Solved

Cisco ACS server clock skew error

Posted on 2011-10-05
Last Modified: 2012-05-12
Hello all,

I have a Cisco ACS server configured in a virtual environment (vSphere).

The ACS is used for authenticating wireless and VPN users via RADIUS. It is also used for authenticating network admins logging in to routers and switches etc.; TACACS is used for this.
The ACS talks to Active Directory to authenticate the users.

Every so often, maybe every 3 months, people are not able to authenticate. I log on to the ACS GUI page and perform a connectivity test to AD. It fails and says there is a clock skew error. I then have to manually SSH to the ACS, change the clock and then restart. The funny thing here is, the clock on the ACS has to be 1 hour and 10 minutes behind the domain controller for the link between ACS and AD to be successful. If I set the correct time on the ACS then the connection actually fails with a clock skew error.

Does anybody know a fix for this? Maybe someone has seen this before?

It's even more frustrating because, even though all my NAS devices such as wireless access points, VPN concentrator etc. are configured to use an alternative server for user authentication, this other server is never attempted because the wireless access point, for instance, can still see the ACS. Therefore the secondary authentication server is never attempted, and the user just fails authentication based on the clock skew error.

A quick fix is to power off the ACS, and then the secondary auth server is used. But this is obviously just a workaround and I would prefer a better solution.

Thanks in advance.
Question by:L-Plate
4 Comments
 

Expert Comment

by:anoopkmr
ID: 36916466

Is the ACS configured for NTP?

What is the version of ACS?
 

Author Comment

by:L-Plate
ID: 36916498
Hi anoopkmr,

Version 5.1.0.44.5

ACS is not currently configured to receive time from an NTP server. We do have an NTP server on the network, but the ACS has time configured static using the clock set command.

Accepted Solution

by:
anoopkmr earned 2000 total points
ID: 36916530
You may need to configure NTP. This is what I found on the Cisco forum.

Please go through the paragraph below (details can be found at https://supportforums.cisco.com/thread/2017996):

The error message you are getting is no doubt due to time synchronization. ACS 5.1 has to be configured with a valid NTP server for time synchronization, preferably the one from which the domain controller is syncing its time, but AD should be configured with NTP for time synchronization. It won't work if you manually set the clock even though it's correctly set up. Another one is a valid DNS server which can resolve internal names.

 
Both of them will be configured from the CLI:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

ip name-server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

ntp server
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780

HTH
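The accepted answer above says the ACS must take its time from NTP, because AD rejects Kerberos traffic from a peer whose clock drifts too far. As an added example that is not part of this thread or of Cisco's documentation, the Python script below measures a host's clock offset against a domain controller or NTP server with one SNTP (RFC 4330) query and flags it against the Active Directory Kerberos default tolerance of 5 minutes, which is an assumption about the poster's domain; the server address is passed as a command-line argument, and the offset function is kept separate so it can also be checked on a constructed reply.

```python
import socket
import struct
import time

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01).
NTP_UNIX_DELTA = 2208988800
# Assumed AD Kerberos default: beyond this skew the ACS-to-AD connectivity test fails.
MAX_SKEW_SECONDS = 300

def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds + 32-bit fraction) to Unix seconds."""
    return seconds - NTP_UNIX_DELTA + fraction / 2**32

def build_request(t1_unix):
    """48-byte SNTP client request (LI=0, VN=4, mode=3) carrying our send time as Transmit."""
    secs = int(t1_unix) + NTP_UNIX_DELTA
    frac = int((t1_unix - int(t1_unix)) * 2**32)
    return struct.pack("!B", 0x23) + b"\x00" * 39 + struct.pack("!II", secs, frac)

def offset_from_reply(reply, t1_unix, t4_unix):
    """RFC 4330 offset (server minus local): t1/t4 are local send/recv, t2/t3 server recv/send at bytes 32-47."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", reply[32:48])
    t2, t3 = ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)
    return ((t2 - t1_unix) + (t3 - t4_unix)) / 2

def skew_exceeds_limit(offset_seconds, limit=MAX_SKEW_SECONDS):
    """True when the measured offset is outside what AD will tolerate for Kerberos."""
    return abs(offset_seconds) > limit

def query_ntp(server, port=123, timeout=3.0):
    """Send one SNTP request to `server` and return this host's clock offset from it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        t1 = time.time()
        sock.sendto(build_request(t1), (server, port))
        reply, _ = sock.recvfrom(48)
        t4 = time.time()
    finally:
        sock.close()
    return offset_from_reply(reply, t1, t4)

if __name__ == "__main__":
    import sys  # usage: python skew_check.py <domain-controller-or-ntp-server>
    off = query_ntp(sys.argv[1])
    verdict = "EXCEEDS" if skew_exceeds_limit(off) else "within"
    print(f"local clock is {off:+.3f}s from {sys.argv[1]}: {verdict} the {MAX_SKEW_SECONDS}s AD tolerance")
```

Run it from a scheduled job on a monitoring host and alert on the EXCEEDS case so the skew is caught before users start failing authentication.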
 

Author Comment

by:L-Plate
ID: 36916973
Thanks for the information.

I guess it seems that configuring the ACS to use NTP is an absolute must. I'll get that configured during our next change window.

thanks again,

L-Plate.