ACS 4.2 - LDAP TCP Keepalive
Hello
I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.
When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).
I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.
Is there any possibility to enable Keepalives in ACS?
Thanks in advance for any help!
I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.
Did you make any progress with your TAC case?
Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
# show tech-support | i ldap | i tcp
ldap 389/tcp
ldaps 636/tcp # LDAP over SSL
tcp 0 0 exc2-acscor-1401:53892 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53893 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53890 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53891 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53889 acs.ldapunix..co:ldap ESTABLISHED
Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:
LDAP Connection Management
ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
After the authentication process is complete, the connection manager releases the connection to the connection manager.
I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R.
Similar Messages
-
ACS - LDAP TCP Keepalive (v5.2)
reposting as with subject including v5.2:
Hello
I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.
When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).
I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.
Is there any possibility to enable Keepalives in ACS?
Thanks in advance for any help!
Average Rating: 0 (0 Votes)
Reply
Outline View
Javier Henderson
159 posts sinceMar 12, 2010
1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst
Re: ACS 4.2 - LDAP TCP Keepalive
You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.
ACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP Keepalive
Average Rating: 0 (0 Votes)
Report Abuse
Reply
Juergen Meier
2 posts sinceSep 28, 2010
2. Jan 17, 2011 5:46 AM in response to: Javier Henderson
Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
Apparently this bug has re-appeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.
It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails due to the TCP connection been timed-out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.
Further ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.
A new ticket will be filed with TAC today.
ACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP Keepalive
Average Rating: 0 (0 Votes)
Report Abuse
Reply
ROB SCHIERON
5 posts sinceOct 20, 2010
3. Feb 14, 2011 10:29 PM in response to: Juergen Meier
Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.
Did you make any progress with your TAC case?
Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
# show tech-support | i ldap | i tcp
ldap 389/tcp
ldaps 636/tcp # LDAP over SSL
tcp 0 0 exc2-acscor-1401:53892 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53893 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53890 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53891 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53889 acs.ldapunix..co:ldap ESTABLISHED
Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:
LDAP Connection Management
ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
After the authentication process is complete, the connection manager releases the connection to the connection manager.
I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R.reposting as with subject including v5.2:
Hello
I have an ACS 4.2.1.15 patch 3 and Novell Netware LDAP Server separated by a Firewall. The Firewall's default tcp session timeout is 3600 seconds.
When no LDAP-Request is made for over one hour, the Firewall drops the connection from its table. The Problem is, that the ACS-Server thinks the connection is still open. When it tries to send an LDAP-Query this results in retransmissions and finally a RST... On the User side the Authentication attempt fails (timeout).
I tried to enable TCP Keepalives on the Windows-Server side, but this has no effect on the LDAP-Connections used by ACS.
Is there any possibility to enable Keepalives in ACS?
Thanks in advance for any help!
Average Rating: 0 (0 Votes)
Reply
Outline View
Javier Henderson
159 posts sinceMar 12, 2010
1. Dec 28, 2010 5:54 PM in response to: Zentraler Informatikdienst
Re: ACS 4.2 - LDAP TCP Keepalive
You are seeing the effects of bug CSCti03338 which I filed a few months ago, though it is supposed to be fixed on 4.2.1(15) patch 3. Please open a TAC case so we can look into this in detail.
ACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP Keepalive
Average Rating: 0 (0 Votes)
Report Abuse
Reply
Juergen Meier
2 posts sinceSep 28, 2010
2. Jan 17, 2011 5:46 AM in response to: Javier Henderson
Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
Apparently this bug has re-appeared in ACS 5.2 (5.2.0.26). ACS re-uses stale TCP connections many hours after the last TCP packet was sent.
It also uses different TCP connections for LDAP search queries and the subsequent authentication bind requests, so sometimes the search query and sometimes the bind request fails due to the TCP connection been timed-out long ago on all network devices (stateful firewalls, IDS/IPS, load balancers) between the ACS and the LDAP servers.
Further ACS fails to detect stale TCP connections and reports bogus authentication failures back to the NAS.
A new ticket will be filed with TAC today.
ACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP KeepaliveACS 4.2 - LDAP TCP Keepalive
Average Rating: 0 (0 Votes)
Report Abuse
Reply
ROB SCHIERON
5 posts sinceOct 20, 2010
3. Feb 14, 2011 10:29 PM in response to: Juergen Meier
Re: Also ACS 5.2 (was: ACS 4.2 - LDAP TCP Keepalive)
I'm seeing this issue too on 5.2.0.26.1, running LDAP auth through a F5 Load Balancer to a pair of Sun directory servers.
Did you make any progress with your TAC case?
