Cisco AAA/Identity/Nac :: ACS 5.3 And WLC Not Working?
Sep 27, 2012
I got a question about ACS 5.3 and WLC We have now the ACS 5.3 running for MAB (good working) and TACAS for device AAA.But now our WLC’s will not work.I have created already a special “custom attribute” => role1 / mandatory / ALL Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all But still not working. I get a wrong response.
I followed the guideline in attach, PDF file.
Debug dump from WLC
ACS 5.2 / ACS 5.3
-------------------
*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0
[code]....
View 3 Replies
ADVERTISEMENT
Oct 28, 2012
I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
View 1 Replies
View Related
Apr 20, 2011
I have Cisco ACS 4.2 since few days users can not change their password, what could be the issue? Even after resetting the password I got error.
View 3 Replies
View Related
Aug 17, 2011
I have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth periode on the ACS 5.2, I did the following:
1. Configure a Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998
[code]....
View 2 Replies
View Related
Sep 12, 2012
I've got an issue with my ACS 5.1 implementation not updating any of the RADIUS or TACACS authz, authc, or acct records. Nothing is showing up, even though i've logged in via TACACS to several devices, and there are numerous wireless devices authenticated and online via RADIUS right now.
View 3 Replies
View Related
Mar 4, 2013
I have to created command set under "Policy Elements>Authorization and Permissions>Device Administration" for limited access user in ACS 5.3. Like i triyed to give them permission to only few show commands. I have set user priviledge 1, 7, 10 however either of the priviledge level user was able to run those commands. I works like the shell priviledge level.
View 1 Replies
View Related
Mar 31, 2011
We have a Cisco Access Control Server (TACACS+ version 5.1) with an additional 2 port NIC card. This produces 4 ports on the ACS server(G0 through G3).After initial setup of the ACS server with an IP address on G0, I connected a Windows 7server with IE8 to G0. The ACS web interface appears (after accepting certificate) and Ientered some user accounts and NDGs.I then connected the ACS server to a configured port with port-security on our 6500switch. The port becomes err-disabled since the MAC address does not match up. It appearsthat the onboard NIC on the ACS server is bonded thus producing the MAC address issue.To fix this connection issue, on the ACS server, I cleared out G0 and setup G2 (additiional NIC card) with the IP address. After connecting to the 6500 switch, the ACS server port works fine. I removed the connection to the 6500 and connected the Windows server to the ACS.I can ping the ACS server but the web interface is now unavailable unlike before. I do not get a certificate warning on IE, it just states that internet not available. On ACS, the 'show' status of acs shows all the processes are running and initialized. It has got me stumped as all I did was change NIC configurationon the ACS server.
View 8 Replies
View Related
Oct 9, 2011
we updated our NAC appliances from 4.8.1 to 4.9 and have noticed that web authentication is no longer woking on Apple IOS devices. We had setup a user page for the MAC_ALL OS and iphones etc. were able to authenticate using thier browser ok. Now (after the upgrade) after they authenticate they receive the below warning.
There doens't seem to be any other config changes we can make for the IOS device.
View 2 Replies
View Related
Sep 16, 2010
I configured multidomain on a Cisco 3650 port (12.2(53)SE1), and connected a 7941 Phone and laptop behind it. The phone gets successfully authenticated but the PC does not get fully connected. The PC adapter´s icon shows a "authentication error" message. The same PC, connected to another port (same commands except "authentication host-mode multi-domain") works perfect, including new VLAN and ACL assigned from ACS.
This is the configuration on the switch port where the PC chained to the phone fails:
interface FastEthernet0/6 switchport access vlan 701 switchport mode access switchport voice vlan 123 authentication event fail action next-method authentication event server dead action authorize vlan 704 authentication event no-response action authorize vlan 701 authentication host-mode multi-domain authentication open authentication port-control auto authentication periodic dot1x pae authenticator dot1x timeout tx-period 60 spanning-tree portfast
This is the configuration on the switch port where the PC without a phone works OK (exactly the same config, except for multidomain):
interface FastEthernet0/7 switchport access vlan 701 switchport mode access switchport voice vlan 123 authentication event fail action next-method authentication event server dead action authorize vlan 704 authentication event no-response action authorize vlan 701 authentication open authentication port-control auto authentication periodic dot1x pae authenticator dot1x timeout tx-period 60 spanning-tree portfast When the PC fails to get connected, I see the following messages on the switch:
Sep 17 18:36:18: %DOT1X-5-SUCCESS: Authentication successful for client (0023.aeb8.ce44) on Interface Fa0/6 AuditSessionID 0A01460A000000310080FDFCSep 17 18:36:18: %AUTHMGR-7-RESULT: Authentication
[Code].....
