Cisco AAA/Identity/Nac :: ACS 5.2 EAP-TLS Re-authentication Fails
Jan 21, 2013
I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication and computers certificates are autoenrolled from Microsoft PKI.It works well!
Now I configured Windows 8 with same configuration.First authentication works but if I manually disconnect and reconnect, I got this error on ACS: 22047 Principal username attribute is missing in client certificate.In EAP packets, we could see that Windows 8 sent a TLS session ticket but session was not resumed correctly by ACS..On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".
View 2 Replies
ADVERTISEMENT
Oct 24, 2011
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
View 1 Replies
View Related
Jan 9, 2012
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password".TAC has been working with us on this and sees the error in the logs but does not have an answer on with to do to solve this. It has the same problem with Wireless Zero. Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is a not just a minor problem
View 16 Replies
View Related
Jan 25, 2012
I'm trying to set up vpn with ASA 8.2(5) and Anyconnect 3.0.4235. The goal is to force user to connect from registered machines only (winXP & win7 x32 and x64). To do this, I used machine certificates issued by own CA. Certificate is installed in machine store. I use double authentication (aaa & certificates). Everything works fine, AnyConnect browses cert store, ASA validating machine certificate, then user is prompted for username/password and finally if all is correct - connection is established.My problem is, that for new installation (new host), AnyConnect fails at first connection attempt. If I use aaa authentication only, connection is established, but if I use aaa & certificates - connection fails. The appropriate .xml profile is predeployed at client host asa well as machine and root certificates.Important: When first try (aaa auth) succeded, others are always OK (with aaa. certificate or aaa & certificate authentication). Only the first one fails.The goal is to succesfuly establish connection with aaa & cert.
With DART i get:
******************************************
Type : Error
Source : acvpnagent
Description : Function: CTransportWinHttp::WinHttpCallback
File: .CTransportWinHttp.cpp
Line: 2150
[code]....
Certificate is valid for sure, and as I mentioned before, if first use aaa only, the second try is OK. At ASA with debug crypto ca 255 can't see any certificate from client.
View 3 Replies
View Related
Aug 23, 2012
I am running Cisco ACS 5.1 802.1x with certificate based authentication for Wired and Wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when the plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure Vlan. A reboot of the phone/ shut/no shut fixes this, but I really need to find a resolution.This is an intermittent fault and only effects users with both LAN and WLAN enabled. Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.Certificates are issues by group policy and only using computer authentication.
View 2 Replies
View Related
Jul 15, 2011
I've got a weird problem that I can't figure out. I've de-authorized the switch in the RADIUS server to force an ERROR status to test the backup entries in the AAA authentication method list. However, after I do that and try to log in (through ssh), it just prompts me for my username's password and not the enable password. Here's the debug output:
1d02h: RADIUS: Marking server xxx.xxx.xxx.xxx:1812,1813 dead
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No valid server found. Trying any viable server
1d02h: RADIUS: Tried all servers.
1d02h: RADIUS: No response for id 10
[code]...
View 14 Replies
View Related
Oct 19, 2011
I have a problem with a customer of mine. We have deployed two new WLC5508 running r7.0.116.0 and AP1142s, also WCS with r7.0.172. When we setup a "Guest Access" we ran into trouble.The problem is that we can associate to the SSID/AP and get an ip-adress. When we open the web- browser we do not get redirected to the virtual interface but instead the _hostname_ of the WLC. Like this: url...
I we manually replace "cisco6a19c4" with 1.1.1.1 it works as it should, the login page appears, we login and can access the internet.We have tested and disabled web-auth on the ssid an everything works, we can directly go out on the internet, DNS works without any problems. [code]Guest network (VLAN) is transfered from WLC via the trunk to the Cat4503 and then connected on a access-port to a separate broadband-router, then to the inetrnet.DHCP to guest-users from separate broadband-router which is def gwy and "DNS".On the virtual interfaces no hostname is configured.
View 6 Replies
View Related
Jan 16, 2012
I have setup the WLC to authenticate to a MS Server2008 NPS for a WPA2/AES SSID. The connection is successful, but client authentication fails for wrong EAP-type. I believe this indicates a Windows7 client issue. What is the required client setup to satisfy the MS NPS?
View 8 Replies
View Related
Nov 13, 2010
Just purchased an E2000 (Firmware version 1.0.03) to use with DDNS. Much to my surprise there seems to be a problem with saving the password at the configuration screen. [code] With the above settings entered and the Update button pressed favorable results are obtained; the router reports that DynDNS.org updates okay. However once the "Save Settings" button is pressed an update fails with the error "Authorization failure bad ID or password".Is anyone else experiencing this issue? Is the password field limited to certain characters?
View 9 Replies
View Related
Nov 16, 2011
I have a 3845 router. Setup SSH Version 2generated rsa keys (1024)set login localtransport input ssh and telnet is enabled since I can't get ssh connection working When I connect using SSH, I get the following error. server refused authentication protocol.
