Cisco AAA/Identity/Nac :: ACS 5.1 - Can't Contact AD Server Slow TACACS Auth Response
Sep 28, 2011
Running ACS 5.1 appliance, and am seeing slow response on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
Sep 30, 2012
After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
Nov 1, 2010
I'm having an issue with the TACACS server (ACS 4.2); I did the following test from the router:
Router1#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
I can ping the ACS server from this router though.
Apr 9, 2012
I see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it?
2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.
Jan 23, 2012
Have you ever found the problem that if I set two TACACS servers in my N7K and the primary TACACS server fails, it won't switch over to the other TACACS server?
Jun 10, 2013
We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a TACACS+ server; this TACACS+ server works and is giving service to many other MPLS equipment. We have been following the guide "Configuring AAA Services on Cisco ASR 9000 Series Routers", but we have had a lot of trouble; in fact we have lost administration of the box. At this moment the only lines that are in the ASR900 are: [code]
Mar 15, 2010
I have configured my device 6506-9 with TACACS+ server authentication: [code]
But when I try to access the device it only uses local authentication and not TACACS (with username/password defined). Could it be an error in the configuration? On the other devices of the network this works properly; only the Cat6506-E is wrong.
Jan 17, 2012
I have two Nexus 5520 running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The NEXUS console reports this error (amongst many others):
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
Mar 20, 2012
I'm trying to configure an ASA firewall (FW2) for syslog and TACACS and am experiencing strange behavior. Both the syslog and ACS server are on the inside of another firewall (CoreFW). Whenever a log message is generated on FW2 the request is dropped by CoreFW and the message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed. The same thing occurs for TACACS.
It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface. I have access lists configured on CoreFW to allow the syslog and tacacs requests.
FW2 is running asa825-k8.bin, CoreFW is running asa824-k8.bin.
Jun 24, 2012
In the ACS 5.3 RADIUS authentication report I want to show the called-station-id attribute (this was appearing on failed and passed auth in ACS 4.2). The value of called-station-id appears in the details. However, I want it to appear as a column in the report.
Jun 11, 2012
I'm having trouble getting things working on a pair of ASA5510s using Cisco Secure ACS v5.1. We were previously using a much older version of ACS with these (and a lot of other) devices, which worked OK for remote access for read/write use. I am in the process of migrating to the new ACS software and have got it working OK with everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS 5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.
May 15, 2011
I'm trying to configure a 7204 for RADIUS login authentication, although the router is also configured with RADIUS for VPN access. How can I configure it for both using 2 different RADIUS servers? The login via RADIUS is working fine on another router, although that one is not doing VPN access so there's no conflict.
My config:
aaa group server radius RADIUS_AUTH server x.x.3.11 auth-port 1645 acct-port 1646
aaa authentication login networkaccess group radius local
[Code]....
For some reason, this does not work. I cannot access the router and authenticate via the x.x.3.11 RADIUS server. I think there's a conflict between the VPN and the login authentication but I'm unsure how to resolve this.
Apr 15, 2012
I am having difficulties implementing MAC-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3. The 802.1X works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only supports one auth-mechanism per port!). The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At: April 16, 2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device: [code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this: MAC-address: 00-26-55-88-6B-3D
Apr 29, 2012
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
Nov 27, 2012
I am managing a firewall remotely within my LAN itself. I started a continuous ping to the firewall IP and the response is less than 1 ms.
While applying some access control lists to the firewall via PuTTY, suddenly the latency goes high and hits xxxx ms. Also the ACLs get pasted on the screen word by word. Sometimes I get some RTOs for the firewall IP address in the ping response.
Firewall version:
Cisco ASA 5510
Version : 7.2
Having more than 600 ACLs.
Mar 10, 2011
Periodic Slow Response 2821 (300+ms, 1 minute). My SolarWinds NPM reports very slow response times from my satellite clinic. Often it is 300ms to 600ms when it should be 10-15ms. CPU does not seem to spike, memory does not seem to spike, bandwidth does not spike. It happens mostly during work hours, about 10 times a day. SolarWinds reports the delay and then 2 minutes later it reports normal activity.
I have broadcast/multicast control on the switches. We have static routes for our network, meaning no routing protocols. We have 12 other clinics with the same configs and they are fine. I have double checked the configs but I am not holding my breath on that item. I have rebooted the router without effect.
I have not replaced the cable to the demarc on either side of the WAN connection. I have not reseated the service provider T1 cards. I have not reseated the T1 card on either router.
Jul 13, 2012
I'm using a cable connection with my router and most of the time when I'm playing FIFA12 on PS3 I feel like the commands take a second to respond, as if there was a delay. I tried most everything in firewall settings, port forwarding, internet settings...
Jun 6, 2012
I have a Time Warner modem/router. There are a ton of different devices constantly being connected/disconnected to our router - itouches, computers, smartphones etc.
The problem started with my otherwise super reliable HP g42 (i3) laptop. Nothing would solve the issue other than recovering it back a few days to when the issue wasn't happening. But then it would happen again after a few days. All other devices would connect without issue.
Time warner's technical troubleshooting consists of "unplug the router for 10 seconds and then plug it back in. Did that work?"
So now, my son gets his first computer and I bring it home last night. Also an HP (Pavilion i3). Same deal. At first, it connects fine and dandy. Then after about 2 hours it gets the ol' "won't connect - diagnose the problem?" After diagnosing, it says "DNS server may not be available."
Here's the thing: Both computers connect immediately and without issue to my smartphone wireless tether.
