Cisco AAA/Identity/Nac :: ACS 5.3 - Backups Fail To TFTP

Jul 14, 2012

I'm configuring ACS for the first time and the config is complete and working, except backups of the view database. I've created a TFTP repository and if I perform a manual backup or wait for a scheduled one to occur it fails. I do get a .tar.gpg file in the TFTP server (but cannot restore from it as it's not listed in "Restore" as a backup).
 
It works fine if I create and use a local disk repository. I get a .tar.gpg but also a catalog.xml and repolock.cfg file (which I don't in TFTP). Looking at the logs on the TFTP server I can see it tries repeatedly to read the catalog.xml file but fails:
 
Read request for file <DB/catalog.xml>. Mode netascii [15/07 16:05:52.167]
File <DBcatalog.xml> : error 2 in system call CreateFile The system cannot find the file specified. [15/07 16:05:52.167]
 
That seems correct, the file doesn't exist. However it never seems to try and create it.


AAA/Identity/Nac :: ACS 5.1 Handling Of Encrypted Backups (gpg)

May 24, 2010

I've noticed that ACS 5.1 is writing .gpg archives for backups. I'm about to upgrade an evaluation system and the Installation and Upgrade Guide tells me to do a full backup and restore in order to upgrade an eval to a production system. [URL] (second note in section "Evaluating ACS 5.1")
 
Question: can the production system successfully decrypt the backup? According to my personal gpg it is CAST5 encrypted with one passphrase. Is this passphrase constant for all ACS 5.x?


Cisco AAA/Identity/Nac :: Fail To Backup ACS 5.1?

Nov 27, 2011

I tried to back up ACS 5.1 but I found error messages as below
 
acs backup25Nov11 repository 25Nov11Repository
% Repository not found
% Error: Invalid repository name 25Nov11Respository

Please use a configured repository.


Cisco AAA/Identity/Nac :: 3560 - ISE First Authorization Success And Then Fail With MAB

Jan 6, 2013

Using ISE 1.1.1 and Switch 3650 12.2(55)SE6. I have a client (computer) that should be authenticated with MAB and then the switch port should be assigned a DACL and VLAN 90. I do get "Authorization succeeded" but directly after it fails and I can't figure out why. ISE only shows the successful authentication under "Live Authentications".
 
As you can see from the log below 802.1x fails, as it should, and then MAB succeeds, assigns the VLAN and then fails:
 
0002SWC002(config)#int fa0/13
0002SWC002(config-if)#shut
0002SWC002(config-if)#
[Code]....


Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that if I set two TACACS servers in my N7K and the primary TACACS server fails, it won't switch over to another TACACS server?


Cisco AAA/Identity/Nac :: Wireless Clients Fail SSL / TLS Handshake And Reject ACS 5.2

Aug 29, 2011

I have a problem where wireless clients at a remote site cannot successfully authenticate through their WLC to my ACS 5.2 (Linux on VM). I have three sites where this authentication is functioning properly; at my fourth site the wireless clients fail with a PEAP error: "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate". My wireless clients are Win7 using WPA2-Enterprise security type with AES encryption. The authentication method is set to Microsoft PEAP (EAP-MSCHAP v2) and the 'Validate server certificate' is not checked. My wireless access rules on ACS 5.2 are working well at three sites. My ACS 5.2 has a self-signed certificate that doesn't expire until August 2012. A laptop that can successfully authenticate at other sites cannot authenticate at the fourth site.
 
Phase one of the PEAP process is where the client authenticates the server certificate and the TLS tunnel is created so that in phase two user authentication credentials are sent through the TLS tunnel using EAP. My clients do not seem to be able to create the TLS tunnel because they reject the ACS local certificate; thus, user credentials are never passed and authentication fails. I have renewed the ACS local certificate and rebooted the ACS server but the problem persists. My WLAN on the WLC has its security policy set to [WPA + WPA2][Auth(802.1X)]. WPA uses TKIP and WPA2 uses AES; Auth Key Mgmt is set to 802.1X. The remote site where authentication fails is a different domain; the other three sites are the same domain.
 
I can see the failed authentication attempts in my ACS "Monitoring and Reports | Reports | Catalog | AAA Protocol | RADIUS Authentication" report. They all fail with the same PEAP error: 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate. The ACS local certificate works fine at three sites--just not at the fourth. Is my problem the certificate or is it an 802.1X client problem?


Cisco AAA/Identity/Nac :: Http Radius Authentication Fail In 12.2.58 And 15.0.1 For 2960

Aug 18, 2011

Find here the extraction of the configuration and the debug sysout. The radius servers work fine with all the other access like ssh, telnet...
 
