Cisco :: Getting CWLMS 3.2 And ACS 5.2 Authentication?
Aug 26, 2011
Before I had the problem, I installed CWLMS 3.2 and ACS 4.2 and everything was OK, but after upgrading ACS 4.2 to ACS 5.2, CWLMS can't authenticate to devices and get their configuration. I checked everything, including credentials, and I debugged AAA authentication and TACACS on the devices. It seems the devices cannot get the username from CWLMS. I also ran PuTTY on the CWLMS server and tried to telnet to the devices with the ACS username and password, and the result is that there is no problem: I can telnet to the device with the ACS username and password without any problem.
The text below is the debug output on the devices when CWLMS tries to archive the configuration:
R#
Aug 27 05:10:11.571: AAA/BIND(00000064): Bind i/f
Aug 27 05:10:11.571: AAA/AUTHEN/LOGIN (00000064): Pick method list 'CACS'
Aug 27 05:10:11.575: TPLUS: Queuing AAA Authentication request 100 for processing
Aug 27 05:10:11.575: TPLUS: processing authentication start request id 100
Aug 27 05:10:11.575: TPLUS: Authentication start packet created for 100()
[code]...
Jul 11, 2011
I will be updating from 3.2 to 4.1. Is there perhaps some documentation for this procedure?
Apr 3, 2012
I have CWLMS-3.0-5K-K9 with a licence file but I can't install it in the VM (the version didn't support VMware virtualisation).
May 6, 2012
Is it possible to run an uptime report using CWLMS 3.2?
Jan 29, 2012
We are using CWLMS 2.6 on a UNIX machine, and recently we changed the SNMP string on our network devices. One of the L2 switches keeps logging the following message:
%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.x.x.1
where 10.x.x.1 is the CiscoWorks LMS server. I found a solution on many sites that suggests resetting the DFM database. I first stopped the daemon manager and tried to apply the Perl script:
perl dbRestoreOrig.pl dsn=dfmInv dmprefix=INV npwd=cisco
but it gives me the following error:
Can't locate CRM.pm in @INC (@INC contains: /usr/perl5/5.6.1/lib/sun4-solaris-64int /usr/perl5/5.6.1/lib /usr/perl5/site_perl/5.6.1/sun4-solaris-64int /usr/perl5/site_perl/5.6.1 /usr/perl5/site_perl /usr/perl5/vendor_perl/5.6.1/sun4-solaris-64int /usr/perl5/vendor_perl/5.6.1 /usr/perl5/vendor_perl .) at dbRestoreOrig.pl line 31.
BEGIN failed--compilation aborted at dbRestoreOrig.pl line 31.
CRM.pm already exists in the path ENV{NMSROOT}/lib/perl/db
At line 31 of dbRestoreOrig.pl – the error – I found the following:
push(@INC, "$ENV{NMSROOT}/cgi-bin/dbadmin/pdbadmin");
use lib "$ENV{NMSROOT}/lib/perl/db";
I gave the system the path of NMSROOT and ran the script again, but it gives me the same error: "Can't locate CRM.pm".
Aug 9, 2011
I'm looking for CiscoWorks 4.1, but have the following problem:
I bought the product CWLMS-3.2-300-K9, and it was linked to my Cisco account; I mean, it was registered correctly. Now, the thing is that I need to download version 4.1 in order to install it, but I don't have access.
Are the steps I followed correct? What else must I do?
Aug 24, 2011
I am getting the following error during installation of LMS 4.0 ("CWLMS-4.0-100-K9"). I have installed SP1 for Windows 2008 Standard R2 and am still getting the same error. Since Cisco's minimum requirement is Windows 2008 Standard and Enterprise with Service Pack 1 and Service Pack 2 (32 and 64 bit).
Jun 27, 2012
How many of you use 802.1x for authenticating users on a wired LAN? We have a new site which supports a ton of users, and before implementing an RA VPN solution for them I was thinking about using 802.1x to ensure they've got proper credentials before they're put on the production VLAN.
Feb 2, 2011
How can I configure Auth-proxy in ACS 4.0? In ACS 3.3 we can add this in the Interface, but I can't see anything for adding Auth-proxy in this menu.
