ACS 4.1 traffic

I'm trying to find out how to send authentication traffic from a router to an ACS 4.1 server through a specified interface across a crypto tunnel.

How about the following:
ip tacacs source loopback0
The route it takes is directly related to your routing table.
HTH

Similar Messages

  • Tacacs+ not working on VRF Interface

    C4948-10G switch running IOS 15.0(2)SG
    ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip vrf mgmt
    rd 100:1
    interface fa1
    ip vrf forwarding mgmt
    IP address 192.168.5.1 255.255.255.0
    duplex auto
    speed auto
    ip vrf forwarding mgmt
    aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
    server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
    tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
    tacacs-server host 192.168.5.76 key secret
    ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
    ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
    ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
    ip tacacs source-interface fa1
    sw2#debug tacacs
    SW2#debug aaa authentication
    SW2#test aaa group tacacs+ tester passwordtest new-code
    Feb  4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    Feb  4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
    Feb  4 11:36:09.808: TPLUS: processing authentication start request id 0
    Feb  4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
    Feb  4 11:36:09.808: TPLUS: Using server 192.168.5.75
    Feb  4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
    Feb  4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0User rejected
    SW2#
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
    Feb  4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
    SW2#test aaa group tacacs+ tester passwordtest legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    Feb  4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
    Feb  4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Feb  4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
    Feb  4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
    Feb  4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    SW2#
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    SW2#ping vrf mgmt 192.168.5.85
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    SW2#sh ip route vrf mgmt
    Routing Table: mgmt
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
    S       192.168.5.75/32 [1/0] via 192.168.5.2
    S       192.168.5.76/32 [1/0] via 192.168.5.2
    S       192.168.5.85/32 [1/0] via 192.168.5.2
    C       192.168.5.0/24 is directly connected, FastEthernet1
    SW2#sh ip vrf
      Name                             Default RD          Interfaces
      mgmt                             100:1                     Fa1
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • Per VRF Tacacs+ - not working

    I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
    I have the following configured:
    aaa new-model
    aaa group server tacacs+ MYGROUP
     server-private 1.2.3.4 key cisco
     ip vrf forwarding vpn_nms
     ip tacacs source-interface Loopback100
    aaa authentication login default local
    aaa authentication login MYGROUP group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group MYGROUP if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip cef
    ip vrf forwarding
    ip vrf vpn_nms
     rd 65XXX:3
    interface Loopback100
     description NMS LOOPBACK
     ip vrf forwarding vpn_nms
     ip address 10.10.10.10 255.255.255.255
    tacacs-server host 1.2.3.4
    tacacs-server directed-request
    tacacs-server key cisco
    line con 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
     length 0
     transport input all
    I know some of this config is redundant but I have been trying different things and getting nowhere.

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • How do I create a default account with an ACS Server

    Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
    When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
    This really concerns me from a security perspective.

    Hmm, ACS should not (by default) accept traffic from any old device.
    Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
    Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
    Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
    Also check the Passed Authenications report as this included the ACS network config device name in the Access-Device column.

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
    Let say both user and computer certs are employed:
    1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
    2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. Wot is the paramater that is checked against the AD database?
    I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    only TLS *handshake* is completed/succcessful, but because user authentication fails,
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
    And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
    HTH
    Regards,
    Prem

  • AP Authentication via ACS.

    Hi All,
    Just a basic question regarding MAC based authenitcation of AP with ACS.
    The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.
    My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
    When working in a LAN I know its possible, but how will it work over the WAN.
    Pls. suggest ASAP.
    Thanks in Advance.
    Regards
    Harish

    Harish:
    As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
    The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.
    CAPWAP RFC metniones that you can do AP authorization by two ways:
    - with certificates
    - with PSK.
    The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.
    2.4.4.4.  PSK Usage
       When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
       contain the "PSK identity hint" field and the ClientKeyExchange
       message MUST contain the "PSK identity" field.  These fields are used
       to help the WTP select the appropriate PSK for use with the AC, and
       then indicate to the AC which key is being used.  When PSKs are
       provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
       the key MUST be specified.
       The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
       SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
       and identities be the ASCII HEX-formatted MAC addresses of the
       respective devices, since each pairwise combination of WTP and AC
       SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
       sufficient to perform authorization, as simply having knowledge of a
       PSK does not necessarily imply authorization.
       If a single PSK is being used for multiple devices on a CAPWAP
       network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
       longer be a MAC address, so appropriate hints and identities SHOULD
       be selected to identify the group of devices to which the PSK is
       provisioned
    you may spend more time reading the CAPWAP RFC if you are interested
    CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
    Hope this answers your concern.
    Amjad