Just the http access fails. This configuration works fine with the version 12.2.55 installed before.
  
aaa new-model
aaa authentication login default group radius local
aaa authentication login physique local

[Code].....


Cisco AAA / Identity / Nac :: Webauth Url Redirection Fail With Firewall Between Host And Switch

Feb 27, 2013

Web auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco Live London kinda hinted about maybe Cisco working on this? We can't disable stateful inspection. Are there any other solutions or workarounds?
 
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN, a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.

However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet. In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."


Cisco AAA/Identity/Nac :: C2960 Dot1x Monitor Mode / Client Fail Authentication

Mar 21, 2013

I have a setup where I configured monitor mode on a switch with ISE as RADIUS server. This is for testing before a bigger deployment at a customer site. I'm using ISE 1.1.3, C2960 and IOS 15.0(2) and a laptop with Windows 7 Enterprise SP1. The correct configuration with EAP-TLS and machine cert is working like it should but it is when I remove this and make the laptop fail that I get weird results with monitor mode. I can't get DNS to work in dot1x monitor mode if the client fails authentication.
 
When the client fails dot1x and MAB it gets an IP with DHCP. I can ping but DNS/browsing is not working. If I put the AuthC back and the client authenticates DNS is working, or if I turn off dot1x on the client then DNS works as it should. [code]


Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

When the supplicant is missing, vlan500 is open for the port and everything is ok, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s, vlan500 is not assigned to this port with the badly configured supplicant) and the logs show something like this:
 
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....


Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail

Dec 8, 2011

accounting in ACS 5.3. When I set up accounting on WLC 440x / 5508, ACS takes them as an authentication request and fails.
 
Here are some logs what I see in acsview:
 
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2  MAC: a.b.c.d  AUTHTYPE: Radius authentication failed
 ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:

[code]...


Cisco WAN :: 2960 Should One Server Fail Other Will Act As Fail Over

Feb 22, 2012

We have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover. I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other. I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.


Cisco AAA/Identity/Nac :: 802.1x Auth-Fail VLAN And Guest-VLan Not Available

Oct 12, 2011

I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x... I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan. Idea is if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can get to the internet still. I found this link on Cisco's site: [URL] That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
 
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q 
EZVPN_Remote(config-if)#dot1

[code]....


Running Differential Backups Over VPN?

Jun 19, 2012

I have a 2008 server that needs 80GB of data backed up over a VPN. I want to use Backup Exec 2012. I tried backing up the first 10GB but at the rate it will take two weeks to copy across. We are upgrading our upload, but it still won't be viable. I need to put the machine on the local network, do a full backup, then point a differential backup to the same full backup. (Anyway, that's what I think should happen.)


Setting Up A Network For Backups?

Mar 11, 2013

With this Windows 7 & 8 needing storage device for ISO, looking for a better way to back 'em up through my network... or having storage device attached to my router? This is my router. It has ReadyShare USB storage access [URL] PDF manual for router: [URL] I have available hardware, a 500GB eBook device I can use? I also have a [URL] How to set these items up for best preference?


Cisco :: LMS 4.2 Soft Appliance - Remote Backups

Nov 18, 2012

I have a new installation of LMS 4.2 on the Soft Appliance and seem to be only able to configure backups to the local disk. There is no option to select any of the configured repositories like there is in ACS. I can back up to /local disk, after changing the filesystem as below:

chgrp casusers -R /local disk
chmod 0775 /local disk

But the issue is, how do I get this off the box in an automated fashion so it can be part of our corporate backup schedule?


Servers :: NAS Differential / Incremental Backups?

Feb 7, 2013

I understand that a full backup backs up everything, and a differential backs up all changes since a full backup, and an incremental backup backs up all changes since the previous incremental. My belief is that I can do a full backup on Sunday, then differentials Mon-Fri. Then, if everything crashes, I can restore the full, then the most recent differential (as opposed to a full restore, and a bunch of incrementals to catch up). My question is if I do a full backup on Sunday, on Tuesday user Mary creates a file, on Wednesday she deletes it by mistake, then on Friday she realizes it and calls me. Will that file still exist on Thursday night's differential? Or do I need to load up Wednesday night's backup? The reason I am asking is because I am trying to go off of tapes and use a NAS instead. I would like to have a Sunday full backup, then have one differential backup that gets overridden nightly, to save space. By doing this, I will only have a full backup and the most recent differential. The alternative is to have a weekly backup and 5 differentials, which takes up more space?


