1200, ACS 3.1 and EAP Auth Problem

Similar Messages

• ACS 3.3 for windows - Win AD and eap-tls problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  Hi,
  This is what is interesting,
  AuthenProcessResponse: process response for 'phd' against Windows Database
  Unknown User 'phd' was not authenticated
  Done RQ1027, client 50, status -2125
  The field that is being picked from certificate has the value 'phd', check you check which field is it.
  And was the logging at full?, I think something is missing in the logs.
  Lets do a sanity check, and go through following link again,
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
  Regards,
  Prem

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• ACS 5.3 and Command Auth

  I am rolling out the Latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode.   I have build user based auth without issue but am having an issue with Command auth.  once I add command auth to the test router and modify the shell profile and command set for privilege 1 nd 15,  none of the commands are authenticated and the report indicates the "DenyCommand" default.  I have followed the user guide and the step by step from Security Solutions. ( link below) 
  I still get no joy.   Also Cisco changed the GUI and the way command sets are built
  (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
  Any help would be appreciated
  Patrick Connor

  Tarik,  thanks for the response.  I cannot get screen shots but can define the options sets.
  I created 2 command sets
  Pri-15  has only the permit all command not in the table below check box checked
  Pri-1  has a single permit "show"  with no arguments
  the Auth rule has 2 rules
  rule 1  identity group "network Admin"  any any any pri-15
  rule 2 identity group "network monitor" any any any pri-1
  service selection rule    rule 1  condition ( match system: protocol match TACACS)  result Default Device Admin   hit count 98
  the report indicated the a FAIL "13025 command failed to match a Permit rule)  and the Selected Command Set = (DentAllCommands) 
  So it looks like the command set is not being recognized.  but I cannot see why?
  Thanks,
  Pat 

• EAP Auth problems....

  Hello
  I'm trying to do EAP-TLS and for some reason every time I start authentication, the first time it tries, it fails with this error message:
  EAP retry limit reached for Station (StationName)
  And then almost exactly 1 minute later, it will try to auth again and this time, it usually works fine. Any ideas. Thanks

  Jason, I feel your pain but I think I know your answer. The newest client software stores your credentials. If you go into ACU and edit your profile you will see, if you scroll down, a listing for Username, Password, and Domain. You will find that your user name is filled in after you login the first time but not your password. What happens the next time you login, I think, is that the client tries to log you in with the incomplete credentials and only after it fails will it come up and ask you for you to enter them. When you enter them you are then given access to the network and allowed to reach the DHCP server. If your remove all credential info from your profile it will ask you to login immediately. If you enter all three you will be logged in automatically, which of course has major security issues. Remove all traces of credential info from your profile and try it. Let me know.

• Upload and http auth problem

  Hello.
  I wrote flex application with http basic authorization. After
  I successfuly loginin i try to upload file and independently of
  used browser I recieve authorization window from IE and I have to
  enter login/passwd second time. After it everything work fine and I
  can upload more files without authorization window. How can I make
  away this window? Is there any securinty flash settings?
  bye...

  Adobe Newsbot hopes that the following resources helps you.
  NewsBot is experimental and any feedback (reply to this post) on
  its utility will be appreciated:
  Flex 3 - Working with file upload and download:
  The SWF tried to upload a file to a server that requires
  authentication (such as a user name and password). During upload,
  Flash Player does not provide a
  Link:
  http://livedocs.adobe.com/flex/3/html/17_Networking_and_communications_7.html
  9 Flex File Upload Examples Visited:
  Flash 8 File Upload Download. As we know the Flex Upload is
  actually use the Flash 8 FileReference object to do the work. The
  guy who is writing the book
  Link:
  http://www.flex888.com/296/9-flex-file-upload-examples-visited.html
  Flex 3 - Example: Uploading and downloading files:
  The main application file in Flash (FLA) or Flex (MXML). ...
  A class that includes methods for uploading files to a server.
  Link:
  http://livedocs.adobe.com/flex/3/html/17_Networking_and_communications_9.html
  File Upload in Flex/Flash in Internet Explorer:
  Because Macromedia Flash doesn't include the capability to
  upload files, a Macromedia Flex developer will need to use multiple
  technologies to add uploading
  Link:
  http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_19382
  Adobe - Developer Center : Multiple file upload with Flex
  and:
  Sep 11, 2006 ... Through the Multi-File Upload application,
  you will learn how to do the ... capabilities of Flex 2, Flash
  Player 9, and ColdFusion MX 7 file
  Link:
  http://www.adobe.com/devnet/coldfusion/articles/multifile_upload.html
  Derrick Grigg's Blog, Flex and Flash file uploading with
  return data:
  I see one for Flex and other for Coldfusion, but none for
  Flash. Maybe the title should be Flex and CF file uploading with
  return data?
  Link:
  http://www.dgrigg.com/post.cfm/08/02/2007/Flex-and-Flash-file-uploading-with-return-data
  Disclaimer: This response is generated automatically by the
  Adobe NewsBot based on Adobe
  Community
  Engine.

