Cisco MDS SanOS Troubleshooting Guide -- Troubleshooting RADIUS and TACACS+

From DocWiki

(Difference between revisions)
Jump to: navigation, search
(Verifying TACACS Configuration Using Fabric Manager)
(Verifying TACACS Configuration Using the CLI)
Line 242: Line 242:
----
----
-
'''Step 1 '''[[Image:blank.gif]]Use the '''show''' <span style="font-style: normal">'''<font color="Black">tacacs</font>'''</span>'''-server''' command to display configured TACACS parameters.
+
1. Use the '''show''' <span style="font-style: normal">'''<font color="Black">tacacs</font>'''</span>'''-server''' command to display configured TACACS parameters.
 +
<pre>
 +
switch# show tacacs-server
 +
Global TACACS+ shared secret:***********
 +
timeout value:30
 +
total number of servers:3
 +
following TACACS+ servers are configured:
 +
        11.5.4.3:
 +
                available on port:2
 +
        cisco.com:
 +
                available on port:49
 +
        11.6.5.4:
 +
                available on port:49
 +
                TACACS+ shared secret:*****
 +
</pre>
-
<div class="pEx1_Example1">
+
2. Use the <span style="font-style: normal">'''<font color="Black">tacacs-server host </font>'''</span><span style="font-weight: normal">''<font color="Black">ip-address</font>''</span><span style="font-style: normal">'''<font color="Black"> key </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the preshared key to match what is configured on your TACACS server.
-
switch# '''show tacacs-server
+
3. Use the <span style="font-style: normal">'''<font color="Black">tacacs-server host </font>'''</span><span style="font-weight: normal">''<font color="Black">ip-address</font>''</span><span style="font-style: normal">'''<font color="Black"> port </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the communications port to match what is configured on your TACACS server.
-
'''
+
-
</div>
+
4. Use the <span style="font-style: normal">'''<font color="Black">tacacs-server timeout </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the<span style="font-style: normal">'''<font color="Black"> </font>'''</span>period in seconds for the switch to wait for a response from all TACACS servers before the switch declares a timeout failure.
-
<div class="pEx1_Example1">
+
5. Use the <span style="font-style: normal">'''<font color="Black">tacacs commit </font>'''</span>command to commit any changes and distribute to all switches in the fabric.
-
 
+
-
Global TACACS  shared secret:<span style="font-style: normal">'''<font color="Black"><nowiki>***********
+
-
</nowiki></font>'''</span>
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
timeout value:<span style="font-style: normal">'''<font color="Black">30
+
-
</font>'''</span>
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
total number of servers:3
+
-
 
+
-
</div><div class="pPreformatted">
+
-
 
+
-
+
-
<br />
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
following TACACS  servers are configured:
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
        11.5.4.3:
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
                available on port<span style="font-style: normal">'''<font color="Black"><nowiki>:2
+
-
</nowiki></font>'''</span>
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
        cisco.com:
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
                available on port:49
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
        11.6.5.4:
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
                available on port:49
+
-
 
+
-
</div>
+
-
 
+
-
<div class="pEx1_Example1">
+
-
 
+
-
                TACACS  shared secret:*****
+
-
 
+
-
</div><div class="pPreformatted">
+
-
 
+
-
+
-
<br />
+
-
 
+
-
</div>
+
-
 
+
-
'''Step 2 '''[[Image:blank.gif]]Use the <span style="font-style: normal">'''<font color="Black">tacacs-server host </font>'''</span><span style="font-weight: normal">''<font color="Black">ip-address</font>''</span><span style="font-style: normal">'''<font color="Black"> key </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the preshared key to match what is configured on your TACACS server.
+
-
 
+
-
'''Step 3 '''[[Image:blank.gif]]Use the <span style="font-style: normal">'''<font color="Black">tacacs-server host </font>'''</span><span style="font-weight: normal">''<font color="Black">ip-address</font>''</span><span style="font-style: normal">'''<font color="Black"> port </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the communications port to match what is configured on your TACACS server.
+
-
 