Without using the root patch, this command is useful for finding out what is going on (it's just netstat):
# show tech-support | i ldap | i tcp
ldap 389/tcp
ldaps 636/tcp # LDAP over SSL
tcp 0 0 exc2-acscor-1401:53892 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53893 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53890 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53891 acs.ldapunix.co:ldap ESTABLISHED
tcp 0 0 exc2-acscor-1401:53889 acs.ldapunix..co:ldap ESTABLISHED
Also try adjusting "Max. Admin Connections" for LDAP.
From the admin guide:
LDAP Connection Management
ACS 5.1 supports multiple concurrent LDAP connections. Connections are opened on demand at the time of the first LDAP authentication. The maximum number of connections is configured for each LDAP server. Opening connections in advance shortens the authentication time. You can set the maximum number of connections to use for concurrent binding connections. The number of opened connections can be different for each LDAP server (primary or secondary) and is determined according to the maximum number of administration connections configured for each server.
ACS retains a list of open LDAP connections (including the bind information) for each LDAP server that is configured in ACS. During the authentication process, the connection manager attempts to find an open connection from the pool. If an open connection does not exist, a new one is opened.
If the LDAP server closed the connection, the connection manager reports an error during the first call to search the directory, and tries to renew the connection.
After the authentication process is complete, the connection manager releases the connection to the connection manager.
I'd be interested to hear if you have fixed your issue, or if anyone else is facing similar problems load balancing LDAP servers for the ACS.
Cheers
R. -
Lack of TCP keepalive parameter in Microsoft SQL Server ODBC Driver for Linux
Hello,
the problem in the
aforementioned driver is the lack of TCP keepalive parameter that results in hanged threads because of closed connections on the SQL Server side, but not closed
sockets on the client side. This could happen due to network-related problems.
The driver is used in mission critical 24/7 uptime application and due to hanged threads the application cannot continue it's work and it needs to be restarted.
This is observed in the latest version of the driver on RHEL 5.6.
If you need clarification please ask.
Does anybody know any workaround to this situation or a solution that I'm not aware of?
Thank you for your help,
luk.sFind the TCP socket of the ODBC connection in your process and set the keep-alive option and keep-alive timeout on it.
You can do that by interposing socket system call.
Or use libkeepalive: http://www.tldp.org/HOWTO/html_single/TCP-Keepalive-HOWTO/#libkeepalive -
TCP keepalives sent too early and terminates connection
I'm trying to implement an persistent TCP connection between an Android phone and a desktop server.
I've got heartbeat threads on both ends which are sending keepalive-packets on application level successfully.
The problem is that after a while (varies between 5-20min) the phone is starting to send TCP keepalives to the server, which the server does not seem to respond to. (I'm using Wireshark to monitor this).
This results in an exception on the server thread which is reading from the phone:java.net.SocketException: Connection reset
Why are the phone sending TCP keepalives so early? Even when there's constantly activity on application level? And why doesn't the desktop server respond to this keepalives?
I've checked my Android phone's settings with "sysctl -A | grep net.ipv4" and "net.ipv4.tcp_keepalive_time" is set to 7200 (2 hours).
Thanks.shuwo wrote:
I'm holding both a wakelock and a wifilock, so that shouldn't be the problem. I also tried it without putting my phone to sleep at all. I want a persistent connection because I need live data to be transmitted over the network, is there any other method for that?
If it isn't keep alive packets, what could it be? What causes a connection reset on server side?I wouldn't rely on a persistent connection. Mobile phones and bad network conditions/lost connections is bound to happen, and can happen frequently.
What do you mean by live data? Are you e.g streaming data? Polling (e.g. once per minute) could otherwise be better, that is how gmail works.
I doubt that the battery will last more than 6-7 hours if the phone never goes down to sleep mode. You can easily test it. Create an app, that just aquires a wakelock and then run it on your phone without doing any else like accessing network etc. Constantly using the network will also reduce the battery time even more. -
What is tcp-keepalives-in and tcp-keepalives-out
Can anyone help me out by telling the both things and the differences between
tcp-keepalives-in and tcp-keepalives-out
Thanks
IrshadIrshad,
If you have already not read this link...
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a00801365f3.shtml -
ACS v5.1 - LDAP and PEAP
Hi!
I'm trying to authenticate a WinXP client with PEAP.
And since it is only possible to define only one Active Directory in ACS v5.1 ( why on earth is that???), I had to define my other AD domain through LDAP.
But when I try to authenticate, this is what happens:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Policy-SwitchAccess-Testdomain
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
What does this mean? Is it possible that ACS *STILL* does not support PEAP authentication agains LDAP??
The other thing that bothers me, is that the matching rule is Default.
But when I go into the matching Policy to see the hit count, none of the rules (including Default) has increased its Hit Count.. very strange.
