Third-party server issues – Cisco 3.3 User Manual
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Appendix A Troubleshooting
Third-Party Server Issues
Condition: You cannot successfully implement the RSA token server.

Recovery Action:
1. Log in to the computer running Cisco Secure ACS. (Make sure your login account has administrative privileges.)
2. Make sure the RSA Client software is installed on the same computer as Cisco Secure ACS.
3. Follow the setup instructions. Do not restart at the end of the installation.
4. Get the file named sdconf.rec located in the /data directory of the RSA ACE server.
5. Place sdconf.rec in the %SystemRoot%\system32 directory.
6. Make sure you can ping the machine that is running the ACE server by hostname. (You might need to add the machine in the lmhosts file.)
7. Verify that support for RSA is enabled in External User Database: Database Configuration in the Cisco Secure ACS.
8. Run Test Authentication from the Windows control panel for the ACE/Client application.
9. From Cisco Secure ACS, install the token server.

Condition: Authentication request does not hit the external database.

Recovery Action: Set logging to full in System Configuration > Service Control. Check csauth.log for confirmation that the authentication request is being forwarded to the third-party server. If it is not being forwarded, confirm that the external database configuration is correct, as well as the unknown user policy settings.

Condition: On the ACE/SDI server, no incoming request is seen from Cisco Secure ACS, although RSA/agent authentication works.

Recovery Action: For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP; RSA/SDI does not support CHAP, and Cisco Secure ACS will not send the request to the RSA server, but rather it will log an error with external database failure.
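
A preflight check for steps 5 and 6 of the RSA token server procedure above, as an added example that is not part of the Cisco guide. It tests name resolution rather than sending a ping, and it assumes the standard lmhosts location under %SystemRoot%\system32\drivers\etc; the function names and the host name ace-server.example are hypothetical.

```python
import os
import socket

def parse_lmhosts(text):
    """Return {NAME: ip} from LMHOSTS text; '#' starts a comment or a keyword such as #PRE."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries[fields[1].strip('"').upper()] = fields[0]
    return entries

def preflight(system_root, ace_host, resolve=socket.gethostbyname):
    """Check that sdconf.rec is in place (step 5) and the ACE server resolves by name (step 6)."""
    findings = []
    sdconf = os.path.join(system_root, "system32", "sdconf.rec")
    if not os.path.isfile(sdconf):
        findings.append("sdconf.rec missing from " + os.path.dirname(sdconf))
    elif os.path.getsize(sdconf) == 0:
        findings.append("sdconf.rec is empty; copy it again from the ACE server")
    try:
        resolve(ace_host)
    except OSError:
        # Resolution failed: see whether an lmhosts entry exists for the host.
        lmhosts = os.path.join(system_root, "system32", "drivers", "etc", "lmhosts")
        known = {}
        if os.path.isfile(lmhosts):
            with open(lmhosts, encoding="ascii", errors="replace") as fh:
                known = parse_lmhosts(fh.read())
        ip = known.get(ace_host.upper())
        if ip:
            findings.append(f"{ace_host} is in lmhosts ({ip}) but does not resolve")
        else:
            findings.append(f"{ace_host} does not resolve and has no lmhosts entry")
    return findings

if __name__ == "__main__":
    # ace-server.example is a placeholder for the ACE server's host name.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    for finding in preflight(root, "ace-server.example"):
        print(finding)
```

An empty result means both checks passed; Test Authentication in step 8 remains the test of the agent itself.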