User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Appendix A Troubleshooting
User Authentication Issues
Condition: Authentication fails; the error “Unknown NAS” appears in the Failed Attempts log.
Recovery Action: Verify the following:
• AAA client is configured under the Network Configuration section.
• If you have RADIUS/TACACS source-interface command configured on the AAA client, make sure the client on ACS is configured using the IP address of the interface specified.
Alternatively, you can configure a default NAS in the NAS configuration area by leaving the hostname and IP address blank and entering only the key.

Condition: Authentication fails; the error “key mismatch” appears in the Failed Attempts log.
Recovery Action: Verify that the TACACS+ or RADIUS keys, in both AAA client and Cisco Secure ACS, are identical (case sensitive).
Re-enter the keys to confirm they are identical.

Condition: User can authenticate, but authorizations are not what is expected.
Recovery Action: Different vendors use different AV pairs. AV pairs used in one vendor protocol may be ignored by another vendor protocol. Make sure that the user settings reflect the correct vendor protocol; for example, RADIUS (Cisco IOS/PIX).

Condition: LEAP authentication fails; the error “Radius extension DLL rejected user” appears in the Failed Attempts log.
Recovery Action: Verify the correct authentication type has been set on the Access Point. Make sure that, at a minimum, the Network-EAP check box is selected.
If you are using an external user database for authentication, verify that it is supported. For more information, see Authentication Protocol-Database Compatibility, page 1-10.
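
The “key mismatch” entry above turns on the RADIUS key being identical, including letter case, on both sides. The following added example is not from this guide and is not Cisco Secure ACS code; it applies the User-Password hiding defined in RFC 2865 section 5.2, using constructed keys, a constructed password and a constructed Request Authenticator, to show that a key differing only in case does not recover what the AAA client sent.

```python
import hashlib

def hide_password(password: bytes, key: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(key + previous block)."""
    blocks = max(1, -(-len(password) // 16))      # pad to at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(key + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], pad))
        hidden += prev                            # ciphertext block feeds the next MD5
    return hidden

def recover_password(hidden: bytes, key: bytes, request_auth: bytes) -> bytes:
    """Server side: the same MD5 chain, driven by the key stored on the server."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(key + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, pad))
        prev = block
    return clear.rstrip(b"\x00")

def server_recovers(password: bytes, client_key: bytes, server_key: bytes) -> bool:
    """True when the server's key yields the password the client actually sent."""
    request_auth = bytes(range(16))  # constructed; real clients use random bytes
    hidden = hide_password(password, client_key, request_auth)
    return recover_password(hidden, server_key, request_auth) == password

if __name__ == "__main__":
    pw = b"s3cret-pass"                                   # constructed sample password
    print(server_recovers(pw, b"LabKey01", b"LabKey01"))  # identical keys
    print(server_recovers(pw, b"LabKey01", b"labkey01"))  # differs only in case
```

Because the key is hashed as raw bytes, trailing spaces or a changed character encoding break the match in the same way as a case difference.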