• Cisco ACS 5.1 Machine Auth Problem

  Hi All,
  I have a query regarding ACS 5.1 using EAP-PEAP (machine auth plus user name and password). I have successfully setup AD authentication using Machine auth and user credentials and this works ok for corporate wireless devices and users.
  My ACS rules are machine auth against AD computers which gives a positive/pass, then a rule against user but ensuring the device is a valid domain device with "was machine authenticated = TRUE".
  The problem is when using a Windows 7 device (laptop) and logging in using the local admin account I successfully connect to the network but the local Admin account is not in AD. By default the W7 wireless adapter under security>advanced settings> specify authentication mode is computer authentication only.The W7 client doesn't send over any user credentials?
  Has anyone come across this problem before? Do I need to tweek the W7 clients via GP or is there a way of stopping just machine authentication with out a valid user name and password?
  Realy appreciate any responses and thank you in advance. 
  Jason

  check out
  http://technet.microsoft.com/en-us/library/dd759219.aspx

• ACS 4.0 and RSA Token Server problem

  Hi,
  We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
  Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
  I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
  When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
  After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
  Any help or advice appreciated.
  Thanks

  Hi,
  The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
  Following link talks about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
  Regards,
  ~JG

• Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

  Hello,
  Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
  Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:23: TPLUS: processing authentication start request id 444
  Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
  Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:23: T+: user: 
  Oct  6 13:52:23: T+: port:  tty515
  Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
  Oct  6 13:52:23: T+: msg:  Username:
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
  Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
  Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:30: T+: User msg: <elided>
  Oct  6 13:52:30: T+: User data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Oct  6 13:52:30: T+: msg:  Password:
  Oct  6 13:52:30: T+: data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
  Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:37: T+: User msg: <elided>
  Oct  6 13:52:37: T+: User data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
  Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
  Oct  6 13:52:37: T+: msg:  Error during authentication
  Oct  6 13:52:37: T+: data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:37: TPLUS: Received Authen status error
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
  Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
  Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
  Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:49: TPLUS: processing authentication start request id 444
  Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
  Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:49: T+: user: 
  Oct  6 13:52:49: T+: port:  tty515
  Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
  Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
  Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
  The 1113 acs failed reports shows:
  External DB is not operational
  thanks,
  james

  Hi James,
  We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
  this error means the external server might not correctly configured on ACS external database section.
  Another point is to make sure we have remote agent installed on supported windows server.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
  Also provide the Auth logs from the server running remote agent, e.g.:-
  AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
  Attempting Windows authentication for user v-michal
  AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
  authentication FAILED (error 1783L)
  thanks,
  Vinay

• EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

  Hi Guys,
  Whilst I’m well aware of the limitations of the built in the windows Wireless 802.1x supplicant. Is there a way, using the NAM client to authenticate both a computer and a user simultaneously, when used for authentication to wireless networks?
  As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
  Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
  Thanks in advance.
  SteveH

  Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
  So, try rebooting ACS if you haven't already and see if that resolves the error.

