Run into similar issues with the ACS. Manifests itself as "no Authoritative response ..." when running the test aaa .... legacy command.

Usually seems to be one of the following:

1. ACS on Win32 is not listening on the required ports.
2. ACS incompatibility with IOS.
3. AAA client was added on ACS but only the submit button was clicked. Submit and apply was not clicked.

Troubleshoot/fix for the above:

1. Check pingability from the AAA client to the ACS box. It should be pingable.

2. Run a netstat -a on the Win32 box. You should see listening sockets for:

     TCP/49                                   - TACACS
     UDP/1645, UDP/1646, UDP/1812, UDP/1813   - RADIUS
     TCP/2002                                 - ACS Admin GUI

   Sometimes service names might show up. Usually the 1812/1813 show up as radius / radiusacct.

   If a hostname shows up in the netstat output, then in the same DOS cmd window run ping <hostname> and ensure that the IP displayed is the IP you were expecting the AAA client to contact (unless of course there is some kind of NAT going on en route). Cross verify on the ACS Admin GUI under the Network Config page that the AAA server shows your hostname with the right IP. This means the ACS services are properly binding to the right IP addresses as listening sockets.

   If there is an address mismatch, then probably the NIC on the ACS was assigned the incorrect address. Check on the NIC config page. Correct it. Now from the ACS admin GUI restart the ACS service. Now verify again with netstat -a and the ACS->Network Config page.

3. Happens if you have ACS 4.1 and specific versions of the IOS. Upgrading to ACS 4.2 usually fixes the issue.

4. *Last resort* (when you are sweating it out in the lab with clumps of hair in your fisted fingers)
   a. If in a lab scenario then just restart the ACS services.
   b. Remove the AAA client entry and redo the entry. This time around make sure you click on "Submit and Apply".
   c. Restart ACS services from the ACS admin GUI.

   Usually works for me :-)

** If you really like to dirty your hands, do it the network engineer way:

1. debug aaa <radius|tacacs> and see what it says.
2. Run Wireshark/tcpdump on the ACS server box and filter on the radius or tacacs ports. It will let you know if the pkts are reaching ACS and if ACS is responding or not.
3. If ACS is replying then you have run into the 4.1 incompatibility issue.
4. If ACS is not replying then you have run into the ACS not bound to the right IP address issue.

- R Shenai
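
The netstat check from step 2 above can be scripted. This is an added example, not part of the original post: it parses saved netstat -a output, reports which of the listed ports have no listener, and lists any listener bound to something other than the expected IP (including hostnames, which still need the ping check). The sample output, the host name acs01, the IP addresses, and the service-name aliases are constructed assumptions.

```python
# Ports the post expects ACS to be listening on.
REQUIRED = {("TCP", 49): "TACACS", ("UDP", 1645): "RADIUS", ("UDP", 1646): "RADIUS",
            ("UDP", 1812): "RADIUS", ("UDP", 1813): "RADIUS", ("TCP", 2002): "ACS Admin GUI"}
# Assumption: service names netstat -a may print in place of port numbers.
ALIASES = {"tacacs": 49, "radius": 1812, "radacct": 1813, "radiusacct": 1813}
WILDCARDS = {"0.0.0.0", "*", "[::]"}  # bound to every interface

def listeners(netstat_text):
    """Yield (proto, host, port) for LISTENING TCP sockets and bound UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue  # header or blank line
        proto = f[0].upper()
        if proto == "TCP" and f[-1].upper() != "LISTENING":
            continue  # established session, not a listener
        host, _, port = f[1].rpartition(":")
        port = ALIASES.get(port.lower(), port)
        if str(port).isdigit():
            yield proto, host, int(port)

def check_acs(netstat_text, expected_ip):
    """Return (missing ports, listeners whose bound address needs verifying)."""
    seen = {}
    for proto, host, port in listeners(netstat_text):
        if (proto, port) in REQUIRED:
            seen.setdefault((proto, port), set()).add(host)
    missing = sorted(k for k in REQUIRED if k not in seen)
    verify = sorted((proto, port, h) for (proto, port), hosts in seen.items()
                    for h in hosts if h not in WILDCARDS and h != expected_ip)
    return missing, verify

# Constructed sample: UDP/1646 is absent, RADIUS 1812/1813 sit on the wrong NIC address.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:49             0.0.0.0:0              LISTENING
  TCP    acs01:2002             acs01:0                LISTENING
  TCP    10.1.1.100:2002        10.1.1.50:3391         ESTABLISHED
  UDP    10.1.1.100:1645        *:*
  UDP    192.168.0.5:radius     *:*
  UDP    192.168.0.5:radacct    *:*
"""

if __name__ == "__main__":
    missing, verify = check_acs(SAMPLE, "10.1.1.100")
    for proto, port in missing:
        print(f"NOT LISTENING: {proto}/{port} ({REQUIRED[(proto, port)]})")
    for proto, port, host in verify:
        print(f"CHECK BINDING: {proto}/{port} bound to {host}, expected 10.1.1.100")
```
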
