Cisco ACS server clock skew error

Posted on 2011-10-05
Last Modified: 2012-05-12
Hello all,

I have a Cisco ACS server configured in a virtual environment - vSphere.

The ACS is used for authenticating wireless and VPN users (RADIUS). It is also used for authenticating network admins logging in to routers and switches etc. TACACS is used for this.
The ACS talks to Active directory to authenticate the users.

Every so often, maybe every 3 months, people are not able to authenticate. I log on to the ACS GUI page and perform a connectivity test to AD. It fails and says there is a clock skew error. I then have to manually SSH to the ACS, change the clock and then restart. The funny thing here is, the clock on the ACS has to be 1 hour and 10 minutes behind the domain controller for the link between ACS and AD to be successful. If I set the correct time on the ACS then the connection actually fails - clock skew error.

Does anybody know a fix for this? Maybe someone has seen this before?

It's even more frustrating because, even though all my NAS devices such as wireless access points, VPN concentrator etc. are configured to use an alternative server for user authentication, this other server is never attempted because the wireless access point, for instance, can still see the ACS. Therefore the secondary authentication server is never attempted, and the user just fails authentication based on the clock skew error.

A quick fix is to power off the ACS, and then the secondary auth server is used. But this is obviously just a workaround and I would prefer a better solution.

Thanks in advance.
Question by:L-Plate
    LVL 14

    Expert Comment


    Is the ACS configured for NTP?

    What is the version of ACS?

    Author Comment

    hi anoopkmr,


    ACS is not currently configured to receive time from an NTP server. We do have an NTP server on the network, but the ACS has its time configured statically using the clock set command.
    LVL 14

    Accepted Solution

    You may need to configure NTP. This is what I found in the Cisco forum.

    Please go through the paragraph below (details can be found at

    The error message you are getting is no doubt due to time synchronization. ACS 5.1 has to be configured with a valid NTP server for time synchronization, preferably from where the domain controller is syncing its time, but AD should be configured with NTP for time synchronization. It won't work if you manually set the clock even though it's correctly set up. Another one is a valid DNS server which can resolve internal names.

    Both of them will be configured from the CLI:

    ip name-server

    ntp server



    Author Comment

    Thanks for the information.

    I guess it seems that configuring the ACS to use NTP is an absolute must. I'll get that configured during our next change window.

    thanks again,
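
Once NTP is in place, a periodic offset check catches drift before authentication starts failing. The following is an added example, not code from this thread or from Cisco: it parses an NTP server reply and flags an offset beyond 300 seconds, which assumes Active Directory's default 5-minute Kerberos clock tolerance. All function names and the sample packet are constructed for illustration.

```python
import struct

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
MAX_SKEW_SECONDS = 300         # assumption: AD's default Kerberos clock tolerance (5 minutes)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (seconds, 2^-32 fraction) to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def parse_server_reply(packet):
    """Return (receive_ts, transmit_ts) from a 48-byte NTP server reply."""
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    leap, mode, stratum = packet[0] >> 6, packet[0] & 0x07, packet[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if leap == 3 or stratum == 0:
        raise ValueError("server reports its own clock as unsynchronized")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", packet[32:48])
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)


def check_skew(packet, t1, t4, limit=MAX_SKEW_SECONDS):
    """t1/t4: local Unix time when the request left and the reply arrived.

    Returns (offset, ok). Offset is the RFC 5905 formula; a positive value
    means the local clock is behind the server.
    """
    t2, t3 = parse_server_reply(packet)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return offset, abs(offset) <= limit


def build_reply(server_unix, leap=0, stratum=2):
    """Constructed sample reply (version 4, mode 4) so the check runs offline."""
    ts = struct.pack("!II", int(server_unix) + NTP_EPOCH_DELTA, 0)
    header = bytes([(leap << 6) | (4 << 3) | 4, stratum]) + bytes(30)
    return header + ts + ts      # receive and transmit timestamps


if __name__ == "__main__":
    server_now = 1317816000                       # constructed server time
    reply = build_reply(server_now)
    for local in (server_now - 2, server_now - 4200):   # 2 s and 70 min behind
        offset, ok = check_skew(reply, t1=local, t4=local)
        print("offset %+.1f s -> %s" % (offset, "within tolerance" if ok else "CLOCK SKEW"))
```

In a real check the packet would come from a UDP query to port 123 on the time source the domain controllers use, with t1 and t4 taken from the local clock around that query.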

