ACS 5.4 with ACS 5.6 as a Log Collector
Hello,
I have an ACS 5.4.0.46-6 running.
Now I want to set up an ACS log collector on my ESX 5.5.
Since ACS 5.4 is not supported on ESX 5.5, I want to install ACS 5.6.
Question :
Is this setup possible?
Can I use the ACS 5.6 as a log-collector for the ACS 5.4?
Regards,
Herald
Hi Herald,
Your tests spare me lot of time since I was going to try the same configuration.
I am afraid that such a configuration will not work, as the log collector server has to be part of the same distributed deployment as the other AAA servers. Actually, I think that servers that are members of the same distributed deployment need to run the same software version.
Regards
MM
Similar Messages
-
ACS any Version with Domain Controller on Windows Server 2008 R2 64bit
Hi All
Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
Our server staff has recently upgraded the Domain Controllers to 2008 R2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
I've now read several posts regarding issues with ACS and Server 2008 R2 and hope to find a solution (besides switching to LDAP, yuck).
Thanks
pato
Hi Pato,
Just check out the below link hope that help.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
As per the link, support for Windows Server 2008 is applicable from ACS 4.2 Patch 4 onwards.
Hope to Help !!
Remember to rate the helpful post
Ganesh.H -
Using Multiple AD domains with ACS
Hi,
Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location, but the users will be from different domains and I was hoping to use a single appliance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
Thanks in advance
Jason
Hi Javier,
I understand that ACS can only join a single AD domain, but can it use LDAP to authenticate users from different AD domains? I don't want to have to establish trusts between different domains.
Kind regards
Jason -
LMS 3.2 integration with ACS 5.1
Hi
Is it possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
Here is a link to how to do it with ACS 4.X:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
Regards
Reidar
Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately ....... -
ACS 4.2 with patch 4 Services restart
I have installed ACS 4.2 with patch 4
After a certain period, authentication failed, giving an internal error. I need to restart all the services. What could be the problem? Please help me in resolving this issue. I am running short of time.
Internal Error is a very generic error. I hope that you had your logging set to Full; if not, you won't be able to see the exact reason in the debug logs.
You might want to check,
\CSAuth\Logs
And check the debug log when you got the internal error for a particular authentication attempt.
Also, what kind of authentication was failing? Was it PEAP/EAP-FAST with MSCHAP as the inner method for machine authentication? Then it could be something related to:
CSCsq96755 : ACS needs manual restart to recover machine authentication
Then go for Patch 5 for ACSv4.2
Regards,
Prem
Please rate if it helps! -
Testing Windows 8 Consumer Preview with ACS 5.2 PEAP auth
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
Anyone have any ideas? Is there any other information I can provide to help troubleshoot? I know Windows 8 is not even out yet. But, it would be nice to have it working.
Thanks!
Jodie
Thanks Tarik! I appreciate the detailed steps to collect the information to help troubleshoot this issue.
Here are the logs requested:
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'ping' in thread 3029719968
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute executing request 'MS-RPC user authentication' in thread 3054898080
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute I:IPCClient1::doNetLogonSamLogon - user=SH-HIS\jcrouch
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Find GUID: fa61e77fbfc98044b7153bf5abc9fd78 (7)
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB Connect to server sh-dc03.shv.lsuhsc-s.edu
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.LSUHSC-S._sites.SHV.LSUHSC-S.EDU
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindSrvFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findsrv FindFromDns(0): _kerberos._tcp.SHV.LSUHSC-S.EDU
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.controllers Updated controller info: last update = Wed May 2 08:01:16 2012, siteName = 'LSUHSC-S', m_serviceType = KDC, domain = 'SHV.LSUHSC-S.EDU', site list = (sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88), inferior list = (afm-dc01.shv.lsuhsc-s.edu:88)
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:198 rc: -1765328352)
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG smb.rpc.schannel SecureChannel::close: m_fh=0x0
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG com.centrify.smb.smbserver SMB disconnect from server sh-dc03.shv.lsuhsc-s.edu
May 2 08:16:36 sh-netacs2 adclient[7987]: DEBUG daemon.execute O:IPCClient1::netLogonSamLogon - user=SH-HIS\jcrouch (ntStatus=0xc0000001)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main now = Wed May 2 08:16:46 2012, nextPasswordChange: Wed May 2 08:50:46 2012, lastKrb5ConfUpdate: Thu Jan 1 00:00:00 1970, lastKrb5Renew: Wed May 2 08:03:16 2012, lastBindingRefresh: Wed May 2 08:16:16 2012, lastCacheCleanup: Wed May 2 08:16:16 2012, lastPrevalidate: Wed May 2 08:03:16 2012, lastChkDatadir: Wed May 2 08:12:46 2012, lastAzmanRefresh: Wed May 2 08:15:16 2012
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 last message repeated 3 times
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 last message repeated 3 times
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu(GC) failed: KDC refused skey: Clock skew too great
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing trying unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent (re)acquiring Init credentials
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers acquiring machine credentials
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Using keytab WRFILE:/etc/krb5.keytab
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent Domain Level for '' is not PreW2K8
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 last message repeated 3 times
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG dns.findkdc Kerberos lookup of SHV.LSUHSC-S.EDU: DNS resolve to sh-dc03.shv.lsuhsc-s.edu:88 sh-dc04.shv.lsuhsc-s.edu:88 sh-epic-dc01.shv.lsuhsc-s.edu:88 afm-dc01.shv.lsuhsc-s.edu:88
May 2 08:16:46 sh-netacs2 last message repeated 3 times
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.cache postStart/getInitCreds threw: KDC refused skey: Clock skew too great
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect sh-dc03.shv.lsuhsc-s.edu failed: KDC refused skey: Clock skew too great
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo start updateDomainInfoMap
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using existing search marker
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC-S.EDU <-> LSUHSC-S
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: SHV.LSUHSC-S.EDU <-> SH-HIS
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: EAC.LSUHSC-S.EDU <-> LSUMC-EAC
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: LSUHSC.EDU <-> LSUHSC
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adagent addMap: MASTER.LSUHSC.EDU <-> LSUMC-MASTER
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo Using domainInfoMap from cache, it was not expired (size=5)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=lsuhsc-s,DC=edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN = LSUHSC-S.EDU
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo SID = S-1-5-21-4197722968-216021789-2322446462
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_ATTRS = 0x20
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_DIRECTION = 3
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_TYPE = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo NTLM NAME = LSUHSC-S
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo LOCAL FOREST = YES
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=shv,DC=lsuhsc-s,DC=edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN = SHV.LSUHSC-S.EDU
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo SID = S-1-5-21-341470825-1660045691-689510791
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_ATTRS = 0x20
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_DIRECTION = 3
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_TYPE = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo NTLM NAME = SH-HIS
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo LOCAL FOREST = YES
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo DC=eac,DC=lsuhsc-s,DC=edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN = EAC.LSUHSC-S.EDU
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo SID = S-1-5-21-1451108202-1290631035-623647154
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_ATTRS = 0x20
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_DIRECTION = 3
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_TYPE = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo NTLM NAME = LSUMC-EAC
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo LOCAL FOREST = YES
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=lsuhsc.edu,CN=System,DC=lsuhsc-s,DC=edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN = LSUHSC.EDU
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo SID = S-1-5-21-2419512895-2621689230-2851238096
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_ATTRS = 0x8
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_DIRECTION = 3
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_TYPE = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo NTLM NAME = LSUHSC
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo LOCAL FOREST = NO
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN=master.lsuhsc.edu,CN=System,DC=shv,DC=lsuhsc-s,DC=edu
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo CN = MASTER.LSUHSC.EDU
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo SID = S-1-5-21-2113824390-172908180-308554878
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_ATTRS = 0x4
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_DIRECTION = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo TRUST_TYPE = 2
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo NTLM NAME = LSUMC-MASTER
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG base.adgent.domaininfo LOCAL FOREST = NO
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG util.except (TryAgain) : start up not complete (reference base/adagent.cpp:2201 rc: 0)
May 2 08:16:46 sh-netacs2 adclient[7987]: DEBUG daemon.main Delay /etc/krb5.conf update, start up not complete
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[357] [daemon]: obtained repos-mgr lock
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: config:repository: rm_repos_cfg.c[251] [daemon]: scanning the tmp dir
May 2 08:16:59 sh-netacs2 debugd[2553]: [8075]: locks:file: lock.c[371] [daemon]: released repos-mgr lock -
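As an added triage example (not code from the thread), the following script picks the Kerberos failures out of adclient DEBUG lines shaped like those above: the gss_init_sec_context and "Clock skew too great" errors, the NT status of the SamLogon, and the encryption types the KDC refused. Host, user and DC names in the sample are constructed; the rc-to-name mapping uses the standard krb5 com_err base.

```python
"""Triage Centrify adclient DEBUG output for the Kerberos failures behind a PEAP/AD reject."""
import re

# krb5 error codes are small offsets from this com_err base (KRB5KDC_ERR_NONE).
KRB5_ERR_BASE = -1765328384
KRB5_CODE_NAMES = {32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW"}
# Kerberos encryption type numbers (RFC 3961 / RFC 4757).
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# ntStatus other than 0x0 means the NetLogon SamLogon failed (0xc0000001 is STATUS_UNSUCCESSFUL).
SAMLOGON_RE = re.compile(
    r"O:IPCClient1::netLogonSamLogon - user=(?P<user>\S+) \(ntStatus=(?P<status>0x[0-9a-fA-F]+)\)")
KRB_ERR_RE = re.compile(r"Module=Kerberos : (?P<msg>.*?) \(reference \S+ rc: (?P<rc>-?\d+)\)")
ENCTYPE_RE = re.compile(r"Encryption \(id (?P<id>\d+)\) is not supported by KDC")

# Constructed sample in the same shape as the posted log (names are not real).
SAMPLE_LOG = """\
May 2 08:16:36 acs-host adclient[7987]: DEBUG daemon.execute I:IPCClient1::doNetLogonSamLogon - user=EXAMPLE\\jdoe
May 2 08:16:36 acs-host adclient[7987]: DEBUG base.osutil Module=Kerberos : initSecurityContext - gss_init_sec_context failed (reference ../smb/utils/gsskerberos.cpp:198 rc: -1765328352)
May 2 08:16:36 acs-host adclient[7987]: DEBUG daemon.execute O:IPCClient1::netLogonSamLogon - user=EXAMPLE\\jdoe (ntStatus=0xc0000001)
May 2 08:16:46 acs-host adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 18) is not supported by KDC. Try next in the list
May 2 08:16:46 acs-host adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 17) is not supported by KDC. Try next in the list
May 2 08:16:46 acs-host adclient[7987]: DEBUG base.kerberos.adhelpers Encryption (id 23) is not supported by KDC. Try next in the list
May 2 08:16:46 acs-host adclient[7987]: DEBUG base.osutil Module=Kerberos : KDC refused skey: Clock skew too great (reference base/adhelpers.cpp:215 rc: -1765328347)
May 2 08:16:46 acs-host adclient[7987]: DEBUG base.bind.healing unexpected disconnect reconnect dc01.example.test(GC) failed: KDC refused skey: Clock skew too great
"""


def krb5_name(rc):
    """Translate the signed rc printed by adclient into the krb5 error name."""
    code = rc - KRB5_ERR_BASE
    return KRB5_CODE_NAMES.get(code, "krb5 error %d" % code)


def triage(log_text):
    failed_logons, krb_errors, rejected = [], [], set()
    for line in log_text.splitlines():
        m = SAMLOGON_RE.search(line)
        if m:
            if m.group("status").lower() != "0x0":
                failed_logons.append((m.group("user"), m.group("status").lower()))
            continue
        m = KRB_ERR_RE.search(line)
        if m:
            krb_errors.append((m.group("msg"), krb5_name(int(m.group("rc")))))
            continue
        m = ENCTYPE_RE.search(line)
        if m:
            eid = int(m.group("id"))
            rejected.add(ENCTYPE_NAMES.get(eid, "etype %d" % eid))
    clock_skew = any(name == "KRB_AP_ERR_SKEW" for _, name in krb_errors)
    if clock_skew:
        # Every enctype shows as "not supported" because the KDC rejects each AS-REQ for
        # skew; AD tolerates 5 minutes by default, so check NTP on the appliance and the DCs.
        verdict = "clock skew between this host and the KDC; fix time sync before looking at EAP"
    elif krb_errors:
        verdict = "kerberos failure: " + "; ".join(name for _, name in krb_errors)
    elif failed_logons:
        verdict = "SamLogon rejected by the DC; check the user and the machine trust"
    else:
        verdict = "no failure found"
    return {
        "failed_logons": failed_logons,
        "kerberos_errors": krb_errors,
        "rejected_enctypes": sorted(rejected),
        "verdict": verdict,
    }
```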
ACS 5.x with either AD or RSA Authentication depending on user
I am trying to implement RSA two-factor authentication for our company for access to secure resources.
Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
I cannot figure out how to configure this. With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against. Not as easy with 5.x
I tried creating a rules-based selection for the Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring the RSA store to treat user rejects as user not found. This broke VPN completely.
From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
Anyone know how to accomplish this?
I am running 5.4 with the latest patches.
Hope you're well!
I am facing some access issue after completed the ACS (5.1) and AD (Windows 2003) integration, details underneath.
The enable password for routers and switches works fine if the identity source is "Internal Users"; unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:
1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
2. Enable password is not working (using the same user password configured in MS AD).
3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
Switch Tacacs Configuration
aaa new-model
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local
aaa authorization commands 15 ACS group tacacs+ local
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa authorization console
aaa session-id common
tacacs-server host 10.X.Y.11
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key gacakey
line vty 0 4
session-timeout 5
access-class 5 in
exec-timeout 5 0
login authentication ACS
authorization commands 15 ACS
authorization exec ACS
accounting commands 15 ACS
accounting exec ACS
logging synchronous
This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
Regards, -
Radius Authentication in ACS 5.2 with AD
Friend,
I have a question about RADIUS authentication with AD. When I log in to the network with a user in AD and make a mistake in the password, my RADIUS authentication event in ACS 5.2 doesn't show me this log; it only shows the authentication succeeded but doesn't show the authentication failed. Maybe I must enable some service to show the failed authentication. The voice authentication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12
switchport mode access
switchport access vlan 2
switchport voice vlan 10
authentication port-control auto
authentication host-mode multi-domain
authentication violation protect
authentication event fail action authorize vlan 11
authentication event fail retry 2 action authorize vlan 11
authentication event no-response action authorize vlan 11
authentication periodic
authentication timer reauthenticate 60
mab
dot1x pae authenticator
dot1x timeout tx-period 10
dot1x max-reauth-req 3
spanning-tree portfast
end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
thank...
Marco
Hi Marco,
When you type in the wrong password, do you see the login fail on the device you entered it on? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permitted even though the authentication failed.
It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you believe should have failed, to see what ACS is doing with the request.
Steve. -
ACS 5.4 with 4.x deployment
Hi guys.
Need to solve the further task:
I have a large deployment of independent ACS 4.x servers (every server has its own zone of responsibility). And there is a need to deploy two central ACS servers with the whole database from every independent ACS 4.x ().
I want to deploy two latest ACS 5.4 as a central cluster (replicate everything from ACS 4.x to ACS 5.4 using the Cisco Migration Tool; the secondary unit in the cluster as a backup and a log collector), and all of the 4.x servers as secondary servers.
So I have a couple of questions:
1) Will this deployment work like it should with Medium ACS Deployment from Cisco guide for ACS 5.4:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_deploy.html
The point is: can I manage the whole ACS network from the central 5.4 cluster and will the database be replicated partially to ACS 4.x servers?
2) If the answer to the first question is "no", can I use 4.x as relay servers or it's totally meaningless and I just should point all clients to a central cluster?
Thanks for reading this, I hope you can help me.
Hello Alex:
1-) No. If you use 5.4, the config is not replicated to the 4.x version.
2-) You can use both 5.4 and 4.x as RADIUS servers for your clients. The point is you have to configure the policies on both of them independently. For example, internal users, if any, must be created independently on both servers. So, you need to maintain consistency between both versions (i.e. make sure that the auth requests will be processed almost the same on both servers; you don't, of course, want one server to accept an auth while the other server (different version) rejects it).
3-) The logs of both 5.4 servers are maintained on the log collector. However, if you use the 4.x in the AAA servers list on your clients besides the 5.4 servers, then the logs on the 4.x version will not be sent to the log collector of the 5.4 servers. They are stored on the 4.x only (locally, or also remotely if you configured remote logging). So, if you need to search for an auth attempt you need to check both versions' logs (5.4 and 4.x logs).
I want to mention also that the migration tool does not migrate everything from the 4.x server. there are things that the migration tool can not migrate. The full list of unsupported elements in the migration process are listed here:
http://tiny.cc/61v51w
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
Dynamic Vlan Assigment on 2950 with acs 4.2
Hello to everyone
We have a problem with Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic Vlan assignment based on groups
On the ACS we configured the following attributes for the specific group
64 = VLAN
65 = 802
81 = VLAN Name
We tried for the 81 attribute both Vlan name and Vlan ID but we get the same results
In detail, we need the machine to be placed on VLAN ID 6, named vlan_sio, so we inserted these values in the attribute fields.
Before we configured the switch to speak with ACS:
aaa new-model
aaa group server radius Switch
server 172.16.0.93 auth-port 1812 acct-port 1813
dot1x system-auth-control
radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
radius-server retransmit 3
Configured the ports for the use of dot1x:
switchport mode access
dot1x port-control auto
dot1x guest-vlan 7
spanning-tree portfast
The users are correctly authenticated, but the ports always stay in their default VLAN.
We tried to debug with the debug dot1x events command and we get the following errors:
Feb 16 12:00:04.017: Attribute 64 6 0100000D
Feb 16 12:00:04.017: Attribute 65 6 01000006
Feb 16 12:00:04.017: Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
Does anyone know what we could have missed?
Thanks
solved
It was just missing the command
aaa authorization network default group XXXX -
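An added example, not code from the thread, that decodes the three tunnel attributes exactly as "debug dot1x events" prints them above (tag octet plus value, per RFC 2868) and then checks the switch side for the authorization line the thread was missing. The debug lines are the ones posted; the switch config excerpt is constructed from the posted one, keeping its RADIUS group name "Switch".

```python
"""Decode RADIUS tunnel attributes from 'debug dot1x events' and check the switch config."""
import re

DEBUG_RE = re.compile(r"Attribute (?P<type>\d+) (?P<len>\d+) (?P<hex>[0-9A-Fa-f]+)")
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
TUNNEL_TYPE = {13: "VLAN"}        # RFC 3580 value used for 802.1X VLAN assignment
TUNNEL_MEDIUM = {6: "IEEE-802"}   # RFC 2868
AUTHZ_RE = re.compile(r"^\s*aaa authorization network \S+ group \S+")

# Debug lines as posted: "Attribute <type> <total length> <first 4 bytes>".
SAMPLE_DEBUG = """\
Feb 16 12:00:04.017: Attribute 64 6 0100000D
Feb 16 12:00:04.017: Attribute 65 6 01000006
Feb 16 12:00:04.017: Attribute 81 4 01360806
"""
# Constructed excerpt of the posted switch config, before the fix was added.
SWITCH_CONFIG = """\
aaa new-model
aaa group server radius Switch
dot1x system-auth-control
"""


def decode_tunnel_attr(attr_type, value):
    """RFC 2868 tagged attribute: a first octet of 0x01..0x1F is a tag (0x00 = untagged)."""
    if attr_type in (64, 65):
        tag, num = value[0], int.from_bytes(value[1:4], "big")
        names = TUNNEL_TYPE if attr_type == 64 else TUNNEL_MEDIUM
        return {"attr": ATTR_NAMES[attr_type], "tag": tag, "value": num,
                "meaning": names.get(num, "unknown(%d)" % num)}
    if attr_type == 81:
        # For the string attribute, a first octet above 0x1F is part of the text, not a tag.
        tag, text = (value[0], value[1:]) if value and value[0] <= 0x1F else (0, value)
        return {"attr": ATTR_NAMES[attr_type], "tag": tag,
                "value": text.decode("ascii", "replace"), "meaning": "VLAN ID or VLAN name"}
    return None


def parse_debug(text):
    attrs = {}
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        atype, length = int(m.group("type")), int(m.group("len"))
        # The debug shows a fixed 4-byte window; only (length - 2) bytes belong to this
        # attribute. For attribute 81 the trailing "0806" is already the next attribute's header.
        raw = bytes.fromhex(m.group("hex"))[: max(length - 2, 0)]
        decoded = decode_tunnel_attr(atype, raw)
        if decoded:
            attrs[atype] = decoded
    return attrs


def check_vlan_assignment(attrs, switch_config):
    """Return findings explaining why an authenticated port could stay in its default VLAN."""
    findings = []
    if attrs.get(64, {}).get("value") != 13:
        findings.append("Tunnel-Type (64) is not VLAN (13)")
    if attrs.get(65, {}).get("value") != 6:
        findings.append("Tunnel-Medium-Type (65) is not IEEE-802 (6)")
    if 81 not in attrs or not attrs[81]["value"]:
        findings.append("Tunnel-Private-Group-ID (81) missing or empty")
    if len({a["tag"] for a in attrs.values()}) > 1:
        findings.append("tunnel attributes carry different tags, so they are not one group")
    if not any(AUTHZ_RE.match(line) for line in switch_config.splitlines()):
        findings.append("no 'aaa authorization network ... group <radius-group>' line: "
                        "the switch never applies the VLAN it received")
    return findings
```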
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi, I have an ACS and an OpenLDAP server running on my company network.
Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
First things first, I created a new internal user on ACS and tried to join the wireless network from my computer. I made it....
Then I moved on to the external entity (LDAP server). I've set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received the following error:
22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router to become an AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from a Windows platform to ACS (pointing to LDAP)?
any suggestion ?
thanks
This is the log when using Windows 7 as the authentication client (failed):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work? -
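A small triage script for the two "Steps" listings above, added here as an example and not part of the original post or of ACS. It pulls the negotiated method, the identity stores consulted and the first decisive step out of an ACS 5.x step log, so the difference between the two attempts is visible at a glance. The sample listings are abbreviated copies of the lines quoted above (same step codes and wording, not freshly captured); the blank store name ACS printed after "15013 Selected Identity Store -" is reported as "(unnamed)"; and the choice of which codes count as a root cause (22043, 22056, 11815, 12307, earliest wins) is this script's own assumption. The explanation it prints for code 22043 states a fact about the protocols rather than anything the post says: MS-CHAPv2 is verified by recomputing the client's response from the NT hash of the password, and an identity store that ACS can only query by an LDAP bind has no way to do that, so it can test a plaintext (PAP) password but is skipped for MS-CHAPv2.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the decisive lines of the two ACS 5.x "Steps"
# listings quoted in the post (failed Windows 7 PEAP attempt, successful
# router PAP attempt). Step codes and wording are copied from the post;
# the listings are abbreviated, not captured fresh.
FAILED_PEAP = """\
11001 Received RADIUS Access-Request
12300 Prepared EAP-Request proposing PEAP with challenge
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22056 Subject not found in the applicable identity store(s).
11815 Inner EAP-MSCHAP authentication failed
12307 PEAP authentication failed
11003 Returned RADIUS Access-Reject
"""

PASSED_PAP = """\
11001 Received RADIUS Access-Request
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24022 User authentication succeeded
22037 Authentication Passed
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
11002 Returned RADIUS Access-Accept
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")          # "<code> <message>"
NEGOTIATED_RE = re.compile(r"accepting (\S+) as negotiated")
STORE_RE = re.compile(r"Selected Identity Store -\s*(.*)$")
INTERNAL_RE = re.compile(r"Looking up User in (Internal Users) IDStore")

# Assumption of this script: the earliest of these codes in a listing is the
# root cause; later failures (user not found, inner method failed) follow from it.
ROOT_CAUSE_CODES = (22043, 22056, 11815, 12307)


@dataclass
class Verdict:
    outcome: str                                      # "accept", "reject" or "incomplete"
    method: str = ""                                  # e.g. "PEAP/EAP-MSCHAP"
    stores: list = field(default_factory=list)        # identity stores consulted, in order
    unsupported: list = field(default_factory=list)   # stores that skipped the method (22043)
    root_cause: int = 0                               # step code, 0 if none seen


def parse_steps(text):
    """Return [(code, message), ...] for every '<5 digits> <text>' line."""
    out = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def triage(text):
    v = Verdict(outcome="incomplete")
    negotiated, current = [], None
    for code, msg in parse_steps(text):
        if code == 11002:
            v.outcome = "accept"
        elif code == 11003:
            v.outcome = "reject"
        m = NEGOTIATED_RE.search(msg)
        if m:
            negotiated.append(m.group(1))
        m = STORE_RE.search(msg) or INTERNAL_RE.search(msg)
        if m:
            current = m.group(1) or "(unnamed)"       # ACS printed no name on the page
            v.stores.append(current)
        if code == 22043 and current:
            v.unsupported.append(current)
        if code in ROOT_CAUSE_CODES and not v.root_cause:
            v.root_cause = code
    # No "accepting X as negotiated" step means no EAP ran: a plain password (PAP-style) request.
    v.method = "/".join(negotiated) if negotiated else "non-EAP (PAP-style password)"
    return v


def explain(v):
    if v.outcome == "accept":
        first = v.stores[0] if v.stores else "unknown store"
        return f"accepted via {v.method}; first store consulted was {first}"
    if v.root_cause == 22043 and "MSCHAP" in v.method.upper():
        return (f"rejected: {v.method} was skipped by store(s) {v.unsupported}. "
                "MS-CHAPv2 is verified by recomputing the client's response from the NT hash; "
                "a store reached only through an LDAP bind can test a plaintext (PAP) password "
                "but cannot do that, so it is skipped and the fallback stores do not hold the user.")
    return f"rejected: first decisive step {v.root_cause} ({v.method})"


if __name__ == "__main__":
    for label, log in (("windows7", FAILED_PEAP), ("router", PASSED_PAP)):
        print(label, "->", explain(triage(log)))
```

Run it as-is to see the two verdicts; feed it a full "Steps" listing pasted from the ACS Monitoring and Reports page to triage a real attempt.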
EAP-TLS authentication with ACS 5.2
Hi all,
I have question on EAP-TLS with ACS 5.2.
If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
Hope you guys can help on this. Thanks.
Yes, you can configure:
machine authentication only
user authentication only
Machine and user authentication.
Machine or user authentication
So machine authentication only is quite a common scenario. Correct, as long as the machine is part of a domain, you will be authenticated via machine authentication.
PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
host/computer.domain
If the machine is a valid machine in the domain, then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point the machine starts getting an IP address, and once that is done, the user may have access to most of the network.
Regards,
Jatin -
WLC 4402-50 with ACS 3.3
Hi,
We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
thanks
Bob
The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario. -
MARS 5.2.7 integration with ACS 4.1
Hello
I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
Thank you really much
Best regards, Antonello.
Hi,
LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
By default, if a user does not have an account in LMS, they will receive the Help Desk role
Please check the below link:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
Thanks-
Afroz
[Do rate the useful post] -
Integrating WCS 7.0 with ACS 5.1
Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success. I have created a unique Shell Profile that is invoked for the WCS only, which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages), and I can log in to WCS with the new account, but some things I don't appear to have privileges for, such as Reports. Is there any way to debug which task WCS thinks I don't have to do this? Any other ideas?
Turned on trace in WCS and saw info like this (abbreviated):
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task16 = Delete and Clear Alerts
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task48 = Mesh Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task42 = Monitor Chokepoints
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task40 = Monitor Tags
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task46 = RRM Dashboard
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task45 = Monitor Interferers
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task44 = Monitor Spectrum Experts
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task43 = Monitor WiFi TDOA Receivers
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Disconnecting from authorization socket - From Server: 10.9.2.253 - For User: acstest
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks 68 : roles 1 : virtual-domains 0
All I did was copy and paste in all tasks from the WCS export list???
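The trace above already answers "which task does WCS think I don't have": every `rejecting task:` line names an attribute that WCS discarded, and the `Total permissions` line says how many survived. The script below, added here as an example and not code from the post, WCS or ACS, parses those lines, lists the rejected entries, and emits the role/task pairs WCS actually accepted in the `name=value` form the post uses for shell-profile custom attributes (role0=Root, taskN=...). The sample input is a constructed excerpt of the trace lines quoted above (same wording, only a subset, so the reported total of 68 will not match what the excerpt contains and the script says so); keeping the original attribute numbers rather than renumbering is an assumption, since the post does not say whether WCS needs contiguous indices.

```python
import re

# Constructed sample input: a subset of the WCS 7.0 TACACS+ AAAModule trace
# lines quoted in the post above (copied wording, not captured fresh).
TRACE = """\
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard is not a valid task
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks 68 : roles 1 : virtual-domains 0
"""

ADD_RE = re.compile(r"adding (task|role): (\w+) = (.+?)\s*$")
REJECT_RE = re.compile(r"rejecting task: (\w+) = (.+?) is not a valid task\s*$")
TOTAL_RE = re.compile(r"Total permissions for user (\S+) : tasks (\d+) : roles (\d+)")


def parse_trace(text):
    """Split the trace into accepted tasks/roles, rejected tasks and WCS's own totals."""
    result = {"tasks": {}, "roles": {}, "rejected": {}, "user": None, "reported": None}
    for line in text.splitlines():
        m = ADD_RE.search(line)
        if m:
            kind, attr, name = m.groups()
            result["tasks" if kind == "task" else "roles"][attr] = name
            continue
        m = REJECT_RE.search(line)
        if m:
            result["rejected"][m.group(1)] = m.group(2)
            continue
        m = TOTAL_RE.search(line)
        if m:
            result["user"] = m.group(1)
            result["reported"] = (int(m.group(2)), int(m.group(3)))
    return result


def shell_profile_attributes(parsed):
    """name=value pairs for the ACS shell profile, restricted to what WCS accepted.
    Assumption: original attribute numbers are kept, no renumbering."""
    lines = [f"{k}={v}" for k, v in sorted(parsed["roles"].items())]
    lines += [f"{k}={v}" for k, v in
              sorted(parsed["tasks"].items(), key=lambda kv: int(kv[0][len("task"):]))]
    return lines


def report(parsed):
    """Triage lines: which tasks WCS threw away, and whether the excerpt is complete."""
    lines = [f"user {parsed['user']}: {len(parsed['tasks'])} tasks accepted in excerpt, "
             f"{len(parsed['rejected'])} rejected"]
    for attr, name in parsed["rejected"].items():
        lines.append(f"  rejected {attr} = {name!r}: not a task name this WCS build recognises; "
                     "check it against the WCS export list")
    if parsed["reported"] and parsed["reported"][0] != len(parsed["tasks"]):
        lines.append(f"  note: WCS reported {parsed['reported'][0]} tasks in total but this "
                     "excerpt holds fewer, so the trace is truncated")
    return lines


if __name__ == "__main__":
    parsed = parse_trace(TRACE)
    print("\n".join(report(parsed)))
    print("\n".join(shell_profile_attributes(parsed)))
```

Paste the full WCS trace in place of the sample and the rejected list is the set of attributes to remove or correct in the ACS shell profile.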