Troubleshooting

This section provides a table that lists some basic problems and describes how to resolve them.

Using the Troubleshooting Table

Scan the column on the left to identify the condition that you are trying to resolve; then, slowly and carefully go through each of the corresponding recovery actions offered in the column on the right.


Table C-1: Resolving Basic Problems
Problem | Recovery Action and Problem Explanation
A dial-in user is unable to make a connection to the NAS.

No record of the attempt is displayed in either the TACACS+ or RADIUS Accounting Reports (click TACACS+ or RADIUS Accounting within Reports & Activity) or Failed Attempts Reports (click Failed Attempts within Reports & Activity).

Examine the CiscoSecure Reports or NAS Debug output to help narrow the problem to a system error or a user error. Confirm the following:

  • The dial-in user was able to establish a connection and ping the Windows NT server before CiscoSecure was installed. If the dial-in user could not, then the problem is related to a NAS/modem configuration, not CiscoSecure.

  • LAN connections for both NAS and the Windows NT Server supporting CiscoSecure are physically connected.

  • IP address of the NAS in the CiscoSecure configuration is correct.

  • IP address of CiscoSecure in NAS configuration is correct.

  • TACACS+ or RADIUS key in both NAS and CiscoSecure are identical (case sensitive).

  • The command ppp authentication pap is entered for each interface if the Windows NT User Database is being used.

  • The command ppp authentication chap pap is entered for each interface if the CiscoSecure Database is being used.

  • The AAA and TACACS+ or RADIUS commands are correct in the NAS (the necessary commands are listed in \CiscoSecure\TacConfig.txt or RadConfig.txt files).

  • The CiscoSecure ACS Services are running (CSAdmin, CSAuth, CSLog, CSRadius, CSTacacs) on the Windows NT Server.

A dial-in user is unable to make a connection to the NAS.

The Windows NT User Database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).

The user information is not properly configured for authentication in Windows NT or CiscoSecure.

Confirm the Windows NT User Database resides on the same machine as CiscoSecure.

From the Windows NT User Manager, confirm:

  • The username and password are configured in the Windows NT User Manager.

  • The User Properties window does not have "User Must Change Password at Login" turned on.

  • The User Properties window does not have "Account Disabled" turned on.

  • The User Properties for dial-in window does not have "Grant dial-in permission to user" turned off if CiscoSecure is using this option for authentication.

  • The Windows NT User Rights policy must grant the user the "Log on locally" right. By default this right is not assigned when CiscoSecure runs on a PDC/BDC, but CiscoSecure requires it.

From within the CiscoSecure ACS confirm:

  • The first option for "NT User Database Authentication Options" in CiscoSecure Configuration (titled "Check the NT User Database for username not found in CiscoSecure") is turned on if Windows NT usernames are not going to be entered manually.

  • If the username has already been entered into CiscoSecure, the "Password Authentication" under User Setup has "Use Windows NT User Database" selected.

  • If the username has already been entered into CiscoSecure, the CiscoSecure "Group" the user is assigned to has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • Expiration information has not caused the failed authentication; set "Expiration: Never" while troubleshooting.

A dial-in user is unable to make a connection to the NAS.

The CiscoSecure User Database is being used for authentication.

A record of a failed attempt is displayed in the Failed Attempts Report (clicking Failed Attempts within Reports & Activity).

From within CiscoSecure confirm:

  • The username has been entered into CiscoSecure.

  • The "Password Authentication" under User Setup has "Use CiscoSecure Database" selected and a password entered.

  • Both options for "NT User Database Authentication Options" in the CiscoSecure ACS Configuration are turned off.

  • The CiscoSecure "Group" the user is assigned to has the correct authorization enabled (such as IP/PPP, IPX/PPP or Exec/Telnet). Be sure to click Submit + Restart if a change has been made.

  • Expiration information has not caused the failed authentication; set "Expiration: Never" while troubleshooting.

When running debug aaa authentication on the NAS, a "FAIL" is returned from CiscoSecure.

The configurations of the NAS or CiscoSecure are likely to be at fault.

From within CiscoSecure confirm:

  • CiscoSecure is receiving the request. This can be done by viewing the CiscoSecure reports. Based on what does/doesn't appear in the reports and which database is being used, troubleshoot CiscoSecure based on one of the first three listings in this matrix.

From the NAS, confirm:

  • The command ppp authentication pap is entered for each interface if authentication against the Windows NT User Database is being used.

  • The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure User Database is being used.

  • The AAA and TACACS+ or RADIUS configuration is correct in the NAS (the necessary commands are listed in /CiscoSecure/TacConfig.txt, RadConfig.txt, or Readme.txt files).
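The NAS-side checks in this entry and in the first entry of the table (the NAS points at the ACS address, the shared key matches case-sensitively, each PPP interface carries the ppp authentication form the chosen database needs, the AAA commands are present) can be run mechanically against a saved running-config. The script below is an added example, not Cisco's or the CiscoSecure ACS product's code: AcsNasEntry mirrors the fields an administrator types into the ACS NAS Configuration page, and SAMPLE_CONFIG and SAMPLE_ACS_ENTRY are constructed so that the key differs only in case, Async1 uses chap pap against the Windows NT User Database, and Async2 has no ppp authentication line.

```python
"""Consistency check of a NAS running-config against its CiscoSecure ACS entry.
Added example, not Cisco's or the ACS product's code; the SAMPLE_* data are constructed."""
import re
from dataclasses import dataclass
from itertools import takewhile

# 'ppp authentication' methods the troubleshooting table requires for each database.
REQUIRED_PPP_AUTH = {"nt": ["pap"], "ciscosecure": ["chap", "pap"]}

@dataclass
class AcsNasEntry:
    nas_ip: str      # NAS address entered in ACS (matched against the request source)
    acs_ip: str      # address of the Windows NT server running ACS
    protocol: str    # "tacacs+" or "radius"
    key: str         # shared secret; ACS compares it case-sensitively
    database: str    # "nt" (Windows NT User Database) or "ciscosecure"

def parse_ios_config(text):
    """Extract the AAA-relevant parts of an IOS running-config into a dict."""
    cfg = {"aaa": [], "hosts": {}, "keys": {}, "interfaces": {}}
    iface = None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if not raw.startswith(" "):          # unindented line: back at global level
            iface = None
        m = re.match(r"interface (\S+)$", s)
        if m:
            iface = m.group(1)
            cfg["interfaces"][iface] = {"ppp": False, "auth": None, "ips": []}
            continue
        if iface is not None:                # inside an interface block
            info = cfg["interfaces"][iface]
            if s == "encapsulation ppp":
                info["ppp"] = True
            elif s.startswith("ppp authentication "):
                # method tokens stop at the first non-method word (an optional list name)
                info["auth"] = list(takewhile(lambda t: t in ("pap", "chap"), s.split()[2:]))
            elif s.startswith("ip address "):
                info["ips"].append(s.split()[2])
            continue
        if s.startswith("aaa "):
            cfg["aaa"].append(s)
        m = re.match(r"(tacacs|radius)-server host (\S+)", s)
        if m:
            cfg["hosts"].setdefault(m.group(1), []).append(m.group(2))
        m = re.match(r"(tacacs|radius)-server key (\S+)", s)
        if m:
            cfg["keys"][m.group(1)] = m.group(2)
    return cfg

def check_nas_against_acs(cfg, entry):
    """Return a list of findings; an empty list means the NAS and the ACS entry agree."""
    findings = []
    proto = "tacacs" if entry.protocol == "tacacs+" else "radius"
    if "aaa new-model" not in cfg["aaa"]:
        findings.append("global: 'aaa new-model' is missing")
    if not any(a.startswith("aaa authentication ppp") for a in cfg["aaa"]):
        findings.append("global: no 'aaa authentication ppp' line")
    if entry.acs_ip not in cfg["hosts"].get(proto, []):
        findings.append(f"global: no '{proto}-server host {entry.acs_ip}' pointing at ACS")
    nas_key = cfg["keys"].get(proto)
    if nas_key is None:
        findings.append(f"global: '{proto}-server key' is not set")
    elif nas_key != entry.key:
        how = "differs only in case from" if nas_key.lower() == entry.key.lower() else "does not match"
        findings.append(f"global: {proto}-server key {how} the ACS key")
    if entry.nas_ip not in [ip for i in cfg["interfaces"].values() for ip in i["ips"]]:
        findings.append(f"global: ACS NAS address {entry.nas_ip} is on no NAS interface")
    need = " ".join(REQUIRED_PPP_AUTH[entry.database])
    for name, info in cfg["interfaces"].items():
        if not info["ppp"]:
            continue
        if info["auth"] is None:
            findings.append(f"{name}: encapsulation ppp but no 'ppp authentication' line")
        elif " ".join(info["auth"]) != need:
            have = " ".join(info["auth"])
            findings.append(f"{name}: 'ppp authentication {have}' but the {entry.database} "
                            f"database needs 'ppp authentication {need}'")
    return findings

# Constructed sample data (not from any real NAS or ACS installation).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication ppp default tacacs+ local
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
interface Async1
 encapsulation ppp
 ppp authentication chap pap
interface Async2
 encapsulation ppp
tacacs-server host 10.0.0.5
tacacs-server key SecretKey
"""
SAMPLE_ACS_ENTRY = AcsNasEntry("10.0.0.1", "10.0.0.5", "tacacs+", "secretkey", "nt")
```

Running check_nas_against_acs(parse_ios_config(SAMPLE_CONFIG), SAMPLE_ACS_ENTRY) reports the case-only key mismatch, the chap pap line on Async1 and the missing ppp authentication on Async2; switching the entry's database to "ciscosecure" (with the matching key) leaves only the Async2 finding, which is the distinction the table draws between the two databases.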

When running debug aaa authentication and debug aaa authorization on the NAS, a "PASS" is returned for authentication, but a "FAIL" is returned for authorization.

This problem occurs because authorization rights are not correctly assigned.

  • From CiscoSecure User Setup, confirm the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.

  • If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this may indicate it has not been enabled in the Protocol Configuration Options button found under NAS Configuration.

A dial-in user is unable to make a connection to the NAS; however, a Telnet connection can be authenticated across the LAN.

This isolates the problem to one of three areas:

  • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

  • Confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup.

  • The CiscoSecure or TACACS+ or RADIUS configuration is not correct in the NAS (the necessary commands are listed in \CiscoSecure\NASCONFIG.TXT, RADCONFG.TXT or README.TXT files).

You can additionally verify CiscoSecure connectivity as follows:

  • Telnet to the access server from a workstation connected to the LAN.

A successful authentication for Telnet confirms that CiscoSecure is working with the NAS.

A dial-in user is unable to make a connection to the NAS, and a Telnet connection can't be authenticated across the LAN.

  • Determine whether the CiscoSecure ACS is receiving the request. This can be done by viewing the CiscoSecure ACS reports. Based on what does or does not appear in the reports and which database is being used, troubleshoot the problem based on one of the following:

    • Line/modem configuration problem. Review the documentation that came with your modem and verify that the modem is properly configured.

    • Confirm the user exists in the Windows NT User Database or the CiscoSecure User Database and has the correct password. Authentication parameters can be modified under User Setup.

    • The CiscoSecure or TACACS+ or RADIUS configuration is not correct in the NAS (the necessary commands are listed in \CiscoSecure\NASCONFIG.TXT, RADCONFG.TXT or README.TXT files).

Need sample NAS or PIX configuration.

  • Open the README file as it has several configurations for both access servers and PIX Firewalls.

Browser can't bring up CiscoSecure.

  • Open Internet Explorer or Netscape Navigator and select Help/About from the menu to determine the browser version. If you are running a version earlier than 3.02, CiscoSecure will not run; download version 3.02 of the software from the website of one of those companies. These are the only browsers supported by CiscoSecure.

Remote Administrator can't bring up CiscoSecure from his or her browser or receives a warning that access is not permitted.

  • Try to ping the machine running CiscoSecure to confirm connectivity.

  • Make sure you are using a valid administrator name and password that has already been added.

  • Verify that Java functionality is enabled in the browser.

Under EXEC Commands, Cisco IOS commands are not being denied when checked.

  • Examine the Cisco IOS configuration at the NAS. If it is not already present, add the following Cisco IOS command to the NAS configuration, where the number is the privilege level (0 to 15) whose commands are to be authorized:

    • aaa authorization commands <0-15> tacacs+

  • The correct syntax for the arguments in the text box is "permit argument" or "deny argument".
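Two things have to line up for an EXEC command to be denied: the NAS must be told to ask the TACACS+ server before running commands at that privilege level, and the command in ACS must carry "permit argument" / "deny argument" rules that match. The model below is an added example, not Cisco's or the CiscoSecure ACS product's code: it treats each argument rule as a permit or deny keyword followed by a regular expression over the argument string (the page only shows the keyword form, so the regular-expression matching, the defaults for unmatched arguments and unmatched commands, SAMPLE_IOS and SAMPLE_COMMAND_SET are all constructed assumptions). It shows why a command that is checked as denied in ACS is still accepted when the NAS lacks the aaa authorization commands line for that level.

```python
"""Model of a TACACS+ command-authorization decision driven by per-command
permit/deny argument rules.  Added example, not Cisco's or the ACS product's code."""
import re

class CommandRule:
    """Ordered 'permit <regex>' / 'deny <regex>' rules for one command word."""

    def __init__(self, arg_rules, unmatched_args="deny"):
        self.arg_rules = []
        for rule in arg_rules:
            action, _, pattern = rule.partition(" ")
            if action not in ("permit", "deny") or not pattern:
                raise ValueError(f"rule must be 'permit <argument>' or 'deny <argument>': {rule!r}")
            self.arg_rules.append((action, re.compile(pattern)))
        self.unmatched_args = unmatched_args   # assumed default when no argument rule matches

    def decide(self, args):
        """First matching argument rule wins; otherwise the unmatched-arguments default."""
        for action, pattern in self.arg_rules:
            if pattern.search(args):
                return action, f"matched '{action} {pattern.pattern}'"
        return self.unmatched_args, "no argument rule matched; unmatched-arguments default"

def authorized_levels(ios_config):
    """Privilege levels for which the NAS asks TACACS+ before running a command."""
    levels = set()
    for line in ios_config.splitlines():
        m = re.match(r"\s*aaa authorization commands (\d+) (.+)$", line)
        if m and "tacacs+" in m.group(2).split():
            levels.add(int(m.group(1)))
    return levels

def authorize(ios_config, level, command_line, command_set, unmatched_commands="deny"):
    """Return (decision, reason) for a command typed at the given privilege level."""
    if level not in authorized_levels(ios_config):
        # The symptom in the table: without 'aaa authorization commands <level> tacacs+'
        # the NAS never consults ACS, so rules checked in ACS cannot deny anything.
        return "permit", f"NAS has no 'aaa authorization commands {level} ... tacacs+'; ACS not consulted"
    word, _, args = command_line.strip().partition(" ")
    rule = command_set.get(word)
    if rule is None:
        return unmatched_commands, f"no rule for command '{word}'; unmatched-commands default"
    decision, why = rule.decide(args)
    return decision, f"command '{word}': {why}"

# Constructed NAS config: command authorization is only configured for privilege level 15.
SAMPLE_IOS = """\
aaa new-model
aaa authorization commands 15 tacacs+ local
tacacs-server host 10.0.0.5
"""

# Constructed command set for a read-only operator group (assumption, not an ACS export).
SAMPLE_COMMAND_SET = {
    "show": CommandRule(["deny ^startup-config", "permit .*"]),
    "configure": CommandRule([], unmatched_args="deny"),
}
```

With SAMPLE_IOS, "configure terminal" is denied at level 15 but permitted at level 1, because the NAS only has an aaa authorization commands line for level 15; adding one for level 1 is the fix the table entry describes.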

Administrator has been locked out of the NAS as a result of an incorrect configuration being set up in the NAS.

  • Try to connect directly to the NAS at the console port. If that isn't successful, consult your NAS documentation or go to the Cisco web page for service/support regarding this condition.

IETF RADIUS Attributes supported in the Cisco IOS software.

Cisco incorporated RADIUS (IETF) attributes in Cisco IOS Release 11.1. However, a few attributes are not yet supported or require a later version of Cisco IOS. The following attributes fall into this category:

    Number   Attribute             Supported
    17       Change-Password       11.2(5)F
    21       Password-Expiration   11.2(5)F
    35       Login-LAT-Node        No
    36       Login-LAT-Group       No

Unable to get ARAP to function correctly.

The Cisco IOS version running on your NAS must be 11.1 to support ARAP.

The browser displays the error message that a connection to the server could not be established.

The Proxy statements in the Browser can prevent access to the CiscoSecure ACS interface.

The browser displays the Java message that your session connection is lost.

Check the idle time out value for remote administrators. This is in the Administration Control window.

The following error message is displayed when attempting to upgrade or remove the CiscoSecure ACS: "The following file is invalid or the data is corrupted: DelsL1.isu."

From the Windows NT registry delete the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CiscoSecure

You are unable to properly implement Security Dynamics (SDI) token authentication.

Step 1 Log into the Windows NT Server on which CiscoSecure is installed. (Make sure your login account has administrative privileges.)

Step 2 Install the SDI Client software on the same Windows NT server as the CiscoSecure ACS.

Step 3 Follow the setup instructions and do not restart at the end of the installation.

Step 4 FTP to the ACE server that CiscoSecure will use.

Step 5 Get the file named sdconf.rec located in the /data directory.

Step 6 Place sdconf.rec on the Windows NT Server in the %SystemRoot%\system32 directory.

Step 7 Make sure you can ping the machine that is running the ACE server by host name. (You might need to add the machine in the lmhosts file.)

Step 8 Enable support for SDI with the Token Server Configuration button in the CiscoSecure ACS.

  • Run Test Authentication from the Windows NT Server control panel for the ACE/Client application.

  • From CiscoSecure you will now need to install the token card server.

Copyright 1989-1998 © Cisco Systems Inc.