  • ACS 4.2 Database replication issue

    Hello Experts,
    Hope you are all doing well. I need your help in ACS database replication, I want to do replication between ACS servers. The issue i am facing is that there is no error in ACS replication log. It just says outbound replication started. and sits there no other error message is shown. I can successfully telnet secondary server's destination port 2000. But when i hit the replication button from primary server, i do not observe any hit count on my ASA ACL on which i allowed tcp 2000 for destination secondary server.I also checked my syslog server if there is any traffic denied between these 2 ACS servers but found nothing. I also did wireshark captures on the interfaces but no traffic is initiated when i press replicate now button. Initially i thought its a machine issue, but same behavior is shown when i swapped primary----to secondary. There are other applications running on both the servers which requires JAVA. Like Cisco IME etc. Can it be JAVA issue? Please help me out. i am using Release 4.2(0) Build 124 on both servers.Attached below is the Replication LOG snapshot,
    Regards,
    Rizwan.

    https://supportforums.cisco.com/discussion/11382366/problems-witch-acs-42-replication
    https://supportforums.cisco.com/discussion/11363046/replication-problem-acs-ver-42

  • ACS Database Replication over VPN with overlapping Network Addresses

    We currently have two co-locations each situated in different provinces. We have two ACS servers which we want to deploy at each co-location. All our network equipments are behind PIX/ASA devices. Getting them to replicate over the VPN should be easy but in our case we have overlapping Network Addresses at both ends of the tunnels.
    As per Cisco data does not transit a NAT device when the two Cisco Secure ACS servers communicate and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to Implement NAT to achiever this.
    Has any one of you faced this problem of replicating ACS Database over the VPN with overlapping Network Addresses and was anyone able to successfully solve this issue using a work around ?
    All provided info and comments are greatly appreciated.

    I can help with the 3005 setup if you decide to go that route.
    You will need to add 2 network list entries under Configuration>Policy Management>Traffic Management>Network Lists.
    You will need to configure a local and remote address. The local will be one of the public ip's for the site.(Provided by your ISP)The remote will be the device you are connecting to on the other end.
    You will also need to add a Nat Lan to Lan rule under Configuration>Policy Management>Traffic Management>Nat>Lan to Lan.
    Use a static Nat type. The rest will look similar to my example.
    Source(Local address)Translated(Public Ip Address used in the network local list)Remote(Ip address of the device on the other end)
    Now just create an Ipsec lan to lan tunnel. You will need to agree with the ISP on des type and auth type. Use you local and remote networks you created earlier.

  • ACS 5.4 AD Join strange Issue

    Hi,
    We have two ACS boxes with the same software version (5.4.0.46.0a), we were able to join domain one ACS only and other ACS is given the attached error.
    When we checked "main-acs-01/admin# acs troubleshoot adcheck <domain-name>, it gave the same error for both ACS, however one ACS successfully joined to the domain and still other one failed.
    main-acs-01/admin# acs troubleshoot adcheck <domain-name
    This command is only for advanced troubleshooting and may incur a lot of network traffic
    Do you want to continue?  (yes/no) yes
    OSCHK    : Verify that this is a supported OS                          : Pass
    PATCH    : Linux patch check                                           : Pass
    PERL     : Verify perl is present and is a good version                : Pass
    SAMBA    : Inspecting Samba installation                               : Pass
    SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
    HOSTNAME : Verify hostname setting                                     : Pass
    NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
    DNSPROBE : Probe DNS server 172.24.1.1                                 : Pass
    DNSPROBE : Probe DNS server 172.24.1.2                                 : Pass
    DNSCHECK : Analyze basic health of DNS servers                         : Pass
    WHATSSH  : Is this an SSH that DirectControl works well with           : Pass
    SSH      : SSHD version and configuration                              : Note
             : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
    DOMNAME  : Check that the domain name is reasonable                    : Pass
    ADDC     : Find domain controllers in DNS                              : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for xxxx.hmc.org.qa.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the DC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    ldap(389)/udp - timeout
             :    smb(445)/tcp - refused
             :    ldap(389)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    ADPORT   : Port scan of DC xxxx.<domain-name>                    : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Failed
             : Cannot resolve the IP address for airportdc1.<domain-name>.
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                     : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                      : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                  : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                   : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                    : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                     : Warning
             : One or more ports failed to respond correctly. Either:
             :   a) the GC is offline
             :   b) a firewall is preventing access to a port
             : The following is a list of failed ports:
             :    gc(3268)/tcp - refused
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                       : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                        : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                          : Pass
    GCPORT   : Port scan of GC xxxx<domain-name>                           : Pass
    ADDNS    : DNS lookup of DC xxxx.<domain-name>                   : Pass
    GCPORT   : Port scan of GC xxxx.<domain-name>                    : Pass
    ADGC     : Check Global Catalog servers                                : Pass
    DCUP     : Check for operational DCs in <domain-name>                    : Pass
    SITEUP   : Check DCs for <domain-name>in our site                        : Pass
    DNSSYM   : Check DNS server symmetry                                   : Pass
    ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
    GSITE    : See if we think this is the correct site                    : Pass
    TIME     : Check clock synchronization                                 : Pass
    2 serious issues were encountered during check. These must be fixed before proceeding
    2 warnings were encountered during check. We recommend checking these before proceeding
    main-acs-01/admin#
    Has any one face this issue before and appreciate if someone can advise how to fix this.

