AAA authentication problem

Hi,
I have a problem authenticating CiscoWorks 3.2 to a Cisco Nexus; I get this log:
"  %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from x.x.x.x  - login[4857] "
I am using SNMP v2.
I have also noticed that the Nexus does not accept symbols in the community string. Why?
Thanks

Hi, I was checking the logs on the Nexus and I found:
2011 Apr 25 07:34:53 test %SYSLOG-3-SYSTEM_MSG: Syslog could not be send to server(172.16.1.1) : No such file or directory
What does it mean? In ACS I can see that it is not authenticating:
Date: 04/24/2011
Time: 10:27:29
Message-Type: Authen failed
User-Name: ciscow
Group-Name: Network Group
Caller-ID: 172.16.1.1
Network Access Profile Name: (Default)
Authen-Failure-Code: CS password invalid
NAS-Port: 3002
NAS-IP-Address: 172.16.1.232
Access Device: test
Network Device Group: pool
(The remaining columns of the ACS report row, Author-Failure-Code, Author-Data, Filter Information, PEAP/EAP-FAST-Clear-Name, EAP Type, EAP Type Name and Reason, were blank.)
but I am able to use my username and password which is configured on the ACS server (I am able to log in to the Nexus using my credentials from the ACS server).
Output of some show commands:
test# sh aaa accounting
         default: group ACS
test# sh aaa authentication
         default: group ACS
         console: group ACS
test# sh aaa authorization
         pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
test# sh aaa groups
radius
ACS
show run
tacacs-server key 7 "xxxx"
tacacs-server host 172.16.1.230 key 7 "xxxx"
aaa group server tacacs+ ACS
    server 172.16.1.230
    source-interface Vlan1
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
tacacs-server directed-request
logging server 172.16.1.1
logging server 172.16.1.230
I hope this will help you to identify my issue.
Thanks
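The failure in the first post shows up in the NX-OS syslog as a run of pam_aaa "Authentication failed" messages for one user from one source address. Whether the cause is a management station such as CiscoWorks retrying a wrong password or someone guessing passwords, the same pattern is worth alerting on. The script below is an added example, not code from the original post or from Cisco: it parses the message format quoted above and reports user/source pairs that fail repeatedly inside a short window. The sample log lines are constructed to match that format, and the threshold of 3 failures in 5 minutes is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample NX-OS syslog, modelled on the two message formats quoted in
# the post. Hostname, timestamps, users and addresses are made up for the example.
SAMPLE_SYSLOG = """\
2011 Apr 25 07:30:01 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from 172.16.1.1  - login[4857]
2011 Apr 25 07:30:31 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from 172.16.1.1  - login[4861]
2011 Apr 25 07:31:02 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from 172.16.1.1  - login[4870]
2011 Apr 25 07:31:40 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 10.9.9.9  - login[4877]
2011 Apr 25 07:34:53 test %SYSLOG-3-SYSTEM_MSG: Syslog could not be send to server(172.16.1.1) : No such file or directory
2011 Apr 25 07:35:10 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from 172.16.1.1  - login[4890]
"""

# Timestamp, hostname, then the pam_aaa failure text. NX-OS pads single-digit
# days with a space, hence \s+ between the month and the day.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user "
    r"(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_failures(text):
    """Return one dict per pam_aaa authentication-failure line; other messages
    (such as the syslog delivery error) are ignored."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
            "host": m.group("host"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Return {(user, source): peak count} for every user/source pair that
    produced at least `threshold` failures inside some `window`-long interval.
    A management station retrying a wrong password and a password-guessing
    attempt both land here; either deserves a look."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e["ts"])
    alerts = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the left edge of the window forward until it fits
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    failures = parse_auth_failures(SAMPLE_SYSLOG)
    for (user, src), n in repeated_failures(failures).items():
        print(f"{n} failed logins for user {user!r} from {src} within 5 minutes")
```

On the constructed sample the script flags three failures for `ciscow` from 172.16.1.1 and ignores the single failure for `admin`. Pair the alert with the ACS Failed Attempts report: an `Authen-Failure-Code` of "CS password invalid" against a steady source address, as in the post, points at a stored credential that no longer matches rather than at a guessing attempt, and the fix is on the management station, not on the switch.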

Similar Messages

  • AAA LDAP problem on UCS Manager

    Hi all,
    I'm working on UCS Manager Suite and I would like to configure the authentication method using the LDAP protocol (AD: Windows 2008 R2 Standard Edition).
    I followed this configuration guide:
    http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/sample_configurations/UCSM_1_4_LDAP_with_AD/b_Sample_Configuration_LDAP_with_AD.pdf
    but I obtained the message: authentication failed.
    10.164.85.2 (UCS Manager)
    10.164.85.21 (AD)
    I have some doubt regarding the "Non-Admin Bind User Account": what privileges does it need?
    Attached is a Wireshark capture taken on the AD server.
    Regards.
    Dino

    Hi Brian,
    I deleted the LDAP provider profile and reconfigured a new profile with the same parameters, and now it works.
    I already used the "aaa test server" command to verify authentication and it works, BUT if I check the output of
    scope security
    scope ldap
    show server
    I obtain the same output:
    DAP server:
        Hostname or IP address   DN to search and read    Port  SSL  Password
        10.164.85.21             CN=ucs binduser,OU=DDUsers,DC=didata-dc,DC=local
                                                          389   No
    I expected **** under the Password column.
    Thank you for support.
    Regards.
    Dino

  • ACS SE AAA server problem

    HI
    I have installed ACS SE for PEAP authentication in a wireless network.
    However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after the initial config in the AAA server window of Network Configuration.
    The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
    Please help me to get this fixed.

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name (hostname).
    Sometimes what happens is, even if we have the ACS SE connected to the network during initial configuration and we change the name of the ACS SE from "deliverance1" to something that we want, after the change has been made on the ACS SE it comes back and shows the IP 169.x.x.x associated with the new hostname.
    NOTE: I am assuming that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
    In order to correct this issue, follow these steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the Ip address of the ACS SE.
    Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, move all other entries under the "AAA Servers" column, and press "Submit + Restart".
    Then delete the entry from the AAA Server section that is associated with IP address 169.x.x.x.
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
    Now the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • AAA pix problem

    Hi All
    From the PDM I can't change the AAA server to inside from outside; I get the following error.
    Issuing the no command from the CLI does not work either:
    [ERR]no aaa-server RADIUS (outside) host *.*.*.* cisco timeout 10
    you must remove all AAA corresponding entries prior to

    Hi. This means that the server *.*.*.* is referenced either by an AAA server group or is in some other way in use. I ran into the same issue and had to remove all the "accounting include" or "authentication include" statements that were referencing my server before I could remove the server definition and recreate it.
    HTH,
    Curtis

  • AAA Accounting problems

    I have questions regarding the AAA accounting of NX-OS. On the N7K and N5K, accounting is not done for show commands, only for config commands, unlike IOS. Is there any way to enable accounting of show commands as well?
    Another question is related to the Nexus 1000V, which only supports PAP or MSCHAP. It does not support the command "aaa authentication login ascii-authentication". Is there a way to enable it? Or is it some restriction?

    Larry,
    1) Please set up enable authentication to get the actual user name:
    aaa authentication enable console tacacs-auth LOCAL
    In the ACS user setup you need to set up the TACACS+ enable password.
    3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and is active on the firewall.
    Use only
    aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
    aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
    Now authentication should go to 218 and accounting to 219.
    Regards,
    ~JG
    Do rate helpful posts

  • Crystal Reports 2008; Can't select the certain table. Why?

    Please help me everyone!
    problem note:
    I'm using Crystal Reports 2008 to access an MS SQL Server 2005 database.
    Everything was good until last month.
    But somehow when I select the table "FTABLE11C", Crystal Reports hangs and no more Crystal Reports work.
    If I copy FTRAN11C to a different name such as "aaa" using the following statement and use Crystal Reports, then I can select "aaa" without problems.
    Select * into aaa from FTRAN11C.
    So, I drop the table FTRAN11C and copy FTRAN11C from the aaa table using the following statement,
    select * into FTRAN11C from aaa
    and select FTRAN11C again in Crystal Reports 2008; Crystal Reports 2008 hangs again.
    I'd like to know how to solve this situation.
    Thanks.
    1. We didn't have any patch on SQL Server.
    2. I deleted one field on the table named "FTRAN11C".
       That's all.
    3. I tried following steps;
       a. Copy the file to another name.
            Select * into aaa from FTRAN11C
       b. Dropped the bad table.
            Drop table FTRAN11C
       c. Copy back from saved table.
            Select * into FTRAN11C from aaa
    4. Open Crystal Reports 2008
       a. Connect to the database with OLE DB.
           Crystal Reports shows all the tables within the database without any problems.
       b. Select the table aaa.
           No problems. It shows on right side box.
       c. Select the table FTRAN11C that was recently created from the saved table.
           Now we have problems.
            It does not show in the right side box.
            A little circle displays forever.
            If I click the x on the right side, Crystal Reports 2008 closes.
    5. If I use following command on SQL Server Management Studio Express, all of data shows without any problems.
           Select * from FTRAN11C

    Install all patches as you are on the original release:
    Be sure you have the keycode, used to install the product, I will not be able to get you a new one if you lose it or don't have it available.
    The easiest way to update is to uninstall CR 2008 and then install Service Pack 3 full build:
    https://smpdl.sap-ag.de/~sapidp/012002523100009989492010E/cr2008_sp3_fullbuild.zip
    Then install SP 4:
    https://smpdl.sap-ag.de/~sapidp/012002523100008782452011E/cr2008sp4.exe
    Then test your reports again.
    As for using/upgrading to CR 2011, it's not required and likely won't make any difference, but you can upgrade if you want of course.
    Don

  • InstanceValueIf without a unique identifier in OPM 10.1

    Hi,
    I need to get an instance value from a child instance when the condition I use can have the same conclusion in several instances, as there is no data I could use to make the conclusion unique.
    The issue is that InstanceValueIf requires a condition with a unique conclusion across all instances.
    E.g.:
    The relationship between the entities Global and the bill is named "the bills" (1 to many).
    the name of the selected bill = InstanceValueIf(the bills, the bill's name, the simplified name = "AAA")
    The problem is that in my scenario several instances can have the simplified name AAA. In that case OPA will return uncertain, as there are several instances that satisfy the condition. I would like to pick the bill's name from any instance where the simplified name = "AAA", because if the simplified name = "AAA", the bill's name will always be either AAA1 or AAA2 for all instances where the simplified name = "AAA"; e.g. the bill's name = AAA1 for all instances where the simplified name = AAA.
    I was looking at whether I could use an alias (maybe ForScope), but from what I understand ForScope should still be able to find a unique value. Am I wrong?
    Is there anything else I could use to get around the problem in OPM 10.1?
    Thank you

    If we take your rule above and imagine the following data...
    Instance 1
    the bill's name: Homer
    the bill's simplified name: AAA
    Instance 2
    the bill's name: Marge
    the bill's simplified name: AAA
    ... how is the function meant to know whether 'the name of the selected bill' is Homer or Marge? Or are you saying that it will always be the case that 'the bill's name' will be identical for all instances of the entity where the simplified name is AAA? And you're wondering why the InstanceValueIf still evaluates to uncertain if the values for 'the bill's name' are identical?
    (Side note: All entity attributes should contain the name of the entity in the attribute text, e.g. "the bill's simplified name" rather than "the simplified name".)
    Cheers,
    Jasmine

  • ACS + Device Authorization Failure

    Good Afternoon:
    I'm hoping someone can help me out... I have an ACS configured with a group that is set up for admins. This group is mapped to an AD group. This is set up correctly. On each network device are the commands:
    aaa authorization exec default group tacacs+ if-authenticated
    I can create a local user and place them into the aforementioned group, and the TACACS authentication and authorization work fine. However, I cannot use that same local group mapped to an AD group and a user in that group. It passes authentication, but I get an authorization failure in my logs (ACS) and an authorization failed message on the device.
    Any ideas?
    Thanks!

    ACS has extensive logging capabilities that allow an administrator to troubleshoot any issue pertaining to the ACS server itself (for example, replication) or an AAA request problem (for example, an authentication problem) from NAS.
    Refer to the following URL for more info on troubleshooting ACS:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_Trble.html

  • SPLIT ACS CONFIGURATION

    Hi all. In Cisco's documentation I found something about split ACS deployment, where both ACS boxes can act as primary in their zones and then secondary for the other zone respectively, but I don't seem to understand how this can be done on the two ACS boxes. My concern is this:
    Is there a place where you can configure on each machine that machine "A" is the primary for this zone and machine "B" for the other zone, and vice versa?
    I also want to believe that on each AAA client the first TACACS server configured would be the default AAA server unless it is unavailable, in which case the client checks the next server, just like the behaviour of an ACL.
    Are there any docs that explain the replication of this database and the configurations required?
    Regards all.
    Thanks.

    Hi
    Split ACS Configuration is the concept of dividing the AAA load.
    As per Cisco :  In split ACS deployment, you use primary and secondary servers as in a small ACS deployment, but the AAA load is split between the two servers to optimize AAA flow. Each server handles the full workload of both servers in the event of a AAA connectivity problem, but during normal operations neither server carries the full load of authentication requests. This property of the servers allows for less stress on each ACS system, provides better loading, and makes you aware of the functional status of the secondary server through normal operations
    If you want to split the load then you have to change the way of AAA deployment.
    For example: you have 2000 devices & 2 ACS. Then you can divide the load.
    You can configure 1000 devices with:
        ACS 1 - Primary IP address
        ACS 2 - Secondary IP address
    & the other 1000 devices with:
        ACS 2 - Secondary IP address
        ACS 1 - Primary IP address
    In this way the load of 2000 devices will be split between the 2 ACS servers.
    Regards
    Chetan Kumar
    http://chetanress.blogspot.com

  • Java Persistance: Question about query within inheritance class

    In the parent class here is the annotation:
    @Entity
    @Table(name = "CONTENT_MEDIA")
    @Inheritance(strategy=javax.persistence.InheritanceType.JOINED)
    @DiscriminatorColumn(name="CONTENT_TYPE", discriminatorType=javax.persistence.DiscriminatorType.INTEGER)
    @DiscriminatorValue("4")
    In the child class here is the annotation and query:
    @Entity
    @Table(name = "ISBN_BOOK")
    @DiscriminatorValue("1000001")
    @NamedQueries( {
    @NamedQuery(name = "ISBN_BOOK.findViaISBN", query = "SELECT g FROM ISBNBook g WHERE g.ISBNnumber = :isbn")
    })
    When I do the query, the result is:
    Internal Exception: org.apache.derby.client.am.SqlException: Comparisons between 'INTEGER' and 'CHAR' are not supported.Error Code: -1
    Call:SELECT t0.CONTENT_ID, t0.CONTENT_TYPE, t0.OBTAIN_DATE, t0.SEARCH_TIMES, t0.LAST_SEARCH_DATE, t1.CONTENT_ID, t1.BOOK_NAME, t1.AUTHOR, t1.ISBN_NUMBER, t1.CURRENT_LOCATION FROM CONTENT_MEDIA t0, ISBN_BOOK t1 WHERE ((t1.ISBN_NUMBER = CAST (? AS VARCHAR(32672) )) AND ((t1.CONTENT_ID = t0.CONTENT_ID) AND (t0.CONTENT_TYPE = '1000001')))
    bind => [AAA]
    The problem is: t0.CONTENT_TYPE = '1000001'. I have set the column to Integer, so why does JPA use a char?
    Can anyone solve the problem for me?

    In the parent class here is the annotation:
    @Entity
    @Table(name = "CONTENT_MEDIA")
    @Inheritance(strategy=javax.persistence.InheritanceType.JOINED)
    @DiscriminatorColumn(name="CONTENT_TYPE", discriminatorType=javax.persistence.DiscriminatorType.INTEGER)
    @DiscriminatorValue("4")
    In the child class here is the annotation and query:
    @Entity
    @Table(name = "ISBN_BOOK")
    @DiscriminatorValue("1000001")
    @NamedQueries( {
    @NamedQuery(name = "ISBN_BOOK.findViaISBN", query = "SELECT g FROM ISBNBook g WHERE g.ISBNnumber = :isbn")
    })
    When I do the query, the result is:
    Internal Exception: org.apache.derby.client.am.SqlException: Comparisons between 'INTEGER' and 'CHAR' are not supported.Error Code: -1
    Call:SELECT t0.CONTENT_ID, t0.CONTENT_TYPE, t0.OBTAIN_DATE, t0.SEARCH_TIMES, t0.LAST_SEARCH_DATE, t1.CONTENT_ID, t1.BOOK_NAME, t1.AUTHOR, t1.ISBN_NUMBER, t1.CURRENT_LOCATION FROM CONTENT_MEDIA t0, ISBN_BOOK t1 WHERE ((t1.ISBN_NUMBER = CAST (? AS VARCHAR(32672) )) AND ((t1.CONTENT_ID = t0.CONTENT_ID) AND (t0.CONTENT_TYPE = '1000001')))
    bind => [AAA]
    The problem is: t0.CONTENT_TYPE = '1000001'. I have set the column to Integer, so why does JPA use a char?
    Can anyone solve the problem for me?
    I think now it is more readable.
    (use code tags pls)

  • Cannot sh run or ls

    Hi,
    Fairly new to ACS. Our 4.2 has been working fine until about 2 weeks ago. I have an account that is part of the admin group; that group is set to level 15 privilege. When I telnet into any of our routers or Linux servers, we can log in, but once we issue a sh run on routers or ls on *nix boxes the session freezes. It appears to be anything related to listing, etc. I can get into exec mode on our routers; those that are not part of any AAA have the same problem, can't sh run.

    Hi, JK,
    I tried what you suggested, but no luck. The odd thing is that the router I am telnetting to is not AAA enabled:
    Password:
    golr_middelburg>en
    Password:
    golr_middelburg#sh run | in aaa
    no aaa new-model
    golr_middelburg#sh run
    Building configuration...
    and that is where it stays for a long time until it disconnects. I created a new account and put it in the default group; it did not make a difference. The new account also has level 15 privilege. However, I can RDP fine to servers; it's just when you seem to pass output from telnet like ls or sh run...
    Sincerely

  • AAA Problem when WAN is offline

    Hi All,
    I have a problem at the moment logging into a router while the WAN is offline. TACACS+ works fine when the WAN is up, but when it's down I get prompted for a password, which I enter, and then get authorisation failed...
    Here is the AAA config:
    aaa authentication login default group tacacs+ enable
    aaa authorization config-commands
    aaa authorization exec default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Specifying local as a backup method for authorization may get around this problem, but does it not require that local user IDs and passwords be configured? Since the authentication login did not use the local IDs as backup I wonder about the logic of doing this for authorization. I have had good success by configuring authorization like this:
    aaa authorization exec default group tacacs+ if-authenticated
    which will bypass authorization processing if TACACS is not available and if the user has successfully authenticated.
    HTH
    Rick
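The behaviour Rick describes follows from how IOS walks a method list: a method that answers with a reject ends the list, while a method that cannot answer (the TACACS+ server is unreachable) hands over to the next one, and a list with no method left to try fails. The model below is an added example, not code from the thread or from Cisco IOS, that reduces each method to those three outcomes and replays the poster's configuration with and without Rick's `if-authenticated` fallback. The `Session` fields and the three method functions are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the request
    FAIL = "fail"    # method answered and rejected the request
    ERROR = "error"  # method could not answer (server unreachable)


@dataclass
class Session:
    tacacs_up: bool                 # is the TACACS+ server reachable over the WAN?
    known_user: bool                # would TACACS+ accept this user's credentials?
    enable_secret_ok: bool = True   # did the user type the correct enable secret?
    authenticated: bool = False     # set once the login method list has passed


def run_method_list(methods, session):
    """IOS-style method-list evaluation: methods are tried in order, only an
    ERROR (no answer) moves on to the next one, a FAIL stops immediately, and
    running out of methods counts as a failure."""
    for method in methods:
        result = method(session)
        if result is Result.PASS:
            return True
        if result is Result.FAIL:
            return False
    return False


def group_tacacs(session):
    """'group tacacs+': a reachable server answers PASS or FAIL, an unreachable one ERROR."""
    if not session.tacacs_up:
        return Result.ERROR
    return Result.PASS if session.known_user else Result.FAIL


def enable_method(session):
    """'enable' as a login method: the enable secret is accepted as the password."""
    return Result.PASS if session.enable_secret_ok else Result.FAIL


def if_authenticated(session):
    """'if-authenticated' as an authorization method: allow any user who has
    already passed login authentication."""
    return Result.PASS if session.authenticated else Result.FAIL


def login(session, auth_methods, authz_methods):
    """Run login authentication and then exec authorization, as IOS does for a
    vty session; returns a short description of the outcome."""
    session.authenticated = run_method_list(auth_methods, session)
    if not session.authenticated:
        return "authentication failed"
    if not run_method_list(authz_methods, session):
        return "authorization failed"
    return "exec shell granted"


# The configuration in the question: 'aaa authentication login default group tacacs+ enable'
# has a fallback method, 'aaa authorization exec default group tacacs+' has none.
ORIGINAL_AUTH = [group_tacacs, enable_method]
ORIGINAL_AUTHZ = [group_tacacs]
# Rick's suggestion: 'aaa authorization exec default group tacacs+ if-authenticated'.
FIXED_AUTHZ = [group_tacacs, if_authenticated]


if __name__ == "__main__":
    for wan_up in (True, False):
        s = Session(tacacs_up=wan_up, known_user=True)
        print(f"WAN up={wan_up}: original config -> {login(s, ORIGINAL_AUTH, ORIGINAL_AUTHZ)}")
        s = Session(tacacs_up=wan_up, known_user=True)
        print(f"WAN up={wan_up}: with if-authenticated -> {login(s, ORIGINAL_AUTH, FIXED_AUTHZ)}")
```

With the WAN down, the original lists authenticate the user against the enable secret and then fail exec authorization because the authorization list has nothing to fall back on, which is exactly the prompt-then-"authorisation failed" sequence in the question; adding `if-authenticated` grants the shell. The trade-off is worth stating: during an outage anyone holding the enable secret gets an exec shell with no per-user authorization, and the `start-stop group tacacs+` accounting in the same configuration records nothing, so the enable secret needs the same handling as an administrator credential and the outage itself should be visible in monitoring.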

  • AAA problems

    I have a doubt. Can a TACACS server finish a lot of customers' PPP sessions by not receiving accounting information?

    My problem is that we have a lot of customers connected to a 7206VXR, and this does AAA with Cisco Secure.
    We have suffered twice a drop of a lot of PPP customers and haven't seen the link go down nor any problem in the box.
    Hence my question: can Cisco Secure drop a lot of PPP calls after they have already connected and passed AAA?
    Thanks in advance.

  • WebVPN-Problem with Digital Certificate and AAA

    Hello everyone,
    I have a problem configuring WebVPN on an ASA 5520 using AAA and a Microsoft digital certificate (MSCEP).
    Currently, the WebVPN service is enabled and it worked well with AAA (local or external) only,
    but now I want to use both AAA and certificate for more security; I mean that the users will be authenticated 2 times (first they are checked for a valid certificate, then user/pass is the second one).
    Here are details:
    I tried installing a CA server (Microsoft CA service combined with SCEP) and registering the ASA with the CA server (the ASA works as a subordinate CA) --> these steps are OK, the ASA has registered; then the client uses a web browser to request a certificate from the CA, it is issued by the CA administrator, and then it is installed in the web browser.
    Testing:
    The client tried to access the SSL VPN; the WebVPN welcome message prompts for user/pass, but the message is "Logon Failed" before I give user and pass.
    Does anyone know and can advise?
    Thanks
    Khanh

    Hi all,
    Here are the attached files for my issue,
    Khanh

  • AAA problems PIX/ASA

    Hello
    I have a problem with authentication on my network. Here I have level 2 and level 3 support.
    Level 2 support has restricted access to some switches and routers; on the firewalls they should only be able to issue "show", but this is not happening.
    I configured shell command authorization on the ACS for the commands on switches and routers for these level 2 users, and for PIX/ASA shell commands I allowed only the commands enable and show.
    My problem is that even when level 2 support tries to access a PIX or ASA on my network, they get the authorization for routers and switches; they do not get the parameters that I set up for the PIX and ASA shell.
    The only authorization line on my firewalls is this one below:
    Authorization TACACS + aaa command LOCAL
    Do I have to configure anything else?
    I can not create a command set only for firewalls.
    Am I missing something?
    my firewall and IOS versions:
    Pix: 6.3
    ASA 6x, 7x, 8x
    thanks for help

    My problem is that my ACS v4.2 is not able to distinguish the PIX/ASA shell commands from the others. The same shell commands used on the switches are being applied on the firewalls.
    Is there a way to create separate privileges between switches and firewalls?
    Output of routers and firewalls. Switches and routers are the same.
    switches
    aaa authentication login ACS-AUTH group ACS-TACACS local
    aaa authorization config-commands
    aaa authorization exec ACS-AUTH group ACS-TACACS local
    aaa authorization commands 15 default group ACS-TACACS local
    aaa accounting exec default start-stop group ACS-TACACS
    aaa accounting commands 15 default start-stop group ACS-TACACS
    firewalls
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (transit) host x.x.x.x
    aaa-server RADIUS protocol radius
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+
