Cisco AAA/Identity/Nac :: ACS 5.1 - Can't Contact AD Server Slow TACACS Auth Response

Sep 28, 2011

Running ACS 5.1 appliance, and am seeing slow response on TACACS authentications due to the ACS trying to reach overseas AD servers and failing.  Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication?  As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS.  In my case, this would include the AD servers overseas that we do not want to use.




Cisco AAA/Identity/Nac :: ACS 5.3 Slow CLI Response After Implementing TACACS

Sep 30, 2012

After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.


Cisco AAA/Identity/Nac :: ACS 4.2 No Authoritative Response From Any Server

Nov 1, 2010

I'm having an issue with the TACACS server (ACS 4.2). I did the following test from the router:

Router1#test aaa group tacacs+ cisco cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

I can ping the ACS server from this router though.


AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2.  Identical symptoms.  The supervisor crashed and switched to secondary.  Is there a comparable field for ACS 4.1 that needs to have something in it?

2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.


Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that if I set two TACACS servers in my N7K and the primary TACACS server fails, it won't switch over to the other TACACS server?


Cisco AAA/Identity/Nac :: ASR 9010 Configuration To Connect To A Tacacs+ Server

Jun 10, 2013

We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a TACACS+ server. This TACACS+ server works and is giving service to many other MPLS devices. We have been following the guide:

Configuring AAA Services on Cisco ASR 9000 Series Routers

but we have had a lot of trouble; in fact we have lost the administration of the box. At this moment the only lines that are in the ASR900 are: [code]


Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've configured my device 6506-9 with TACACS+ server authentication: [code]

but when I try to access the device, it only uses local authentication and does not use TACACS (with username/password defined). Can it be an error in the configuration? On the other devices of the network this works properly; it's only wrong on the Cat6506-E.


Cisco AAA/Identity/Nac :: 5520 - Change Shell Profile In ACS / TACACS Server Unavailable

Jan 17, 2012

I have two Nexus 5520 running 5.0(3)N1(1c).
 
I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.
 
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
 
The NEXUS console reports this error. (amongst many others)
 
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
 
A show system reset-reason shows:
 
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
    Reason: Reset triggered due to HA policy of Reset
    Service: Tacacs Daemon hap reset
    Version: 5.0(3)N1(1c)

Could this be a bug with Nexus/ACS?


Cisco Firewall :: ASA 5520 - Syslog And Tacacs Generate Ping Response?

Mar 20, 2012

I'm trying to configure an ASA firewall (FW2) for syslog and tacacs and am experiencing strange behavior.  Both the syslog and ACS server are on the inside of another firewall (CoreFW).  Whenever a log message is generated on FW2 the request is dropped by CoreFW and message '%ASA-4-313004: Denied ICMP type=0, from laddr FW2 on interface outside-b2b to syslog01: no matching session' is displayed.  The same thing occurs for tacacs.
 
It appears that the syslog and ACS requests are generating ICMP echo replies, which the core firewall drops since no session exists on a lower security interface.  I have access lists configured on CoreFW to allow the syslog and tacacs requests.
 
FW2 is running asa825-k8.bin, CoreFW is asa824-k8.bin


Cisco AAA/Identity/Nac :: ACS 5.3 Auth Report Called-Station-ID

Jun 24, 2012

In the ACS 5.3 RADIUS authentication report I want to show the called-station-id attribute (this was appearing on failed and passed auth in ACS 4.2). The value of called-station-id appears in the details. However, I want it to appear as a column within the report.


Cisco AAA/Identity/Nac :: Command Auth Failure On ASA5510 Using ACS5.1

Jun 11, 2012

I'm having trouble getting things working on a pair of ASA5510's using Cisco Secure ACS v5.1. We were previously using a much older version of ACS to these (and a lot of other) devices which worked OK for remote access for read/write use. Am in the process of migrating to the new ACS software and have got it working OK to everything (many Cisco switches and other IOS devices) except these ASA5510s.
 
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
 
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.


Cisco AAA/Identity/Nac :: 7204 - Radius Auth For Login And VPN Conflicts

May 15, 2011

I'm trying to configure a 7204 for radius login authentication, although the router is also configured with radius for VPN access. How can I configure it for both using 2 different radius servers? The login via radius is working fine on another router, although that one is not doing VPN access so there's no conflict.

My config:

aaa group server radius RADIUS_AUTH
 server x.x.3.11 auth-port 1645 acct-port 1646
aaa authentication login networkaccess group radius local

[Code]....

For some reason, this does not work. I cannot access the router and authenticate via the x.x.3.11 radius server. I think there's a conflict between the VPN and the login authentication but I'm unsure how to resolve this.


Cisco AAA/Identity/Nac :: Implementing Mac-auth On Selected Ports Between An HP ProCurve 2510 And ACS 5.3?

Apr 15, 2012

I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3. The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!). The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:

Logged At: April 16,2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device:

[code].....