+
-
'''Step 4 '''[[Image:blank.gif]]Use the <span style="font-style: normal">'''<font color="Black">tacacs-server timeout </font>'''</span>command to<span style="font-style: normal">'''<font color="Black"> </font>'''</span>set the<span style="font-style: normal">'''<font color="Black"> </font>'''</span>period in seconds for the switch to wait for a response from all TACACS servers before the switch declares a timeout failure.
+
-
 
+
-
'''Step 5 '''[[Image:blank.gif]]Use the <span style="font-style: normal">'''<font color="Black">tacacs commit </font>'''</span>command to commit any changes and distribute to all switches in the fabric.
+
----
----

Revision as of 12:27, 26 July 2010

Contents



Troubleshooting RADIUS and TACACS

The authentication, authorization, and accounting (AAA) mechanism verifies the identity of, grants access to, and tracks the actions of users managing a switch. All Cisco MDS 9000 Family switches use the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS ) protocols to provide solutions using remote AAA servers.

This section includes the following sections:

  • AAA Overview
  • Initial Troubleshooting Checklist
  • AAA Issues
  • Troubleshooting RADIUS and TACACS+ With Cisco ACS

AAA Overview

Based on the user ID and password combination provided, switches perform local authentication or authorization using the local database or remote authentication or authorization using AAA server(s). A preshared secret key provides security for communication between the switch and AAA servers. This secret key can be configured as a global key for all AAA servers or on a per AAA server basis. This security mechanism provides a central management capability for AAA servers.


Note Note: Users authenticated through a remote AAA server cannot create jobs using the command scheduler.

Initial Troubleshooting Checklist

Begin troubleshooting AAA issues by checking the following issues:

Checklist
Check off

Use the test aaa server CLI command to verify connectivity to your AAA server.

Verify that you have assigned appropriate attributes on your AAA server for user roles.

Verify that the preshared key is the same on both the switch and the AAA server.

Verify that you have no all-numeric users or passwords configured.


Common Troubleshooting Tools in Fabric Manager

Use the following Fabric Manager procedures to troubleshoot AAA issues:

  • Choose Switches > Security > AAA > RADIUS to view the RADIUS configuration.
  • Choose Switches > Security > AAA > TACACS to view the TACACS configuration.
  • Choose Switches > Security > AAA to view server group and AAA monitor deadtime values.

Common Troubleshooting Commands in the CLI

Use the following CLI commands to troubleshoot AAA issues:

  • show aaa authentication
  • show user-account
  • show radius status
  • show radius-server
  • show tacacs status
  • show tacacs-server

Use the following debug commands to determine the root cause of an issue:

  • debug radius aaa-request
  • debug radius aaa-request-lowlevel
  • debug tacacs aaa-request and
  • debug tacacs aaa-request-lowlevel

AAA Issues

This section describes common AAA issues and includes the following topics:

  • Switch Does Not Communicate with AAA Server
  • User Authentication Fails
  • User Is Not in Any Configured Role
  • User Cannot Access Certain Features

Switch Does Not Communicate with AAA Server

Multiple misconfigurations can result in an AAA server that the Cisco SAN-OS switch does not communicate with.

Symptom Switch does not communicate with AAA server.

Table 17-1 Switch Does Not Communicate with AAA Server
Symptom
Possible Cause
Solution

Switch does not communicate with AAA server.

Incorrect authentication or accounting port configured.

Reconfigure the authentication or accounting ports to match those configured on the AAA server.

For RADIUS servers, see the "Verifying RADIUS Configuration Using Fabric Manager" section or the "Verifying RADIUS Configuration Using the CLI" section.

For TACACS servers, see the "Verifying TACACS Configuration Using Fabric Manager" section or the "Verifying TACACS Configuration Using the CLI" section.

Incorrect preshared key configured.

Reconfigure the same preshared key on the switch and the AAA server.

For RADIUS servers, see the "Verifying RADIUS Configuration Using Fabric Manager" section or the "Verifying RADIUS Configuration Using the CLI" section.

