802.1x, catalyst, ACS & active directory external DB!

Hi,
I'm working with 802.1x over catalyst switch, ACS 3.1 as Radius and external DB users authentication on Ms Active Directory with LDAP.
My questions are:
1) Are the only EAP's version supported by catalyst, MD5-EAP and EAP-TLS (not PEAP and LEAP);
2) The only supported method to authenticate users from ACS to AD is EAP-TLS? is EAP-MD5 not supported over LDAP access protocol?
3) Can I import the users from Active Directory to Internal ACS data base? (like a RDBMS...)
thanks,
Graz.

I am in a installation with 802.1x.
I have install a Cisco ACS and cisco 2950 Switch and I am authorizating users via MS-CHAPv2 against the Cisco ACS
ACS is validating users against a Microsoft Active directory.
I have the following problem: When user logs in, it takes between 45 to 90 seg to log the user and change the vlan.
I have install Windows XP Service Pack 2 and patches:
xp-kb817778-x86-esn
xp-kb826942-x86-esn
I have change the switch software to the latest release.
How can I reduce this delay? Any idea?

Similar Messages

ACS 5 : 24463 Internal error in the ACS Active Directory

I am configuring ACS 5.
I have group in AD created. There is 2 users in the group. Usera are from different OUs.
One user get authenticated.
The other failing to get trough authentication with following error:
24463 Internal error in the ACS Active Directory
Could anybody help?
P.S. I have something to add.
It works for some users and does not for others. I have created new user and it worked.
So it looks it is sometjing in user properties of groups it belongs to.

This is Bug
CSCsx94072

Invoking 'active directory external authentication plug-in' from login.jsp

Hi
I am using the Oracle AS 10g on Unix. We have a web application in JAVA based on OC4J Framework.
Currently user use application url for accessing the login page, enters credentials and then the authentication is done through LDAP.
Now we have to remove the login page from application. i.e. once user is successfully logged in Windows on his pc, and tries to access our application through it's url, he must be automatically authenticated using the credentials entered in windows and display the welcome page of application. Same as any intranet application.
For this requirement, we have 'active directory external authentication plug-in' installed on server.
What we need to know is how this process will work and changes required in our jsp page to invoke this plug-in and authenticate user by accessing windows-credentials automatically.
kindly let me know

Hi
I am currently using NTLM to fetch the windows username and then creating an anonymous connection with the LDAP Server.
Then i serach using the user name in ldap directory.
NTLM is no longer required , instead we have 'active directory external authentication plug-in' installed on LDAP.
as far as i know the plug-in will process the kerberos ticket generated by windows to automatically authenticate.

Use Profile Manager to configure 802.1x authentication to Active Directory

I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
If I configure the profile to for WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network
If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
Here's my problem:
I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
Any thoughts?
Thanks!!!!

I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager. If I can't get this to work I'm going to try SCEP and certificate authentication.

Reconfigure Active Directory External Authentication plug in to use ssl

Assuming this is the proper place to post this question:
I've quickly gone through the IM integration documentation trying to find out how to reconfigure the ad external auth plugin to use ssl and have come up empty handed. Does anyone know how to do this? Should I just rerun oidspadi.sh?
Also, where can i view the configuration information that was entered the last time this was configured?
thanks for any help!
chris

Rerun oidspadi.sh and select SSL option. You can get adwhencompare and adwhenbind plug-ins detail under plug-in management in Oracle directory manager.

802.1x, Machine Authentication, Active Directory and eDirectory

Does anyone think this is feasible as a solution...
Problem Definition.
1) Machines all use the netware Client and authenticate to eDirectory initially, then to AD.
2) I want to use ACS, not Free Radius.
3) I don't want to use a 3rd party supplicant.
Possible solution...
Does anyone think it might be possible to authenticate a machine using a certificate into AD before the user logs in using the netware client. My thinking being this... the user (or machine in this case) will have already been identified as trusted (through AD), will be connected to the network when the user submits their netware credentials. This would mean that netware could be left out of the 802.1x process completely and yet the user would still get a single sign on experience.