Nov 2, 2011
I've been trying (in vain) to connect a USB wireless device to be able to use it on my wireless network. I have (2) other laptops and (1) other desktop connecting to the router with no issues. For some reason, this old desktop keeps installing an Ethernet device (probably on the MB) and is automatically configuring the IP address on that instead of the USB wireless device. I've tried uninstalling the Ethernet device but it comes right back after I do a reboot. Even when I disable it, I still cannot connect with my wireless device.
Jan 20, 2013
Inter-VLAN applications are slow, while within the same VLAN it is working fine (i.e. VLAN to VLAN application and file transfer response was slow). Switch model number: WS-C3750G-24TS-S1U
Feb 9, 2012
Having issues with HTTPS sites being very slow after applying KB2585542? Once you remove this Microsoft patch everything returns to normal. It appears that the CSS does not handle the split-ssl requests properly. I have opened a TAC case but am not really getting anywhere as we seem to be the only company that is having this issue.
Feb 10, 2012
I need to know why I cannot connect to the internet after I am done installing Windows XP on my desktop. I got an error message from the cmd, saying that the computer is unable to contact the DHCP server.
Nov 9, 2012
Each time I reboot my E3200 device my ping to my ISP is 20ms. A few hours later the ping goes up to 300-500ms. Then I reboot again and the ping goes down to 20ms again.
Mar 13, 2013
I just moved to Auckland, NZ from the USA to go to school at the university here, and am having a problem connecting to the internet in the university residence hall in which I am living. Wifi is not available in the residence halls, so we need to use an Ethernet cable. When I plug in my computer, the network adapter icon says "Identifying" for a while then settles on "Unidentified Network" with no internet access; the IP is 169.x.x.x. When I try to release and renew the IP, it says "unable to contact your DHCP server, request has timed out". I've tried multiple Ethernet cables, both brand new. I tried connecting to a port in a friend's room in the same building, and even in a classroom on campus, and both had the same result. Naturally after all that I assumed my NIC somehow died overnight while I traveled here, so I went to a computer repair shop expecting to have some hardware replaced, but we plugged it in there and it worked immediately so they weren't sure what to tell me.
I've gone through pages of old threads at this forum and others like it, trying solutions but having no luck. I've power cycled my computer; obviously I can't power cycle the whole network as it's for 200 people, but the IT people here have tried resetting it for me on their end as best they can. [code]
Jun 18, 2012
I have a Dell 570 Inspiron desktop running Win7 Home Premium with a 64-bit OS. I have Frontier DSL with a Westell 327W modem and a Netgear router. Two desktops are connected to the internet, one through the modem and the Dell 570 through the router. I also run laptops through the router with no problem. This morning the DSL went down, and when it came back up, the Dell 570 would not connect. I tried Diagnosing Connection Problems, and I'm told to turn off the modem/router (which I have done a gazillion times). When I look at Network Connections in the Control Panel, it tells me I have an unidentified network and can't connect. I read through some forums earlier, and found that releasing and renewing ipconfig often corrects the problem, and that's when I got the message 'An error occurred while renewing. Local Area Connection unable to contact DHCP server.' This setup has worked for the past year and a half. I looked at the network adapter, and it says it's working properly. I changed the cables going to the machines, and they both work on this computer. The only change made to the computer was to install McAfee Security Center through AOL yesterday, but the setup worked all yesterday and last night.
Aug 30, 2012
Until a couple of days ago I was able to connect to the internet wirelessly on both my laptop as well as my desktop. However, that has changed for the desktop, now I am unable to access the internet on it. It says that it can detect the signal. When I tried to renew the ip it responded with "An error occurred while renewing interface Wireless Network Connection : unable to contact your DHCP server. Request has timed out." [code]
Nov 30, 2012
I have just installed the wireless equipment on my main computer, but I am unable to pick up the internet on my 2nd computer. How do I do it?
Mar 31, 2013
I randomly lost Internet connection, and since have not been able to Renew an IP address! Other people in my household can connect just fine. I've tried numerous things to get my internet back, but continue to be unsuccessful in doing so.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Mike>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : miker
Primary Dns Suffix . . . . . . . :
[code]....
Oct 15, 2011
I have reinstalled Windows 7 on my Toshiba laptop. I have my wireless set to automatically connect, I have excellent signal strength and have another PC connected to the wireless router, but my laptop does not capture IP addresses. I tried the renew command but got the message "unable to contact your DHCP server, request timed out".
Sep 20, 2012
We're using a WLC 5508 with SW 7.2.103.0. Most things are working fine, but I have a problem with the web auth.
Setup:
- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized
The Problem:
- the user "test" is logged in at device1 (working); the same user "test" tries to login at device2 (is not working, fine!) -> login is not accepted, WLC redirects to the INTERNAL web login page. The problem is the redirect to the internal web login page after the failed login. If I try to login with a non-existing user, the redirect to the customized web login works perfectly.
Mar 11, 2010
We have a 2mbps leased line and a Cisco 1841 which is managed by our ISP. I have hooked up another 1841 (please find basic config below; it will get more complex later on). Now when I connect my laptop I am able to browse the Internet. But when I connect a VoIP phone, it is not able to contact its hosted server on the Internet.
The VoIP phone is a Polycom SoundPoint 550 and I get a "URL call disabled" message. If I try a Netgear firewall everything seems to work. The VoIP provider needs the following ports: UDP range 16384 - 32766, TCP 5060 & UDP 5060. But in my config all outbound traffic is allowed. [code]
Jul 3, 2011
I've been having problems connecting my laptop to the internet through wireless. When I plug it in with a cable it works fine. I also know my wireless works fine because I have other things attached to it. When I try to connect it says limited or no connectivity, but the signal strength is excellent. I have tried to repair the problem but it then tells me it cannot renew my IP address. I've also tried ipconfig /release then renew, and that's when it complains about my DHCP.
Mar 4, 2012
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.