The ACS is configured to use the Internal Hosts database, where the client computer is configured like this:

MAC-address: 00-26-55-88-6B-3D


Cisco AAA/Identity/Nac :: Testing Windows 8 Consumer Preview With ACS 5.2 PEAP Auth

Apr 29, 2012

We are deploying ACS 5.2 to replace our ACS 4.2 in production.  I have two wireless networks setup as WPA2-Enterprise.  One points at the ACS 4.2 and the other at the ACS 5.2.  Both use the same SSL certificate with the same CN.  Both authenticate Windows 7 clients.  However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2.  The error it gives is:
 
11051 Radius packet contains invalid state attribute
 
It also shows no authentication method (most of the time).
 
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be.  On those requests, I get error:
 
24444 Active Directory operation has failed because of an unspecified error in the ACS.
 
Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.


Cisco Firewall :: ASA 5510 - Response Is Very Slow While Applying ACL

Nov 27, 2012

I am managing a firewall remotely in my LAN itself. I started a continuous ping to the firewall IP and the response is less than 1 ms.

While applying some access control lists to the firewall via PuTTY, suddenly the latency goes high and hits xxxx ms. Also, the ACLs get pasted on the screen word by word. Sometimes I get some RTOs for the firewall IP address in the ping response.
 
find the Firewall Version:
 
Cisco ASA 5510
Version : 7.2
Having more than 600 ACL's.


Cisco WAN :: Periodic Slow Response 2821 (300+ms / 1 Minute)?

Mar 10, 2011

Periodic Slow Response 2821 (300+ms, 1 minute). My SolarWinds NPM reports very slow response times from my satellite clinic. Often it is 300ms to 600ms when it should be 10-15ms. CPU does not seem to spike, the memory does not seem to spike. The bandwidth does not spike. It happens mostly during work hours, about 10 times a day. SolarWinds reports the delay and then 2 minutes later it reports normal activity.

I have broadcast/multicast control on the switches? We have static route for our network meaning no routing protocols? We have 12 other clinics with the same configs and they are fine? I have double checked the configs but I am not holding my breath on that item? I have rebooted the router without effect.

I have not replaced the cable to the demarc on either side of the WAN connection? I have not reseated the service provider T1 cards? I have not reseated the T1 card on either router.


D-Link DIR-615 :: Slow Response Commands In FIFA

Jul 13, 2012

I'm using a cable connection with my router, and most of the time when I'm playing FIFA12 on PS3 I feel like the commands take a second to respond, as if there was a delay. I tried almost everything in firewall settings, port forwarding, internet settings...


DNS Server May Not Be Available - Contact Provider

Jun 6, 2012

I have a Time Warner modem/router. There are a ton of different devices constantly being connected/disconnected to our router - itouches, computers, smartphones etc.

The problem started with my otherwise super reliable HP g42 (i3) laptop. Nothing would solve the issue other than recovering it back a few days to when the issue wasn't happening. But then it would happen again after a few days. All other devices would connect without issue.

Time warner's technical troubleshooting consists of "unplug the router for 10 seconds and then plug it back in. Did that work?"

So now, my son gets his first computer and I bring it home last night. Also an HP (Pavilion i3). Same deal. At first, it connects fine and dandy. Then after about 2 hours it gets the ol' "won't connect - diagnose the problem?" After diagnosing, it says "DNS server may not be available."

Here's the thing: Both computers connect immediately and without issue to my smartphone wireless tether.


Unable To Contact To DHCP Server?

Nov 2, 2011

I've been trying (in vain) to connect a USB Wireless device to be able to use it off my wireless network. I have (2) other laptops and (1) other desktop connecting to the router with no issues. For some reason, this old desktop keeps installing an Ethernet device (probably on the MB) and is automatically configuring the IP address to that instead of the USB wireless device. I've tried uninstalling the Ethernet device but it comes right back after I do a reboot. Even when I disable it, I still cannot connect with my Wireless device.


Cisco Switching/Routing :: WS-C3750G-24TS-S1U Slow Response Between VLAN’s

Jan 20, 2013

Inter-VLAN applications are slow and same VLAN it is working fine (i.e. VLAN to VLAN applications and file transfer response was slow). Switch Model number: WS-C3750G-24TS-S1U


Cisco Application :: Slow HTTPs Response Time Through CSS After Applying KB2585542?

Feb 9, 2012

Having issues with HTTPS sites being very slow after applying KB2585542? Once you remove this Microsoft patch everything returns to normal.   It appears that the CSS does not handle the split-ssl requests properly.  I have opened a TAC case but am not really getting anywhere as we seem to be the only company that is having this issue.


Computer Is Unable To Contact DHCP Server

Feb 10, 2012

Need to know why I cannot connect to the internet after I am done downloading Windows XP on my desktop. I got an error message from the cmd, saying that the computer is unable to contact the DHCP server.


Linksys Wireless Router :: E3200 Ping Is Getting Slow TTL Response During Time

Nov 9, 2012

Each time I reboot my E3200 device my ping to my ISP is 20ms. A few hours later the ping goes up to 300-500ms. Then I reboot again and the ping goes down to 20ms again.


