Third-party server issues – Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Appendix A Troubleshooting

Third-Party Server Issues

Condition: You cannot successfully implement the RSA token server.

Recovery Action:

1. Log in to the computer running Cisco Secure ACS. (Make sure your login account has administrative privileges.)

2. Make sure the RSA Client software is installed on the same computer as Cisco Secure ACS.

3. Follow the setup instructions. Do not restart at the end of the installation.

4. Get the file named sdconf.rec located in the /data directory of the RSA ACE server.

5. Place sdconf.rec in the %SystemRoot%\system32 directory.

6. Make sure you can ping the machine that is running the ACE server by hostname. (You might need to add the machine in the lmhosts file.)

7. Verify that support for RSA is enabled in External User Database: Database Configuration in the Cisco Secure ACS.

8. Run Test Authentication from the Windows control panel for the ACE/Client application.

9. From Cisco Secure ACS, install the token server.

Condition: Authentication request does not hit the external database.

Recovery Action: Set logging to full in System Configuration > Service Control. Check csauth.log for confirmation that the authentication request is being forwarded to the third-party server. If it is not being forwarded, confirm that the external database configuration is correct, as well as the unknown user policy settings.

Condition: On ACE/SDI server no incoming request is seen from Cisco Secure ACS, although RSA/agent authentication works.

Recovery Action: For dial-up users, make sure you are using PAP and not MS-CHAP or CHAP; RSA/SDI does not support CHAP, and Cisco Secure ACS will not send the request to the RSA server, but rather it will log an error with external database failure.
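The following PowerShell script is an added example, not part of the Cisco manual. It checks the preconditions from steps 1, 5 and 6 of the RSA token server procedure in one pass. The hostname ace-server.example.com is a placeholder assumption; supply the hostname of your own RSA ACE server.

```powershell
# Added example: pre-flight check for steps 1, 5 and 6 of the RSA token server procedure.
# 'ace-server.example.com' is a placeholder; pass your RSA ACE server's hostname.
param([string]$AceServer = 'ace-server.example.com')

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed }
}

# Step 1: the login account must have administrative privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Step 5: sdconf.rec must be in %SystemRoot%\system32.
$sdconf    = Join-Path $env:SystemRoot 'system32\sdconf.rec'
$hasSdconf = Test-Path -Path $sdconf -PathType Leaf

# Step 6: the ACE server must answer a ping by hostname.
$resolves = $false
try   { $resolves = [System.Net.Dns]::GetHostAddresses($AceServer).Length -gt 0 }
catch { $resolves = $false }
$pings = $resolves -and (Test-Connection -ComputerName $AceServer -Count 2 -Quiet)

$results = @(
    (New-Check 'Account has administrative privileges' $isAdmin),
    (New-Check "sdconf.rec present at $sdconf" $hasSdconf),
    (New-Check "$AceServer resolves by hostname" $resolves),
    (New-Check "$AceServer answers ping by hostname" $pings)
)
$results | Format-Table Check, Passed -AutoSize

# If the name does not resolve, look for a non-comment lmhosts entry for the short name.
if (-not $resolves) {
    $lmhosts = Join-Path $env:SystemRoot 'system32\drivers\etc\lmhosts'
    $short   = [regex]::Escape($AceServer.Split('.')[0])
    $entry   = (Test-Path $lmhosts) -and
               [bool](Select-String -Path $lmhosts -Pattern "^\s*[\d.]+\s+$short(\s|$)" -Quiet)
    Write-Output "lmhosts entry for the ACE server found: $entry"
}

# A non-zero exit code signals that at least one precondition failed.
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

Run it from an elevated prompt on the computer running Cisco Secure ACS, before step 8.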