AAA/Identity/Nac :: ACS V5.3 Timeout For Connection Is Not Working?

Feb 14, 2012

I'm trying to configure a timeout for network connection, but when it is supposed to disconnect the client, it's not working. Is it possible to do this?

It only works when the client is connecting and is denied if the time is not valid. But how could I do this if the client is already connected, enable re-authentication?


Cisco AAA/Identity/Nac :: ACS 5.2 VM - Authentication Timeout

Sep 7, 2011

I have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate OK, but others will time out. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server but the server sends no reply to the device.


Cisco AAA/Identity/Nac :: ACS 5.3 MAR Timeout With Windows XP?

Sep 9, 2012

My current setup: Windows XP machines authenticating wireless using 802.1X to a Cisco ACS 5.3 that redirects the request to Microsoft Active Directory. All the statements that I make below are what I have gathered from reading on forums, some of them might be incorrect.

In the ACS under “External Identity Stores” and “Active Directory”, there is a check box called “Enable Machine Access Restrictions”. If it is checked and the Aging time is set to 8 hours and a Windows XP machine authenticates using its Domain credentials, it will gain access to the network, but if that computer is not rebooted after the 8 hours is up, Windows XP will not send its machine credentials again, it will only send the user/pass of the user and will lose access to the network. The problem we have is that most of the users do not shut down their computers when they go home, they hibernate the computers, thus when they come back to the school the 8 hours aging time on the ACS has expired. The ACS expects to see the Windows XP machine send its domain credentials again, but from every forum I have read on, Windows XP will not send it again until it gets rebooted (FYI, Windows 7 will send the proper info, thus they work just fine). In the meantime I have changed the aging time to 8760 hours but this should only be temporary because it is a security risk to have the aging time set so high. Moving forward what are my options to make this work properly?

-Is there a way to fix Windows XP?

-Is there a recommendation on how to bypass this issue but still give us decent security?

-Is setting the aging time so high, a non security issue?

-I guess worst case scenario, the customer can try to educate all the students and staff to reboot their machines every morning?


Cisco AAA/Identity/Nac :: 5411 EAP Session Timeout With ACS In WAN

Jan 19, 2012

We're having trouble trying to deploy 802.1x authentication on a brand new site.
Our primary and secondary ACS are located in Paris and the new site is located in Toulouse, France. Both sites are connected through the WAN. Every time a computer/user connects to this new site in Toulouse, ACS 5.2 sends a "5411 EAP session timeout" error message.


Cisco AAA/Identity/Nac :: ISE 1.1.3.124 / Machine And User Authentication / MAR / Timeout?

Apr 12, 2013

I am using ISE 1.1.3.124. My first question: I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (Machine Access Restriction in advanced setting for AD). Is it the same or not? Once you time out, you need to do machine auth again. What is the timer? Using the attribute "WasMachineAuthenticated", is it the same timer that you configure in MAR? In a distributed environment, is the information about machines previously authenticated replicated to all policy nodes? Because, if a switch has 2 RADIUS servers, we are not sure that it will point every time to the same server.


Cisco AAA/Identity/Nac :: ACS 1120 Running 5.0.0.21 RADIUS Timeout With WLC 7.0?

Aug 29, 2011

I am configuring a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS requests from a Cisco WLC 5508 appliance running version 7.0.116.0.

- These devices have open communication on all ports - no firewalls or ACLs
- They have successful ping communication

The following statements illustrate some but not all the debugging I have done to ensure each device functions as it should in isolation.

- Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS: this works and the WLC gets a RADIUS response from my makeshift server
- Using a simple Windows EAP client to query the ACS using RADIUS protocol: this works and the ACS processes the RADIUS request and sends a response
- Placed a Wireshark client on the network to inspect the timeout. Wireshark logs the packet from the WLC to the ACS using port 1812 but doesn't see any packet responses from the ACS

At the moment I have the WLC accepting the association from the wireless client and sending the RADIUS (PEAP, EAP-FAST or EAP-TLS) request to the ACS; the WLC receives no response, generates a timeout message and disassociates from the client. Note this is not a reject or similar message; the ACS simply does not even process the packet, i.e. there is absolutely nothing in the ACS logs to suggest it even received a RADIUS packet from the WLC. In summary the WLC and the ACS successfully function independently but they do not communicate via RADIUS.


Cisco AAA/Identity/Nac :: 2960 - 802.1x EAP-TLS With NPS / W2008 Authentication Result Timeout

Jun 21, 2012

[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
 
The problem is the end stations that are still connected to the supplicant port /use EAP-TLS/ after the supplicant reboot! All of them will be put into the Guest VLAN instead of static VLAN 34!