I did. Basically the scenrio I described in the original post worked.
The only caveat is that user auth still occurs through 802.1x once you submit the user credentials. There are regestry hacks which disable this if you solely want to use machine auth.
hope this helps

OracleAS SSO - Microsoft Active Directory External Authentication Plug-in

hi ,
I recently inherited support of a Oracle SSO/OID environment where we use AD and a external Authentication Plug-
in to talk to it as user credentials are managed in AD,
We have a lot of domain controllers for AD in our env , so my questions is
1) How do I find out which AD server is the plugin currently referring to ,
I need to know this info ASAP as lot of AD servers are getting decomissioned and I want to make sure the SSO env
is not talking to a AD server that would get decomissioned soon

hi,
Look in the integration part in oidadmin. ActiveChgImp
$ORACLE_HOME/bin/oidadmin
or look for ad2oid.properties
or look at this URL http://www.oracle.com/technology/obe/obe_as_10g/im/ads_import/import.htm
is what I used to configure ours
Regards

Bug with Active Directory external authentication plug-in??

I'm configuring the plugin on Windows. I installed the cygwin unix emulation software already. It kept saying incorrect connect string or ODS password specified when I tried to enter values for the following 2 questions
1) Please enter DB connect string: hostname.domain:1521:orcl.domain
2) Please enter ODS password: ODS (I viewed the ODS schema password in OID and it's ODS)
I'm using
OID 10.1.2.1.0
Portal 10.1.4
Thanks

Hi,
I've got the same error.
The user is not found.
Tue Aug 24 17:20:36 CEST 2004 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, [email protected]
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = [email protected]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1041)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:820)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:767)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:483)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:561)
at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:111)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:833)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:318)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:604)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)

Active Directory External Authentication Plug-in

Right now, this script is a UNIX shell script and I'm using windows so I have to install a UNIX emulation software. I have 2 questions
1) Is there a windows version of this script? I searched everywhere but I couldn't find any.
2) If there's no windows version, after I executed the script, can I uninstall the UNIX emulation software from my windows server?
Thanks

Hi,
I've got the same error.
The user is not found.
Tue Aug 24 17:20:36 CEST 2004 [ERROR] AJPRequestHandler-ApplicationServerThread-6 Could not get attributes for user, [email protected]
oracle.ldap.util.NoSuchUserException: User does not exist - SIMPLE NAME = [email protected]
at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1041)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:820)
at oracle.ldap.util.Subscriber.getUser(Subscriber.java:767)
at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:483)
at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:561)
at oracle.security.sso.server.auth.SSOKerbeAuth.authenticate(SSOKerbeAuth.java:111)
at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:833)
at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:318)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:65)
at oracle.security.jazn.oc4j.JAZNFilter.doFilter(Unknown Source)
at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:604)
at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:317)
at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:790)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:208)
at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:125)
at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
at java.lang.Thread.run(Thread.java:534)

Problem authenticating with Active Directory

Hi,
We want to authenticate the users from Microsoft Active directory.We created users by doing a bootstrapping from AD to OID (10.1.2).
I enabled the plug in by following the Chapter 18 Configuring Active Directory External Authentication plug -in.
After running through the plug in is installed if i try to login with AD user id I am getting authentication failure error.
I am not sure whether OID is connecting to Active Directory for authentication.How to ensure that it is connecting to AD
I am giving uid attribute as login id.What is the login id to be given
I have tried many combinations no luck. I am getting following error in ssoServer.log
Sun Dec 11 19:44:13 EST 2005 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Communication Exception received. Cleaning up the stale connection
oracle.ldap.util.CommunicationErrorException: Unable to establish connection to directory. Please verify the input parameters: host, port, dn & password connection closed
     at oracle.ldap.util.Subscriber.getUser_NICKNAME(Subscriber.java:1213)
     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:912)
     at oracle.ldap.util.Subscriber.getUser(Subscriber.java:859)
     at oracle.security.sso.server.ldap.OIDUserRepository.getUserProperties(OIDUserRepository.java:493)
     at oracle.security.sso.server.auth.SSOServerAuth.authenticate(SSOServerAuth.java:485)
     at oracle.security.sso.server.ui.SSOLoginServlet.processSSOPartnerRequest(SSOLoginServlet.java:796)
     at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:328)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:760)
     at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
     at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:824)
     at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:330)
     at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
     at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
     at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
     at java.lang.Thread.run(Thread.java:534)
Thanks

