ACS 5.0 issue

Hello,
Is there any solution to configure Group mapping under ACS version 5.0?
Regards,

ACS 5.0 was released a couple of years back. Since the 5.0 build there have been a few patches released and several releases, the latest of which is ACS 5.2.
There have been fixes in this area and it may well resolve your issue. It is hard to identify a specific issue, but it may be:
CSCsy17858: Incorrect handling of Tunnel-Type & Tunnel-Client-Endpoint attrs
If your deployment is new and you have little configuration, you could consider just installing ACS 5.2. You would need to install the full ISO, which can be downloaded from CCO. Otherwise you can install patches for ACS 5.0 (the latest with fixes is 5.0.0.21.8) and may upgrade later.

Similar Messages

  • ACS Windows Agent Issue

    Hi,
    We just upgraded our 3.3 ACS to the latest version without issue. I created the Remote Agent on the ACS, but when I install the Agent on the Windows 2003 server I get "Unable to initialize variables". Anyone? Thanks.
    John

    John,
    - Log on to the computer as a Local Administrator, preferably "Administrator", and then try to uninstall Remote Agent and install it back. Log on locally to the box and install the RA.
    - If the above doesn't work, you might have to manually uninstall Remote Agent. After uninstalling, you can try to reinstall the current version of the remote agent.
    somishra

  • ACS external database issue

    Hi
    I have the following issue: the user exists on both the ACS and the token server, authentication is set to the external database with no unknown user policy, as the user is known to the ACS. This fails authentication; the error message is CS user unknown... Now if the unknown user policy is set to the external database, the authentication works fine. This is on 3.3. I have checked for bugs to no avail.
    Any assistance would be good...
    Thanks MJ

    Hi JG
    Many thanks for your response. It is configured this way due to the documentation below:
    Known Users - Users explicitly added, either manually or automatically, into the CiscoSecureACS database.
    These are users added through User Setup in the HTML interface, by the RDBMS Synchronization feature, by the Database Replication feature, or by the CSUtil.exe utility. For more information about CSUtil.exe, see "CSUtil Database Utility".
    CiscoSecureACS attempts to authenticate a known user with the single database that the user is associated with. If the user database is the CiscoSecure user database and the user does not represent a Voice-over-IP (VoIP) user account, a password is required for the user. If the user database is an external user database or if the user represents a VoIP user account, CiscoSecureACS does not have to store a user password in the CiscoSecure user database.
    This is from the following link....
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/qu.htm
    Many thanks MJ

  • ACS INTERNAL USER issue with 4.2.(1) build 15

    Hi all,
    I am facing an issue with my ACS server, nothing too difficult, but it bugs me. I have an internal user; this user is able to access some Cisco devices and can't access others. There is no Network Access Restriction set for the username. The log shows that when access is granted to a device, the server maps the user to the correct user group; however, when the user fails authentication the log shows the default user group, which indicates that the user does not always map to the correct user group.
    Thanks for the help,
    Jean Paul---

    The problem you're running into clearly indicates that either a Network Access Restriction or a Network Access Policy is configured for a user or group. Since you're positive that there is nothing configured on the NAR, let's narrow it down via logs.
    Duplicate the issue again with both the devices (working and non-working)
    With working devices, you would get the passed attempts >> copy and paste the log attempt as it is.
    With Non-working device, you would see failed attempt >> copy and paste the log attempt as it is.
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 1113 recovery issue

    The first time I boot the ACS 1113 and access it through the serial port, whenever I enter Administrator at the login prompt
    I am not getting any password prompt for the last 40 minutes; only the cursor is blinking.
    I tried to recover through the CD, and that has also not been working for the last two hours.
    Kindly provide solution.

    Either the device is bad or you are trying to recover with bad media.
    Try to get new media for ACS SE 1113 (Recovery CD)
    If still issue exists, go for an RMA.
    I am considering that this is a new box that you are trying to configure.
    Regards,
    Prem

  • ACS 4 configuration issue

    I had set up Cisco ACS for TACACS authentication for Cisco Aironet and Cisco ASA. Unfortunately the server crashed and I did not have a backup. But I had the secret key and other server information. I re-installed the Cisco ACS and could successfully authenticate to the Cisco Aironet, but the Cisco ASA is giving me "access denied" when trying through SSH with username and password. Under ACS
    I created the username and password and left the rest to the group setting. Under the group setting I enabled shell (exec) and privilege level 15. I made the maximum privilege level for AAA clients 15 and tried enabling and disabling command-level authorization and checked "allow unmatched argument", but I still get the same error. The Cisco site also refers to the same thing. Is there any option I am missing? I request assistance since I am not able to connect to the ASA.
    Thanks in Advance

    Hi,
    I believe you are getting an Unknown NAS error. Please add the device in the network configuration as an AAA client. Make sure you are using the right protocol (TACACS/RADIUS) and the right key as per the device config.
    Regards,
    Vivek

  • ACS Appliance configuration issue.

    When I attempt to configure the ACS IP address I am getting the following error:
    "Error; Failed to get NIC configuration: <null> <FFFFFFFF>"
    The device is connected to a working ethernet port and the physical layers have been eliminated. Aside from starting from scratch, can anyone suggest a way out of this problem?

    You need to reimage the ACS appliance.

  • ACS 3.3 issues trying to use AD authentication

    I am trying to set up ACS to use AD for authentication. I have followed the instructions Cisco gives out, but my test account still fails when I try to log into any network device. I've looked in the ACS logs and it keeps showing "CS user unknown". This tells me that the ACS box is not talking to AD correctly. Any suggestions?

    Go to ACS ---> Unknown User Policy ---> Check the following external user databases ---> Select Windows.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 3.3 issues

    Hello,
    Currently I have 802.1x with ACS working to authenticate users to Active Directory. The network is big and also has wireless; the APs have several SSIDs, where one SSID works with EAP. My problem is here: only one domain doesn't work with EAP. I check the ACS (Failed Attempts) but it doesn't show me anything about this domain.
    I attach the debug that the AP sends me.
    Regards,

    Well well, I guess you are getting the lovely enable 15 user account on ACS Failed Attempts for failed authorization.
    So cool, ha :)
    It is the ASA trying to force the authorization using that lovely account. What you need to overcome that is having the enable authentication done against the ACS itself,
    by adding the following command on the ASA:
    aaa authentication login console TACACS+ local
    On the ACS, make sure that enable password authentication is enabled for the user.
    There you have three options: either you use the same PAP password, or a separate one, or, if you are trying with a user
    defined on an external DB, that user's password on the external DB.
    Please Don't Forget to rate correct answers

  • Acs appliance connectivity issue

    I am currently deploying 802.1x auth for wireless clients using PEAP; however, every 15-20 minutes after getting authenticated through ACS I lose my connectivity from the ACS to my layer 2 core, and subsequently the wireless clients cannot be authenticated any further.
    Is this an OS bug on the ACS, a config problem, or a hardware issue?

    Hi,
    Make sure that you have this patch applied on clients
    http://support.microsoft.com/kb/885453
    Regards,
    ~JG
    Please rate helpful posts

  • ACS 5.3 Dot1x for Wired/Wireless

    Hi Community,
    I have a query regarding ACS 5.3 installation. I have wired and wireless clients in my setup, with Nexus 5k and 45k switches and a WLC-5508. Also we are using Microsoft AD to authenticate clients for network access.
    My questions are:
    1. Can we configure dot1x in this scenario to use password only (no certificates needed at all)? Or must we have certificates in order to configure it perfectly (like AD and ACS sync issues etc.)?
    2. If yes, can someone point out any good docs that can help?
    Regards,
    Hammad

    Hi Jatin,
    Thanks for the tips earlier. However, I installed ACS 5.4 and then configured the server from scratch.
    I am getting MAB as well as Dot1X authentication. But for two different users I am getting two different results for DOT1X. Wondering why this is happening? Is it an ACS/switch config issue or is it related to AD?
    I am finding one user is getting perfectly authenticated while the other is showing "Authorization failed" yet is still able to access the NW.
    #$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: ABC\shuser
                   Status: Authz Success
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
            Vlan Policy: N/A
                 ACS ACL: xACSACLx-IP-SSH-PERMIT-ALL-5270ce52
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010548A006AC
         Acct Session ID: 0x000007A4
                   Handle: 0xA1000106
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    CS01#
    CS01#
    CS01#$cation sessions interface tenGigabitEthernet 1/1/12
               Interface: TenGigabitEthernet1/1/12
             MAC Address: 28d2.4421.109c
               IP Address: 10.160.193.100
               User-Name: host/TESTPC01.sportshub.com.sg
                   Status: Authz Failed
                   Domain: DATA
         Security Policy: Should Secure
         Security Status: Unsecure
           Oper host mode: multi-auth
         Oper control dir: both
           Authorized By: Authentication Server
             Vlan Policy: N/A
         Session timeout: N/A
             Idle timeout: N/A
       Common Session ID: 0AA000010000010648A11C04
         Acct Session ID: 0x000007AD
                   Handle: 0x61000107
    Runnable methods list:
           Method   State
           dot1x   Authc Success
    ================================
    SWITCH PORT CONFIG:
    int ten1/1/9
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    authentication host-mode multi-auth
    authentication violation restrict
    dot1x timeout tx-period 10
    dot1x timeout quiet-period 20
    authentication timer reauthenticate server
    dot1x max-reauth-req 3
    Regards,
    Hammad
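The two session dumps above show the detail worth noticing: both sessions report the dot1x method as "Authc Success", yet the machine account ends in "Authz Failed". That is, the credential check passed and the failure is in the authorization stage, so the authorization profile ACS returns for that identity is where to look. The following added example (not from the post, not Cisco code) parses "show authentication sessions interface" output and flags exactly that combination; the sample output is constructed to mirror the shape of the post's dump, with made-up MACs, IPs and session IDs, and the key/value format it assumes is the one visible above.

```python
import re
from typing import Dict, List

# Constructed sample modeled on the two dumps in the post (values are made up).
SAMPLE_OUTPUT = """\
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 0011.2233.4455
          IP Address: 192.0.2.10
           User-Name: EXAMPLE\\user1
              Status: Authz Success
              Domain: DATA
      Oper host mode: multi-auth
       Authorized By: Authentication Server
             ACS ACL: xACSACLx-IP-EXAMPLE-PERMIT-ALL-00000000
   Common Session ID: 0AA0000100000001000000A1
Runnable methods list:
       Method   State
       dot1x   Authc Success
CS01#show authentication sessions interface tenGigabitEthernet 1/1/12
           Interface: TenGigabitEthernet1/1/12
         MAC Address: 0011.2233.4455
          IP Address: 192.0.2.10
           User-Name: host/testpc01.example.com
              Status: Authz Failed
              Domain: DATA
      Oper host mode: multi-auth
       Authorized By: Authentication Server
   Common Session ID: 0AA0000100000002000000A2
Runnable methods list:
       Method   State
       dot1x   Authc Success
"""

PROMPT_RE = re.compile(r"^\S+#")                         # "CS01#show ..." lines
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")
METHOD_RE = re.compile(r"^\s*(\S+)\s+(\S.*?)\s*$")       # "dot1x   Authc Success"


def parse_sessions(text: str) -> List[Dict[str, object]]:
    """Split IOS 'show authentication sessions interface' output into one dict
    per session. Each dict holds the 'Key: value' fields plus a 'methods' map
    of method name -> state taken from the 'Runnable methods list' block."""
    sessions: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue                                  # blank line or CLI prompt
        if line.startswith("Interface:"):             # every session starts here
            current = {"methods": {}}
            sessions.append(current)
            in_methods = False
        if not current:
            continue                                  # noise before first session
        if line == "Runnable methods list:":
            in_methods = True
            continue
        if in_methods:
            m = METHOD_RE.match(line)
            if m and m.group(1) != "Method":          # skip the column header
                current["methods"][m.group(1)] = m.group(2)
            continue
        m = KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return sessions


def find_authz_failures(sessions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Sessions whose overall Status is 'Authz Failed' even though every runnable
    method reports 'Authc Success': the identity was accepted, the authorization
    result was not, so the ACS authorization policy for that identity is suspect."""
    return [
        s for s in sessions
        if s.get("Status") == "Authz Failed"
        and all(state == "Authc Success" for state in s["methods"].values())
    ]


if __name__ == "__main__":
    for s in find_authz_failures(parse_sessions(SAMPLE_OUTPUT)):
        print(f"{s['User-Name']}: authenticated by {list(s['methods'])} but Authz Failed")
```

Run against a real capture, the function lists only the sessions where the credential check and the authorization result disagree, which separates "wrong password or AD problem" cases from "wrong authorization profile" cases before anyone touches the switch config.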

  • FYI. Verisign Cert & ACS

    For those who have trouble getting a Verisign cert working on the ACS box: I just spoke to Verisign tech support after facing issues with certs. He mentioned that when generating a CSR on ACS, it generates extra info that is not compatible with Verisign. Verisign is working on the issue; it is expected to be rectified soon (in a day or two). The tech support refused to give me further info about what version of ACS is causing the issue or so... I'm using ACS 3.3 at the moment.

    I've installed a Verisign cert on the ACS with minimal difficulty, but it does take a couple of extra steps.
    When generating the cert request on the ACS, you have to enter the complete identification path in the Common Name field of the form. i.e., instead of just cn=Ciscoacs, you have to enter c=US,s=Florida,l=KeyWest,o=TheShirtShack,ou=Accounting,cn=Ciscoacs all on the same line.
    Also, if the certificate file format that Verisign sends back is not recognized by the ACS, you can import it into your web browser and then re-export it in the correct format (DER .509 if I recall correctly) and then upload the reformatted cert to the ACS.
    It works fine after all that =)

  • ACS stops working following alerts

    We have ACS 4 and we use a 4404 wireless lan controller. In the past month we've been experiencing outages for our wireless clients. We get alert messages from ACS like "Auth server down: Could not change Password" or "Test Timed out for service: CSRadius & Test Timed out for service: CSTacacs". Then users start calling in reporting that they are down.
    I did a search and keep finding this "Error Message Auth server down: Could not change Password
    Explanation CSMon could not change the password of the test account.
    Recommended Action No action required."
    Can anyone provide more information on what could be going on and why this alert which says no action required keeps showing up and then wireless goes down?
    Thanks.

    Bret,
    All authentication requests to the ACS from a client are performed by proxy through the controller. If the controller loses the ability to communicate with the ACS server you would see this error. Make sure you are not having ACS database/memory issues. If you can reboot the ACS and everything clears up, the problem is on the ACS server. Either the above listed problem or a network connectivity issue would likely be the culprit. To verify that there are no problems on the WLC, run the AAA LWAPP debugs and trace the auth requests.

  • ACS appliance 4.1 - machine authentification from trusted Domain failed

    We have an ACS appliance 4.1 with an agent running on an X domain controller to authenticate users from the X domain Active Directory.
    Users and computers are able to authenticate without any issue on the X domain.
    We have recently added a trusted Y domain on this X domain.
    Users from the Y domain are able to authenticate on our ACS without any issue, but machines are not able to authenticate.
    03/14/2011
    10:44:32
    Authen failed
    host/FLADWS0072.Ydomain
    Default Group
    00-26-82-d6-9b-3f
    (Default)
    External DB user invalid or bad password
    The machine uses the following settings to authenticate:
    EAP type: EAP (PEAP)
    Authentication method: EAP-MSCHAP v2
    On the Y domain Active Directory:
    Remote access permission is OK for the machine.
    On the ACS appliance:
    "Enable PEAP machine authentication" is selected, and the machines from the X domain authenticate without any issue.
    Any idea where I should start to investigate?
    Thanks in advance for your help

    Dear Valued Cisco Customer,
    I will be out of the office from 03/20/2010 until 04/04/2010. During
    this time, I will have no access to email or voicemail. If you require
    assistance during my absence, please contact Manivannan Srinivasan via
    phone at 469-255-4806 or via email at [email protected] and this
    engineer will continue to work any immediate concerns you may have at
    this time. If this issue can wait until my return on 04/05/2010, I will
    be glad to continue working with you. If you require assistance outside
    of our business hours (10:00am - 7:00pm CST), please contact the TAC by
    calling 1800-553-2447 or email [email protected] and request to have the
    service request re-assigned.
    Best Regards,
    Abhishek Neelakanata

  • How many concurrent connections that an ACS server version 4.2 latest patch can handle?

    I have about 50 routers and layer-3 switches that authenticate via TACACS+. The AAA server used to be on a Linux machine running open-source tacacs+ built by me. I have a Perl script that will log into all 50 devices at the same time to collect statistics. This script is multi-threaded. Everything is working fine so far.
    I recently out-sourced the AAA function to a 3rd party company, not by my choice. The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad-cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection. Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
    I noticed that for the past 3 months I have had multiple failures with this Perl script due to authentication failure with the ACS server. If I just run the script against a few routers/switches, there are no issues; however, whenever I start the script to log into 50 devices all at the same time, it fails. If I change the configuration on all routers/switches to point back to the old open-source tacacs+ server, the issue goes away. The minute I switch back to the new ACS server, the issue comes back. If I modify the script to hit one device at a time, it works fine. I think the ACS server cannot handle a lot of AAA requests at the same time.
    Does anyone know how many concurrent connections an ACS 4.2, with the latest patches on Windows 2003 Enterprise Server with lots of memory and CPU power, can handle? I can't seem to find this anywhere on the Cisco website.
    Thanks in advance.

    No, I'm not saying ACS cannot cope.
    Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
    Also, it is worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message, allowing ACS to keep lots of plates spinning.
    If users are in an external database the latency (per authentication) can increase depending on where the users are (e.g. Windows AD) and if bad enough can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
    If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?
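To make the answer's distinction between concurrency and latency concrete, here is an added example (not from the post and not Cisco's code) that models a burst of simultaneous logins against a fixed pool of worker threads. The worker count, the per-login service times and the 20-second device timeout are assumed values chosen for illustration, not ACS figures; the model also ignores the multi-message interleaving the answer mentions, so it is pessimistic about throughput. The point it shows is the one the answer makes: a burst of 50 logins is harmless when each authentication is fast, and only starts exceeding the device timeout once per-authentication latency (e.g. a slow external database lookup) becomes large.

```python
import heapq
from typing import Dict, List, Tuple


def simulate_burst(devices: int, workers: int, service_time: float,
                   timeout: float) -> Tuple[List[float], int]:
    """Model `devices` logins arriving at t=0 and served by `workers` threads,
    each login occupying a thread for `service_time` seconds. Returns the
    completion time of every login and how many finished after `timeout`
    (the point at which a router or switch would give up on the AAA server)."""
    free_at = [0.0] * workers            # min-heap: when each worker is next free
    heapq.heapify(free_at)
    completions: List[float] = []
    for _ in range(devices):
        start = heapq.heappop(free_at)   # earliest available worker
        done = start + service_time
        heapq.heappush(free_at, done)
        completions.append(done)
    timed_out = sum(1 for t in completions if t > timeout)
    return completions, timed_out


def compare_scenarios(devices: int = 50, workers: int = 8,
                      timeout: float = 20.0) -> Dict[str, Tuple[float, int]]:
    """Same burst, different per-authentication latency (assumed values):
    a fast internal-database check versus increasingly slow external lookups.
    Returns scenario -> (last completion time, logins past the timeout)."""
    scenarios = {
        "internal db (5 ms)": 0.005,
        "external db (2 s)": 2.0,
        "external db (4 s)": 4.0,
    }
    results = {}
    for name, latency in scenarios.items():
        completions, timed_out = simulate_burst(devices, workers, latency, timeout)
        results[name] = (max(completions), timed_out)
    return results


if __name__ == "__main__":
    for name, (last, timed_out) in compare_scenarios().items():
        print(f"{name:20s} last login done at {last:6.2f}s, {timed_out} past timeout")
```

With the assumed pool of 8 workers, 50 logins at 5 ms each drain in well under a second, at 2 s each the last one finishes at 14 s (inside a 20 s timeout), and at 4 s each the last rounds land at 24 s and 28 s, so ten devices would time out. The useful diagnostic question for the original poster is therefore the per-authentication latency the ACS sees against its user store, not the raw request count.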
