Cisco AAA/Identity/Nac :: ACS 4.2 UCP Application Not Working
Apr 20, 2011
I have Cisco ACS 4.2. Since a few days ago users cannot change their password; what could be the issue? Even after resetting the password I got an error.
View 3 RepliesI'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
Although ACS states it is installed after going through the startup, when I do 'show application' nothing comes up. When I do 'application start acs', I get %Application failed to start.
I have an ACS 5.4 which is integrated with AD and an RSA. Is there any possibility to stop the ACS application automatically if either of these devices is down?
Procedure to apply the 5-2-0-26-4.tar.gpg patch. I don't know how to get the patch file onto the ACS server. The procedure in the "Read me" for the patch does not indicate anything about how to do this:

1. open CLI console
2. define new repository in which the 5-2-0-26-4.tar.gpg resides
3. issue: 'acs patch install 5-2-0-26-4.tar.gpg repository YOUR_REPOSITORY'
4. verify installation by getting the following version information via CLI by issuing:
#show application version acs
I don't know how to put the patch file from my local machine into the repository created in the GUI (if that is where the actual place to create the repository is).
I had a working server running ISE version 1.1.0.665, but someone in the build room decided to pull the power out of the server rather than shutting it down correctly. I have booted the server back up; however, the web management page was not accessible. I have checked the server status and the end result is the Application Server in the "still initializing" stage. I have left the server for several hours and the status has not changed.
 
I know people have previously run into this issue but no one has posted any resolution or confirmed that a rebuild is the only solution. I have tried to create an on-demand backup but it seems to fail when attempting to provide the credentials (which are correct) for the FTP server.
I'm trying to upgrade my ACS 5.3 (patch 7) to ACS 5.4 and I've downloaded the application bundle from Cisco. I'm transferring the app bundle via FTP to the VM containing ACS, yet I ALWAYS get %Manifest File not found in bundle. I've opened the bundle and found the manifest .xml inside.
 
I've double-verified MD5 checks and file sizes, re-downloaded everything, even copied it to the local disk of the appliance. I also browsed through this forum and saw that there are people having the same problem with other ACS version upgrades, and besides re-downloading and using FTP there isn't a specific solution. I'm always getting this error. I know that it must be possible to do the upgrade, but I'm stuck. I do see in the FTP server logs that the file gets transferred, but pretty much as soon as it finishes transferring (not enough time in my view to extract a 1.2 GB file) I get an error
 
I'm doing the:
 
application upgrade ACS_5.4.0.46.tar.gz FTP
(...)
%Manifest file not found in the bundle
What is the "ACS 5.2 application upgrade package"? I've seen this package in the download software area but couldn't find any document on it.
I have a very unusual issue with my installation of ISE on my VMware ESXi 5.0 environment. But whenever I issue the command "show application status ise" I get the following output:
ISE Database listener is running, PID: 13675
ISE Database is running, number of processes: 27
ISE Application Server is running, PID: 15163
ls: /opt/TimesTen/tt1121/lib/*.jar: No such file or directory
ISE M&T Session Database is not running.
ls: /opt/TimesTen/tt1121/lib/*.jar: No such file or directory
ISE M&T Log Collector is running, PID: 15379
ls: /opt/TimesTen/tt1121/lib/*.jar: No such file or directory
ISE M&T Log Processor is running, PID: 15457
ls: /opt/TimesTen/tt1121/lib/*.jar: No such file or directory
ISE M&T Alert Process is running, PID: 15296
How can we rename an existing username on the ACS 4.2 application? I don't want to rename the group, just the username.
We upgraded a CSACS-1121 from ACS 5.2 to ACS 5.4 with the CLI command 'application upgrade ACS_5.4.0.46.0a.tar.gz FTP'. After the ACS reboot, services never start... After 15 hours, we always get the same message:
 
ACS/admin# show application status acs 
Application initializing...
Status is not yet available.
Please check again in a minute.
  
