|
|
This chapter provides information to help you identify and resolve potential problems with your CiscoSecure Access Control Server (ACS) and includes the following sections:
The following error messages are described:
Many messages are dynamic, containing variables that are context sensitive.
The errmsg.dat file contains the text of most of the error messages for the CiscoSecure ACS displayed in the GUI. It is in the following directory:
ns-home/cs
The errmsg.dat file can be edited in any text editor or word processor that supports ASCII. Character sets for languages other than English are supported.
The following guidelines must be observed:
The following tables list descriptions of error messages.
| Error Message | Meaning |
|---|---|
| Unable to create accounting directory dictionary_name | Where directory_name = accounting directory from the server's profile. RADIUS server is unable to create the directory for the accounting records. Because the server executes as root, this problem is normally caused by a non-existent parent directory. Until this problem is corrected, all accounting records received by the RADIUS server are rejected. |
| Couldn't start accounting file (accounting_file) | Where accounting_file = accounting file from the server's profile. The RADIUS1 server is unable to access the previously opened accounting file. Until this problem is corrected, all accounting records received by the RADIUS server are rejected. |
| Couldn't open accounting file accounting_directory / nas_name / detail | Where directory_name = accounting directory from the server's profile and nas_name = NAS2 sending the accounting packet. RADIUS server is unable to open the accounting file. Until this problem is corrected, all accounting records received by the RADIUS server are rejected. |
| Couldn't update accounting file accounting_directory / nas_name / detail | Where directory_name = accounting directory from the server's profile and nas_name = NAS sending the accounting packet. The write to the previously opened accounting file failed. Until this problem is corrected, all accounting records received by the RADIUS server are rejected. |
| Send Account Rsp from nas_name - Security | Where nas_name = NAS sending the accounting packet. The accounting packet from the NAS failed to pass the security check and will be rejected. |
| Can't resolve server hostname (host_name), using default server setting | Where host_name = name of the host where the RADIUS AAA3 server is running. The RADIUS AAA server is unable to resolve it's hostname which needed to retrieve the RADIUS server's profile from the database. The RADIUS AAA server uses internal default values for the server profile attributes. |
| Can't locate server profile (server_profile), using defaults | Where server_profile = name of the server's profile in the database. The RADIUS AAA server is unable to retrieve the RADIUS server's profile from the database. The RADIUS AAA server uses internal default values for the server profile attributes. |
| Error Message | Meaning |
|---|---|
| Unknown Acct-Status value (accounting_status_value) | Where accounting_status_value = decimal value of the invalid attribute. An accounting packet contained an accounting status attribute with an invalid value. |
| Invalid Accounting Packet from (nas_name) "+ variable message" | Where nas_name = name of the NAS sending the accounting packet and variable_message = valid accounting packet must contain a valid session id, accounting status, and NAS id attribute. A list of missing attributes are added to the warning message. The accounting packet is rejected by the RADIUS server. |
| NAS (nas_name) input packet contains attr_name (Unknown Type attr_type) | Where nas_name = name of the NAS sending the packet, attr_name = name of the attribute in question, and attr_type = decimal value of the attribute. The unknown attribute is discarded but the RADIUS server attempts to process the packet. A common cause of the error is an incorrect dictionary for the NAS sending the packet. |
| Passchange: from (nas_name): Password Changing NOT Allowed | Where nas_name = name of the NAS sending the packet. The RADIUS server is configured to deny change password requests and a change password request was received. The request is rejected. |
| Authenticate: nas (nas_name) user (user_name) invalid NAS, NAS port, or Caller id | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. The user's profile contained limiting origin information the request did not fulfill. The request is rejected. |
| Passchange: from (nas_name) - Missing Password: user_name | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. A change password request failed to provide a new and old password. The request is rejected. |
| Passchange: from (nas_name) - Missing Local Password: user_name | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. The user profile referenced in the change password request doesn't contain a password attribute or has a null password value. The request is rejected. |
| Passchange: from (nas_name): system password change not allowed: user_name | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. The user profile password type doesn't support password changes. The request is rejected. |
| Passchange: from (nas_name) - Bad Pwd for user_name: | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. |
| The password provided in the change password request is incorrect. The request is rejected.
