AAA/Identity/Nac :: ACS 4.0 / 4500 Switch - External DB User Invalid Or Bad Password
Apr 19, 2011
I have problem with Cisco ACS 4.0 "Windows" with core 4500 switch "cat4500-ENTSERVICESK9-M 12.2" the problem shows only on one device "x.x.x.x" the problem is " Authen failed-------badcred------External DB user invalid or bad password" i can see it in failed attempt. on the same side i can see in Passed Authentications for same record "Authen OK", i can login to the mentioned switch using my ACS credentials and not local database credentials
can debug this from ACS if not how can view the authentication records from core switch?
View 8 Replies
ADVERTISEMENT
Jun 7, 2011
Cisco Secure ACS 4.0
View 2 Replies
View Related
Jan 16, 2012
Is it possible to create on ACS5 rule which will:
1. Try to authenticate user in external database1 (radius)
2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
View 5 Replies
View Related
Mar 9, 2012
Having CSACSE-1113-K9 with ACS 4.2.15.I want to configure windows user database under extrenal user database but i get an error (attached) 'An error has occured while processing the Authen DLL Configure pagebecasue an error occured.I tried to stop the services and start agian but the same issue. The eappliance is secondary (backup) ACS. On the primary it is working fine.
View 1 Replies
View Related
Dec 10, 2012
I am having the Cisco NAC enviroment (Software Version is 4.9.1) and OOB VG.
We are getting the below and attached Error while deploying on some machines.
"Invalid switch configuration-OOB Error:OOB client "mac/ip" not found."
Some users on same switches are working fine but some are not....
What would be the possibilities and any work around? other than keeping the port shudown for long time means that atleast 10 - 20 secs or more or a PC restart. Customer is not feeling comfortable with the current situation.
View 4 Replies
View Related
Apr 11, 2012
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
View 2 Replies
View Related
Nov 30, 2011
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
View 2 Replies
View Related
Oct 11, 2011
I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
View 5 Replies
View Related
Mar 7, 2012
On the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies
View Related
Aug 25, 2011
I have configured under Administration password policies about password lenght, items to be putted as number, letters and so on.on the second tab is the password expire for users and I configured to expire after 90 days.
I even tried creating a new user and changing a password from an existing user using Apache TOMCAT WAR,I have checked CLOCK of ACS appliance and setted up NTP on our internal NTP servers
even I create a new user or I change the password via Admin GUI or I change the user password via Apache TOMCAT WAR, I have the user being disabled in a few of minutes, half an hour.,As last, with CISCO AnyConnect is possible to warn the user about the password being expireing and if so, the change could be driven via AnyConnect or is absolutely needed a User Hand Task on the Apache TOMCAT portal I setted up with the ACS WAR application?
View 6 Replies
View Related
Sep 21, 2011
Is there a way to configure a webpage where end users would go to change their passwords? I would not like to use the network devices themselves with the "change password at next logon" option.
I believe ACS 4.2 has such solution. Does 5.2 have it too?
View 3 Replies
View Related
Jul 19, 2011
I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via Internal Database and another user to auth via Radius Token Server. I cannot find how to do this with 5.2. There is a note in the doc that states 'Identity-related attributes are not available as conditions in a service selection policy'. Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?
View 1 Replies
View Related
Sep 27, 2010
I am looking for a way how to set the password-rules for individually for for some users or identity-groups.I just can find the global settings,Background of the requirement: We want to use password-aging for most admin-users, for some we dont want that pw expires.
View 10 Replies
View Related
May 30, 2011
Our customer has the business needs to authenticate remote users against AD with empty password. I've seen ACS5.1 release note where mentioned about resolved issue: #CSCte72751 #ACS 5.1 drops authentication with empty password.
I tried to authenticate dial-in users through Tacacs and Radius against AD with empty password but without success. ACS points to wrong AD password. Is it possible to authneticate remote users with empty password?
View 3 Replies
View Related
Mar 28, 2012
My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?
View 1 Replies
View Related
Nov 14, 2012
i just want to ask whether i should do some configurations or not on my cisco switch 4500 L3 regarding the error of 500 invalid port command when host try to access FTP active on to FTP server, i just did static route on gig interface with no switchport mode to that host network, all traffic type was allowed except the FTP with active mode?
View 7 Replies
View Related
Apr 29, 2012
I'm doing some testing with ACS server on my windows box and I can't seem to get a barebone radius authentication to work with ACS internal users. I tested the same configuration with TACACS and it works fine, so there's something missing or misconfigured in my setup.
I have a cisco 3550 switch that I want users to login using their ACS username/password.
SW1
username cisco password 0 cisco
username admin password 0 admin
[Code].....
