ACS 4.2 NDG problem

Hi I have ACS appliance 4.2.0.124 installed at 2 sites. In one of the Appliance, under (Not Assigned) NDG the AAA server was reflecting as Self with IP address 127.0.0.1 & with the other one under AAA servers exact ip address of the appliance was reflecting with server name AAA. I had added the 1st server in 2nd server's unassigned NDC and 2nd server in 1st's unassigned NDC.
After that I configured the 1st server for outbound replication and 2nd for inbound replication with "Network Configuration Device tables" selected. After manual replication I found in 2nd appliances under unassigned NDG, server entry with name self and IP address 127.0.0.1 , along with teh second entry self and its own IP address are there. Now I am neither able to add the 1st server's entry to NDG grop(Error: host already exist) or DElete/edit the self with 127.0.0.1 ip adress. Can anybody help me to delete this entry from the database pls?
I dont have any backup previously and the ACS is live.

Hi all, I am using ACS SE 4.2 . Can i edit the IP address for record "Self" under AAA servers table under not assigned NDG, as the Ip address of self is showing 127.0.0.1???
Also can reinitialize the data base because one of the server's entry is not appearing under Not assigned NDG but during if i am trying to add the server error" Host already exists" comming.
Pls help me as i am stack at this point.

Similar Messages

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have fresh ACS 4.2.15 patch 5 ACS installation and I am tryng to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
    Did anyone had similar problem or is there something that I am doing in a wrong way? Is there another way to achieve such thing without using NDG's?
    Thanks everyone....

    Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • ACS 5.3 Authorization problem with using Identity Groups in Access Policy Rule

    Hello guys, I am found a problem which I can't solve regarding authorization with using Identity Groups in Access Policy rule.
    ACS version: 5.3.0.40.6 (internal build B.839)
    I have very simple RADIUS Authorization rule which authorize user on behalf of right Identity Group.
    Requested Identity Group exist
    Testing user is created in Internal Users and has assigned requested Identity Group
    Radius Access Policy: 
    Authentication against Identity Store Sequence, where authorization server is external RSA SecurID device and additional attributes retrieval is configured from Internal Users.
    Authorization is very simple – One Rule with only one Condition which is: Identity Group - in - Requested_Testing_Rule. Then Default rule is set to Deny.
    When I will try login with my testing user then authentication against RSA SecurID is OK, but authorization will be denied by Default rule – It looks like my Rule with Identity Group is totally omitted.
    I am managing several other ACS servers (version 5.3 but with older patches) where similar rules are working without problem.
    What I am tested:
    Remove testing user and create his account again.
    Rename Identity Group
    Use another Identity Group
    Remove Access Policy rule and create it again
    Use Compound Condition: System:Identity Group
    Use Compound Condition: System:UserID instead of Identity Group in Rule (it is working without problem)
    Do you have any idea where problem can be?

    OK guys, it started working yesterday without any configuration change. Maybe it was some database inconsistence wich was solved by ACS itself.

  • ACS 5.2 NDG Locations not showing up in Access Policies

    When I add locations under Network Device Groups and then try and use them in my Access Policies they don't show up. It just says "No data to display". If I try and recreate them I get an error "Object you are trying to Create already exists.' but it is blank. I can run an export and they show up in the CSV file but they don't show up anywhere on the GUI. I have deleted the file and recreated with the same result.
    I have been searching all over for anyone with a similar situation but have come up empty. Any thougts?
    Regards,
    Andy

    I have recollections about two issues related to this:
    - If there are mutliple attributes with the same name as the NDG. Eg if create a user attribute called "Locations" it can cause problems. Can be resolved by renaming the attribute
    - Could be issues if word "system" appears in NDG node name
    Not 100% sure for these (disclaimer) but wanted to mention in case it gives some pointers

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a Wireless Lan platform composed by equipment Access Points Cisco 1100 with ACS 3,1 and CA Microsoft.The security scheme is EAP-TLS (certificates).This architecture was completely functional. The problem took place when replacing the ACS 3,1 by the ACS 3,2 APPLIANCE, for which new certificates they were emitted by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network,without obtaining the objective ,being in a state of "trying to authenticate" in networks adapters, in addition the ACS Logs appear the following message "NAS duplicated authentication attempt".
    If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

    A hint i could give you that in such a scenario you need an Trusted boundary between the ACS Appliance and the MS AD/PDC. This we be realized trough an PC/Host who is a regitered member or user of the AD/PDC. This relay Computer then communicates with the MS CA. The SW that Cisco Provides is the Cisco Secure ACS Agent. Hope this helps as we found the same problem in leap authentication as the ACS Appliance could not be set into a AD/PDC Domain. This has to be realized trough this smal piece of SW installed on an PC/Host etc. wich is a active AD/PDC Member.