May 20, 2011
Currently working on Proxy Authentication on a Catalyst 3750G. Cisco's documentation says that I can customize my own web pages for the login, success, failure, and expire web pages. However, I am having a difficult time finding a template to build upon.
Oct 13, 2011
Just a sanity check, but setting up NTP authentication on our switches to sync with our Core first, then our NTP server that the Core syncs to second.
Feb 20, 2012
I have an access point, model WAP4410N. I want to configure it for MAC authentication using MS IAS, but when I set my SSID to RADIUS in wireless connection control and try to connect to that SSID from a laptop, I don't get any logs in my IAS. Is my method for RADIUS MAC authentication correct or not?
Feb 2, 2012
In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?
Apr 1, 2012
My customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the devices' MAC addresses and move the WLAN clients to a specific VLAN. I added all devices with their MAC addresses to the ACS internal identity store for hosts. According to the following message, the client sends the user login credentials (chegger) within the RADIUS request instead of the client's MAC address, and of course it has to fail. After many configuration changes, I always ended up with the same result.
Feb 21, 2012
I have set up an ACS (5.2) to do EAP-TLS Machine and User Authentication. I am getting intermittent results with the machine authentication using the same laptop as a test client. When the machine authentication succeeds, the RADIUS name shows as host/xxx-yyy. When the machine authentication fails, the RADIUS name shows as xxx-yyy without the host/.
Feb 26, 2012
I need to order a CISCO881; only CISCO881-K9 is available. I checked everywhere and am still not sure if it is enough for me. We used to buy Sec-K9. I've got an ADSL modem in bridge mode in front. As only 1 IP is provided by the ISP, I need the 881 to be able to pass on the PPP authentication. I also need the router to have VPN server function. Could CISCO881-K9 do this or not?
Jun 13, 2012
I have a question on EAP-TLS with ACS 5.2. If I would like to implement EAP-TLS with Microsoft CA, how will the machine and user authentication take place? I understand that the certs are required on both the client and server end, but is this certificate tied to the machine or tied to an individual user?
If it is tied to the user, and I have a shared PC which is logged in to by a few users, does that mean every user account will have its own certificate?
And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?
And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert on their device, right?
Dec 17, 2010
I'm using an 877 router at home and I really need to check what this router does during the day. So some time ago I configured it using some EEM actions to send me email, without any problems. Yesterday I changed my internet provider and now I need to use SMTP authentication to send emails.
I read about how to authenticate, like username:password@host, and also did a quick search here, without solving my problem. I need to put the provider's email as the username, like: mouse@host.com:mypassword@smtpserveraddress.com. So, I want to know if someone had the same problem and solved it. Of course I can't use @ two times or EEM will think that host.com is my SMTP server! And right now it is going that way!
My IOS version is 15.1(2)T2, eem version is 3.1.
Oct 31, 2011
Trying to apply NTP authentication to 3750 switches (layer-2 WS-C3750-24P switches) but they don't want to work. Applying the same config to any router or 4500/6500 chassis, NTP authenticates straight away. NTP without authentication works fine on 3750s as well...
ntp authentication-key 1 md5 <key>
ntp authenticate
ntp trusted-key 1
ntp server 10.200.11.200 key 1
Is there additional config required for 3750s? This is across different IOS versions, so doesn't look like a bug..
Jan 18, 2012
I have a Cisco 851 and am using CCP to configure EASY VPN.
I click on TEST VPN SERVER, then click Start, and the status shows successful.
When I tried to connect a client I get mm_no_state.
When I reviewed the report from the test I found:
AAA authentication : Not configured
My AAA:
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authorization network tgcsvpn local(code)
Apr 25, 2011
I am running ASA version 8.4(1) and AnyConnect version 3.0.1047. My SSL VPN works fine, but I ran into an issue with one user. His account did not work, and every time the user logged in he got this message: "VPN Server could not parse request".
I found the problem after getting the user's information, meaning his username and password. His password had "&" as one of the special characters. When we change it to something that does not have that, it works just fine.
