ACS 5.3.0.40 with Bluecoat Packetshaper via Radius Auth using PAP/CHAP

Hi,
We have a strange issue, maybe a known issue. We have ACS 5.3.0.40 with a Bluecoat Packetshaper (Packeteer) as the RADIUS client and have tried PAP as well as CHAP with the suggested VSA. But once we try to authenticate through the GUI on the PS end we get "authentication failed", i.e. it says invalid password, but on the ACS end we see an Auth success log. We are not able to log in to the PS either. Does anyone have any idea what the issue is? Is anything to be done with a patch upgrade, or is there an issue with the Packetshaper?
Below are the logs from the ACS server.
Logged At: September 4, 2012 4:10:26.250 PM
RADIUS Status: Authentication succeeded
NAS Failure:
Username: knpdtf
MAC/IP Address:
Network Device: Test-PS : 10.187.115.83
Access Service: Radius Network
Identity Store: Internal Users
Authorization Profiles: Permit Access
CTS Security Group:
Authentication Method: PAP_ASCII
By
Karthik

Hi,
Do you have any special characters in the password? I would see if you can create an internal user in ACS with a basic password (like cisco123) and see if the authentication will succeed. I have seen with some GUI-based products that some special characters can cause headaches.
thanks,
Tarik Admani
*Please rate helpful posts*
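Added example, not code from this thread, from Cisco or from Blue Coat: a stand-alone Python model of the exchange the two posts above describe, covering the PAP password hiding and the CHAP response a NAS sends (RFC 2865 / RFC 1994), the credential check the server performs, and what the NAS then does with the reply. The Packeteer enterprise number and the Packeteer-AVPair attribute are assumptions to verify against the RADIUS dictionary loaded in ACS; the NAS refusing an Access-Accept that carries no access-level VSA is this model's own rule, not documented Packetshaper behaviour. The thread does not say what the real cause was; the model only shows two ways a server can log "Authentication succeeded" while the client still reports a failed login: an Accept without the attribute the client needs, and, for CHAP (whose credential check does not involve the shared secret), a reply whose Response Authenticator the client cannot verify.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, CHAP_CHALLENGE = 1, 2, 3, 26, 60
# Assumption: Packeteer's IANA enterprise number and the vendor attribute carrying the
# Packetshaper access level. Verify both against the RADIUS dictionary loaded in ACS.
PACKETEER_VENDOR_ID, PACKETEER_AVPAIR = 2334, 1

def attr(attr_type, value):
    """One RFC 2865 TLV; the length byte counts the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): 4-byte vendor id followed by the vendor's own TLV."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + attr(vendor_type, value))

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs

def find_vsa(attrs, vendor_id, vendor_type):
    hits = []
    for attr_type, value in attrs:
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == vendor_id:
            hits += [v for t, v in parse_attrs(value[4:]) if t == vendor_type]
    return hits

def pap_crypt(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous hidden block); symmetric."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def chap_response(chap_id, password, challenge):
    """CHAP-Password value: identifier byte + MD5(identifier + password + challenge), RFC 1994."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def packet(code, ident, authenticator, attrs_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attrs_bytes)) + authenticator + attrs_bytes

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret): the NAS's proof the reply came from its server."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_request(ident, user, password, secret, method):
    """NAS side. PAP hides the password under the shared secret; CHAP hashes it with the authenticator."""
    request_auth = os.urandom(16)
    if method == "pap":
        padded = password + b"\x00" * (-len(password) % 16)
        cred = attr(USER_PASSWORD, pap_crypt(padded, secret, request_auth, True))
    else:  # no CHAP-Challenge attribute, so the Request Authenticator is the challenge (RFC 2865 5.3)
        cred = attr(CHAP_PASSWORD, chap_response(ident, password, request_auth))
    return packet(ACCESS_REQUEST, ident, request_auth, attr(USER_NAME, user) + cred), request_auth

def server_handle(request, secret, users, profile_attrs):
    """Server side (the ACS role). Returns (reply packet, what the server's log would say)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, fields = request[4:20], dict(parse_attrs(request[20:length]))
    password, ok = users.get(fields.get(USER_NAME)), False
    if password is not None and USER_PASSWORD in fields:
        ok = pap_crypt(fields[USER_PASSWORD], secret, request_auth, False).rstrip(b"\x00") == password
    elif password is not None and CHAP_PASSWORD in fields:
        chap = fields[CHAP_PASSWORD]
        ok = chap_response(chap[0], password, fields.get(CHAP_CHALLENGE, request_auth)) == chap
    code, attrs_bytes = (ACCESS_ACCEPT, profile_attrs) if ok else (ACCESS_REJECT, b"")
    auth = response_authenticator(code, ident, request_auth, attrs_bytes, secret)
    return packet(code, ident, auth, attrs_bytes), "succeeded" if ok else "failed"

def nas_evaluate(reply, request_auth, secret):
    """NAS side: success only if the reply verifies AND carries the attribute this NAS needs."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    attrs_bytes = reply[20:length]
    if reply[4:20] != response_authenticator(code, ident, request_auth, attrs_bytes, secret):
        return "bad response authenticator (shared secret mismatch)"
    if code != ACCESS_ACCEPT:
        return "rejected"
    levels = find_vsa(parse_attrs(attrs_bytes), PACKETEER_VENDOR_ID, PACKETEER_AVPAIR)
    if not levels:  # modelling assumption: this NAS will not log a user in without an access level
        return "accepted by server, no access-level VSA: login failed on NAS"
    return "ok: " + levels[0].decode()

def run_demo():
    """Constructed test data; returns {scenario: (server log, NAS outcome)}."""
    secret, users = b"shared-secret", {b"knpdtf": b"cisco123"}
    grant = vsa(PACKETEER_VENDOR_ID, PACKETEER_AVPAIR, b"access=touch")
    cases = (("with_vsa", secret, grant), ("no_vsa", secret, b""), ("wrong_secret", b"other", grant))
    results = {}
    for method, ident in (("pap", 1), ("chap", 2)):
        req, request_auth = build_request(ident, b"knpdtf", b"cisco123", secret, method)
        for name, server_secret, profile in cases:
            reply, log = server_handle(req, server_secret, users, profile)
            results[f"{method}_{name}"] = (log, nas_evaluate(reply, request_auth, secret))
    return results
```

Calling run_demo() gives one line per scenario. Note that with PAP a mismatched shared secret already fails on the server side, because the password is unhidden with the wrong key, and the ACS log above shows PAP_ASCII succeeding; so the contents of the Access-Accept built from the "Permit Access" authorization profile are the first thing to compare against what the Packetshaper expects, before or alongside Tarik's simple-password test.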

Similar Messages

  • ACS Database Replication over VPN with overlapping Network Addresses

    We currently have two co-locations, each situated in a different province. We have two ACS servers which we want to deploy, one at each co-location. All our network equipment is behind PIX/ASA devices. Getting them to replicate over the VPN should be easy, but in our case we have overlapping network addresses at both ends of the tunnels.
    As per Cisco, data does not transit a NAT device when the two Cisco Secure ACS servers communicate, and a successful database replication can occur only if the secondary ACS server perceives no change in the IP header or content of the data it receives. So that means we will not be able to implement NAT to achieve this.
    Has any one of you faced this problem of replicating the ACS database over the VPN with overlapping network addresses, and was anyone able to successfully solve this issue using a workaround?
    All provided info and comments are greatly appreciated.

    I can help with the 3005 setup if you decide to go that route.
    You will need to add 2 network list entries under Configuration > Policy Management > Traffic Management > Network Lists.
    You will need to configure a local and a remote address. The local will be one of the public IPs for the site (provided by your ISP). The remote will be the device you are connecting to on the other end.
    You will also need to add a NAT LAN-to-LAN rule under Configuration > Policy Management > Traffic Management > NAT > LAN to LAN.
    Use a static NAT type. The rest will look similar to my example.
    Source (local address), Translated (public IP address used in the network local list), Remote (IP address of the device on the other end)
    Now just create an IPsec LAN-to-LAN tunnel. You will need to agree with the ISP on the DES type and auth type. Use the local and remote networks you created earlier.

  • 802.1x with AD support via ACS 4

    Hello,
    I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
    Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail, in our experience, for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate: check that the system account has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate: is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you raise the logging levels to full and examine the csauth log closely, you should get more detail as to the reason.
    Hope that helps
    Andy

  • ACS with Dynamic VLAN which protocol to use ??

    Hello,
    Which protocol do I need to use for providing dynamic VLANs to my desktop machines?
    In ACS 4.0, if I use the local database of ACS then users successfully get the dynamic VLAN, but as soon as I use the AD database while integrating it with ACS, the authentication fails!!
    Please help.

    Hi,
    Thanks for the reply. I am using EAP-MD5.
    However, the problem is that if I am using the ACS Solution Engine local database, users get the dynamic VLAN after authentication.
    But when I use AD as the user database, the authentication fails. Even stranger, if I use the AD database to log in to any Cisco router then the authentication works fine.
    I have also been struggling with TAC since last week in two different cases! However, they are unable to help! I found TAC has limited resources for ACS.
    So please suggest what to do, as on the Cisco site I found lots of material for wireless but I have only desktops (no wireless).
    So will the URL mentioned below be of any help?
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Thanks in advance
    Vijay

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients that are in the same subnet can communicate with the ACS, but those in different subnets cannot.
    I have checked the firewall between them; it allows any-any with all services.
    One more thing I faced today is that now only one switch (10.1.2.10) can access ACS, but other switches in the same subnet (10.1.2.0/24) can't access ACS, with the same issue as before.
    Following are the logs of the one switch (10.1.2.10) in a different subnet that can access ACS:
    Working switch with the same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the same subnet switch (10.1.2.20) which cannot access ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.
    I would guess that the ACS is reporting an unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch sources the TACACS+ packets from the interface with the IP address you have configured on the ACS?
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
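Added example, not code from this thread or from Cisco: a stand-alone Python model of the TACACS+ body obfuscation (RFC 8907, which documents the same MD5 pseudo-pad the original draft used) and of a server choosing its shared key by the client's source address. In the debug output above the session id ("id=3237327729") and version ("ver=192", 0xC0) travel in cleartext and only the body is unreadable ("check keys"): the obfuscation carries no integrity check, so a key mismatch is noticed only when the decoded status and length fields make no sense. The device table, addresses and keys are constructed, and treating an unknown client as "no reply" is this model's simplification of what a real server does.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN, TAC_PLUS_VERSION = 1, 0xC0   # 0xC0 is the "ver=192" in the IOS debugs above
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5(session_id|key|version|seq_no[|previous digest]), chained to body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; the same call reverses it. Nothing here authenticates the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_authen_reply(session_id, key, seq_no, status, server_msg=b""):
    """Server side: an authentication REPLY (status, flags, server_msg_len, data_len, server_msg)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_authen_reply(packet, key):
    """Client side: the 12-byte header is cleartext; the body only makes sense under the right key."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        return f"bad packet type {ptype}, expected {TAC_PLUS_AUTHEN}"
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in STATUS or 6 + msg_len + data_len != length:
        return "invalid AUTHEN packet (check keys)"
    return STATUS[status]

def server_reply(src_ip, device_keys, session_id, seq_no):
    """Server side: the shared key is selected by the client's source address, nothing else."""
    key = device_keys.get(src_ip)
    if key is None:
        return None   # unknown network device: modelled here as no reply at all
    return build_authen_reply(session_id, key, seq_no, 5, b"Password: ")   # 5 = GETPASS

def run_demo():
    """Constructed data: one key on the switch, three source addresses as the server sees them."""
    device_keys = {"10.1.2.10": b"tacacs-key", "10.1.2.20": b"stale-key"}
    switch_key, session_id = b"tacacs-key", 3237327729
    outcomes = {}
    for src_ip in ("10.1.2.10", "10.1.2.20", "10.1.2.30"):
        reply = server_reply(src_ip, device_keys, session_id, 2)
        outcomes[src_ip] = "no response" if reply is None else parse_authen_reply(reply, switch_key)
    return outcomes
```

Whether the wrong key comes from a second network-device entry, a default device entry, or a switch that sources from another interface and therefore matches a different entry, the client sees the same "check keys" failure; comparing the source address the server logs for the failing switch with the address on its device entry is what the ip tacacs source-interface suggestion above pins down.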

  • Cisco WCCP (multicast method ) with Bluecoat Implementation

    hi
    Cisco WCCP with Bluecoat implementation. During implementation, multicast packets do not flow to the other VLAN interface.
    A few observations:
    Cisco WCCP with Bluecoat proxy (multicast method) - multicast IP 224.1.1.103, group 11, dense mode
    Same VLAN: it's working (user and ProxySG)
    Different VLAN: not working (user VLAN 10 and server VLAN 20)
    Sample configuration:
    ip multicast-routing
    ip wccp 11 group-address 224.1.1.103 redirect-list 103
    sh ip access-lists 103
    Extended IP access list 103
        40 permit tcp 10.10.10.0 0.0.0.31 any eq 443
        50 permit tcp 10.10.10.0 0.0.0.31 any eq www
        60 permit tcp 10.10.10.0 0.0.0.31 any eq ftp
        70 deny ip any any
    interface Vlan10
     description "AP_User_Range"
     ip address 10.10.10.0 255.255.255.0
     ip helper-address 10.10.20.100
     ip wccp 11 redirect in
     ip wccp 11 group-listen
     ip pim dense-mode

    Dear Jon,
    After changing the WCCP command, WCCP is still not working,
    but with both client and proxy in the same VLAN it works fine with multicast mode.
    interface Vlan10
     description "AP_User_Range"
     ip address 10.10.10.10 255.255.255.0
     ip helper-address 10.10.10.100
     ip wccp 11 redirect in
    interface Vlan20
     description PROXY_WAN_VLAN
     ip address 10.10.20.10 255.255.255.0
     ip helper-address 10.10.10.100
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip wccp 11 group-listen
    ip wccp 11 group-address 224.1.1.103 redirect-list 103
    sh ip access-lists 103
    Extended IP access list 103
        40 permit tcp 10.10.10.0 0.0.0.255 any eq 443
        50 permit tcp 10.10.10.0 0.0.0.255 any eq www
        60 permit tcp 10.10.10.0 0.0.0.255 any eq ftp
        70 deny ip any any
    sh ip wccp
    Global WCCP information:
        Router information:
            Router Identifier:                   -not yet determined-
            Protocol Version:                    2.0
        Service Identifier: 11
            Number of Service Group Clients:     0
            Number of Service Group Routers:     0
            Total Packets s/w Redirected:        0
              Process:                           0
              CEF:                               0
            Service mode:                        Open
            Service Access-list:                 -none-
            Total Packets Dropped Closed:        0
            Redirect access-list:                103
            Total Packets Denied Redirect:       0
            Total Packets Unassigned:            0
            Group access-list:                   -none-
            Total Messages Denied to Group:      0
            Total Authentication failures:       0
            Total GRE Bypassed Packets Received: 0

  • ACS appliance 3.3 - user with multiple static IPs

    Hi,
    Currently we are using ACS UNIX. There it is possible to assign static IPs to a user based on the RADIUS dictionary,
    e.g.
    NAS1 - Ascend Max uses dictionary Ascend, gets 10.1.1.1
    NAS2 - VPN 3000 uses IETF, gets 10.1.2.1
    Any ideas how this could be resolved on an ACS appliance?
    Regards, Celio

    Following installation and initial configuration, see the User Guide for Cisco Secure ACS Solution Engine Version 3.3 for information on how to use a browser and the HTML interface to fully configure your Cisco Secure ACS Solution Engine to provide the AAA services you want from this installation.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080235f77.html
