I an currently running Cisco (ACS 5.2.0.26.3) and attempting to get my Cisco 5508 WLC's (7.0.98.0) loaded into ACS for TACACS+ authentication for managment users.
However I keep getting the following error:
*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.
Now I've attempted the step-by-step using the following URL but to no avail.( there are some slight differences in ACS 5.2)
[URL]
Latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't much useful either.
'Use Unicasting' is selected by default in the Dynamic IP (DHCP) connection type.I turned it off based upon the router's support text since the router gets an IP address from my cable modem.I don't understand this option at all. I've searched for data on the topic and I can't make sense of it.I think I made the correct selection by un-selecting 'Use Unicasting.'
I'm trying to configure ACS 5.1 as radius server for a catalyst switch but i can't make it work.I keep on getting the "11033 Selected Service type is not Network Access" error message.
Tacacs works fine but radius does not. Any sample device administration config to use with RADIUS?it seem the service type does not work with radius in this scenario ( radius + device admin).
Our ACS 5.2 is authenticating ASA VPN users with Radius. I would like to use the ACS to authenticate ASA administrator logins with Tacacs. When I modify the ASA Network Device by checking the Tacacs box in addition to the Radius box, ASA VPN authentication stops. Running original 5.2 without any patches on ESX. platform. I thought 5.2 supports radius and tacacs on the same device?
On subsequent tests found that just opening the ASA Network Device and closing the window will also stop the ASA RADIUS from working. Logs don't show any attempt by the ASA to connect and I'm sure that's wrong. To fix it, I reselect all ACS policy items and save the same settings. Sounds like a bug?
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3.The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!).The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At: April 16,2012 1:20:48.080 PM RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s). NAS Failure: Username: 002655886b3d MAC/IP Address: 00-26-55-88-6b-3d Network Device:
[code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this;MAC-address: 00-26-55-88-6B-3D
We are planning to implement the following policy map for egress traffic on an Nexus 7000:
policy-map type queuing dd-1p3q1t-8e-out-10G class type queuing 1p3q1t-8e-out-pq1 priority level 1 shape percent 10 class type queuing 1p3q1t-8e-out-q2 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q3 bandwidth remaining percent 5 class type queuing 1p3q1t-8e-out-q-default bandwidth remaining percent 90
We are using two N7K's to which is one N5K connected through a vPC. From the N5k we use a port-channel with 4 * 10G. Two of this four ports are connected to on N7K and the other two are connected to the other N7K. On the n/K's we are using vPC.
My question now are:
1. Where i have to connect the policy map? To the port-channel or on each physical interface?
2. When i have to connect this policy to the port-channel, how does i have to set the shape percent, when i would like to reserve 10% from the 40G? Does i have to set the shape value to 5% on each N7K because vPC?
laptop could not connect to wifi. Other laptops can connect to this same wifi but this one can't. tried laptop on other routers and it was able to connect. The error message displays" Windows cannot connect to the selected network.The network may no longer be in range...." tried the solution on microsoft but didn't work. Tried changing the ssid of the wifi then scanned for it. it showed that it was changed. The laptop can detect the wifi but it can't connect to it.The laptop is running on windows xp.
Windows is unable to connect to the selected network." The network may no longer be in range. refresh the list of available networks and try to connect again." Your in range of the network (right in the same room as the wireless access point). And when you refresh the list, the network still shows up there.It seems that it will only connect to Routers which use WEP security and not ones which use WPA. I have looked on the Toshiba site for the Wireless Drivers to see if there is any updated ones and used the Driver Update Utility on Intel's download site and that tells me that the latest wireless driver is installed.
Windows is unable to connect to the selected network. The network may no longer in range. Please refresh the list of available networks, and try to connect again.This message poped up during connecting to a wireless network[CODE]
I am trying to connect to the internet using an external wireless device (Netgear model:MA101), I have managed to install the drivers and my wireless network is coming up as an option! For some bizarre reason when I try and connect the following messages appears: "Windows is unable to connect to the selected network. The network may no longer be in range. Please refresh the list of available networks, and try again"I then refresh and try to connect but the message constantly appears I have rebooted my computer in case it needs to reset after installing the driver for the wireless device.
I'm working on a computer that has no connectivity on wired or wireless connections. the wired eth card is a broadcom netlink card and the wireless adapter is an atheros ar5007eg. I found the drivers for the wireless on acer.com and removed the driver that was on here at first and put the one from acer. i cant find a network in range but device manager says its working fine. Then I found out the wired connection isnt working either and im getting the same messages from windows troubleshooter. It says both are "experiencing driver or hardware related issues and "make sure your internet protocol bindings are correct - ensure that ipv4 and ipv6 are selected in the config for the network adapter". it links me to the connection properties and ipv4 and ipv6 are checked off for both. futhermore, in the connection status window it says i have no ipv4 or ipv6 connectivity.
