Cisco AAA/Identity/Nac :: ACS V4.2 / This Machine Cannot Be Used For Administration
Jul 17, 2011
I have just reimaged one of my ACS appliances as it was completely corrupted.Now I have done this I have connected it to the network via DHCP so I can patch it from v4.2 to the latest version.The machines is now on the same VLAN as my workstation. When I try to login I get the message
"This machine cannot be used for administration"
The box is a vanilla install with only the passwords set on the machine - my workstation has its local firewall turned off and is not using a proxy server. as I can't log into the gui I can't change any settings there?
I want to use LDAP accounts to administrate switches.It works fine when I use telnet. I just need to push RADIUS attribute Login-Service (ID 15) with Telnet value (ID 0) Now, I want to use SSH (for security reasons )RADIUS have to push RADIUS attribute Login-Service (ID 15) with SSH value (ID 50)(For example with Steel-belt RADIUS [URL] SSH value doesn't exist in RADIUS IETF dictionary for Login-Service attribute.I can't create SSH value because this dictionary is protected...
I'm having problems settting up a Guest NAC server to authenticate administrative users against a ACS 5.x server. In the ACS RADIUS Authentication log, I can see the user authentication is successful.In the AAA Diagnostics log, I can see the following warning:An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.
I'm trying to configure ACS 5.1 as radius server for a catalyst switch but i can't make it work.I keep on getting the "11033 Selected Service type is not Network Access" error message.
Tacacs works fine but radius does not. Any sample device administration config to use with RADIUS?it seem the service type does not work with radius in this scenario ( radius + device admin).
Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following Attribute:Attribute = F5-LTM-User-RoleType = Unsigned Integer 32Value = 300.
My question is:How can I define the same as above using 'Device Administration/Shell Profiles' ?
There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under Custom Attributes tab there is only space for 2 fields and not 3 fields).
I'm planning migration from ACS 3.3 to a new machine, so I'm thinking about new Cisco ISE.I have the following question: ACS 3.3 acts as AAA RADIUS with LDAP repositoriy for wireless deployment, using PEAP-GTC. Is possible, with ISE, to use a different EAP method, such as PEAP-MsCHAPv2 or EAP-TTLS?
In ACS 5.X I think it's only supported PEAP-GTC and EAP-TLS when identity repository is LDAP. Is the same in Cisco ISE?
we have a customer with a wifi deployment aruba 3600 controller based. Corporate SSID authentication is EAP-TLS double machine and user authentication through ACS 4.2 against AD and Microsoft AC PKI infraestructure based; it was working ok. After migrating from ACS 4.2 to 5.2, both authentication (machine and user) are reported as succeed by ACS but aruba controller does not recognize machine authentication. It seems that controller sees two authentication users and not an machine followed by and user one. We have revised configuration in detail and it seems correct. We begin thinking it could be a bug .
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
I am using ACS 5.3. I have succesfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication suceeded.
I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a succesfull EAP-TLS authentication. I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
We plan to use machine certificates on our notebooks with Windows Vista. Our authenticating server is Cisco ACS 5.1. To access the wireless network we want to use the machine certificate of the notebook and a verification of the corresponding computer account in the Active Directory. What authentication method is the best to check the machine certificate and if in the Active Directory exist the enabled corresponding computer account ? How to configure the ACS and the notebook to use it like described ?
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and eventhough I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD - Shutting down the switch port when user is logged engage a new authentication a AD group are well updated. - Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
I have a strange error on my home network that I cannot find a solution to.I have an Huawei SmartAX MT882 from TalkTalk acting as a modem connected to a D-Link DSL-G624T acting as a router/switch. Connected to the D-Link I have a Windows 7 Pro machine (64-bit, SP1) and an XP (home i think) machine (sp 2 i think).The SmartAX modem is set up to perform DHCP and DNS relaying and the D-Link has DHCP turned off and DNS relay turned off.The Win7 machine can access the network, get an IP address and access the internet without problems, regardless as to the status of the XP machine.The XP machine can access the network, get an IP address and access the internet with no problems ONLY of the win7 is powered up. When the win7 machine is off, the XP machine seems to drop about 25% of the ping packets between it and the D-Link router and has no internet access (because of this i assume). [code]
New Win-7 machine set up. I used the printer set-up wizard to install a networked printer in the new machine with absolutely no problem. Proved it would print from that machine.Now, I get a call informing me that her old XP machine, which had been printing to the network printer with no problems, will no longer print.Documents go into the print queue, but they don't get printed.No error messages show up.I did some messing around via remote access, and finally removed the printer with the intention of reinstalling it.Scanning for network printers turned up several redundant instances of the same printer with different names. Some are identified as "invalid" some a "access denied". Bottom line. I can't get any of the selections to install.On the Win-7 machine I did find a window that indicated that the printer is designated as being shared, but I didn't explicitly set it for sharing when I installed it. Also, I somehow got to a window that told me that for printers that were to be shared with other versions of windows I could optionally install drivers to support such machines. Didn't have the driver disk handy and took the window down. Now I can't even find it again.I need sorting this all out.Part of the problem is that out there in "network land" there are redundant remnants of previous installations that are being remembered inappropriately.