View 9 Replies
View Related
Jan 31, 2011
I have not managed to get the Monitoring to work on the ACS 5.1. This is an eval version. Advanced monitoring and reporting is installed on the ACS. This is my configuration on the Cisco Router
aaa accounting exec default start-stop group tacacs+aaa accounting commands 0 default start-stop group tacacs+aaa accounting commands 1 default start-stop group tacacs+aaa accounting commands 15 default start-stop group tacacs+aaa accounting connection default start-stop group tacacs+
logging origin-id iplogging facility sysloglogging source-interface GigabitEthernet1/1logging host 1.1.1.1 transport udp port 20514
logging monitor informational
epm logging
On the ACS, when I open the dashboard --> ACS health -> I get Status not available.Global Instance under Logging Categories been configured for local logging?
View 4 Replies
View Related
Oct 19, 2011
we are facing a strange problem with a Cisco Small Business SG 200-08 Switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS Client with 802.1x port security enabled, it sends the “Account Name” attribute to the radius server with max. 32 characters. The string comes in this format: host/dns Host Name and will be cut after 32 characters which will cause the NPS to say: “The specified domain does not exist.” and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have a SG 200-26 in production and it can handle more than 32 characters which lead me to think of a bug in the firmware of the SG 200-08.
View 1 Replies
View Related
Feb 14, 2012
I'm trying to configure a timeout for network connection, but when it suppose to disconnect client, it's not working. Is it possible to do this??
Only works when the client is connecting and is denied if the time is not valid. But how could I do this if the client is already connected, enable re-authentication?
View 2 Replies
View Related
Nov 27, 2012
I configure my Cisco ACS5.2 using Command set policy and providing Shell access 15.I allow user only “show * ” command.It works fine with Telnet. User Group cannot execute any command apart from “Show * ”But when I connect the device using Console user group has full permission on the devices.I believe Command set policy is not working on Console. Is it normal behavior or do I need to update some changes in ACS or Network devices ?
My network device configuration is as below :
tacacs-server host 10.x.x.x key test123
tacacs-server host 10.y.y.y key test123
tacacs-server timeout 1
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
[code].....
View 1 Replies
View Related
Aug 25, 2011
I have configured under Administration password policies about password lenght, items to be putted as number, letters and so on.on the second tab is the password expire for users and I configured to expire after 90 days.
I even tried creating a new user and changing a password from an existing user using Apache TOMCAT WAR,I have checked CLOCK of ACS appliance and setted up NTP on our internal NTP servers
even I create a new user or I change the password via Admin GUI or I change the user password via Apache TOMCAT WAR, I have the user being disabled in a few of minutes, half an hour.,As last, with CISCO AnyConnect is possible to warn the user about the password being expireing and if so, the change could be driven via AnyConnect or is absolutely needed a User Hand Task on the Apache TOMCAT portal I setted up with the ACS WAR application?
View 6 Replies
View Related
Sep 13, 2012
I have a cisco 3845 running 12.4(15)T10.
I can send a POD and disconnect my session. But when I try to send a COA, I always get back the same error. Here is the debug log:
*Sep 14 17:25:16.017: COA: 172.16.XX.XX request queued
*Sep 14 17:25:16.017: ++++++ CoA Attribute List ++++++
*Sep 14 17:25:16.017: 66F2DBEC 0 00000009 string-session-id(337) 8 0000007F
*Sep 14 17:25:16.017: 670B3394 0 00000009 sub-qos-policy-out(346) 11 POLICE-TEST
[code]....
View 10 Replies
View Related
Feb 3, 2013
C4948-10G switch running IOS 15.0(2)SG ?ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
[code]....
