Cisco AAA/Identity/Nac :: ACS 5.1 AD Join Fails
Sep 11, 2011
I am trying to join my ACS 5.1 to my AD. In the External Identity Stores > Active Directory I have put in the AD administrator details and hit the test button and the test succeeds.
However, when I try to save changes it fails with an eror saying it can't connect to the LDAP server.
Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'Mydomain.local', zone 'null' failed.
I have done this lots of times and never had any issue once the test connection succeeds.
I've checked the time and timezones on both ACS and AD and they are the same.
View 7 Replies
ADVERTISEMENT
Apr 9, 2013
I get the following errors when a new 2600 series AP tries to join a 5500 series WLC:
*Apr 10 11:44:52.747: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Apr 10 11:44:53.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.0.0.9 peer_port: 5246
[Code].....
10.0.0.9 is the management interface IP of the WLC. The primary-base is set manually due to the fact that we have several WLCs in place but only 1 is s 5500 series. The other ones are 4400 series WLCs. The new 2600 APs only can join a 5500 WLC afaik. The WLC runs 7.4.100.0
View 8 Replies
View Related
Jan 18, 2012
l have a new ACS v 5.2 appliance and l´m trying to join to my domain, but l haven´t could, the acs shows me the Clock skew error, and l was checking some documents about it doesnt work. the acs have the same timezone and time that my domain, but the problem persist
View 7 Replies
View Related
May 5, 2011
is it possible to join the ACS 5.1 to a rootdomain (AD) with a subdomain and to authenticate against the subdomain? Or do I need different ACS' for the root and the subdomain?
View 2 Replies
View Related
Sep 5, 2012
I try to join an ACS v. 5.3 to the domain. For my acs in Location A, I can join without problems using my account. When I try to join the ACS in location B to the same domain with the same account, it doesnt work.I looked at the debug log files for the ad client, and noticed, that the ACS in location B goes to a certain Domain Controller. However, I would have expected the ACS to contact another DC, which is located on the same location as the ACS ... this doesnt happen.
My question: How does the ACS determine what DC to contact ? Is it possible to force the AC to join by connecting a certain DC ?
View 2 Replies
View Related
Oct 17, 2012
I would like to ask, given that i got 2 units of ISE-3315 appliance, one need to be primary node for admin-policy service-monitoring, another unit then become Inline posture node.For the preparation on line posture node, what shoud i do on it?
01. For the unit ready to become inline posture node, so I just boot it, install the OS from sractch (using version 1.1.1), then start the initialize setup etc, like Normal setup?
02. Before i regieter, what is the deployment nodes i should select for inline posture node unit? provided the admin-policy service-monitoring will become primary node, and registration for inline posture node will be next action.
View 10 Replies
View Related
Aug 11, 2011
We are using ACS v5.2.0.26.3 in 802.1X certificate based authentication. Now, when we added CRL functionality into ACS it fails in CRL validation and gives following error message:
LastErrorMessage=CRL PKI verification failed
Certificate Revocation list [URL]
We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.
Question is, which certificate is used when validating downloaded CRL file - one used for EAP-TLS or one used for management interface?
How I can check which certificate ACS server is using for CRL validation?
View 19 Replies
View Related
Dec 6, 2012
I try upgrade ACS 5.3.0.40 to new version 5.4.0.46. Everything looks ok:
ACS-machine/acsadmin# application upgrade ACS_5.4.0.46.tar.gz rep01 Do you want to save the current configuration ? (yes/no) [yes] ? Generating configuration. Saved the running configuration to startup successfully
% CARS Install application required post install reboot...
Broadcast message from root (pts/0) (Thu Dec 6 23:36:41 2012):
The system is going down for reboot NOW!
Application upgrade successful
But ACS machine (vmware instance) can't boot with this result: Volume group "smosvg" not found. (for details see attachment)
View 3 Replies
View Related
Jan 30, 2013
I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
Stopping ISE application before upgrade...
Running ISE Database upgrade...
% Application upgrade failed. check logs for more details.
View 2 Replies
View Related
Dec 6, 2010
I'm trying the csv file import and getting some errors.
010-12-07 14:23:47: File Format Validation Completed2010-12-07 14:23:47: Import Started
2010-12-07 14:23:47: Record number: 1, Host 01-02-03-04-05-06: Import Failed2010-12-07 14:23:47: null Import process failed for unexpected reason: Unknown error has accurred.2010-12-07 14:23:47: Import Completed With errors
-------- Summary --------Total Number of Records Processed:1Number of Records Failed:1Number of Records Imported:1---------- End ----------Please refresh the table to see the changes.
