ACS 4.2.1: adding new AAA clients through odbc import

Similar Messages

• Adding New Screen Fields Through BDT

  Hi All,
        In BP transaction there is a concession tab. i want to add 2 new screen fields from z table.
        i have added from z table in that concession tab.
  But The problem is that screen fields are coming in the last line.but where as i need those all new fields in right corner of first and second lines of the existing fields .plz.. help me
  Thanks Inadvance ,
  Siva Kumar

  Hi Vishnu
  I suggest to use EEWB for adding the new field. Follow the following steps
  1. Run Transaction EEWB (Easy Enhancement Work Bench)
  2. Create new Project.
  3. Select the relevent Z package.
  4. Create Customizing and Workbench Requests.
  5. Select table BUPA
  6. Select the type of field you require (single or table) and follow the wizard.
  The new fields will appeare on a new tab "Customer Data" on BP Screen.
  The Screen Name and Sequence can then be changed with VCT.
  Precautions:
  1. Your user must have developer's key privilages.
  2. There should not be any users working on the system when you are doing this activity.
  3. The workbench request created is client independent. The customization request created is client specific.
  4. The process is reversable and does not get effected by patch upload.
  hope this may help.
  Cheers
  Avi

• Help adding new WLC to existing ACS

  Hi All,
  I need help with this.
  This network has a working WLC that authenticates wireless users against an ACS by MAC address. It works fine.
  I need to add a new WLC.
  I added the WLC, the APs connect to the WLC fine, but the users get limited connectivity and we've found out that is because the new WLC is getting authentication errors against the ACS.
  The configuration of the new WLC is exactly the same as the current working WLC and both controllers show as AAA clients on the ACS.
  I want to know if somebody can point me out in the right direction to solve this.
  There's connectivity fine between all devices (as far as PING goes), and there's no Firewall or filters in between.
  The difference I see on both WLCs is that on the working one (WLC1), under Security - AP Policies, we see the AP Authorization List with the MAC addresses/cert type/hash.  We don't get this information on the non-working WLC (attached document shows both)
  Also in the attached document, I'm sending the errors I get no the WLC2 controller.
  Any help is greatly appreciated.
  Federico.

  Federico,
  I didn't get you when you say that you see only One WLC under groupsetup/Mac address. Could you please elaborate this?
  Also, if you don't know see any NAR configured under shared profile component then check inside the group/user setup there must be either ip based or CLI/DNIS based NAR configured for WLC's and looking at failed attempts it seem that action is denied.
  HTH
  Regds,
  JK
  Do rate helpful posts-

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• How to stop ACS intergated AD users to login in AAA clients(network device)

  I have ACS 4.2 Appliance which is integrated with Active directory.
  AD users are able to login in network devices. Is there any so that I can stop AD user and other local users to login in AAA clinets (network devices).

  These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
  What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Swicthing gear from other companies?
  For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS ro TACACS+, respectively):
  aaa group server radius rad_admin
  server xxx.xxx.xxx.xxx
  aaa group server tacacs+ tac_admin
  server xxx.xxx.xxx.xxx
  If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

• Adding new project mask  in Production Client

  Hi,
  I have requirement of adding new project mask code for Production client.
  As SAP standard functionality does not allow you to add any new project
  mask once you create a project .So if I try to add new mask system will not
  show me projects already created and released.Is there any solution to this
  problem?
  Ranjit

  Hi Ranjit,
  You did not specify exactly what type of new mask you are adding.  For example, maybe you simply need to modify an existing code.  You can make two changes to existing codes that have projects created.
  1.  You can extend the length of the mask to the complete 24 characters, if not already 24 characters.
  2.  You can change any 0 (numeric only) character in the mask to an X (allows alphanumeric).
  The best means to see what project codes are already in use, you should run SE16 for table PROJ and PRPS.  You want to view the fields in PROJ-PSPNR and/or PROJ-PSPID as well as PRPS-PSPNR and PRPS-POSID.  So, any project code beginning values (A, B, C, etc; 1, 2, 3, etc) displayed cannot be setup as new project codes.
  Yes, you could delete the old project codes after archiving the structures, but you also have to (or should) archive any associated financial documents.  As the previous responder stated, this is not a trivial task.
  Points appreciated....
  Regards,
  Kent Bettisworth