[The question]
What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe authentication timeouts? Of course the supplicant after 20 minutes /next EAPOL start frame/ is put into VLAN 34.

[Code] ........


Cisco AAA/Identity/Nac :: 2347 - Update Is Not Active Terminal Session-Timeout

Aug 15, 2011

Our company has installed ACS Version: 5.1.0.44.6 Internal Build ID: B.2347 with patches: 5-1-0-44-5, 5-1-0-44-6. The security policy of our company includes a password change every 3 months. Our programmers had written a script that allows us to do it. Testing revealed that the script does not work. This is due to the fact that it is not possible to enter the mode "acs-config". In determining the reasons it was found that to enter this mode there is a limit on sessions (6 sessions). When the number of connections becomes larger than 6 then the script does not work. The documentation says that the update is not active sessions is set with terminal session-timeout. In this case, the terminal session-timeout is 30. But after 30 minutes the session will remain active. It interferes with our script.


Cisco Application :: CSS 11503 Flow Idle Timeout Not Working As Expected?

Jan 20, 2012

I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows and when testing using telnet the flow didn't terminate as expected?

For example, I have no 'timeout multiplier' specified in the config and when I look at the output of 'show flow-timeout default' it tells me the default 16 seconds timeout is in effect for *. With that in mind, I telnet to the content rule VIP on TCP 10000 and on the backend server using Wireshark I can see the TCP three-way handshake. With no data passing I'd expect the CSS to terminate this flow after 16 seconds.. yet it takes exactly 128 seconds before Wireshark shows the RST and the flow is terminated. 128 being 8 times the default 16 second flow timeout.

If I try to force the connection to close early by specifying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection.


Cisco Firewall :: ASA 8.2(5) - Uauth Absolute Timeout Disabled And Inactivity Timeout Set To 48 Hour

Nov 26, 2012

ASA 8.2(5), uauth absolute timeout is disabled and inactivity timeout is set to 48 hours:
 
timeout xlate 48:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:00:00 absolute uauth 48:00:00 inactivity
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
 
Users still get kicked out every 8 hours and they have to reauth. This is a logging message:
 
%ASA-5-109012: Authen Session End: user 'john', sid 839, elapsed 28801 seconds


Request Timeout On Network Connection

May 21, 2012

Request timeout on network connection


D-Link DCS-930L :: Connection Timeout From 3G?

Jun 10, 2012

I am able to access the 930L (2 cams) from wifi, be it laptop, iPhone or iPad, but I am not able to see it through 3G. I have a Huawei fibre optics broadband router from Starhub. Starhub is running away if I ask them to fix it. Huawei never takes the call. I tried at least 3 times, 10 minutes each, at 8006011450. It goes to disconnect. The lot talked about UPnP is enabled in router but it does not work.

Now I talked to D-Link support with ticket DCX36811. They advised to load the firmware. I did it, still the connection timeout is there. We have a baby to monitor through iPhone/Android 3G.


Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test the following 802.1x wired environment:

- Windows XP SP3 as supplicant
- Windows NPS as RADIUS server
- 2960 as authenticator
- latest AnyConnect (3.1.01065) + NAM and standalone profile editor

I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only, user only authentication).


WAN Connection Timeout Frequently On Cisco 1812

Aug 9, 2012

At the moment I am trying to connect to a DHCP ISP, but the connection only lasts for 10-15 mins and then it is automatically disconnected. Every time I reset the WAN port, service is back to normal for another 10-15 mins ><

[code]...


Network Connection Timeout For Some Users In Windows 7?

Jul 6, 2011

I have a network set up with file sharing. I use a Windows 7 PC to host files that are shared with around 8 other PCs - some on Windows 7, some on Windows XP. The file sharing works but sometimes some users are unable to get access to the files. The error message is something like PCNAME is not accessible...


Cabling / Cards :: D-link Dir-300 Connection Timeout

May 13, 2012

I'm using the D-link dir-300 wi-fi router. Cable internet connection. PC is connected to the router by the cable and the laptop via wi-fi. Both machines have the same problem - after some time, although there is no package loss when I'm pinging anything, some services report "connection timeout". Such as PvP.net, EA Online and Turbofilm.tv. Soft reset, hard reset didn't solve anything. Although when PC is connected straight to the main internet cable - there are no problems at all. [code]


Cisco Firewall :: 5510 ASA Connection Timeout For DNS

Jan 31, 2012

I recently had a firewall that wasn't passing traffic (ASA 5510 running software version 9.1). It turned out it had 130000 active connections. Doing a "clear conn port 53" dropped the active connection count back to 38k, and the firewall started passing traffic again.