View 13 Replies
View Related
Mar 3, 2013
We have a configuration that work fine but one of the combinations it don´t work. When we connect a guest laptop, the first time work fine. The configuration is when the laptop don´t authenticates with radius, the dhcp server assigned vlan guest and ip guest. The first time was ok. After, We connect a laptop with users authenticates work ok, the radius asigned vlan of users and dhcp server assigned ip users. The problem was when we connect for two time a guest laptop, radius didn´t validate and laptop didn´t negociate ip with dhcp server. In this time, the administrator of dhcp server, tell us that they didn´t see nothing traffic of my mac. and anymore run fine. If Whe change the port of switch , the laptup start working again.
Radius=NPS
Server dhcp: is typical.
Our scenario is with a ip cisco phone. the ip phone don´t have the authentication. The administrator of radius tell us that the configuratation is fine and the configuration of dhcp is fine. When we connect only laptop, everything run ok.
Configuration Port.
interface GigabitEthernet1/0/3
switchport access vlan 202
switchport mode access
[Code]...
View 4 Replies
View Related
Mar 20, 2013
I am trying to get AAA Authentication working on a Cisco 2960-24pc-l running 12.2(55)SE5 IOS and cannot get it to work. I have it currently working on a Cisco 3750-24te-m running 12.2(55)SE IOS. Here is my config: [code]
When I login to the 3750, AAA is used. When I login to the 2960, the local username is used. Any thoughs here as to why it works on the 3850 and not the 2960?
View 2 Replies
View Related
Feb 25, 2013
For some reason i can't get access anymore to the web interface of our ACS 5.3 appliance.Where i used to get a certificate warning first, and after that the ACS5 login screen, i now get totally no response anymore in my IE browser.
I can telnet to port 443 of the unit however. And i (fortunately) still have ssh access to the unit. So i did a reload (microsoft habits) but that did'nt solve anything.https access to other systems from the same browser is functioning fine
=================================
admin# sh ver
Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.228ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: <deleted>
Version information of installed applications---------------------------------------------
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.8Internal Build ID : B.839Patches :5-3-0-40-55-3-0-40-8
=================================
View 4 Replies
View Related
Feb 28, 2013
I've configure Ldap authentication on ASA 5545 to allow only a certain user group. I mapped the the memberOf group but this seems not to be working as it allows all AD users. [code]
View 1 Replies
View Related
Jul 27, 2011
We have an issue with View db (Monitoring & Reports) backup on ACS, version 5.2.0.26. We have scheduled incremental backup daily and full backup monthly. Everything has been working well, but since yesterday following errors have appeared, and full and incremental backup stopped working:
Alarm Name
System Alarm [Incremental Backup]
Cause/Trigger
On-demand Full Backup failed
Alarm Details
CARS_BR_BACKUP_CREATE : -405 : Internal error: couldn't create backup file
Alarm Name
[code]....
We use same repository as always. Backup to the same repository works from CLI.
View 2 Replies
View Related
Aug 26, 2010
My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+. I don't even get a log in ACS when attempting to authenticate via HTTPS.
Here is my AAA config, followed by a debug:
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none
[Code]......
View 8 Replies
View Related
Mar 27, 2012
on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in(code)
View 12 Replies
View Related
Jan 28, 2013
When the users connect their laptop they are getting a authentication prompt but the switch is not changing the VLANs on the port after successful authentication.Below are the logs on the switch
Jan 28 2013 17:21:32.417 CST: RADIUS: Framed-MTU [12] 6 1500
Jan 28 2013 17:21:32.417 CST: RADIUS: Called-Station-Id [30] 19 "E4-D3-F1-0B-C6-0A"
Jan 28 2013 17:21:32.417 CST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-A8-BD-1D"
Jan 28 2013 17:21:32.417 CST: RADIUS: EAP-Message [79] 45
[code]....
View 1 Replies
View Related
Feb 28, 2012
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh
aaa authentication ssh console SERVER_RADIUS LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
[code]....
View 2 Replies
View Related
Jul 25, 2011
We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.
View 4 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
Jul 11, 2011
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
View 2 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Dec 5, 2012
I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
View 8 Replies
View Related
Oct 6, 2012
I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
View 2 Replies
View Related
Apr 14, 2011
I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies
View Related
Dec 3, 2012
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies
View Related