ACS 5.1 MAB reauthentication every 1 minute

Hello,
I am using Cisco ACS 5.1. I would like to authenticate my IP phones with MAB (Avaya phones) and the computers with dot1x.
Everything works fine except that the phones which are successfully authenticated with MAB try to authenticate again
and again and again ... and this fills up the ACS logs. Every authentication is successful and the phone does not hang up. But this fills
up my logs and makes them useless.
switch version: cat4500-ipbasek9-mz.122-53.SG3.bin
port config:
interface FastEthernet2/25
switchport access vlan 107
switchport mode access
switchport voice vlan 502
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
no logging event link-status
load-interval 60
speed 100
duplex full
qos vlan-based
authentication event fail action authorize vlan 109
authentication event server dead action authorize vlan 101
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
no snmp trap link-status
dot1x pae authenticator
dot1x timeout quiet-period 30
dot1x timeout server-timeout 25
dot1x timeout tx-period 15
dot1x timeout supp-timeout 25
dot1x max-req 3
tx-queue 3
   priority high
no cdp enable
spanning-tree portfast
ip dhcp snooping limit rate 10
end
Thanks,
Andras

Hi,
If you remove the commands:
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 1
switchport port-security aging type inactivity
Do the phones stop authenticating every minute?
Please note that you have set the aging time to 1 minute, which means that if the phone is not sending any traffic, the switch will delete its MAC address from the MAC table; therefore, the dot1x process will kick in.
HTH,
Tiago
If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
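
The interaction described in the reply above (a short port-security inactivity aging timer on a port that also authenticates with MAB/dot1x) can be checked across a saved switch configuration. This is an added example, not part of the original thread: the function names, the `max_idle_minutes` review threshold and the second interface in the sample are assumptions made for illustration, and the sample config is constructed from the port shown in the question.

```python
import re

# Constructed sample: the port from the post (trimmed to the relevant lines)
# plus a second, made-up port without port-security for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet2/25
 switchport access vlan 107
 switchport mode access
 switchport voice vlan 502
 switchport port-security maximum 3
 switchport port-security
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet2/26
 switchport access vlan 107
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

AGING_TIME_RE = re.compile(r"^switchport port-security aging time (\d+)$")


def parse_interfaces(config_text):
    """Return {interface name: [commands]} from IOS running-config text.

    Works on indented output and on flattened forum pastes. A block ends at
    '!', 'end' or the next 'interface' line; in a flattened paste without
    '!' separators, trailing global commands stay attached to the last port.
    """
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())  # collapse indentation and double spaces
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def audit_config(config_text, max_idle_minutes=5):
    """Flag MAB/dot1x ports whose port-security inactivity aging is short.

    max_idle_minutes is a hypothetical review threshold, not a Cisco default.
    An aging time of 0 means aging is disabled, so it is never flagged.
    """
    findings = []
    for name, commands in parse_interfaces(config_text).items():
        cmds = set(commands)
        authenticates = ("mab" in cmds
                         or "authentication port-control auto" in cmds)
        port_security = "switchport port-security" in cmds
        inactivity = "switchport port-security aging type inactivity" in cmds
        aging = None
        for command in commands:
            match = AGING_TIME_RE.match(command)
            if match:
                aging = int(match.group(1))
        if (authenticates and port_security and inactivity
                and aging is not None and 0 < aging <= max_idle_minutes):
            findings.append({
                "interface": name,
                "aging_minutes": aging,
                "reason": ("idle MAC is removed after %d min, so the next "
                           "frame starts a new MAB/dot1x session" % aging),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("%(interface)s: %(reason)s" % finding)
```

Each finding corresponds to one port that will generate a fresh passed-authentication record in ACS every time the attached device goes quiet for longer than the aging time.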

Similar Messages

  • ACS 5.5 MAB Notebook do Host-Lookup then also send PEAP (EAP-MSCHAPv2) requests

    Hello Community,
    I have a problem: one notebook in our environment authenticates successfully with Host-Lookup (MAC address) and gets the right VLAN, but then also permanently sends PEAP (EAP-MSCHAPv2) requests with a different username (the username is not a MAC address). It is the computer name from Windows.
    What is the problem here?
    Thanks

    Hello Sebastian. A few questions:
    - How is the supplicant configured on the Windows machines?
    - Is 802.1x enabled on the supplicant?
    - If possible please attach screenshots of the supplicant's configuration
    - Is this for wireless, wired or both?
    - Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events
    Thank you for rating helpful posts!

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against ACS server 4.2.
    We have 2 VLANs configured on the switches for administrators and end users. The end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC (connected to VLAN 10) has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    Waiting for your replies
    Mohamed

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group?
    Please refer to the attached diagram.

    Hi,
    Check out the below link for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario:
    2 buildings with multiple floors.
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that the ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the below link for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to set up ACE Modules for TACACS+ and AAA authentication whereby the Failed Authentication reports state the reason as "Key Mismatch".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assistance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
    On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
    This is my concern.
    We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not itself apply the encryption of the key we enter?
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • ACS Purging

    Hi Everyone
    ACS is set to purge data every day or at the end of the month, depending on settings. But can someone please explain what "purging data" means exactly. What information is actually deleted?
    Thanks

    Hi Haider,
    The Monitoring & Report Viewer database handles large volumes of data. When the database size becomes too large, it slows down all the processes. You do not need all the data all the time. Therefore, to efficiently manage data and to make good use of the disk space, you must back up your data regularly and purge unwanted data that uses up necessary disk space. Purging data deletes it from the database.

  • Symbol LA-4137's (Spectrum 24 Hi-Rate) sends repeated LEAP auth requests

    Anyone using the Symbol LA-4137 ?
    I'm troubleshooting at a hospital and they have many of these Symbol LA-4137 connected to an Alaris Pump. LA-4127 client is set up for LEAP and is sending 5 authentication packets per second. The RADIUS server sends back a success only to get another re-auth request immediately. The network is Autonomous 1220s running 12.3(8)JA with WDS set up.
    This large volume of traffic from the Symbol LA-4137s (these are Alaris Pumps from Cardinal Healthcare) generates a Passed Authentication Attempts CSV log file of 100MB per day on ACS. I estimate this is about 512,000 auths per day, far too much traffic. We upgraded ACS to 4.1 for multithreaded LEAP support and added another CPU as we saw ACS failing to respond due to every packet due to the sheer volume of packets it was getting from these Symbol devices.
    No roaming is occurring. The Alaris Pumps are usually placed in a patient room and kept there.

  • Wlclient and clusters

    Hi,
    We currently have an issue with the use of wlclient from a Swing app going to a weblogic 8.1 sp4 cluster.
    When the cluster has 2 servers (our test state) everything works fine.
    But when the cluster has 4 servers (our production environment) we get random NullPointerExceptions from one of the Weblogic classes.
    The Swing app is started using SwingUtilities.InvokeLater and Security.RunAs. A thread is running doing multiple calls to the same EJB, when the application makes another EJB call from a different thread at the same time, the error appears.
    The stack trace is below.
    java.lang.NullPointerException
         at weblogic.corba.client.security.SecurityInterceptor.receive_reply(SecurityInterceptor.java:192)
         at com.sun.corba.se.internal.Interceptors.InterceptorInvoker.invokeClientInterceptorEndingPoint(InterceptorInvoker.java:274)
         at com.sun.corba.se.internal.Interceptors.PIORB.invokeClientPIEndingPoint(PIORB.java:555)
         at com.sun.corba.se.internal.corba.ClientDelegate.invoke(ClientDelegate.java:457)
         at org.omg.CORBA.portable.ObjectImpl._invoke(ObjectImpl.java:457)
         at ca.gc.ccra.rhmc.tieri.ejb._RHDataCachingBroker_Stub.getString(Unknown Source)
         at ca.gc.ccra.rhmc.tieri.ejb._RHDataCachingBroker_Stub.getString(Unknown Source)
         at ca.gc.ccra.rhmc.tierc.RHRetrieverDelegate.getString(RHRetrieverDelegate.java:790)
         at ca.gc.ccra.nd.nedd.common.interfaces.corpauthority.message.LocalMessageLoader.lookupTextResourceInRH(LocalMessageLoader.java:209)
         at ca.gc.ccra.nd.nedd.common.interfaces.corpauthority.message.LocalMessageLoader.prefetchMessages(LocalMessageLoader.java:159)
         at ca.gc.ccra.nd.nedd.common.interfaces.corpauthority.message.PrefetchMessagesThread.refreshMessages(PrefetchMessagesThread.java:45)
         at ca.gc.ccra.nd.nedd.common.interfaces.corpauthority.message.PrefetchMessagesThread.run(PrefetchMessagesThread.java:29)

    Jean-Francois Cormier <> writes:
    Yeah, it's a little strange. By default load-balancing should be sticky
    to avoid stateless reauthentication of every call. You might want to
    see if sp5 helps at all (both client and server). I know there was a
    bug fixed in either there or sp4 wrt reauthentication.
    andy
    Thanks,
    Here is some other info: I've set the weblogic.debug.client.security flag to true. It seems as if it's re-authenticating for each call. This only happens in our production environment (siteminder plugin for security). If I run against my own cluster with a vanilla file realm it works OK.
    We will probably end up having to raise a case or go back to weblogic.jar.
    Here's some of the debugging output; it looks like there is always an invalid context, maybe that's why a NullPointer is thrown:
    <SecurityInterceptor> send_request(<5ac0bced>.create)
    <SecurityInterceptor> adding MessageInContext
    <SecurityInterceptor> receive_exception(create)
    <SecurityInterceptor> found SAS ContextError for create()
    <SecurityInterceptor> client context not valid, retrying
    <SecurityInterceptor> send_request(<bac8a6ee>.create)
    <SecurityInterceptor> adding security context from 1 components for Subject:
         Principal: CCRAPrincipal "prezeau"
         Private Credential: weblogic.security.auth.login.PasswordCredential@1a1399
         Private Credential: SubjectProxy[23032071]
    <SecurityInterceptor> receive_reply(create)
    <SecurityInterceptor> found SAS context for create()
    <SecurityInterceptor> send_request(<f5c5ddfd>.getString)
    <SecurityInterceptor> adding MessageInContext
    <SecurityInterceptor> receive_exception(getString)
    <SecurityInterceptor> found SAS ContextError for getString()
    <SecurityInterceptor> client context not valid, retrying
    <SecurityInterceptor> send_request(<81007eb6>.getString)
    <SecurityInterceptor> adding security context from 1 components for Subject:
         Principal: CCRAPrincipal "prezeau"
         Private Credential: weblogic.security.auth.login.PasswordCredential@1a1399
         Private Credential: SubjectProxy[23032071]
    <SecurityInterceptor> receive_reply(getString)
    <SecurityInterceptor> found SAS context for getString()
    <SecurityInterceptor> send_request(<4a952556>.create)
    <SecurityInterceptor> adding MessageInContext
    <SecurityInterceptor> receive_exception(create)
    <SecurityInterceptor> found SAS ContextError for create()
    <SecurityInterceptor> client context not valid, retrying
    <SecurityInterceptor> send_request(<7f3c180e>.create)
    <SecurityInterceptor> adding security context from 1 components for Subject:
         Principal: CCRAPrincipal "prezeau"
         Private Credential: weblogic.security.auth.login.PasswordCredential@1a1399
         Private Credential: SubjectProxy[23032071]
    <SecurityInterceptor> send_request(<157197b9>.resolve_any)
    <SecurityInterceptor> adding security context from 1 components for Subject:
         Principal: CCRAPrincipal "prezeau"
         Private Credential: weblogic.security.auth.login.PasswordCredential@1a1399
         Private Credential: SubjectProxy[23032071]

  • WiSM and ACS frequent reauthentications

    We have a WiSM deployed. The WLANs use WPA2 and the session timeout is set to default (1800). The ACS is set to authenticate the LEAP clients against a windows AD server.
    Clients can associate to the WLAN without any trouble. But they need to reauthenticate every minute although the signal is stable. The clients do not notice this. The only trouble we have is that there are tons of entries (150 clients reauthenticating every minute :D ) in the ACS and the Controller log says twice a day that the ACS stopped responding for a short period of time.
    I think this could be a setting in the ACS or the trouble might come from the backend DB. What do you think? What could I do to get this down to an acceptable level?

    Check the user group properties in the ACS that your wireless users are authenticating against... there is a property near the bottom called "ieee session timeout" or something to that effect (in seconds)
    If you don't see this property then you will have to add it via the ACS services menu

  • Cisco ACS MAB logs - last time a MAC registered

    Just starting to implement MAB and was wondering if there is a way to check for MAC addresses that have not been online in over 6 months. There are only so many MACs that the ACS can hold, and I don't want systems that have been removed from the company hanging out in the system. I haven't been able to find a report that can show this.

    Looked around the monitoring and reports viewer. I might have worded it wrong. I am trying to run a report that would show a host that hasn't been logged in the last 6 months. Basically if a computer is destroyed and not in use anymore, but not taken out of ACS. I want to use this type of report as a way of keeping the ACS host list clean.

  • MAB, 802.1x and ACS 4.2

    Hi all,
    Currently I'm using an ACS4.2 as radius server, some switch 2960-s ios 12.2.(55)se5, ipphone Alcatel iptouch 4018 and I would like to assign dynamic VLANs to some specific users/laptops daisy-chained to the IP phone.
    Logic connection is:   users laptop---->ipphone---->switch---->radius
    What I need is:
    if I connect MY laptop to the ipphone port, I receive a specific VLAN (VLAN 58)
    if SOMEONE else (i.e. a consultant) connects his laptop to the SAME ipphone port (if available) he has to receive a different VLAN (VLAN 1).
    I've been able to reach the goal using MACRO but it took too much time to authenticate (approx 1 min) so I gave up and tried a different, faster way (802.1x and MAB).
    I've been able to authenticate the IP phone using 802.1x auth and to receive the correct VLAN when I connect MY laptop (MAB auth), but I was not able to provide VLAN 1 to the consultant when he connects his laptop even if the "authentication event fail action authorize vlan 1" is configured.
    I used the dot1x auth-fail vlan because I'm not able to use MAB or 802.1x auth on an external laptop. I also tried with guest vlan with no luck.
    In both cases the "consultant" remains in "auth failed".
    Here is my current configuration:
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    identity profile default
    interface GigabitEthernet1/0/1
     switchport mode access
     switchport voice vlan 30
     authentication host-mode multi-auth
    authentication event fail action authorize vlan 1
     authentication order mab dot1x
     authentication port-control auto
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 2
     dot1x max-reauth-req 1
     storm-control broadcast level 2.00
     storm-control multicast level 2.00
     spanning-tree portfast
    On ACS side i have 2 groups
    first Group authenticate the iphone and supply the voice vlan ( vlan 30)
    Second Group authenticate using MAB and supply the vlan 58
    is there a different way to accomplish this task?
    Thank you in advance

    hi,
    any ideas?
    thx

  • Configure Mac Authentication Bypass (MAB) in ACS 5.1

    Hello,
    I am a newbie in ACS 5.1 and UAC.
    I configured a MAB Access Service, but I get the error in the RADIUS monitoring: 15024: PAP is not allowed.
    However, I nowhere configured PAP. Any idea what I am doing wrong?
    I did not configure any protocols, just 'Process Host Lookup'
    Thanks a lot
    Karien

    Hi,
    You can authenticate hosts with the ACS internal DB or AD; however, please note that if you want to do MAB in AD you need to configure users with the MAC address of the machine in the same way you create the users on ACS.
    On the other hand, if the goal is to authenticate the hosts with the hostname itself, it is different from MAB, and you can use the AD DB if the PCs are registered to the domain, without any further configuration on the AD side.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Using MAB on ACS for printers

    I have MAB set up through ACS 5.2 at one of my sites and it seems to be working fine for laptops, but not for printers. I can plug a laptop into the port the printer is connected to and it connects right away, but plugging the printer in I get a "notconnect" and the port goes amber.
    I am using the following commands on the switch ports:
    authentication port-control auto
    mab
    I checked the ACS reporting and I see no failed authentication attempts, just the successful authentifications by the laptops.

    Robert,
    What version are you using and what model switch are you running and what model printer is this not working for? Also the mac address table behavior is expected for devices that fail dot1x or mab, they do not get applied to the mac address table.
    Also dhcp behavior is also expected it will not pull an ip address till the port has been authorized.
    Can you run a debug dot1x packets (just to make sure there is not a supplicant enabled on the printer)
    Also can you run a debug radius authentication while the process is started and post the output here; keep in mind to blur out any sensitive information.
    Also please let me know the full port configuration and show auth session int
    Thanks,
    Tarik Admani

  • 2611xm Terminal Server + ACS + reauthentication when selecting menu options

    Hi,
    I've managed to set up ACS authentication on my 2611xm router;
    after you log in to the router I have an autocommand set up to run a menu.
    My problem is that when you select an option on the menu,
    you are then prompted to reauthenticate against the router again before connecting to the line.
    Can anyone tell me how to stop this from happening?
    Thanks for your time and effort in advance, I have enclosed a config below.
    DDRAS01#sh running-config
    Building  configuration...
    Current configuration : 6854 bytes
    ! Last  configuration change at 10:28:49 AEST Sun Feb 21 2010 by <removed>
    !  NVRAM config last updated at 19:25:53 AEST Sat Feb 20 2010 by  <removed>
    version 12.4
    service timestamps  debug datetime msec
    service timestamps log datetime msec
    service  password-encryption
    service linenumber
    service  sequence-numbers
    hostname DDRAS01
    boot-start-marker
    boot-end-marker
    security  authentication failure rate 3 log
    security passwords min-length 6
    logging  buffered 51200 informational
    logging rate-limit all 10000
    logging  console critical
    enable password 7 <removed>
    aaa  new-model
    aaa authentication login default group  tacacs+ local
    aaa authentication login if_needed local
    aaa  authentication enable default enable
    aaa authentication ppp  default local
    aaa authorization exec default group tacacs+ local  if-authenticated
    aaa accounting exec default start-stop group  tacacs+
    aaa accounting commands 15 default start-stop group  tacacs+
    aaa session-id common
    clock timezone AEST 10
    clock  summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no  network-clock-participate slot 1
    no network-clock-participate wic  0
    ip cef
    ip domain list  <removed>
    ip domain list <removed>
    ip domain  name <removed>
    ip host dd-cr-01e 2033 172.16.1.1
    ip  host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip  host ddce565 2040 172.16.1.1
    ip name-server <removed>
    ip  name-server <removed>
    username  netops privilege 15 password 7 <removed>
    ip  ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip  ssh version 2
    interface Loopback0
    ip  address 172.16.1.1 255.255.255.255
    interface  FastEthernet0/0
    ip address <removed> 255.255.255.0
    speed 100
    full-duplex
    interface Serial0/0
    no  ip address
    shutdown
    interface BRI0/0
    no ip  address
    encapsulation hdlc
    shutdown
    interface  FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0  0.0.0.0 <removed>
    ip http server
    no ip http  secure-server
    ip tacacs source-interface FastEthernet0/0
    ip  radius source-interface FastEthernet0/0
    logging facility local6
    logging  <removed>
    snmp-server community <removed> RO
    snmp-server  community <removed> RW
    snmp-server location <removed>
    snmp-server  contact NetOps
    menu ddras01 title ^C
    Cisco  Terminal Server
    Select the number from the list below
    Use  'ctrl+shift+6' then 'x' to switch back to the menu
    ^C
    menu  ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume  dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect  to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet  ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu  ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu  ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume  ddce565 /connect telnet ddce565 2040
    menu ddras01 text 9 Exit
    menu  ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu  ddras01 status-line
    menu ddras01 line-mode
    tacacs-server  host 10.2.0.50
    tacacs-server directed-request
    tacacs-server  key 7 <removed>
    control-plane
    privilege  exec level 15 write terminal
    privilege exec level 15 write
    privilege  exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege  exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege  exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege  exec level 10 terminal
    privilege exec level 15 show  running-config
    privilege exec level 5 show configuration
    privilege  exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege  exec level 10 debug ip
    privilege exec level 10 debug all
    privilege  exec level 10 debug
    privilege exec level 10 clear interface
    privilege  exec level 10 clear counters
    privilege exec level 10 clear
    line  con 0
    password 7 <removed>
    logging synchronous
    line  33 64
    no exec-banner
    exec-timeout 0 0
    no  activation-character
    no exec
    transport preferred telnet
    transport input all
    escape-character 27
    stopbits 1
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7 <removed>
    logging synchronous
    autocommand  menu ddras01
    line vty 5 181
    password 7  <removed>
    logging synchronous
    autocommand  menu  ddras01
    ntp clock-period 17208487
    ntp source  FastEthernet0/0
    ntp server <removed>
    end

    Hi Jesse
    I have made the changes you recommended; however, I'm still getting prompted to reauthenticate each time I choose a menu entry.
    I have included an updated copy of the config; any help you can provide is greatly appreciated.
    Thanks
    DDRAS01(config)#do sh runnin
    Building configuration...
    Current configuration : 7371 bytes
    ! Last configuration change at 17:55:22 AEST Sun Feb 21 2010 by david
    ! NVRAM config last updated at 11:07:30 AEST Sun Feb 21 2010 by david
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    hostname DDRAS01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication login NOAUTH none
    aaa authentication enable default enable
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization exec NOAUTH none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    clock timezone AEST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    ip domain list
    ip domain list
    ip domain name
    ip host dd-cr-01 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server
    ip name-server
    username netops privilege 15 password 7
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    interface Loopback0
    ip address 172.16.1.1 255.255.255.255
    interface FastEthernet0/0
    ip address 255.255.255.0
    speed 100
    full-duplex
    interface Serial0/0
    no ip address
    shutdown
    interface BRI0/0
    no ip address
    encapsulation hdlc
    shutdown
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging
    snmp-server community RO
    snmp-server community RW
    snmp-server location
    snmp-server contact
    menu ddras01 title ^C
    Cisco Terminal Server
    Select the number from the list below
    Use 'ctrl+shift+6' then 'x' to switch back to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text a Clear connection to DD-CR-01
    menu ddras01 command a clear line 33
    menu ddras01 text b Clear connection to DDSWS01
    menu ddras01 command b clear line 34
    menu ddras01 text c Clear connection to DDSWS04
    menu ddras01 command c clear line 35
    menu ddras01 text h Clear connection to DDCE565
    menu ddras01 command h clear line 40
    menu ddras01 text x Exit Menu
    menu ddras01 command x menu-exit
    menu ddras01 text l Logout
    menu ddras01 command l logout
    menu ddras01 clear-screen
    menu ddras01 status-line
    tacacs-server host
    tacacs-server directed-request
    tacacs-server key 7
    control-plane
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    line con 0
    password 7
    logging synchronous
    line 33 64
    no exec-banner
    exec-timeout 0 0
    no activation-character
    no exec
    transport preferred telnet
    transport input all
    escape-character 27
    stopbits 1
    flowcontrol hardware
    line aux 0
    line vty 0 4
    password 7
    logging synchronous
    autocommand  menu ddras01
    line vty 5 181
    password 7
    authorization exec NOAUTH
    logging synchronous
    login authentication NOAUTH
    autocommand  menu ddras01
    ntp clock-period 17208478
    ntp source FastEthernet0/0
    ntp server
    end

  • ACS Machine Authentication Fails Every 30 Days

    Running ACS5.2, Windows XP Pro, Windows Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
    TAC has been working with us on this and sees the error in the logs but does not have an answer on what to do to solve this. It has the same problem with Wireless Zero.
    Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is not just a minor problem.

    So it looks like this is the official Microsoft answer:
    Hello Tom,
    I had a discussion with an escalation resource on this case and updated him on what we found so far. From what I understand this is a known issue when the client is using PEAP with computer authentication only, and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
    Regards
    Krishna
