I'm having issue with tacacs server(ACS 4.2), did the following test from the router:
Router1#test aaa group tacacs+ cisco cisco legacyAttempting authentication test to server-group tacacs+ using tacacs+No authoritative response from any server.I can ping the ACS server from this router though.
Running ACS 5.1 appliance, and am seeing slow repsonse on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
View 1 Replies View RelatedAfter implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
View 5 Replies View RelatedWe`re using a WLC 5508 with SW 7.2.103.0.The most things are working fine, but i have a problem with the web auth.
Setup:
- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized
The Problem:
- the user "test" is logged in at device1 (working), the same user "test" try to login at device 2 (is not working, fine!) -> login is not accepted, WLC redirects to the INTERNAL Web Login Page.The problem is the redirect to the internal web login page after failed login. If i try to login with a not existing user, the redirect is working perfect to the customized web login.
I try to set up EZVPN server. I cannot get any response from server.
View 1 Replies View RelatedI've been using my pair of ACE-4710s for quite some time and have usually stuck to the Class C Subnet sticky settings, as that's what we migrated from in Windows NLB. In one instance of load balancing I'm trying to create an L4 inspection policy that looks for a certain payload (much like a http header) and would like to persist on this. The problem is that the client portion of the conversation starts with a 'SessionID' of 0, and the server responds with a unique 'SessionID'. If I setup the sticky policy with 'Enable Sticky For Response', I get entries populated in the sticky database, but they all go to the same server as there is a sticky session setup for the SessionID = 0. Is there a way to setup sticky entries on server response only? Currently using ACE DM v4(1.0).
View 10 Replies View RelatedI connects to the wireless box and has full signal but an exclamation mark is present.I have run some tests and the IPv4 and IPv6 say they have no internet access.I also run a full test and everything passed except the ping test which failed and it said: no response:default gateway response: dhcp server it suggested disabling security firewall but i'm not sure if that's the correct thing to do or even how to do that!
View 7 Replies View RelatedI am trying to recover a WRT54GS v1 router from a bad flash. The power light is blinking and would not accept pings. Since I figured it was already hopeless, I attempted shorting pin 15 and 16 which cause it to start receiveing pings. My problem is it won't accept the tftp flash, I've tried both cmd prompt and auto upgrade utility. Upgrade utility says "Unable to get response from the server" however it is still accepting pings. Cmd prompt TFTP says it can't read from local file. I am using windows XP. Code...
View 3 Replies View Relatedwe Bough new mcs server in order to install ACS 4.1,now acs is running on normal PC and its fully configured , so now i want to back up the acs database and the configuration file in order to install it in the new server so how to do that
View 4 Replies View RelatedI need to patch our ACS server to 4.2.0.124.17 from 4.2.0.124.6. My question is, do I need to apply the same patch to our remote agents? Cisco's documentation only states that both the ACS and the Remote Agents need to be 4.2.0.
View 1 Replies View RelatedI am wanting to generate a signing request for an ACS 5.3 box to send to a Microsoft CA. Is there anyone out there using a MS CA for eap-tls?
View 1 Replies View RelatedI'wont to upgade my ACS server 5.0.0.21 to 5.1 . I wont to use Active Directory . it's seem that in my curent version AD is not supported !
View 12 Replies View RelatedI am looking for any PDF, recomendation, link for best approach for secondary ACS as resiliency.
View 4 Replies View RelatedWe have enabled EAP-TLS authentication for our wireless LAN end user in our network setup , And we have defined certificate on our old acs server 3.3 from a third party CA . I want to use the same certifcate which is being used in 3.3 ,how i can copy that certficate from 3.3 and get it installed on new acs 4.2 .
View 7 Replies View RelatedQuestion on this, is 5.2 backwards compatible with 4.2 appliance? If not, what is needed to bring the 4.2 appliance up to 5.2 and will the VMWare version work for the second system with the appliance as primary? Years ago I had 2 of them and replication worked flawlessly, but we had to take the one unit offline for another project and have never replaced it.
View 3 Replies View Relatedconfigure AAA (Radius server, access list) There are two devices An access point and cisco 881w. It is necessary to set up authentication through a radius server. You can configure detailed how to do this?
View 3 Replies View RelatedI'm having problems settting up a Guest NAC server to authenticate administrative users against a ACS 5.x server. In the ACS RADIUS Authentication log, I can see the user authentication is successful.In the AAA Diagnostics log, I can see the following warning:An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.
View 2 Replies View RelatedHow to convert a 3140 CAM to a CAS ? if so what software / licensing would be required and is there a documented process
View 1 Replies View RelatedWe are using ACS 5.3 with two servers in a distributed solution.All logs are collected on primary server so when this server fails all logs are lost.How can I enable log on secondary server also?
View 2 Replies View RelatedI have a cisco ACS 4.0 build 27 on windows 2003 server . My site was working fine when i was having a AD on 2003 server . Recently i have migrated my AD servers is 2008 .
After the migration the ACS is not authenticating the users . Now i have made a server with 2003 and made the site working . I need a solution to make it work using 2008 server is there any compatiblity issue between ACS 4.0 and 2008 server .
