AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed

May 5, 2011

I've got a problem with Cisco ACS 4.2 authenticating a Cisco 4710 ACE appliance.
 
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
 
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
 
I've posted my AAA configuration of the 4710 ACE below. The ACE is running the latest version, A4(1.1).
 
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin


Cisco Application :: ACE 20 (ACE 30) Versus 4710 Appliance Reliability

Jun 21, 2012

In the 2008-2010 timeframe, I used the ACE 4710 appliances at one customer and kind of liked them. The deployment was not too SSL intensive and B/W requirements were low, but I configured a few HA pairs and that worked well. The configuration was pretty comparable to other Cisco devices, so easy to learn/pick up. Fast forward to 2011: I stepped into an environment where the customer had purchased 3 ACE 20 modules (before I got here), and had multiple issues with them. I found 4 documented TAC cases, and 1 was still open. I started working from December 2011 on getting Cisco to own up WRT the modules, but the customer by that time had had enough.
 
The most serious issue was a random reboot, hang or lockup. I wasn't here to work with them to verify, but that's eventually what the deal breaker was. Around the February 2012 timeframe, talking to a Cisco SE, he revealed Cisco had an independent lab in Switzerland verify that some hardware component on the device had a terminal defect, in which a bit would flip and force the device to lock or reboot, subject to radioactive decay or interference. Cisco and the lab attributed this to improper shielding, coupled with defective material in the electronic component; hence the device was highly susceptible to radiation-type errors. This is the kind of stuff you read in doomsday reports! As a result, Cisco was EOL-ing the ACE-20 module. I am trying to get Cisco to replace the ACE-20 modules with something else, but they haven't been too cooperative. They have also limited their SE/salesperson presence where I work (Pacific Northwest), and are not too responsive.
 
I have gotten a verbal agreement to get a credit on prior purchases for the amount this customer spent on the ACE-20 modules. However, the credit is only a few points off their normal discounting model, and Cisco will not go into a loss on new product sales. For example, a $100 product would cost me $55 with standard Cisco discounting. Cisco's cost might be $45, so I will only get another $10 credit on this new purchase. The 3 Cisco ACE-20's originally cost the customer about $100K, so to dwindle this credit down we would need to purchase about $1-$2 million of new hardware - that's a lot of new gear! And I don't have any real way of knowing that Cisco is applying the credit honestly, and they won't put anything in writing. This entire issue has really dampened the customer's impression of Cisco. They had SmartNet on the ACE-20's for 2+ years, but then dumped that after losing faith in the product. Now I am trying to resurrect SmartNet to see if Cisco will give us an alternate product.
 
And to cap it all off, the original Cisco salesperson (who sold the customer the ACEs) has left and gone to work for F5! And yes, he has been calling on the customer to try to sell some BIG-IPs! At least there is some humor in all of this. So... Has anyone else had a bad experience with the ACE-20 module? How about the ACE 4710? How do you get a reliable working ACE module from Cisco?


Cisco Application :: Discovery Protocol On ACE 4710 Appliance

May 26, 2011

My TCOM guys say they do not see the ACE as a CDP neighbor on their switches. Is CDP enabled by default? I cannot find any documentation that suggests this is configurable (like on the Cisco CSS, where it can be enabled, but cannot see its CDP neighbors).
 
BTW - the ACE 4710 Appliance documentation uses CDP as an acronym for Certificate Revocation List Discovery Point (for SSL CRLs).


Cisco Application :: ACE 4710 Redundant Appliance Telnet

Jan 21, 2013

I have a pair of ACE 4710s that I am deploying within a datacenter. The primary and secondary ACE appliances have identical configurations except for the IP addressing and priorities for FT. The FT peer is going into a TL error state.
 
On the primary ACE appliance, I am able to ping and telnet from/to it without any issues. All of the routing works as it should and everything is seen in the ARP table as it should. The secondary appliance is able to ping everywhere, but telnet out of or into that appliance does not work.
 
I am able to see the IP addresses in the ARP table and can successfully ping end to end from the secondary device, just unable to telnet into or out of it. When I try to telnet out of the secondary device, it reports that there is no route, even though the IPs I am trying to telnet to are directly connected and those interfaces are up and working (otherwise ping would fail). The exact same filters (access-lists, service-policies) are configured in the exact same format and applied to the exact same interfaces.
 