Did you check the debug information from the external auth plugin.?
This is mentioned in metalink note https://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=277382.1
here an excerpt:
D) Enabled plug in debugging at the database level. Reference documentation: Oracle Internet Directory Administrator's Guide 10g (9.0.4) Chapter 43 Integration with the Microsoft Windows Environment - Troubleshooting Integration with Microsoft Windows Under section "Debugging the Microsoft Active Directory External Authentication Plug-in"
...enable the plug-in debugging. To do this, enter:
sqlplus ods/odspassword @$ORACLE_HOME/ldap/admin/oidspdon.plsTo check the plug-in debugging log, enter:
sqlplus system/managerSQL> select * from ods.plg_debug_log order by id;
(To delete the plug-in debugging log:
sqlplus system/managerSQL> truncate table ods.plg_debug_log
To disable the plug-in debugging:
sqlplus ods/ods @$ORACLE_HOME/ldap/admin/oidspdof.plsE) Dump the plug-in profile to make sure it is enabled and configured correctly:
ldapsearch -h <OID host> -p <OID port> -D "cn=orcladmin" -w <orcladmin password> -b "cn=plugin,cn=subconfigsubentry" -L -s sub "(objectclass=*)" "*"please take also a look into the DIPTESTER tool available in
http://www.oracle.com/technology/sample_code/products/oid/java_diptester.tar
regards
--Olaf

OID and Active Directory

1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
2 Marshall data from Active Directory on demand (live link)?
3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).

This is what I have to share with you....For further details refer link http://otn.oracle.com/products/oid/index.html and Oracle Internet Directory Administrator's Guide.
1 Does Oracle OID integrate with Active Directory to synch data with Active Directory periodically?
For synchronizing from Microsoft Active Directory to Oracle Internet Directory, you need to track changes in Microsoft Active Directory and configure your Active directory connector giving its URL, user account and password to be used by the Active Directory connector, its DIT info on domain which contain the users/groups. And in the Active Directory synchronization profile you'll have to set the mapping rule.
2 Marshall data from Active Directory on demand (live link)?
Yes, its possible to migrate data between directories. Configure your Active Directory connector and External auth Plug-in. And use the Directory Integration and Provisioning Assistant.
3 Does Oracle Single Sign-on solution work with multiple directories (i.e. OID and AD both being used by Oracle Single Sign-on)
Yes, its possible. When a user tries to log in, the OracleAS Single Sign-On server tries to verify the credentials the user enters against those stored in Oracle Internet Directory. If the user credentials are not there, then the Oracle directory server invokes the Active Directory external authentication plug-in. This plug-in verifies the user credentials in Microsoft Windows. If the verification is successful, then the Oracle directory server notifies the OracleAS Single Sign-On accordingly.
4 Can Oracle Single-Sing-on work with a Desktop login into a Domain (also called NT Authentication or Desktop authentication).
Oracle Application Server Single Sign-On enables native authentication, also called autologin, in a Microsoft Windows environment. Once logged into the Windows desktop, the user automatically has access to Oracle components. OracleAS Single Sign-On automatically logs the user into the Oracle environment using user's Kerberos credentials.

Two factor authentication ACS 5.x against external Radius and Active Directory

On ACS 5.x I'd like to authenticate against two external Directories
Active Directory
Black Shield Token Server (via RADIUS)
I found a description the meets mostly my requirements at
http://blog.pbmit.com/digipass2
Has somebody an Idea how this has to be implemented on Cisco ACS 5.3?
In the identity store swwquence there's no way to implement a compound condition (if user authenticated against Directory 1 AND Directory 2 then success)
Active Directory and Cisco ACS
This solution attempts to solve the limitation described in Solution 1. Instead of letting the Identikey server communicate directly to the AD, we use the Identikey server only to strip the PIN and OTP from the password and loop the authentication request back to the Cisco ACS to utilize its Identity Store Sequence, which can now be set to both Internal Identity Store and AD.

just following up to see if there was a solution to this. I am also interested in setting this type of scenerio out.

Cisco ACS 4.2 + Active directory + peap

Hello guys!
We have acs 4.2 SE + remoteAgent which is located on our DC. WLAN with wpa+wpa2[802.1x auth] has been configured and all working perfectly - domain users trying to connect and gets user\pass prompt, after it auth succesfull and wireless access granted. But its a bit complicated with non-domain users, when they trying to connect to this network they get windows security alert because machine authentication not passed(PC not in domain so ACS can't auth this users). So, if i enable machine authentication under external windows database setting, acs succesfully authenticated station but wont promt for user\password. How can we enable prompting for user\pass while still maintain machine auth ?
Thank you!

I have a scenario for you in active directory when two passwords may be valid:
Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.
Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.
The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".
User1 decides to call the helpdesk and changes his password to "456".
The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be
valid.
If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC
emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.
Regards,
~JG
Do rate helpful posts

ACS 5.3, EAP-TLS Machine Authentication with Active Directory

I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.

Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
james

Hi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay

802.1x, catalyst, ACS & active directory external DB!

Similar Messages

Maybe you are looking for