On some other tries I get null field or missing fields.
It actually creates the host, but on editing it I get the following message:
An unexpected error has occurred. To continue your work, reselect the option in the left navigation bar.If you continue to receive the unexpected error message, close your browser and log in to ACS again.If you still receive the unexpected error message, contact your system administrator or technical assistance.
MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256),VLAN:String(256):Required,attr-Expiration Date:Date(yyyy-Mmm-dd)01-02-03-04-05-06,AAATest,true,,Guest,2010-Dec-08
View 3 Replies
View Related
Jan 21, 2013
I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication and computers certificates are autoenrolled from Microsoft PKI.It works well!
Now I configured Windows 8 with same configuration.First authentication works but if I manually disconnect and reconnect, I got this error on ACS: 22047 Principal username attribute is missing in client certificate.In EAP packets, we could see that Windows 8 sent a TLS session ticket but session was not resumed correctly by ACS..On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".
View 2 Replies
View Related
Jun 8, 2011
I have IAS set up on my organization's AD domain controller. Multiple policies set up for various authorization scenarios, authenticating based on Windows user groups and client IP, authorizing by passing "shell:priv-lvl=#" where #=desired privilege level. On my IOS devices I have:[code]
This identical configuration operates correctly on a Cisco 3825 and a Catalyst 4506. On the 24 port Cat 3560G PoE running 12.2SE (do not recall exact IOS version, but I know it is in that release train) that I am currently working on, every attempt to login via ssh passes authentication but fails authorization, displaying %Authorization Failed on the terminal and a message stating that "No appropriate privilege level found for user" in the debug statement from RADIUS.I have verified correct server addresses, correct source-interfaces, and that configs between the three devices match exactly with regards to aaa.
View 1 Replies
View Related
Jan 7, 2010
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
View 7 Replies
View Related
Nov 13, 2012
I have a user named "testuser" and trying to authenticate from the xp computer but fails to authenticate. The ACS logs says that authentication failed, the user is in the local database but why it fails to authenticate?
I have cisco switch :
WS-C2960G-48TC-L 12.2(52)SE C2960-LANBASEK9-M
*Mar 8 04:03:55.030: AAA/BIND(00000029): Bind i/f
*Mar 8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar 8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed
[Code]....
View 7 Replies
View Related
Mar 22, 2011
i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal, AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.
View 7 Replies
View Related
Dec 21, 2010
I am working through the migration from ACS 4.1.4 on Windows Server 2003 to ACS 5.2 on the appliance. I have created the 4.1.4 migration server, installed the software and imported the data from our production ACS 4.1.4 box. I downloaded the migration utility from the 5.2 ACS server and am attempting to run on the 4.1.4 migration server. The question that fails is:
Enter ACS 4.x Server ID:
I do not know what this means and do not see anything on the 4.1.4 server that identifies the Server ID. I try localhost and it does not work and the 4.1.4 server is not registered in DNS or I would try that (and . are not valid characters in the ID so the IP does not work).
How have other people handled this question? Is there something that can identify the local server ID?
View 9 Replies
View Related
Apr 29, 2012
We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server - not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. If we unchecked the 'change password' box we can authenticate from iPhones & iPads without any issue but we need to have a way for users to set their own password.
View 3 Replies
View Related
Oct 24, 2011
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
View 1 Replies
View Related
Aug 9, 2011
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload - apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
[code]....
