ACS 4.0 and Windows 7.
Facing challenges in integrating ACS 4.0 with Windows 7. Please help.
Is ACS 4.0 compatible with Windows 7?
Have a look here http://forums.macrumors.com/showthread.php?t=467704 for instructions/solution.
Basically you have to make yourself a copy of your Windows disc using the files of that disc and a program called oscdimg.exe plus a burning program.
And it had to be done on a Windows PC or in virtualized Windows (using Parallels/Fusion/VirtualBox) on your Mac.
Hope it helps
Stefan
Similar Messages
-
ACS 5.5 and Windows 2012 AD support
Hi All,
Previously I had two AD domains based on 2008 and had machines in one domain and users in another domain, and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user authentication.
I have now upgraded the machine's domain to 2012 and machine authentication works fine and user authentication also works, but when you put the two together and enable "Was machine authenticated=True", the ACS errors out when doing user authentication with the message "ACS unable to find previous successful machine authentication" even though machine authentication was successful. I have tried with ACS being a member of both 2008 and 2012 domains at each stage.
The clients are all Windows 8.1.
Has anyone encountered this scenario before?
TIA
I would like to share a good troubleshooting guide for ACS 5.x and later. Please have a look:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html -
Cisco ACS 4.2 and Windows 2008 R2 CA
Has anyone been successful in getting a cert off of a 2008 R2 CA and imported correctly into ACS 4.2? I've had, and have seen others have, the problem with creating a web server certificate from R2 (1024 bit) and putting it in ACS 4.2 only to have HTTPS/SSL no longer work correctly. I haven't even tested the intended purpose of the cert (EAP-TLS) yet, so who knows if that works. I've also seen through searching where someone was able to take a 2003 CA web server template and put it into R2 and it worked, but I no longer have 2003 available. Any ideas?
Thanks,
Raun
I have seen issues where the templates on the R2 boxes are using elliptical curve cryptography; basically, if the template has a '#' character in it, that is what I think causes this process to be used. Try to use a template that doesn't have this in the front and then try to generate a cert against the template you created.
Here is a snip of the guide that I am forwarding you:
Determining Whether to Implement Cryptography Next Generation Algorithms
For Windows Server 2008–based version 3 certificate templates, the option exists to configure advanced cryptographic algorithms such as elliptic curve cryptography (ECC). Before configuring these settings, ensure that the operating systems and applications deployed in your environment can support these cryptographic algorithms.
http://technet.microsoft.com/en-us/library/cc731705%28v=ws.10%29.aspx
Screenshots in another article:
http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29.aspx
Thanks,
Tarik Admani -
ACS 3.3 and windows 2k3 issue
Have an issue with installation of ACS 3.3 trial version on windows 2k3 server. When I go to setup an AAA client type of RADIUS (Cisco Aironet), with values entered for Hostname, IP address and Key, and submit changes, dialog comes back saying "RADIUS key value must not be blank".
Have implemented this on a windows 2000 server with no issues. Have tried install on 4 different 2003 servers all behave in this manner.
Anyone else seen this?
I had the same problem several months ago. The solution I found was to download and install the latest Java on the server.
-
ACS 5.3 and Windows AD account lockout
Currently on 5.3.0.40.2, when an invalid password is attempted via TACACS or RADIUS to the AD identity store, it locks the account out on the first failed attempt. The AD policy is lockout after three attempts. Is there a way to fix this issue so the account is not locked out with only one failed attempt? I see options for local password policies in ACS but nothing for the identity store. For what it's worth, this happened also with the ACS 4.X deployment before we moved to ACS 5.3.
Just wanted to see if this is the expected behavior or if I should open a TAC case to see what is causing this.
Thanks.
Hi;
Well, we got it working. Not sure of the exact fix, but allow me to ramble, perhaps it will help someone else.
We think that a combination of factors caused the problem. First, we had clock drift, and that resulted in clock skew messages in the logs like these:
Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO base.adagent start: Problem connecting to domain controller (KDC refused skey: Clock skew too great), will try again later.
and
ecb-acs1 adclient[1163]: WARN base.bind.cache LDAP fetch CN=bubba,OU=staff,OU=edcenter,OU=edcenterarea,OU=episd,DC=episd,DC=org threw unexpected exception: SASL bind to ldap/[email protected] - GSSAPI Mechanism with Kerberos error ": Clock skew too great"
Somehow the ACS lost the NTP config, very disturbing, because I know that one of the first things I did was set up NTP. So I re-did the NTP config and confirmed the time was accurate. Still failed. Then, because I was annoyed by the log entries coming out in UTC, I did a clock timezone to set it to local. That made the logs come out in local time, but might have caused other problems (I saw another forum entry for that) so I set it back to UTC.
This begs the question - how to leave the timezone at UTC but fix the timestamps for the logs? This is easy on Cisco switches.
Various reboots of the ACS after deleting the object in AD did not fix the problem. During these reboots I continued to use the original userid and password to authenticate. At all times, the "test connection" button showed that the credentials were OK.
Because we had recently added our first Win2008 domain controller to our world (all the other DCs are Win2k3), we started worrying about this:
http://support.microsoft.com/kb/978055/en-us
But, after some checking, it seems as if we already had the fix applied.
Next, we created a dedicated user in AD for the ACS to use when authenticating. Deleted the ACS object, restarted the ACS, applied those new credentials. Still broken.
Our AD admin looked in various logs and found some things, here is his summary:
----------- from Danny --------
Checked the domain controller log under system. Found the following:
While processing an AS request for target service krbtgt, the account ecb-acs1$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 17. The accounts available etypes : 23 -133 -128 3 1. Changing or resetting the password of ecb-acs1$ will generate a proper key.
and
While processing an AS request for target service krbtgt, the account stcrye did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes : 18. The accounts available etypes : 23 -133 -128 3 1. Changing or resetting the password of stcrye will generate a proper key.
This may be related to either clock skew between ACS and the domain or introducing Server 2008 domain controllers into an existing Server 2003 domain.
On a desperate hunch, after yet again deleting the ACS object in AD and reloading the ACS, I used the new dedicated ACS user account, but gave it a wrong password. Hit save, watched it fail. Then I put in the correct password, hit save, and it worked! Finally we have re-joined and are connected to the domain.
BUT ... I have now lost all confidence in ACS 5.3. We are in the middle of a major rollout of WiFi clients using 802.1x authentication, replacing our previous pre-shared WPA setup. We are talking > 20,000 WiFi clients. If ACS <--> AD is not rock-solid, I need to try something else. Should we consider using LDAPS instead?
Steve -
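The adclient "Clock skew too great" line and the two DC "did not have a suitable key" events quoted in Steve's thread above can be triaged mechanically: a requested AES etype (17/18) that is absent from an account's available etypes (RC4/DES only) is exactly the condition the event text says a password reset repairs. The following is an added example, not code from the thread or from Cisco; the sample lines are copied from the messages quoted above, and the etype names follow RFC 3961/3962/4757 and Microsoft's ntsecapi.h.

```python
"""Triage of the two failure signatures quoted above: Kerberos
"did not have a suitable key" events from the DC System log and adclient
"Clock skew too great" messages on the ACS."""
import re
from typing import Dict, List

# Kerberos encryption types. Positive values are IANA-registered (RFC 3961,
# RFC 3962, RFC 4757); negative values are Microsoft-private legacy RC4
# variants as defined in ntsecapi.h.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
    -128: "rc4-md4 (MS legacy)",
    -133: "rc4-hmac-old (MS legacy)",
    -135: "rc4-hmac-old-exp (MS legacy)",
}
AES_ETYPES = {17, 18}

KEY_EVENT_RE = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes\s*:\s*(?P<req>[-\d ]+?)\.\s*"
    r"The accounts available etypes\s*:\s*(?P<avail>[-\d ]+?)\.",
    re.DOTALL,
)
SKEW_RE = re.compile(r"Clock skew too great")

# Constructed sample batch: the lines are the ones quoted in the thread above.
SAMPLE_LINES = [
    "Sep 20 18:06:03 ecb-acs1 adclient[8322]: INFO base.adagent start: Problem "
    "connecting to domain controller (KDC refused skey: Clock skew too great), "
    "will try again later.",
    "While processing an AS request for target service krbtgt, the account "
    "ecb-acs1$ did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes : 17. The accounts "
    "available etypes : 23 -133 -128 3 1. Changing or resetting the password "
    "of ecb-acs1$ will generate a proper key.",
    "While processing an AS request for target service krbtgt, the account "
    "stcrye did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 2). The requested etypes : 18. The accounts "
    "available etypes : 23 -133 -128 3 1. Changing or resetting the password "
    "of stcrye will generate a proper key.",
]


def _etypes(text: str) -> List[int]:
    return [int(tok) for tok in text.split()]


def etype_name(e: int) -> str:
    return ETYPE_NAMES.get(e, f"etype {e}")


def parse_key_event(message: str) -> Dict[str, object]:
    """Explain one "did not have a suitable key" event.

    The KDC needs a key of one of the requested etypes. Keys are derived from
    the password, and an account whose password was last set before the domain
    had AES-capable DCs carries only RC4/DES keys, so an AES request cannot be
    served until the password is (re)set. That matches the event's own advice.
    """
    m = KEY_EVENT_RE.search(message)
    if m is None:
        raise ValueError("not a 'suitable key' event")
    requested = _etypes(m.group("req"))
    available = _etypes(m.group("avail"))
    missing = [e for e in requested if e not in available]
    aes_missing = any(e in AES_ETYPES for e in missing)
    return {
        "account": m.group("account"),
        "requested": [etype_name(e) for e in requested],
        "available": [etype_name(e) for e in available],
        "missing": missing,
        "aes_key_missing": aes_missing,
        "action": ("reset the account password so AES keys are generated"
                   if aes_missing else "no etype gap; look elsewhere"),
    }


def triage(lines: List[str]) -> Dict[str, object]:
    """Run both checks over a batch of log lines and list the actions."""
    skew = 0
    events = []
    for line in lines:
        if SKEW_RE.search(line):
            skew += 1
        elif KEY_EVENT_RE.search(line):
            events.append(parse_key_event(line))
    actions = []
    if skew:
        actions.append("fix NTP on the ACS: the KDC rejects requests outside "
                       "its clock skew window")
    for ev in events:
        if ev["aes_key_missing"]:
            actions.append(f"reset the password of {ev['account']} to "
                           "generate AES keys")
    return {"clock_skew_lines": skew, "key_events": events, "actions": actions}


if __name__ == "__main__":
    for item in triage(SAMPLE_LINES)["actions"]:
        print(item)
```

The re-join with a fresh password that finally worked in the thread is consistent with this: setting the machine account's password on an AES-capable DC is what creates the missing key.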
ACS Se 4.2.1.15 patch 4 and Windows 2008 R2
Hi, Can anyone advise whether ACS Se and Remote Agent 4.2.1.15.4 supports Windows 2008 R2 please. Thank you.
Hi,
ACS 4.2.1.15 does not support Windows 2008 R2.
ACS 5.2 supports the same.
It is bug CSCtg12399, which is resolved in ACS 5.2.
The release notes of ACS 5.2 describe the same.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html
The following link gives details of the ACS 4.2 and Windows 2008 compatibility.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html#wp100949
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is answered. Do rate helpful posts. -
CA and Certificate Issue in ACS 4.0 For Windows 2003 Enterprise Server
Hi,
I have configured Microsoft CA server on the same ACS 4.0 for Windows 2003 enterprise server which was configured earlier using the self generated certificates for EAP and PEAP authentications.
After I changed the certificate from self-generated to the new CA certificate (which can be viewed under the Install ACS Certificate option on the ACS server), I am having the following problems:
1. SSL is not functioning for browser access to the ACS server; it goes through HTTP instead of HTTPS.
2. Wireless clients are authenticated successfully even after the certificate is uninstalled.
Any help on these problems will be appreciated.
Thanks
Best Regards,
Ahmed
Hi Rohit,
Thanks for reminding me of the HTTPS option under Administration Control on ACS.
I have some doubts pertaining to installation of certificates on wireless clients. It is optional for self-generated certificates, but what about in the case of a Microsoft CA? I tested wireless client authentication even after removing the certificate from the Microsoft supplicant (Windows XP SP2 with the patch KB885453 for PEAP installed). How does the certificate on the wireless client work?
Is it mandatory or optional to keep the certificate on wireless clients, as they are able to get authenticated through ACS after removing the certificate?
Thanks
Best Regards,
Ahmed -
ACS and Windows Domain / AD
Hi All,
In my environment there are two Windows Domains - Domain A and B. ACS is configured on a member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in the Configure Domain List on the ACS server in the Windows Domain configuration menu.
Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
Appreciate quick help on this.
-Satishcp
Unfortunately we are not using the Cisco Secure ACS Appliances, rather it's ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
My guess is Remote Agents for Windows / Solaris work with Appliances alone. -
ACS 3.2 for Windows and MS Windows AD Directory Integration Problem
Dear all,
We have some issues while integrating Windows AD with ACS 3.2 for Windows. Currently we have done the following:
1. Installed ACS 3.2 for Windows on Windows 2003 Enterprise with SP1
2. ACS and Domain Controller are configured on the same server
Checked and verified the following configurations:
1. Created a domain user "csacs" with "Act as part of the operating system" and "Log on as a service" enabled for this user.
2. Enabled all the CS services to log on as the user csacs.
But I noticed the CS services are not responding and give the error "Could not able to start the service with service specific error ..." while trying to start the services manually on ACS.
Kindly help me through this integration part.
An easy and handy step-wise procedure on configuring integration of AD with ACS 3.2 on both a Domain Controller and a member server would be of great help.
Thanks
Kind Regards,
Ahmed
I have no issues running Cisco ACS version 3.2 on Windows Server 2003 with SP2:
1) Create user test1 in MS Active Directory and put test1 in the Users group with dial-in access granted,
2) Create a group called "LDAP". Actually I renamed group name "group 1" to "LDAP".
3) In the ACS External User Database configuration, I specified domain "CCIE" for this. The Unknown User Policy is to use the Windows Database configuration,
4) Configure the database configuration in ACS to point to the "CCIE" Windows domain,
5) Set up the ACS to authenticate one of your Cisco devices and log in using the MS Windows account.
By the way, mgurwara, you are wrong. I run Cisco ACS 3.2 on Windows 2003 Enterprise Edition with Service Pack 2. I am running it on a Dell Optiplex GX240 (1.7 GHz with 512MB of RAM) and it is running fine. I use it to manage about 20 Cisco devices and about 200 wireless LEAP users. Furthermore, I am also running ACS 4.1 on other identical hardware. It has nothing to do with the hardware. I don't know where you got that information from. -
ACS 3.2 for Windows and Windows Active Directory.
I'm using a member W2K server to run ACS 3.2.
I'm using ACS and Windows group mapping but my users always go into default group.
Why?
Thanks.
Andrea.
I'm assuming your ACS \DEFAULT domain has NT Groups mapped to . Use a new Domain Configuration to add your AD and group mappings.
The group name in ACS must match exactly the same group in AD, i.e. if your AD group name is "Engineering", create an ACS group with exactly the same spelling. Also, avoid certain characters such as @#%&*() in the naming of groups, both in AD and ACS.
Hope this helps. Let us know.
P -
Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory
Hello,
Does anyone have a successful authentication debug using Cisco 1113 ACS 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks like. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 ACS failed attempts report shows:
External DB is not operational
thanks,
james
Hi James,
We get "External DB is not operational". Could you check under External Databases > Unknown User Policy and verify that you have the AD/Windows database at the top?
This error means the external server might not be correctly configured in the ACS External Databases section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the auth logs from the server running the remote agent, e.g.:
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay -
802.1x with ACS 3.3 and windowsXP
We are using RADIUS IETF in ACS and EAP MD5.
My switch is a 2950 with these commands:
radius-server host a.b.c.d
radius-server key cisco
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
int fa 0/1
dot1x port-control auto
When we try to authenticate, this error appears in the ACS reports: "CS user unknown".
Is there something we forgot?
Where do I configure the respective VLAN for the user when he authenticates?
Thanks
I'm using a 2950 and Cisco ACS. In my Windows XP, I did only this: "Enable IEEE 802.1x authentication for this network --> MD5 Challenge". I created one user in the ACS database and assigned the following IETF RADIUS attributes to this user:
[64] Tunnel-Type = VLAN
[65] Tunnel-Medium-Type = 802
[81] Tunnel-Private-Group-Id = teste
At my network icon appears: Authentication Fail
See some debug message on my switch:
03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
03:09:14: dot1x-ev:Inserted the request on to list of pending requests
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Found a free slot at slot 0
03:09:14: dot1x-ev:Request id = 7 and length = 25
03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
03:09:14: dot1x-ev:Username is SMSTESTE\joe
03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
03:09:34: dot1x-err:EAP packet not recvd
03:09:34: dot1x-ev:going to send to backend on SP, length = 4
03:09:34: dot1x-ev:Received VLAN is No Vlan
03:09:34: dot1x-ev:Enqueued the response to BackEnd
03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
03:09:34: dot1x-ev:Dot1x matching request-response found
03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
03:09:34: dot1x-ev:Received VLAN Id -1
03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
Can you help me?
Thanks, -
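The three IETF attributes listed in the reply above ([64] Tunnel-Type, [65] Tunnel-Medium-Type, [81] Tunnel-Private-Group-Id) are the RFC 2868 tagged tunnel attributes a switch needs in the Access-Accept before it will place the port in a VLAN; if any of the three is missing or carries the wrong value, the switch logs "No Vlan" as in the debug above. The example below is added here and is not from the post or from Cisco: it encodes the attributes the way a RADIUS server puts them on the wire and decodes them the way a switch decides between a VLAN and "No Vlan". The VLAN name "teste" is the one from the post; the byte layout and the value codes 13 (VLAN) and 6 (802) follow RFC 2868.

```python
"""Encode and decode the RFC 2868 tagged tunnel attributes used for
dynamic VLAN assignment over 802.1X, and reproduce the switch's decision."""
from typing import Dict, List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type "802"
VLAN_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def _tagged_int(attr: int, value: int, tag: int = 0) -> bytes:
    # Type, Length (always 6), Tag, then a 3-octet big-endian value.
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")


def _tagged_str(attr: int, value: str, tag: int = 0) -> bytes:
    # Type, Length, Tag, then the string; tag 0 means "untagged".
    data = value.encode("ascii")
    return bytes([attr, 3 + len(data), tag]) + data


def build_vlan_attrs(vlan: str, tag: int = 0) -> bytes:
    """The attribute bytes a RADIUS server adds to Access-Accept for one VLAN."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return (_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + _tagged_str(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def parse_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, checking lengths."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {t}")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def _split_tag(value: bytes) -> Tuple[int, bytes]:
    # RFC 2868: a first octet of 0x00..0x1F is a tag; anything larger is data.
    # This also accepts servers that send a plain 4-octet integer with no tag.
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(blob: bytes) -> Optional[str]:
    """Return the VLAN the switch would apply, or None ("No Vlan").

    Attributes are grouped by tag; a group counts only if Tunnel-Type is VLAN,
    Tunnel-Medium-Type is 802, and a Tunnel-Private-Group-Id is present.
    """
    groups: Dict[int, Dict[int, bytes]] = {}
    for t, v in parse_attrs(blob):
        if t in VLAN_ATTRS:
            tag, data = _split_tag(v)
            groups.setdefault(tag, {})[t] = data
    for _tag, g in sorted(groups.items()):
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in g):
            return g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    accept = build_vlan_attrs("teste")
    print(accept.hex())
    print(assigned_vlan(accept) or "No Vlan")
```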
ACS 4.0 and RSA Token Server problem
Hi,
We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
I have installed the RSA Agent on the same server as the ACS (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn't even send traffic to the RSA server when authenticating.
Any help or advice appreciated.
Thanks
Hi,
The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
Following link talks about the same.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
Regards,
~JG -
802.1X ACS Self Signed External Windows DB
Can I configure the ACS server with a self-signed certificate and integrate it into a Windows database?
The users will be authenticated with 802.1X configured in a WLAN on a WLC4400.
Thanks Sthephen,
I have configured this in the ACS:
1. The ACS server is a member server, for example LAB.
2. In External User Database / Windows Database / Configure / In the Configure Domain List I select the domain called LAB.
3. System Configuration / ACS Certificate Setup / Generate Self-Signed. I enter all the required parameters and the certificate is created.
4. The certificate is installed on the wireless client and the wireless profile is configured selecting the certificate. In the Windows profile of the wireless connection, I uncheck "Automatically use my Windows logon name and password"; this option is disabled to use the local database of the ACS.
Is the only configuration necessary for the integration of the ACS server with the Windows domain that the server is a member of the Windows domain, the domain is selected in the domain list in the ACS, and the option "Automatically use my Windows logon name and password" is checked? -
Delete proxy config on Cisco Secure ACS 4.1 for Windows ?
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2.
We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button,
saw the Proxy Distribution Table
clicked (Default)
moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
Hello Jeffrey,
By default the ACS 4.x Proxy Distribution Settings should have the ACS entry for itself in the Forward To box. Your ACS1 entry should be in the Forward To box.
The Internal Error message on the ACS should be highlighting a different issue on your ACS1. Also, the message stating that we cannot have zero servers in the "Forward To" box is expected.
Set your ACS1 for Full Logging Detail (System Configuration > Service Control) and configure the ACS1 entry under the Forward To box. Recreate the authentication issue and collect a package.cab file. If you have an ACS for Windows, under the ACS Installation folder look for the CSAuth folder > Logs and share the auth.log file with a failure timestamp for us to review the ACS logs when failing with Internal Error.
If this was helpful please rate.
Regards.