Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've been configured my device 6506-9 with TACACS+ server authentication: [code]
 
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E

View 6 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the  field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?

View 1 Replies View Related

AAA/Identity/Nac :: Command Authorization Failed In TACACS With ACS 4.2

Feb 2, 2012

We have a group in TACACS ACS4.2.  I configure it can do show command. When logged, it can do show command some parameters, like show ip interface, but it cannot do show running-config. it says "command authorization failed".

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 3560 / TACACS (Command Authorization Failed)

Jan 3, 2012

While working in a 3560 all of a sudden I received the message "command authorization failed" while trying to issue certain commands.

It appears I lost my priv 15 authorization.  We have seen this before, we do not have access to the ACS to trouble shoot the issue.I tried logging in a 2nd and 3rd time using tacacs and received the same error whenever I issued a command such as dir flash: , copy tftp flash or show run. At the time I was trying to copy IOS to the switch, I had a co-worker log in and it was fine for him and he completed the copy.

Once completed I logged back in and all was fine again.   We suspect an issue with ACS? possibly a timeout of our TACACS authorization ?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA).  Is there a way to do it?
 
More info:
 
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.

View 20 Replies View Related

Cisco AAA/Identity/Nac :: Setting Up ACS 5.2 TACACS Authentication With JUNOS?

Aug 6, 2012

I have ACS 5.2 and JUNOS 10.6.x  I setup 2  classes eng-class and ops-class  with read/write and read-only permission here is my configuration on JUNOS
 
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

[code]....
 
I have 2 separate Authorization policies for engineer and operator group.Result,

1.  engineering group is working fine.

2.  the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.

3.  Web authentication is not also working for bot group.

View 14 Replies View Related

Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase.  There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACs connection works, and my user authentication is successful, but i can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
 
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
 
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
 
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....

View 24 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Failing To Authenticate Tacacs Authentication To ASA Firewall?

Jan 5, 2012

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting

View 6 Replies View Related

Cisco AAA/Identity/Nac :: TACACS Authentication Working Via SSH But Not HTTP (ACS 5.1 / 3560)

Aug 26, 2010

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+.  I don't even get a log in ACS when attempting to authenticate via HTTPS.
 
Here is my AAA config, followed by a debug:
 
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none

[Code]......

View 8 Replies View Related

AAA/Identity/Nac :: ACS 5.4 - TACACS Authentication - Drop Straight Into Enable Mode?

Dec 5, 2012

I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently.  If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device.  Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device.  When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used.  On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE:  All servers failed to respond" when using locally configured credentials on the switch itself.  We are running ACS v4.2.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.

View 4 Replies View Related

Cisco LAN :: 5.3.0.40.6 / Tacacs Appliances Crashing AD Authentication ACS Server Version?

Dec 27, 2012

We are using  Cisco ACS server Version : 5.3.0.40.6. Our tacacs appliances are crashing on AD authentication on a fairly regular basis.  I have been searching Cisco.com to see whether we are on the latest version or not  however I  couldn't find anything lattest than what we are currently using. Are we on the latest version?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 802.1x Failed Authentication With WS-C3750G-24T

Mar 12, 2013

I have already set up a lab  comprising of  1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
 
1.     I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
 
2.      I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never pass the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why does this happen. I have made some debugs and I am sending them a long with a partial basic configuration of 3750 stack switch.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS Version 5.2.0.26 / Failed MAB Authentication Logs

Jan 8, 2013

Having an issue where a user will plug a PC into a switch.  The switch does a MAB authenticaiton and the MAC is not located in the ACS server.  It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced.  Any way to keep the attemps from happening after the PC is removed?  If not, any way to make it stop without bouncing the port?
 
running ACS version 5.2.0.26
 
switch port config: 
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication Failed On 6509

Jan 29, 2012

I have configured Radius authentication on Windows 2008 server (NPS)  The following configuration is working perfectly on Cisco Switch 3560. [code]But, the same configuration is not working on Cisco Catlyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2)/