Thanks.LDAP as an external database never supports PEAP with Mschap. The client should be installed with the EAP-GTC supplicant.
Peap Mschapv2 only works with Active Directory.
Its an LDAP limitation, not ACS- there is no LDAP API to do it.
Supported LDAP server and 802.1x clients:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/de
vice_support/sdt51.html#wp71123
You may check PEAP FAQ's, please take a look under EAP TYPE comparison chart:
http://www.cisco.biz/en/US/prod/collateral/wireless/ps5678/ps430/prod_qas0900aecd801764fa_
ps2706_Products_Q_and_A_Item.html
Regds,
JK
Do rate helpful posts- -
ACS 5.2 LDAP authentication through groupMembership
Hi all,
I've succesfully configured ACS to authenticate users against our Novell DB through LDAP External Identity Store . With this setup all users having Novell account are authenticated.
There's an extra requirement that only users belong to group "Internet Access Users" can be authenticated. Running debugging on the ACS (5.2), I've been able to see that ACS can extract the user's group properties as bellow:
LDAP-response-search-entry-attr-value=groupMembership=cn=Internet Access Users\,ou=App Groups\,ou=ZENINTH\,o=Company
but I unable to create mapping/rules that filter this extra value. What I did is :
- Under External Identity Stores --> LDAP --> LDAP_Connection --> Directory Attributes, I added Attribute Name = "groupMembership", Type: "String", Policy Condition Name: "LDAP_Connection:groupMembership"
- Under Access Policies --> Internet Access --> Authorization, I create Rule-1 stated that "LDAP-LDAP_Connection:groupMembership contains cn=Internet Access Users", it will permitAccess. The default rules is denyAccess
But it seems it didn't work (never hit Rule-1)
Could anybody shed some lights ?
Thank you very much,Ok All is working, consider this as solved.
A restart of the ACS service magically fixed whatever was going on.
Cheers -
ACS 4.1 LDAP configuration
Does anyone have examples of what to enter in the External User Database, Generic LDAP for Novell eDir? I can't seem to get the ACS to query eDir.
I also would like to see some design docs on Novell eDir.
thanks
roger.... -
ACS 4.x LDAP Group Order
Hello there.
A customer of mine is complaining about the LDAP groups order. When he needs to make group mappings to one of the many groups he have in his database, he face problems to find them, because they're not in alphabetical order. Is that a way to get it in this way?
There's a screenshot to illustrate what's going on.Hi,
The LDAP Group set will populate the groups as defined in the AD.
I don't think it does take the pain to arrange them in an alphabetical order.
Regards,
Anisha
P.S.: please mark this thread resolved if you think your query is answered. -
EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP
Hello all,
I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
All of this appears to be successful the first time.
If we disassociate the machine, the problems start. The accounting STOP message is never sent.
Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
Thanks
GustavoAssuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi , I have an ACS and Open-LDAP server running on my company network.
Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
then, I'm moving on external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, also select it on access service. but when I tried to authenticate from my computer, an error was occurred. I received :
the following error 22056 Subject not found in the applicable identity store (s)
Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?
any suggestion ?
thanksThis is the log when using windows 7 as authentication client (Failed) :
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using 1841 router as authentication client (succeded) :
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.
so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
is there anything I can do to make it work ? -
Hi, I'm in a project security information and I'm think integration ACS software with ldap hosts in Unix machine: Samba
it's works??
there is a version trial of the ACS ? any version 4.2, 5.1 etc..
thankTry this
ACS 4.2
http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/acs/win/90-dayeval/eval-ACS-4.2.0.124-SW.zip&app=Tablebuild&status=showC2A%3E
ACS 4.1
http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval
ACS 5.1
https://supportforums.cisco.com/thread/2024417 -
AAA acs 4.1 to generic ldap
Hi there
We've installed ACS 4.1 to use it for network access authentication (switches, routers) via Radius (IETF).
I setup ACS with generic ldap to verfy users from MS Active Directory.
Everything work well :-)
But how do I configure ldaps under Cisco ACS?
Thanx for helpHi BB,
Please ensure the cert is installed correctly. Did you generate cert7.db file ?
How to generate "cert7.db" file :
1. Setup the LDAP with a certificate.
2. Install Netscape 4.x (this creates the cert7.db file, which is just a database of
certs)
3. Browse to https://servername:636 with the netscape browser.
4. Install the certificate selecting the option "accept this certificate forever"
5. Copy the cert7.db file to another directory (like the ACS folder)
The default location of the cert7.db file is C:\Program Files\Netscape\Users\default
6. Now just enter the path to the cert7.db file in the "Certificate DB Path" field in the
configuration for your LDAP DB in ACS.