    This was a known issue with ACS 5.3 however, we got this fixed in ACS 5.3 patch 7 and ACS 5.4
    Since you're running ACS 5.4, it should not trigger.
    CSCtx53223    After upgrade ACS 5.3 fail to join AD domain - missing Centrify license
    Symptom:
    After upgrading from 5.2 to 5.3, ACS fails to join the domain. AD connection worked for a few days, until the services were restarted. After that ACS fails to join AD with the following error message in ACSADAgent.log:
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Join to zone is only permitted with a licensed copy of DirectControl. Get a license or learn more about Centrify Suite at http://www.centrify.com/express
    Jan 20 02:36:32 CBR1BACS01 adjoin[6814]: DEBUG cli.adjoin Without a license, you may connect to a domain through Auto Zone by specifying adjoin -w Test.Test
    Conditions:
    Upgrade from 5.2 to 5.3. Restart the services later on.
    Workaround:
    Backup the ACS db and re-image the box to 5.3
    How did you upgrade to ACS 5.4
    1.] Upgraded from 5.3 to 5.4 using upgrade package.
    2.] reianged it with ACS 5.4 ISO and restored the ACS 5.3 database.
    I would suggest you to open a TAC case on this. Most likely you need reimage the server and restore the database if you had gone through with option 1.]
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I`m really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
    We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Logged At RADIUS
    Status NAS
    Failure Details Username MAC/IP
    Address Access Service Authentication
    Method Network Device NAS IP Address NAS Port ID CTS
    Security Group ACS Instance Failure  Reason
    Sep 2,10 3:37:46.916 PM
    Wired_802.1X_EAP-TLS
    EAP-TLS
    svacs01
    5411 EAP session timed out
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing ist the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong ? Maybe someone had this error before ?
    Any suggestions how to debug this ?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
    Logged At RADIUS
    Status NAS
    Failure Details Username MAC/IP
    Address Access Service Authentication
    Method Network Device NAS IP Address NAS Port ID CTS
    Security Group ACS Instance Failure  Reason
    Sep 7,10 11:50:36.143 PM
    dot1x wireless
    PEAP
    bfnetacs01
    5411 EAP session timed out
    Kind regards,
    Michael

  • ACE 4710 A3(2.0) and ACS - TACACS+

    Hi.
    I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
    ACE 4710:
    tacacs-server host 10.7.50.20 key 7 "fewhg"
    aaa group server tacacs+ tacacs_server_group
        server 10.7.50.20
        deadtime 15
    aaa authentication login default group tacacs_server_group local none
    aaa accounting default group tacacs_server_group local
    aaa authentication login error-enable
    ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
    The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with with Message-Type: "Unknown NAS".
    It seems like others have the same problem. The problem is that the link attacked in the topic beneath only leads me back to forum and not to a topic with solution.
    https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
    Any help is appreciated and thanks in advance!

    are you using telnet or ssh ?
    if ssh can you try telnet, allow telent on your management policy to do this. Then if it works via telnet , then try ssh again, if it now works then you have hit CSCsu36078
    http://tools.cisco.com/squish/03240

