Cisco AAA/Identity/Nac :: ACS 5.1 Web Interface Not Working
Mar 31, 2011
We have a Cisco Access Control Server (TACACS+ version 5.1) with an additional 2-port NIC card. This produces 4 ports on the ACS server (G0 through G3). After initial setup of the ACS server with an IP address on G0, I connected a Windows 7 server with IE8 to G0. The ACS web interface appears (after accepting the certificate) and I entered some user accounts and NDGs. I then connected the ACS server to a configured port with port-security on our 6500 switch. The port becomes err-disabled since the MAC address does not match up. It appears that the onboard NIC on the ACS server is bonded, thus producing the MAC address issue. To fix this connection issue, on the ACS server, I cleared out G0 and set up G2 (additional NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port works fine. I removed the connection to the 6500 and connected the Windows server to the ACS. I can ping the ACS server but the web interface is now unavailable, unlike before. I do not get a certificate warning on IE; it just states that the internet is not available. On ACS, the 'show' status of acs shows all the processes are running and initialized. It has got me stumped, as all I did was change the NIC configuration on the ACS server.
Feb 3, 2013
C4948-10G switch running IOS 15.0(2)SG. ACS 4.2 cannot authenticate on the VRF interface. The issue is with VRF AAA authentication.
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
[code]....
Aug 27, 2012
I have set up an Identity Firewall on an ASA version 5.6 on a DMZ interface. I have installed the AD Agent on a domain member Win2008 and configured it as follows: [code]
where ashdew is a domain user and ACL 122 (only one line) is applied on the DMZ interface and NAT is properly configured. The AD Agent has been properly tested and the ASA can register to it. The ASA can connect to the AD DC controller and query the user database. I have placed a laptop with IP 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the ASA does not seem to retrieve the user identity. Do I need to add extra rules in access-list 122 to permit traffic to the DC? Can I check on the AD Agent whether it can retrieve the user-to-IP mapping?
Oct 28, 2012
I'm trying to test such an 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: what is the difference between protected identity pattern and unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only, user only authentication).
Sep 10, 2012
Just got my server team to install ACS 5.3 on a virtual machine. Unable to access the web interface URL... Nothing happens when I try and access this. How can I fault find this, as I have CLI access?
Jul 6, 2011
I had installed the ACS 5.2 on VMware. As per my requirement I need to configure a user with restricted privilege so that he should be able to execute only the below commands on the switch:
-Show ver
-Show interfaces
-Show ip Interface Brief
-Configure terminal
-Interface <interface name >
-Shutdown
-No shutdown
The user should not be authorized to execute any other commands than the above listed ones. After the configuration I was not able to restrict the config mode commands. Once the user is authorized for configure terminal access he will have full access on the device. How to configure the command set to only allow interface access, so that he should be able to apply the shutdown and no shutdown commands?
Mar 5, 2012
I have a Cisco ASA 5010 where, during the process of configuring, the outside ports become down/down. The /0 port won't even reactivate after cycling power on the unit. Port /1 is the inside interface and it is not affected by the problems. I switched the outside port to port /3 and it worked for a while, then it stopped working. I switched it to port /2 and the same thing. Port /2 and port /3 are on after a power recycle but shut down completely (down/down) during the reconfiguration. It seems like a hardware failure, but I'm wondering if it could be anything else.
Nov 7, 2011
I'm actually trying to bring up two IPSec VPNs on only one interface. I've successfully created a tunnel between Par and Barcelone and between Par and Mad. But I can't create it between Barcelone and Mad. We have a Cisco ISR1921 in Mad and Barcelone, and a Netgear in Par.
Barcelone config:
crypto isakmp policy 10
encr 3des
authentication pre-share
[Code].....
May 11, 2013
How to make a Cisco 881 router finally work? I have the following configuration:
Current configuration : 2964 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[code].....
As much as I understand, the VPN tunnel is active. I can access the Internet, but I cannot access anything through the VPN tunnel.
Aug 11, 2011
I configured dot1x on my switch 4500 series. Here is the interface configuration:
interface FastEthernet3/2
description Test dot1x
switchport mode access
load-interval 30
authentication event fail action authorize vlan 800
authentication host-mode multi-host
authentication port-control auto
[code]....