Also let me know if you are using acs windows or acs appliance as we might need to look at the detailed logs.
Regards,
~JG -
ACS can not access ADS-LDAP starting from "DC=..."
Hi
I have an ACS v4.2 from which I try to access an ADS LDAP directory. When I use "CN=Users,DC=Domain,DC=com" as the baseDN for the users and the groups everything works as it should. When I change the base DN to "DC=Domain,DC=com" only, then the ACS is not able to find any users or groups. Even when trying to configure the group mappings he claims: "LDAP Server NOT reachable. Please check the configuration.". Using an LDAP browser I don't have any issues accessing the directory from the shorter baseDN.
Is this a v4.2 related problem or a general ACS problem?
The point is that I need to find users in different OU's, which are based directly under the domain name, so that I need to search for them starting from "DC=Domain,DC=com". I know that with "Generic LDAP" I can make severeal "Databsae Configurations" to resolve the issue with the OU's. But not with a "RSA SecurID Token and LDAP Group Mapping" setup. There is only possible to have one LDAP group mapping configuration.
Any input would be greatly appreciated.Hi
We invested a lot of time together with TAC and development. Short answer: No it's not solved. It was an ACS bug. But development didn't realy understand the problem. We went ahead and restructured the ADS.
The problem we had, is that a LDAP directory of a Windows is not fully accessible. Even if you connect as a Domain Administrator or to the Global Catalog. :-) And that's where the ACS fails. LDAP browsers just read over the unaccessible parts of a LDAP directory and show you all the accessible part. ACS doesn't. He stops and reports the failure. You can see that clearly when sniffing the access of the ACS and the LDAP browser to the directory. Unfortunately the unaccessible part is at the beginning of the ADS LDAP directory. :-(
Maybe they resolved the problem nowadays. Or if you have a Windows Guru who can help you in making the directory fully accessible I would be interessted in the How-To.
I wish you best luck with your issue.
Kind regards
Roberto -
CSS keepalive TCP flags
Hi. I have a problem with the way an application behaves in response to CSS tcp keepalives, I'd be grateful for any advice.
Using standard TCP keepalives, an application logs a broken connection for every keepalive, filling up the app logs, causing the administrators to complain. If I change the tcp-close type to FIN, the application doesn't log an error, but it still logs the connection, same complaint from the admins.
The application developers feel that it's not their problem, they're comparing the keepalives to nmap probes and indeed, it is possible to confirm that the service is up with nmap, without generating an error/connection log entry on the server.
According to some Wireshark captures, the TCP flags of a CSS keepalive, compared to an nmap probe, are as follows;
CSS
CSS --> Syn --> Server
CSS <-- Syn, Ack <-- Server
CSS --> Ack --> Server
CSS --> Rst, Ack --> Server
nmap -sS
NmapPC --> Syn --> Server
NmapPC <-- Syn, Ack <-- Server
NmapPC --> Rst --> Server
So, my question is, can the tcp behaviour of CSS keepalives be modified, to dispense with the arguably superfluous 'ack'ing that's illustrated above?
Thanks
AndyThanks for the replies.
I've tried tcp-close fin, it stops an error being logged, but the application still logs the connection.
I wouldn't be concerned, other than the fact it clearly is possible to both establish that the service is running on the server and not log the connection attempt, using Nmap's more abbreviated tcp behaviour.
I am curious, though. What is the CSS acknowledging when it sends an ACK in the RST packet?
Regards
Andy
Maybe you are looking for
-
Using the correct charger for hp dv6? 90 or 120w?? which one? help!
Hi guys, currently im using a charger from my hp dv6-6153sa, but i need to cut this story short so you understand. First of i changed the motherboard in this laptop, the motherboard is from the hp pavilion dv6-6198sp however the battery is from a hp
-
Getting error as Buffer table not up to date
Hi SRM gurus, We have one order which is created in the EBP side and the same is replicated in the backend also. Also confirmations and invoices are posted for this local PO. These confirmations and invoices are also carried over to backend. However
-
Standard Datasource for ECMCT and ECMCA:Consolidation
Hi, Are there any Standard Datasources available for extractiong data from ECMCT and ECMCA(ECCS Tables).I am currently working in SAP ECC6.0.I could not find any Standard datasources. Regards, Samir
-
Hi, I opened a SEV 3 SR with Oracle Support a week ago (6/1 8am) and have yet to get any response whatsoever. Updated the SR on Monday asking for a response and none so far. This has happened a couple of times the last 6 months. I read the latest "Or
-
HT204053 Lost all info on ICloud. How to get it Back?
I received an email stating that my Icloud storage was almost full. 4/5Go. I got a new Iphone today and wanted to get my info back on the new one but it is now empty. How can I get my info back?