ACE Virtual context -TACACS authentication issue

Hello All,
I have configured four contexts in the ACE module.
I am trying to authenticate each individual context through ACS.
Admin context authentication is working perfectly fine, and it is assigning the role of Admin for all the ACS users.
But when I am trying to authenticate the other contexts, the authentication part is working fine, but the user is not able to do any action other than show commands.
When I checked the user account (show user-account), it is given the role of Network-Admin.
Admin Context Output:
user:parvees.m
        roles: Admin
        domain: default-domain
        Context: Admin
Context ABC output:
user:parvees.m
        roles: Network-Admin
        domain: default-domain
        Context: ABC
Any help is highly appreciated.
regards,
Parvees

Hi
The following ACS shell attribute has been added and it worked for me:
shell:ABC ="Admin default-domain"
This has been repeated for all the domains, and it worked fine.
regards,
Parvees

Similar Messages

  • ACE TACACS authentication

    Hi,
I have a few questions about setting up RBAC on an ACE with an ACS (AAA server).
1. Custom attributes: according to the config guide, the following string must be specified in the custom attribute,
e.g. shell:Admin=Admin default-domain. This does include the ACE name so it can be any Admin VC. This means a user with the group can access all Admin VCs?
2. When a user VC talks to an ACS, does it use the context name as the hostname (AAA client) when configuring the network configuration in ACS?

Each virtual context can be configured with TACACS separately. When you configure:
shell:Admin=Admin default-domain
and set the management IP of the Admin context as the device in ACS, then a user logging into Admin can do a changeto and get into that context with Admin rights.
But let's say that we have a context named TEST and we want to set up a group of users who only have admin rights for TEST.
We set up the context to do TACACS (define server, aaa authentication, etc.).
We put the management IP as a new device in ACS.
We define the TACACS properties for the group as:
shell:TEST=Admin default-domain
You can use multiple lines in the group or user, defining different roles for different contexts; the trick is that each context would be configured for TACACS and defined as a separate device in ACS.
If you log in to the Admin context with Admin rights, only the Admin context talks to ACS; there is no further authentication done when you do a changeto.
When you log in directly to contexts, those contexts talk to ACS and are identified by the IP address of the device you added as the AAA client IP in the network configuration screen of ACS.
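The two threads above come down to the same rule: the ACS profile needs one `shell:<context>=<role> <domain>` attribute per virtual context a user logs into directly, and a context with no matching attribute lands the user in a default role. As an added example (not code from the forum posters or from Cisco), the Python below parses a profile's custom-attribute lines, resolves the role for a given context and lists the contexts that have no attribute at all. It also accepts the `shell:<context>*<role> <domain>` spelling seen elsewhere on this page, since in TACACS+ AV pairs `=` marks a mandatory pair and `*` an optional one. The `default_role` argument and the sample profile are constructed assumptions; the thread reports Network-Admin and Network-Monitor as the roles seen when no attribute matched.

```python
"""Resolve the ACE role a TACACS+ user lands in per virtual context from the
shell:<context>=<role> <domain> custom attributes returned by ACS.
Added example; not code from the forum thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# One attribute per context. '=' is a mandatory TACACS+ AV pair, '*' an optional
# one. Quotes around the value, as in shell:ABC ="Admin default-domain", are tolerated.
_ATTR_RE = re.compile(
    r'^shell:(?P<context>[^=*\s]+)\s*(?P<sep>[=*])\s*"?(?P<value>[^"]+?)"?\s*$')


@dataclass(frozen=True)
class ContextRole:
    context: str
    role: str
    domains: Tuple[str, ...]
    mandatory: bool


def parse_shell_attributes(lines: Iterable[str]) -> Dict[str, ContextRole]:
    """Parse ACS custom-attribute lines keyed by context name.
    A malformed line raises ValueError instead of silently granting nothing."""
    entries: Dict[str, ContextRole] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised attribute line: {raw!r}")
        parts = m.group("value").split()
        if len(parts) < 2:
            raise ValueError(f"expected '<role> <domain>...' after the separator in {raw!r}")
        ctx = m.group("context")
        entries[ctx] = ContextRole(context=ctx, role=parts[0],
                                   domains=tuple(parts[1:]),
                                   mandatory=(m.group("sep") == "="))
    return entries


def effective_role(entries: Dict[str, ContextRole], context: str,
                   default_role: str = "Network-Monitor") -> Tuple[str, Tuple[str, ...]]:
    """Role and domains for a direct login to `context`. The context name is the
    lookup key because each context is its own AAA client in ACS. `default_role`
    is an assumption standing in for whatever the device applies when no
    attribute matches."""
    entry = entries.get(context)
    if entry is None:
        return default_role, ("default-domain",)
    return entry.role, entry.domains


def missing_contexts(entries: Dict[str, ContextRole], contexts: Iterable[str]) -> List[str]:
    """Contexts with no attribute: logins there fall to the default role,
    which is the symptom described in the original post."""
    return [c for c in contexts if c not in entries]


# Constructed sample profile: the original poster's fix for context ABC plus the
# Admin entry from the thread; TEST is given a reduced, optional role for contrast.
SAMPLE_ATTRIBUTES = [
    "shell:Admin=Admin default-domain",
    'shell:ABC ="Admin default-domain"',
    "shell:TEST*Network-Monitor default-domain",
]

if __name__ == "__main__":
    profile = parse_shell_attributes(SAMPLE_ATTRIBUTES)
    for ctx in ("Admin", "ABC", "TEST", "XYZ"):
        print(ctx, effective_role(profile, ctx))
    print("contexts missing an attribute:",
          missing_contexts(profile, ["Admin", "ABC", "XYZ"]))
```

Run it against the attribute lines copied out of the ACS group or user profile and the list of contexts that are registered as AAA clients; any context reported by `missing_contexts` is one where the user will get the default role rather than the intended one.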

  • Reload a virtual context in ACE

    Hi,
Is it possible to reload one or more virtual contexts in the ACE module? Is it possible to download checkpoints from the ACE to a remote server and vice versa?
    Thank you

You can't reload a single context; maybe they will change this with the next major release. Copying a checkpoint is also not possible imho. So if you delete a context, all of its checkpoints are gone.
If you want to do a write erase and reload for a fresh start, you have to create an initial "empty" checkpoint and roll back.
The easiest way to create a fresh context and make sure it has the same configuration is to copy and paste from a config file, but you have to be careful about the order, e.g. if you reference a cert which is not in the store, or paste an ssl-proxy into a service policy without the ssl-proxy part configured, etc.
    But as always maybe someone has even better advice.
    Roble

  • Ssh access into virtual context on the ACE module A(2.2)

    Hello,
    I tried to configure:
    Admin(conf)#context test
    Admin(conf-context)#ssh key rsa1 1024
but this ssh command is not supported in this newest version. How can I configure SSH access directly into a virtual context on the ACE module?
    Thank you

    Here's a link on how to configure it.
    https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
    Hope that helps.

  • Integrate Cisco ACE into AAA TACACS+

    Dear Community!
I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all the configuration parameters mentioned in this document, and everything seems to be OK.
But...
I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working while logging in to Cisco routers: after authentication, the user remains in privilege level 1.
Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS in a router, but no luck...
Does anybody have any experience with this "bug"?
    Thanks in advance!
    Regards,
    Belabacsi
    @ Budapest, Hungary

    Hello Bela
In ACE, on every context (including Admin and the others) you should have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ MYTACACS
      server x.x.x.x
      server x.x.x.x
    aaa authentication login default group MYTACACS local
    aaa authentication login console group MYTACACS local
    aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
              shell:Admin*Admin default-domain
        if you have additional context add next line
              shell:mycontext*Admin default-domain
After logging in to the ACE and issuing the sh users command you should see the following:
    User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
    *adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Regards,
    Stas

  • Problem setting 7606 router for TACACS+ authentication

    Hello Support Community,
I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is reachable from desktops for ssh login. The true IP addresses and vrf have been altered because it's a company router.
I use the two servers to authenticate many other Cisco devices in the network and they are working fine.
I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 of the servers from the source interface and the vrf.
The server key is hidden, but at the time of configuration I could ascertain that it was correct.
The problem is that after configuring TACACS authentication, the router still uses the enable password instead of TACACS. While the debug output shows 'bad password', why is the router not authenticating using TACACS? Why is it using the enable password?
Please study the outputs below and help point out what I may need to change.
PS: I have tried out many other combinations, including deprecated ones, without success, including the method suggested on this page:
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help, I'm stuck.
    ROUTER#sh running-config | sec aaa
    aaa new-model
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    aaa session-id common
    ROUTER#sh running-config | sec tacacs
    aaa group server tacacs+ admin
    server name admin
    server name admin1
    ip vrf forwarding OAM
    ip tacacs source-interface GigabitEthernet1
    aaa authentication login admin group tacacs+ local enable
    tacacs server admin
    address ipv4 1.1.1.1
    key 7 XXXXXXXXXXXXXXXXXXXX
    tacacs server admin1
    address ipv4 2.2.2.2
    key 7 XXXXXXXXXXXXXXXXxxxx
    line vty 0 4
    login authentication admin
    ROUTER#sh tacacs
    Tacacs+ Server -  public  :
                   Server name: admin
                Server address: 1.1.1.1
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server -  public  :
                   Server name: admin1
                Server address: 2.2.2.2
                   Server port: 49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:          0
            Total Packets Recv:          0
    Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f 
    Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
    ROUTER#sh ver
    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Fri 30-Mar-12 08:34 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
    ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
    Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
    System returned to ROM by reload (SP by reload)
    System restarted at 20:00:59 UTC Wed Aug 28 2013
    System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
    Last reload type: Normal Reload
    Last reload reason: power-on
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
    Processor board ID FOX1623G61B
    BASEBOARD: RSP720
    CPU: MPC8548_E, Version: 2.1, (0x80390021)
    CORE: E500, Version: 2.2, (0x80210022)
    CPU:1200MHz, CCB:400MHz, DDR:200MHz,
    L1:    D-cache 32 kB enabled
            I-cache 32 kB enabled
    Last reset from power-on
    3 Virtual Ethernet interfaces
    76 Gigabit Ethernet interfaces
    8 Ten Gigabit Ethernet interfaces
    3964K bytes of non-volatile configuration memory.
    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).
    Configuration register is 0x2102

In order to resolve this issue, please replace the command listed below:
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You defined the server group name as the method list name, and instead of using admin as the server group, you used tacacs+.
Note: Please ensure you have a local user and an enable password configured in case the TACACS server is unreachable.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**
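The reply's diagnosis can be checked mechanically: the method list `admin` points at the implicit `tacacs+` group, which is populated only by legacy `tacacs-server host` entries, while the named group `admin` that holds the new-style `tacacs server` blocks is never referenced, so the list falls through to `local` and then `enable` (which matches the zero packets sent in `sh tacacs` and the ENABLE debug lines). As an added example, not the reply author's tooling or anything from Cisco, the Python below parses the relevant lines of the quoted configuration (constructed here from the thread, keeping its sanitised addresses and key) and reports both problems; applying the suggested replacement clears them. The check assumes, consistent with the reply, that new-style `tacacs server` blocks are reachable only through a named group, and that a vty line with no `login authentication` statement uses the default list.

```python
"""Lint IOS AAA login method lists for the misconfiguration in the thread above:
a server group that is defined but never used, and a method list pointing at the
implicit 'tacacs+' group while every server is defined new-style ('tacacs server NAME').
Added example; not Cisco tooling. Sample configs below are constructed from the thread."""
import re
from typing import Dict, List


def parse_aaa_config(text: str) -> Dict:
    """Collect server groups, legacy hosts, named servers, login method lists and line references."""
    cfg: Dict = {"groups": {}, "legacy_hosts": [], "named_servers": set(),
                 "method_lists": {}, "line_refs": []}
    current_group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"aaa group server (tacacs\+|radius) (\S+)$", line):
            current_group = m.group(2)
            cfg["groups"][current_group] = {"protocol": m.group(1), "members": []}
        elif m := re.match(r"server name (\S+)$", line):
            if current_group is not None:
                cfg["groups"][current_group]["members"].append(m.group(1))
        elif m := re.match(r"tacacs-server host (\S+)", line):
            cfg["legacy_hosts"].append(m.group(1))   # feeds the implicit 'group tacacs+'
            current_group = None
        elif m := re.match(r"tacacs server (\S+)$", line):
            cfg["named_servers"].add(m.group(1))     # new-style block; used only via a named group
            current_group = None
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", line):
            cfg["method_lists"][m.group(1)] = m.group(2).split()
            current_group = None
        elif m := re.match(r"login authentication (\S+)$", line):
            cfg["line_refs"].append(m.group(1))
        # vrf binding, source-interface, keys and addresses are not needed for the check
    return cfg


def lint_aaa(cfg: Dict) -> List[str]:
    """Return findings; an empty list means the login method lists are consistent."""
    findings: List[str] = []
    used_groups = set()
    for name, methods in cfg["method_lists"].items():
        groups = [methods[i + 1] for i, tok in enumerate(methods[:-1]) if tok == "group"]
        for grp in groups:
            if grp == "tacacs+":
                if not cfg["legacy_hosts"]:
                    findings.append(
                        f"method list '{name}': 'group tacacs+' is the implicit group of "
                        f"'tacacs-server host' entries, but none exist; the list falls "
                        f"through to its next methods")
            elif grp == "radius":
                pass  # implicit RADIUS group; legacy radius-server hosts are not tracked here
            elif grp in cfg["groups"]:
                used_groups.add(grp)
            else:
                findings.append(f"method list '{name}': server group '{grp}' is not defined")
    for grp, info in cfg["groups"].items():
        if grp not in used_groups:
            findings.append(f"server group '{grp}' is defined but no login method list uses 'group {grp}'")
        if info["protocol"] == "tacacs+":
            for member in info["members"]:
                if member not in cfg["named_servers"]:
                    findings.append(f"server group '{grp}': member '{member}' has no 'tacacs server {member}' block")
    for ref in cfg["line_refs"]:
        if ref != "default" and ref not in cfg["method_lists"]:
            findings.append(f"line references method list '{ref}', which is not defined")
    return findings


# Constructed from the configuration quoted in the thread (addresses and key already sanitised there).
BROKEN_CONFIG = """
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
"""

# The reply's fix: the default list now uses the named group 'admin'. The vty line
# keeps no explicit 'login authentication', so it uses the default list.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login default group admin local enable",
).replace(" login authentication admin\n", "")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint_aaa(parse_aaa_config(text)) or "no findings")
```

Feed it the output of `show running-config | section aaa|tacacs|line` from the device; the "defined but no login method list uses" finding is the tell-tale for the mix-up between a server group name and a method list name described in the reply.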

  • Tacacs+ access issue with ASA firewall after integrating with RSA SecureID

    Hi,
In my earlier post I raised the same question, but let me rephrase it again. I have configured TACACS+ in the Cisco ASA firewall and am able to access it. But when I integrated it with RSA SecurID, I am not able to enter enable mode. It is not accepting the enable password nor the RSA passcode. I have created enable_15 in the ASA, ACS and RSA server, but no luck.
    Did any one face similar issue with ASA access ?
    Rgds
    Siddhesh

    Hi Siddesh,
In order to help you here, I need to know a few things:
    1.] Show run | in aaa
    2.] When you enter enable password on ASA CLI, what error do you see on ACS > Monitoring and reports > AAA protocols > tacacs authentication > "look for the error message"
    3.] Turn on the debugs on ASA "debug tacacs" and "debug aaa authentication" before you duplicate the problem.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Authentication issue getting "UMELoginException"

    Dear Guys,
    I am facing an authentication issue. The situation is like this,
My NT password was about to expire (it had 6 more days until expiry). I was able to log in until yesterday, and all of a sudden today, when I was trying to log in, I was not able to (it gave me a password change message). So I went back and changed my NT password and tried to log in to the portal again, however I am still not able to. I am pasting the stack trace:
    #1.5#001143FDCEA7006700000008000018C40004196E4AD849E8#1153861399615#com.sap.security.core.imp#sap.com/irj#com.sap.security.core.imp.[cf=com.sap.security.core.sapmimp.logon.SAPMLogonLogic][md=doLogon][cl=20282]#Guest#192####fff21cf01c2011dba425001143fdcea7#SAPEngine_Application_Thread[impl:3]_0##0#0#Error##Java###doLogon failed
    [EXCEPTION]
    #1#com.sap.security.core.logon.imp.UMELoginException
         at com.sap.security.core.logon.imp.SAPJ2EEAuthenticator.logon(SAPJ2EEAuthenticator.java:318)
         at com.sapportals.portal.prt.service.authenticationservice.AuthenticationService.login(AuthenticationService.java:344)
         at com.sapportals.portal.prt.connection.UMHandler.handleUM(UMHandler.java:126)
         at com.sapportals.portal.prt.connection.ServletConnection.handleRequest(ServletConnection.java:186)
         at com.sapportals.portal.prt.dispatcher.Dispatcher$doService.run(Dispatcher.java:522)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sapportals.portal.prt.dispatcher.Dispatcher.service(Dispatcher.java:405)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet.service(InvokerServlet.java:156)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.doWork(RequestDispatcherImpl.java:312)
         at com.sap.engine.services.servlets_jsp.server.runtime.RequestDispatcherImpl.forward(RequestDispatcherImpl.java:368)
         at com.sap.portal.navigation.Gateway.service(Gateway.java:101)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.runServlet(HttpHandlerImpl.java:390)
         at com.sap.engine.services.servlets_jsp.server.HttpHandlerImpl.handleRequest(HttpHandlerImpl.java:264)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:347)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.startServlet(RequestAnalizer.java:325)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.invokeWebContainer(RequestAnalizer.java:887)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.handle(RequestAnalizer.java:241)
         at com.sap.engine.services.httpserver.server.Client.handle(Client.java:92)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:148)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Please help.
    Regards,
    Deepak

    Hi Deepak,
Most times it just needs to replicate through your system(s).
    Regards,
    Kai
    PS: Please reward points if that was helpful.

  • ANM 4.2 Tacacs authentication

    The documentation for configuring Tacacs authentication at this link (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1267519) states the following:
Note: For the ACE to properly perform user authentication using a TACACS+ server, the username and password must be identical on both ANM and the TACACS+ server.
If the user ID and password have to be the same, what is the point of using TACACS for authentication? Someone please tell me that I can use a TACACS+ server without being forced to keep the user ID and password synced between ANM and TACACS.

    This has now been corrected
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.2/user/guide/UG_admin.html#wp1275208
    Matthew

  • ACE - Setup AAA TACACS+ using CS Unix ACS

    Hi,
I have set up AAA TACACS+ on the ACE Admin context with an RSA token. This is similar to the AAA IOS setup.
I can log in, but it does not allow me to do any commands.
"show users", under Domain, says I am logged in as "Network-Monitor default-domain".
Any ideas how to get around this and make myself part of the Admin group?
Also, is there any doco on setting up AAA on the ACE module using Cisco Secure ACS for Unix?
    Thanks
    Sanjay

    Hi,
It did work as you suggested. I had to move the user into [Root] as we have other shell attributes in different groups.
Oct 16 15:18:29 c1 CiscoSecure: [ID 428912 local0.debug] DEBUG -
    Oct 16 15:18:29 c1 user = test2 {
    Oct 16 15:18:29 c1 service = shell {
    Oct 16 15:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    Oct 16 13:18:29 c1 }
    Oct 16 13:18:29 c1 service = exec {
    Oct 16 13:18:29 c1 set optional shell:Admin = "Admin Admin default-domain"
    ACE-Admin/Admin# sh users
    User Context Line Login Time (Location) Role Domain(s)
    admin Admin pts/0 Oct 17 13:43 (127.0.0.71) Admin default-domain
    *test2 Admin pts/1 Oct 17 14:07 (a.b.c.d) Admin default-domain
When I moved the user into the support group with existing shell access configured, it dumps me in Network-Monitor mode, maybe due to TACACS attribute inheritance. I did not want to stuff up existing support users.
So I guess my option is to use RADIUS as the login method.
I am trying to get it going, but CS ACS Unix does not like:
cisco-avpair = "shell:Admin=Admin default-domain;
    Oct 16 15:18:29 c1 radius = ACE_Admin_Pri {
    Oct 16 15:18:29 c1 check_items = {
    Oct 16 15:18:29 c1 200 = 1
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 reply_attributes = {
    Oct 16 15:18:29 c1 26 = "cisco-avpair=shell:Admin=Admin default-domain; "
    Oct 16 15:18:29 c1 6 = 6
    Oct 16 15:18:29 c1 }
    Oct 16 15:18:29 c1 }
    Now I get :
    [ID 901471 local0.warning] WARNING - RADIUS: Invalid attribute (1) in profile
    Oct 17 15:49:41 c1 CiscoSecure: [ID 347837 local0.warning] WARNING - RADIUS: Authenticate: from (10.17.1.4) -
    test2 failed
    It would be good to see if anyone else has tried this.
    sanjay

  • Tacacs authentication fails for one user account for only one switch

    Hi,
I have a scenario where TACACS authentication fails for one user account on only one switch.
The same user account works well for other devices.
The AAA configs are the same on every device in the network.
Here's the show tacacs output from the switch where only one user account fails:
                  Socket opens:        157
                 Socket closes:        156
                 Socket aborts:        303
                 Socket errors:          1
               Socket Timeouts:          2
       Failed Connect Attempts:          0
            Total Packets Sent:       1703
            Total Packets Recv:       1243
              Expected Replies:          0
What could be the reason?
No errors on the ACS server; the same rights have been given to the user account.
Thanks for any advice.
    Prasey

    Hi there,
Does the user get authenticated in the ACS logs?
Reports and Activity ----> Failed Attempts
or
Reports and Activity ----> Passed Authentications
That will help narrow it down.
    Brad

  • Tacacs+ Config Issues

On a 3750 running IOS 15.0(2)SE4, when issuing tacacs-server host X.X.X.X I receive "the cli will be deprecated soon". Please advise.

The syntax structure of the AAA commands for both RADIUS and TACACS+ is being changed with the newer code. Take a look at this link for some examples:
    http://slaptijack.com/networking/new-style-tacacs-configuration/
    Hope this helps!
    Thank you for rating helpful posts! 

  • Authentication Issue, When Profile ReCreate

    Hi,
I face an authentication issue in SQL Server 2012 Evaluation after I log in with a new account.
Take a look at the situation and what I did.
1) I installed SQL Server 2012 on a member server (Server 2012 Standard).
2) Everything I did was by using the AD user name "SP_Farm".
3) I installed SQL in Windows Authentication mode only and provided the user ****\SP_Farm whenever the installation asked.
Note: during the whole process I only used SP_Farm (AD admin user).
Everything was working fine until my mistake. By mistake I deleted the account SP_Farm from AD and re-created it.
After that I can't access Management Studio. :(
Please guide me if there is any other way.
Thank you
    Shariq Ayaz
    [email protected]
    www.shariqdon.com
    www.shariqdon.com/itworld

Hi,
Creating a user with the same name is not the same user :-)
A user has a unique ID, and you did not create the same ID, but a new user with the same name.
You can try this solution:
http://blogs.msdn.com/b/raulga/archive/2007/07/12/disaster-recovery-what-to-do-when-the-sa-account-password-is-lost-in-sql-server-2005.aspx
* After the SQL Server instance starts in single-user mode, the Windows Administrator account is able to connect to SQL Server using the sqlcmd utility with Windows authentication.

  • Essbase 6.5 External Authentication Issue!! Urgent Please!!

    Hi all,
I am in great trouble over an external authentication issue in Essbase 6.5. I request you all to please give me your feedback on the same as soon as possible.
I am in a situation where I need to get my Essbase 6.5 external authentication converted from LDAP to Active Directory services.
I suppose the necessary changes have been made to the .cfg file for the same. However, I am getting the error
"User [vikc]'s external authentication protocol [MSEX]'s password check module is not loaded".
Please let me know if you have come across such an issue earlier and whether anybody is able to help me with the same.
It's kind of urgent, so any replies will be appreciated.
    Thanks and Regards,
    Vikram

    Vikram,
Yes, you will have to reconfigure the CSS.xml and cfg file for external auth.
Here is a sample CSS:
<spi>
  <provider>
    <msad name="full360">
      <trusted>false</trusted>
      <url>ldap://192.168.1.100:389/DC=full360,DC=com</url>
      <userDN>CN=Ravinder Singh,DC=full360,DC=com</userDN>
      <password>full@360</password>
      <authType>simple</authType>
      <identityAttribute>dn</identityAttribute>
      <maxSize>1000</maxSize>
      <user>
        <loginAttribute>sAMAccountName</loginAttribute>
        <nameAttribute>dn</nameAttribute>
      </user>
      <group>
        <nameAttribute>cn</nameAttribute>
        <objectclass>
          <entry>group?member</entry>
        </objectclass>
      </group>
    </msad>
  </provider>
</spi>
Download this tool: "http://www.ldapbrowser.com/download.htm"
Use the LDAP browser to get the exact DN information.
    Let me know the status
    Ravikant

  • ACS 5.2 Authentication Issue with Local & Global ADs

Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS it worked, but we didn't do the migration as there would be changes from the ADs.
Now my customer wants the ACS migration by creating a new group in AD, and I also updated the ACS config.
For a user from the old group, authentication is OK.
For a user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
It seems like ACS is querying old records (its own cache or database). I already restarted the ACS, but still the same error.
Can anyone advise on how to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by the global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
How can we check or make sure of that?
    Thanks ahead,
    Ye

    Hello,
There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
Currently on 5.0 and 5.1, the ACS queries DNS with the domain in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change in this behavior.
It should be possible to define which DCs to contact and/or make ACS interpret the DNS resource records registered by the Active Directory domain controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions:
Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
Workaround:
Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which domain controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate domain controllers the ACS should contact in an AD domain.
    Hope this clarifies it.
    Regards.