For TACACS servers, see the "Verifying TACACS Configuration Using Fabric Manager" section or the "Verifying TACACS Configuration Using the CLI" section.

AAA server monitor deadtime set to high.

Set the deadtime lower to bring AAA servers active more quickly.

For RADIUS servers, see the "Verifying RADIUS Server Monitor Configuration Using Fabric Manager" section or the "Verifying RADIUS Server Monitor Configuration Using the CLI" section.

For TACACS servers, see the "Verifying TACACS Server Monitor Configuration Using Fabric Manager" section or the "Verifying TACACS Server Monitor Configuration Using the CLI" section.

Timeout value too low.

Change server timeout value to ten seconds or higher.

For RADIUS servers, see the "Verifying RADIUS Server Monitor Configuration Using Fabric Manager" section or the "Verifying RADIUS Server Monitor Configuration Using the CLI" section.

For TACACS servers, see the "Verifying TACACS Server Monitor Configuration Using Fabric Manager" section or the "Verifying TACACS Server Monitor Configuration Using the CLI" section.


Verifying RADIUS Configuration Using Fabric Manager

To verify or change the RADIUS configuration using Fabric Manager, follow these steps:


1. Choose Switches > Security > AAA > RADIUS and select the Servers tab. You see the RADIUS configuration in the Information pane.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new RADIUS server.

4. Set the KeyType and Key fields to the preshared key configured on the RADIUS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the RADIUS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Select the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.


Verifying RADIUS Configuration Using the CLI

To verify or change the RADIUS configuration using the CLI, follow these steps:


1. Use the show radius-server command to display configured RADIUS parameters.

switch# show radius-server 
Global RADIUS shared secret:*******
retransmission count:5
timeout value:10
following RADIUS servers are configured:
        myradius.cisco.users.com:
                available for authentication on port:1812
                available for accounting on port:1813
        10.1.1.1:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:******
        10.2.2.3:
                available for authentication on port:1812
                available for accounting on port:1813
                RADIUS shared secret:******

2. Use the radius-server host ip-address key command to set the preshared key to match what is configured on your RADIUS server.

3. Use the radius-server host ip-address auth-port command to set the authentication port to match what is configured on your RADIUS server.

4. Use the radius-server host ip-address acc-port command to set the accounting port to match what is configured on your RADIUS server.

5. Use the radius-server timeout command to set the period in seconds for the switch to wait for a response from all RADIUS servers before the switch declares a timeout failure.

6. Use the radius commit command to commit any changes and distribute to all switches in the fabric.


Verifying TACACS Configuration Using Fabric Manager

To verify or change the TACACS configuration using Fabric Manager, follow these steps:


1. Choose Switches > Security > AAA > TACACS and select the Servers tab. You see the TACACS configuration in the Information panel.

2. Highlight the server that you need to change and click Delete Row to delete this server configuration.

3. Click Create Row to add a new TACACS server.

4. Set the KeyType and Key fields to the preshared key configured on the TACACS server.

5. Set the AuthPort and AcctPort fields to the authentication and accounting ports configured on the TACACS server.

6. Set the TimeOut value and click Apply to save these changes.

7. Select the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.


Verifying TACACS Configuration Using the CLI

To verify or change the TACACS configuration using the CLI, follow these steps:


1. Use the show tacacs-server command to display configured TACACS parameters.

switch# show tacacs-server
Global TACACS+ shared secret:***********
timeout value:30
total number of servers:3
following TACACS+ servers are configured:
        11.5.4.3:
                available on port:2
        cisco.com:
                available on port:49
        11.6.5.4:
                available on port:49
                TACACS+ shared secret:*****

2. Use the tacacs-server host ip-address key command to set the preshared key to match what is configured on your TACACS server.

3. Use the tacacs-server host ip-address port command to set the communications port to match what is configured on your TACACS server.

4. Use the tacacs-server timeout command to set the period in seconds for the switch to wait for a response from all TACACS servers before the switch declares a timeout failure.