Authenticate: from (nas_name) - No User Name | Where nas_name = name of the NAS sending the packet. The authentication request from the NAS doesn't contain a user name attribute. The request is rejected. |
| Authenticate: from (nas_name) - user_name failed | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. A valid user profile wasn't found in the database for the authentication request. The request is rejected. |
| Unknown accounting mode (accounting_mode) | Where accounting_mode = decimal value of the accounting mode in the RADIUS server profile. The accounting mode contained in the RADIUS AAA server profile is unknown to the RADIUS server. All accounting requests are rejected. |
| Unknown attribute type attribute_type | Where attribute_type = decimal value of attribute type. The reply attributes contain a type unknown to the RADIUS server. The attribute is ignored. |
| Dictionary dictionary_name contains unsupported vendor attributes | Where dictionary_name = dictionary profile name in database. The Ascend RADIUS handler found vendor specific dictionary attributes in the dictionary attached to the NAS. The dictionary is ignored and all requests from the NAS in question are rejected. |
| dictionary (dictionary_name) Invalid attribute value (attribute_value) | Where dictionary_name = dictionary profile name in database and attribute_value = the value of the attribute in question. A dictionary A/V pair contains a value less than 0 or greater than 255. The dictionary is ignored and all requests that require the dictionary are rejected. |
| dictionary (dictionary_name) attribute (attribute_name) invalid length | Where dictionary_name = dictionary profile name in database and attribute_name = the attribute. The dictionary contains an attribute name that exceeds the max. allowed attribute name length. The dictionary is ignored and all requests that require the dictionary are rejected. |
| Malformed enum in dictionary dictionary_name | Where dictionary_name = dictionary profile name in database. The dictionary is formatted incorrectly. The dictionary is ignored and all requests that require the dictionary are rejected. |
| Dictionary (dictionary_name) unknown attribute type attribute_type | Where dictionary_name = dictionary profile name in database and attribute_type = the decimal value of the attribute type. The dictionary contains an attribute that has an unsupported type. The attribute is marked as invalid. |
| Dictionary dictionary_name not found in database | Where dictionary_name = dictionary profile name in database. The dictionary profile wasn't found in the database. Requests that require the dictionary are rejected. |
| CHAP Token - Bad Pwd Size(pwd_size): user user_name, NAS nas_name | Where pwd_size = decimal size of the CHAP1 token, nas_name = name of the NAS sending the packet, and user_name = user profile requested by the NAS. The CHAP token in the request exceeds the max. CHAP token length. The request is rejected. |
| CHAP Token Attempt: user user_name, NAS (nas_name) | Where user_name = user profile requested by the NAS and nas_name = name of the NAS sending the packet. An Ascend NAS attempted to use CHAP token password expiration without token caching enabled. The request is rejected. |
| authChapPwd: update failed | Update of the idle value of a cached token password failed. |
| authChapPwd: insert failed | Insertion of a token in the password cache failed. |
| CHAP Unix Attempt: user user_name, NAS (nas_name) | Where user_name = user profile requested by the NAS and nas_name = name of the NAS sending the packet. An CHAP password was provided by the NAS but the user profile requires an UNIX system password. The request is rejected. |
| authPapPwd: from (nas_name), user user_name: pwd too long (pwd_length) | Where user_name = user profile requested by the NAS, nas_name = name of the NAS sending the packet, and pwd_length = password length. The password provided by the NAS exceeds the max. PAP2 password length. The length is set to the max. PAP password length. |
| Unknown password type (password_type) found in profile | Where password_type = decimal value of the password type. An unsupported password type was encountered in an user profile. The password is ignored. |
| T+ DES password length exceeds RADIUS string length | TACACS+ DES3 password length exceeds the length supported by the RADIUS server. The password is ignored. |
| T+ password length exceeds RADIUS string length | TACACS+ password exceeds the max. length of a RADIUS string attribute. The password is ignored. |
| Unknown results challenge_results from token card challenge | Token card challenge returned a value unknown to the RADIUS server. The challenge request fails. |
| unexpected PW_SKIP status from token card api | Token Card library return a "PW_SKIP" status. The token card operation fails. |
| unexpected token_card_status status from token card api | Where token_card_status = decimal value of the status returned from the token card library. The token card library returned an unsupported status value. The token card operation fails. |
| Tokencard Authenticate (nas_name), user user_name: Invalid State | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. The NAS provided a state value unknown the RADIUS server. The token card operation fails. |
