ACS 5.2 WCS 7 TACACS+ CHAP problem

Hi all,
I want to configure management-access authentication to the WCS via TACACS+. The AAA server is Cisco ACS 5.2.
I made it and it works, but only with the PAP authentication type. CHAP doesn't work for me.
The Access Service is configured with allowed protocols PAP and CHAP.
The ACS Monitor just displays an error with these steps:
Received TACACS+ Authentication START  Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - WCS und Controler  Mgmt
TACACS+ authentication request ended with  error
And by the way, I added two ACS servers and WCS only asks one; is that normal?
Thx

I've tried the same config with RADIUS CHAP and it works!
Isn't there anybody who uses the combination of TACACS+ and CHAP?
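To show concretely what differs between PAP and CHAP on the TACACS+ server side, here is an added Python example (not from the original post and not Cisco ACS code): it builds the authentication START body for both types as RFC 8907 lays it out and verifies each the way an identity store would. The hashed store, the salt and the sample credentials are constructed for the example; the point it demonstrates is that a PAP request can be checked against a store holding only a password hash, while a CHAP request can only be verified by a store that can hand back the cleartext password to recompute the MD5 response.

```python
import hashlib
import hmac
import struct

# TACACS+ authentication START body constants (RFC 8907, section 5.1).
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def authen_start_body(user, authen_type, data, port=b"tty0", rem_addr=b""):
    """START body: eight one-byte fields (priv_lvl 1), then user, port, rem_addr, data."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, authen_type,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port),
                        len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data

def chap_response(ppp_id, password, challenge):
    """CHAP (RFC 1994) response: MD5 over id || secret || challenge."""
    return hashlib.md5(bytes([ppp_id]) + password + challenge).digest()

def pap_start(user, password):
    """PAP: the data field carries the cleartext password."""
    return authen_start_body(user, TAC_PLUS_AUTHEN_TYPE_PAP, password)

def chap_start(user, password, ppp_id, challenge):
    """CHAP: data = PPP id (1 byte) || challenge || 16-byte MD5 response."""
    data = bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)
    return authen_start_body(user, TAC_PLUS_AUTHEN_TYPE_CHAP, data)

def start_data(body):
    """Server side: recover authen_type and the data field from a START body."""
    user_len, port_len, rem_len, data_len = body[4:8]
    off = 8 + user_len + port_len + rem_len
    return body[2], body[off:off + data_len]

def hashed_record(salt, password):
    """Constructed store that keeps only a salted hash (as a directory or token server does)."""
    return hashlib.sha256(salt + password).digest()

def verify_pap_hashed(body, salt, record):
    """PAP works against a hash-only store: hash what arrived and compare."""
    authen_type, password = start_data(body)
    return (authen_type == TAC_PLUS_AUTHEN_TYPE_PAP
            and hmac.compare_digest(hashed_record(salt, password), record))

def verify_chap_cleartext(body, cleartext_password):
    """CHAP only works if the store can return the cleartext to recompute the MD5."""
    authen_type, data = start_data(body)
    if authen_type != TAC_PLUS_AUTHEN_TYPE_CHAP or len(data) < 18:
        return False
    ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
    expected = chap_response(ppp_id, cleartext_password, challenge)
    return hmac.compare_digest(expected, response)
```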

Similar Messages

  • ACS 5.3, ASA using TACACS+ forces to PAP?

    As the title says I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+.  It only works if I have PAP enabled on the ACS.  Obviously this concerns me.  I've found the following reference in the configuration guides:
    TACACS+ Server Support
    The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
    I can't figure out how to make the ASA use MS-CHAPv1 though.  Seems like it should be pretty simple.
    Incidentally, I was having the same problem with VPN auths using RADIUS, but I was able to fix that by enabling the password management option, which is only available in CHAPv2.  Seems that option isn't available under TACACS+.
    Any suggestions?

    As far as I am aware, the ASA will only use PAP to authenticate console exec logins. I wish it used CHAPv2.
    Sent from Cisco Technical Support iPhone App

  • Cisco Prime Infrastructure 1.3 Tacacs+ authorization problem

    Hello,
    We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.
    We have followed the procedure explained in the Cisco PI 1.3 configuration guide, and in the Tacacs+ logs we can see that we have successful authentication but authorization is unsuccessful:
    21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,
    21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP
    We have added the user group into ACS as explained in the configuration guide, and we have also tried to add the virtual domain at the beginning or at the end of the list, but that didn't solve our problem.
    Is there anything that we can do in order to make Cisco PI authenticate users using Tacacs+?
    Any help in finding a solution for this problem will be very appreciated.
    Regards,
    Jelena

    Hi,
    On the Cisco PI side we have:
    1. Added Tacacs+ server under Administration > AAA > TACACS+
        We have entered all required parameters
    2. Enabled AAA Tacacs+ mode under Administration > AAA > AAA Mode, and we have chosen the "on auth failure or no server response" option.
    On the ACS side:
    1. Under Network Configuration > New Entry we have added Cisco PI
    2. Under Interface Configuration > TACACS+ (Cisco IOS) > New Services
    we have added Prime and HTTP (we have checked the box in front of these services).
    3. Under Group Setup > Edit Settings > prime HTTP service we have added custom attributes that we copied from the Cisco PI Admin group. We have also exported the virtual domain information from Prime and imported it at the beginning of the custom attributes, and we have also tried to place that virtual domain information at the end, but we have the same behavior.
    For some reason ACS doesn't know how to return authorization information.
    Regards,
    Jelena

  • Tacacs authentication problem.

    Hi,
    I have a network with several layer 2 switches (c2960) attached to a layer 3 switch (c3750).
    All these switches are behind a firewall (ASA 5510) and the firewall is connected to a router c3810.
    I have an ACS v.4.x to use as a Tacacs server.
    On all the equipment I have AAA authentication with TACACS+ and VLANs.
    To test the tacacs authentication in the switch, I created a bypass to the firewall and connected the network (using a management vlan) to the router.
    With this scenario the tacacs authentication works.
    If I disconnect the bypass, all the traffic crosses the firewall. But then I no longer have TACACS+ working with the switch.
    I do not understand why!
    I have another problem, this time with the firewall.
    I configured the tacacs and the aaa in the firewall, as advised by Cisco.
    But it seems that it doesn't work!
    In these two cases only the local authentication works.
    Can you help me, please?
    Thanks in advance,
    Rui Oliveira

    Hi,
    I am doing tests in a Lab.
    So, the addresses presented here are not Internet routable.
    The configuration for TACACS+ on the ASA is:
    aaa-server TACACS protocol tacacs+
    aaa-server TACACS (OUT_MANGMT) host 172.16.20.10
    key mykey
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication telnet console TACACS LOCAL
    aaa authentication http console TACACS LOCAL
    aaa authentication ssh console TACACS LOCAL
    aaa authorization command LOCAL
    aaa accounting enable console TACACS
    aaa accounting telnet console TACACS
    aaa accounting ssh console TACACS
    aaa local authentication attempts max-fail 5
    aaa authorization exec LOCAL
    I'm doing the tests with an ASA with the IP address 10.183.0.61.
    This address is seen from the outside, but I do a NAT between 10.183.0.61 and the IP address 192.168.100.2 on TCP/23.
    Besides that, I have an interface called OUT_MANGMT, with IP address 192.168.100.2.
    I have another interface that I called GESTAO, with IP address 10.183.0.61.
    This interface GESTAO is connected to a management VLAN.
    My ACS has IP 172.16.20.10, and the standard port for TACACS+ is TCP/49.
    I am sending the log file that I took from my firewall.
    Thanks,
    Rui

  • ACS 4.0 and RSA Token Server problem

    Hi,
    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we'd like the authentication passed to our internal RSA server.
    I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can successfully authenticate when using the RSA test authentication tool, which is installed on the ACS server as part of the RSA Agent software.
    After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works); however, it looks like ACS doesn't even send traffic to the RSA server when authenticating.
    Any help or advice appreciated.
    Thanks

    Hi,
    The token servers only support PAP. Please make sure that the requests are going to the RSA in PAP.
    The following link talks about the same.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
    Regards,
    ~JG

  • WCS 6.0 Upgrade Problem

    I've downloaded WCS-STANDARD-K9-6.0.132.0.exe (205,164 KB). Each time I try to write this to a CD it errors out and the CD is not readable. Is anyone else having a similar problem? Is there a workaround?

    I am able to burn the CD. Perhaps use different software?
    Or zip it up and try again?

  • WCS 7.0 Campus problem

    After installing the WCS upgrade to 7 to the wrong drive letter, I uninstalled it and reinstalled to the correct drive.  I then restored the database backup and all looked ok.  I noted that in the restore, I now had a System campus.  Thought I would set up a campus for each division of my company.  I started with Central and was able to add several offices.  I next tried to create North and got the following error - Following Error occured Update Maps\n\n'COMMON-1::Some unexpected internal error has occured. If the problem persists please report to the Tech Support.\'\n\n.
    I tried creating another campus with a different name and got the same error.  I then moved all of the buildings back to the system campus and deleted the Central campus.  I now can't create any campus.
    Anyone else seen this?

    Hi,
    Thank you for your reply.
    We have tried to disable SELinux without success.
    What do you mean by reinstalled/upgraded? Do you mean reinstall Linux?
    By upgrade, do you mean upgrade to the latest version?
    We are in version 7.0.164.3.
    Thanks a lot for your help.
    Best regards
    S.H

  • Upgrade ACS V3.2 - V4.0 Tacacs/Radius Key Query

    Hi All
    I am in the process of upgrading my ACS server from V3.2 to V4.0
    I have a Production Server which will be replaced by the New Production Server and A Test Server for upgrading the ACS Database.
    I have successfully upgraded from V3.2 to V3.3 then to V4.0 on my test server.
    My original plan was to upgrade the database with my Test Server and Restore it to my New Production Server.
    Just copy the new V4.0 database to the New Production Server and change the IP address to the old server's address.
    However, looking through the database, there are sections which are hardcoded with the test server's hostname.
    This has forced me to rethink my original plan and to use the original servers hostname.
    This also got me thinking what else is hardcoded in the database.
    My question is - When I installed V3.2 on my test server
    Under the Tacacs+ or Radius Key section - do I need to put the same key as the original V3.2 database or will this key change when I come to restore the original database on the test server ?
    I am just concerned that my radius/tacacs clients will not authenticate with the new server when it is put in to production with the new V4.0 database.
    Thanks in advance

    Hi,
    The "hard-coded" things will change automatically once the database is restored on the new server.
    The only thing which you would need to take care of is the change in IP address, such that the clients send the request to the right ACS.
    Regards,
    Vivek

  • TACACS login problem

    Here's the config:
    aaa new-model
    ip tacacs source-interface Loopback0
    tacacs-server host 10.1.1.100
    tacacs-server directed-request
    Here's the debug:
    R7#test aaa group t U1 cisco new-code
    Trying to authenticate with Servergroup tacacs+
    *Mar 1 03:17:17.816: TPLUS: Queuing AAA Authentication request 0 for processing
    *Mar 1 03:17:17.820: TPLUS: processing authentication start request id 0
    *Mar 1 03:17:17.820: TPLUS: Authentication start packet created for 0(U1)
    *Mar 1 03:17:17.820: TPLUS: Using server 10.1.1.100User rejected
    R7#
    *Mar 1 03:17:22.824: TPLUS(00000000): Select Timed out
    *Mar 1 03:17:22.824: TPLUS(00000000) Error connecting to socket 0
    *Mar 1 03:17:22.824: %TAC+: no address for get_server
    I can't find the sys message in the doc. Any ideas?
    TIA

    Disregard....
    routing problem
    TPLUS(00000000) Error connecting to socket 0
    Doh!

  • Legacy Profile on ACS Unix migrate to ACS 4.2 windows using TACACS+ av-pair

    Hello
    I'm migrating from ACS Unix 2.x to ACS 4.2 Windows.
    We only use the TACACS+ protocol.
    ACS Unix managed profiles such as:
    group LANadmins {
        service=shell {
            cmd=interface {
                permit "Ethernet *"
                deny "Serial *"
            }
            cmd=aaa {
                deny ".*"
            }
            cmd=tacacs-server {
                deny ".*"
            }
            default cmd=permit
        }
    }
    those things.
    So I'm guessing that the above syntax is similar to TACACS+ av-pairs,
    and I found the TACACS+ av-pairs list, but I couldn't find any examples.
    Only the list is shown, with no examples.
    Can anybody help me?
    Thanks
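As an added illustration (not from the post and not Cisco ACS code), here is a Python evaluator that applies the LANadmins profile above to the av-pairs a Cisco IOS device sends in a TACACS+ command-authorization request (service=shell, cmd=, one cmd-arg= per argument, closed by cmd-arg=<cr>). The prefix-regex and first-match semantics, and the fall-through of unlisted commands to the default, are assumptions labelled in the code; the request lists are constructed.

```python
import re

# Constructed policy: the ACS Unix 'LANadmins' shell profile from the post as data.
# Assumptions (not from the page): each pattern is a regular expression matched
# against the start of the command's argument string, the first matching pattern
# wins, and a command with no cmd block falls through to 'default cmd'.
LANADMINS = {
    "default": "permit",
    "cmd": {
        "interface": [("permit", "Ethernet *"), ("deny", "Serial *")],
        "aaa": [("deny", ".*")],
        "tacacs-server": [("deny", ".*")],
    },
}


def parse_av_pairs(pairs):
    """Pull service, cmd and the joined cmd-arg values out of a request.

    IOS sends one 'cmd-arg=' pair per argument and a final 'cmd-arg=<cr>'.
    """
    service = cmd = None
    args = []
    for pair in pairs:
        key, _, value = pair.partition("=")
        if key == "service":
            service = value
        elif key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":
            args.append(value)
    return service, cmd, " ".join(args)


def authorize(profile, pairs):
    """Return 'permit' or 'deny' for one command-authorization request."""
    service, cmd, args = parse_av_pairs(pairs)
    if service != "shell" or not cmd:
        return "deny"               # exec start (empty cmd) and other services not modelled
    rules = profile["cmd"].get(cmd)
    if rules is None:
        return profile["default"]   # 'default cmd=permit' covers unlisted commands
    for action, pattern in rules:
        if re.match(pattern, args): # first matching pattern decides (assumption)
            return action
    return "deny"                   # listed command, no pattern matched (assumption)
```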

    I've been researching the differences between 4.2 and 5.4. There is a fundamental difference in the two. In my research, I have not found anything that Cisco indicates that log files can be imported. Because ACS 5.4 has its own robust logging and database viewing tools, I'm leaning towards no. But I cannot give a definitive answer on this, sorry. Just know that I've read for several hours, and have not seen anything that talks about the importation of logging files. You can import users, MAC addresses, etc. This may be something someone knows and will post eventually; probably need to call "The Cisco" and get a quicker answer.

  • WCS Busiest Client Report Problem

    We are using WiSM 4.0.155.5 and WCS 4.0.81.0. Every time I run the "busiest client report" on WCS, I get some clients with throughput of more than 70Mbps and utilization of more than 600%!!! It is very weird. Anyone see this as well? Thanks.

    zhenningx:
    I see it too. It definitely appears to be a bug, but I will do some checking. Mine show upwards of 2000% and most of my top 25 show an almost identical tx/tx amount of 4gb.
    If I make any headway with TAC, I'll let you know.

  • License WCS (Wireless Control System) Problem to install

    Hello,
    I'm Christopher. I need to update the WCS and license it, but when I perform the load operation, it throws this message:
    "You must have Base a license in order to install an upgrade license"
    How can I fix it?

    Hi Christopher,
    The base license should always be installed before you can upgrade the license count.
    For example, if you buy 2 APs initially and got a WCS license with them and installed it on WCS.
    Now after a few days you buy a few more APs and want to add them to WCS; you won't be able to do so unless you have the base license. So please contact the license team to get the base license (it only needs to be installed once, not every time).

  • TACACS+ fallback problem ASA 5520

    Hi,
    I have configured TACACS+ on an ASA 5520, and it is working fine: I can log in to the ASA with TACACS+ credentials, and when the TACACS+ server is unreachable, local authentication is also successful. But after that, when the TACACS+ server is reachable again, I am not able to log in with TACACS+ credentials.
    Is this a bug in the Cisco ASA 5520 software image?
    Below are the configurations:
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 1.1.1.1
    key tacacs_key
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+

    Hello Arun,
    Can you share the output of the following command with us when AAA authentication against the TACACS+ database is not working:
    show aaa-server TACACS+ host 1.1.1.1
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • WCS Unique Client report problem

    If I run a "Unique Client" report in WCS (based on 4 controllers) using the range "last 1 day", I get plenty of data.  But if I choose a specific range of time, even within the last 24 hours, I don't get any data.  Seems like a bug.  Anyone else experience this issue?
    It's WCS 7.0.172

    It seems you are facing the bug CSCtq64813 and need a patch (uniqueclients.xml), which can be provided by TAC.
    Apply the workaround, which is done by the following steps:
    1. Stop WCS
    2. cd to /webnms/classes/com/cisco/server/reports/conf
    3. Back up UniqueClients.xml
    4. Copy the attached file to UniqueClients.xml (batch file attached in the case)
    5. Restart the server

  • How to configure ACS 5.2 for policy condition on TACACS+ Service

    In the https://supportforums.cisco.com/message/3953175#3953175 thread, I was able to get the ACS 5.2 to work with SRX for both SSH CLI and J-Web TACACS+ accounts. However, I found the behavior is different in our production environment. I found our ACS 5.2 was configured with an authorization rule with the condition "TACACS+ Service" = "junos-exec". I don't know how to configure this on my ACS 5.2. Please guide me on how to configure this.
    I found there was NO TACACS+ "Authorization Request" when accessing via J-Web in our production SRX and ACS. However, there were TACACS+ "Authorization Request"s when accessing via J-Web in our production SRX and ACS. The difference between my lab ACS and the production ACS is the authorization rule condition. In my condition, I configured it with the "SRX" Device Type, but in our production ACS 5.2 it was configured with TACACS+ Service=junos-exec, so I would like to test it in our lab to find out the difference. Thanks.

    I would suggest you go through the two links below.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Migration_Configure.html
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html