View 1 Replies
View Related
Jul 21, 2011
After we have installed patch 5 on several ACS 5.2 server they aren't able anymore to write their backups to the sftp servers. I tried to search on the bug tool kit, but it seems to be broken when searching for the keyword "sftp". It's the same when I try to do a "copy logs" with sftp as destination.running a debug I can see,
acs/admin# copy logs sftp://10.1.115.11/,Collecting logs...,Username: backupuser,Password: ,6 [16376]: transfer: cars_xfer.c[301] [admin]: sftp copy out of /var/tmp/ADElogs.tar.gz requested,6 [16376]: transfer: cars_xfer_util.c[412] [admin]: resolved server to 10.1.115.11,7 [16383]: transfer: sftp_copy.c[75] [daemon]: Executing SFTP command: /usr/bin/scp -o StrictHostKeyChecking=no /var/tmp/ADElogs.tabackupuser@10.1.115.11://ADElogs.tar.gz,% Error: Transfer failed3 [16376]: transfer: sftp_copy.c[230] [admin]: sftp_copy ERROR: command execution failed,3 [16376]: copy: cm_copy.c[1226] [admin]: Logs archive transfer to url sftp://10.1.115.11/ failed retcode=-306,acs/admin#
View 21 Replies
View Related
Jul 18, 2009
I'm having an issue with a 1252 LAP that is connected to the WLC over a WAN link.Basically, it won't associate. The following is taken from a console into the LAP:
*Mar 1 00:00:07.799: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:08.799: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.851: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar 1 00:00:27.003: Logging LWAPP message to 255.255.255.255.
[code].....
The ap-manager interface is configured correctly and there isn't a duplicate IP address. The LAP was initially stand alone and was converted to LWAPP.The MTU over the WAN link is 1500 bytes.All I'm getting from the WLC debugs is:
Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx Received LWAPP DISCOVERY REQUEST from AP 00:22:xx:xx:xx:xx to 00:19:xx:xx:xx:xx on port '29'
Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx LWAPP Discovery Request AP Software Version: 0x3003300
Mon Jul 20 11:42:59 2009: 00:22:xx:xx:xx:xx Successful transmission of LWAPP Discovery Response to AP 00:22:xx:xx:xx:xx on port 29
So basically the join messages don't seem to reach the WLC. In fact they don't even seem to reach the local router on the remote subnet. The discovery packets are seen on the local router but the joins don't seem to appear at all.I'm not sure if it's a latency issue. Average latency over the WAN link is under 70ms.I'm assuming the certificate on the WAP is MIC and the MAC details have been entered into the WLC AP Security policies for authentication. I'm not seeing any debugging messages relating to bad authentication at all.I can't debug from the LAP as it's LWAPP, obviously.We're running WLC version 4.2.130.0.
View 37 Replies
View Related
Nov 6, 2011
I connected the AP [1140 - Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)] to the switch (3560) and the switch with the WLC (5500 series), but I get the below error:
*Nov 7 09:07:59.916: %DTLS-5-SEND_ALERT: Send WARNING : Close notify Alert to 192.168.10.22:5246
*Nov 7 09:07:59.954: %CAPWAP-5-CHANGED: CAPWAP changed state to
[Code]....
The access point cannot join the controller. Is this a misconfiguration at the WLC or something else?
View 3 Replies
View Related
May 16, 2013
I am new to Cisco wireless solution and would like to ask how to add the AP to the WLC properly. All Cisco 1041 and Cisco 2500 WLC are new. I connect those AP and WLC to the switch without any VLAN tag and the AP can gain the IP address from our DHCP correctly. However, the AP 1041 could not join the WLC successfully.
WLC: Cisco 2500
IP Address: 192.168.1.225
version: 7.4.100.0
View 5 Replies
View Related
Aug 23, 2012
I am trying to lab up an ACS5.2 with windows 2003 AD for PEAP authentication. But my ACS does not join the AD and throws an error "can not resolve network address". But when i do an nslookup on ACS CLI , the same domain wireless.abc.com is returning with the IP address of my AD. I think i am missing something in windows AD/DNS configs here as i am not a windows AD expert.
1) My AD domain is wireless.abc.com. In my DNS, i have a zone called wireless.abc.com. and i have added "New Host" in that DNS zone with the "name" as blank and providing IP address of my AD (AD and DNS are on same windows installation) . Is this the right way to do ?
2) I should be entering "wireless.abc.com" in the ACS active directory domain name field and do test connection. right ?
View 15 Replies
View Related
Mar 24, 2013
Our offcie use WLC2100 Series controller with AIR-LAP1031 and successfully join and running. Now i am trying to replace one ap with AIR-LAP1041N and join with WLC, but i can't and below the error message generate:
[code]....
View 2 Replies
View Related
Jul 10, 2012
I am trying to set up a Wireless network a WLC hosted on an SRE module in a 2911 router. I think i have most of my bases covered but there is still one problem.
My LAP1131AG AP's won't join the controller, on the AP im am seeing this:
Translating "CISCO-LWAPP-CONTROLLER.test.local"...domain server (192.168.250.10) [OK]
[Code].....
