Troubleshooting Extended Configurations


Troubleshooting can be a difficult task as your network grows and your ACS configuration becomes more complex. This section provides tips to help minimize the difficulty of troubleshooting extended configurations.

When troubleshooting a new configuration, the steps you take often differ from those for an existing configuration. Because a new configuration has never worked, there are usually more possible points of origin for the error. The following subsections therefore give hints for both new and existing configurations.

Troubleshooting New Downloadable ACL Configurations

If you experience difficulties when configuring downloadable ACLs for the first time, here is a list of possible issues and verification checks you should make:

  • Verify that you have communication between ACS and the firewall.

  • Verify that the firewall and the ACS device are using the RADIUS protocol for communications. Downloadable ACLs depend on this.

  • Verify that the downloadable ACL is applied to the user or group profile.

  • Ensure that the ACS services were restarted after the ACL was applied to the group.

  • Use the debug radius all command on the firewall to see the RADIUS exchange between the firewall and ACS, including the attributes returned in the Access-Accept.

  • Ensure that the user can authenticate through ACS without a downloadable ACL applied.

  • Use the show uauth command to ensure that the ACL is applied to the user that is authenticated.

  • If the ACL is being downloaded and the user is unable to access the desired service, ensure that the ACL is created properly. Also ensure that an ACL applied to an interface does not conflict with the downloaded ACL.

  • Ensure that AAA authentication is configured on the firewall.

NOTE

You do not need to configure AAA authorization. In RADIUS, authorization is performed as part of authentication: the authorization attributes arrive in the Access-Accept. If you attempt to configure authorization with RADIUS, you receive the following error message: "Authorization is not supported in RADIUS."


Troubleshooting Existing Downloadable ACL Configurations

If you are troubleshooting an existing configuration of downloadable ACLs, here are some tips and steps that you can use:

  • Verify that you have communication between ACS and the firewall.

  • Verify that the username and password entered are correct.

  • Ensure that the downloadable IP ACL is still applied to the user or group.

  • Use the debug radius all command on the firewall to see the RADIUS exchange between the firewall and ACS.

  • Use the show uauth command to ensure that the ACL is applied to the user that is authenticated.

  • If the ACL is being downloaded and the user is unable to access the desired service, ensure that the ACL allows that service.
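The two downloadable-ACL checklists above both come down to the same RADIUS exchange: the firewall must be talking RADIUS to ACS with the right shared secret, and the Access-Accept must carry the ACL. The following Python is an added example, not code from the book, that builds and decodes that exchange offline. The packet layout follows RFC 2865 and the Cisco vendor-specific attribute encoding (vendor 9, cisco-av-pair); the ACS:CiscoSecure-Defined-ACL and ip:inacl#N av-pairs are the ones ACS uses to hand a PIX first the name and then the body of a downloadable ACL. The shared secret, request authenticator, ACL name and ACEs are all constructed for the example; in practice the debug radius all output on the firewall is where you would see these attributes.

```python
"""Decode a RADIUS Access-Accept carrying a downloadable ACL, and check its
Response Authenticator against the shared secret.

Added example, not code from the book. Packet layout follows RFC 2865 and the
Cisco VSA encoding (vendor 9, cisco-av-pair); the ACS:CiscoSecure-Defined-ACL
and ip:inacl#N av-pairs are the ones ACS uses to hand a PIX the name and then
the body of a downloadable ACL. All packets, keys and names are constructed."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID, CISCO_AV_PAIR = 9, 1
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def cisco_avpair(value: str) -> bytes:
    """Encode one cisco-av-pair as a Vendor-Specific (26) attribute."""
    data = value.encode()
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AV_PAIR, 2 + len(data)) + data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(vsa)) + vsa


def build_access_accept(ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was computed with `secret`; a key typo on either side fails here."""
    head, resp_auth, attrs = pkt[:4], pkt[4:HEADER_LEN], pkt[HEADER_LEN:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def parse_attributes(pkt: bytes) -> List[Tuple[object, object]]:
    """Walk the attribute list; Cisco VSAs come back as ('cisco-av-pair', text)."""
    _, _, length = struct.unpack("!BBH", pkt[:4])
    out, i = [], HEADER_LEN
    while i + 2 <= length:
        attr_type, attr_len = pkt[i], pkt[i + 1]
        if attr_len < 2 or i + attr_len > length:
            break  # malformed attribute: stop instead of looping or over-reading
        val = pkt[i + 2:i + attr_len]
        if attr_type == ATTR_VENDOR_SPECIFIC and len(val) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", val[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AV_PAIR:
                out.append(("cisco-av-pair", val[6:4 + vlen].decode(errors="replace")))
            else:
                out.append((("vsa", vendor, vtype), val[6:]))
        else:
            out.append((attr_type, val))
        i += attr_len
    return out


def downloadable_acl_name(pkt: bytes) -> Optional[str]:
    """Name of the ACL the Access-Accept tells the firewall to fetch, if any."""
    for name, val in parse_attributes(pkt):
        if name == "cisco-av-pair" and val.startswith("ACS:CiscoSecure-Defined-ACL="):
            return val.split("=", 1)[1]
    return None


def downloaded_aces(pkt: bytes) -> List[str]:
    """ACEs from the second Access-Accept, in ip:inacl#N order."""
    aces = []
    for name, val in parse_attributes(pkt):
        if name == "cisco-av-pair" and val.startswith("ip:inacl#"):
            idx, ace = val[len("ip:inacl#"):].split("=", 1)
            aces.append((int(idx), ace))
    return [ace for _, ace in sorted(aces)]


SECRET = b"acs-shared-key"   # constructed shared secret
REQ_AUTH = bytes(range(16))  # constructed; a real one is 16 random bytes chosen by the PIX


def demo() -> dict:
    # First exchange: the user authenticates; ACS returns only the ACL's name.
    attrs = cisco_avpair("ACS:CiscoSecure-Defined-ACL=#ACSACL#-PIX-web_only-3f2a1c")
    accept = build_access_accept(7, REQ_AUTH, attrs, SECRET)
    # Second exchange: the PIX sends that name as the User-Name and gets the ACL body back.
    body = (cisco_avpair("ip:inacl#1=permit tcp any host 10.1.1.5 eq 80")
            + cisco_avpair("ip:inacl#2=deny ip any any"))
    accept2 = build_access_accept(8, REQ_AUTH, body, SECRET)
    return {
        "authenticator_ok": verify_response(accept, REQ_AUTH, SECRET),
        "wrong_secret_ok": verify_response(accept, REQ_AUTH, b"typo-in-key"),
        "acl_name": downloadable_acl_name(accept),
        "aces": downloaded_aces(accept2),
    }


if __name__ == "__main__":
    print(demo())
```

The wrong_secret_ok result is the "secret keys match" check in packet form: a firewall whose key differs from the one configured in ACS discards the Access-Accept as if it had never arrived, so the user fails authentication before any ACL can be applied. If authentication succeeds but show uauth lists no access-list for the user, look in the debug output for the ACS:CiscoSecure-Defined-ACL av-pair; its absence means the ACL is not applied to the user or group profile on the ACS side.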

Troubleshooting New NAR Configurations

If you experience difficulties when configuring NARs for the first time, here is a list of possible issues and verification checks you should consider:

  • Ensure that the IP address in the NAR matches that of the AAA client, and not the user that attempts authentication.

  • If you are using non-IP-based NARs, ensure that the CLID and DNIS match those of the AAA client, and not the user that attempts authentication.

  • Ensure that the NAR is assigned to the group of which the user authenticating is a member.

  • If applying a NAR to a user, ensure that the option is configured in the user profile.

Troubleshooting Existing NAR Configurations

If troubleshooting an existing configuration of NARs, here is a list of possible issues and verification checks you should make:

  • Ensure that the AAA client still has connectivity to the ACS device.

  • Ensure that the secret keys match on both the AAA client and ACS.

  • Ensure that the user is authenticating through the correct AAA client.

Troubleshooting New Command Authorization Set Configurations

When configuring command authorization for the first time, there is a real chance of locking yourself out of your network devices. In this section, you can find a number of tips to help minimize the risk of needing to perform password recovery procedures:

  • If you are on a router and the router is remote, set the configuration register value to 0x2002. This allows you to issue a break into ROMMON if you do get locked out of the device. Do not leave the configuration register set to this value: it lets anyone with console access break into ROMMON and bypass the configuration, which is a security risk.

  • Try to use a lab or nonproduction network to configure command authorization. A PIX 501 or Cisco 800 series router provides an economical means for testing features of both the Cisco IOS and PIX OS.

  • Don't save your AAA configuration until after command authorization is successful.

  • Ensure that the AAA client (the router or firewall) has connectivity to ACS.

  • Ensure that the secret key matches on both the AAA client and ACS.

  • If configuring PIX command authorization, ensure that you are using shell command authorization sets, and not PIX command authorization sets.

  • Ensure that the authorization set is applied to the group profile.

  • If performing command authorization for a specific user, ensure that the authorization set is applied to the user profile.

  • Authorization must be configured on the AAA client.

Troubleshooting Existing Command Authorization Set Configurations

If you are troubleshooting an existing configuration of command authorization sets, here are tips to assist in troubleshooting:

  • Ensure that the authorization set is applied to the group profile.

  • If performing command authorization for a specific user, ensure that the authorization set is applied to the user profile.

  • Ensure that the AAA client (the router or firewall) has connectivity to ACS.

  • Ensure that the secret key matches on both the AAA client and ACS.

  • Ensure that the AAA commands are configured on the AAA client.

  • Refrain from saving your configuration while setting up command authorization until command authorization is successful. If you make a mistake, you can recover by reloading, which restores the last saved configuration.
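Both command authorization checklists above rely on the AAA client reaching ACS with a matching shared key and on authorization actually being sent for each command. The following Python is an added example, not code from the book, that builds the authorization request an IOS or PIX AAA client sends when a user types show running-config, obfuscates it with the shared key, and shows what ACS sees when the keys disagree. The page does not name the protocol; ACS command authorization sets run over TACACS+, and the header, body and MD5 pseudo-pad below follow the TACACS+ specification (RFC 8907). The username, port, address, key and session id are constructed for the example.

```python
"""Build the TACACS+ authorization REQUEST an IOS/PIX AAA client sends to ACS
when a user types `show running-config`, obfuscate it with the shared key,
and show what a key mismatch does to it.

Added example, not code from the book. The page does not name the protocol;
ACS command authorization sets run over TACACS+, and the header, body and
MD5 pseudo-pad below follow the TACACS+ specification (RFC 8907). Every
username, port, address, key and session id is constructed."""
import hashlib
import struct
from typing import List, Tuple

TAC_PLUS_VERSION = 0xC0      # major 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02       # packet type: authorization
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: block n hashes the prefix plus block n-1."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user: str, port: str, rem_addr: str, args: List[str], priv_lvl: int = 15) -> bytes:
    """Authorization REQUEST body: fixed fields, one length byte per arg, then the strings."""
    fields = [user.encode(), port.encode(), rem_addr.encode()] + [a.encode() for a in args]
    if len(args) > 255 or any(len(f) > 255 for f in fields):
        raise ValueError("TACACS+ length fields are one byte")
    head = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(fields[0]), len(fields[1]), len(fields[2]), len(args))
    return head + bytes(len(f) for f in fields[3:]) + b"".join(fields)


def parse_author_request(body: bytes) -> Tuple[str, int, List[str]]:
    """Return (user, priv_lvl, args); raise ValueError when the lengths or text
    do not add up, which is what decrypting with the wrong key produces."""
    if len(body) < 8:
        raise ValueError("short body")
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    i = 8
    arg_lens = list(body[i:i + argc])
    i += argc
    if len(arg_lens) != argc or i + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match body")
    chunks = []
    for n in [ulen, plen, rlen] + arg_lens:
        chunks.append(body[i:i + n])
        i += n
    try:
        user, _port, _rem, *args = [c.decode("ascii") for c in chunks]
    except UnicodeDecodeError:
        raise ValueError("non-ASCII field") from None
    return user, priv_lvl, args


def tacacs_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte cleartext header followed by the obfuscated body (flags=0 means encrypted)."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_packet(pkt: bytes, key: bytes) -> Tuple[str, int, List[str]]:
    """What ACS does on receipt: read the header, de-obfuscate with its copy of the key, parse."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", pkt[:HEADER_LEN])
    body = obfuscate(pkt[HEADER_LEN:HEADER_LEN + length], session_id, key, version, seq_no)
    return parse_author_request(body)


KEY = b"acs-tacacs-key"  # constructed shared key


def demo() -> dict:
    # The av-pairs IOS sends for `show running-config` typed at privilege 15.
    args = ["service=shell", "cmd=show", "cmd-arg=running-config", "cmd-arg=<cr>"]
    body = build_author_request("netops", "tty2", "10.1.1.50", args)
    pkt = tacacs_packet(body, 0x1A2B3C4D, KEY)
    good = decode_packet(pkt, KEY)
    try:
        wrong = decode_packet(pkt, b"typo-in-key")
        wrong_key = "same" if wrong == good else "decoded-differently"
    except ValueError:
        wrong_key = "unparseable"
    return {"user": good[0], "priv_lvl": good[1], "args": good[2], "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

Two things to take from the demo. First, the header is sent in the clear, so a key mismatch does not stop the packet from arriving; ACS simply cannot make sense of the body, which is why a connectivity check alone is not enough and the key must be compared on both sides. Second, the request is only generated if the AAA client is configured to send authorization for the command's privilege level; if no request of this shape leaves the device, the command authorization set in ACS is never consulted no matter how it is applied to the group or user.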


Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173