Cisco Switches :: SGE2010 How To Trigger Backups Via SNMP

May 15, 2011

I have been trying, so far unsuccessfully, to trigger backups to a TFTP server of our SGE201 switches. I have tested TFTP backups via the web interface, and that does work. I need SNMP as I need a scriptable method to trigger the backups on a regular schedule. I am running the SNMP query from a RedHat Linux server. So far I have the following query worked out, but it is failing: [code] The error I am getting is generic, and the same query failed on multiple switches running Software Version 3.0.0.18. The switch is set with the community having full SNMP-admin access from the server's IP address.


Cisco Firewall :: Schedule Automatic Backups Of ASA5500

Mar 2, 2012

I would like to schedule automatic backups of our ASA5500's OoO-hours:

1. SSH from secure server and create _FULL_ backup - what would be the CLI command(s)?
2. SCP from secure server and retrieve file(s) - what is the location of the file(s)?


Cisco Routers :: ISA550 Restore Backups From Other Devices?

Jun 7, 2013

Although I have no problem with backup/restore in ISA550 when I do it in the same device, I do have problems when restoring in one unit the backup of  another unit, i.e. when cloning devices in order to avoid having to configure every device from scratch. Lets call A the master device and B and C the devices I try to clone (to save most of the configuration) to modify them later.  I get two different situations here, but none of them works:
 
Situation 1. B reads without complaining the backup from A and gets the same configuration settings as A, but once modified appropriately to establish a VPN Site-to-Site tunnel with A, there is no way to make it work. Furthermore, this unit cannot be configured to VPN with A, even using the Site-to-Site wizard (which resets all VPN settings).
 
Situation 2. C complains when reading the backup from A and does not read it. However, this unit can be configured by hand using the wizard and the VPN works fine.
 
So, I suspect that something in the backup identifies the unit in such a way that VPN gets in trouble. What does work is doing a FULL RESET of the unit B and then configuring it manually.
 
I have reported the issue but the Cisco agent closed it simply saying that this cannot be done. I have serious difficulties believing that if you have N devices you have to do N configurations from scratch. I am aware that perhaps some codes must be removed before doing a backup, or that there should be something like an "anonymous backup" for such an objective, but I cannot accept that it is impossible to do.


Dell R710 Need To Revamp Battery Backups Badly

Jul 24, 2012

I had a pair of Dell R710's and need to revamp our battery backups badly. Having almost no budget has its difficulties. These are 2x 120v 2200 smart ups. The servers both run win2k8r2. Not looking for run time, looking for safe shut down. Thinking 1 server per.


Cisco :: Copy Tftp Flash And Copy Flash Tftp Not Working?

Jul 19, 2011

I am using TFTPD32 to upgrade the IOS on a router. When I type in the commands copy tftp flash and enter all the necessary information, the router sits for a minute or so and then times out. There is no entry made in the log when it times out. copy flash tftp yields the same result. The fa 0/0 interface and the TFTP server are both on the same subnet and can successfully ping one anothe


Automatic Mirror / Backups To External Hard Drive On Wireless Network?

May 29, 2011

I have a simple wireless network in my home run through a Linksys WRT54G Router connected to a cable modem. I set up a Western Digital 1TB external hard drive as a network drive through use of a Seagate FreeAgent DockStar. (The HD connects to the DockStar by a USB cable, which in turn connects to the router by an Ethernet cable.)

The hard drive functions as a network drive and I've configured Windows 7 Home Premium on my laptop computer to recognize it at start-up so it can essentially be used read and written to like a local drive.

Is there a way to make Windows 7, either by built-in software or third party software, automatically backup certain files or directories when changes are detected?

For example, I have a folder on my internal HD where I organize the vast amount of photos that I take so that I can easily find them through the operating system instead of having to go through a photo manager. In my ideal situation, something would be monitoring to see if I have made changes in only that folder (either adding new folders, deleting photos, or modifying files) and simultaneously make the changes to the network hard drive. Effectively, I want something to mirror the changes on my local hard drive on the fly and update the network hard drive accordingly. I do this all manually at the moment and it sucks up a lot of time that could probably be done automatically.


Cisco VPN :: 851 - TFTP From Router Though VPN

Mar 6, 2011

I'm having trouble TFTPing a configuration from my 851 Router to my computer through a IPsec VPN tunnel that this router is connected though.  I am able to telnet and ping all devices on the far-end with no problem.  I can TFTP a config from a switch behind this router, no problem.  I am guessing this problem is related to an ACL on the router. I am also having trouble connecting to this router using the Cisco Config Professional.  Discovery will fail, with connection could not be established or HTTP service is not enabled.  I have enabled HTTP service.  The CCP works fine when I am on the router's subnet. 


