed to export user database. Please check there is sufficient disk space then rerun setup. Set up will now exit."
The problem is the backup database cannot be restored when upgrading the ACS for Windows. An insufficient disk space error message is received.
Solution
Complete this workaround:
1. Collect a backup from your database.
2. Uninstall the ACS software with the clean utility, which is available in the FULL packages of the installation files for your ACS version.
3. Reinstall the software with the same version.
4. Perform a restore of the database.
5. Upgrade the ACS version again.
Problem: ACS is unable to join the Active Directory domain and User unable to Authenticate
The ACS cannot join the Active Directory domain and the user cannot authenticate. A clock skew error is received.
Solution
This issue can be resolved by changing the time-zone and time on the ACS to match the time-zone and time on the Active Directory.
Problem: Could not generate valid password to perform the Auth test
The Could not generate valid password to perform the Auth test error message appears on the ACS.
Solution
In order to resolve this issue, go to System Configuration and click Local Password Management. Make sure the password length is not more than 9 characters. If it is, change the length to between 4 and 8 characters.
Problem: The monitoring and reports database is currently unavailable. Attempting to reconnect in 5 seconds.
When you click the Launch Monitoring and Report Viewer from ACS 5.X, this error message is received: The monitoring and reports database is currently unavailable. Attempting to reconnect in 5 seconds. If problem persist, please contact your ACS administrator.
Solution
Perform one of these workarounds in order to resolve this issue.
- Restart the ACS services from the CLI by issuing these commands:
  application stop acs
  application start acs
- Upgrade to the latest available patch. Refer to Applying Upgrade Patches for more information about this.
Problem: Cannot login to Cisco ACS, All Administration ports are currently in use
When authenticating as an administrator, a successful message is received. Then, you are quickly forwarded to a page that shows Cannot login to CiscoSecure ACS, all Administration ports are currently in use. Contact the System Administrator for more details. This occurs in ACS 4.X.
Solution
This error message indicates that the range of ports allocated for GUI auto redirect is fully reserved and in use by other sessions. In order to resolve this, complete this procedure:
1. Stop the csadmin service and then try to log in.
2. Verify the HTTP port allocation policy for the Administrator. The complete path is shown here:
   Administration Control > Access Policy > HTTP port Allocation > Restrict Administration Sessions to the following port range From Port n to Port n
3. Increase the range of the ports as per the requirement. For more information, refer to HTTP Configuration.
4. Specify a shorter Session idle timeout in the Session Policy. The complete path is shown here:
   Administration Control > Session Policy > Session idle timeout
   For more information, refer to Session Policy.
5. Sometimes, reloading the ACS can also help to resolve this issue.
Problem: 22056 Subject not found in the applicable identity store(s)
Active directory users are not getting authenticated with ACS version 5.X and receive this error message: 22056 Subject not found in the applicable identity store(s).
Solution
This error message occurs when the ACS failed to find the user in the first listed database that is configured in the Identity store sequence. This is an informational message and does not affect the performance of the ACS. The way that ACS 5.x performs the authentication for internal or external users is different than the previous 4.x version. With the 5.x version, there is an option called "Identity Store Sequence" to define the sequence of user databases to be authenticated. For more information, refer to Configuring Identity Store Sequences.
If you receive this error when you are using the ACS to authenticate requests against a Child Domain, then you have to add a UPN suffix or NETBIOS prefix to the username. For more information, refer to the Notes in the Microsoft AD section.
Problem: ODBC operation failed with following information: message=[Sybase][ODBC Driver][Adaptive Server Anywhere].....
This error is received on ACS version 4.X: ODBC operation failed with following information: message=[Sybase][ODBC Driver][Adaptive Server Anywhere]......
Solution
ACS version 4.0 does not install properly if the Sybase server is installed on the same machine. In certain cases, when CiscoWorks and the ACS are used on the same machine, this error message appears and ACS installation problems arise. This occurs because CiscoWorks uses Sybase as its database. In order to avoid this error, ensure that no other application on that PC uses SQL Anywhere so that the software installs successfully. Refer to the Notes section in Preparation for Install or Upgrade ACS for more information.
Problem: Unable to integrate ACS with Active Directory
Unable to integrate ACS with Active Directory, and the Samba Port Status Error error message is received.
Solution
In order to resolve this problem, make sure these ports are open to support Active Directory functionality:
- Samba Port - TCP 445
- LDAP - TCP 389
- LDAP - UDP 389
- KDC - TCP 88
- kpasswd - TCP 464
- NTP - UDP 123
- Global catalog - TCP 3268
- DNS - UDP 53
ACS needs to be able to reach all the DCs in the domain in order for the ACS-AD integration to be complete. Even if only one of the DCs is not reachable from the ACS, the integration does not happen. Refer to Cisco bug ID CSCte92062 (registered customers only) for more information.
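Because the integration fails if even one domain controller is unreachable, it helps to check every DC against the full port list from the same host before joining the domain. This is an added example, not part of the Cisco document: it probes the TCP ports listed above on each DC and reports the UDP entries (LDAP 389, NTP 123, DNS 53) as unverified, since a TCP connect cannot confirm them. The DC names are constructed placeholders, and the probe function is injectable so the logic can be exercised without a network.

```python
"""Check that an ACS-side host can reach every AD domain controller on the
ports the tech note lists. Added example; DC names below are placeholders."""
import socket

# (service, protocol, port) as listed in the tech note
AD_PORTS = [
    ("Samba", "tcp", 445),
    ("LDAP", "tcp", 389),
    ("LDAP", "udp", 389),
    ("KDC", "tcp", 88),
    ("kpasswd", "tcp", 464),
    ("NTP", "udp", 123),
    ("Global catalog", "tcp", 3268),
    ("DNS", "udp", 53),
]


def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, probe=tcp_probe):
    """Probe one DC. Returns (blocked, unverified): blocked lists the
    (service, port) TCP entries that did not connect; unverified lists the
    UDP entries that a TCP connect cannot confirm."""
    blocked, unverified = [], []
    for service, proto, port in AD_PORTS:
        if proto == "udp":
            unverified.append((service, port))
        elif not probe(host, port):
            blocked.append((service, port))
    return blocked, unverified


def check_domain(dcs, probe=tcp_probe):
    """Probe every DC in the domain. Returns {dc: blocked_entries} for DCs with
    at least one blocked TCP port; an empty dict means every DC passed the TCP
    checks (the UDP services still have to be confirmed separately)."""
    problems = {}
    for dc in dcs:
        blocked, _ = check_dc(dc, probe)
        if blocked:
            problems[dc] = blocked
    return problems


if __name__ == "__main__":
    # Constructed placeholder DC names; replace with the real DCs of the domain.
    domain_controllers = ["dc1.example.test", "dc2.example.test"]
    problems = check_domain(domain_controllers)
    if not problems:
        print("all TCP ports reachable on every DC; confirm UDP 53/123/389 separately")
    for dc, blocked in problems.items():
        print(f"{dc}: blocked {', '.join(f'{svc}/{port}' for svc, port in blocked)}")
```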
Problem: Unable to integrate ACS with LDAP
We are using ACS 5.2 as an AAA RADIUS server for an 802.1X implementation. We can successfully use 802.1X with ACS using the internal user store, but are having issues integrating ACS and LDAP. This error message is displayed:
Radius authentication failed for USER: example MAC: UU-VV-WW-XX-YY-ZZ AUTHTYPE: PEAP(EAP-MSCHAPv2) EAP session timed out : 5411 EAP session timed out
Solution
In this instance, LDAP is being used with the PEAP and the internal authentication method used is eap-mschap v2. This will fail because LDAP is not supported for PEAP (eap-mschap v2). It is recommended you use eap-tls or the AD.
Problem: CSCOacs_Internal_Operations_Diagnostics ERROR Could not start message bus
Why do I receive the CSCOacs_Internal_Operations_Diagnostics ERROR Could not start message bus error message on ACS?
Solution
This is a cosmetic error and it is not a serious problem as long as none of the authentication/authorizations/ACS performance is affected and it only indicates that the internal message bus connection is being re-established.
Problem: 13017 Received TACACS+ packet from unknown Network Device or AAA Client
Why do I receive the 13017 Received TACACS+ packet from unknown Network Device or AAA Client error message on ACS?
Solution
This error usually comes up when either the right interface is not configured as the AAA client on ACS, or the IP address configured on ACS is being NATed. In other words, the expected IP address is not the one contacting ACS, which causes this error. This can also come up if the ip tacacs source-interface <interface-name/id> command is issued on the router, but some other IP address is used on ACS as the AAA client address. Also, disabling single-connect on IOS might help resolve this problem.
Problem: "csco acs_internal_operations_diagnostics error: could not write to local storage file" Error Message
During replication of ACS, primary ACS is not replicating properly and displaying this error message:
csco acs_internal_operations_diagnostics error: could not write to local storage file
Solution
Restart the ACS services and make sure critical logging is disabled. For more details, refer to Cisco bug ID CSCth66302 (registered customers only) . If this does not help, contact Cisco TAC in order to get the latest ACS patch suitable to resolve this problem.
Problem: Unable to integrate the ACS 5.1 with Active Directory
When trying to implement Active Directory (AD) integration, this error message is received:
Error while configuring Active Directory:Using writable domain controller:test1.test.pvt Authentication error due unexpect configuration or network error. Please try the --verbose option or run 'adinfo -diag' to diagnose the problem. Join to domain 'test.pvt', zone 'null' failed.
Solution
Try this workaround in order to fix this problem:
1. Delete the existing machine account on AD.
2. Create a new OU.
3. Go to Properties of the OU and uncheck inherit permissions.
4. Create a new machine account for ACS in the new OU.
5. Allow AD to replicate.
6. Try to join AD from the ACS GUI.
In some cases, it is also helpful to contact Microsoft and apply the Hot Fix.
Problem: Unable to delete Authentication History (RADIUS Successes or Failures) and the syslogs from the ACS
Unable to delete Authentication History (RADIUS Successes or Failures) and the syslogs from the ACS.
Solution
It is not possible to delete the Authentication History from the ACS. Also, the logs that are sent as syslogs to the ACS itself cannot be deleted.
Problem: Management process is not running and shows "running (HTTP is nonresponsive)"
The management process is not running and the management process shows running (HTTP is nonresponsive).
Solution
This issue can be resolved by reimaging and reloading the ACS and then restoring an older backup of the configuration.
Problem: Unable to configure ACS 5.x to recognize regular expressions in the service selection rules
Solution
This is not possible; regular expressions in service selection rules are not supported in ACS 5.x.
Problem: SFTP backup is not working when using CiscoWorks as the SFTP server
When the backup repository is on the CiscoWorks server, the backup scheduler works fine with other SFTP clients, but not with ACS 5.2. Specifically, when ACS tries to connect to the SFTP server, the Unable to negotiate a key exchange method error message is received.
Solution
In this case, the SFTP server on the CiscoWorks host is not a FIPS-compliant device and does not offer the Diffie-Hellman group 14 key exchange method. ACS 5.2 is FIPS compliant and only completes the SSH key exchange with servers that support DH group 14, so the two sides have no key exchange method in common. For more information regarding this issue, refer to Known Limitations in ACS 5.2.
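To see why the negotiation fails, here is an added example (not Cisco or CiscoWorks code) that parses an SSH_MSG_KEXINIT packet as defined in RFC 4253 and applies the standard selection rule: the first key exchange method on the client's list that the server also offers. The server packet and its algorithm lists are constructed; the assumption that the ACS client offers only diffie-hellman-group14-sha1 models the FIPS restriction described above. Against a real server, the same information is visible in the "peer server KEXINIT proposal" lines of ssh -vv, or in a packet capture of the first unencrypted packets.

```python
"""Parse an SSH_MSG_KEXINIT (RFC 4253, section 7.1) and run the standard
key-exchange selection rule to see whether a client and server can agree.

Added example for this troubleshooting page; not Cisco or CiscoWorks code.
The server packet and the algorithm lists are constructed; the client
list models an ACS that offers only DH group 14.
"""
import struct

SSH_MSG_KEXINIT = 20

# Assumption: the FIPS-restricted client proposes only group 14.
ACS_KEX = ["diffie-hellman-group14-sha1"]
# Constructed legacy server proposal with no group 14 at all.
LEGACY_SERVER_KEX = ["diffie-hellman-group1-sha1",
                     "diffie-hellman-group-exchange-sha1"]

KEXINIT_LISTS = ["kex_algorithms", "server_host_key_algorithms",
                 "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                 "compression_c2s", "compression_s2c",
                 "languages_c2s", "languages_s2c"]


def _name_list(buf, off):
    """Decode an RFC 4251 name-list: uint32 length + comma-separated names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n


def unwrap_packet(raw):
    """Strip the binary packet framing (uint32 packet_length, byte padding_length)."""
    (packet_length,) = struct.unpack_from(">I", raw, 0)
    padding_length = raw[4]
    return raw[5:5 + packet_length - padding_length - 1]


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload plus the trailing boolean."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    off = 17  # message byte + 16-byte cookie
    out = {}
    for field in KEXINIT_LISTS:
        out[field], off = _name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def choose_kex(client_kex, server_kex):
    """RFC 4253 rule: first client method that the server also supports, else None."""
    for alg in client_kex:
        if alg in server_kex:
            return alg
    return None


def build_kexinit(kex, hostkey=("ssh-rsa",), enc=("aes128-ctr",),
                  mac=("hmac-sha1",), comp=("none",)):
    """Build a KEXINIT payload (zero cookie; constructed for testing only)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        payload += nl(names)
    return payload + b"\x00" + struct.pack(">I", 0)


def wrap_packet(payload, block=8):
    """Add RFC 4253 framing with at least 4 padding bytes, total a multiple of block."""
    pad = block - (len(payload) + 5) % block
    if pad < 4:
        pad += block
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad


def negotiate(raw_server_kexinit, client_kex=ACS_KEX):
    """Chosen kex method for the server's packet, or None (the 'Unable to negotiate' case)."""
    server = parse_kexinit(unwrap_packet(raw_server_kexinit))
    return choose_kex(client_kex, server["kex_algorithms"])


if __name__ == "__main__":
    print("legacy server:", negotiate(wrap_packet(build_kexinit(LEGACY_SERVER_KEX))))
    fixed = LEGACY_SERVER_KEX + ["diffie-hellman-group14-sha1"]
    print("server with group 14:", negotiate(wrap_packet(build_kexinit(fixed))))
```

The legacy proposal yields no common method, which is exactly the condition behind the error message; once the server also advertises diffie-hellman-group14-sha1, the ACS client's single entry is selected and the SFTP session can proceed.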
Problem: Can I use a SecurID token with SFTP to back up the ACS database?
Solution
No, this is not possible. The SFTP repository needs a static user name and password. A SecurID token generates a one-time code, so it cannot provide a static password.
Problem: "Invalid EAP payload dropped"
The Invalid EAP payload dropped error message is received while wireless users authenticate against ACS 5.0 patch 7.
Solution
This is an observed behavior and is addressed in Cisco bug IDs CSCsz54975 (registered customers only) and CSCsy46036 (registered customers only).
In order to resolve this issue, upgrade to ACS 5.0 patch 9, which is also required as part of the upgrade to 5.1 or 5.2. Refer to Upgrading the Database for complete details; it also includes the information on how to upgrade to patch 9.
Problem: Unable to filter the reports using Interactive Viewer
When you try to filter ACS reports with the Interactive Viewer, all the buttons are greyed out and the right-click menu options are not populated properly. Internet Explorer 8 is the browser used.
Solution
This could be a browser-related problem. Try another browser such as Firefox in order to get this to work. You can also enable Compatibility View in IE8 so that the page renders properly.
Problem: Unable to export the users with the Password
The user database can be exported and imported into another ACS 5.x with a CSV file, but the file does not include the user password field (it appears blank). How can a local user identity store be moved from one ACS to another together with the password information?
Solution
This is not possible: exporting user passwords in the CSV file would expose credentials, so ACS leaves that field blank. One workaround is to perform a backup on the source ACS and a restore on the target. The limitation of this workaround is that backup and restore only work between ACS systems with a similar configuration.
Problem: Authentication prompt appears only for the first connection and not for subsequent connections
When a Windows XP host sends 802.1X requests to the ACS through a 3750G switch, an authentication prompt appears only the first time the device connects to the switch. All subsequent connections are made without a prompt. Why does this happen, and how can the authentication prompt be made to appear each time a connection is made?
Solution
Windows caches the credentials entered at the first prompt and reuses them for later connections. In order to resolve the issue, go to Network Connections > Local Area Connection > Properties > Authentication, and make sure the Cache user information for subsequent connections to this network option is unchecked.
Problem: Authorization prompt appears when using Apple devices with ACS
Why does an Authorization prompt to validate the certificate appear while using Apple devices with ACS? Can I stop this authorization prompt from appearing?
Solution
The prompt is generated by the Apple device, which asks the user to trust the certificate presented by the authentication server; it is not generated by ACS. There is no way to configure ACS so that the Apple device stops showing this prompt.
Problem: ACS internal users are disabled intermittently
ACS internal users are disabled intermittently with a "Password expired" message. The password expiration policy is set to 60 days, but these users must be manually enabled in order for them to regain access.
Solution
This behavior is documented in Cisco bug ID CSCtf06311 (registered customers only). The issue is resolved by applying patch 3 to ACS 5.1. In order to view all resolved issues under patch 3, refer to Resolved Issues in Cumulative Patch ACS 5.1.0.44.3. For information on how to apply the patch, refer to Applying Upgrade Patches.
Problem: ACS Error Message - Not all user Active Directory groups are retrieved successfully...
Why is the Not all user Active Directory groups are retrieved successfully. One or more of the group's canonical name was not retrieved error message seen on ACS?
Solution
This issue occurs because Unicode characters are used in a group name on AD. ACS handles AD group names as ASCII text, so the Unicode characters are not translated correctly and the group membership is not retrieved. Remove the Unicode characters from the group names in AD in order to resolve this issue.
Problem: ACS does not log proxy authentication requests
ACS does not log proxy authentication requests even though RADIUS proxying has been enabled.
Solution
This is expected. ACS only takes the request and forwards it to the configured proxy target; it does not take part in the authentication or accounting processing of the packet, so the only logs are on the proxy RADIUS server. As a result, no messages are logged on ACS for proxied packets.
Problem: ACS loses the configuration when repository is created from the GUI
ACS loses the repository configuration when the repository is created from the GUI after modifications were made on the CLI.
Solution
If you create the repository from the GUI after modifying it from the CLI, ACS loses the CLI changes, and this is the expected behavior. When you stop and start ACS, the repository is recreated from the configuration stored by the GUI. Modifications made on the CLI to a repository created by the GUI are not carried over into the ACS application configuration.
Problem: "TACACS+ authentication request ended with error"
ACS authentication report shows the TACACS+ authentication request ended with error error message.
Solution
This occurs when the TACACS authentication has the Service Type set to PPP. Refer to Cisco bug ID CSCte16911 (registered customers only) for more information.
Problem: "Radius Authentication Request Rejected due to critical logging error"
Radius authentication is rejected with the Radius Authentication Request Rejected due to critical logging error error message.
Solution
This error is detailed in Cisco bug ID CSCth66302 (registered customers only).
Problem: Unable to use an SSH session for the RADIUS IETF attribute "Login-Service"
Unable to use an SSH session for the RADIUS IETF attribute "Login-Service".
Solution
It is not possible to use an SSH session as a value of the RADIUS IETF attribute Login-Service. The values of this attribute are fixed by the RADIUS RFC, which defines Telnet, Rlogin, TCP Clear and similar services but no SSH value, and ACS does not allow the standard IETF attribute definitions to be changed.
Related Information
- Cisco Secure Access Control Server for Windows Support Page
- Configuration Guide for Cisco Secure ACS 4.1
- Cisco Secure ACS Online Troubleshooting Guide, 4.1
- Technical Support & Documentation - Cisco Systems
Updated: Oct 03, 2008 | Document ID: 99449