I have a network problem. My windows 7 machine is not detecting win xp machine whereas win xp machine is detecting win 7 machine. They are in the same workgroup named Home. And the networking system is set to work. I have left the homegroup I was previously in. I enabled file sharing for devices that use 40 bit and 50 bit encryption. On XP I have enabled NetBios over TCP/IP. File sharing is enabled on both computers. I think it's something obvious as both instalations on different computers are really fresh and both windows haven't been tampered with.
my config : one DAP-1522 as an AP + one DAP-1522 as a switch, 6 meters between them, signal strength about 70. Any others wifi networks around my house. both with FW140b03.bin dated 01/14/2011.Most of the time, both work correctly. But time to time, the wifi link is ko. In AP status, the switch is mentionned connected (uptime = 3 hours ...). The red led is blinking on the switch. The administration web of the switch is not available and the link is ko. Unplug and plug power units doesn't fix the problem. I need to reset DAPs.From Dlink experts, i would like to get more description about issues :
- in switch mode, which are the events modifying the red led state ? what does blinking / off led mean ?
- in AP mode, what does "uptime ...STA ...." mean ? frames are periodically received from STA ?
we are using Cisco RV042 router with i guess V3 hardware version, latest driver version (4.2.1.02). We changed the username and password from admin, default, to another name and password. Since then, we are able to log in only once, once the router is restarted. If we leave the page, logout or after several hours after boot, we wont be able to log to web administration again. We enter username, password, submit, the image keeps spinning, but nothing happens.
I have an AP(Cisco Lynksis Wireless G WAP54G) with one port (LAN) on the back, i have tried several time accessing the administration page but in vain. I reseted the AP (holding the reset button within 10 secondes) and try again to access through my internet brower but still having the same issue on accessing the admin page. The main target is to access the admin page and configure settings in order to amplify my signal in some offices away.
RV220W is at firmware v1.0.2.4 From: Administration / Management Interface / Web Accesss I have configured remote Management: Remote Management [x] EnabledAccess Type: All IP addressesPort Number: 8888Remote SNTP [ ] not enabled
From within the LAN side I can connect to the router and administer via https://192.168.3.97:8888
Status / System Summary reports:WAN (Internet) Information (IP4) Connection Type: Static Connection State: Connected IP Address: 207.180.139.242 NAT: Enabled But from the WAN side (using the same Win7 computer) I cannot connect via: https://207.180.139.242:8888
This used to work. Also not working: PPTP logins. ISP is RCN via cable modem, fixed IPs.
Have tried power cycling router - no luck. Have tried from PC with AV off and Win7 firewall off
I have the router configured for remote admin from the web outside the network however I cannot establish a connection with the router.Other than adding the check mark and selecting a port are there any other considerations for remote admin?
Region : Australia Model : TL-MR3420 Hardware Version : Not Clear Firmware Version : ISP : Telstra
Is remote administration over 3G connection possible? The telstra public IP is not pingable. (from externally) Goes no where when I put the public IP into a browser. (from externally) Any settings changes to enable this?
We have a rack with a Cisco Catalyst 3750 that is networked with other racks in the data center and uses bandwidth from the data center co-location (which is also an ISP). We had a need to install a Comcast Business Class modem in this rack and want to be able to manage this modem remotely. What I have done so far is.
First time user of cisco hardware and we just purchased the 4900m catalyst switch. My question is very general. I am simply hoping to network 3 servers together and I do not wish to do any fancy or advanced configuration. Can I simply use the web management interface for network administration and setup? I just downloaded the Catalyst 4500 Series Switch Cisco IOS software configuration guide and they talk about Cisco View network management system, is this my answer or is this what most people use for basic configuration and administration?
