AAA Server IP Pool based on AAA Client

Hi,
I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
Any pointers on how to do this (if possible) would be greatly appreciated.
Thanks in advance
Andy

With ACS v4 you could do this....
Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
Probably only works when users are external as you need group mapping to make it work.
A bit kludgy.. but should work.

Similar Messages

  • Assigned by AAA client pool problem

    Folks,
    I think I'm getting closer to resolving my problem with ACS and DHCP.
    I have an ACS SE (4.1) authenticating dial-in users on a management network.
    I'm getting duplicate IP addresses being issued by the ACS, so I want to use a router to allocate DHCP addresses to up to 8 scopes - one per user on the ACS.
    I've added the router as an AAA client on the ACS with Cisco IOS RADIUS, and in the user settings I selected Assigned by AAA client pool and selected the pool name used on the router.
    Once the user tries, they get authenticated but I don't see any DHCP requests to the router.
    The ACS SE has 4 other AAA clients.
    Has anyone had an issue or successfully configured this before?
    Thanks to anyone taking the time to read this or to post a reply.
    Greatly appreciated


  • Authentication in the chain DUN-AAA client-ACS-NMAS-NDS

    Dears,
    I have installed Novell client on a windows XP.
    I will login my user and my password in NDS via the chain cisco aaa client
    (router cisco 2503)- acs server - nmas.
    For this in the login mask of the novell client, I select Dialup --> login
    using dial-up networking --> the profile of my DUN containing the
    properties of my modem connection --> no location (direct connect).
    When I press OK, it asks me for the details of the connection:
    - my username
    - my password
    - my domain
    - my phone number
    I select connect to initiate the connection. I leave the parameter "my
    domain" empty.
    I see that the Novell client is using DUN to dial in to the corresponding
    modem.
    I receive the call on my ACS AAA client (router Cisco 2503) and this AAA
    client is sending the packets to the ACS server for authentication.
    Then, the ACS server is receiving these packets and resends them to NMAS
    (token RADIUS server external database). Normally NMAS has to authenticate
    the user and password inside the NDS.
    But I receive an error message indicating that the username and password
    are invalid on the domain (error code 619).
    I don't understand this error message because there is no domain notion in
    Novell. I can understand that Microsoft needs a domain to authenticate the
    user and password. Because the Novell client dial-up is based on DUN and
    DUN is based on Microsoft, we need a domain for authenticating the username
    and password.
    Does it mean that I need an Active Directory for authenticating username
    and password in the domain?
    Does it mean that I have to integrate the AD with NDS ?
    Can I use the local AD/SAM of my PC to authenticate the username and the
    password in the domain ?
    If yes, how can I configure the NDS for this ?
    Could you help me as soon as possible ?
    Yours sincerely,
    Olivier MONTEE.


  • Configured Nacs- how to restrict AAA client access by specified Password

    Hi all,
    I have given the below config in the AAA client and added the client in User, Group; the NAR is configured for all clients.
    But my requirement is to restrict AAA client access by specified password.
    aaa new-model
    aaa group server tacacs+ NACS_Group1
    server 10.x.x.x
    server 10.y.y.y
    aaa authentication login default group NACS_Group1 local
    aaa authentication enable default group NACS_Group1 enable
    aaa authorization config-commands
    aaa authorization exec default group NACS_Group1 if-authenticated
    aaa authorization exec NACS_Group1 group tacacs+ local
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
    Apply existing shared NARs by name.
    Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
    Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
    Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

  • How to stop ACS intergated AD users to login in AAA clients(network device)

    I have ACS 4.2 Appliance which is integrated with Active directory.
    AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?

    These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
    What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
    For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
    aaa group server radius rad_admin
    server xxx.xxx.xxx.xxx
    aaa group server tacacs+ tac_admin
    server xxx.xxx.xxx.xxx
    If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

  • ISE Could not locate Network Device or AAA Client

    When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a VLAN with a defined IP address. Could this be causing the problem?
    Here is the config of the port that I'm testing on:
    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-ALLOW in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
    I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication dot1x defualt group radius
    aaa authentication dot1x group group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    ip radius source-interface TenGigabitEthernet1/0/1
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
     authentication order dot1x mab
     authentication priority dot1x mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

  • ACS 4.2.1: adding new AAA clients through odbc import

    Hello,
    we have added the user defined vendor RADIUS_HUAWEI to our Cisco ACS 4.2.1  Windows Server.
    Unfortunately there is a problem with importing network devices through odbc  connection using the accountactions table with the action code 220.
    The documentation tells us :
    220
    ADD_NAS
    VN, V1, V2, V3
    Adds a new AAA client (named in VN) with an IP address (V1), shared secret key  (V2), and vendor (V3). Valid vendors are:
    •VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
    •VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
    •VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
    •VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.
    •VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
    •VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.
    •VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
    •VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
    •VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
    •VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
    •VENDOR_ID_3COM_RADIUS—For Cisco 3COMUSR RADIUS.
    The new user defined vendor is:
    C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -listUDV
    CSUtil v4.2(1.15), Copyright 1997-2009, Cisco Systems Inc
    UDV 0 - RADIUS (RADIUS_HUAWEI)
    Our action code and variables look like:
    A=220
    VN="xxx"
    V1="10.10.10.10"
    V2="blabla"
    V3="VENDOR_ID_RADIUS_HUAWEI"
    Error Code is as following:
    06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown   [A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla"  V3="VENDOR_ID_RADIUS_HUAWEI"]
    Does anybody know the correct name for the V3 variable to import the network device in a correct way?
    Best regards
    Torsten Waibel

    Hello,
    we have a new ACS appliance (1113) with version 4.2.1.15 and we want to
    authenticate users through SSH from routers with IOS XR software.
    Unfortunately this doesn't work. Here is our configuration of the router:
    ##################################################
    line template VTY
    access-class ingress abcd
    !
    tacacs-server host x.x.x.x port 49 single-connection
    tacacc-server key 7 test
    !
    tacacs source-interface Loopback13
    !
    ssh server v2
    ssh timeout 60
    ! AAA config
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting commands default start-stop group tacacs+
    aaa authorization exec default group tacacs+ none
    aaa authorization commands default group tacacs+ none
    aaa authentication login default group tacacs+ local
    ##################################################
    Does anybody have a solution for this problem?
    Thanks and best regards
    Torsten Waibel

    Hi Torsten Waibel,
    For SSH to be supported you should have a cryptography IOS image on the router, and check for the command transport input ssh under the line vty configuration.
    If helpful do rate the post
    Ganesh.H

  • 13017 Received TACACS+ packet from unknown Network Device or AAA Client

    I am adding new routers to our corporate network for a new MPLS network. I am getting "13017 Received TACACS+ packet from unknown Network Device or AAA Client" errors for these new routers. They are added to ACS 5.4.0.30 correctly just like all of our other devices. We have never had real routers on the network before, just switches and access points. Is there something special I need to set in ACS for these to work and authenticate correctly? I can only access them currently with the built-in login locally.
    One of the new router configs
    Current configuration : 2370 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname T666
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa session-id common
    clock timezone CST -6
    clock summer-time CDT recurring
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    voice-card 0
    crypto pki trustpoint TP-self-signed-2699490457
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2699490457
     revocation-check none
     rsakeypair TP-self-signed-2699490457
    username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
    interface FastEthernet0/0
     ip address 10.114.2.1 255.255.255.0
     ip helper-address 10.30.101.4
     duplex auto
     speed auto
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    interface Serial0/1/0
     ip address X.X.X.X 255.255.255.252
     no fair-queue
     service-module t1 timeslots 1-24
     service-module t1 remote-alarm-enable
     service-module t1 fdl ansi
     no cdp enable
    router bgp 65065
     no synchronization
     bgp log-neighbor-changes
     network 10.114.2.0 mask 255.255.255.0
     neighbor X.X.X.X remote-as 209
     neighbor X.X.X.X default-originate
     default-information originate
     no auto-summary
    ip forward-protocol nd
    ip bgp-community new-format
    ip http server
    ip http authentication aaa
    ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    no logging trap
    tacacs-server host 10.30.101.221 key 7 1429005B5C502225
    tacacs-server host 10.30.101.222 key 7 1429005B5C502225
    tacacs-server directed-request
    control-plane
    banner exec ^CC
    C
    Login OK
    ^C
    banner motd ^CC
    C
    **  UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED.  USE OF
    **  THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
    **  RUAN Transport Corporation
    **  Network Services
    **  [email protected]
    **  515.245.2512
    ^C
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 30 0
     transport input all
    line vty 5 15
     exec-timeout 30 0
    scheduler allocate 20000 1000
    end
    T666#

    AAA Protocol > TACACS+ Authentication Details
    Date: September 19, 2014
    Generated on September 19, 2014 10:21:27 AM CDT

    Authentication Details
    Status: Failed
    Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client
    Logged At: Sep 19, 2014 10:21 AM
    ACS Time: Sep 19, 2014 10:21 AM
    ACS Instance: acs01
    Authentication Method:
    Authentication Type:
    Privilege Level:

    User
    Username:
    Remote Address:

    Network Device
    Network Device:
    Network Device IP Address: 10.114.2.1
    Network Device Groups:

    Access Policy
    Access Service:
    Identity Store:
    Selected Shell Profile:
    Active Directory Domain:
    Identity Group:
    Access Service Selection Matched Rule:
    Identity Policy Matched Rule:
    Selected Identity Stores:
    Query Identity Stores:
    Selected Query Identity Stores:
    Group Mapping Policy Matched Rule:
    Authorization Policy Matched Rule:
    Authorization Exception Policy Matched Rule:

    Other
    ACS Session ID:
    Service:
    AV Pairs:
    Response Time:
    Other Attributes:
    ACSVersion=acs-5.3.0.40-B.839
    ConfigVersionId=359
    Device Port=59840
    Protocol=Tacacs

    Authentication Result
    Steps: Received TACACS+ packet from unknown Network Device or AAA Client

  • TACACS+ packet from unknown Network Device or AAA Client

    Hi all,
    I can't log in using the credentials set on the ACS server. The log shows:
    "Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
    I know there are some changes on the TACACS+ part for new Catalyst IOS, so I referred to the guide and this is my config snippet:
    aaa group server tacacs+ TAC_PLUS
    server name AUTH
    tacacs server AUTH
    address ipv4 10.10.21.251
    key xxxxxx
    aaa authentication login TAC_PLUS group tacacs+ local line
    aaa authorization exec TAC_PLUS group tacacs+ none
    aaa authorization commands 15 default if-authenticated
    aaa accounting update periodic 1
    aaa accounting exec TAC_PLUS start-stop group tacacs+
    aaa accounting network TAC_PLUS start-stop group tacacs+
    aaa accounting connection TAC_PLUS start-stop group tacacs+
    My platform is
    - C6500 running on IOS 12.2 (33) SXJ1
    - ACS 5.2.0.26
    Need guidance on this, thanks
    Noel

    Hello,
    Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
    Regards.

  • Denying AAA Clients to a specific user group in ACS v4.1

    Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
    thanks in advance,
    dave

    Hi,
    Why don't you use NAR (Network access restriction)
    Under the network config > simply create one NDG and assign all the voice router under it.
    After that go to the group/user where you want to put this restriction
    You need to check that what are we getting in calling station id. If we are getting ip address then
    [1] To accomplish above we would configure the group with following
    NAR (network access restriction)
    Define IP based Network Access Restriction
    Permitted Calling Point
    AAA client: VOICE NDG created
    Port *
    Src IP Address *
    Submit the changes and try.
    Here is more on configuring Network Access Restriction:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900
    HTH
    JK
    Plz rate helpful posts-

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS but different subnet cannot.
    I have checked the firewall between them. It allows any any with all services.
    One more thing I have faced today is that now only one switch (10.1.2.10) can access ACS, but other switches in the same subnet (10.1.2.0/24) can't access ACS, same as the previous issue.
    Following are the logs of one switch(10.1.2.10) in different subnet can access ACS :
    Working Switch with Same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than is configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
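
Added example (not part of the original posts and not Cisco's code): a Python check for the mismatch the reply above describes, where a device sources TACACS+ or RADIUS packets from an address other than the one registered for it on the AAA server, so the server cannot match the packet to a device entry (logged as 13017 and 11007 in the threads on this page). The sample config, the client list and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: a trimmed IOS config in the style of those posted above.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.1.2.20 255.255.255.255
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
interface GigabitEthernet0/1
 no ip address
ip tacacs source-interface Vlan20
ip radius source-interface Loopback0
tacacs-server host 10.1.1.2
"""

# Constructed sample: addresses or subnets registered as AAA clients on the server.
SAMPLE_AAA_CLIENTS = ["10.1.2.0/24", "10.1.1.10"]

IFACE_RE = re.compile(r"interface (\S+)")
ADDR_RE = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+")
SOURCE_RE = re.compile(r"ip (tacacs|radius) source-interface (\S+)")


def interface_addresses(config):
    """Map interface name -> primary IPv4 address; interfaces without one are omitted."""
    addresses, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = IFACE_RE.fullmatch(line)
        if match:
            current = match.group(1)
            continue
        # fullmatch skips "no ip address" and "... secondary" lines.
        match = ADDR_RE.fullmatch(line)
        if match and current:
            addresses.setdefault(current, match.group(1))
    return addresses


def audit_source_addresses(config, registered_clients):
    """Return (protocol, interface, address, status) for TACACS+ and RADIUS.

    status is one of:
      "unpinned"     - no source-interface command, address depends on egress path
      "no-address"   - source interface has no usable IPv4 address in the config
      "unregistered" - address is not covered by any registered AAA client entry
      "ok"           - address matches a registered AAA client entry
    """
    networks = [ipaddress.ip_network(c, strict=False) for c in registered_clients]
    addresses = interface_addresses(config)
    pinned = {}
    for raw in config.splitlines():
        match = SOURCE_RE.fullmatch(raw.strip())
        if match:
            pinned[match.group(1)] = match.group(2)

    findings = []
    for protocol in ("tacacs", "radius"):
        iface = pinned.get(protocol)
        if iface is None:
            findings.append((protocol, None, None, "unpinned"))
            continue
        addr = addresses.get(iface)
        if addr is None:
            findings.append((protocol, iface, None, "no-address"))
        elif any(ipaddress.ip_address(addr) in net for net in networks):
            findings.append((protocol, iface, addr, "ok"))
        else:
            findings.append((protocol, iface, addr, "unregistered"))
    return findings


if __name__ == "__main__":
    for finding in audit_source_addresses(SAMPLE_CONFIG, SAMPLE_AAA_CLIENTS):
        print(finding)
```

An "unregistered" or "unpinned" result is the cue to compare the address shown in the server's failure record with the device entry, as the replies on this page suggest.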

  • Sync/copy AAA clients between two ACS5.2

    Hi, all, we are moving network devices (200+) authentication/authorization/accounting to new ACS5.2, is there any easy way to copy/sync all those AAA clients configuration to another ACS5.2 server? I don't need other configuration to be synced/copied to another ACS5.2 server, thanks in advance.

    To reconfirm from the previous thread, the export/import mechanism is designed to meet this use case for network devices.
    One other point to consider is the case where you have made changes to the NDGs as well as the network device definitions.
    There is also an export/import mechanism for the NDGs.
    Since the network device definitions reference the NDGs, you need to ensure these are in sync before importing the network devices themselves.

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login


  • Add AAA Client Errors,Shared Secret value must not be blank.

    hello,
    When I add the AAA client to the ACS 4.2 90 evaluation software installed on Win2003 Std OS with SPk 1, it gives the below error when I enter the shared secret value and then submit it.
    "Shared Secret value must not be blank"
    What could be the cause?
    Thks
    swami

    This could be related to the browser; it sounds like the ACS might not be receiving the Shared Secret from your input.
    The ACS 4.2 does not allow an AAA client to be added without a shared secret key.
    CSCsr68278 ACS 4.2 does not allow a blank TACACS+ key
    Make sure that the ACS IP Address is added into your Trusted Sites (IE). You could also try updating to the latest version of Java.

  • 11007 could not locate network device or aaa client

    Dears,
    I have two redundant WLC and two ISE configured as primary and secondary.
    I configured the Dot1x and users authenticated successfully, but my issue that i'm still receiving this error message (11007 could not locate network device or aaa client).
    Any ideas or suggestions highly appreciated,

    ISE NAD Import via CSV passes with invalid IP, unable to load NAD config
    CSCur65990
    Description
    Symptom:
    RADIUS requests dropped due to failure reason "11007 Could not locate Network Device or AAA Client", even though they are successfully loaded in ISE.
    Conditions:
    Issue with Network Device import via CSV.
    Known Affected Releases:
    (2)
    1.2(0.912)
    1.3(0.876)
