Authenticating an admin user on AP1200 with Cisco Secure

Hello,
I am trying to configure RADIUS authentication for an administrator logging on to an AP1200 via HTTP. On the Cisco Secure ACS server I can see that the authentication was successful, and with a trace I can also see the 'Radius Pass' answer coming back to the AP1200.
Unfortunately the administrator gets no access to the AP1200 web page, and the login window still asks for username/password. The log of the AP1200 does not give any error message.
The software versions are as follows:
AP1200 version 12.02A (the last one non-IOS available)
CiscoSecure ACS v2.6 for Windows 2000/NT
Release 2.6(3) Build 2
The return packet (the 'Radius Pass' answer) coming back to the AP1200 is the following:
0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!Tg*`.y......|
0040: ff ff ff ff |....|
I suspect that the last ff ff ff ff (255.255.255.255) should be equal to the IP address of the AP1200 which was sent within the initial RADIUS request packet.
Thanks in advance for your answer.

I had a similar problem with the 350 series. I received the following information that resolved my issues.
Using RADIUS, you need to use the Cisco AV-pair attribute for admin users with the following syntax:
aironet:admin-capability=write+ident+admin+firmware
Here is the procedure to define the Cisco AV-pair attributes for the admin user.
a) On ACS, select Interface Configuration, go to Advanced Options,
select "Per-user TACACS+/RADIUS Attributes" and click Submit.
b) On ACS, select Network Configuration:
1) Check whether you have a RADIUS (Cisco IOS/PIX) NAS configured on the ACS;
if not, add a NAS of type RADIUS (IOS/PIX). Note that this is needed for the IOS/PIX attributes.
2) After adding the IOS/PIX device, select Interface Configuration >> RADIUS (IOS/PIX),
enable the [026/009/001] "cisco-av-pair" option, and again make sure that you enable it
at user and group level; click Submit.
3) Add a user (User Setup >> Add/Edit) to restrict administrator access control:
enable and configure the cisco 09\001 cisco-av-pair using
aironet:admin-capability=write+ident+admin+firmware
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082

Similar Messages

  • With Cisco Secure ACS 4.2, user accounts get locked at the first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2, integrated with Active Directory at the Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once; the integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN and type my password wrongly, I get extra bad password counts in Active Directory.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However, we checked the ACS logs and they show that we entered bad credentials just once, but in Active Directory our account is sometimes blocked because we get at least 2 and sometimes 3 failures. This problem only occurs when we authenticate to Cisco devices or through VPN; in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
    and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
    I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting Internal Error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu

  • Cannot reset user vmail password with Cisco Unified CM Administration

    We are using Cisco Unified CM Administration ver 7.1 with Cisco 7945 IP phones. I have a user who came to me saying that they could no longer access voice mail, getting invalid PIN. I changed the PIN with Cisco Unified CM Administration, which accepts the new PIN no problem, but when we try it from the phone it doesn't work. Any ideas... Thanks, Don

    Hey Don,
    Well, that's no good
    There should be no correlation between resetting the user PIN
    and the forwarding to voicemail.
    Let's say that the user is @ DN/extension 5999.
    In CUCM admin go to:
    Device>Phone>Find List by Directory number> find 5999
    on the DN config page look at the Call Forward sections (all, no answer, busy)
    and make sure they are set to forward to VM (usually by using the VM checkbox)
    If you need to, have a look at a working phone/DN for comparison
    Cheers!
    Rob
    "Spend your life waiting,
    for a moment that just don't come,
    Well, don't waste your time waiting" 
    -Springsteen

  • Problem with Cisco Secure Access Server 3.0

    Hi All,
    Please, what is my problem? I use Cisco Secure Access Server version 3.0 for Windows 2000/NT servers to authenticate users on our wireless network. I, however, wish to assign monthly time limits to each user, after which he/she will no longer have access until next month or the timer is reset. I tried this with the "User Usage Quota" under User Setup. I set the server to "Limit user to X hours of online time per Month", enabled the "Use these settings" and also checked the box by the side of the option. I saved and restarted my server. Unfortunately the settings did not work for all the users whose quotas I set.
    What am I doing wrong? Please assist.
    Chafe

    Do you have your APs sending accounting data? If not, ACS has no way of knowing how long they've been online.
    You can use your ACS logging to see what your accounting looks like, to confirm whether you are receiving accounting packets or not.
    HTH
    Jeff

  • Problem with Cisco Secure agent installation

    Hi,
    I am having problems with installing the Cisco Secure Agent 5.2-203 on a RHEL 3.0 AS server.
    It gives me the following error:
    [root@ABC CSCOcsa]# ./install_rpm.sh
    Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
    Preparing packages for installation...
    CSAagent-5.2-203
    cc -DMODULE -D__KERNEL__ -Dlinux -Dkernel -I. -I/usr/src/linux-2.4/include -I../ ../../include/unix -pipe -Os -march=i686 -fno-defer-pop -fno-common -mpreferred- stack-boundary=2 -c symbols.c -o symbols.o
    cc -DMODULE -D__KERNEL__ -Dlinux -Dkernel -I. -I/usr/src/linux-2.4/include -I../ ../../include/unix -pipe -Os -march=i686 -fno-defer-pop -fno-common -mpreferred- stack-boundary=2 -c fshook.c -o fshook.o
    cc -DMODULE -D__KERNEL__ -Dlinux -Dkernel -I. -I/usr/src/linux-2.4/include -I../ ../../include/unix -pipe -Os -march=i686 -fno-defer-pop -fno-common -mpreferred- stack-boundary=2 -c hotpatch.c -o hotpatch.o
    cc -DMODULE -D__KERNEL__ -Dlinux -Dkernel -I. -I/usr/src/linux-2.4/include -I../ ../../include/unix -pipe -Os -march=i686 -fno-defer-pop -fno-common -mpreferred- stack-boundary=2 -c adapt.c -o adapt.o
    adapt.c: In function `kutil_vprintk':
    adapt.c:3442: parse error before `char'
    adapt.c:3443: `buf' undeclared (first use in this function)
    adapt.c:3443: (Each undeclared identifier is reported only once
    adapt.c:3443: for each function it appears in.)
    make: *** [adapt.o] Error 1
    Failed to build adaptation kernel module. Aborting
    error: %post(CSAagent-5.2-203) scriptlet failed, exit status 1
    ./install_rpm.sh: installation failed
    I would like to know where the dependency is and what needs to be installed for this installation to work.
    Joel

    Hi Joel,
    The following packages are needed to compile the 5.2 agent:
    *GCC*
    *kernel-snmp-devel*
    *compat-libstdc++*
    Also, 5.2 error messages are a lot less friendly than 5.1's.

  • User from certificate with Cisco VPN client and ASA (and radius)

    Hello,
    we are trying to migrate a VPN client connection from GROUP to certificate. We want the client to use the user from the certificate and not ask for the user, only the password. Is it possible? Now, with the user certificate, you can connect as another user if you know the username and password of the other user with your own certificate.
    Thanks!
    Santiago.

    mrbacklash wrote:
    Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
    I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
    Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
    Message was edited by: BobTheFisherman

  • Authenticating Device Admin users against AD specific groups

       Hi,
    I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of the AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
    Any idea how I can bind the authentication against a specific group in AD, not just using AD1 as the identity source?
    Thanks

    Hi Mike,
    Can you please define what you exactly mean by authentication and authorization?
    The ACS checks the AD for a specific user, whether it is available and whether the credentials are correct. If so, on the AD you will probably find a successful authentication in the logs, but from the user's perspective, the user does not know whether it is authenticated or not at this stage.
    Now the ACS knows the credentials are correct and then checks the policy rules that are configured. Depending on the policy rules it will tell the user whether it is successfully authenticated or not.
    In the policy, you control success or failure of the authentication of the client depending on the AD group.
    If what I explained above is not what you are looking for please elaborate more about your request so we better understand your concern.
    Regards,
    Rating useful replies is more useful than saying "Thank you"

  • How can I login with my admin user after the "file vault-security option" disabled?

    My HD was full, so I deleted the biggest files related to File Vault. After that I disabled the File Vault option in Security preferences and restarted the machine. When I tried to connect again, the message "error in file vault" appears. How can I fix it?

    I have the same problem.  My Mac Mini server will not let me reset PRAM or boot into safe mode.  Can't log in.  Help

  • ACS 5.x with either AD or RSA Authentication depending on user

    I am trying to implement RSA two-factor authentication for our company for access to secure resources.
    Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
    I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
    We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
    I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
    I tried creating a rules-based selection for the Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring the RSA to treat user rejects as user not found. This broke VPN completely.
    From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
    Anyone know how to accomplish this?
    I am running 5.4 with the latest patches.

    Hope you're well!
    I am facing some access issues after completing the ACS (5.1) and AD (Windows 2003) integration; details underneath.
    Enable password for (routers, switches) is working fine if the identity source is "Internal Users"; unfortunately, after completing the integration between ACS and MS AD and changing the Identity source to "AD1", I got the following result:
    1. Able to access the network device (Cisco switch) using the MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users", enable password is working fine.
    Switch TACACS Configuration:
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 on a
    standalone Windows 2003 Enterprise server with the latest
    Windows service pack and updates. Secure ACS is running
    fine and I can authenticate with Cisco routers and
    switches. The Windows 2003 server is also running Microsoft
    IIS Server. In other words, the IIS server and Cisco
    Secure ACS are running on the same Windows 2003 server.
    I am trying to get Cisco User-Changeable Password to work
    with Cisco Secure ACS. I followed the release notes line
    by line and the workaround provided below:
    Also, the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
    The name of the Windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
    password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in Windows 2003 to be "ALLOWED" by
    EVERYONE. In other words, there is NO security on the Windows 2003 server.
    It is still NOT working.
    The other question I have is that can Cisco UCP allow user
    to change his/her enable password?
    Can someone help? Thanks.

    Yes bastien,
    Thank you.
    But one thing more I want to know: on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for username and password.
    I've given it several times, also going through the Administrator account with administrative credentials, but it always failed.
    Any suggestions/solution?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • TS1541 volume won't mount for main user-intel imac with mountain lion-what to do?

    After logging in to admin user, grey screen with spinning arrow
    Can login to Guest User but that is just set up for Safari only
    Tried starting in Safe Boot, zapped the PRAM, removed all peripherals, rebooted with installation disk and used Disk Utility - disk greyed out and says not mounted
    How can that be?
    this is an Intel-based iMac purchased last summer, recently installed Mountain Lion

    I have the same problem. Installed Mountain Lion, got the spinning orb with no escape so I powered down. Upon re-boot I have the dreaded "?". Tried restarting several times to no avail.
    In desperation, I inserted the 10.5 (Leopard) disk to install the original system version that came with my iMac. Now the install disk cannot find or mount my hard drive. I'm stuck.
    Anyone??

  • Removing admin user from planning application

    Hi,
    I have a small question that possibly you can answer easily.
    In the workflow process, when users click "change status", at promote and approve the "admin" user comes up in the combo-box.
    We are sharing Shared Services with another project team, so I don't want to show "admin" to my users in that list, because I have "plnadmin" as application owner.
    By the way, "admin" was deprovisioned from the planning applications on HSS such that he cannot log in to the planning application ("user does not exist for this application" message).
    But he still exists in the workflow process combo-boxes and the "Administration->Application Settings->Assign Application Owner" combo-box.
    How can I remove him?
    thx,
    Version: 11.1.1.2

    Hi,
    In theory it should remove the admin user if they have been deprovisioned and the application owner assigned to another user. I did a quick check on 11.1.1.3 and it removed the admin user from the workflow and tables.
    Maybe it has not removed the user because a workflow was already in progress, even though it worked for me.
    There are probably a number of ways to try removing the user, e.g. try restarting the Planning service and logging into the application to see if it syncs up with Shared Services (it should do if the property SYNC_USER_ON_LOGON is set to true, which is the default for Planning).
    Try stopping the workflow process and running a refresh, or go to access permissions for a member and click migrate identities to see if it clears the table.
    The final stage would be to manually remove it from the repository tables.
    (Sorry if I have not covered all areas; I'm sure somebody will give you different ideas or repeat what I say.)
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Using mms.cfg file to enable Autoupdate for non-Admin users

    I need help in getting this to work.  So far it does not.
    Adobe Flash for windows 17.0.0.23
    Windows 7 Enterprise  - 5000 systems
    Users are not administrators on systems.
    The Non admin user gets prompted with a screen ( we do not want any prompts)
    Then the install fails because they are not an administrator.
    My mms.cfg file:
    AutoUpdateDisable=0
    AutoUpdateInterval=1
    SilentAutoUpdateEnable=1
    How do I use this or any other method to have Adobe Flash update automatically for all users, including non-admins,
    and give no prompts?
    What are the next steps.  Is there an enterprise support site or method to use for mass distributions for Flash?
    Please Get back to me today before 12:00 EDT 13 Apr 2015.
    Gary Pearson
    401-233-6898

    Hi garyp81126656,
    The current mms.cfg file configuration will perform either a notification update or a background update. There are a few options to update non-admin users:
    Host the background update resources locally.  When using the Adobe servers for background updates there is no way to disable notification updates.  By hosting the background update resources locally users will never be prompted to update.
    Disable updates and deploy Flash Player updates via SCUP, SMS, or Group Policy.
    The various deployment options are listed in Chapter 3 of the Flash Player Administrator's Guide.  The Admin Guide also contains information on licensing Flash Player for distribution within your organization, which is a requirement for any of the deployment methods described in the Admin Guide.  Additional information is available at An outline of Flash Runtime installation options
    Maria

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco Secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a CSV file. I created an accountactions.csv file in which I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a group. This should be done with:
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create a group (e.g. rename Group 30 to Group TEST) directly in my CSV file?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what I found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    line 1
    Rename "Group 100" to named group "BPM" using code 210 to perform the Action
    Gerald
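    To check an accountactions.csv before feeding it to RDBMS synchronisation, here is an added example (not code from the thread or from Cisco). It uses the column header Gerald posted, interprets action 210 (rename the group named in GroupName to Value1, as Gerald describes) and action 106 (assign UserName to GroupName, as used in Pascal's row); any other action code is passed through uninterpreted. The sample rows are constructed from the rows shown in both posts, and the duplicate-SequenceId and column-count checks are this example's own sanity checks, not documented ACS behaviour.

```python
"""Parse and sanity-check an ACS RDBMS-sync accountactions.csv.
Added example, not from the thread or Cisco. Column header as posted by Gerald;
action 210 = rename group (Value1 = new name), 106 = assign user to group, per the
thread. The consistency checks below are this example's own assumptions."""
import csv
import io

HEADER = ("SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,"
          "Value3,DateTime,MessageNo,ComputerNames,AppId,Status").split(",")

# Action codes interpreted by this example (meanings taken from the thread).
ACTION_RENAME_GROUP = 210
ACTION_ASSIGN_GROUP = 106

# Constructed sample built from the rows shown in the two posts above.
SAMPLE = """\
SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
1,1,,Group 100,210,,BPM,,,,0,,,0
2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
3,0,TESTuser,Group 30,106,,,,,,0,,,0
"""


def parse_accountactions(text):
    """Return one dict per data row; raise ValueError on rows that cannot be applied."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header != HEADER:
        raise ValueError("unexpected header: %r" % header)
    rows, seen = [], set()
    for lineno, fields in enumerate(reader, start=2):
        if not fields:                      # tolerate blank lines
            continue
        if len(fields) != len(HEADER):
            raise ValueError("line %d: expected %d columns, got %d"
                             % (lineno, len(HEADER), len(fields)))
        row = dict(zip(HEADER, fields))
        seq = int(row["SequenceId"])
        if seq in seen:                     # assumption: SequenceId must be unique
            raise ValueError("line %d: duplicate SequenceId %d" % (lineno, seq))
        seen.add(seq)
        action = int(row["Action"])
        if action == ACTION_RENAME_GROUP and not (row["GroupName"] and row["Value1"]):
            raise ValueError("line %d: rename needs GroupName and Value1" % lineno)
        if action == ACTION_ASSIGN_GROUP and not (row["UserName"] and row["GroupName"]):
            raise ValueError("line %d: group assignment needs UserName and GroupName" % lineno)
        row["Action"] = action
        rows.append(row)
    return rows


def describe(row):
    """Human-readable summary of one action row."""
    if row["Action"] == ACTION_RENAME_GROUP:
        return 'rename group "%s" to "%s"' % (row["GroupName"], row["Value1"])
    if row["Action"] == ACTION_ASSIGN_GROUP:
        return 'assign user "%s" to group "%s"' % (row["UserName"], row["GroupName"])
    return "action %d (uninterpreted)" % row["Action"]


if __name__ == "__main__":
    for row in parse_accountactions(SAMPLE):
        print(row["SequenceId"], describe(row))
```

A rename row that leaves Value1 empty (the new group name) is rejected by the parser, which is the kind of mistake that otherwise only shows up in the RDBMS Synchronization log after the import.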