5. Use the tacacs commit command to commit any changes and distribute to all switches in the fabric.


Verifying RADIUS Server Monitor Configuration Using Fabric Manager

To verify or change the RADIUS server monitor configuration using Fabric Manager, follow these steps:


Step 1 File:Blank.gifChoose Switches > Security > AAA > RADIUS and select the Servers tab. You see the RADIUS configuration in the Information panel.

Step 2 File:Blank.gifHighlight the server that you need to change and click Delete Row to delete this server configuration.

Step 3 File:Blank.gifClick Create Row to add a new RADIUS server.

Step 4 File:Blank.gifSet the KeyType and Key fields to the preshared key configured on the RADIUS server.

Step 5 File:Blank.gifSet the AuthPort and AcctPort fields to the authentication and accounting ports configured on the RADIUS server.

Step 6 File:Blank.gifSet the Idle Time to configure the time that the switch waits for a RADIUS server to be idle before sending a test message to see if the server is still alive.

Step 7 File:Blank.gifSet the TimeOut value and click Apply to save these changes.

Step 8 File:Blank.gifSelect the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Step 9 File:Blank.gifChoose Switches > Security > AAA and click Create Row to create a server group.

Step 10 File:Blank.gifCheck the list of switches that you want to configure server groups on.

Step 11 File:Blank.gifSet the Server List field to a comma-separated list of RADIUS servers.

Step 12 File:Blank.gifSet the Deadtime field to configure the time that the switch waits before retesting a dead server. and click Apply to save these changes.


Verifying RADIUS Server Monitor Configuration Using the CLI

To verify or change the RADIUS server monitor configuration using the CLI, follow these steps:


Step 1 File:Blank.gifUse the show running-config command to view the RADIUS configuration for the server monitor.

switch# show running-config | begin radius

radius-server deadtime 40

radius-server host 10.1.1.1 key 7 "VagwwtFjq" authentication accounting timeout 20 
retransmit 5
radius-server host 10.1.1.1 test idle-time 30



Step 2 File:Blank.gifUse the radius-server host ip address test idle-time command to configure the time that the switch waits for a RADIUS server to be idle before sending a test message to see if the server is still alive.

Step 3 File:Blank.gifUse the radius-server deadtime command to configure the time that the switch waits before retesting a dead server.

Step 4 File:Blank.gifUse the radius commit command to commit any changes and distribute to all switches in the fabric.


Verifying TACACS Server Monitor Configuration Using Fabric Manager

To verify or change the TACACS server monitor configuration using Fabric Manager, follow these steps:


Step 1 File:Blank.gifChoose Switches > Security > AAA > TACACS and select the Servers tab. You see the TACACS configuration in the Information panel.

Step 2 File:Blank.gifHighlight the server that you need to change and click Delete Row to delete this server configuration.

Step 3 File:Blank.gifClick Create Row to add a new TACACS server.

Step 4 File:Blank.gifSet the KeyType and Key fields to the preshared key configured on the TACACS server.

Step 5 File:Blank.gifSet the AuthPort and AcctPort fields to the authentication and accounting ports configured on the TACACS server.

Step 6 File:Blank.gifSet the Idle Time field to configure the time that the switch waits for a TACACS server to be idle before sending a test message to see if the server is still alive.

Step 7 File:Blank.gifSet the TimeOut value and click Apply to save these changes.

Step 8 File:Blank.gifSelect the CFS tab and select commit from the Config Action drop-down menu and click Apply Changes to distribute these changes to all switches in the fabric.

Step 9 File:Blank.gifChoose Switches > Security > AAA and click Create Row to create a server group.

Step 10 File:Blank.gifCheck the list of switches that you want to configure server groups on.

Step 11 File:Blank.gifSet the Server List field to a comma-separated list of TACACS servers.

Step 12 File:Blank.gifSet the Deadtime field to configure the time that the switch waits before retesting a dead server. and click Apply to save these changes.