  • 802.1x with ACS 4.2 (RADIUS) problem

    HI all!
    I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).
    When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R4
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    dot1x system-auth-control
    interface FastEthernet0/0
    ip address 10.10.0.253 255.255.255.0
    duplex auto
    speed auto
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface FastEthernet1/0
    dot1x port-control auto
    interface FastEthernet1/1
    interface FastEthernet1/2
    interface FastEthernet1/3
    interface FastEthernet1/4
    interface FastEthernet1/5
    interface Vlan1
    ip address 192.168.1.1 255.255.255.0
    interface Vlan100
    ip address 192.168.100.1 255.255.255.0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result the vlan-switch data based does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpfull...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS Radius attributes and chose ony what ACS allows me to choose (Tunnel-medium-type: 802).
    Screenshot n attachment.
    The same situation occurs when i try to use some Vendor Specific Attributes (Cisco-AV-Pair)  - downloadable ACEs to my user, and again, i see Radius attributes in my debug but nothing is applied to my L3 Switch.
    What am i missing?

  • ACS RDBMS adding NDG with Shared Secret

    I have an ACS 4.2 on a SE 1113 and I am using RDBMS to add Network Device Groups. I am able to create the group, but I would like to set the Shared Secret for the group. I am using the action code 250 to add the group but I can not see a way to set the Secret. I can modify the Secret after creating the group using the GUI but it would be better to do it all with RDBMS. Are there any other action codes that can be used on NDGs?
    Thank you.

    Per NDG shared secrets came after NDG addition via dbsync. It looks like this has not been retro-fitted to dbsync.
    This is quite typical as dbsync is the poor unloved child of ACS.

  • Cisco Secure ACS "reports and activities" problem

    Hi, I am running ACS 3.3(3) Build 11.
    When I select the "next page" from any of the reports, I get a "page cannot be displayed" error. (1st page is fine).
    Any ideas what this can be caused by?
    Cheers, Steve.

    Not sure about this problem.. .but the ACS interface for searching reports is dire.
    Why not try aaa-reports! There's a free 60 day trial. We have tools to remotely pull down all CSVs from any number of ACSs and import & report on most of the ACS logs.
    Apols for the shameless plug.. but this can save you a lot of time and effort.
    www.extraxi.com

  • ACS Engine Hanging / Replication Problems

    I have two ACS 1112 Appliances running the latest software (Release 4.0(1) Build 42). Each appliance seems to run fine on its own. However, after setting up and successfully performing replication, the second ACS will not fully reboot. It says CSAuth did not start. 'show' usually shows the cpu at 100% with the services in various states of stopped, stopping, or starting. The web interface is unavailable. Another thing I have noticed that I think may have something to do with it is the status of the remote agents in the network device table. After replication, (and before rebooting) I can click on one successfully on the original machine, but when I attempt to click on one on the second appliance, I get a 404 browser error, and my ACS session is closed. I have to log back in to do anything else. Right now, I am rebuilding the second appliance from the cd (for the 15th time) to attempt replication with no remote agents defined to make narrow down the problem. Also note that if I manually add a remote agent on the second appliance, I am able to get to its properties with not problems. I am only not able to get to replicated entries' properties. Thanks in advance for any help.

    Well, forget about the remote agents. The primary appliance has a very basic config. The only things in the network device table are itself and the other ACS. They each have the correct settings and the same key. The backup ACS has no configuration settings, except the ACS settings in the network device table and the appropriate replication settings. After a successful replication from primary to backup, and a reboot of the backup--it will not start back up. The CPU is at 100% and the services look like this:
    CSAdmin stopped
    CSAuth starting
    CSDbSync starting
    CSLog stopping
    CSMon starting
    CSRadius starting
    CSTacacs starting
    CSAgent running
    thanks.

  • ACS Appliance Remote Agent Problem

    Hi there
    we have te following situation:
    - 2 x ACS SE's
    - 2 x ACS Remote Agents on Member Servers
    - 2 x ASA's
    We would like to authenticate the VPN users connecting to the ASA's via the ACS and the active directory.
    I configured the remote agent following this link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/remote_agent/rawi.html#wp289426
    But we are not able to fetch the active directory groups in the acs gui --> External User Database > Database Group Mappings > Active Directory > New Configuration.
    On the Domain Controller we get the errors ID 1030 and 1058, had someone these problemes too?
    Thanks in advance and regards
    Dominic

    Hi JG
    We have MS Windows Server 2003 with SP2. At the begining, the service was running as a local admin, then we had access to the AD, but we had some strange issues: after a short time (~1 Day) of zero authentication requests, the first request used about 2 minutes to get back to the ACS.
    We debugged the way from the ACS to the remote agent, it must have been on the server it self.
    Regards
    Dominic