But to my knowledge an LWAP AP schould be able to join a CAPWAP WLC
View 2 Replies
View Related
May 22, 2013
I have an allready configured WLC 2504 running in the network. Every LAP i add to the network joins imidiatly to the Controller. But not the AP1121G AP. It fails the Handshake everytime and the Controller shows me an failmessage at the statistics in the GUI. [code]
View 3 Replies
View Related
Apr 8, 2012
WLC software 7.2.103.0
1. first problem: AP1252 can´t join on WLC. MAC was add on mac filter properly.
170Mon Apr 9 15:37:32 2012Mesh Node '2c:3f:38:be:53:ef' failed to join controller, MAC address not in MAC filter list.171Mon Apr 9 15:37:32 2012AAA Authentication Failure for UserName:2c3f38be53e0 User Type: WLAN USER172Mon Apr 9 15:37:32 2012Coverage hole pre alarm for client[1] 40:a6:d9:ef:87:68 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 46 7 5 4 2 1 0 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0173Mon Apr 9 15:37:32 2012Coverage hole pre alarm for client[1] 8c:7b:9d:05:a0:67 on 802.11b/g interface of AP 2c:3f:38:bf:0c:80 (AP2c3f.38bf.0c80). Hist: 50 1 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0174Mon Apr 9 15:37:30
[code]....
Several APs can´t join on WLC and all are added on MAC filter, but they are showing this messages.
2 . Second problem.: Operational Status = UNKNOWN
Some Access Point are in UNKNOWN status. I tried but I can´t do the reboot. I can access Web config the APs using WLC, but when I applied the reset, it wasn´t working properly.
View 2 Replies
View Related
Jun 10, 2013
I'm new in installing WIFI, I have WLC 2504 using 7.4.100.0. I have AP 1600 (AIR-CAP1602E-E-K9)
I installed the WLC and AP in a cisco poe switch, wlc and ap are in the same subnet and can ping ap from WLC, but the AP cannot join the wlc. i have this error message
(Cisco Controller) >show ap join stats detailed 00:06:f6:d6:03:f0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
View 15 Replies
View Related
Jan 31, 2013
I have converted ap 1131 from autonomous to lwapp successfully by using upgrade utility tool but the AP does not join the WLC 2106. I can see it as a neighbor on the switch with no IP address.
View 19 Replies
View Related
Jun 29, 2011
My WLC running 6.0.182.0 suddenly could not accept more than 47 APs! Ihave a 1240 trying to join but failed with no obvious reason (no special errors in debugging).
I unplugged one of the joined and the first one joined!! I replugged the second one but could not join!! I unplugged the first one and replugged the second one: the second joined the controller but the first could not associate again!
View 4 Replies
View Related
Mar 2, 2012
Airlap 1041n i have air lap 1041n(soft version 12) and wlc 2112 i dont have dhcp server perhaps i use tftpd32 to act as a dhcp server.
my problem is
1. i have configured the wlc 2112 and it's ip is :172.25.1.1
2. i cant configure the air lap 1041n. when i enter the cli mode the following message comes ****continuously***:
Could not discover WLC using DHCP IP. Renewing DHCP IP.
*Mar 1 01:44:11.310: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does not have an Ip !!
3. my question is how to stop this continuous mgs ?
4. how can i assign an ip to my AP ?
5. how can i join my AP with MY wlc ?
I have to show my office that i can control two ari lap 1041n-k9 with my WLC 2112 and my laptop's wifi and cellphone's wifi are able to get connected with the Access points.
View 1 Replies
View Related
Jan 24, 2011
I have a 4400 WLC for 100APs running the 7.0.98.0software version. Now, only 48 APs are joined, and the WLC dont accept new joins. The log below are from my WLC but appear for all others APs:
%LOG-6-Q_IND: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:3a:98:ae:e3:f0 supporting CAPWAP%LWAPP-6-CAPWAP_SUPP_VER: spam_lrad.c:1440 Discarding discovery request in LWAPP from AP 00:3a:98:ae:e3:f0 supporting CAPWAP%CAPWAP-3-TX_ERR: capwap_ac_sm.c:1966 Failed to transmit discovery response to AP 00:3a:98:ae:e3:f0%CAPWAP-3-ENCODE_ERR: capwap_ac_sm.c:2269 Failed to encode Discovery (code)
View 2 Replies
View Related