We are using Microsoft NPS server as RADIUS. But when I run a test within the CLI it works just fine; only when AnyConnect asks to authenticate does it fail.
Oct 29, 2011
I am facing an issue while trying to configure LDAP integration on a Cisco ASA firewall. The requirement is to allow remote access VPN for a specific group defined in AD. When I checked the debug logs ("debug ldap 255"), they show that the authentication is successful with the LDAP server, but the LDAP attribute is not getting mapped, and for this reason the tunnel-group default group policy of "NOACCESS" is getting applied (vpn simultaneous set to zero), which results in zero connections.
I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN gets connected.
The name of the user account is testvendor, which belongs to the group Test-vendor.
The configuration and debug output are shown below.
SHOW RUN
ldap attribute-map ABC-VENDOR
map-name memberOf Group-Policy
[Code]....
Sep 13, 2012
I have a problem with ESW 520 and 802.1x authentication. The problem is that when a host authenticates successfully it works for about a couple of minutes; after that it tries to authenticate again but it lags. The network interface shows a notification that it failed authentication. On ACS I see only one authentication attempt, which is successful. This problem is happening on Win7 and Win XP. If I unplug and plug the cable it authenticates successfully, but then after about a couple of minutes it lags again. The switch sees the port as authenticated. In the Win7 event viewer I have the following error:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
If I connect same hosts on Catalyst 2960 switch, they work successfully.
Jan 22, 2012
I have a new ACS 5.3 installation which I have joined to our AD domain and added the directory groups into. I have also added all our devices into ACS and their groups etc., but I am still only able to authenticate on our switches with an internal ACS account. When I try with an external AD account the log shows the following error: "Subject not found in the applicable identity Store (s)".
Jul 9, 2012
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
In the controller we have an SSID called triton, which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate beforehand and therefore execute the login script.
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user, and the IP address ends up in the wrong VLAN.
Apr 3, 2012
I'm having trouble when using CHAP as authentication for my two routers. I don't know whether my configuration is wrong or not. Is there anything wrong with the configuration? Note: both routers are c2961.
Aug 6, 2012
Any software to measure authentication time between client and RADIUS server?
Jan 1, 2013
I have the following question. I configured different authentication passwords in a master and slave VRRP setup.
Jun 17, 2012
How is the one-way hash generated given the challenge number and shared secret password? It's just that I was reading Cisco 3 chapter 7, and it doesn't explicitly outline how the one-way hash is actually generated; it simply states that it is generated given the challenge number (randomly generated for every challenge message) and the shared secret password.
Apr 18, 2010
We recently got a Cisco Secure ACS 1120 and I upgraded the appliance to 5.1 from 5.0 with all your support.
Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I successfully downloaded the config file from the RSA ACE Server and exported it into the ACS 1120.
I also added ACS as a NetOS Agent in the RSA Server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to a name (is that necessary?).
I haven't created any secret key file for communication between ACS and RSA, and the encryption I used is DES.
Now when I log into ACS and search for devices in the Identity Store Sequences, I am not able to find the RSA Token Server.
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco RADIUS ACS 5.2 and they are not working. However, I was able to get them working with Microsoft RADIUS. Below are the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
Nov 11, 2012
web authentication when using Android devices. I've been testing it and it seems to be caused by certificates (as has been said in other discussions). With https disabled in the WLC (WiSM 6.0.196.0), the portal authentication loads, but not with https. In addition, another issue I've detected is the DNS resolution of my controller by 1.1.1.1 when redirection takes place. With https enabled, DNS resolution and redirection work fine, so I don't think DNS server misconfiguration is the cause of the problem. I've only been able to see the portal with https disabled and by manually entering 1.1.1.1/login.html.
Dec 13, 2012
If a laptop/desktop goes into sleep mode or stays connected to an interface configured for 802.1X for more than 12 hours, it does not work or does not connect to the Exchange server, Cisco ISE console, Office Communicator. For re-authentication I need to restart the PC/laptop or unplug and replug the LAN cable! But before restarting I am able to ping all DNS, DHCP, OCS, everything. [code]