View 21 Replies
View Related
Jan 16, 2012
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies
View Related
Jul 3, 2011
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
View 6 Replies
View Related
Aug 11, 2011
We are using ACS v5.2.0.26.3 in 802.1X certificate based authentication. Now, when we added CRL functionality into ACS it fails in CRL validation and gives following error message:
LastErrorMessage=CRL PKI verification failed
Certificate Revocation list [URL]
We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.
Question is, which certificate is used when validating downloaded CRL file - one used for EAP-TLS or one used for management interface?
How I can check which certificate ACS server is using for CRL validation?
View 19 Replies
View Related
Dec 6, 2012
I try upgrade ACS 5.3.0.40 to new version 5.4.0.46. Everything looks ok:
ACS-machine/acsadmin# application upgrade ACS_5.4.0.46.tar.gz rep01 Do you want to save the current configuration ? (yes/no) [yes] ? Generating configuration. Saved the running configuration to startup successfully
% CARS Install application required post install reboot...
Broadcast message from root (pts/0) (Thu Dec 6 23:36:41 2012):
The system is going down for reboot NOW!
Application upgrade successful
But ACS machine (vmware instance) can't boot with this result: Volume group "smosvg" not found. (for details see attachment)
View 3 Replies
View Related
Jan 30, 2013
I am trying to upgrade ISE from 1.1.0 to 1.1.2.145 but failed. Find the details below.
DR-ise-pdp-01/admin# application upgrade ise-appbundle-1.1.2.145.i386.tar.gz ISE1
Save the current ADE-OS running configuration? (yes/no) [yes] ?
Generating configuration...
Saved the ADE-OS running configuration to startup successfully
Initiating Application Upgrade...
Stopping ISE application before upgrade...
Running ISE Database upgrade...
% Application upgrade failed. check logs for more details.
View 2 Replies
View Related
Sep 11, 2011
I am trying to join my ACS 5.1 to my AD. In the External Identity Stores > Active Directory I have put in the AD administrator details and hit the test button and the test succeeds.
However, when I try to save changes it fails with an eror saying it can't connect to the LDAP server.
Error while configuring Active Directory:Error while configuring Active Directory:Unexpected LDAP Error Can't contact LDAP server due to unexpected configuration or network error.Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.Join to domain 'Mydomain.local', zone 'null' failed.
I have done this lots of times and never had any issue once the test connection succeeds.
I've checked the time and timezones on both ACS and AD and they are the same.
View 7 Replies
View Related
Dec 6, 2010
I'm trying the csv file import and getting some errors.
010-12-07 14:23:47: File Format Validation Completed2010-12-07 14:23:47: Import Started
2010-12-07 14:23:47: Record number: 1, Host 01-02-03-04-05-06: Import Failed2010-12-07 14:23:47: null Import process failed for unexpected reason: Unknown error has accurred.2010-12-07 14:23:47: Import Completed With errors
-------- Summary --------Total Number of Records Processed:1Number of Records Failed:1Number of Records Imported:1---------- End ----------Please refresh the table to see the changes.
On some other tries I get null field or missing fields.
It actually creates the host, but on editing it I get the following message:
An unexpected error has occurred. To continue your work, reselect the option in the left navigation bar.If you continue to receive the unexpected error message, close your browser and log in to ACS again.If you still receive the unexpected error message, contact your system administrator or technical assistance.
MACAddress:String(64):Required,description:String(1024),"enabled:Boolean(true,false):Required",HostIdentityGroup:String(256),VLAN:String(256):Required,attr-Expiration Date:Date(yyyy-Mmm-dd)01-02-03-04-05-06,AAATest,true,,Guest,2010-Dec-08
View 3 Replies
View Related
Jun 8, 2011
I have IAS set up on my organization's AD domain controller. Multiple policies set up for various authorization scenarios, authenticating based on Windows user groups and client IP, authorizing by passing "shell:priv-lvl=#" where #=desired privilege level. On my IOS devices I have:[code]
This identical configuration operates correctly on a Cisco 3825 and a Catalyst 4506. On the 24 port Cat 3560G PoE running 12.2SE (do not recall exact IOS version, but I know it is in that release train) that I am currently working on, every attempt to login via ssh passes authentication but fails authorization, displaying %Authorization Failed on the terminal and a message stating that "No appropriate privilege level found for user" in the debug statement from RADIUS.I have verified correct server addresses, correct source-interfaces, and that configs between the three devices match exactly with regards to aaa.
View 1 Replies
View Related
Jan 7, 2010
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
View 7 Replies
View Related
Nov 13, 2012
I have a user named "testuser" and trying to authenticate from the xp computer but fails to authenticate. The ACS logs says that authentication failed, the user is in the local database but why it fails to authenticate?
I have cisco switch :
WS-C2960G-48TC-L 12.2(52)SE C2960-LANBASEK9-M
*Mar 8 04:03:55.030: AAA/BIND(00000029): Bind i/f
*Mar 8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar 8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed
[Code]....