We installed patch 5-4-0-46-2.tar.gpg but we got the same issue for 2 hours ... What could I do?
My setup is :
 
Source--- Router 1 ( ip 1.1.1.1) --ACE---router---cloud---customer---router--destination( ip 99.99.99.99).
Traceroute from client to destination shows the following:
traceroute 99.99.99.99
traceroute to 99.99.99.99 (99.99.99.99), 30 hops max, 40 byte packets
1  1.1.1.1 (1.1.1.1)  1.10 ms  1.78 ms
2  99.99.99.99 (99.99.99.99)  1.01 ms  1.97 ms  2.511 ms
3  99.99.99.99 (99.99.99.99)  2.01 ms * 99.99.99.99 (99.99.99.99)  2.330 ms
[code]....
 
So on this, the destination is 99.99.99.99. The first hop is the default gateway, which is 1.1.1.1. After that, the next step is the Cisco ACE. After that there are several hops to the destination. Looks like for some reason the Cisco ACE is not recording its IP. (For any destination the traceroute result is the same.) ICMP is allowed in the access list and also there is ICMP inspect in my config.

access-list ICMP line 10 extended permit icmp any

class-map type management match-any abc
  201 match protocol ssh source-address X.X.0.0 x.x.0.0
class-map match-all ICMP_allow
  2 match access-list ICMP
[code]....
 
Version running on ACE is Version A2(3.3)
We have 2 ACEs configured as Active/Standby. The FT VLAN is configured directly using a crossover cable, not using a switch for the FT VLAN. ACE is set up in routed mode; VLAN 29 is the client VLAN and 28 is the server VLAN, both being trunked on ACE -- trunk -- 3750 switch.
 
When I shut down the port on the 3750 for the primary ACE, data connectivity wise the primary ACE is down, but the secondary is not taking over, and also when I do 'sh ft group status' on the secondary ACE, I see the status STANDBY_HOT and the peer state: ACTIVE.
I configured a Cisco ACE 4710 with ssl-proxy and it is not working. When I put https://10.1.41.20 the output is: "There is a problem with this website's security certificate", so I click "Continue to this website (not recommended)" and the ACE doesn't balance; the output shows the error "Internet Explorer cannot display the webpage". [code]
We have a Cisco ACE 4710 in our network. System image file: (hd0,1)/c4710ace-mz.A3_2_0.bin, Device Manager version 1.1 (0) 20080805:0415
 
We are not able to connect to the device through HTTPS (GUI); it used to work before. When we try to access the GUI, it asks for user name and password. After that it shows a blank screen.
I have an ACE 4710 in context mode. I am doing internet browsing (port 80) redirection to two proxy servers (transparent proxy), and I am also using this ACE box for load balancing of multiple other servers.
 
I have multiple policies applied on my LAN interface (VLAN 300) where all the users and servers are connected. 
 
Now I am facing a problem with one application (PLATTS), which is an oil company related application. This application works fine while directly connected to the Internet (external internet connection) or by giving an explicit proxy in the user's browser.
 
But in transparent proxy this application is not working, and my company policy only allows the transparent proxy, not an explicit proxy.
 
Now if on my interface vlan 300 I remove the 'service-policy input PM_MAIN_BCPROXY', my application will start working, but then I can't redirect the port 80 traffic to my proxy servers, which is also my requirement.
  
interface vlan 300
description ACE-INSIDE CONTEXT RACK1
ip address 192.168.0.65 255.255.255.224
[Code]....
This application uses multiple destinations for connectivity, and I have even tried bypassing the destination IP addresses by making a bypass policy, but still no luck.
 