I setup one acs v5.3 in one server in NYC and another acs v5.3 in SJC.I want to make the acs.nyc as primary and acs.sjc as the secondary, how do i setup it up?
View 1 Replies View RelatedI'm currently working on ACS 5.1 to use it as AAA server for Netscout NGenius.I followed a guide for ACS 4.2 and tried to replicate the configuration settings in ACS 5.1.
- created a host profile on network devices and AAA clients having the same shared key with NGenius
- added three (3) NGenius required attributes in system administration > configuration > identity > internal users
- added attribute values to Internal User database
- created an access policy:
* identity pointing to Internal Users
- edit serverprivate.properties in NGenius server to match the requirements
I would like to have NGenius authenticate via ACS 5.1, but as of the moment there is an error message that I receive:
Unicentified error, Code=16510, Details: AV pairs do not match NGenius format ::<insert tacacs username here>, Severity 1, Code: 16510.
When I tried to import the file, there are two lines there, One is Certificate file, the other is for "Private Key File".
My question for you is, is this the private key of CA? My understanding has always been that the private key stays in CA only, not going to any other devices.
I have deployed 7 appliances 5.2.0.26.4 CSACS-1121-K9 whose 6 are performing AAA authentications while the last one is is the primary and is the master for configuration and log collector.
Since this morning, I cannot access anymore the view where I can see all Radius authentication for today. I obtain the following message:The server workspace storage for on demand transient reports is full, please try again later or contact administrator to increase on demand transient report storage capacity?
Moreover, if I generate other report, I have the message:18002: iPortal generate report failed.I could find some information which makes references to a Cisco bug CSCtb98071, as below:
Launching a shared report in the ACS 5.1 Monitoring and Report Viewer displays an iportal error for a particular scenario.
#Symptom: You will see the following iportal error message when you launch a shared report:
#iPortal generate report failed.
#
#Conditions: This error occurs when you add a report to a group in the interactive viewer and save it as a shared report.
#Workaround: Avoid using the option Add Group from the interactive viewer for hyperlinked column entries when you save the report as shared
However, I am not adding any report to any group, so I don't understand why this error appears and how to solve it.
I had a working server running ISE version 1.1.0.665 but someone in the build room decided to pull the power out of the server rather than shutting it down correctly. I have booted the server back up however the web management page was not accessable. I have checked the server status and the end result is the Application Server in the "still initializing" stage. I have left the server for several hours and the status has not changed.
I know people have previously run into this issue but no one has posted any resolution or confirmed that a rebuild is the only solution. I have tried to create an on-demand backup but it seems to fail when attempting to provide the credentials (which are correct) for the FTP server.
getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
1 ) : Is it possible to do authentication with one ACS server while authorization with another ACS? Use case is if the user authenticated to one ACS server and then switch loses the connectivity to this ACS. Now command authorization requests will go to another ACS server since switch is not able to communicate to the 1st ACS.
2): How can the local database sync be acheived in distributed ACS deployments?
3): Are the accounting records are sync between different ACS? In other words can accounting be centeralised with ACS4.2
We have 4 ACS 5.3 Servers connected as Primary and Secondary Servers.We use a "RSA SecurID Token Servers" External userdatabase for authentications and are able to sucessfully authenticate (vpn-)users when the requests are send from the primary ACS Server.As soon as a secondary ACS server sends the request to the RSA server the request fails. "Node verification failes"
On the RSA Authentication Manager 6.1 Server, we have created a Agent-host wich contains the 3 secondary nodes (FQDN and IP's). The "sdconf.rec" file has been installed on theprimary ACS Server and are automatically (so it looks like) replicated to all ACS Servers.Still none of the secondary server are able to authenticate the users agains the RSA server.
Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.
I'm curently studying for my CCNP Switch certfification, and I'm learning about RADIUS and AAA. I need to practice this topics, but unfortunately I can't find any way to do it. I have cisco ACS 4.2 but I'm unable to install it on my Server 2003 (it says mmc.exe needs to be closed, tried some things but no luck...). I'm unaware of any simulator for RADIUS or anything similar.
how to install ACS 4.2 on Server 2003 (how to solve the error I'm recieving), or point me towards some other product to practise RADIUS and AAA authentication
I have a pair of managers in HA mode and a pair of servers in HA mode. The solution is working in OOB Virtual Gateway. When i add the server in the manager, which IP address must i use, the service IP address or the physical Ip address.I'm running 4.8.2
View 2 Replies View RelatedToday I have configured my ACS 5.2-0.26.4 to synchronize with NTP server which is implemented in Cisco 6500, but it don´t become to work. The switch Core is configuared in HSRP, for that reason in the ACS server I defined the IP virtual of the Core like ntp server, maybe the ACS don´t work with IP virtual of the switch Core. Finally I wanto to kown if is posible to synchronize this versión of the ACS withc cisco 6500. I had integrated this ACS versión with cisco 2800.. maybe the ACS could integrate with same special models.
View 3 Replies View RelatedMy customer has an ACS 1121 version 5.4. Now we want to install a secondary ACS 1121.
View 2 Replies View Related