  • ACS 5.4 snmp problem - sysoid

    I've looked through the posts and haven't found anything on this yet.
    We have 2 ACSs, 5.4, running on VMs.The ovas were initially deployed via the 5.3 image, then upgraded. The secondary had a storage problem over the weekend and the vm was not backed up as production, so it was deleted. We had to completely rebuild.
    This time, the ova was deployed from the 5.4 iso. Did patch 1, AD integration, etc. and then reestablished it as the secondary. Functionally everything
    is fine, replication is good, and everything is working.
    Looking in our NMS, I do see an issue with the sysoid. Below is the a snippet from the primary:
    .1.3.6.1.2.1.1.1.0 = STRING: Cisco Secure Access Control System 5.4
    .1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.2.1.47.1.1.1.1.13.1
    Here is the same from the newly deployed secondary:
    .1.3.6.1.2.1.1.1.0 = STRING: Cisco Application Deployment Engine
    .1.3.6.1.2.1.1.2.0 = OID: .0.0.0
    Has anyone seen this? Once again, everything is functioning fine and this appears to be cosmetic (not affecting normal ops).
    Thanks, chris

    At this point, my plan is to apply patch 2. When I do this, I will reboot the secondary (the VM itself). What I am not sure of is whether or not this was done. I thought when the initial ADE config was done and the setup script installed the app, the
    VM rebooted at that point. But that's what I'm going to try, change ticket is set for the 23rd. If I still see the same thing, then I'll look at playing around with the snmp settings, since it's not an issue of snmp not working, it's just not reporting the mib2 values I would expect.
    Thanks, chris

  • Acs se aaa server problem

    HI
    I have installed acs se for peap authenetication in a wireless network .
    however when i install the acs se it shows me 2 profiles (self and deliverance) after initial config in the aaa server window of network configuration .
    The name of the default server is delivernace and its ip is 169.x.x.x which is the default nic ip as u can check it out during the initial startup configuration.
    Pls help me to get this fixed

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is, even if we have ACS SE connected to Netowork during initial configuration. And we change the name of the ACS SE from "deliverance1" to something that we want. After changes has been made, on ACS SE, it comes back, and shows the ip 169.x.x.x associated with the new hostname.
    NOTE: I am considering that during initial configuration ACS SE was connected to network. If not, then this is supposed to happen.
    In order to correct this issue, follow following steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the Ip address of the ACS SE.
    Now go to, Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the Ip address of the ACS Hardware/appliance is in "Forward To" Column, If it is not, move it , and move all other entries under "AAA Servers" column and press "Submit + Restart"
    And delete the entry from the AAA Server section, that is associated with IP address 169.x.x.x
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once ACS SE is backup, go to, Network Configuration > under "Proxy Distribution Table" > (Default) > And make sure that the new name is in "Forward To" Column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • ACS-Shell commmand author. problem

    I have setup shell commands for the helpdesk to do basic viewing of the router. Is there a way to limit what they can do in config mode and how do i configure that on the ACS. For instance if I want the helpdesk to enable a port on a 3560 switch.
    This is in the test router:
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authorization exec default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none
    Thanks in advance

    "aaa authorization commands ....." doesn't include authorization for commands done in config mode. To enable that add the command:
    aaa authorization config-commands
    Then add the "set port enable" (or whatever) command into the TACACS authorization profile on the ACS server just like any other command. Note that you'll have to allow them to get into config mode in the first place though.

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
    Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
    Can anyone advice to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhacement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
    It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
    Conditions:
    Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
    Hope this clarifies it.
    Regards.

  • Machine authentication with MAR and ACS - revisited

    I'm wondering if anyone else has overcame the issue I'm about to describe.
    The scenario:
    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
    The passed authentications log does successfully show the machines authenticating.
    The challege:
    We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
    In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
    So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
    The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
    Has anyone seen / over come this ?
    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    Here's the only thing I could find on extending the schema (I'm not a schema expert):
    http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
    If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
    You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

Maybe you are looking for

  • Discount in BillOfMaterials

    Hello, I would like to know if it is possible ta have in BillOfMaterials a discount of a Price list. I have a Item with a price List. In the 'Define hierarchies and expansions' form I have select this Price list, and I have fill the item. Then in the

  • Adding fields in FB03 Document List

    Dear Experts Can anyone let me know whether there is any option to add additional fields like userid, Tcode, etc. in Document list available in FB03. I know that this facility is available in SAP versions 4.7 and above, but I am writing this with ref

  • Search results

    Hello to all! Following issue: If I search for a document I get only documents with a relevance higher than 70%. We have many documents in some km repository's so there are some documents are always missing. If I search in a km repository with less d

  • Error 10805 occurred at AI SingleScan

    I have 6024E. I get the following error message when I try to run Real-Time PID Control.vi and PID Control Loop.vi: NI-DAQ LV: The clock rate is faster than the hardware can support. An attempt to input or output a new data point was made before the

  • Recovery Partition HP-2000-2d49wm

    Ok, So my computer came with Windows 8. I Installed Windows 7 becuase of my issues to use certain Programs. Now that windows 8 has support for the things i NEED to use i decided to use the recovery Partition. When my computer boots up i press F11 to