Verifying TACACS Server Monitor Configuration Using the CLI

To verify or change the TACACS server monitor configuration using the CLI, follow these steps:


Step 1 File:Blank.gifUse the show running-config command to view the TACACS configuration for the server monitor.

switch# show running-config | begin tacacs

tacacs-server deadtime 40

tacacs-server host 11.6.5.4 key 7 "VagwwtFjq" 
tacacs-server host 11.6.5.4 test idle-time 30



Step 2 File:Blank.gifUse the tacacs-server host ip address test idle-time command to configure the time that the switch waits for a TACACS server to be idle before sending a test message to see if the server is still alive.

Step 3 File:Blank.gifUse the tacacs-server deadtime command to configure the time that the switch waits before retesting a dead server.

Step 4 File:Blank.gifUse the tacacs commit command to commit any changes and distribute to all switches in the fabric.


User Authentication Fails

Symptom   User authentication fails.

Table 17-2 User Authentication FailsÂ
Symptom
Possible Cause
Solution

User authentication fails.

Incorrect AAA method configured.

Verify that the AAA method configured lists the appropriate RADIUS or TACACs server-group as the first one.

For RADIUS servers, see the [#wp36461 "Verifying RADIUS Configuration Using Fabric Manager" section] or the [#wp42906 "Verifying RADIUS Configuration Using the CLI" section].

For TACACS servers, see the [#wp43284 "Verifying TACACS Configuration Using Fabric Manager" section] or the [#wp42914 "Verifying TACACS Configuration Using the CLI" section].

Incorrect authentication port configured or incorrect server timeout value.

Reconfigure the authentication port to match those configured on the AAA server or set a higher timeout value.

For RADIUS servers, see the [#wp36461 "Verifying RADIUS Configuration Using Fabric Manager" section] or the [#wp42906 "Verifying RADIUS Configuration Using the CLI" section].

For TACACS servers, see the [#wp43284 "Verifying TACACS Configuration Using Fabric Manager" section] or the [#wp42914 "Verifying TACACS Configuration Using the CLI" section].

User not configured on the AAA server.

Add the user name, password, and role to the AAA server. Refer to your server documentation.

AAA server not configured in the server group.

Add the appropriate AAA server to the configured server group.

For RADIUS servers, see the [#wp44556 "Verifying RADIUS Server Groups Using Fabric Manager" section] or the [#wp44561 "Verifying RADIUS Server Groups Using the CLI" section].

For TACACS servers, see the [#wp44573 "Verifying TACACS Server Groups Using Fabric Manager" section] or the [#wp44578 "Verifying TACACS Server Groups Using the CLI" section].


Verifying RADIUS Server Groups Using Fabric Manager

To verify or change the RADIUS server groups using Fabric Manager, follow these steps:


Step 1 File:Blank.gifChoose Switches > Security > AAA and click Create Row to create a server group.

Step 2 File:Blank.gifCheck the list of switches that you want to configure server groups on.

Step 3 File:Blank.gifSet the Server List field to a comma-separated list of RADIUS servers.

Step 4 File:Blank.gifSet the Deadtime field to configure the time that the switch waits before retesting a dead server. and click Apply to save these changes.


Verifying RADIUS Server Groups Using the CLI

To verify or change the RADIUS server groups using the CLI, follow these steps:


Step 1 File:Blank.gifUse the show running-config command to view the RADIUS configuration for the server groups.

switch# show running-config | begin aaa

aaa group server radius RadiusGroup
    server 10.1.1.1
    server 10.2.3.4



aaa group server tacacs TacacsGroup
    server 11.5.4.3
    server 11.6.5.4



Step 2 File:Blank.gifUse the aaa group server radius command to configure the RADIUS servers that you want in this server group.


Note File:Blank.gifCFS does not distribute AAA server groups. You must copy this configuration to all relevant switches in the fabric.



Verifying TACACS Server Groups Using Fabric Manager

To verify or change the TACACS server groups using Fabric Manager, follow these steps:


Step 1 File:Blank.gifChoose Switches > Security > AAA and click Create Row to create a server group.

