Troubleshooting CSACS for Windows

As with any hardware or software product, sometimes you need to troubleshoot issues. Depending on the type of failure, there are procedures to help with your troubleshooting.

Authentication Failures

Figure 5.9 shows the main reports window that you can use to access the Failed Attempts report.

The first place to check when troubleshooting is the failed attempts report.

If there is no entry in the failed attempts report, you will have to do a little bit more digging. First, ensure that you have connectivity from the NAS to the ACS. If using an external database server, ensure that you have connectivity from the ACS to the external database server. Have you configured AAA accounting on the router? Have you configured the NAS correctly by defining the ACS with the tacacs-server command or the radius-server command? Have you configured the NAS in the ACS?

Check connectivity by pinging and ensure that AAA accounting on the router is configured.

Authorization Failures

Ensure that you have properly configured the ACS to provide for service authorization. The "proxyacl" entries define the user access privileges on the ACS. You configure these proxyacl entries, and these entries are similar to access lists in format. A sample entry in the ACS might be proxyacl#1=permit tcp any any eq 80 . Figure 5.10 shows a sample configuration using proxyacls for a group. Users can then be placed in this specific group and be authorized to perform only specific activities that you define with the proxyacl statements.

You can only configure proxyacl s that use the permit keyword. All users must be configured with a privilege level equal to 15.