I tried removing all of the fault tolerance configuration and just created a Layer 3 VLAN interface for management, and I am still unable to telnet into or out of the appliance. This is not a complicated setup and I have to think there is something obvious that I'm missing, but I'm hung up on the fact that the configs are almost identical while one works exactly as intended and the other reports no route to host for a directly connected interface.


Cisco Application :: ACE-4710-0.5F-K9 / Redundancy Not Supported Between ACE Module And Appliance

Mar 19, 2012

What does that mean: "Redundancy is not supported between an ACE module and an ACE appliance operating as peers"? I'm designing a network in which I plan to use ACE-4710-0.5F-K9 appliances.


Cisco AAA/Identity/Nac :: 11213 NAC Clients Via ISE Authenticating

Apr 17, 2012

So if I use a static IP address it works fine, but if I turn off static, the machine authenticates fine but is not assigned to the access VLAN and does not get an IP address. Now when I use static I notice in the ISE live authentication logs "11213 No response received from Network Access Device" for the switch, even though it's configured correctly.


Cisco Application Networking :: 4710 Appliance / HTTP To HTTPS Redirection URL

Sep 25, 2011

I have a 4710 appliance (one-armed) and I am load balancing two webservers. In the URL, there are links that need to be redirected to https:

[URL]
 
I am using the

rserver redirect REDIRECT-TO-HTTPS[URL] 
 
The https is working but I have a problem. When I access the Main link first, it is redirected to https to the Main link. But if I access one of the Sublinks directly (without having to click on the main link first), the page is redirected to https but to the Main Link. I have to click the Sublink again in order to get the page. How can I redirect to https and stay on the same page? What might be the general link in the webserver redirection?


Cisco AAA/Identity/Nac :: MC75 Motorola Handheld Not Authenticating With ACS

Jun 6, 2011

I have deployed a Cisco wireless environment at one of our sites. The problem is that the new Motorola handhelds (MC75) we are rolling out are not authenticating with the ACS. I have copied the same config as the existing wireless that was installed. Funny thing is we have another set of Motorola handhelds (MC70) that all use the same certificates and can authenticate without any issues. When I look at the ACS logs I get the following error: EAP-TLS or PEAP authentication failed during SSL handshake.


Cisco Application :: Double-check Point With Forum On Licensing On 4710 Appliance

Jan 9, 2013

I would just like to double-check a point with the forum on licensing on the 4710 Appliance. If with version 4.2 and above a 2Gbps bandwidth licence is required, what should the output of "sho license status" be?


Cisco AAA/Identity/Nac :: ASA5510 / VPN Client And Clientless Users Not Authenticating With AD?

Oct 16, 2012

Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.


Cisco AAA/Identity/Nac :: ACS 5.3 / Authenticating Device Admin Users Against AD Specific Groups

Jan 28, 2013

I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of any AD. What is happening now is users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
 
How can I bind the authentication against a specific group in AD, not just using AD1 as the identity source?


Cisco Application :: Failed Installing Performance License On ACE 4710

Sep 5, 2012

I'm trying to install a performance license on an ACE 4710 appliance and it failed. [code]


Cisco Application :: ACE 4710 Failed Probe And Established Connections

Jan 23, 2013

I have four ACE 4710s. Each pair of ACEs is in one geographical location. Probes are configured to check a regular regex (HTTP GET). When an rserver needs an update, we change text in our testpage.html (e.g. from "OK" to "SUSPEND") so that the probe detects a failure. In fact the rservers are still operational, but should not accept new connections. This works fine. BUT I observed that established connections/sessions did not end after the probe fails. The ACE probably waits for opened/established connections to end, and that is what I am asking about. What happens if the probe fails but in fact the rserver is operational? I thought that if the probe fails it also ends/cuts all established connections to the rserver. But it seems that is not true.