View 2 Replies
View Related
Sep 3, 2012
Most of the 4500 Switches in our network are giving the similar error for so many ports
%C4K_L2MAN-6-INVALIDSOURCEADDRESSPACKET: (Suppressed 1 times)Packet received with invalid source MAC address (00:00:00:00:00:00) on p t Gi2/6 in vlan 100
Its impossible to do a wireshark packet tracing for all the ports.
View 2 Replies
View Related
Feb 20, 2012
How to upgrade from LMS 3.0 December 2007 update to LMS 3.1 or LMS 3.2. The problem is the large number of C2960S-24TS-L switches that my organization has and cannot managed them.. I tried to upgrade devices through Software Center but always Ciscoworks informs me with the following message."Error while downloading package information from [URL] for the selected products. See the log file for details". Also i can not run EOL/EOS inventory report. The message is " INVREP0102: Cisco.com user credentials are invalid. Enter correct credentials." I check my credentials and is right. The server has access to www through proxy without any restrictions. In the past I've already updated devices through the software center. Also in the past i ve run EOS/EOL inventory reports.The LMS 3.0 December 2007 has the following products LMS3.0.116 May 2008
CiscoWorks Common Services3.1.102 Jul 2009, 07:44:58 EEST2.Campus Manager5.0.511 Oct 2009, 07:36:10 EEST3.CiscoView6.1.702 Jul 2009, 07:45:05 EEST4.CiscoWorks Assistant1.0.102 Jul 2009, 07:45:05 EEST5.Device Fault Manager3.0.512 Jun 2010, 07:31:48 EEST6.Internetwork Performance Monitor4.0.102 Jul 2009, 07:45:11 EEST7.Integration Utility1.7.102 Jul 2009, 07:45:14 EEST8.LMS Portal1.0.102 Jul 2009, 07:45:16 EEST9.Resource Manager Essentials4.1.102 Jul 2009, 07:45:17 EEST
View 1 Replies
View Related
Feb 7, 2012
Can't get in tells me password invalid.
View 1 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Apr 18, 2011
I was trying to get into the router the other day and it gave me invalid password consistently. I have hardware version B1 and firmware version 2.00NA. This had been working fine but this along with remote desktop no longer work.
View 5 Replies
View Related
Jan 23, 2011
I did some testing in WLC in our company wireless network.However, after my 3 hours testing, I had tried to login WLC again by GUI and SSH. The admin username and password does not work any more. All Read only and Guest Account did not work as well.Is any one had this issue before? Is there a restriction for access to WCL per 3 hours or one day? By the way, I did not change any password.
View 8 Replies
View Related
Dec 3, 2011
I have a d-link router model dir 655.To activate my laptop all that was required was to enter the wps pin.I just purchased an apple ipod touch which is asking for a password.I first tried the wps pin.Then I went to the d-link website and put in my model #.It gave me an ip address which brought up a page where there was a choice admin or user.I picked user.The second choice was to put in a password which I did.The Ipod still says password invalid.I tried numerous times.
View 1 Replies
View Related
Oct 27, 2012
Just bought the N150 router. Trying to enter the router setup for the first time. I leave the password blank like it tells me to, but it says i have an incorrect password. Tried pressing reset button for 10 seconds, but get same result.
View 8 Replies
View Related
Jan 12, 2013
I have successfully installed a DCS-930L camera. However, when I add a second DCS-942L camera everything stops when I enter my existing account and password stating that they are incorrect (which they are not). The answer I get is: "Invalid e-mail and password combination".
View 2 Replies
View Related
Nov 3, 2012
Two 5520 firewall configuration of the failover and SSH, the first remote landing SSH, can use user and password successful landing, again landing, to prompt the user name password is invalid, what is the reason?
View 4 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
May 11, 2012
I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
View 3 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Mar 15, 2011
DIR-655 RevA4 - upgraded to 1.35NA, which is shown on http://192.168.0.1/
When I try to re-log in as Admin, I get a message of invalid password. I have unplugged to reset, but still cannot get back in.
View 3 Replies
View Related
Sep 1, 2012
I have WRT54G2 that I've set up my wireless network on. My Kindle, just the basic one, sees and recognizes the network. It has good signal from it. When I attempt to sign in though the Kindle says my password is invalid or it says it just can not connect. I have gone over and checked what I hope are all the settings but to no avail.
View 1 Replies
View Related
Apr 17, 2013
I bought a cisco router last week. The reseller said it is a brand new one. However, when I try to set it with console cable connecting to PC, the default password does not work. I tried to use control+break to get access to rommon for password recovery. The tera term pro displayed nothing at all! In thin case, what should I do to setup the router? Dose the reset button in the back work to restore the router to factory setting(which means i can use default username and password)?
View 1 Replies
View Related