Cisco AAA/Identity/Nac :: ACS 5.2 Timed Out For AAA Clients

Aug 16, 2011

I have 2 ACS 5.2 (VMWARE) in my network configured as primary and secondary. When my AAA clients are configured for Primary ACS, authentication works fine. But the clients configured with secondary fail authenticating. My replication status of the secondary box is showing UPDATED.

View 1 Replies



Cisco AAA/Identity/Nac :: ACS 5411 - EAP Session Timed Out

May 25, 2012

I am using ACS 5.3 for certificate based authentication for LAN workstations. Now a few times I received this message from ACS. 5411 EAP session timed out : EAP session timed out?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - 5411 EAP Session Timed Out

Sep 3, 2012

I've got ACS currently authenticating wireless users - using EAP-MSCHAPv2.  There are a large number of failures being reported as:

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Upgrade ACS 4.1 To 4.2 - Authen Session Timed Out / Challenge Not Provided By Client

Jun 17, 2010

I have upgraded Cisco ACS from 4.1 to 4.2. I have a Cisco Access Control 1113 appliance. As soon as I upgraded, I am getting an error in the failed logs, "Authen session timed out: Challenge not provided by client". What is wrong with this?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Mac Filtering For WLC Clients?

Jul 30, 2012

Any up-to-date reference for setting up the ACS v 5.3 for MAC filtering via built-in RADIUS with wireless LAN controllers?
 
all I seem to find is this old document - which uses the user database.
 
the ACS 5.3 has host store, which seems like the logical place to setup mac address information
 
[URL]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 11213 NAC Clients Via ISE Authenticating

Apr 17, 2012

So if I do a static IP address it works fine, but if I turn off static, the machine authenticates fine, but is not assigned to the access VLAN, and it does not get an IP address. Now when I use static I notice in the ISE live authentication logs, 11213 No response received from Network Access Device, for the switch even though it's configured correctly.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Supports IPv6 Clients?

Jun 28, 2011

We are using the Cisco ACS 5.2 for AAA to manage our network devices.  We plan to migrate all our edge's devices to IPv6 soon.  Can or when the Cisco ACS 5 support IPv6 address?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 - Delete Multiple Clients?

Jun 28, 2011

I've inherited some ACS appliances from another part of my organization.  I need to keep most of the settings but want to remove all the AAA clients; and preferably not one-by-one.  I don't see a way in the documentation and web searches have proven fruitless.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Sync / Copy AAA Clients Between Two ACS5.2

May 17, 2011

we are moving network devices (200+) authentication/authorization/accounting to new ACS5.2, is there any easy way to copy/sync all those AAA clients configuration to another ACS5.2 server? I don't need other configuration to be synced/copied to another ACS5.2 server

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Wireless Clients Fail SSL / TLS Handshake And Reject ACS 5.2

Aug 29, 2011

I have a problem where wireless clients at a remote site cannot successfully authenticate through their WLC to my ACS 5.2 (Linux on VM). I have three sites where this authentication is functioning properly; at my fourth site the wireless clients fail with a PEAP error: "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate". My wireless clients are Win7 using WPA2-Enterprise security type with AES encryption. The authentication method is set to Microsoft PEAP (EAP-MSCHAP v2) and the 'Validate server certificate' is not checked. My wireless access rules on ACS 5.2 are working well at three sites. My ACS 5.2 has a self-signed certificate that doesn't expire until August 2012. A laptop that can successfully authenticate at other sites cannot authenticate at the fourth site.
 
Phase one of the PEAP process is where the client authenticates the server certificate and the TLS tunnel is created so that in phase two user authentication credentials are sent through the TLS tunnel using EAP. My clients do not seem to be able to create the TLS tunnel because they reject the ACS local certificate; thus, user credentials are never passed and authentication fails. I have renewed the ACS local certificate and rebooted the ACS server but the problem persists. My WLAN on the WLC has its security policy set to [WPA + WPA2][Auth(802.1X)]. WPA uses TKIP and WPA2 uses AES; Auth Key Mgmt is set to 802.1X. The remote site where authentication fails is a different domain; the other three sites are the same domain.
 
