Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0
May 24, 2011
I think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
View 2 Replies
ADVERTISEMENT
Jan 5, 2012
ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting
View 6 Replies
View Related
May 2, 2012
I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
View 1 Replies
View Related
Sep 23, 2012
I have an issue with two wlc 5508 in the same mobility group. We use TACACS to authenticate admins, with maximum privileges.
When I want to configure cleanair, or some security functions (such as ACL, or password policies), I have an error message saying that my privileges are not enough.When I use local account, it works well.
At the begining, I thought it was a TACACS issue, but I have the same problem with WCS and SNMP. Cleanair doesn't appears in config menu, and I have an error message for security function.
View 10 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Aug 30, 2012
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
View 4 Replies
View Related
Aug 20, 2012
we have deployed L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. we have upgrade wireless controller to 5508, since then, when users login to the first page and certified, and they want to browse to the internet, NAC redirects the web page and ask for authenticatin again, despite the users' devices are being shown as certified devices in the list.
View 6 Replies
View Related
Mar 4, 2012
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies
View Related
Feb 9, 2012
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
View 3 Replies
View Related
Jul 30, 2012
I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like [URL]. Anyway the content in the browser is changed to the URL that being configured such as url...How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
View 5 Replies
View Related
Jun 3, 2012
Have set up a pair of ACS 5.3 servers and have set up device administration authentication be passed through to an RSA server via RADIUS. All works great.
What we want to do is go a step further and set the system up so that ACS Administrators also have to authenticate to the ACS system by RSA via RADIUS (the same as the Device Authentication we've set up) for ACS administration tasks.
Looking at the options available in the ACS Administration setup (administrator accounts etc) there doesn't seem to be an option to authenticate via another method apart from a local administrator account on the ACS.
Is it possible to do this?
View 1 Replies
View Related
Aug 21, 2012
I have seen couple of people with win7 cannot authenticate to ISE: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate.I've thought of this: Maybe get a 3rd party cert (go daddy) and have that installed in ISE.I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?
If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.I know they have to say do not validate cert and all that but sometimes it doesn't popupt to them they just can't get on.Again maybe going wtih 3rd party certs will make it easier while benefiting from using PEAP?
View 5 Replies
View Related
Jul 12, 2011
On an ASA5520 v7.2 I can only seem to authenticate to the console when using telnet and not ssh. I can connect using both methods, but just have trouble authenticating with ssh. Here are relevent lines related to the issue:
username user1 password ***** encrypted privilege 15username user2 password ***** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet <my subnet> 255.255.255.0 Inside
ssh <my subnet> 255.255.255.0 Inside
View 2 Replies
View Related
Jun 9, 2011
I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.
View 1 Replies
View Related
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies
View Related
Dec 9, 2012
We are doing a new installation of a Cisco ACS 5.4 replacing a Microsoft NPS.
Recently I ran into issues with Lexmark wireless printers authenticating against the ACS 5.4.
While these printers work against the old Microsoft NPS we want to replace, I get "11500 Invalid or unexpected EAP payload received" on the ACS.
Windows/Android/iDevices authenticate against the same SSID using PEAP. I suspect, we ran into
CSCtq46211 Bug Details
Lexmark Printers work with ACS 4 but not ACS 5 Symptom: Lexmark printers uzed to work with ACS 4.2 but they produce "internal error" on acs 5.1 or 5.2
Conditions: Not known exactly
Workaround:1st Found-In 5.2(0.26.3)
Fixed-In 5.3(0.40.7)
setting up a new VM with ACS 5.3 patching it to P7, reconfiguring and retest all the stuff we implemented during several days ist not an option.
The Cisco TAC refuses to open a SR because the product is under warranty only, and claims warranty only covers HARDWARE replacement... (and we ordered ACS is a VM,,,) Maybe I should burn the ISO image to a DVD and RMA it for repair .
Maybe Cisco could verify whether the fix for CSCtq46211 has been integrated to ACS Version 5.4.0.46-B.221 already or not ?
View 1 Replies
View Related
Jul 22, 2012
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
View 9 Replies
View Related
Jan 16, 2013
I'm having an issue with a cloned vm of our ACS. We are moving it to a different location. I was able to clone it and get it back on the network, but I can't authenticate to it from any of my switches. I do have an older version:5.2.0.26
View 2 Replies
View Related
Sep 13, 2011
I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....
View 7 Replies
View Related
Feb 27, 2011
I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.
View 2 Replies
View Related
Sep 20, 2011
I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers. The servers are capable of TACACS, are using port 49 and have the correct shared secret. I believe I do not have the devices configured properly on the ACS side. These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.
View 6 Replies
View Related
May 14, 2013
I am setting up reports for tacacs accounting on ACS 5.3. However, accounting only seems to work after entering enable mode on the switch. I would like to see all commands, even the enable command when in privlage 1 mode.
View 2 Replies
View Related
Mar 4, 2012
I can get it to authenticate. But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run. I want the defintion to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.
View 10 Replies
View Related
Nov 14, 2012
ACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
Switch configuration:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
Everything works well and the limited access users can only perform the commands i've setup.
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?
View 1 Replies
View Related
Aug 14, 2011
So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.
A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).
View 3 Replies
View Related
May 1, 2013
I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.
View 5 Replies
View Related
Jan 15, 2012
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
View 1 Replies
View Related
May 14, 2013
I am trying to access an ASA 5545 using TACACS+. I have the ASA configured as follows:
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
ERROR: Authentication Server not responding: No error.
View 20 Replies
View Related
Mar 8, 2012
I have several 2950 switches that I cannot get to work with TACACS. I'm using the same config for these that I am using for other cisco switches. [code]
View 1 Replies
View Related
Nov 10, 2011
I am not sure what I am trying to do is possible, so I thought I would pose the question on here. In ACS 5.3, I would like to use an RSA server and AD to authenticate my network devices. So when I log into a router or switch I would enter my AD username, be prompted for my RSA token, then when I enable be prompted for my AD password, or visa versa. how to write an access policy to achive this?
View 2 Replies
View Related
Mar 21, 2011
Rather than maintaining local accounts is it possible to authenticate admins against AD? I'm talking about administrators of the ACS server itself to be clear.
View 2 Replies
View Related
Nov 13, 2012
I have a user named "testuser" and trying to authenticate from the xp computer but fails to authenticate. The ACS logs says that authentication failed, the user is in the local database but why it fails to authenticate?
I have cisco switch :
WS-C2960G-48TC-L 12.2(52)SE C2960-LANBASEK9-M
*Mar 8 04:03:55.030: AAA/BIND(00000029): Bind i/f
*Mar 8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar 8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed
[Code]....
View 7 Replies
View Related
Apr 8, 2009
The ACS can authenticate people using local database , it can also authenticate a single user (using windows database) if you are fast after the service is restarted , however after a few secounds, it fails to authenticate any users , the error we are seeing on the logs appear as authentication failure type : internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.
View 7 Replies
View Related