View 7 Replies
View Related
Mar 22, 2011
i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal, AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.
View 7 Replies
View Related
Dec 21, 2010
I am working through the migration from ACS 4.1.4 on Windows Server 2003 to ACS 5.2 on the appliance. I have created the 4.1.4 migration server, installed the software and imported the data from our production ACS 4.1.4 box. I downloaded the migration utility from the 5.2 ACS server and am attempting to run on the 4.1.4 migration server. The question that fails is:
Enter ACS 4.x Server ID:
I do not know what this means and do not see anything on the 4.1.4 server that identifies the Server ID. I try localhost and it does not work and the 4.1.4 server is not registered in DNS or I would try that (and . are not valid characters in the ID so the IP does not work).
How have other people handled this question? Is there something that can identify the local server ID?
View 9 Replies
View Related
Apr 29, 2012
We're in the process of implementing an ISE 1.1 server for Guest Wireless Access / BYOD at our company and ran into an issue with authenticating from iPhones / iPads when the account is set with 'change password on next logon' (it's a local account created on the ISE server - not AD). It fails and displays 'unable to join network' on the iPhone. The ISE log shows a '5411: No response received in 120 seconds'. We're able to authenticate from Windows devices and are prompted to change the password during the authentication process. If we unchecked the 'change password' box we can authenticate from iPhones & iPads without any issue but we need to have a way for users to set their own password.
View 3 Replies
View Related
Aug 9, 2011
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload - apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
[code]....
View 1 Replies
View Related
Jul 21, 2011
After we have installed patch 5 on several ACS 5.2 server they aren't able anymore to write their backups to the sftp servers. I tried to search on the bug tool kit, but it seems to be broken when searching for the keyword "sftp". It's the same when I try to do a "copy logs" with sftp as destination.running a debug I can see,
acs/admin# copy logs sftp://10.1.115.11/,Collecting logs...,Username: backupuser,Password: ,6 [16376]: transfer: cars_xfer.c[301] [admin]: sftp copy out of /var/tmp/ADElogs.tar.gz requested,6 [16376]: transfer: cars_xfer_util.c[412] [admin]: resolved server to 10.1.115.11,7 [16383]: transfer: sftp_copy.c[75] [daemon]: Executing SFTP command: /usr/bin/scp -o StrictHostKeyChecking=no /var/tmp/ADElogs.tabackupuser@10.1.115.11://ADElogs.tar.gz,% Error: Transfer failed3 [16376]: transfer: sftp_copy.c[230] [admin]: sftp_copy ERROR: command execution failed,3 [16376]: copy: cm_copy.c[1226] [admin]: Logs archive transfer to url sftp://10.1.115.11/ failed retcode=-306,acs/admin#
View 21 Replies
View Related
Feb 2, 2012
In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?
View 1 Replies
View Related
Apr 1, 2012
My customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the device's mac addresses and move the WLAN-clients to a specific VLAN.I added all devices with their mac addresses to the ACS internal identity store for hosts.According to the following message the client sends the user-login credentials (chegger) within the RADIUS-request instead of the clients mac address and of course it has to fail. After many configuration changes, I ended up always with the same result.
View 2 Replies
View Related
Jun 13, 2012
I have question on EAP-TLS with ACS 5.2. If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place? Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
View 7 Replies
View Related
Jan 22, 2012
I have a new ACS 5.3 installation which I have joined to our AD Domain and added the directory groups into. I have also added all our devices into ACS and their groups etc but I am still only able to authenticate on the our switches with an internal ACS account, when I try with an external AD account the log shows the following error "Subject not found in the applicable identity Store (s)"
View 1 Replies
View Related
Apr 18, 2010
We got recently a Cisco Secure ACS 1120 and i upgraded the Appliance to 5.1 from 5.0 with all your support
Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1 . I Successfully Downloaded config file from RSA ACE Server and exported into ACS 1120.
I also Added ACS as a NetOS Agent in the RSA Server , during the process i found few warnings . The ACE Server is not able to Resolve the IP Address to NAme ( DOes it Necessary ?? ).
I havent created any secret Key file for communication between ACS and RSA and encryption i used is DES.
Now when I log into ACS and search for Devices in the Identity Store Sequences i am not able to Look for RSA Token Sever .
View 10 Replies
View Related
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
View 0 Replies
View Related
Dec 13, 2012
If laptop/desktop goes on sleep mode or keep connected with interface configured for 802.1X for more than 12 hours it does not work or not connect to Exchange server, Cisco ISE console, office communicator..for re authentication i need to restart PC/ Laptop or unplug and replug lan cable from it!but before restarting i am able to ping all DNS, DHCP, OCS, everything..[code]
View 6 Replies
View Related
Mar 9, 2011
I would like to konw does Cisco ACS 4.x / 5.x natively support Two factor authenication, but not act as a Radius Proxy?
View 1 Replies
View Related