Cisco Application :: ACE 4710 License Installation Failed With No Space Left On Device

Jan 15, 2012

The installation of an ACE-4710 throughput upgrade license (ACE-AP-02-UP1) failed with an error message:

CH01AC03/Admin# license install disk0:ACE20111213081741975.lic
Installing license... failed: No space left on device.
[code]


Cisco AAA/Identity/Nac :: Unable To SSH To ACS 4.2.0.124 SE Appliance

Feb 20, 2010

I could not SSH to an ACS SE appliance. Why could I not, when I can on another ACS SE?
 
Note that I can ping the ACS SE after disabling the CSA, so network connectivity is OK.
 
Cisco Secure ACS: 4.2.0.124.


Cisco AAA/Identity/Nac :: Secure ACS 5.2 Appliance To Use Or Not To Use UCP

Nov 16, 2011

All users are located in the local identity store. So, assume I do not implement ACS but I do turn on password expiration after 60 or 90 days. If a user whose password is about to expire attempts to authenticate against ACS 5.2, will they be notified that their password is about to expire? Also, when a user attempts to authenticate but their password expired yesterday, will they be prompted to change it and, if so, how will that prompt to change it be presented?


Cisco AAA/Identity/Nac :: Re-image NAC-3315 Appliance To ISE

Mar 29, 2012

My site got the NAC-3315 appliance and we would like to reimage this appliance to inline posture mode (for VPN purposes). What is the proper migration process for this? Does the NAC-3315 hardware comply with the inline posture mode requirements?


Cisco AAA/Identity/Nac :: ACS 1121 Appliance Downgrade To 4.2.0.124

May 2, 2011

A newly shipped Cisco ACS appliance 1121 has arrived with ACS version 5.0. I need to downgrade to ACS version 4.2.0. I could not see a recovery CD or DVD for ACS 4.2 along with the shipment. Is the ACS 1121 appliance compatible with ACS version 4.2.0?
 
My ACS BOM details
CSACS-1121-K9
ACS 1121 Appliance With  5.1 SW And Base license

[code]....


Cisco AAA/Identity/Nac :: Configure ACS 5.1 Appliance To Connect To AD

Jun 18, 2011

This is a new installation. I configured the ACS to connect to the AD to authenticate users and retrieve the user information for group mapping with the following steps. Go to Users and Identity Stores > External Identity Stores > Active Directory, enter the domain name and provide a username/password that will allow connecting to the domain. Next, click on the Test Connection button to validate joining the domain.
The test connection succeeded. But when I click Save Changes, I get an error.


Cisco AAA/Identity/Nac :: Licensing On C1121 ACS Appliance

Feb 13, 2012

01. I have one customer unit, a C1121 ACS system shipped with version 5.1. The customer bought the base license and large deployment license along with the purchase.
 
02. The fact is I have manually upgraded the system to version 5.3.0.40, and applied a trial license to it for administering the appliance.
 
a. If I now use the purchased base license and large deployment PAK to activate the system, would it still be valid for me to continue using Version 5.3.0.40?


Cisco AAA/Identity/Nac :: Expanding NIC On 3315 NAC / ISE Appliance

May 2, 2013

Is it possible to add another NIC to the Cisco 3315 NAC appliance? It ships with four Ethernet interfaces, but I would like to add at least 1 extra interface, i.e. a PCI card if possible.


Cisco AAA/Identity/Nac :: Up-gradation ACS 4.2.0.124.16 On Appliance 1113 To ACS 4.2.1.15

Jun 21, 2012

We have the software below to install one by one, in order, on the appliance 1113.

1)ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
(Appliance Management package)

2)ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
(ACS Software package)

3)applAcs_4.2.1.15.8.zip
(ACS SE 4.2.1.15.8 cumulative patch)
 
Please take it forward with a step-by-step upgrade procedure. (Is it the same as TFTP to transfer these packages to the appliance, or a different method?) (We are using a Windows XP system.)


Cisco AAA/Identity/Nac :: Migration ACS 5 Appliance To ACS 5.1 Vmware

Jun 7, 2011

I'm having problems migrating ACS 5.1 hardware to ACS 5.1 VMware. In my infrastructure I have an appliance with ACS 5.1 and I need to migrate to VMware to do HA. I installed VMware as per the Cisco ACS recommendations. I made a backup of the ACS hardware and copied it to the local disk of the VMware ACS.
 