• ACS 5.0 having issues with different subnet AAA Clients

  Dear All,
  I am getting weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS but different subnet cannot.
  I have checked the firewall between them, Its allow any any with all services.
  One more thing I have faced today is that now from only one switch (10.1.2.10) can access ACS but switches in the same subnet (10.1.2.0/24) cant access ACS as same previous issue.
  Following are the logs of one switch(10.1.2.10) in different subnet can access ACS :
  Working Switch with Same configuration:
  SW-A#test aaa group tacacs+ test cisco legacy
  Attempting authentication test to server-group tacacs+ using tacacs+
  User was successfully authenticated.
  SW-A#
  *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
  *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
  *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
  *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
  *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
  *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
  *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
  SW-A#
  *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
  *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
  *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
  *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
  *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
  *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
  *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
  Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
  SW-B#test aaa group tacacs+ test cisco legacy
  Attempting authentication test to server-group tacacs+ using tacacs+
  No authoritative response from any server.
  SW-B#
  *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
  *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
  *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
  *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
  *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
  *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
  *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
  SW-B#
  *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
  *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
  *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
  *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
  *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
  *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
  Waiting for your responses.
  Regards,
  Anser

  Ok, cool,
  So this usually means that the switch is sourcing the requests from a difernet interface that is configured on the ACS.
  I would guess that the ACS is reporting unknown NAS...
  Can you please use the "ip tacacs source-interface" command to make sure the switch will source the Tacacs+ packets from the interface with the IP address for which you have the ACS configured to?
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Authentication in the chain DUN-AAA client-ACS-NMAS-NDS

  Dears,
  I have installed Novell client on a windows XP.
  I will login my user and my password in NDS via the chain cisco aaa client
  (router cisco 2503)- acs server - nmas.
  For this in the login mask of the novell client, I select Dialup --> login
  using dial-up networking --> the profile of my DUN containing the
  properties of my modem connection --> no location (direct connect).
  When I press OK, it is asking to me the detail of the connection :
  - my username
  - my password
  - my domain
  - my phone number
  I select connect to inititiate the connection. I late the parameter "my
  domain" to empty.
  I see that the novell client is using DUN to dialin the correspondant
  modem.
  I receive the call on my acs aaa client (router cisco 2503)and this aaa
  client is sending the packets to acs server for authentication.
  Then, the ACS server is receiving these packets and resend these to NMAS
  (token radius server external database). Normally NMAS has to authenticate
  the user and password inside the NDS.
  But I receive an error message indicating that the usename and password
  are invalid on the doamin (error code 619).
  I don't understand this error message because there is no domain notion in
  Novell. I can understand that mircosoft needs a domain to authenticate the
  user and password. Because the Novell client dial-up is based on DUN and
  DUN is based microsoft, we need a domain for authenticating the username
  and password.
  Does it mean that I need an Active Directory for authenticating username
  and pasword in the domain ?
  Does it mean that I have to integrate the AD with NDS ?
  Can I use the local AD/SAM of my PC to authenticate the username and the
  password in the domain ?
  If yes, how can I configure the NDS for this ?
  Could you help me as soon as possible ?
  Yours sincerely,
  Olivier MONTEE.

  Olivier,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• Denying AAA Clients to a specific user group in ACS v4.1

  Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
  thanks in advance,
  dave

  Hi,
  Why don't you use NAR (Network access restriction)
  Under the network config > simply create one NDG and assign all the voice router under it.
  After that go to the group/user where you want to put this restriction
  You need to check that what are we getting in calling station id. If we are getting ip address then
  [1] To accomplish above we would configure the group with following
  NAR (network access restriction)
  Define IP based Network Access Restriction
  Permitted Calling Point
  AAA client: VOICE NDG created
  Port *
  Src IP Address *
  Subit the changes and try.
  Here is more on configuring Network Access Restriction:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.
  2/user/guide/GrpMgt.html#wp478900
  HTH
  JK
  Plz rate helpful posts-