I can see the failed authentication attempts in my ACS "Monitoring and Reports | Reports | Catalog | AAA Protocol | RADIUS Authentication" report. They all fail with the same PEAP error: 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate. The ACS local certificate works fine at three sites--just not at the fourth. Is my problem the certificate or is it an 802.1X client problem?

View 4 Replies View Related

AAA/Identity/Nac :: SSL Certificate Installation On Acs Appliance 1120 For PEAP Clients

Apr 18, 2011

I need this SSL certificate installation on my ACS appliance 1120 for PEAP clients. I have exported the SSL server certificate from my old ACS 3.3 server, which is under the acscertstore folder, issued by a CA vendor. I need to reuse this same SSL certificate on my ACS appliance. ACS appliance certificate setup requires the following two certificates to be installed for PEAP client authentication:

1) Server Certificate

2) CA certificate
 
Server Certificate: For the server certificate, I have my old certificate which is exported from my old ACS 3.3 server. When I tried to download my server certificate via FTP server on my ACS appliance, it's looking for private key & private key file. Private key & file is generated initially on CSR request when this server certificate is requested to CA vendor for my old ACS 3.3. I don't know the private key password. If I need private key & file, then I need to generate a new CSR from my ACS appliance and I need to submit this CSR output to my CA vendor to generate a new SSL server certificate, which is something like a new server certificate request.

CA certificate: For the CA certificate, when I open my existing SSL certificate under the details tab in CRL distribution point, I could see the below URL. When I open this URL it is giving a certificate revocation list. [1] CRL Distribution Point.

View 10 Replies View Related

Cisco AAA/Identity/Nac :: Use 802.1x To Authenticate Clients On Network With Dynamic VLAN Assignment From RADIUS?

Apr 11, 2013

I'm trying to use 802.1x to authenticate clients on my network with dynamic VLAN assignment from RADIUS. We have IP-Phones (powered by PoE) that only support EAP-MD5, and we would rather use MAB (it also uses LLDP-MED for some settings) to authenticate the phones using the MAC-range from the phone's vendor.

The following scenario works perfectly:
- Connect the phone and let it boot up (takes a while) and authenticate with MAB.
- Connect a computer to the phone's data-port and let it authenticate with 802.1x (or fail and reach guest-vlan).

However, the following scenario doesn't work:
- The computer is already connected to the phone.
- The phone is then connected to the switch.

What happens now is that the computer is authenticated using 802.1x before the phone boots up and gets authenticated with MAB. When the phone is ready, it's authenticated with MAB and everything works. However, after a short period (let's say a minute), using `debug authentication all`, we see a "NEW LL MAC: phones mac" message (which is weird since the MAC has already been MAB-authenticated), and then we are unable to contact the phone using ping. When I check `show mac address-table` it has now moved the MAC from `Port Gi 0/12` to `Port Drop`. However, if I check `show mab interface Gi 0/12` or `show authentication sessions` it lists the phone's MAC as `mab auth sucess`. Why the first scenario works, and not the second?
 
The switch is a 3560E PoE 24p with IOS 12.2.58SE2. Sample of the switch-config:

network-policy profile 1
 voice vlan 90
!
interface GigabitEthernet0/12
 switchport mode access
 network-policy 1
 authentication control-direction in
 authentication event fail retry 1 action authorize vlan 60
 authentication event server dead action authorize vlan 60
 authentication event no-response action authorize vlan 60
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority mab dot1x
 authentication port-control auto
 authentication periodic
 authentication violation replace
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 spanning-tree portfast
!

Btw, when we tried authenticating the phones using 802.1x too (EAP-MD5), there are NO problems in any of the scenarios. However, we want to use MAB instead of 802.1x to avoid the requirement of configuring the phones with a username and password. The RADIUS response was the same when using 802.1x as it is with MAB for the phones (including device-traffic-class=voice AV-pair).

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Maximum Number Of AAA Clients Supported By Single ACS5.3 Instance

Aug 7, 2012

what is the maximum number of AAA clients supported by a single ACS5.3 instance?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5508 / ISE / BYOD / Windows Clients Reject ISE Local-certificate

Mar 26, 2013

We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication. Windows clients cannot connect to the 802.1x SSID, with the following error on ISE: Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
 
The client doesn't have a preconfigured wifi profile or root certificate installed. The concept of BYOD supposes that you can connect your device without any installed certificates and preconfigured wifi-profiles.
 
