ACS 5.5.0.46.7 - Issues with 802.1x Binary Cross Check to AD on 2012R2

Hey gang!
Still in my 802.1x lab.  I have ACS serving as the authentication server, trying to authenticate EVGA PD07 zero clients to my lab AD domain utilizing EAP-TLS.
I've set up NDES services, pushing .pem certificates to my zero clients via SCEP.  I haven't configured auto enroll yet, so I manually issue the cert from the CA, and then export the issued cert (.cer) to a file.  From there, I publish the cert with a user object in AD.
I have the client cert / CA loaded correctly on ACS, all of the LDAP is working as far as querying groups and such is concerned, and I can authenticate the presented zero client certificate against the AD published cert using the Common Name attribute.  The only thing that doesn't work is Binary Cross Check.  The logs throw a 22056 error (subject not in applicable identity store) and reject the attempt.  As soon as I go in to the authentication profile and disable the cross check, it authenticates successfully.
Any ideas?
Paul
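What the two ACS certificate comparison modes actually compare, as an added illustration (my code, not Paul's configuration or anything from Cisco): the CN comparison matches the subject CN of the presented certificate against the lookup attribute, while the binary comparison requires the DER bytes of the presented certificate to equal one of the userCertificate values published on the AD object. A certificate re-issued after the export (same subject, new serial) therefore passes the first and fails the second, which is one scenario that produces the symptom described above. The certificates below are constructed, unsigned certificate-shaped DER blobs with placeholder keys (enough for a parser to walk, not valid certificates); the user name pd07-client-01, the issuer name and the serial numbers are assumptions, and the DER helpers cover only what the demonstration needs.

```python
import base64
import hashlib
import textwrap

# Minimal DER helpers (added example): enough to build and read the subject of a
# certificate-shaped blob, not a general X.509 implementation.
OID_CN = b"\x55\x04\x03"                                  # 2.5.4.3 commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1


def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite length (short or long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def der_int(value: int) -> bytes:
    # Extra leading byte when the high bit is set keeps the INTEGER positive.
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def der_name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    return der_seq(der(0x31, der_seq(der(0x06, OID_CN), der(0x0C, cn.encode()))))


def der_read(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the TLV that starts at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def make_sample_cert(cn: str, serial: int) -> bytes:
    """Constructed, unsigned certificate-shaped DER (placeholder key/signature)."""
    sig_alg = der_seq(der(0x06, OID_SHA256_RSA), der(0x05, b""))
    validity = der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    spki = der_seq(der_seq(der(0x06, OID_RSA), der(0x05, b"")), der(0x03, bytes(9)))
    tbs = der_seq(der(0xA0, der_int(2)), der_int(serial), sig_alg,
                  der_name("Lab Issuing CA"), validity, der_name(cn), spki)
    return der_seq(tbs, sig_alg, der(0x03, bytes(17)))


def subject_cn(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> subject and return the CN (or None)."""
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        tag, body, pos = der_read(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0xA0:        # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    subject = fields[4][1]          # serial, sigAlg, issuer, validity, subject, ...
    pos = 0
    while pos < len(subject):
        _, rdn, pos = der_read(subject, pos)
        p = 0
        while p < len(rdn):
            _, atv, p = der_read(rdn, p)
            _, oid, q = der_read(atv, 0)
            _, value, _ = der_read(atv, q)
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def pem_to_der(pem: str) -> bytes:
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(cert_der: bytes) -> str:
    b64 = base64.b64encode(cert_der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def thumbprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def cn_match(presented_der: bytes, ad_user: dict) -> bool:
    """Attribute comparison: subject CN of the presented cert vs the lookup attribute."""
    return subject_cn(presented_der) == ad_user["cn"]


def binary_match(presented_der: bytes, ad_user: dict) -> bool:
    """Binary comparison: presented DER must equal one published userCertificate value."""
    return any(presented_der == published for published in ad_user["userCertificate"])


# Constructed scenario: serial 1001 was exported from the CA and published to AD;
# the client later received a re-issued certificate (serial 1002, same subject).
CERT_PUBLISHED = make_sample_cert("pd07-client-01", 1001)
CERT_ON_CLIENT = make_sample_cert("pd07-client-01", 1002)
AD_USER = {"cn": "pd07-client-01", "userCertificate": [CERT_PUBLISHED]}

if __name__ == "__main__":
    for label, cert in (("published", CERT_PUBLISHED), ("on client", CERT_ON_CLIENT)):
        print(f"{label}: CN={subject_cn(cert)} sha256={thumbprint(cert)[:16]}...")
    print("CN match:", cn_match(CERT_ON_CLIENT, AD_USER))          # True
    print("binary match:", binary_match(CERT_ON_CLIENT, AD_USER))  # False
    # PEM vs DER is only an encoding difference; the decoded bytes still match.
    print("after PEM round trip:", binary_match(pem_to_der(der_to_pem(CERT_PUBLISHED)), AD_USER))
```

The practical check is to compare the SHA-256 fingerprint of the certificate actually installed on the zero client (for a PEM file, `openssl x509 -in client.pem -noout -fingerprint -sha256`) with the fingerprint of the userCertificate value on the AD object: if they differ, the binary check cannot succeed however the CN lookup is configured, and re-publishing the client's current certificate is the fix. Converting between .pem and .cer does not change the bytes ACS compares, as the round trip in the example shows.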

Hi,
Setup:
Remote client VPN (Android mobile user) ===> Fortigate (VPN firewall) ===> Cisco ACS (user authentication RADIUS server).

Similar Messages

  • Issue with Adobe Acrobat 9 and check writer

    My user is having the following issue when running check writer.
    I am having an issue when I try and print the Oracle checks. They run fine, but when I click on the view output which usually brings up a pdf screen of my check. Instead gives me 2 blank screens with a question mark icon.
    I noticed that Adobe Acrobat 9 was installed the same day I started having the issue.
    Has anyone else had this problem or know if Oracle HRMS R12 is not compatible with Adobe Acrobat 9?
    Thanks!

    Please see (Unable to Load PDF Templates Using XML Publisher Responsibility [ID 1316676.1]).
    Thanks,
    Hussein

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with the Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no admin privileges, we are not able to change the ACS user password ("Change password on next login" is checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin, or create the AnyConnect network profile locally (privileges User Network), we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then perhaps a Microsoft person can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized for, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth operation, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco Trustsec using only ACS 5.2 and a 65k SXI with 802.1X

    Hi
    I hope that this is the correct place for this Q.
    I have set up an ACS 5.2 server and enabled 802.1X authentication on a 65k running SXI5, as per the following section: Assigning SGT Using IEEE 802.1X User Authentication.
    The link can be found below:
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-608226.html
    I can successfully get a PC to authenticate using dot1x and, according to the monitoring on the ACS box, the SGT is passed to the 65k; however, when I do a "sho cts role-based sgt-map all", I can't see the SGT passed to the 65k. Is this because I don't have a Nexus to create the SXP link to?
    Sorry if this is a noddy Q, but I'm trying to do my best to get to grips with TrustSec, and not having a 7k means I'm really struggling.
    many thanks

    Hi Nicolas
    Thanks for taking the time to respond. Although Nexus is needed, if a device authenticates using 802.1x and this is configured for SGT, should the SGT configuration not update on the 65k? This is something that I would presume would happen without the need for the Nexus.
    Once again, sorry if this is vague and a very newbie Q.
    Many thanks

  • Wireless Connectivity Issue with 802.11n.

    We have a 5508 Controller and sixteen 1142 APs.
    Several of our laptops were experiencing connectivity issues over Wireless.  Older laptops that do not support 11n are not having any problems.
    I disabled 802.11n for both 'a' and 'b/g' in the Controller.  Now the newer laptops connect with no issues.
    They would in fact connect to the APs while 11n was available, just no Internet Access - (cannot ping DG, etc).  Disabling/Enabling the laptop WL adapter would allow brief access (sometimes), but they'd quickly lose Internet Access once again.
    Our WLANs are configured for WPA2/AES.
    This looks like an 802.11n configuration issue at either the Controller or the laptops (or both).  Both are using the default settings for 802.11n.
    Any recommendations for correcting this?  Are there best practice guidelines for configuring 802.11n?
    Thanks.
    - Jay

    Configure 802.11n on the WLC
    http://www.cisco.com/en/US/customer/products/ps6366/products_tech_note09186a0080a3443f.shtml

  • Issue with BPM while calling store proc

    Hi All,
    We are using BPM to execute/call the stored procedure for a lookup. We are sending the correct request, but we are not getting the expected output from BPM during runtime. There is no issue with the stored procedure; we double-checked.
    Is there any way to debug the BPM part of it? Please advise. Any book or suggestion will be appreciated.
    Thanks & Regards,
    Mohan

    Integration Process monitoring:
    https://www.sdn.sap.com/irj/scn/elearn?rid=/library/uuid/ab3f538e-0d01-0010-07b7-802c90b67eec&overridelayout=true
    Regards,
    Manjusha.

  • I set up the sync add-on and had no errors. When I sync now I get "Sync encountered an error while syncing: Firefox sync server maintenance is underway..." I have gotten this message for the last 10 hours. Should I wait or is there an issue with my setup?

    I just loaded Firefox onto my laptop. I set up the the sync add on and had no errors. When I hit sync now I get "Sync encountered an error while syncing: Firefox sync server maintenance is underway, syncing will resume automatically." I have gotten this message for the last 10 hours. Should I wait or is there an issue with my setup? I checked the Mozilla sync server status and it listed no issues.

    There was a server outage last week; see below. Now everything works great. Thanks for the follow-up.
    Subject: [Bug 744289] sync107.db.scl3 down
    https://bugzilla.mozilla.org/show_bug.cgi?id=744289
    Gregory Szorc [:gps] changed:
              What           | Removed        | Added
              Status         | UNCONFIRMED    | RESOLVED
              Resolution     |                | FIXED
              Summary        | error in sync  | sync107.db.scl3 down
              Last Resolved  |                | 2012-04-10 19:39:11
    --- Comment #2 from Gregory Szorc [:gps], 2012-04-10 19:39:11 PDT ---
    Well, this is embarrassing. It looks like one of our servers was down and for whatever reason we didn't notice.
    It should be working now. If you still see errors, please reopen this bug.

  • Issue with Role Defaulting

    Hi friends..
    I am facing a strange issue when I open a BP belonging to the role ZDCBA (custom role). The Sold-to party role is getting added in the roles assignment block. I cross-checked the roles associated with the BP number in the table BUT100 and it has only one role, ZDCBA, but I am not able to work out how this Sold-to (CRM000) role is getting added by default in the Web UI.
    I even tried debugging; in the get-related-entities method for BUILROLESREL, it is retrieving both the ZDCBA and Sold-to roles.
    Can someone help me understand what could be the reason for this behavior?
    Thanks,
    Udaya

    Hi Smita,
    I have a business partner with the role ZDCBA created in the Web UI. After creating this account, when I open this BP again I see the Sold-to party role displayed in the roles assignment block along with ZDCBA. I cross-checked the same in BUT100 for this BP and can find only one record, with the role ZDCBA. I do not understand how the Sold-to party role is getting displayed in the Web UI. This behavior is not replicated for Ship-to party and other roles.
    To investigate, I have written a report program, and in the get-related-entities method it returns 2 roles.
    I tried debugging into the method get_related_entities, but I am not able to figure out where the CRM000 record is pulled from.
    Since it is completely OO ABAP, I can see the objects but cannot really look at the values inside them.
    Any pointers on this will be very helpful.
    Thanks,
    Udaya
    REPORT ztest_roles.
    " Comments added for readability; the logic is the poster's, unchanged.
    *Parameter: test type c.
    DATA: lr_core             TYPE REF TO cl_crm_bol_core,
          lr_entity_partner   TYPE REF TO cl_crm_bol_entity,
          lv_guid             TYPE crmt_genil_object_guid,
          lr_collection_roles TYPE REF TO if_bol_bo_col,
          ls_attributes       TYPE crmt_bupa_il_roles,
          lr_itr_roles        TYPE REF TO if_bol_bo_col_iterator,
          ls_roles            TYPE crmt_bupa_il_roles,
          lr_role             TYPE REF TO cl_crm_bol_entity,
          i_roles             TYPE TABLE OF crmt_bupa_il_roles,
          " Only used by the commented-out query-service variant below
          qs                  TYPE REF TO cl_crm_bol_query_service,
          result              TYPE REF TO if_bol_entity_col,
          ent                 TYPE REF TO cl_crm_bol_core. "IF_BOL_BO_PROPERTY_ACCESS.

    " GUID of the business partner under investigation (hard-coded for the test)
    lv_guid = '548698C7E7E06F4FAD9528162C993358'.

    " Start the BOL core with all components and read the BP root entity
    lr_core = cl_crm_bol_core=>get_instance( ).
    lr_core->start_up( 'ALL' ).
    lr_entity_partner = lr_core->get_root_entity( iv_object_name = 'BuilHeader'
                                                  iv_object_guid = lv_guid ). "#EC NOTEXT

    " Alternative lookup via the query service (kept commented out, as in the original)
    *    qs = cl_crm_bol_query_service=>get_instance('BuilHeader').
    *    qs->set_property( iv_attr_name = 'object_id' iv_value = lv_guid ) .
    *    result ?= qs->get_query_result( ).
    *    ent ?= result->get_first( ).
    *    ent = ent->get_related_entities( 'BuilRolesRel' ).
    *    lr_collection_roles ?= ent->get_related_entities( iv_relation_name = 'BuilRolesRel' ).

    " Collect the roles related to the partner; this is where CRM000 shows up
    lr_collection_roles ?= lr_entity_partner->get_related_entities( iv_relation_name = 'BuilRolesRel' ).
    IF lr_collection_roles IS BOUND
       AND lr_collection_roles->size( ) GT 0.
      lr_itr_roles ?= lr_collection_roles->get_iterator( ).
      lr_role ?= lr_itr_roles->get_first( ).
      WHILE lr_role IS BOUND.
        CLEAR ls_roles.
        lr_role->get_properties( IMPORTING es_attributes = ls_attributes ).
        ls_roles = ls_attributes-data.
        APPEND ls_roles TO i_roles.
        lr_role ?= lr_itr_roles->get_next( ).
      ENDWHILE.
    ENDIF.

    " Print every partner role that was returned
    CLEAR ls_roles.
    LOOP AT i_roles INTO ls_roles.
      WRITE ls_roles-partnerrole.
    ENDLOOP.

  • Issue with binary submission

    I have upgraded our app using Viewer Builder 1.5 and submitted the app to Apple. I have received this message from the iTunes Store:
    Dear Developer,
    We have discovered one or more issues with your recent binary submission for "[app name]". Before your app can be reviewed, the following issues must be corrected:
    Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported. For the com.apple.developer.ubiquity-container-identifiers entitlement, the first value in the array must consist of the prefix provided by Apple in the provisioning profile followed by a bundle identifier suffix. The bundle identifier must match the bundle identifier for one of your apps or another app that you are permitted to use as the iCloud container identifier.
    Specifically, value "EH4Y8L86T7.*" for key "com.apple.developer.ubiquity-container-identifiers" in viewer is not supported.
    Invalid Code Signing Entitlements - The signature for your app bundle contains entitlement values that are not supported.
    Specifically, value "EH4Y8L86T7.*" for key "com.apple.developer.ubiquity-kvstore-identifier" in viewer is not supported.
    Once these issues have been corrected, go to the Version Details page and click Ready to Upload Binary. Continue through the submission process until the app status is Waiting for Upload and then use Application Loader to upload the corrected binary.
    Regards,
    The iTunes Store Team
    Do you know what this means? Did I do anything wrong?
    On Apple's iOS Provisioning Portal, under App IDs there is an option to enable iCloud. Should I have not enabled that?
    Thanks,
    Mike

    You should not enable the iCloud option. The Viewer Builder now creates viewers that store folios in the caches directory, not the Documents directory. Files cannot be backed up from the caches directory, so Apple rejected the app. Re-configure your App ID with iCloud deselected and re-create your mobileprovision files -- you should be able to use your same p12 certificates -- and then submit the app again.
    For what it's worth, I accidentally submitted one app with iCloud turned on and one with it turned off, and Apple approved both.

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  • Issue with Network configuration - ACS 4113 Appliance

    We are having issues with two particular devices. I am trying to remove and re-add the devices, but when I do a search and go to their IP, I receive:
    Failed to edit blahblah.ourdomain.... Reason: The Host no longer exists.
    How do I get rid of this so I can readd the devices?
    Thanks
    Dwane

    Yes, ACS SE doesn't support csutil. Please use RDBMS with solution engine and see if that helps.
    Creating, Reading, Updating and Deleting AAA clients
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/rdbms_sync.html#wp1011624
    Regds,
    JK
    Do rate helpful posts-

  • Issue with changing Access Service in ACS 5.2

    Hi,
    I am working on a lab setup where I installed ACS 5.2. I created a new access service and used it in an existing service selection rule (Rule-2) earlier, but it didn't work. Later I created a new service selection rule and applied the new access service to it. However, even after this change it keeps applying the predefined default access service. Please refer to the attached picture for a better understanding.
    As shown, I want Aks-Rule to match and apply the service 'Lab-Policy'; however, it keeps matching Rule-2 and applies the 'Default Device Admin' access service even after I disable it.
    I have to restart the ACS service from the CLI console to make it work. Is this a bug, or am I missing anything? Please advise, guys.
    Regards,
    Akshay

    Since the policy AKS is at the top of the sequence under the service selection rules, it should hit for sure. As you wrote, even after disabling the default device admin service the request still hits it, and restarting the ACS services resolved the issue. The symptoms of your issue are exactly the same as stated in this defect:
    CSCuo93378    Certain browsers cause ACS database corruption
    Due to this issue we have seen cases where the request hits disabled and default policies without any reason. Accessing ACS via Chrome messes up all the operators in the conditions.
    The only workaround is to open all the rules and conditions in a supported browser, ensure all the operators are correct, save the changes and restart the ACS services.
    The issue seems to be fixed in ACS 5.5 patch 5.
    Regards,
    Jatin

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS it worked, but we didn't do the migration then, as there would be changes on the ADs.
    Now my customer wants the ACS migration done by creating a new group in AD; I also updated the ACS config.
    For a user from the old group, authentication is OK.
    For a user from the new group, authentication fails with a "subject not found" error, showing the user as belonging to the old group.
    It seems ACS is querying old records (its own cache or database). I already restarted the ACS but still get the same error.
    Can anyone advise on how to troubleshoot the issue?
    Note: my customer can only access their local ADs (trusted by the global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
    How can we check or make sure of that?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries DNS with the domain in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change in this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret the DNS resource records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact in an AD domain.
    Hope this clarifies it.
    Regards.
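The SRV-based locator behaviour the enhancement request describes, as an added example (my code, not ACS code, and, per the bug text, not what ACS 5.0/5.1 does): it contrasts the "every DC from the domain-wide lookup must answer" rule with a locator that orders the records as RFC 2782 specifies, prefers the site-scoped _sites record AD domain controllers register, and keeps only the DCs a reachability probe reports as usable. The domain lab.example, the site name Site-A, the host names and the SRV answers are constructed; the dictionary stands in for a real DNS query, and the probe is injected so the example runs offline.

```python
import random
from collections import defaultdict

# Constructed SRV answer set for the hypothetical domain lab.example with one AD
# site; names follow the _msdcs convention AD DCs register. Tuples are
# (priority, weight, port, target) as in an RFC 2782 SRV record.
DOMAIN = "lab.example"
SRV_RECORDS = {
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, "dc1.lab.example"),
        (0, 100, 389, "dc2.lab.example"),
        (10, 0, 389, "dc-remote.lab.example"),   # backup DC behind a firewall
    ],
    f"_ldap._tcp.Site-A._sites.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, "dc1.lab.example"),
        (0, 100, 389, "dc2.lab.example"),
    ],
}


def query_srv(name: str):
    """Stand-in for a DNS SRV query (assumption: returns the constructed answers)."""
    return list(SRV_RECORDS.get(name, []))


def rfc2782_order(records, rng=random):
    """Order SRV records per RFC 2782: lowest priority first; within one priority,
    pick repeatedly by weight, with weight-0 records chosen only when the random
    value is 0 (or when every remaining record has weight 0)."""
    by_priority = defaultdict(list)
    for rec in records:
        by_priority[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = sorted(by_priority[prio], key=lambda r: r[1] != 0)  # weight 0 first
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                threshold, running = rng.randint(0, total), 0
                for rec in pool:
                    running += rec[1]
                    if running >= threshold:
                        pick = rec
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def all_dcs_reachable(domain: str, reachable) -> bool:
    """The behaviour the bug describes for 5.0/5.1: every DC from the domain-wide
    lookup must answer, or the connection to the domain counts as failed."""
    return all(reachable(r[3], r[2]) for r in query_srv(f"_ldap._tcp.dc._msdcs.{domain}"))


def locate_dcs(domain: str, site=None, reachable=lambda host, port: True, rng=random):
    """Site-scoped lookup first, then the domain-wide one; returns the ordered
    (host, port) list of DCs the probe reports reachable, or [] if none answer."""
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        candidates = [(r[3], r[2]) for r in rfc2782_order(query_srv(name), rng)]
        usable = [c for c in candidates if reachable(*c)]
        if usable:
            return usable
    return []


if __name__ == "__main__":
    # Constructed probe: the remote DC is filtered by a firewall, as in the bug's
    # "Conditions"; a real probe would attempt a TCP connect to the LDAP port.
    probe = lambda host, port: host != "dc-remote.lab.example"
    print("5.0/5.1 rule, all DCs reachable:", all_dcs_reachable(DOMAIN, probe))   # False
    print("site-aware locator:", locate_dcs(DOMAIN, site="Site-A", reachable=probe))
    print("domain-wide locator:", locate_dcs(DOMAIN, reachable=probe))
```

With the same unreachable DC, the first function reports the domain as failed while the locator still returns two usable controllers, which is the difference between the workaround ("make sure ALL DCs are reachable") and the requested behaviour.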

  • ACS SE 4.1.1.23 patch 5 issue with users

    Hi there, I am facing a very weird issue with ACS SE 4.1.1.23 patch 5. When I add users in ACS they are added successfully, but I cannot see these users when I click "List all users".
    I can see the user count increasing in the groups when I add users, but when I do "List all users" it says there are no users defined. I also tried to log in from devices with the newly created users, and I am able to log in with them.
    Also, when I go to the particular group to which I added the new users and choose "List users in group", I get a message from ACS saying "cannot read users from group".
    What could the issue be? Does anyone have any idea? The customer complained that he was unable to log in to devices with the users created on ACS; when I looked, there were no users in the database, so I added 2-3 users based on the old passed and failed authentications. But I don't know how the users got deleted automatically; I even checked the appliance audit logs and could not see anything indicating that someone deleted users.
    Please help me solve this issue.
    Thanks

    Issue resolved. The CRL that was being parsed from the cert was one level higher than the CRL that needed to be checked. The user CRL was pointing to the Intermediate CA's CRL. I had to manually change the URL from this:
    http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20Intermediate%20CA%201.crl
    to this:
    http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20User%20CA%201.crl
    Mark

  • ACS INTERNAL USER issue with 4.2.(1) build 15

    Hi all,
    I am facing an issue with my ACS server, nothing too difficult, but it bugs me. I have an internal user who is able to access some Cisco devices and cannot access others. There is no Network Access Restriction set for the username. The log shows that when access is granted to a device, the server maps the user to the correct user group; however, when the user fails authentication, the log shows the default user group, which indicates that the user is not always mapped to the correct user group.
    Thanks for the help,
    Jean Paul---

    The problem you're running into clearly indicates that either a Network Access Restriction or a Network Access Policy is configured for the user or group. Since you're positive that there is nothing configured on the NAR, let's narrow it down via the logs.
    Duplicate the issue again with both the devices (working and non-working)
    With working devices, you would get the passed attempts >> copy and paste the log attempt as it is.
    With Non-working device, you would see failed attempt >> copy and paste the log attempt as it is.
    Regards,
    Jatin
    Do rate helpful posts-