• Win 7 client with machine and user auth stuck in 802.1x_REQD

  Hi everybody
  we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
  - Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
  - On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
  - First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
  - When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
  Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
  In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
  We tried the following to find the problem spot. but we were not able to locate the problem:
  - Configure the machine and user authentication into the same vlan all the time
  - ONLY user authentication on the client
  - Played with the Win 7 settings (timers, and so on)
  - When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
  Did someone ever had the same issue?
  Thanks a lot and best regards
  Dominic

  Hi Amjad
  very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
  It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
  Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
  - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
  WZC.
  - what is the result when testing with user auth only?
  The same, it takes such a long time.
  - what ist he result when testing with machine auth only?
  Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
  Regards and have a nice weekend
  Dominic

• EAP-AUTH-AAA-ERROR: Reply received on stale handle

  Hi,
  I try to deploy 802.1x EAP-TLS in Lab enviroment with ACS 4.2 and
  Cisco IOS Software, C3560 Software (C3560-ADVIPSERVICESK9-M), Version 12.2(46)SE
  If I use the PEAP, it is working, but if EAP-TLS, then nothing show in logs on ACS, but error message.
  EAP-AUTH-AAA-ERROR: Reply received on stale handle (0x00000000)
  If I switch Network Access Profile to another one w/o EAP-TLS then in log I get
  12/10/2009 10:23:21 Authen failed [email protected] Default Group XX-XX-XX-XX-XX-XX, other, EAP type not configured
  What could be a problem?

  Problem was solved by migration of whole ACS to another server with 4.2.0.124 Patch 12.

• 802.1x with ACS 3.3 and windowsXP

  We are using RADIUS IETF in ACS and EAP MD5.
  My switch is 2950 whith this commands:
  radius-server host a.b.c.d
  radius-server key cisco
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  int fa 0/1
  dot1x port-control auto
  When we try authenticate appears this error: "CS user unknown" in ACS reports.
  Has somethings that we forget?
  Where I configure the respective VLAN to user when he authenticate?
  Thanks

  I`m using 2950 and Cisco ACS. In my Windows XP, I did only this"Ativar authenticaçao IEEE 802.1x para esta rede -->MD5 Challenge". I create one user in ACS database and assign the following IETF RADIUS attributes to this user:
  [64] Tunnel-Type = VLAN
  [65] Tunnel-Medium-Type = 802
  [81] Tunnel-Private-Group-Id = teste
  At my network icon apears: Authentication Fail
  See some debug message on my switch:
  03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
  03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
  03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
  03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
  03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
  03:09:14: dot1x-ev:Inserted the request on to list of pending requests
  03:09:14: dot1x-ev:Found a free slot at slot 0
  03:09:14: dot1x-ev:Found a free slot at slot 0
  03:09:14: dot1x-ev:Request id = 7 and length = 25
  03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
  03:09:14: dot1x-ev:Username is SMSTESTE\joe
  03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
  03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
  03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
  03:09:34: dot1x-err:EAP packet not recvd
  03:09:34: dot1x-ev:going to send to backend on SP, length = 4
  03:09:34: dot1x-ev:Received VLAN is No Vlan
  03:09:34: dot1x-ev:Enqueued the response to BackEnd
  03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
  03:09:34: dot1x-ev:Dot1x matching request-response found
  03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
  03:09:34: dot1x-ev:Received VLAN Id -1
  03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
  Can you help me?
  Thanks,

• 802.1x Machine and User Auth Vlan assignments

  I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
  Here is how it's working now:
  1. Machine authenticates to ACS and assigned to a Vlan
  2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
  So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
  So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

  By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
  As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
  Note: A good way to troubleshoot this is to notice it in action via show command:
  Here's an example of what you should see on a switch port.
  AuthSM State = State of the 802.1X Authenticator PAE state machine
  VALUES:
  AUTHENTICATED -- Auth Succeeded
  AUTHENTICATING -- Auth is attempting
  CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
  HELD -- Auth probably failed.
  BendSM State = State of the 802.1X back-end authentication state machine
  VALUES:
  IDLE -- Nothing is happening.
  REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
  RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
  NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
  Hope this helps,

• AP350 with LEAP and MAC-Auth

  Hi,
  is there any solution for this?
  I'd like to do LEAP and MAC-Auth with Microsoft IAS-Server instead of Cisco ACS.
  With ACS everything works fine but i have to buy the licences. For IAS i already have them but always 'EAP authentication method is unrecognized'.
  The clients all use W2K Prof.- no XP anywhere, so i can't go to EAP-TLS.
  thanks in advance
  Thomas / Networking admin

  Sorry, but LEAP is today only available on :
  Cisco Secure ACS
  Cisco Access Registrar
  Funk Software Radius
  Interlink Radius