I've been able to duplicate my problem by using another WinXp computers instead of a USB drive plugged into my router. Same exact problem. So, the bottom line is that I can access (and modify) the files across the network if I'm doing so manually, but my Windows service fails when trying to do the same thing. If I run the program through Visual Studio, it works. If I run that same exact code as a Windows service, it fails.
I've created a Windows service that needs to access a common network location. To test it at home, I plugged a USB drive into my Netgear N600 WNDR3400 router. The USB storage settings show the workgroup name as Workgroup, and the file path is. [code]
We are evaluating Cisco ACS 5.2 and I can not delete a service policy that was created. The message we receive is " the item that you are trying to delete is being referenced by other items". I am new to ACS, but I did go through each tab in the manager multiple times.
I used ACS 4.2.1.15 on windows 2008 SP1, found CSLog service not started. I try to restarted but service was started for while and went to stopped.How should i do to start this service?
I have an issue about ACS v5.3 Appliance.I have an ACS v 5.3 wo authenticate wireless users, together with a cisco wlc. One profile is to corporate users and the second profile is to guest.
The corporate users should authenticate with Active Directory and the guest with WLC. Guest users should authenticate with the ACS Local Database. I have configurate two service selection policy that match with protocol Radius. The first rule is to users of Active Directory and the second is to users in
the Local Database of ACS.When i try to authenticate users with active directory is OK, but when try to authenticate users with Local Database (Guest Portal) the ACS try to find the
the internal user in the Active Directory, because math the first rule, and the second profile can not authenticate.When I change the order, first the Rule of internal users and second the rule of users of Active Directory, the internal users can authenticate in to ACS, but
the users in the Active Directory can not authenticate.I think my ACS only authenticate the first rule of radius to Active Directory, no two rules of radius in the same time. Or maybe exists an issue in OS of the ACS.The authentication by separately is OK.
I'm working with an ACS 5.3 and ASA 8.2.5 and i've configured several access services for webvpn and ipsec remote access profiles but i haven't found which radius attribute can differentiate among them in the service selection rules.
We are currently using Cisco ACS 5.3.0.40.2. One of the Services Selection Policy it hosts is:
Receive Authentication request from a wireless controller for a wireless userIf the wireless user's username contains a particular domain suffix, the request is proxied to an external proxy server using an External Proxy service (configured for both local/remote accounting)On receiving an Acccess-Accept from the external proxy, the user is given access and ACS 5 will start logging account packets for the username (nothing appears in the RADIUS authentication logs - ACS 5 it seems doesn't log proxied authentication requests) The above setup works fine in most instances. We start to have problems when an external proxy server strips the domain suffix off the username in the Access-Accept packet e.g.
ACS 5 proxies an Access-Request to an external proxy server (with Username = someuser@somwhere.com)The external proxy replies with an Access-Accept (with Username = someuser)The user 'someuser' is given access but subsequent accounting attempts fail because their username (without the domain suffix) doesn't match the Service Selection PolicyIs there any way to get ACS 5.3 to log proxied authentication requests? If not, can I configure ACS 5.3 to use the username in the Access-Request packet (rather than the username in the Access-Accept packet) for accounting?
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and eventhough I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work.
I just upgraded my ACS v4.0 to the latest available version v4.2(1) build 15 patch 2 and I've got some trouble with the CSLog service. I performed a successive upgrade first to v4.2 then to v4.2.1 and finally applied the two patches. Everything is working fine, I'm using both radius and tacacs services and they doing great like they were in v4.0. The only problem I have is with Cslog service which doesn't start. To be accurate, it starts but stops just after. I've uploaded some logs from cslog.log in cslog/logs directory.
I'm migrating ACS 4.2 to ACS 5.2 for a customer and I'd like to find a service selection for TACACS+ protocol coming from an ASA.I use TACACS+ for device administration but also for AAA of internal users internet access.I also use RADIUS for vpn remote-access, without problems.How to distinguish through the ACS service selection ?
but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
I use ACS 5.3.0.40.8 with TACACS+ servicing Device AAA and RADIUS servicing the Cisco Wireless environment for AD user access. How can I implement 802.1x with the current RADIUS implementation with hindering current wireless users or am I hindered due to the EAP-GTC in use with PEAP via RADIUS?
I'm trying to configure a VPN remote access type on a SA520-k9 but i don't know why doesn't work.
My Internal network is 192.168.131.0/24 and my Wan Ip is 87.216.xxx.xxx.
on Remote WAN's IP Address / FQDN i put the WAN IP 87.216.xxx.xxx on Local WAN's IP Address / FQDN I put the cisco SA520 Ip. I think this is the problem.
I create a IPsec user. I create a firewall rule from WAN interface to SA520 Ip with IPSEC-UDP-ENCAP service.
I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.