Unidentified Network / Unable To Contact DHCP Server

Mar 13, 2013

I just moved to Auckland, NZ from the USA to go to school at the university here, and am having a problem connecting to the internet in the university residence hall in which I am living. Wifi is not available in the residence halls, so we need to use an Ethernet cable. When I plug in my computer, the network adapter icon says Identifying for a while then settles on Unidentified Network with no internet access; the IP is 169.x.x.x. When I try to release and renew the IP, it says "unable to contact your DHCP server, request has timed out". I've tried multiple Ethernet cables, both brand new. I tried connecting to a port in a friend's room in the same building, and even in a classroom on campus, and both had the same result. Naturally after all that I assumed my NIC somehow died overnight while I traveled here, so I went to a computer repair shop expecting to have some hardware replaced, but we plugged it in there and it worked immediately so they weren't sure what to tell me.

I've gone through pages of old threads at this forum and others like it, trying solutions but having no luck. I've power cycled my computer; obviously I can't power cycle the whole network as it's for 200 people, but the IT people here have tried resetting it for me on their end as best they can. [code]


Dell 570 Inspiron / Unable To Contact DHCP Server

Jun 18, 2012

I have a Dell 570 Inspiron desktop running Win7 Home Premium w/ a 64 bit OS. I have Frontier DSL with a Westell 327W modem and a Netgear router. Two desktops are connected to the internet...one through the modem and the Dell 570 through the router. I also run laptops through the router w/no problem. This morning the DSL went down, and when it came back up, the Dell 570 would not connect. I tried Diagnosing Connection Problems, and I'm told to turn off the modem/router (which I have done a gazillion times). When I look at Network Connections in the Control Panel, it tells me I have an unidentified network and can't connect. I read through some forums earlier, and found that releasing and renewing ipconfig often corrects the problem, and that's when I got the message that 'An error occurred while renewing. Local Area Connection unable to contact DHCP server.' This setup has worked for the past year and a half. I looked at the network adapter, and it says it's working properly. I changed the cables going to the machines, and they both work on this computer. The only change made to the computer was to install McAfee security center through AOL yesterday, but the setup worked all yesterday and last night.


Limited Or No Connectivity - Unable To Contact To DHCP Server

Aug 30, 2012

Until a couple of days ago I was able to connect to the internet wirelessly on both my laptop as well as my desktop. However, that has changed for the desktop, now I am unable to access the internet on it. It says that it can detect the signal. When I tried to renew the ip it responded with "An error occurred while renewing interface Wireless Network Connection : unable to contact your DHCP server. Request has timed out." [code]


Limited Or No Connectivity / Unable To Contact To DHCP Server

Nov 30, 2012

I have just installed the wireless equipment on my main computer, but unable to pick up the internet on my 2nd computer, how do I do it??


Cannot Renew IP Address - Unable To Contact DHCP Server

Mar 31, 2013

I randomly lost Internet connection, and since have not been able to Renew an IP address! Other people in my household can connect just fine. I've tried numerous things to get my internet back, but continue to be unsuccessful in doing so.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Mike>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : miker
Primary Dns Suffix . . . . . . . :

[code]....


Unable To Contact DHCP Server / Request Timed Out

Oct 15, 2011

I have reinstalled Windows 7 on my Toshiba laptop. I have my wireless set to automatically connect, I have excellent signal strength and have another PC connected to the wireless router, but my laptop does not capture IP addresses. I tried the renew command but got the message "unable to contact your DHCP server, request timed out".


Cisco :: WLC 5508 Max-Login Ignore Identity Response Is Set To Enable

Sep 20, 2012

We're using a WLC 5508 with SW 7.2.103.0. Most things are working fine, but I have a problem with the web auth.
 
Setup:

- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized
 
The Problem:

- the user "test" is logged in at device1 (working), the same user "test" tries to log in at device 2 (is not working, fine!) -> login is not accepted, WLC redirects to the INTERNAL Web Login Page. The problem is the redirect to the internal web login page after a failed login. If I try to log in with a non-existent user, the redirect to the customized web login works perfectly.


Cisco WAN :: 1841 - VOIP Phone Not Able To Contact Hosted Server On Internet

Mar 11, 2010

We have a 2mbps leased line and have a Cisco 1841 which is managed by our ISP. I have hooked up another 1841 (please find basic config below, it will get more complex later on). Now when I connect my laptop I am able to browse the Internet. But when I connect a VOIP phone, it is not able to contact its Hosted Server on the Internet.

VOIP phone is Polycom SoundPoint 550 and I get URL call disabled message.  If I try netgear Firewall everything seems to work. that the voip provider needs following ports UDP Range 16384 - 32766, TCP 5060 & UDP 5060. But in my config all outbound traffic is allowed. [code]


Unable To Contact DHCP Server Wirelessly - Request Timed Out

Jul 3, 2011

I've been having problems connecting my laptop to the internet through wireless. When I plug it in with a cable it works fine. I also know my wireless works fine because I have other things attached to it. When I try to connect it says limited or no connectivity, but the signal strength is excellent. I have tried to repair the problem but it then tells me it cannot renew my IP address. I've also tried the ipconfig /release then renew, and that's when it says about my DHCP.


Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.