Cisco Firewall :: Connection Timeout ASA 5520?

Oct 25, 2011

I configured multiple VLANs on my Cisco ASA5520. Everything works perfectly except RDP (3389) connections. The connections are established but after a period of inactivity, the user is disconnected from the server (black screen). The same problem happens with other types of connections (client/server), for example: Oracle, file sharing. Before installing the ASA, computers and servers were in the same VLAN and it worked well.

Is there a notion of inter-VLAN connection timeout?


Cisco WAN :: Connection Timeout Frequently On 1812

Aug 29, 2012

I am using a DHCP ISP, but the connection only lasts for 20 mins exactly and then it is automatically disconnected. Every time I reset the WAN port, service is back to normal for another 20 mins ><

There is no log or any error message when the connection times out. The status of the WAN port is normal "Up Up".

I have tried this config on another ISP and everything works just fine!

Fiber converter -------> Cisco 1812 (FastEthernet1) --------->LAN

Router#sh run
Building configuration...
Current configuration : 3205 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps

[Code].....


Home Network :: Connection Timeout For Some Users In Windows 7?

Jul 6, 2011

I have a network set up with file sharing. I use a Windows 7 PC to host files that are shared with few other PCs - some on Windows 7, some on Windows XP. The file sharing works but sometimes some users are unable to get access to the files. It seems to be only on the machines that are on XP that this problem occurs. The error message is something like \PCNAME is not accessible...

The user can connect if the machine storing the files is restarted but it will happen 4-5 times during the day.


TP-link TL-WN722N / Intermittent Wireless Connection Timeout

Jul 14, 2012

I've been running into an issue for the past week or so where my wireless adapter intermittently can't contact my router. When it occurs the network connection reads as having limited connectivity. I'm unable to send requests to load webpages, and videos and the like stop loading. Sometimes the network disconnects entirely. After this occurs, I can't connect again for a few minutes. My connection consistently reads as having 2-3 bars available. The issue tends to occur frequently, often every 15 minutes or so. Strangely enough, I have been able to play bf3 online for over 40 minutes without connection problems (I quit before any occurred - not sure if any would have). So far I've tried the windows troubleshooter, updating the driver to my wireless networking adapter, manually assigning my network address (tried 192.168.1.4, 192.168.1.5, etc), setting my 802.11b preamble to "Long only" and performing a system restore. I have rebooted my machine as well.

My technical specs are as follows: I'm running Windows 7 Ultimate N 64 bit edition with service pack 1. System has 8gb Ram, an i5-3570k processor and HD7850 graphics card. Motherboard is the Asrock Z77 extreme 4. My wireless network adapter is the TP-link TL-WN722N. The adapter was working fine for some time before this issue appeared. My router is an old U.S. Robotics Wireless MaxG Router. It seems to work fine with other computers in the household, although it does require fairly frequent power-cycling. Running ipconfig on the command prompt while the internet is working returns:

Quote:

Windows IP Configuration
Wireless LAN adapter Wireless Network Connection 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::293a:e9bb:ba5a:7536%14
IPv4 Address. . . . . . . . . . . : 192.168.2.5

[code]....


Routers / Switches :: WAN Connection Timeout Frequently On Cisco 1812

Aug 9, 2012

At the moment I am trying to connect to a DHCP ISP, but the connection only lasts for 10-15 mins and then it is automatically disconnected. Every time I reset the WAN port, service is back to normal for another 10-15 mins >< There is no log or any error message when the connection times out. The status of the WAN port is normal "Up Up". I have tried this config on another ISP and everything works just fine!!!

Fiber connector -------> Cisco 1812 (FastEthernet1) --------->LAN

Router#sh run
Building configuration...
Current configuration : 3205 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out

[code]....


Cisco Firewall :: Asa5510 Idle TCP Connection Timeout With Flags

May 14, 2012

I have ASA 5510 with 8.2.4 and 8.0.x OS and all seem to have a common problem of idle TCP connections not timing out. The host to host connections are coming over VPN tunnels. I have default timeouts on all the firewalls. I have tried changing global timeouts as well as host specific timeouts using MPF but it doesn't work at all! The problem is when TCP connections are sitting idle in the conn table for days and when the connection limit of 50,000 conns is reached the firewall starts behaving unpredictably, dropping packets or unresponsive! I need the unused idle connections to time out, which is NOT happening either by changing global values or MPF.


Cisco Application :: A3 (1.0) Default HTTPS Inactivity Connection Timeout

Mar 28, 2012

Default inactivity connection timeout for A3(1.0): so by default any TCP connection (http or https) will be timed out in an hour. [code] Was this changed in the A4(2.0) code or is it still the same? I heard a TAC engg say that default inactivity timeout for http and https are now 5 mins, that is 300 seconds.