Cisco :: Boot From Tftp Failing?

Aug 5, 2011

I've got a fully working 877w that I'm trying to get to boot from tftp, but I just can't seem to get that going. I have a tftp server running and can copy images back and forth without any trouble. I have this in my config:

boot-start-marker
boot system tftp c870-advipservicesk9-mz.124-24.T2.bin 192.168.1.200
boot-end-marker

During the boot process I get an error message that says there is a missing or illegal ip but I really don't see how that can be as my tftp server is 192.168.1.200 just like my config says.


Cisco :: Editing Configs Using TFTP

Apr 28, 2011

When pushing configs using tftp, for example using Ciscoworks, does it push out an entire new config or does it just edit specific changes?


Cisco WAN :: ASR 1004 Cannot TFTP From ROMmon

Oct 25, 2010

ASR 1004, has an image, which is on the harddrive, not bootflash, and we have no boot commands in the configuration… We are running the ROMMON version '15_01rs'. The ASR boots into Rommon, as it cannot find an image (as expected), as the configuration has no boot commands. Trying to TFTP or getting an IOS back into bootflash is proving problematic. Follow all TFTP commands..
 
rommon 1 >  IP_ADDRESS=10.1.1.1
rommon 2 >  IP_SUBNET_MASK=255.255.255.0
rommon 3 >  DEFAULT_GATEWAY=10.1.1.1
rommon 4 >  TFTP_SERVER=10.1.1.2
rommon 5 >  TFTP_FILE=asr1000rp1-adventerprisek9.03.01.01.S.150-1.S1.bin

[code]....


Cisco :: 2800 - IOS TFTP Boot

Feb 6, 2012

I need a Cisco router 2800 series to boot the IOS image from the network (tftp) when flash is corrupted or the router doesn't see it, so is it impossible? The command I used is boot system tftp: ios.bin but this does not work.


Cisco Wireless :: Can't Tftp To 1142 AP

Apr 29, 2013

I can't get connectivity from laptop to AP using cross over or straight through cable to do a tftp transfer from tftp server on laptop to ap.
 
I held the mode button on ap and powered on to get to rommon.  The ap has no ios so it goes to rommon anyway.  ap light is blinking red.
  
ap: set
DEFAULT_ROUTER=10.0.0.1
IP_ADDR=10.0.0.1
NETMASK=255.255.255.224

[Code].....


Cisco :: LMS 4.2 - Use It As TFTP Server Not Working

Nov 5, 2012

We have a LMS 4.2 installed. And I see the tftp port is open on it. However, every time I tried to "copy running tftp" to the LMS from a switch, it says:

Trying to connect to tftp server
Connection to Server Established.
TFTP put operation failed:Access violation
 
I seem not to be able to find where to configure the tftp server.


Cisco :: Delete Pre-configured Settings Ftp And Tftp?

Dec 22, 2011

I'm trying to automate our rollout process with kiwi cat tools. I want to copy a file via TFTP or FTP: Cisco tftp menu knows the latest ip address which it was connected to.


Cisco :: Can A Phone Register To Tftp Server From Another LAN

Mar 30, 2012

I am trying to implement a small VoIP LAN (you can see the LAN in attachments) for a personal project. I am using:

- 2 x XP (on which i installed Cisco IP Communicator 7.0.3.0)
- 1 x Ubuntu (running GNS3 with a c3600 Router)

The problem is that the phone which is not in the same LAN with the tftp server cannot register.

1) Can a phone register to a tftp server from another LAN?
2) If the answer for 1) is yes, what am I doing wrong (you can see the details in the attachments)? I mention that the ping works well anywhere in the LAN.


Cisco :: IP Phone Getting Firmware From TFTP Server?

Jan 8, 2012

I have a question on an IP phone when getting the firmware from the TFTP server (e.g. CME) after bootup:

- After the registration with CME, the IP phone will get an auto config file, which is the Default.xml file.
- The CME acts as a TFTP server which contains all the IP phone firmware for different models like 7970 and 7640 in different directories.
- The CME is configured with the directory path for all the IP phones when the IP phone comes to TFTP and acquires the firmware.

Let's say the phone I have registered is a 7970: what is the mechanism that governs that my 7970 is not downloading the wrong firmware from the TFTP? Let's say it might wrongly download the 7640 firmware. Who takes care of this? The phone itself? Or will the CME tell the IP phone to take only the 7970 firmware via the Default.xml file?








Copyrights 2005-15 www.BigResource.com, All rights reserved