When I start the restore process after a few minutes an error occurs:
 
UMA/admin# dir
Directory of disk:/
    33293306 Jun 08 2011 16:51:38  bkp-production-110608-1433.tar.gpg
       5862 Nov 07 2009 01:06:32  favicon.ico.1
      16384 Jun 06 2011 17:54:34  lost+found/
[Code]....


Cisco AAA/Identity/Nac :: ISE 3355 Appliance Use Of Both GigE Ports

Apr 12, 2013

I am setting up six ISE 3355 appliances, 3 in one datacenter and 3 in another. They have just installed a new server farm infrastructure using Nexus 5596 and Nexus 2248TP top-of-rack switches. I have been looking for documentation on how to do NIC teaming on the 3355, or some way to connect Gig0 to FEX101 and Gig1 to FEX102. Or do I just set up a port channel using LACP between the two different FEX groups?


Cisco AAA/Identity/Nac :: Disable Telnet To ACS Appliance 4.2 1113 SE?

Aug 12, 2010

How do we disable telnet to the ACS appliance 4.2 1113 SE?


Cisco AAA/Identity/Nac :: Unable To Upload Patch To ACS 5.2 Appliance?

Jul 21, 2011

I'm trying to upload the 5-2-0-26-4.tar.gpg patch to our ACS and so far have been unsuccessful. I keep getting "please verify the patch bundle is valid".
 
When I download the 5-2-0-26-4.tar.gpg file, for some reason the download always comes down from Cisco as 5-2-0-26-4.tar.tar. I've renamed the file to 5-2-0-26-4.tar.gpg and verified the MD5.


Cisco AAA/Identity/Nac :: Unable To Register A Secondary ACS 5.2 Appliance

Dec 6, 2011

I have installed 2 ACS 5.2 appliances, the two appear as Primary. When I try to register one of them with the other one using "System Administrator -> Local Operation -> Deployment Operations" I get the following message:
 
This System Failure occurred:  Unable to authenticate with node.. Your changes have not been saved.Click OK to return to the list page.
 
I have tried with both "ACSAdmin" and "admin" users with their respective passwords.


Cisco AAA/Identity/Nac :: ACS 4.2 Appliance Integrate Multi Domain

Sep 1, 2011

I have a question. What is the requirement for integrating the ACS 4.2 Appliance and AD regarding the CA server? Does it have to be Windows 2003 Server Enterprise or Windows 2008 Enterprise, or can it be Windows 2003 and 2008 Standalone? Another question is about multi-domain: I have a parent domain and child domains. Does installing the CA server in the parent domain enable 802.1x with AD for all the integrated child domains? Or can I install the CA server on a server in a child domain and will it work (CA server installed on a server in a child domain and working for all child domains and the parent)?


Cisco AAA/Identity/Nac :: Running An Inventory For ACS 1113 Appliance

Mar 23, 2011

I want to gather an inventory of all devices that shows the AAA client name, IP addresses, authentication method and key under Network Configuration on my ACS appliance. Is there a report to run in it that will show this, or is it something that has to be done manually?


Cisco AAA/Identity/Nac :: Add SNMP Server IP And Community In ACS 3.2 Appliance

May 23, 2012

How do I add an SNMP server IP and community in the ACS 3.2 appliance?


Cisco AAA/Identity/Nac :: ACS 5.0 On 1120 Appliance Stopped Booting

May 10, 2012

I have ACS 5.0 running on a Cisco 1120 appliance. It has worked for 2 years. Suddenly, I discovered that users can no longer log in with their credentials. On closer examination, when I console in, the boot does not complete. Screenshot attached.


Cisco AAA/Identity/Nac :: ACS 5.3 Appliance - Service Rules Missing

Sep 25, 2012

This does seem correct.  I had 2 rules and now they are gone.


Cisco AAA/Identity/Nac :: Secure ACS 5.2 Appliance - High Availability

Sep 1, 2011

I just want to know, if I need to support High Availability in the Cisco Secure ACS 5.1 appliance, will the base license suffice or do I need to buy the Security Group Access System License / Large Deployment License? Again, do we require a license for each appliance or is just one enough?

I suppose the licensing rules are the same for the VMware version also.

Copyrights 2005-15 www.BigResource.com, All rights reserved