  • Use Cisco ACS to verify MAC address for VPN User

    Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
    For example:
    User opens VPN client-->Clicks connect-->types in User/Pass which gets passed to ACS (part of what should be sent is the MAC address)---> ACS responds with a yes/no on user/pass and whether the MAC address is right)

    Hi Pete,
    I have found out in some of my testings that If a PC doesnot genareate any kind of traffic and is totally ideal and once the MAC-address table ages out, it doesnot show its MAC untill the PC generates some kind of traffic.I guess this is what you must be seeing.
    I have oberved one more thing that If I connect a fully booted PC which not generating any traffic to a switch port it doesnot learn its Mac-address untill its generates the traffic. This is what my obeservations is and that what I believe in most of the cases.
    i dont know whether that answer your question or not but it could be something closer. I think there will be some who can put some more ligth on this.
    regards,
    -amit singh

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
    Following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • 802.1x ACS RSA Secure ID/Safeword Token server

    Hello, We are trying to impliment wireless scurity in our network. We want to issue badges with attached tokens so clients can come into our office and login to our wireless network, They would then be prompted for their login and password which would be their Badge ID an their token credentials.
    We are using an airespace wireless security device, We specify ACS as the 802.1x radius server. Airespace is sending the requests to ACS just fine but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the airespace wireless security device. The log below reflects this.
    We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA servers as our Radius Token Server, Set the unknown user DB to that Server and test auth, We are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XPSP1, as we would hate to have to install software on every clients laptop.
    A wireless client of ours DID work when we specified EAP-GTC on the client side, But it will never work when we specify PEAP on the client side, We never seem to see communications from ACS to our Safeword token server regardless of what we do(including the successful EAP-GTC login). Our radius strings are correct etc. Safeword is listening on 1812, But also has protols EASSP-1/2 listening on ports we have set manually(are these relevant to our needs?)
    The failed attempts log show "External DB Auth Failed"
    Here is a snip of the CSRadius/RDS.log when we try to auth, when we sniff traffic we see the eap request and the radius reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way please do. Thank you all in advance.
    Cisco RDS log attached.

    The problem could be with your Secure ID RSA server.

  • 802.1x(ACS) with avaya phones

    Hi All ,
    We are implementing wired dot1x for our wired users with EAP-TLS. When I am connecting laptop it is getting authenticated and it is working fine. For Voip(Avaya) we are using MAB .When we connect VOIP , after 30 seconds ACS is giving Access-accept(auth success) . But Voip is stuck up in Bad router state and VOIP is not working. If I connect the laptop behind the voip it is getting authenticated and it is working fine eventhough voip is stuck up.
    Is there a way we can reduce 802.1x auth timings , so that VOIP can register succesfully?
    The switch interface config is ,
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authetication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    Thanks,
    Vijay

    Hi,
    i am using AVAYA as well in production. They support 802.1X.
    Configure Voice VLAN on each Port.
    Let ACS send the radius attribute device-traffic-class=voice under
    Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
     and select Permission to join static.
    A good guide: IP Telephony for 802.1X Design Guide
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
    Regards Horst

Maybe you are looking for

  • How do I assign a timer to the DAQ module so that it counts the time from the start of the collection?

    Hi Everybody, I'm new to LabVIEW and need some help! I have setup a system that acquires the data from 4 thermocouples. I have then split the data to provide 4 temperature versus time graphs. The temperature fluctuates up and down but the time values

  • Having issue with Syncing Events from Iphoto to Apple Tv

    All of a sudden I have multiple events of the same title but different amount of photos when i try to sync my photos to apple tv.  Iphoto is fine, nothing is changed but when I go over to itunes to sync I see like 10 different Events with same name.

  • Work Flow preview issue in SBWP

    Hi Friends, We have issue related to SBWP. When a work item is selected in SAP inbox, we are not able to to see any thing on the SAP preview window at the bottom. It shows only the white blank screen. Can any one please help. Regards, Rohit

  • Try catch implementation in dynamic query

    I am fetching values by dynamic selection  (select a,b,..from (var)...) . Eveytime if I am selecting garbage value of var it will throw dump . Can u tell me how we implement try catch method / exception handling method so that I can avoid dump in dyn

  • Modify Ethernet driver settings for a local zone of exclusive ip-type

    Hi there A quick one. Have configured a local zone with ip-type set to exclusive for a physical interface fjgi1. How can I modify the fjgi driver settings for this local zone? Should I edit /platform/SUNW,SPARC-Enterprise/kernel/drv/fjgi.conf under t