Cisco ACS server clock skew error

Hello all,

I have a Cisco ACS server configured in a virtual environment (vSphere).

The ACS is used for authenticating wireless and VPN users via RADIUS. It is also used for authenticating network admins logging in to routers and switches etc.; TACACS is used for this.
The ACS talks to Active Directory to authenticate the users.

Every so often, maybe every 3 months, people are not able to authenticate. I log on to the ACS GUI page and perform a connectivity test to AD. It fails and says there is a clock skew error. I then have to manually SSH to the ACS, change the clock and then restart. The funny thing here is, the clock on the ACS has to be 1 hour and 10 minutes behind the domain controller for the link between ACS and AD to be successful. If I set the correct time on the ACS then the connection actually fails with a clock skew error.

Does anybody know a fix for this? Maybe someone has seen this before?

It's even more frustrating because, even though all my NAS devices such as wireless access points, VPN concentrator etc. are configured to use an alternative server for user authentication, this other server is never attempted because the wireless access point, for instance, can still see the ACS. Therefore the secondary authentication server is never attempted, and the user just fails authentication based on the clock skew error.

A quick fix is to power off the ACS, and then the secondary auth server is used. But this is obviously just a workaround and I would prefer a better solution.

Thanks in advance.
L-Plate asked:
anoopkmr commented:
You may need to configure NTP. This is what I found in the Cisco forum.

Please go through the paragraph below (details can be found at https://supportforums.cisco.com/thread/2017996):

The error message you are getting is no doubt due to time synchronization. ACS 5.1 has to be configured with a valid NTP server for time synchronization, preferably from where the domain controller is syncing its time, but AD should be configured with NTP for time synchronization. It won't work if you manually set the clock even though it's correctly set up. Another one is a valid DNS server which can resolve internal names.

Both of them will be configured from the CLI:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

ip name-server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

ntp server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780

HTH
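As an added example that is not part of this thread or of Cisco's documentation: a small Python check of the local clock's offset from an NTP server (point it at the server the domain controller syncs from), flagging any skew beyond the 5-minute tolerance Kerberos/AD allows. The offline demo packet is constructed to mirror the 1 hour 10 minute gap described in the question; the server name used in a live run is whatever you pass to query().

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
KERBEROS_MAX_SKEW = 300        # Kerberos' default tolerance, in seconds

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2 ** 32

def build_request():
    """48-byte SNTP client packet: LI=0, VN=4, Mode=3 (client)."""
    return bytes([0x23]) + bytes(47)

def compute_offset(response, t1, t4):
    """Local clock offset from the server per RFC 4330: ((t2-t1)+(t3-t4))/2,
    t1/t4 = local send/receive time (Unix s), t2/t3 from the reply."""
    if len(response) < 48:
        raise ValueError("short NTP packet")
    w = struct.unpack("!12I", response[:48])
    t2 = ntp_to_unix(w[8], w[9])    # server receive timestamp
    t3 = ntp_to_unix(w[10], w[11])  # server transmit timestamp
    return ((t2 - t1) + (t3 - t4)) / 2

def skew_status(offset, limit=KERBEROS_MAX_SKEW):
    """'OK' when |offset| is within the Kerberos tolerance, else 'SKEW'."""
    return "OK" if abs(offset) <= limit else "SKEW"

def query(server, port=123, timeout=5.0):
    """Live check against a real NTP server (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(), (server, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return compute_offset(data, t1, t4)

def constructed_reply(server_unix_time):
    """Constructed mode-4 server reply whose receive and transmit timestamps
    both equal server_unix_time (offline demo only, not a real capture)."""
    secs = int(server_unix_time) + NTP_EPOCH_OFFSET
    return struct.pack("!12I", 0x24 << 24, 0, 0, 0, 0, 0, 0, 0, secs, 0, secs, 0)

if __name__ == "__main__":
    # Offline demo mirroring the thread: the server clock is 1h10m ahead of us.
    t1, t4 = 1_000_000_000.0, 1_000_000_002.0
    off = compute_offset(constructed_reply(1_000_004_201), t1, t4)
    print(f"offset {off:+.1f}s -> {skew_status(off)}")  # offset +4200.0s -> SKEW
```

Run it periodically (cron, or the monitoring host's own check) against the same NTP source the domain controller uses; a "SKEW" result is the early warning for the failure the question describes.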
 
anoopkmr commented:

Is the ACS configured for NTP?

What is the version of ACS?
 
L-Plate (author) commented:
Hi anoopkmr,

Version 5.1.0.44.5

ACS is not currently configured to receive time from an NTP server. We do have an NTP server on the network, but the ACS has its time configured statically using the clock set command.
 
L-Plate (author) commented:
Thanks for the information.

I guess it seems that configuring the ACS to use NTP is an absolute must. I'll get that configured during our next change window.

Thanks again,

L-Plate.
Question has a verified solution.