| Tokencard Authenticate from (nas_name), user user_name: Invalid Request | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. A pending token card request for the token card operation couldn't be located in the request queue. The token card operation fails. |
| Tokencard Authenticate from (nas_name), user user_name: Invalid State | Where nas_name = name of the NAS sending the packet and user_name = user profile requested by the NAS. The state of the pending request located of this token card request doesn't match the state required by the token card request. The token card request fails. |
| Unable to locate library for token card library_name | Where library_name = token card shared library name. The token card shared library needed to complete the token card request couldn't be loaded. The token card request fails. |
| zero length username not permitted | Incoming NAS request contains a zero length user name. The request fails. |
| Non-numeric value in numeric only field | User profile contains a non-numeric value in a numeric field. The request fails. |
| Attribute (attribute_name) length (attribute_length) exceeds RADIUS length (RADIUS_length) | Where attribute_name = name of attribute, attribute_length = decimal length of attribute, and RADIUS_length = decimal maximum RADIUS attribute length. A user profile contains a attribute that exceeds the max. length support by the RADIUS server. The request fails. |
| setpwfile failed for 'file_name' | Where file_name = file name of the UNIX password file. Function setpwfile() failed to setup the password file. The request fails. |
| Can't locate NAS profile (nas_name) | Where nas_name = name of the NAS sending the packet. The RADIUS server failed to retrieve the NAS profile from the database. The request fails. |
| Invalid type for state attribute (state_type) | Where state_type = decimal value of the state attribute. A state attribute was received from the NAS with an unknown type. The attribute is ignored. |
| Error Message | Meaning | Solution |
|---|---|---|
| Maximum number of users exceeded | Maximum users allowed as specified by the license key exceeded. | If the number of users allowed is less that what the administrator expects, check CSU.cfg, is the license key entered correctly? Also check cs_startup.log and syslog (/var/log/csuslog), these log files will contain information about the license key (expiration date and so on). Possibly get a new license key. |
| Protocol - mismatched encryption
Protocol - mismatched encryption keys | Secret shared between the NAS and the ACS does not match. | Find the secret for the NAS in CSU.cfg, also the secret in the NAS configuration. These secrets must match exactly. If the NAS is not listed in CSU.cfg, use the secret for the default NAS. If a default NAS is not specified, an entry with matching secret must be added to CSU.cfg. |
| Authentication - Bad method for user | User is not configured for the type of NAS. For example, if the NAS is a Cisco RADIUS NAS, but the user is configured for TACACS+ only. | Check the user profile. Make sure it is configured for the type of NAS. |
| Authentication - Insufficient privilege | User privilege is too low. | If the user's request is being denied erroneously due to insufficient privilege, check the user's profile, and increase privilege if necessary. |
| Authentication - No token passcode received | User configured for token card but no token password is received. | User did not enter a token password. Enter a token passcode during the login process. |
| Authentication - Account disabled | User's account is disabled due to too many failed logins. | The account can be re-enabled by setting profile_status to enabled. |
| Authentication - Maximum sessions exceeded | User's exceed the allowed maximum number of sessions. | If the user is entitled to more sessions, change the user's profile to have more allowed sessions. |
| Authorization - No service specified
Authorization - No protocol specified Authorization - No command specified Authorization - Failed mandatory argument Authorization - Bad argument Authorization - Failed command line Authorization - Failed command Authorization - Failed time qualification | Requested service or command is denied. | Either the service, protocol, or command is entirely or partially missing or incorrect, or it is denied by the deny/permit statements in the profile. Check the profile and make sure the deny/permit statements are correct. |
| Error Message | Meaning |
|---|---|
| Protocol - Username too long
Protocol - Token passcode too long Protocol - NAS name too long Protocol - NAS port name too long Protocol - NAS address too long | Length of fields exceeded the maximum allowed. |
| Protocol - Invalid privilege field
Protocol - Session id in use Protocol - No session found Protocol - Incorrect type Protocol - Incorrect session Protocol - Incorrect sequence Protocol - Incorrect version Protocol - Garbled message Protocol - Bad type | Bad data in the packet header. |
| Protocol - Read timeout
Protocol - Connection closed | Network connection errors. |
| Error Message | Meaning |
|---|---|
| Authentication - User not found | User not found in the database. |
| Authentication - Bad type | Bad authentication type (login, sendpass, and so on). |
| Authentication - No username specified | No user name found in the database. |
| Authentication - Unexpected data Authentication - Unexpected reserved data | Bad data in the authentication packet. |
| Authentication - Incorrect password | Password incorrect. |