• 13017 Received TACACS+ packet from unknown Network Device or AAA Client

  I am adding new routers to our Corporate network for a new MPLS network.  I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client  errors for these new routers.  They are added to ACS 5.4.0.30 correctly just like all of our other devices.  We have never had real routers on the network before, just switches and access points.  Is there something special I need to set in ACS for these to work and authenticate correctly?  I can only access the currently with built in login locally.
  One of the new router configs
  Current configuration : 2370 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname T666
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
  aaa new-model
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa session-id common
  clock timezone CST -6
  clock summer-time CDT recurring
  ip cef
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  voice-card 0
  crypto pki trustpoint TP-self-signed-2699490457
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-2699490457
   revocation-check none
   rsakeypair TP-self-signed-2699490457
  username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
  interface FastEthernet0/0
   ip address 10.114.2.1 255.255.255.0
   ip helper-address 10.30.101.4
   duplex auto
   speed auto
  interface FastEthernet0/1
   no ip address
   shutdown
   duplex auto
   speed auto
  interface Serial0/1/0
   ip address X.X.X.X 255.255.255.252
   no fair-queue
   service-module t1 timeslots 1-24
   service-module t1 remote-alarm-enable
   service-module t1 fdl ansi
   no cdp enable
  router bgp 65065
   no synchronization
   bgp log-neighbor-changes
   network 10.114.2.0 mask 255.255.255.0
   neighbor X.X.X.X remote-as 209
   neighbor X.X.X.X default-originate
   default-information originate
   no auto-summary
  ip forward-protocol nd
  ip bgp-community new-format
  ip http server
  ip http authentication aaa
  ip http secure-server
  ip tacacs source-interface FastEthernet0/0
  no logging trap
  tacacs-server host 10.30.101.221 key 7 1429005B5C502225
  tacacs-server host 10.30.101.222 key 7 1429005B5C502225
  tacacs-server directed-request
  control-plane
  banner exec ^CC
  C
  Login OK
  ^C
  banner motd ^CC
  C
  **  UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED.  USE OF
  **  THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
  **  RUAN Transport Corporation
  **  Network Services
  **  [email protected]
  **  515.245.2512
  ^C
  line con 0
  line aux 0
  line vty 0 4
   exec-timeout 30 0
   transport input all
  line vty 5 15
   exec-timeout 30 0
  scheduler allocate 20000 1000
  end
  T666#

  AAA Protocol > TACACS+ Authentication Details
  Date :
  September 19, 2014
  Generated on September 19, 2014 10:21:27 AM CDT
  Authentication Details
  Status:
  Failed
  Failure Reason:
  13017 Received TACACS+ packet from unknown Network Device or AAA Client
  Logged At:
  Sep 19, 2014 10:21 AM
  ACS Time:
  Sep 19, 2014 10:21 AM
  ACS Instance:
  acs01
  Authentication Method:
  Authentication Type:
  Privilege Level:
  User
  Username:
  Remote Address:
  Network Device
  Network Device:
  Network Device IP Address:
  10.114.2.1
  Network Device Groups:
  Access Policy
  Access Service:
  Identity Store:
  Selected Shell Profile:
  Active Directory Domain:
  Identity Group:
  Access Service Selection Matched Rule :
  Identity Policy Matched Rule:
  Selected Identity Stores:
  Query Identity Stores:
  Selected Query Identity Stores:
  Group Mapping Policy Matched Rule:
  Authorization Policy Matched Rule:
  Authorization Exception Policy Matched Rule:
  Other
  ACS Session ID:
  Service:
  AV Pairs:
  Response Time:
  Other Attributes:
  ACSVersion=acs-5.3.0.40-B.839 
  ConfigVersionId=359 
  Device Port=59840 
  Protocol=Tacacs
  Authentication Result
  Steps
  Received TACACS+ packet from unknown Network Device or AAA Client
  Additional Details
  DiagnosticsACS Configuration Changes

• Add AAA Client Errors,Shared Secret value must not be blank.

  hello,
  When i add the AAA client to the ACS 4.2 90 eveluation software installed on win2003 std OS with SPk 1 gives the below error when entered the shared secret value then submitting it.
  "Shared Secret value must not be blank"
  what could br the cause?
  Thks
  swami

  This could be related to the browser it sounds like the ACS might not be receiving the Shared Secret from your input.
  The ACS 4.2 does not allow a AAA to be added without a shared secret key.
  CSCsr68278 ACS 4.2 does not allow a blank TACACS+ key
  Make sure that the ACS IP Address is added into your Trusted Sites (IE). You could also try updating to the latest version of Java.