Linksys Wireless Router :: E4200v2 5ghz Network / Connection Timeout

Feb 29, 2012

I was able to connect to my 5ghz and 2.4ghz networks just fine. Now today I get a message that the connection timed out whenever I try and connect to the 5ghz. I have done a 30/30/30 reset, and still no joy. The one thing I haven't done yet is a 30/30/30 with a configuration from scratch. I will probably try that later. I've done the usual things like change the channel and all that, still no go. Other things I've done, change the network name, change the MTU, restart my machine. However, this is happening on other devices as well. The 2.4ghz network, solid as a rock.


Cisco Firewall :: ASA 5510 - Website Connection Auto Timeout After 5 Minutes

Oct 15, 2011

Our client tried to download a real time generated file from a website. The generation process takes around 5 mins; after 5 mins, the file will start to download.

When my client connects directly to the internet, the file can be downloaded successfully, but when passing through the ASA 5510 and using the internal IP address, a message something like "Are you sure want to logout from this web page?" appears in Safari after 5 mins. I think the error message appears at the time when a "you can start to download" message is sent from the server to the client; the page session times out so that the user cannot download the file from the internet as the session is not valid.

I couldn't find any timeout setting in "show runn", is it possibly a setting in ASDM? How can I find it and configure it?


Cisco Firewall :: ASA 5510 - Show Local-host All Detail Connection / Timeout

Nov 28, 2012

Version: Cisco ASA 5510 8.4(4)1

I've installed cisco asa 5510.

When I "show local-host all detail connection "

Normal situation:

105 myfailover:10.255.255.2/0 NP Identity Ifc:10.255.255.1/0,
idle 0s, uptime 1D14h, timeout 2m0s, bytes 18196822

But I got this output ( timeout - )

[URL]


Cisco Wireless :: AIR-CT5508-K9 - AP01 Connection Bounce Due To WLAN Session Timeout

Jul 30, 2012

When a client is connecting to a specific AP (example AP01), after every 1800 sec uptime it will reconnect and join another AP unit (example AP02). Both APs are physically installed at a distance of around 6 meters from each other. I conducted the testing where I get myself sitting in the middle between these two APs.

01. If I disable this session timeout feature, or set the seconds to a higher value, what's the performance and security impact? Is it recommended to change the default 1800 seconds session timeout?

02. Is there any way I can tweak the WLC controller to prevent the client from associating with another AP after session timeout? This will lead to a major performance impact as the client would possibly connect to the weak signal AP and affect the performance.

These are the details for reference:

Client detail

- Dell DW1520 wireless-N WLAN card, with firmware version 5.100.235.12
- CCX version 4 supported
- Layer 2 security is WPA2 personal with PSK.
- wireless radio an
 
Controller detail:
model is AIR-CT5508-K9
software version is 7.2.110.0


Cisco AAA/Identity/Nac :: ACS 5.3 And WLC Not Working?

Sep 27, 2012

I got a question about ACS 5.3 and WLC. We now have the ACS 5.3 running for MAB (working well) and TACACS for device AAA. But now our WLCs will not work. I have already created a special “custom attribute” => role1 / mandatory / ALL. Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all. But still not working. I get a wrong response.
 
I followed the guideline in attach, PDF file.
 
Debug dump from WLC 
 
ACS 5.2 / ACS 5.3
-------------------
 *tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
 *tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0

[code]....


AAA/Identity/Nac :: SG 200-08 Not Working With Domain / Host-name

Oct 19, 2011

We are facing a strange problem with a Cisco Small Business SG 200-08 Switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS Client with 802.1x port security enabled, it sends the “Account Name” attribute to the RADIUS server with max. 32 characters. The string comes in this format: host/dns Host Name and will be cut after 32 characters, which will cause the NPS to say: “The specified domain does not exist.” and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have a SG 200-26 in production and it can handle more than 32 characters, which leads me to think of a bug in the firmware of the SG 200-08.


Cisco AAA/Identity/Nac :: ACS 4.2 UCP Application Not Working

Apr 20, 2011

I have Cisco ACS 4.2. For a few days users cannot change their password, what could be the issue? Even after resetting the password I got an error.


Cisco AAA/Identity/Nac :: ACS 5.2 Re-authentication Not Working?

Aug 17, 2011

I have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth period on the ACS 5.2. I did the following:
 
1. Configure a Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
 
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
 
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998

[code]....


Cisco AAA/Identity/Nac :: ACS 5.1 - Accounting Is Not Working?

Sep 12, 2012

I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though I've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