| Authentication - Aborted sequence | Authentication sequence aborted by the NAS. |
| Authentication - File handling error | Authentication encountered a file handling problem with the NAS. |
| Authentication - Unknown password type | Bad password type. |
| Authentication - User not in file | User not found in the database. |
| Authentication - Error in external function | An error occurred outside the AAA server. |
| Authentication - Bad service | Invalid service encountered in the PPP1, shell, or other component. |
| Authentication - Bad action | The server performed an invalid function. |
| Authentication - Bad password | Garbled password. |
| Authentication - SENDPASS successful Authentication - SENDPASS failed Authentication - LOGIN successful Authentication - ENABLE successful Authentication - CHPASS successful Authentication - SENDAUTH successful Authentication - SENDAUTH failed | Various types of authentication success/failure messages. |
| Authentication - Too many tries | User exceeded number of times they can enter the password. |
| Authentication - Can't change password Authentication - Change password failed | Change password failed. |
| Message | Meaning |
|---|---|
| Authorization - Unknown user | User not found. |
| Authorization - Unauthorized NAS or PORT | The NAS or port specified in the database does not exist. Specify a valid one. |
| Authorization - Request authorized | Authorization successful. |
| Authorization - Maximum sessions exceeded | Not used, authorization does not check max session. |
If you are having problems with your CiscoSecure ACS system, check these items first:
Most sites need to detect when a user account has been compromised or is being shared with other people. The CiscoSecure ACS software does not internally detect when a single user account is being used from multiple locations. This must be detected by collecting the accounting logs from all the CiscoSecure ACSes on a network and reporting those accounting records that indicate concurrent use of the network. Accounting must also be enabled on all NASs so that accounting records are generated. For an Internet service provider, this may result in revenue loss for the period between checks of the accounting logs.
Most of the time, you will use automatic startup and shutdown operations while using CiscoSecure ACS for UNIX. But for some diagnostic purposes, you may want to kill or shut down the CiscoSecure ACS and restart it manually.
When the CiscoSecure ACS software is running, you can control its operation and shutdown by using a specific UNIX signal sent with the UNIX kill command; or you can stop security functions by issuing the shutdown command. Both are described as follows:
# kill -INT 'cat /etc/CiscoSecure.pid'
#/etc/rc0.d/K80CiscoSecure
After killing or shutting down CiscoSecure ACS, you can restart it with specific flags to invoke different options that help isolate potential problems. The flags are associated with logging options specified in the CSU.cfg file.
To use these options, enter the following UNIX command line:
# CiscoSecure [-v] [-c] [-d] [-p] [-u] [-x] -f CSU.cfg
where:
| -v | Displays the CiscoSecure ACS software version information. |
| -c | Instructs the CiscoSecure ACS to display its logging output on stderr. Normally, all output is logged using the syslog facility. |
| -p | Causes the CiscoSecure ACS to read and verify that the control file and referenced user database files are correct. |
| -x | CiscoSecure ACS will not divorce itself from the controlling terminal and will stay in the foreground. |
| -f CSU.cfg | Identifies the control file. |
Logging is controlled through the logging options that you can enable or disable on the AAA General page of the CiscoSecure ACS administrative web site. (See "Managing General Settings on the ACS" in the chapter, "ACS and NAS Management.")
The logging options on the AAA General page are listed as follows:
To help ensure proper database operation, verify that the UNIX system is properly configured for recording the CiscoSecure ACS logging information. This information is typically logged in to a file. Significant events are logged to the system console.
The default syslog facility is LOG_LOCAL0. (See your UNIX system documentation for more information about syslog.) You can change this by changing the value of the CiscoSecure ACS software control file variable config_system_logging_level.
To maintain a centralized database of messages, modify the configuration of syslog. This assures that the program logs all CiscoSecure ACS messages. To do this:
1 ) Before you can send information to the file, you must first create it, /var/log/csuslog.
Once this is done, syslog can store messages there.
2 ) To cause all informational messages to be sent to the named file, add the following line to /etc/syslog.conf:
local0.debug /var/log/csuslog
3 ) To cause syslog to reread its configuration file, enter the following command:
# kill -HUP 'cat /etc/syslog.pid'
4 ) To shut down all security and database functions of CiscoSecure ACS, use the K80CiscoSecure command:
#/etc/rc0.d/K80CiscoSecure
5 ) To start all the CiscoSecure ACS security and database functions, use the S80CiscoSecure command:
#/etc/rc2.d/S80CiscoSecure
You can use the following commands to help you troubleshoot your Cisco Systems NAS:
See the documentation for your Cisco Systems NAS for more information on using these commands.
|
|