Debug issues – Cisco 3.3 User Manual

Appendix A Troubleshooting

Debug Issues

A-14

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Debug Issues

Condition

Recovery Action

When you run debug aaa
authentication on the AAA
client, Cisco Secure ACS returns
a failure message.

The configurations of the AAA client or Cisco Secure ACS are
likely to be at fault.

From within Cisco Secure ACS confirm the following:

Cisco Secure ACS is receiving the request. This can be done by
viewing the Cisco Secure ACS reports. What does or does not
appear in the reports may provide indications that your
Cisco Secure ACS is misconfigured.

From the AAA client, confirm the following:

•

The command ppp authentication pap is entered for each
interface if authentication against the Windows user database is
being used.

•

The command ppp authentication chap pap is entered for
each interface if authentication against the CiscoSecure user
database is being used.

•

The AAA and TACACS+ or RADIUS configuration is correct
in the AAA client.

When you run debug aaa
authentication and debug aaa
authorization on the AAA
client, Cisco Secure ACS returns
a

PASS

for authentication, but

returns a

FAIL

for authorization.

This problem occurs because authorization rights are not correctly
assigned.

Examine the following:

•

Check failed attempts reports under Reports and Activities to
see if any services/protocols are being denied for the user.

•

From User Setup, confirm that the user is assigned to a group
that has the correct authorization rights. Authorization rights
can be modified under Group Setup or User Setup. User settings
override group settings.

•

If a specific attribute for TACACS+ or RADIUS is not
displayed within the Group Setup section, this may indicate that
it has not been enabled in Interface Configuration: TACACS+
(Cisco IOS) or RADIUS.