The problem is that the Windows 7 supplicant does not send the TLS alert in a pop-up window when connecting to the 802.1x SSID. If this alert is seen, then you can accept it and proceed with the connection. After that you will be asked to install the ROOT-cert, get your own cert, etc. So, the question is: how to make the Windows supplicant show the pop-up window with the TLS alert?

p.s. the attached file shows the example of pop up TLS-alert window

View 6 Replies View Related

Cisco AAA/Identity/Nac :: 1121 - Upgraded ACS / Clients Are Unable To Authenticate Older Appliance?

Apr 14, 2013

We have had an active ACS unit for many years now, and we've added a second one, both are 1121 Appliances.  The newer one came with 5.4, so we upgraded the older one to 5.4.
 
We setup replication between the two, with the newer one primary and the older one secondary.  Problem is, windows based clients are unable to authenticate to the older ACS appliance.  The only problem we can see is that it indicates that adclient is not running, under Monitoring & Troubleshooting, ACS Health Instance Summary.
 
So... been trying to figure out how to correct this, yet have been hard pressed to find a knowledgebase article that works.  So far, Cisco hasn't added my smartNet on the new box so I can get some support?

View 6 Replies View Related

Cisco VPN :: ASA 5505 VPN Clients Can't Ping Router Or Other Clients On Network

Jun 18, 2012

I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
 
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
 
[code].....

what I need to add to get the vpn client to be able to ping the router and clients?

View 3 Replies View Related

Cisco VPN :: 5520 / 5510 - Can VPN Clients Communicate With Other Dynamic Clients

Nov 5, 2012

We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses.  I was asked to add 5 additional 5510's on dynamic address.  All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.

My testing shows packets just dying in the 5520.

View 1 Replies View Related

Routers / Switches :: Dlink DIR 615 Router - Wireless Clients Can't See Ethernet Clients

Feb 1, 2011

I have 4 desktops cat5 to Dlink DIR 615 router. All work fine. Any wireless clients, laptop or netbooks, see the desktop computers for a while then disconnect somehow. All machines can see the Internet through the router at all times. The desktops disappear from the laptop/netbooks but the wireless machines can be seen from the desktop computers, but clicking on them gets an 'Access Denied' message after a wait. 3 desktops = XP, 1 98SE. All laptop/netbooks = XP

View 2 Replies View Related

Netgear WNDR4500 - Clients Not Showing Up In Clients List

Jul 6, 2012

I have a Netgear WNDR4500 running the stock firmware, acting as a router for my home. I also have 2 routers that are flashed with DD-WRT (Linksys WRT54G and Asus WL-520GU) running as client bridges. The Netgear is 192.168.1.1 and the other 2 client bridges are 192.168.1.2 and 192.168.10.3. The Netgear router is performing DHCP giving addresses from 192.168.10.100 to 192.168.10.254. I have numerous machines connected to the Netgear, wirelessly and wired, and numerous machines wired to each client bridge. All machines have IP addresses that are 192.168.10.100, 192.168.10.101, 192.168.10.102, etc... Everything is working fine, but I have one question: When I access the Netgear router, it shows the client bridges as clients, machines that are wired and wireless to the Netgear router are listed as clients, but the client list does not show any clients that are connected to the client bridges. I assumed that since the router is performing DHCP that all clients would show up.

View 2 Replies View Related

Can't See A Particular IP / Request Timed Out

Feb 1, 2011

Basically my friend has a game server with a particular IP. But lately I don't seem to be able to even 'see' that server. Pinging the IP gets a timeout. I did a tracert on the IP and from the first hop onwards it gives me 3 stars followed by a 'Request Timed Out' until the 30'th hop.

View 15 Replies View Related

Cisco Wireless :: PEAP 802.1x ACS 5 Timed Out?