Step 2 File:Blank.gifCheck the list of switches that you want to configure server groups on.

Step 3 File:Blank.gifSet the Server List field to a comma-separated list of TACACS servers.

Step 4 File:Blank.gifSet the Deadtime field to configure the time that the switch waits before retesting a dead server. and click Apply to save these changes.


Verifying TACACS Server Groups Using the CLI

To verify or change the TACACS server groups using the CLI, follow these steps:


Step 1 File:Blank.gifUse the show running-config command to view the TACACS configuration for the server groups.

switch# show running-config | begin aaa

aaa group server radius RadiusGroup
    server 10.1.1.1
    server 10.2.3.4



aaa group server tacacs TacacsGroup
    server 11.5.4.3
    server 11.6.5.4



Step 2 File:Blank.gifUse the aaa group server tacacs command to configure the TACACS servers that you want in this server group.


Note File:Blank.gifCFS does not distribute AAA server groups. You must copy this configuration to all relevant switches in the fabric.



User Is Not in Any Configured Role

Symptom   User is not in any configured role.

Table 17-3 User Is Not In Any Configured RoleÂ
Symptom
Possible Cause
Solution

User is not in any configured role.

User configuration on AAA server does not have role attributes set.

For RADIUS, configure the vendor-specific attributes on the server for the role using:

Cisco-AVPair = shell:roles="rolename1 rolename2".

For TACACS , configure the attribute and value pair on the server for the role using:

roles="rolename1 rolename2".

Verify that all roles are defined on the switch.


User Cannot Access Certain Features

Symptom   User cannot access certain features.

Table 17-4 User Cannot Access Certain FeaturesÂ
Symptom
Possible Cause
Solution

User cannot access certain features.

User is assigned incorrect role.

For RADIUS, configure the vendor-specific attributes on the server for the role using:

Cisco-AVPair = shell:roles="rolename1 rolename2".

For TACACS , configure the attribute/value pair on the server for the role using:

roles="rolename1 rolename2".

Verify that all roles are defined on the switch.

Role is not configured for appropriate access.

See [ts_roles.html#wpxref83960 Chapter 18, "Troubleshooting Users and Roles."]


Troubleshooting RADIUS and TACACS With Cisco ACS

To troubleshoot RADIUS and TACACS issues with Cisco ACS, follow these steps:


Step 1 File:Blank.gifChoose Network Configuration using Cisco ACS and view the AAA Clients table to verify that the Cisco SAN-OS switch is configured as an AAA client on Cisco ACS.

Step 2 File:Blank.gifChoose User Setup > User Data Configuration to verify that the user is configured.

Step 3 File:Blank.gifView the Cisco IOS/PIX RADIUS Attributes setting for a user. Verify that the user is assigned the correct roles in the AV-pairs. For example, shell:roles="network-admin".


Note File:Blank.gifThe Cisco IOS/PIX RADIUS Attributes field is case-sensitive. Verify that the role listed in the AV-pair exists on the Cisco SAN-OS switch.


Step 4 File:Blank.gifIf the Cisco IOS/PIX RADIUS Attributes field is not present, follow these steps:

a. File:Blank.gifChoose Interface > RADIUS (Cisco IOS/PIX).

b. File:Blank.gifCheck the User and Group check boxes for the cisco-av-pair option and click Submit.

c. File:Blank.gifChoose User Setup > User Data Configuration and add the AV-pair to assign the correct role to each user.

Step 5 File:Blank.gifChoose System Configuration > Logging to activate logs to look for reasons for failed authentication attempts.

Step 6 File:Blank.gifChoose Reports and Activity to view the resulting logs.

Step 7 File:Blank.gifOn the Cisco SAN-OS switch, use the show radius-server command to verify that the RADIUS server timeout value is set to 5 seconds or greater.


Refer to the User guide for Cisco Secure ACS at the following website for more information:

http://cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_list.html










Back to Main Page: Cisco MDS SAN-OS Troubleshooting Guide

Rating: 5.0/5 (1 vote cast)

Personal tools