I want this application to work as well as the redirection of port 80 for Internet. I even tried re-ordering the policy sequence but no luck.
This is the error message I am getting on our ACS 5.1 appliance - is there any way to purge the database or compact the file?
Implementation of the Cisco CSS 11501 boxes, available as spares on our site, into production for an application: everything worked as expected. I was able to telnet to the active/master box and was able to console both the master and backup box from the console port. However, a week after the activity I'm faced with this weird problem where I'm not able to get console or telnet access to my primary/active box. The boxes are working in box-to-box redundancy and now I'm not able to telnet or console my active/master box. The telnet and console window prompt me for username and password, and after entering the credentials nothing happens; no prompt or error message is displayed.
The telnet primary authentication is via TACACS and secondary is via local. However, for console I'm not using any method for primary authentication and local for secondary authentication. However, I can successfully console my backup box. Below are my observations:
1. The left and right status LEDs on the active CSS box are OFF - it means my CSS 11501 failed and has no power.
2. Upon firing the rcmd command with the show line command on the backup box, I see that the telnet sessions and console session are established with the master box.
3. The redundancy state of the active box says it is master and has not changed state since my last activity; no application issue is reported, all the services are active on the active box, and also I can ping the active box IP address from my backup box, over which box-to-box redundancy is established. This confirms the active box is functioning well.
4. I initially thought the telnet sessions were not getting cleared; however, the show line cmd with the rcmd cmd on the backup box confirms this is not happening.
Now I'm stuck as the active box cannot be accessed at all via console or telnet. I was thinking of the below steps to be carried out:
1. Failover the boxes and make the backup the master.
2. Then try to take the faulty box off the network and troubleshoot (are there any other commands that I should use to troubleshoot?).
3. If nothing works, try rebooting the box and check.
 
NOTE: the software running is version 7.20.30.3 with the standard feature set. We are not using CVDM or the CSS GUI. We could access the CSS initially on the CSS GUI and that is also not working now.
I have a requirement to load balance OWA 2010 inbound connectivity to 2 CAS servers using an ACE 4710 with sticky sessions enabled.
 
The CAS servers are currently responding on 80 or 443 at this moment in time. Eventually I want to offload the SSL to the ACE 4710; it's currently running on the CAS servers. I need to enable sticky sessions to keep the session on the same CAS server for each internet-based connection. I also have a proxy enabled for inbound connectivity, so I cannot use source IP.
 
Here is my configuration, but it doesn't seem to be working; I am currently testing with port 80 connections, not SSL.
 
serverfarm host INHOUSE-EXCHANGE-OWA-vFARM
  predictor response app-req-to-resp samples 4
  probe 443
  probe HTTP-PROBE
  rserver INHOUSE-TEST-CAS01-SVR
    inservice
(code)
I have a CSS 11503 with a basic content rule for TCP 10000 going to a few backend servers. I was looking into the default timeout values for flows, and when testing using telnet the flow didn't terminate as expected.
 
For example, I have no 'timeout multiplier' specified in the config, and when I look at the output of 'show flow-timeout default' it tells me the default 16 second timeout is in effect for *. With that in mind, I telnet to the content rule VIP on TCP 10000 and on the backend server, using Wireshark, I can see the TCP three-way handshake. With no data passing I'd expect the CSS to terminate this flow after 16 seconds, yet it takes exactly 128 seconds before Wireshark shows the RST and the flow is terminated, 128 being 8 times the default 16 second flow timeout.
 
If I try to force the connection to close early by specifying 'flow-timeout-multiplier 2' in the content rule, or even a multiplier of 40, it still waits 128 seconds to close the telnet connection.
In the change of network topology, we are going to assign the PCs' gateway as the switch (3750X) IP address rather than the server IP address. Currently we have configured all systems' gateway as the Internet server IP address, which we are going to replace with the switch IP as gateway. The issue is that while connecting to a specific application like TeamViewer, in which the application tries to send a keepalive message to the live server, in the case of the switch/router IP as gateway the connection doesn't get established. However, it works fine when the Internet server IP is used as gateway.
Belkin Setup / Router monitor application has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.
We have a pair of CSS 11503 installed in our DC. Stickiness has been configured for one of the applications for a long time and was working fine until the last couple of months. Since the last two months, we have observed that the CSS is not distributing sessions the way it is supposed to. Mostly, it forwards the session to the same server even though requests are coming from different sources. Once we refresh the sessions manually, it starts working fine. We have to do this exercise manually every alternate day.
I'm having a (from google-fu) seemingly unique issue with load balancing. So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space. [code]
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets and it comes back with an L7 LB Policy Miss.
 