Apr 12, 2012

I see many errors in the ACS 5.1 (or 5.3): 5411 EAP session timed out. Because I checked the "remember my username and password everytime login" in the wireless network properties, I can succeed to login finally, but in the ACS I will see many errors like "5411 EAP session timed out"
 
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44 
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state

[code]....

View 2 Replies View Related

Cisco WAN :: 877 - First Ping Request Timed Out

Nov 29, 2010

I have a strange issue where the first ping always times out, but the following goes through fine. I have a Cisco 877 and connection to the internet is fine. I connect a PC to one of the Fast Ether ports and I am able to ping the router without any issues. However, the moment I ping an external website [URL], the first ping request fails. After that the following requests come through quickly.

View 24 Replies View Related

Request Timed Out Every 20-30 Seconds?

Jan 9, 2013

I first noticed it in games, and decided to ping my router in CMD. I see the occasional "request timed out", and am not sure how to fix it. My other computers connected to the network are working fine, and I've tried USB wireless adapters in my laptop which work fine, which implies the problem lies with the inbuilt adapter itself. I've tried reformatting and updating drivers, but to no avail. I thought maybe the adapter might just be faulty, but then I decided to test it on Linux. I pinged the router in the terminal and... it seemed to work fine. I thought maybe some background process in Windows might be doing something to cause the problem, so I started in safe mode (with networking)... still the problem remained.

View 5 Replies View Related

Cisco WAN :: 1801 - Ping / Request Timed Out

Jun 8, 2011

I have a Cisco 1801 Router, but whenever there is anything plugged into the integrated 8 port switch for example two computers, I cannot get them to ping each other. All of the ports are on the same vLAN.
 
I am a Cisco newbie, so sorry if this question/query is really basic. Is there anyway I can test the integrated switch to see if it is faulty.

View 17 Replies View Related

Connection Has Timed Out On Specific Website

Feb 6, 2013

I can't access a specific website from any computer in my house. I am able to access all other sites. I have tried Firefox, IE, Chrome. All I get is the following error: "The connection has timed out". I called my ISP this morning, and they asked me to try adding a proxy server in IE. That is, Internet Options > Connections > LAN settings > Proxy server > proxy.tpg.com.au:3128. After doing this I was able to access the site! What could this mean?

View 3 Replies View Related

Wireless Router With Timed On / Off Option?

Mar 4, 2013

I'm looking to replace my Thomson router with a router capable of being programmed so it can turn wireless off at a certain time.

View 8 Replies View Related

Remote Desktop Connection Has Timed Out

Dec 18, 2011

I have a problem connecting to a VPS with Windows XP Remote Desktop Connection. The error I'm getting is: "Remote Desktop Disconnected - The remote connection has timed out. Please try connecting to the remote computer again." I am not behind any network, firewall, router... I tried to turn off firewall and antivirus programs to see if they are blocking it. It didn't work. All I could find from the Microsoft support site refers to the server side configuration. But I know the problem isn't with the server, because I am able to connect from another PC (notebook running Windows 7 with wireless connection). It is working straightforwardly with default settings. Are there any settings that need to be changed in Windows XP for RDC to work?

View 1 Replies View Related

Error - Internet Connection Timed Out

Feb 19, 2011

I am able to connect to Firefox internet but when I try to log in to my Yahoo Messenger or iTunes store it tells me that my internet connection timed out. I try to connect to Internet Explorer and it will not connect to the web there. I have gone into the tools box in Internet Explorer and clicked on internet option and then connection, and I was going to try to change the proxy server LAN, and when I would go into it to change that I would be able to find the address to put in but cannot figure out what the port section is. I am using a wireless connection and it shows that I have a connection even when I try the troubleshooting section that checks the connection, and it tells me that there is no problem with it. I also tried restarting my wireless router and then restarting my computer, which did not work.

Then I tried disconnecting and reconnecting to the internet and still nothing. When I would log in to my Yahoo Messenger and pushed the troubleshooter button it says, "We are not able to make a connection to the Internet. One of the following may be true: You're not connection to the Internet. Check cables, modems, routers, etc; Your Windows Internet options including the Windows Firewall settings are incorrect.; There is a problem with your Windows network settings, for example, the DNS settings in your Internet Protocol (IP) settings are incorrect or the DNS server is specified incorrectly or is not responding.; For more information, check the Windows online help and search for terms like "DNS" or "Firewall."