When I remove the port-control configuration on the interface, the status changes to UP/UP.
Jun 8, 2013
How does ISE support a third-party LAN switch, if the requirement is doing 802.1X based FlexAuth? Refer to the diagram I attached: 01 topology.png
Concern 1: if the 3Com switch has the 802.1X feature, but still without the full feature set to support FlexAuth, policy enforcement, dACL etc. In this kind of situation, will the user still be able to authenticate (using method PEAP-MSCHAP v2), but authorization just grants permit any any?
Concern 2: Can I assume I authenticate the 3Com switch using MAB? But this will cause endpoints with no 802.1X, am I right?
Concern 3: Cisco switch C4507-E, loaded with IOS version Cat4500e-UNIVERSALK9-M, version 03.04 and Supervisor Engine WS-X45-SUP7-E: is this platform supported in Cisco TrustSec?
Sep 27, 2012
I have a question about ACS 5.3 and WLC. We now have ACS 5.3 running for MAB (working well) and TACACS for device AAA. But now our WLCs will not work. I have already created a special "custom attribute" => role1 / mandatory / ALL. Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all, but still not working. I get a wrong response.
I followed the guideline in the attached PDF file.
Debug dump from WLC
ACS 5.2 / ACS 5.3
-------------------
*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0
[code]....
Feb 18, 2013
I have a Cisco 2821 with two serial interfaces bundled using PPP multilink. I want to monitor traffic flow (NetFlow) on the multilink interface. I have tried configuring ip route-cache flow / ip flow ingress / egress but no luck. The other thing is, when I do sh ip cache flow I guess I should see the multilink interface in both source and destination columns, which is not happening (not showing in the destination column). The other router with the same config but with an ATM sub-interface is working properly (same IOS). Are there any hints on this? Also, is it possible to use the SPAN feature? The monitoring server is at some other site (coming via WAN).
Feb 5, 2012
I have here an ASA 5510 Sec K9.
I built a config with a DMZ, INSIDE and OUTSIDE interface. My plan is to use the IP address of the OUTSIDE interface with a port to set up an HTTP server in the DMZ.
But my config doesn't work. And I have no idea why.....
The inside interface has to work normally. The traffic to the Internet is triggered from inside with dynamic PAT.
ciscoasa(config)# exit
ciscoasa# show run
: Saved
:
ASA Version 8.4(1)
[Code].....
Jan 6, 2012
Can the Cisco 881G cellular interface (Modem Firmware Version = K2_0_7_19AP C:/WS/FW) work with R-UIM cards? I can't find a correct answer in the documentation.
Sep 18, 2012
I just recently bought a new Cisco 2611 for my home lab and am having trouble getting the serial port to work. I have tried multiple things such as erase startup, switching the cables to rule them out, and even changing IP addresses, but none worked. [code]
Apr 20, 2011
I have Cisco ACS 4.2. Since a few days ago users cannot change their password; what could be the issue? Even after resetting the password I got an error.
Aug 17, 2011
I have a dot1x client with a client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the re-auth period on the ACS 5.2. I did the following:
1. Configured an Access Profile with Reauthentication Timer = static and 30 seconds (see attachments ACS1.png and ACS2.png)
2. Enabled authentication periodic and authentication timer reauthenticate server on the switchport:
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998
[code]....
Sep 12, 2012
I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though I've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
Mar 4, 2013
I have created a command set under "Policy Elements > Authorization and Permissions > Device Administration" for a limited-access user in ACS 5.3. I tried to give them permission to only a few show commands. I have set user privilege 1, 7, 10; however, either of the privilege level users was able to run those commands. It works like the shell privilege level.
Oct 13, 2012
I need to configure a Cisco ASA5510. Connected to a single interface I have a switch. To this switch (same VLAN) there are connected:
1. The Subnet of the main office (192.168.1.253)
2. A router (IP 192.168.1.254) that routes the traffic to a remote location (Subnet 192.168.8.0/24)
I have so allowed any traffic incoming to the inside interface as follows: access-list inside_access_in extended permit ip any any, and I have permitted traffic intra-interface as follows: same-security-traffic permit intra-interface. [code] Unfortunately I cannot RDP into that server. When I simulate the connection via Packet Tracer, it tells me that the implicit deny at the bottom of the connections from "inside" (firewall) does not allow the connection. It sounds to me like "same-security-traffic permit intra-interface" works only if there are 2 interfaces and not a single one. Unfortunately I cannot just unplug the cable and connect it into another port, as the IP is on the same subnet and I cannot configure the other end router.
Aug 12, 2011
We bought an RV042 at the end of June. It is used as a gateway and VPN router. The DHCP server is disabled and all IPs are configured manually. Every once in a while (Tuesday night, then Friday night - yesterday; it has happened once or twice before that) the router appears to restart (see log below), then comes back up with a system time of Jan 01 2010. At this point the router will no longer load its configuration page (https://10.29.238.197:16443/) and the VPN connection to our customer in Africa drops. However, devices behind the router can be reached and can access the internet. The only way to fix this is to power cycle the router, at which point everything starts working flawlessly again. The PID VID is RV042 V03 running firmware v4.0.3.03-tm (May 12 2011 21:27:37). Our RV042 is a newer one with Cisco SMB Router branding, not the older Linksys branding.
From the log when the router reboots:
Aug 12 22:38:42 2011 VPN Log (g2gips0) #141: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Jan 1 01:00:05 2010 System Log heart : System is up
Jan 1 01:00:13 2010 System Log WAN connection is up : 10.29.238.197/255.255.255.192 gw 10.29.238.225 on eth1
Jan 1 01:00:15 2010 VPN Log (g2gips0) #1: [Tunnel Negotiation Info] >>> Initiator Send Main Mode 1st packet
I looked at the log more and all the usual messages associated with the VPN being established are there - the last thing in the log before the router coming back up again is:
Jan 1 01:03:49 2010 VPN Log (g2gips0) #4: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 01:03:49 2010 VPN Log (g2gips0) #4: [Tunnel Negotiation Info] Quick Mode Phase 2 SA Established, IPSec Tunnel Connected
Jan 1 01:03:49 2010 VPN Log (g2gips0) #4: sent QI2, IPsec SA established {ESP=>0x575a01c0 <0x6534ae4e
So it even claims the tunnel should be up but I can never reach anything on the far side.
Aug 20, 2012
I have an ASA 5510 attached to 2 internal networks. Everything is working except communications between the 2 internal interfaces. I can ping the FW from either interface and I can ping hosts on both networks from the CLI, but can't get any traffic to pass. I'd like to open the connection to all traffic. [code]
Oct 9, 2011
We updated our NAC appliances from 4.8.1 to 4.9 and have noticed that web authentication is no longer working on Apple iOS devices. We had set up a user page for the MAC_ALL OS and iPhones etc. were able to authenticate using their browser OK. Now (after the upgrade), after they authenticate they receive the below warning.
There doesn't seem to be any other config changes we can make for the iOS device.
Sep 16, 2010
I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 phone and a laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter's icon shows an "authentication error" message. The same PC, connected to another port (same commands except "authentication host-mode multi-domain") works perfectly, including the new VLAN and ACL assigned from ACS.
This is the configuration on the switch port where the PC chained to the phone fails:
interface FastEthernet0/6
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
interface FastEthernet0/7
switchport access vlan 701
switchport mode access
switchport voice vlan 123
authentication event fail action next-method
authentication event server dead action authorize vlan 704
authentication event no-response action authorize vlan 701
authentication open
authentication port-control auto
authentication periodic
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
When the PC fails to get connected, I see the following messages on the switch:
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFC
Sep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication
[Code].....
Jan 31, 2011
I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced Monitoring and Reporting is installed on the ACS. This is my configuration on the Cisco router:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
logging origin-id ip
logging facility syslog
logging source-interface GigabitEthernet1/1
logging host 1.1.1.1 transport udp port 20514
logging monitor informational
epm logging
On the ACS, when I open the dashboard --> ACS health, I get "Status not available". Has the Global Instance under Logging Categories been configured for local logging?
Nov 29, 2011
I have been trying to create a Guest WLAN on my 4402 WLC system and have found several conflicting documents explaining the procedure. During this process I have noticed that although the current corp wireless works, there was never a virtual interface created for it. Instead it uses the same WLAN/VLAN as the AP manager and management interfaces. Could this be why I can't seem to get the Guest access working? Or is this not a problem after all, since the wireless does work?
May 13, 2012
I installed two AIR-AP1142N-E-K9 access points, running a fairly simple config, WPA2 PSK with AES cipher, both with the same SSID. The two access points are connected to Cisco 2960G switches, which are in turn connected to each other, again without any fancy config options, no VLANs etc.
After a random while, varying from 30 minutes to 15 hours, the access points will stop sending/receiving traffic on the ethernet interface. The units don't stop at the same moment; this also varies seemingly at random. It's not related to load or the amount of clients (1 to 15). Only turning on one unit doesn't make any difference.
The units keep sending out their SSID, you can associate to them, but the DHCP requests aren't passed on to the DHCP server which is connected to one of the 2960Gs. If you wirelessly connect to the AP and set a manual IP address you can reach the web interface and telnet/ssh to the access point. The ethernet link is reported as being up on the access point. Also the switch reports a link on the port to which the access point is connected. Resetting the link has no effect. The log doesn't mention any errors or warnings. Power cycling or reloading the access point will put it back in working order for a varying amount of time.
Access point version:
Cisco IOS Software, C1140 Software (C1140-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
Access point config:
!
! Last configuration change at 14:41:40 +0100 Sat May 12 2012 by admin
! NVRAM config last updated at 14:41:40 +0100 Sat May 12 2012 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
[code]...
Mar 30, 2011
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside
e0/1 = inside
m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0, as in:
route outside 0.0.0.0 0.0.0.0 192.168.49.129 1
route management 10.72.0.0 255.255.0.0 10.72.232.94 10
This doesn't work, and ASDM logging gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages through the management interface of these ASAs, and it would be very burdensome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinent ASA config concerning syslog, routing, and interfaces:
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.49.140 255.255.255.128 standby 192.168.49.141
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxx.xxx.xxx.xxx 255.255.255.128 standby
[Code].....
Dec 6, 2011
So I have 2 routers (Cisco 3640) that each go to their own ISP and then back to the same switch. I have set up OSPF and GLBP, and now have pretty good redundancy. If either internet connection or router goes down everything is still golden.
So I was thinking that if an interface went down then the router would not be load balanced with GLBP, which got me thinking what's the best way to get interface redundancy (and I was going to add a 2nd switch with the second interface).
1) Set up BVI on the 2 interfaces.
2) Set up a 2nd interface (on each router); I would have to split the subnet, for instance: [code] then the machines could be on the subnet 192.168.0.0/23 and set up GLBP for 1 IP across all 4 interfaces (I'm not even sure if you can do this but think it would work).
3) Is there a way to utilize EtherChannel or anything like this?
A negative to option 2 would be that if 1 of the interfaces went down, all of a sudden 2/3 (or so) of your traffic would be going through 1 router.
Jun 24, 2012
After I upgraded our ASA 5510 to 8.4.2 I have a problem with the management interface. Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work. The interface and the protocol are up when I type show interface. But when I ping the interface from a computer connected to the interface, nothing happens.
Even the logging shows nothing.
Oct 19, 2011
We are facing a strange problem with a Cisco Small Business SG 200-08 switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS client with 802.1x port security enabled, it sends the "Account Name" attribute to the RADIUS server with max. 32 characters. The string comes in this format: host/dnsHostName and will be cut after 32 characters, which will cause the NPS to say: "The specified domain does not exist." and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have an SG 200-26 in production and it can handle more than 32 characters, which leads me to think of a bug in the firmware of the SG 200-08.
Feb 14, 2012
I'm trying to configure a timeout for a network connection, but when it is supposed to disconnect the client, it's not working. Is it possible to do this?
It only works when the client is connecting and is denied if the time is not valid. But how could I do this if the client is already connected, enable re-authentication?