Cisco ACS server clock skew error
Posted on 2011-10-05
I have a Cisco ACS server configured in a virtual environment - vSphere.
The ACS is used for authenticating wireless and VPN users via RADIUS. It is also used for authenticating network admins logging in to routers and switches etc... TACACS is used for this.
The ACS talks to Active Directory to authenticate the users.
Every so often, maybe every 3 months, people are not able to authenticate. I log on to the ACS GUI page and perform a connectivity test to AD. It fails and says there is a clock skew error. I then have to manually SSH to the ACS, change the clock and then restart. The funny thing here is, the clock on the ACS has to be 1 hour and 10 minutes behind the domain controller for the link between ACS and AD to be successful. If I set the correct time on the ACS then the connection actually fails - clock skew error.
Does anybody know a fix for this? Maybe someone has seen this before?
It's even more frustrating because, even though all my NAS devices such as wireless access points, VPN concentrator etc... are configured to use an alternative server for user authentication, this other server is never attempted because the wireless access point, for instance, can still see the ACS. Therefore the secondary authentication server is never attempted, and the user just fails authentication based on the clock skew error.
A quick fix is to power off the ACS, and then the secondary auth server is used. But this is obviously just a workaround and I would prefer a better solution.
Thanks in advance.