It SEEMS like it should work, but it doesn't seem to like matching on those source addresses at all.
I've got a question about ACS 5.3 and WLC. We now have ACS 5.3 running for MAB (working well) and TACACS for device AAA. But now our WLCs will not work. I have already created a special "custom attribute" => role1 / mandatory / ALL. Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all, but still not working. I get a wrong response.
 
I followed the guideline in the attached PDF file.
 
Debug dump from WLC 
 
ACS 5.2 / ACS 5.3
-------------------
*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0
[code]....
I have a dot1x client with a client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the re-auth period on the ACS 5.2. I did the following:
 
1. Configure an Access Profile with Reauthentication Timer = static and 30 seconds (see attachments ACS1.png and ACS2.png)
 
2. Enabled 'authentication periodic' and 'authentication timer reauthenticate server' on the switchport
 
interface GigabitEthernet1/0/x
 description to dot1x clients
 switchport access vlan 5
 switchport mode access
 authentication event fail action authorize vlan 998
[code]....
I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though I've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
I have created a command set under "Policy Elements > Authorization and Permissions > Device Administration" for a limited access user in ACS 5.3. I tried to give them permission to only a few show commands. I have set user privilege 1, 7, 10; however, users at any of these privilege levels were able to run those commands. It works like the shell privilege level.
We have a Cisco Access Control Server (TACACS+ version 5.1) with an additional 2 port NIC card. This produces 4 ports on the ACS server (G0 through G3). After initial setup of the ACS server with an IP address on G0, I connected a Windows 7 server with IE8 to G0. The ACS web interface appears (after accepting the certificate) and I entered some user accounts and NDGs. I then connected the ACS server to a configured port with port-security on our 6500 switch. The port becomes err-disabled since the MAC address does not match up. It appears that the onboard NIC on the ACS server is bonded, thus producing the MAC address issue. To fix this connection issue, on the ACS server I cleared out G0 and set up G2 (additional NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port works fine. I removed the connection to the 6500 and connected the Windows server to the ACS. I can ping the ACS server but the web interface is now unavailable, unlike before. I do not get a certificate warning on IE; it just states that the internet is not available. On ACS, the 'show' status of acs shows all the processes are running and initialized. It has got me stumped, as all I did was change the NIC configuration on the ACS server.
We updated our NAC appliances from 4.8.1 to 4.9 and have noticed that web authentication is no longer working on Apple iOS devices. We had set up a user page for the MAC_ALL OS and iPhones etc. were able to authenticate using their browser OK. Now (after the upgrade), after they authenticate they receive the below warning.
 
There doesn't seem to be any other config change we can make for the iOS device.
I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 phone and a laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter's icon shows an "authentication error" message. The same PC, connected to another port (same commands except "authentication host-mode multi-domain"), works perfectly, including the new VLAN and ACL assigned from ACS.
 
This is the configuration on the switch port where the PC chained to the phone fails:
 
interface FastEthernet0/6
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 123
 authentication event fail action next-method
 authentication event server dead action authorize vlan 704
 authentication event no-response action authorize vlan 701
 authentication host-mode multi-domain
 authentication open
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 60
 spanning-tree portfast
 
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
 
interface FastEthernet0/7
 switchport access vlan 701
 switchport mode access
 switchport voice vlan 123
 authentication event fail action next-method
 authentication event server dead action authorize vlan 704
 authentication event no-response action authorize vlan 701
 authentication open
 authentication port-control auto
 authentication periodic
 dot1x pae authenticator
 dot1x timeout tx-period 60
 spanning-tree portfast

When the PC fails to get connected, I see the following messages on the switch:

Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication
[Code].....
I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced monitoring and reporting is installed on the ACS. This is my configuration on the Cisco router:
  
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
logging origin-id ip
logging facility syslog
logging source-interface GigabitEthernet1/1
logging host 1.1.1.1 transport udp port 20514
logging monitor informational
epm logging
 
On the ACS, when I open the dashboard --> ACS health -> I get Status not available.
Global Instance under Logging Categories been configured for local logging?