View 2 Replies View Related

AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2.  Identical symptoms.  The supervisor crashed and switched to secondary.  Is there a comparable field for ACS 4.1 that needs to have something in it? 2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved). 2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that if I set two tacacs server in my N7K and the primary tacacs server fail, won't switch over to another tacacs server.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASR 9010 Configuration To Connect To A Tacacs+ Server

Jun 10, 2013

We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a tacacs+ server, this tacacs+ server works and is givins service to many other MPLS equipments. We have been following the guide:
 
Configuring AAA Services on
Cisco ASR 9000 Series Routers
 
but we have had a lot of troubles, in fact we have loose the administration of the box, at this moment the only lines that are in the ASR900 are: [code]

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Can't Contact AD Server Slow TACACS Auth Response

Sep 28, 2011

Running ACS 5.1 appliance, and am seeing slow repsonse on TACACS authentications due to the ACS trying to reach overseas AD servers and failing.  Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication?  As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS.  In my case, this would include the AD servers overseas that we do not want to use.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2(0) Build 124 / Failed To Initialize PEAP Or EAP-TLS Authentication Protocol

Oct 31, 2010

I replaced an ACS certificate that had been installed as follows:

1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)

2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".

3. Install the certificate on the ACS. Restart ACS service.

4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"

5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.

6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
 
OS: Win 2003 sp2Cisco ACS: Release 4.2(0) Build 124

View 4 Replies View Related

Cisco AAA/Identity/Nac :: 5520 - Change Shell Profile In ACS / TACACS Server Unavailable

Jan 17, 2012

I have two Nexus 5520 running 5.0(3)N1(1c).
 
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
 
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
 
The NEXUS console reports this error. (amongst many others)
 
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
 
A show system reset-reason shows:
 
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
    Reason: Reset triggered due to HA policy of Reset
    Service: Tacacs Daemon hap reset
    Version: 5.0(3)N1(1c)

Could this be a bug with Nexus/ACS?

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Server IAS First Authentication Failed

Jun 5, 2011

I have a little problem with my ASA 5510 version 8.2(1) with a IAS server RADIUS for strong authentication.
 
I have configured a double authentication for my client to access SSL portal:
 
First authentication: AD serverSecondary authentication: IAS for my token SAFENET ALADDIN The server IAS is declared on a W2K3 and it's standard.
 
The problem I have is that after more than 24hours of unutilization, when i try to log in, my authentication failed the first time and then the other tries work fine as long as I use it in a period of 24hours.
 
I first thought about the timeout so i tried to put a "timeout" of 15seconds for AD and IAS servers and a "retry intervall" of 3 seconds, it doesn't change much.
 
Is there a tool/option in the ASA to check connectivity with the radius every 1h for example.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Authentication With One ACS 4.2 Server While Authorization With Another

Apr 5, 2011

1 ) : Is it possible to do authentication with one ACS server while authorization with another ACS? Use case is if the user authenticated to one ACS server and then switch loses the connectivity to this ACS. Now command authorization requests will go to another ACS server since switch is not able to communicate to the 1st ACS.
 
2): How can the local database sync be acheived in distributed ACS deployments?
 
3): Are the accounting records are sync between different ACS? In other words can accounting be centeralised with ACS4.2

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5510 / Failed To Privilege Mode When Authenticated By Radius Server

Aug 26, 2007

I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Upgrade To ACS 5.4 - Authentication Server And Log Collector

Jan 28, 2013

We got 2 Cisco ACS 5.2.0.26.10.Primary server as authentication server and log collector.Secondary server as authentication server. Replication is configured. url..."There are some exceptions to this usual setup, which you can handle as described below: If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
 
This exception matches with my case. I have to promote my secondary server as primary.I would have :Secondary server as authentication server and log collector.Primary server as authentication server. I think I have to deregister secondary from primary server..According to the guide, I have to upgrade the log collector server. "Step 1: Choose any secondary server to become a log collector:" I dont have another secondary server..

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?

Jun 5, 2012

Can use ACS 5.2 as Guest user authentication server?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved