This section provides a table that lists some basic problems and how to resolve them.
Scan the column on the left to identify the condition that you are trying to resolve; then, slowly and carefully go through each of the corresponding recovery actions offered in the column on the right.
Problem
| Recovery Action and Problem Explanation
|
---|
A dial-in user is unable to make a connection to the network access server.
No record of the attempt is displayed in either the Daily Accounting Reports (clicking Accounting within Reports & Activity) or Failed Attempts Reports (clicking Failed Attempts within Reports & Activity).
| Examine the EasyACS Reports or NAS Debug windows to help narrow the problem to a system error or a user error. Confirm the following:
- The dial-in user was able to ping the Windows NT server before CiscoSecure EasyACS was installed. If the dial-in user could not, then the problem is related to the network access server/modem configuration, not CiscoSecure EasyACS.
- LAN connections for both the network access server and the Windows NT Server supporting CiscoSecure EasyACS are physically connected.
- The IP address of the network access server in the CiscoSecure EasyACS configuration is correct.
- The IP address of CiscoSecure EasyACS in the network access server configuration is correct.
- The TACACS+ key is identical in both the network access server and EasyACS (case sensitive).
- The command `ppp authentication pap` is entered for each interface if the Windows NT User Database is being used.
- The command `ppp authentication chap pap` is entered for each interface if the CiscoSecure EasyACS Database is being used.
- The AAA and TACACS+ commands are correct in the network access server (the necessary commands are listed in \EasyACS\NASCONFIG.TXT and README.TXT files).
- All three CiscoSecure EasyACS Services are running (CSAdmin, CSAuth, CSTACACS) on the Windows NT Server.
|
A dial-in user is unable to make a connection to the network access server.
The Windows NT User Database is being used for authentication.
A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).
| The user information is not properly configured for authentication in Windows NT or EasyACS.
Confirm the Windows NT user database resides on the same machine as CiscoSecure EasyACS.
From the Windows NT User Manager, confirm:
- The username and password are configured in the Windows NT User Manager.
- The User Properties window does not have "User Must Change Password at Login" turned on.
- The User Properties window does not have "Account Disabled" turned on.
- The User Properties for Dialin window does not have "Grant dialin permission to user" disabled (turned off).
- The Windows NT Group User Right that the user is assigned to has "Log in Local" privileges; typically, this is not assigned by default when running CiscoSecure EasyACS on a PDC/BDC.
From within CiscoSecure EasyACS confirm:
- The first option for "NT User Database Authentication Options" in EasyACS Configuration (titled: "Check the NT User Database for authentication for EVERY first time dialin user") is turned on if Windows NT names are not going to be manually entered.
- If the username has already been entered into CiscoSecure EasyACS, the "Password Authentication" under User Setup has "Use Windows NT User Database" selected.
- If the username has already been entered into CiscoSecure EasyACS, the CiscoSecure EasyACS "Group" the user is assigned to has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit if a change has been made.
- Expiration information hasn't caused the failed authentication; set it to "Expiration: Never" for troubleshooting.
|
A dial-in user is unable to make a connection to the network access server.
The EasyACS Database is being used for authentication.
A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).
| From within CiscoSecure EasyACS confirm:
- The username has been entered into CiscoSecure EasyACS.
- The "Password Authentication" under User Setup has "Use EasyACS Database" selected and a password entered.
- Both options for "NT User Database Authentication Options" in EasyACS Configuration are turned off.
- The CiscoSecure EasyACS "Group" the user is assigned to has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit if a change has been made.
- Expiration information hasn't caused the failed authentication; set it to "Expiration: Never" for troubleshooting.
|
When running `debug aaa authentication` on the NAS, a "FAIL" is returned from CiscoSecure EasyACS.
| The configurations of the network access server or CiscoSecure EasyACS are likely to be at fault.
From within CiscoSecure EasyACS confirm:
- CiscoSecure EasyACS is receiving the request. This can be done by viewing the CiscoSecure EasyACS reports. Based on what does/doesn't appear in the reports and which database is being used, troubleshoot CiscoSecure EasyACS based on one of the first three listings in this matrix.
From the network access server, confirm:
- The command `ppp authentication pap` is entered for each interface if the Windows NT User Database is being used.
- The command `ppp authentication chap pap` is entered for each interface if the CiscoSecure EasyACS database is being used.
- The AAA and TACACS+ configuration is correct in the network access server (the necessary commands are listed in \EasyACS\NASCONFIG.TXT or README.TXT files).
|
When running `debug aaa authentication` and `debug aaa authorization` on the NAS, a "PASS" is returned for authentication, but a "FAIL" is returned for authorization.
| This problem occurs because authorization rights are not correctly assigned.
- From CiscoSecure EasyACS User Setup, confirm the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.
|
A dial-in user is unable to make a connection to the network access server; however, a Telnet connection can be authenticated across the LAN.
| This isolates the problem to one of three areas:
- Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.
- Confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.
- The CiscoSecure EasyACS or TACACS+ configuration is not correct in the network access server (the necessary commands are listed in \EasyACS\NASCONFIG.TXT or README.TXT files).
You can additionally verify CiscoSecure EasyACS connectivity as follows:
- Telnet to the access server.
- A successful authentication for Telnet confirms that CiscoSecure EasyACS is working with the network access server.
|
A dial-in user is unable to make a connection to the network access server, and a Telnet connection can't be authenticated across the LAN.
|
- Determine if CiscoSecure EasyACS is receiving the request. This can be done by viewing the EasyACS reports. Based on what does or doesn't appear in the reports and which database is being used, troubleshoot CiscoSecure EasyACS based on one of the first three listings in this matrix.
|
Need sample network access server or PIX configuration
|
- Open the README file; it has several configurations for both access servers and PIX Firewalls.
|
Internet Explorer not refreshing screen
|
- From the Internet Explorer menu bar, go to View/Options/Advanced/Settings and enable "Check for new versions of stored pages: Every visit to the page".
|
Browser can't bring up CiscoSecure EasyACS
|
- Open Internet Explorer or Netscape Navigator and select the Help/About option from the menu to determine the version of the browser. If you are running a version earlier than 3.0, CiscoSecure EasyACS will not run. Download version 3.0 software from the websites of one of those companies. These are the only browsers supported by CiscoSecure EasyACS.
|
Remote Administrator can't bring up EasyACS from his or her browser or receives a warning that access is not permitted.
|
- Verify that the version of the Microsoft or Netscape browser is 3.0.
- Add the IP address of the remote administrator to the "Remote Administration" section of EasyACS.
|
Under EXEC Commands, Cisco IOS commands are not being denied when checked
|
- Examine the Cisco IOS configuration at the network access server. If not already present, add the following Cisco IOS command to the network access server configuration:
aaa authorization commands <0-15> tacacs+
|
Remote administrator received an error message indicating that the changes can't be saved
|
- Click the browser Refresh button and re-enter the changes.
Two remote administrators were simultaneously making a change to the same record/group. CiscoSecure EasyACS detected the conflict and would not write over the other changes.
|
Administrator has been locked out of the network access server as a result of an incorrect configuration being set up in the network access server
|
- Try to connect directly to the network access server at the console port. If that isn't successful, consult your network access server documentation or go to the Cisco web page for service/support regarding this condition.
|
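
The NAS-side items in the matrix above (EasyACS IP address, case-sensitive TACACS+ key, per-interface `ppp authentication`, and `aaa authorization commands`) can be checked mechanically against a saved configuration. This is an added example, not part of the original document or of CiscoSecure EasyACS: the sample configuration, addresses, key and the function name `check_nas_config` are constructed, and it assumes the key is stored unencrypted and that only interfaces with `encapsulation ppp` need checking.

```python
import re
# Constructed sample NAS configuration (not taken from NASCONFIG.TXT).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization commands 15 tacacs+
tacacs-server host 192.0.2.10
tacacs-server key ExampleKey
interface Async1
 encapsulation ppp
 ppp authentication chap pap
interface Async2
 encapsulation ppp
 ppp authentication chap
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
"""

def check_nas_config(config, acs_ip, acs_key, database):
    """Return a list of findings; database is 'nt' or 'easyacs'."""
    wanted = "pap" if database == "nt" else "chap pap"
    top, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] != " ":                      # top-level command
            current = ifaces.setdefault(line.split()[1], []) if line.startswith("interface ") else None
            if current is None:
                top.append(line)
        elif current is not None:              # indented sub-command of an interface
            current.append(line)
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing")
    if f"tacacs-server host {acs_ip}" not in top:
        findings.append("EasyACS IP address not configured as TACACS+ server")
    # Exact, case-sensitive comparison; the key itself is never echoed.
    if f"tacacs-server key {acs_key}" not in top:
        findings.append("TACACS+ key does not match EasyACS")
    if not any(re.fullmatch(r"aaa authorization commands \d+ tacacs\+", c) for c in top):
        findings.append("aaa authorization commands not configured")
    for name, cmds in ifaces.items():
        if "encapsulation ppp" not in cmds:
            continue                           # assumption: only PPP interfaces are checked
        auth = [c[len("ppp authentication "):] for c in cmds if c.startswith("ppp authentication ")]
        if auth != [wanted]:
            findings.append(f"{name}: expected 'ppp authentication {wanted}', found {auth or 'none'}")
    return findings
```

An empty list means the configuration passes these checks; each finding corresponds to one of the confirmation items in the first and fourth rows of the matrix.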