ACS 4.1 traffic
I'm trying to find out how to send authentication traffic from a router to an ACS 4.1 server through a specified interface across a crypto tunnel.
How about the following:
ip tacacs source-interface loopback0
The route it takes is directly related to your routing table.
HTH
Similar Messages
-
Tacacs+ not working on VRF Interface
C4948-10G switch running IOS 15.0(2)SG
ACS 4.2 cannot authenticate on the VRF interface. The issue is with VRF AAA authentication.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization network default group tacacs+ local if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip vrf mgmt
rd 100:1
interface fa1
ip vrf forwarding mgmt
IP address 192.168.5.1 255.255.255.0
duplex auto
speed auto
ip vrf forwarding mgmt
aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
tacacs-server host 192.168.5.76 key secret
ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
ip tacacs source-interface fa1
sw2#debug tacacs
SW2#debug aaa authentication
SW2#test aaa group tacacs+ tester passwordtest new-code
Feb 4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
Feb 4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
Feb 4 11:36:09.808: TPLUS: processing authentication start request id 0
Feb 4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
Feb 4 11:36:09.808: TPLUS: Using server 192.168.5.75
Feb 4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
Feb 4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
Feb 4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0
User rejected
SW2#
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
Feb 4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
Feb 4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
SW2#test aaa group tacacs+ tester passwordtest legacy
Attempting authentication test to server-group tacacs+ using tacacs+
Feb 4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
Feb 4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Feb 4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
Feb 4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
Feb 4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
SW2#
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
SW2#ping vrf mgmt 192.168.5.85
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SW2#sh ip route vrf mgmt
Routing Table: mgmt
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.5.75/32 [1/0] via 192.168.5.2
S 192.168.5.76/32 [1/0] via 192.168.5.2
S 192.168.5.85/32 [1/0] via 192.168.5.2
C 192.168.5.0/24 is directly connected, FastEthernet1
SW2#sh ip vrf
Name Default RD Interfaces
mgmt 100:1 Fa1
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml
Hi,
Your debug output shows time out to ACS server as below.
Feb 4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
Feb 4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5
No authoritative response from any server.
Feb 4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
Have you tried pinging the ACS server from the switch mgmt VRF? Your previous example was showing a ping response to the management workstation (192.168.5.85) and not to the ACS.
Hope that helps
Najaf
Please rate when applicable or helpful !!! -
Per VRF Tacacs+ - not working
I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
I have the following configured:
aaa new-model
aaa group server tacacs+ MYGROUP
server-private 1.2.3.4 key cisco
ip vrf forwarding vpn_nms
ip tacacs source-interface Loopback100
aaa authentication login default local
aaa authentication login MYGROUP group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
ip cef
ip vrf forwarding
ip vrf vpn_nms
rd 65XXX:3
interface Loopback100
description NMS LOOPBACK
ip vrf forwarding vpn_nms
ip address 10.10.10.10 255.255.255.255
tacacs-server host 1.2.3.4
tacacs-server directed-request
tacacs-server key cisco
line con 0
privilege level 15
logging synchronous
login authentication MYGROUP
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
login authentication MYGROUP
length 0
transport input all
I know some of this config is redundant but I have been trying different things and getting nowhere.
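The configuration below is an added example; it is not the poster's running config and not text from Cisco's documentation. It reuses the names from the post (MYGROUP, vpn_nms, Loopback100, the placeholder server 1.2.3.4 with key cisco, and the redacted RD 65XXX:3) and shows the shape Cisco documents for per-VRF TACACS+: the server, its VRF binding and the source interface all sit under one aaa group server block via server-private, and every method list then references that named group. The same block answers the question that opens this page, because the source interface and VRF chosen here decide which routing table, and so which path or tunnel, the TCP/49 session follows.

```ios
aaa new-model
!
ip vrf vpn_nms
 rd 65XXX:3
!
interface Loopback100
 description NMS LOOPBACK
 ip vrf forwarding vpn_nms
 ip address 10.10.10.10 255.255.255.255
!
! Per-VRF TACACS+: the server is defined as server-private inside the
! named group, together with the VRF and the source interface, so the
! TCP/49 connection is opened in vpn_nms from Loopback100 instead of
! the global routing table. Global "tacacs-server host" entries are
! not needed for this group.
aaa group server tacacs+ MYGROUP
 server-private 1.2.3.4 key cisco
 ip vrf forwarding vpn_nms
 ip tacacs source-interface Loopback100
!
! Method lists point at the named group. "group tacacs+" would select
! the global tacacs-server hosts, which carry no VRF binding, so a login
! list that references group tacacs+ does not use the VRF at all.
aaa authentication login MYGROUP group MYGROUP local
aaa authentication enable default group MYGROUP enable
aaa authorization exec default group MYGROUP if-authenticated
aaa accounting exec default start-stop group MYGROUP
aaa accounting commands 15 default start-stop group MYGROUP
aaa session-id common
!
line con 0
 login authentication MYGROUP
line vty 0 4
 login authentication MYGROUP
 transport input ssh
```

To verify, first confirm reachability inside the VRF with `ping vrf vpn_nms 1.2.3.4 source Loopback100`; a timeout there is a routing or firewall problem rather than an AAA one, which is the point Najaf makes in the first thread. Then run `test aaa group MYGROUP <user> <password> new-code` with `debug tacacs` enabled and check that the "Using server" and "Opening TCP/IP" lines show the session being opened rather than timing out.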
-
How do I create a default account with an ACS Server
Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
This really concerns me from a security perspective.
Hmm, ACS should not (by default) accept traffic from any old device.
Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
Also check the Passed Authentications report, as this includes the ACS network config device name in the Access-Device column. -
Cisco ACS with External DB - EAP-TLS
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
Let's say both user and computer certs are employed:
1. Both client and ACS perform checks with each other's certs to ensure they are known to each other: the EAP-TLS exchange.
2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. What is the parameter that is checked against the AD database?
I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Ken
only TLS *handshake* is completed/successful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
And no port/point will be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
HTH
Regards,
Prem
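To make the three comparison modes quoted in the EAP-TLS thread above concrete, here is an added Go example; it is not ACS code and not from the thread. It models the external database as a constructed in-memory map and the client as a constructed self-signed certificate (CN jatin and e-mail SAN jatin@example.test are assumed values), then applies CN, SAN or binary comparison after a handshake that is assumed to have already succeeded. Go's standard x509 package does not decode the Microsoft UPN otherName, so the SAN mode here matches an e-mail SAN against the directory's UPN field. The unknown-user path reproduces the outcome in Prem's log: a completed TLS handshake followed by a reject because no account matches.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Mode is the identity binding the RADIUS server applies after the TLS
// handshake, mirroring the three ACS options quoted in the thread.
type Mode int

const (
	CNComparison     Mode = iota // Subject CN == account name
	SANComparison                // SAN (UPN / e-mail) == account UPN
	BinaryComparison             // DER bytes == stored usercertificate
)

// DirectoryUser is a constructed stand-in for an AD/LDAP entry.
type DirectoryUser struct {
	Name            string // sAMAccountName-style login name
	UPN             string // userPrincipalName, matched against the SAN
	UserCertificate []byte // DER copy in "usercertificate"; nil if not enrolled
}

// Directory is the constructed external user database, keyed by lower-case login name.
type Directory map[string]DirectoryUser

var errUnknownUser = errors.New("certificate does not bind to a known user")

// AuthorizeCert returns the directory account a client certificate binds to
// under the chosen mode. It assumes the EAP-TLS handshake already succeeded,
// i.e. the chain validated and the client proved possession of its key.
func AuthorizeCert(cert *x509.Certificate, mode Mode, dir Directory) (string, error) {
	switch mode {
	case CNComparison:
		cn := cert.Subject.CommonName
		if cn == "" {
			return "", errors.New("certificate has no CN to compare")
		}
		// AD account names are case-insensitive, so compare accordingly.
		if u, ok := dir[strings.ToLower(cn)]; ok && strings.EqualFold(u.Name, cn) {
			return u.Name, nil
		}
		return "", fmt.Errorf("%w: CN %q", errUnknownUser, cn)
	case SANComparison:
		// Only rfc822Name SANs are considered here (UPN stand-in).
		for _, san := range cert.EmailAddresses {
			for _, u := range dir {
				if strings.EqualFold(u.UPN, san) {
					return u.Name, nil
				}
			}
		}
		return "", fmt.Errorf("%w: no matching SAN", errUnknownUser)
	case BinaryComparison:
		// Whole-certificate match: a re-issued cert with the same names but a
		// different key or serial is rejected until the directory is updated.
		for _, u := range dir {
			if len(u.UserCertificate) > 0 && bytes.Equal(u.UserCertificate, cert.Raw) {
				return u.Name, nil
			}
		}
		return "", fmt.Errorf("%w: no stored certificate matches", errUnknownUser)
	}
	return "", fmt.Errorf("unsupported mode %d", mode)
}

// makeClientCert builds a constructed self-signed client certificate with the
// given CN and e-mail SAN; a real deployment would use CA-issued certificates.
func makeClientCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	jatin, err := makeClientCert("jatin", "jatin@example.test")
	if err != nil {
		panic(err)
	}
	dir := Directory{"jatin": {Name: "jatin", UPN: "jatin@example.test", UserCertificate: jatin.Raw}}
	for _, m := range []Mode{CNComparison, SANComparison, BinaryComparison} {
		who, err := AuthorizeCert(jatin, m, dir)
		fmt.Printf("mode %d: user=%q err=%v\n", m, who, err)
	}
	// Handshake would succeed for this cert too, but no account exists:
	// the "Unknown User ... was not authenticated" path from the log.
	nobody, _ := makeClientCert("nobody", "nobody@example.test")
	_, err = AuthorizeCert(nobody, CNComparison, dir)
	fmt.Println("unknown user:", err)
}
```

Binary comparison is the strictest of the three: a certificate re-issued with the same names but a new key is refused until the directory's usercertificate attribute is updated, which matches the page's note that the mode only works when a binary copy of the certificate is stored there. CN and SAN comparison, by contrast, accept any certificate the CA issued with the matching name, so they depend entirely on the CA's issuance discipline.
-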
AP Authentication via ACS.
Hi All,
Just a basic question regarding MAC-based authentication of APs with ACS.
The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS, so that whenever we plug a new AP into the network it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
When working in a LAN I know its possible, but how will it work over the WAN.
Pls. suggest ASAP.
Thanks in Advance.
Regards
Harish
Harish:
As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
The CAPWAP RFC mentions that you can do AP authorization in two ways:
- with certificates
- with PSK.
The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
2.4.4.4. PSK Usage
When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
contain the "PSK identity hint" field and the ClientKeyExchange
message MUST contain the "PSK identity" field. These fields are used
to help the WTP select the appropriate PSK for use with the AC, and
then indicate to the AC which key is being used. When PSKs are
provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
the key MUST be specified.
The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints
and identities be the ASCII HEX-formatted MAC addresses of the
respective devices, since each pairwise combination of WTP and AC
SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be
sufficient to perform authorization, as simply having knowledge of a
PSK does not necessarily imply authorization.
If a single PSK is being used for multiple devices on a CAPWAP
network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
longer be a MAC address, so appropriate hints and identities SHOULD
be selected to identify the group of devices to which the PSK is
provisioned
you may spend more time reading the CAPWAP RFC if you are interested
CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
Hope this answers your concern.
Amjad -
ACS 4.2 Database replication issue
Hello Experts,
Hope you are all doing well. I need your help with ACS database replication: I want to replicate between ACS servers. The issue I am facing is that there is no error in the ACS replication log. It just says "outbound replication started" and sits there; no other error message is shown. I can successfully telnet to the secondary server's destination port 2000. But when I hit the replication button on the primary server, I do not observe any hit count on my ASA ACL on which I allowed TCP 2000 to the secondary server. I also checked my syslog server for any traffic denied between these two ACS servers but found nothing. I also did Wireshark captures on the interfaces, but no traffic is initiated when I press the "Replicate Now" button. Initially I thought it was a machine issue, but the same behavior is shown when I swapped primary to secondary. There are other applications running on both servers which require Java, like Cisco IME etc. Can it be a Java issue? Please help me out. I am using Release 4.2(0) Build 124 on both servers. Attached below is the replication log snapshot,
Regards,
Rizwan.
https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42 -
ACS Database Replication over VPN with overlapping Network Addresses
We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnels.
As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
Has any one of you faced this problem of replicating the ACS database over the VPN with overlapping network addresses, and was anyone able to successfully solve this issue using a workaround?
All provided info and comments are greatly appreciated.
I can help with the 3005 setup if you decide to go that route.
You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
Use a static Nat type. The rest will look similar to my example.
Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on DES type and auth type. Use your local and remote networks you created earlier. -
ACS 5.4 AD Join strange Issue
Hi,
We have two ACS boxes with the same software version (5.4.0.46.0a); we were able to join only one ACS to the domain, and the other ACS gives the attached error.
When we checked with "main-acs-01/admin# acs troubleshoot adcheck <domain-name>", it gave the same error for both ACS; however, one ACS successfully joined the domain and the other one still failed.
main-acs-01/admin# acs troubleshoot adcheck <domain-name>
This command is only for advanced troubleshooting and may incur a lot of network traffic
Do you want to continue? (yes/no) yes
OSCHK : Verify that this is a supported OS : Pass
PATCH : Linux patch check : Pass
PERL : Verify perl is present and is a good version : Pass
SAMBA : Inspecting Samba installation : Pass
SPACECHK : Check if there is enough disk space in /var /usr /tmp : Pass
HOSTNAME : Verify hostname setting : Pass
NSHOSTS : Check hosts line in /etc/nsswitch.conf : Pass
DNSPROBE : Probe DNS server 172.24.1.1 : Pass
DNSPROBE : Probe DNS server 172.24.1.2 : Pass
DNSCHECK : Analyze basic health of DNS servers : Pass
WHATSSH : Is this an SSH that DirectControl works well with : Pass
SSH : SSHD version and configuration : Note
: You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
DOMNAME : Check that the domain name is reasonable : Pass
ADDC : Find domain controllers in DNS : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Failed
: Cannot resolve the IP address for xxxx.hmc.org.qa.
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Warning
: One or more ports failed to respond correctly. Either:
: a) the DC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: ldap(389)/udp - timeout
: smb(445)/tcp - refused
: ldap(389)/tcp - refused
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
ADPORT : Port scan of DC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Failed
: Cannot resolve the IP address for airportdc1.<domain-name>.
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Warning
: One or more ports failed to respond correctly. Either:
: a) the GC is offline
: b) a firewall is preventing access to a port
: The following is a list of failed ports:
: gc(3268)/tcp - refused
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADDNS : DNS lookup of DC xxxx.<domain-name> : Pass
GCPORT : Port scan of GC xxxx.<domain-name> : Pass
ADGC : Check Global Catalog servers : Pass
DCUP : Check for operational DCs in <domain-name> : Pass
SITEUP : Check DCs for <domain-name> in our site : Pass
DNSSYM : Check DNS server symmetry : Pass
ADSITE : Check that this machine's subnet is in a site known by AD : Pass
GSITE : See if we think this is the correct site : Pass
TIME : Check clock synchronization : Pass
2 serious issues were encountered during check. These must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding
main-acs-01/admin#
Has anyone faced this issue before? Appreciate it if someone can advise how to fix this.
This was a known issue with ACS 5.3; however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4.
Since you're running ACS 5.4, it should not trigger.
CSCtx53223 After upgrade ACS 5.3 fail to join AD domain - missing Centrify license
Symptom:
After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:
Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express
Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test
Conditions:
Upgrade from 5.2 to 5.3. Restart the services later on.
Workaround:
Backup the ACS db and re-image the box to 5.3
How did you upgrade to ACS 5.4
1.] Upgraded from 5.3 to 5.4 using upgrade package.
2.] Reimaged it with the ACS 5.4 ISO and restored the ACS 5.3 database.
I would suggest you open a TAC case on this. Most likely you need to reimage the server and restore the database if you went through option 1.]
~BR
Jatin Katyal
**Do rate helpful posts** -
Hi guys,
I have a strange error here and I'm really disappointed.
We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
At the other clients we can see a strange error at the ACS.
At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
Report columns: Logged At, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Access Service, Authentication Method, Network Device, NAS IP Address, NAS Port ID, CTS Security Group, ACS Instance, Failure Reason
Logged At: Sep 2,10 3:37:46.916 PM
Access Service: Wired_802.1X_EAP-TLS
Authentication Method: EAP-TLS
ACS Instance: svacs01
Failure Reason: 5411 EAP session timed out
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Wired_802.1X_EAP-TLS
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
5411 EAP session timed out
At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
Switch --> Request Identity --> Client
Switch <-- Response Identity <-- Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
What is missing is the Switch <-- Response EAP-TLS <-- Client
Any ideas what is going wrong ? Maybe someone had this error before ?
Any suggestions how to debug this ?
Thank you very much for your help!
Mathias
Hi @all,
I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occurs many times per day.
Report columns: Logged At, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Access Service, Authentication Method, Network Device, NAS IP Address, NAS Port ID, CTS Security Group, ACS Instance, Failure Reason
Logged At: Sep 7,10 11:50:36.143 PM
Access Service: dot1x wireless
Authentication Method: PEAP
ACS Instance: bfnetacs01
Failure Reason: 5411 EAP session timed out
Kind regards,
Michael -
ACE 4710 A3(2.0) and ACS - TACACS+
Hi.
I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
ACE 4710:
tacacs-server host 10.7.50.20 key 7 "fewhg"
aaa group server tacacs+ tacacs_server_group
server 10.7.50.20
deadtime 15
aaa authentication login default group tacacs_server_group local none
aaa accounting default group tacacs_server_group local
aaa authentication login error-enable
ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with with Message-Type: "Unknown NAS".
It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
Any help is appreciated and thanks in advance!
Are you using telnet or ssh?
If ssh, can you try telnet? Allow telnet in your management policy to do this. Then if it works via telnet, try ssh again; if it now works then you have hit CSCsu36078
http://tools.cisco.com/squish/03240 -
Use Cisco ACS to verify MAC address for VPN User
Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
For example:
User opens VPN client-->Clicks connect-->types in User/Pass which gets passed to ACS (part of what should be sent is the MAC address)---> ACS responds with a yes/no on user/pass and whether the MAC address is right)
Hi Pete,
I have found out in some of my testing that if a PC does not generate any kind of traffic and is totally idle, then once the MAC address table ages out it does not show its MAC until the PC generates some kind of traffic. I guess this is what you must be seeing.
I have observed one more thing: if I connect a fully booted PC which is not generating any traffic to a switch port, it does not learn its MAC address until it generates traffic. This is my observation and what I believe happens in most cases.
I don't know whether that answers your question or not, but it could be something close. I think there will be some who can shed more light on this.
regards,
-amit singh -
ACS 4.0 and RSA Token Server problem
Hi,
We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool, which is installed on the ACS server as part of the RSA Agent software.
After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works); however, it looks like ACS doesn't even send traffic to the RSA server when authenticating.
Any help or advice appreciated.
Thanks
Hi,
The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
Following link talks about the same.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
Regards,
~JG -
802.1x ACS RSA Secure ID/Safeword Token server
Hello, we are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and log in to our wireless network. They would then be prompted for their login and password, which would be their Badge ID and their token credentials.
We are using an Airespace wireless security device; we specify ACS as the 802.1x RADIUS server. Airespace is sending the requests to ACS just fine, but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the Airespace wireless security device. The log below reflects this.
We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA servers as our RADIUS Token Server, set the unknown user DB to that server and test auth, we are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XPSP1, as we would hate to have to install software on every client's laptop.
A wireless client of ours DID work when we specified EAP-GTC on the client side, but it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our RADIUS strings are correct etc. Safeword is listening on 1812, but also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?)
The failed attempts log shows "External DB Auth Failed".
Here is a snip of the CSRadius/RDS.log when we try to auth. When we sniff traffic we see the EAP request and the RADIUS reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way, please do. Thank you all in advance.
Cisco RDS log attached.
The problem could be with your Secure ID RSA server.
-
802.1x(ACS) with avaya phones
Hi All ,
We are implementing wired dot1x for our wired users with EAP-TLS. When I connect a laptop it gets authenticated and it is working fine. For VoIP (Avaya) we are using MAB. When we connect the VoIP phone, after 30 seconds ACS gives Access-Accept (auth success), but the phone is stuck in the Bad router state and VoIP is not working. If I connect the laptop behind the phone it gets authenticated and works fine even though the phone is stuck.
Is there a way we can reduce 802.1x auth timings, so that VoIP can register successfully?
The switch interface config is:
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Thanks,
Vijay
Hi,
I am using AVAYA as well in production. They support 802.1X.
Configure Voice VLAN on each Port.
Let ACS send the radius attribute device-traffic-class=voice under
Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
and select Permission to join static.
A good guide: IP Telephony for 802.1X Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Regards Horst
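To put numbers on the 30-second delay Vijay reports, here is an added example (not code from either post). It assumes the IOS defaults of tx-period 30 s and max-reauth-req 2, parses the interface config quoted above, and computes how long a device with no supplicant waits before the switch falls back to MAB; with tx-period 10 that is 10 × (2 + 1) = 30 s, which matches the observation.

```python
import re

# Constructed copy of the interface config posted in the thread above.
INTERFACE_CONFIG = """\
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
"""

# Assumed IOS defaults when the command is absent from the interface.
DEFAULT_TX_PERIOD = 30       # dot1x timeout tx-period
DEFAULT_MAX_REAUTH_REQ = 2   # dot1x max-reauth-req


def parse_dot1x_settings(config):
    """Extract the knobs that decide when MAB gets a turn."""
    s = {"order": ["dot1x"], "tx_period": DEFAULT_TX_PERIOD,
         "max_reauth_req": DEFAULT_MAX_REAUTH_REQ, "mab": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"authentication order (.+)", line):
            s["order"] = m.group(1).split()
        elif m := re.match(r"dot1x timeout tx-period (\d+)", line):
            s["tx_period"] = int(m.group(1))
        elif m := re.match(r"dot1x max-reauth-req (\d+)", line):
            s["max_reauth_req"] = int(m.group(1))
        elif line == "mab":
            s["mab"] = True
    return s


def mab_fallback_delay(settings):
    """Seconds a device without a supplicant waits before MAB is tried.

    With dot1x first in the order, the switch sends the initial
    EAP-Request/Identity plus max-reauth-req retries, one tx-period
    apart, before giving up on 802.1X and moving to the next method.
    Returns None if MAB is not enabled, 0 if MAB runs first.
    """
    if not settings["mab"]:
        return None
    if settings["order"][0] == "mab":
        return 0
    return settings["tx_period"] * (settings["max_reauth_req"] + 1)
```

Running it on the config above gives 30 s; rerunning with a smaller tx-period or max-reauth-req, or with `authentication order mab dot1x`, shows how each knob shortens the window the phone spends with no network access.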