• TACACS+ packet from unknown Network Device or AAA Client

  Hi all,
  I can't perform login using the credential set at ACS server, From the log it shown:
  "Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
  I know there's some changes on TACACS+ part for new catalyst IOS, so i refer the guide and this is my config snipet:
  aaa group server tacacs+ TAC_PLUS
  server name AUTH
  tacacs server AUTH
  address ipv4 10.10.21.251
  key xxxxxx
  aaa authentication login TAC_PLUS group tacacs+ local line
  aaa authorization exec TAC_PLUS group tacacs+ none
  aaa authorization commands 15 default if-authenticated
  aaa accounting update periodic 1
  aaa accounting exec TAC_PLUS start-stop group tacacs+
  aaa accounting network TAC_PLUS start-stop group tacacs+
  aaa accounting connection TAC_PLUS start-stop group tacacs+
  My platform is
  - C6500 running on IOS 12.2 (33) SXJ1
  - ACS 5.2.0.26
  Need guidance on this, thanks
  Noel

  Hello,
  Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
  Regards.

• Configured Nacs- how to restrict AAA client access by specified Password

  Hi all
  i hav given the below config in AAA Client& added the Client in User,Group, the NAR is configured for all Clients ,
  But my requirement is restrict AAA client access by specified Password
  aaa new-model
  aaa group server tacacs+ NACS_Group1
  server 10.x.x.x
  server 10.y.y.y
  aaa authentication login default group NACS_Group1 local
  aaa authentication enable default group NACS_Group1 enable
  aaa authorization config-commands
  aaa authorization exec default group NACS_Group1 if-authenticated
  aaa authorization exec NACS_Group1 group tacacs+ local
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+

  You use the Network Access Restrictions table in the Advanced Settings area of User Setup to set NARs in three ways:
  Apply existing shared NARs by name.
  Define IP-based access restrictions to permit or deny user access to a specified AAA client or to specified ports on an AAA client when an IP connection has been established.
  Define CLI/DNIS-based access restrictions to permit or deny user access based on the CLI/DNIS that is used.
  Note: You can also use the CLI/DNIS-based access restrictions area to specify other values. See the Network Access Restrictions section for more information.

• Assigned by AAA client pool problem

  folks
  i think i'm getting closer to resolving my problem with acs and dhcp
  i have an acs se (4.1) authenticating dialin users on a management network
  i'm getting duplicate ip addresses being issued by the acs so i want to use a router to allocate dhcp addresses to upto 8 scopes - one per user on the acs
  i've added the router as a aaa client on the acs with cisco ios radius and in the user settings i selected Assigned by AAA client pool and selected the pool name used on the router
  once the user tries they get authenticated but i don't see any dhcp requests to the router
  the acs se has 4 other aaa clients
  has anyone had an issue or successfully configured this before?
  thanks to anyone taking the time to read this or to post a reply
  greatly appreciated

  With ACS v4 you could do this....
  Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme which each target group using a different IP pool.
  Probably only works when users are external as you need group mapping to make it work.
  A bit cludgy.. but should work.

• How to create new subsite while adding new item to the list by using javascript?

  hi,
  I hav a task ie, when I add item to the list then subsite will create with that list item title and description . So By using javascript, I have to create subsite while adding new item to the list.
  Help me to solve this.
  Thank you, 

  Is your item getting added through Javascript client object model ? If yes, you can write in the success delegate of your list creation method the logic to create the subsite.
  function CreateListItem()
  var clientContext = new SP.ClientContext.get_current();
  var oList = clientContext.get_web().get_lists().getByTitle('List Name');
  var itemCreateInfo = new SP.ListItemCreationInformation();
  this.oListItem = oList.addItem(itemCreateInfo);
  oListItem.set_item('Title', 'My New Item!');
  oListItem.set_item('Body', 'Hello World!');
  oListItem.update();
  clientContext.load(oListItem);
  clientContext.executeQueryAsync(Function.createDelegate(this, this.CreateListItemOnSuccess), Function.createDelegate(this, this.onQueryFailed));
  function CreateListItemOnSuccess() {
  var subsiteTitle = oListItem.get_item('Title');
  //Logic to create a subsite
  function onQueryFailed(sender, args) {
  I have added a sample flow for the above scenario. Have a look at the following lnk for how you can craete a subsite using ecmascript.
  http://ravisoftltd.wordpress.com/2013/03/06/sharepoint-2010-create-site-with-ecma-script-with/
  Geetanjali Arora | My blogs |