Checking virtual IP servers...
[VIP Raw] Resolving host name 944.452.2.1... [FAILED]
*** 'COMPONENT_TYPE_WININET' value: '12007' ***
[VIP Raw] Resolving host name 944.452.2.1... [FAILED]
*** 'COMPONENT_TYPE_WININET' value: '12007' ***

[code]....

View 4 Replies View Related

Cisco :: After Connecting VPN Giving Connection Timed Out Error?

Jul 24, 2011

I had been working on our client servers through Cisco VPN using internet datacard. But from past 3 weeks after logging into Cisco VPN using my username/password, when I try to connect to any of the servers, it is giving connection timed out error.

Whereas, my team members across other locations are able to connect to the servers using my VPN username/password.

I thought there might be some issue with my laptop or internet datacard. I got my laptop formatted, even tried out with fresh new laptops & new internet datacards, but the issue remains same.

I have tried using vpn_5.0.06.0160-k9 & vpnclient-5.0.05.0290-k9 to connect but issue did not get resolved.

View 4 Replies View Related

Cisco :: EAP-FAST With ACS 5.3 And WiSM - 5411 EAP Session Timed Out

Dec 13, 2011

In our setup we have WiSM modules installed on cisco 6506-E, ACS 5.3 virtual appliance. We are trying to implement EAP-FAST for our Wireless using WPA/WPA2 802.1x on the WLC side. 
 
I have followed the instructions in the following document step-by-step: [URL]
 
Still I have no success. Tried most of the permutations on ACS EAP-FAST configuration.

View 2 Replies View Related

Servers :: Remote Desktop Connection Has Timed Out?

Dec 17, 2011

"Remote Desktop Disconnected - The remote connection has timed out. Please try connecting to the remote computer again." I am not behind any network, firewall, router... I tried to turn off firewall and antivirus programs to see if they are blocking it. It didn't work. All I could find from the Microsoft support site refers to the server side configuration. But I know the problem isn't with the server, because I am able to connect from another PC (notebook running Windows 7 with wireless connection). It is working straightforwardly with default settings.

View 1 Replies View Related

Protocols :: How To Identify Timed-out Route In A Trace

Jul 19, 2012

Have Win7 system, Cisco WIRED 1720 router, ~1.5mb frame relay via C&WPanama, Nortons antivirus installed. IP config dump is at the bottom, but in this event, I don't think my problem is local. An important work-related chat quit working today, and I have narrowed down the issue to not being able to connect to the provider website from my current location. (I can connect via US proxy, but cannot run the Java applet via the proxy; it seems it is still trying to go from here to there.)

The site I am trying to reach is host7.parachat.com, IP 64.13.158.24

I can load this page (just a landing page comment) as well as their main pages via us proxy, but time out trying to load directly. Fiddler returns a 502 error, socket connection failed.

have tested on 3 machines (all on same router), then on a laptop which hadn't been booted or updated in over a year (also on same router). Trying to find a free wireless network to test with the laptop, but that hasn't been found yet.

[code]....

View 3 Replies View Related

IE Says Cannot Display Webpage And Firefox Keeps Saying Connection Timed Out?

Dec 21, 2011

For the last two weeks or so I keep getting kicked out of websites I have gone to on more than one occasion. IE just says cannot display webpage and Firefox keeps saying connection timed out. I have been researching this issue through other forms. Here is what I have tried so far to fix this issue:
- Reset all cookies, history, etc
- Renewed IP
- System Restore
- I am not running off any proxies
- Did a full computer scan and removed all threats/viruses
- Reset SSLs
- Uninstalled Windows IE and Firefox and reinstalled
- Unplugged router
- Put cookies/firewall settings to minimum or none and tried to access websites

There is no specific trend towards the websites I go to, that I can see at least. One is my bank account and another is a clothing store, little things like that here and there. I can't get on any Mozilla websites for tech so I have been googling it through my Android. I even did a diagnostic through Windows on a specific website and it said that everything checked out and that it was a web site issue, which I find hard to believe since I can access it through my phone.

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved