ACS 5.3 and Command Auth

I am rolling out the Latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode.   I have build user based auth without issue but am having an issue with Command auth.  once I add command auth to the test router and modify the shell profile and command set for privilege 1 nd 15,  none of the commands are authenticated and the report indicates the "DenyCommand" default.  I have followed the user guide and the step by step from Security Solutions. ( link below) 
I still get no joy.   Also Cisco changed the GUI and the way command sets are built
(http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
Any help would be appreciated
Patrick Connor

Tarik,  thanks for the response.  I cannot get screen shots but can define the options sets.
I created 2 command sets
Pri-15  has only the permit all command not in the table below check box checked
Pri-1  has a single permit "show"  with no arguments
the Auth rule has 2 rules
rule 1  identity group "network Admin"  any any any pri-15
rule 2 identity group "network monitor" any any any pri-1
service selection rule    rule 1  condition ( match system: protocol match TACACS)  result Default Device Admin   hit count 98
the report indicated the a FAIL "13025 command failed to match a Permit rule)  and the Selected Command Set = (DentAllCommands) 
So it looks like the command set is not being recognized.  but I cannot see why?
Thanks,
Pat 

Similar Messages

  • 1200, ACS 3.1 and EAP Auth Problem

    Hi,
    I try configure LEAP auth with ACS using local database. I configures just like say in the Cisco Security Suite 2.0 Doc. For some reason Leap auth sometimes work sometimes don't work. Thanks if anyone could help me.

    Is this the document you used? can you share the problems you faced??

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
    this error means the external server might not correctly configured on ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay

  • TACACS+ Command Auth and Config T

    Can I use Command Auth Sets in CiscoSecure to provide a subset of configuration commands? I want to give Interface commands, but not anything else.

    Hi,
    Sure you can. See the attachment.
    Regards,
    Prem

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Cmpouters" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so i nthe middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,

  • Does XI support FTP over SSL with Command AUTH TLS??

    Hi All,
    Can we change Command AUTH TLS to AUTH SSL in the Command Order of receiver FTP adapter when you select FTPS (FTP using SSL/TLS) for Controal and Data Connection??
    We are able to transfer business documents to bank's FTP server (Following RFC 2228 standards) using WS FTP Pro (I think follows RFC 959 and 1123 standards) which using AUTH SSL in Command order.
    We did go through SAP note 821267 (FAQ for XI 3.0 / PI 7.0 File Adapter)...question number 33 address about the "AUTH TLS" command. But we not getting the same error. We get different as in this forum:
    Re: Error: Message processing failed: FTPEx: PBSZ=0
    Can someone please confirm if this is the issue with FTP RFC standarads?? Or can we coustomize FTPS adapter to send AUTH SSL command??
    Thank you,
    Indrasena Janga

    Dear Andy,
    I am also looking for the same information.
    Could you please share with ,if u have got anything related....
    Hi Experts,
    Pls share your exp with us if u have any....
    Regards,
    Srinivas

  • Win 7 client with machine and user auth stuck in 802.1x_REQD

    Hi everybody
    we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
    - Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
    - On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated = true)
    - First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
    - When the user authenication happens, the client is moved into the productive client vlan with no restrictions.
    Everything works fine, except that after the user loggs in, it takes about 3 minutes until the client answers the EAP Identity Request and loggs in, see attached screenshot or the screenshot below:
    In the client status on WLC i can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
    We tried the following to find the problem spot. but we were not able to locate the problem:
    - Configure the machine and user authentication into the same vlan all the time
    - ONLY user authentication on the client
    - Played with the Win 7 settings (timers, and so on)
    - When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
    Did someone ever had the same issue?
    Thanks a lot and best regards
    Dominic

    Hi Amjad
    very good point on this, thanks a lot. In this case, I did not even think about the client firmware side, thought that I should be the WLC or the client settings, but not the driver. We will give a shot on this next week, maybe this will help us to solve the problem.
    It is normal to have the clietn in 802.1x_REQD if it is not yet authenticated and that is the expected state to be at in your situation untlil the client fully authenticates.
    Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
    - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
    WZC.
    - what is the result when testing with user auth only?
    The same, it takes such a long time.
    - what ist he result when testing with machine auth only?
    Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
    Regards and have a nice weekend
    Dominic

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
    This authrization profile is used on access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks on advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
    Dec 13,10 10:29:00.513 AM
    00-23-AE-7A-58-A6
    00-23-AE-7A-58-A6
    Default Network Access
    Lookup
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM
    #ACSACL#-IP-Guest-4cfcc14d
    Dot1x-3560-Switch
    1.2.3.4
    TESTACS
    Dec 13,10 10:28:28.726 AM
    acstest
    00-23-AE-7A-58-A6
    Default Network Access
    PEAP (EAP-MSCHAPv2)
    Dot1x-3560-Switch
    1.2.3.4
    FastEthernet0/5
    TESTACS
    Thanks,

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
    "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
    What I tried so far is..
    add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
    changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
    changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these
    troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck
    DHCP Required
    on the WLAN and
    give the wireless client a static IP address. This assumes association with the access point. Refer to
    the
    IP addressing issues
    section of
    Troubleshooting Client Issues in the Cisco Unified Wireless
    Network for troubleshooting DHCP related issues
    1.
    On WLC versions earlier than 3.2.150.10, you must manually enter
    https://1.1.1.1/login.html
    in
    order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
    connects to a WLAN configured for web authentication, the client obtains an IP address from the
    DHCP server. The user opens a web browser and enters a website address. The client then performs
    the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
    website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
    authentication login page.
    2.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
    Windows, choose
    Start > Run
    , enter
    CMD
    in order to open a command window, and do a  nslookup
    www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
    address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is
    http://198.133.219.25)

    Try to directly reach the controller's webauth page with
    https:///login.html. Typically this is http://1.1.1.1/login.html.

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
    be a certificate problem. The controller, by default, uses a self−signed certificate and most web
    browsers warn against using them.
    3.
    For web authentication using customized web page, ensure that the HTML code for the customized
    web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For
    example, for the 4400 controllers, choose
    Products > Wireless > Wireless LAN Controller >
    Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
    LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
    Bundle−1.0.1
    and download the
    webauth_bundle.zip
    file.
    These parameters are added to the URL when the user's Internet browser is redirected to the
    customized login page:
    4.
    ap_mac The MAC address of the access point to which the wireless user is associated.

    switch_url The URL of the controller to which the user credentials should be posted.

    redirect The URL to which the user is redirected after authentication is successful.

    statusCode The status code returned from the controller's web authentication server.

    wlan The WLAN SSID to which the wireless user is associated.

    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."

    Status Code 2: "You are not configured to authenticate against web portal. No further action
    is required on your part."

    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
    already logged into the system?"

    Status Code 4: "You have been excluded."

    Status Code 5: "The User Name and Password combination you have entered is invalid.
    Please try again."

    All the files and pictures that need to appear on the Customized web page should be bundled into a
    .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
    login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
    Authentication Configuration Example for more information on how to create a customized web
    authentication window.
    Note:
    Files that are large and files that have long names will result in an extraction error. It is
    recommended that pictures are in .jpg format.
    5.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
    Other browsers may or may not work.
    6.
    Ensure that the
    Scripting
    option is not blocked on the client browser as the customized web page on
    the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    7.
    Note:
    The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
    messages for the user.
    Note:
    If you browse to an
    https
    site, redirection does not work. Refer to Cisco bug ID CSCar04580
    (registered customers only) for more information.
    If you have a
    host name
    configured for the
    virtual interface
    of the WLC, make sure that the DNS
    resolution is available for the host name of the virtual interface.
    Note:
    Navigate to the
    Controller > Interfaces
    menu from the WLC GUI in order to assign a
    DNS
    hostname
    to the virtual interface.
    8.
    Sometimes the firewall installed on the client computer blocks the web authentication login page.
    Disable the firewall before you try to access the login page. The firewall can be enabled again once
    the web authentication is completed.
    9.
    Topology/solution firewall can be placed between the client and web−auth server, which depends on
    the network. As for each network design/solution implemented, the end user should make sure these
    ports are allowed on the network firewall.
    Protocol
    Port
    HTTP/HTTPS Traffic
    TCP port 80/443
    CAPWAP Data/Control Traffic
    UDP port 5247/5246
    LWAPP Data/Control Traffic
    (before rel 5.0)
    UDP port 12222/12223
    EOIP packets
    IP protocol 97
    Mobility
    UDP port 16666 (non
    secured) UDP port 16667
    (secured IPSEC tunnel)
    10.
    For web authentication to occur, the client should first associate to the appropriate WLAN on the
    WLC. Navigate to the
    Monitor > Clients
    menu on the WLC GUI in order to see if the client is
    associated to the WLC. Check if the client has a valid IP address.
    11.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    12.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
    RADIUS server for this to work. In order to check the status of client authentication, check the
    debugs and log messages from the RADIUS server. You can use the
    debug aaa all
    command on the
    WLC to view the debugs from the RADIUS server.
    13.
    Update the hardware driver on the computer to the latest code from manufacturer's website.
    14.
    Verify settings in the supplicant (program on laptop).
    15.
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.

    Run debugs on supplicant.

    16.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
    > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
    will be located in C:\Windows\tracing.
    17.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    18.
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
    Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh−appgw enable
    debug pm ssh−tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh−engine enable packet

  • AP350 with LEAP and MAC-Auth

    Hi,
    is there any solution for this?
    I'd like to do LEAP and MAC-Auth with Microsoft IAS-Server instead of Cisco ACS.
    With ACS everything works fine but i have to buy the licences. For IAS i already have them but always 'EAP authentication method is unrecognized'.
    The clients all use W2K Prof.- no XP anywhere, so i can't go to EAP-TLS.
    thanks in advance
    Thomas / Networking admin

    Sorry, but LEAP is today only available on :
    Cisco Secure ACS
    Cisco Access Registrar
    Funk Software Radius
    Interlink Radius

  • Question in ACS radius ports and how test connectivity between router

    hi all
    im asking here about default ports used in cisco acs for radius protocol
    is it 1812 and 1813 ???
    or there is another ports ??
    Q2-
    how to test connectivity between ACS "server aaa"  and the router "client aaa " ??????
    Q3-
    can anyone give me simple config on router for radius protocol to connect acs based on radius protocol ?
    regards

    The default authentictaion port is 1812 and the default accounting port is 1813.
    Here's an example config-
    aaa new-model
    aaa group server radius ACME-RADIUS
    server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
    aaa authentication login default local
    aaa authentication login ACME-AAA group ACME-RADIUS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group ACME-RADIUS
    line vty 0 4
    login authentication ACME-AAA
    You can test with-
    test aaa group radius server 192.168.1.5 mmessier St@nleyCup
    where mmessier is your username and the password is St@nleyCup

  • WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

    Hi All,
    I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
    I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
    I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
    I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
    Am I on the right path?
    Anyone done this before or have any bright ideas?
    Cheers,
    John

    With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
    1. EAP authentication
    2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
    For the further description and configuraiton following URL may help you :
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

  • ACS Tacacs+ aaa authorization commands

    Hi,
    I would like to authorize only certain configuration commands by the Tacacs Server, so in the group setup of ACS, I have checked : command, I have written in the field : configure, and declared as arguments : permit terminal and permit snmp-server enable traps. But I can not configure snmp until I declare in the router : privilege config level 7 snmp-server enable. (I use a level 7 user)
    My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
    Many thanks
    Patrice

    Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
    Setting Up and Managing Shared Profile Components
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
    hth

  • Shell Command Auth Question

    I'm trying to setup a Shell command auth set for clearing interface counters but I can't think of a way to do so. Is there a way to do something like:
    "permit counters interface *"?
    TIA

    I'm assuming you are using CSACS (not indicated) for defining your command sets.
    e.g.:
    "Deny" radio button selected (i.e.: only listed commands will be authorized).
    Command List:
    clear
    disable
    enable
    show
    "Clear" command argument(s) set as follows:
    (a) Deselect the "Permit Unmatched Args" checkbox.
    (b) Enter the following argument(s) into the list:
    permit counters
    ... or, to be more specific:
    permit counters Ethernet 0
    permit counters FastEthernet 0
    This should result in the ability to clear all counters, or the counters of specific interfaces (if you define them).
    Notes:
    (1) Command arguments are case sensitive and may differ from how they are entered at the CLI.
    (2) A sniffer is helpful in determining proper case.
    (3) Wireshark is capable of decrypting TACACS+ packets if you configure the application with the password.

  • Ctrl + e and command + e stopped working

    I've seen a few other discussions about ctrl + e not working but none of them fit the problem I'm having here.
    On http://www.clarkwfobes.com I have ICE set up. I've been editing before and so has the client so it was working with no problem. Now when I or he goes to the site, ctrl + e doesn't work on his PC and command + e on my mac doesn't work either.
    Can anyone shed some light as to why this is happening. when I log into the manage sites section, I can edit from there and see that the client edited something on the site in January 2010.
    Thanks in advance for your help!
    best,
    Leslie

    Interesting.
    Well this won't hurt and might resolve your issue, it's sort of a "clean out everythng and reset" sort of approach but I find it cleans out the gremlins.
    Download the free OnyX and run ALL the cleaning and maintainence steps.
    http://www.titanium.free.fr/
    You can Cancel the reboots in between.
    Lastly use the Verify > Preferences check
    Now Reboot the machine.
    Another good piece of free software to have is Carbon Copy Cloner, all you need is a external drive and your a simple "hold option" boot off the clone for any emergencies with your boot drive.

Maybe you are looking for

  • What is causing Motion 5 to crash overtime I attempt to export movie?

    Hi, I just purchased Motion 5 for my iMac and after creating my first project I've attempted now multiple times, to export it as a movie and EVERY time I do it crashes.  I've tried restarting the program, shutting down my computer, installing the lat

  • Why can't I install any version of Firefox?

    I uninstalled FF, after having something called freecause.com cause ff to freeze or lock up to where I couldn't close or navigate ff. To even close ff, I had to close using task manager. Now I can't install ff, I can download the executable file, but

  • Getting Iphoto files out of Previous System file

    I upgraded to Leopard using the Archive choice. My iphoto and iweb files are in the Previous System file under User and won't load when I load the programs. How do I get them to load. How much free disk space do I need on my HD

  • Two vendor locations, one planning location

    Dear all, For several reasons we have two vendor location codes in our ECC-system representing the same location. In APO we want to treat both locations as one. So plan on one (main) location, only when interfacing with ECC we want to distinguish to

  • What is the release code in workflow?

    what is the release code in workflow? why we use this release code and release group? i wanna to to the purpose of these both ? plz explain me in detail? thanks in advance