Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Appendix A: Troubleshooting Information for Cisco Secure ACS
Debug Issues

Condition: When running debug aaa authentication on the AAA client, a failure message is returned from Cisco Secure ACS.

Recovery Action: The configurations of the AAA client or Cisco Secure ACS are likely to be at fault.

From within Cisco Secure ACS confirm the following:

- Cisco Secure ACS is receiving the request. This can be done by viewing the Cisco Secure ACS reports. Based on what does/does not appear in the reports and which database is being used, troubleshoot Cisco Secure ACS based on one of the first three listings in this matrix.

From the AAA client, confirm the following:

- The command ppp authentication pap is entered for each interface if authentication against the Windows NT/2000 User Database is being used.
- The command ppp authentication chap pap is entered for each interface if authentication against the CiscoSecure user database is being used.
- The AAA and TACACS+ or RADIUS configuration is correct in the AAA client. The necessary commands are listed in the following:
    Program Files\CiscoSecure ACS vx.x\TacConfig.txt
    Program Files\CiscoSecure ACS vx.x\RadConfig.txt
    Program Files\CiscoSecure ACS vx.x\README.TXT

Condition: When running debug aaa authentication and debug aaa authorization on the AAA client, a PASS is returned for authentication, but a FAIL is returned for authorization.

Recovery Action: This problem occurs because authorization rights are not correctly assigned.

From Cisco Secure ACS User Setup, confirm that the user is assigned to a group that has the correct authorization rights. Authorization rights can be modified under Group Setup or User Setup. User settings override group settings.

If a specific attribute for TACACS+ or RADIUS is not displayed within the Group Setup section, this might indicate it has not been enabled in Interface Configuration: TACACS+ (Cisco IOS) or RADIUS.
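
The per-interface check from the first entry (ppp authentication pap for the Windows NT/2000 User Database, ppp authentication chap pap for the CiscoSecure user database) can be run over a saved AAA client configuration. This is an added example, not part of the Cisco guide; the function name audit_ppp_auth, the database keys "windows" and "ciscosecure", and the sample configuration are constructed for illustration.

```python
import re

# Methods the guide lists per interface, keyed by the user database in use.
# The keys are hypothetical labels chosen for this example.
EXPECTED = {"windows": ["pap"], "ciscosecure": ["chap", "pap"]}
PPP_METHODS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
interface Serial0
 encapsulation ppp
 ppp authentication chap pap
!
interface Serial1
 encapsulation ppp
 ppp authentication pap
!
interface Async1
 encapsulation ppp
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
"""

def audit_ppp_auth(config_text, database):
    """Return {interface: problem} for PPP interfaces that do not match."""
    expected = EXPECTED[database]
    blocks, current = {}, None
    for line in config_text.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.split())   # sub-command of this interface
        elif line.strip():
            current = None                 # "!" or a new top-level command
    findings = {}
    for iface, cmds in blocks.items():
        auth = [c[2:] for c in cmds if c[:2] == ["ppp", "authentication"]]
        if not auth and ["encapsulation", "ppp"] not in cmds:
            continue                       # not a PPP interface
        if not auth:
            findings[iface] = "no ppp authentication command"
            continue
        # Keep protocol keywords only; list names and options may follow.
        methods = [w for w in auth[-1] if w in PPP_METHODS]
        if methods != expected:            # order is compared as written
            findings[iface] = "has '%s', expected '%s'" % (
                " ".join(methods), " ".join(expected))
    return findings
```

An empty result means every PPP interface in the file carries the command the guide lists for that database.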