ACS Appliance 1112 - Authentication Without Enable Secret

Hello Everybody
I have a ACS appliance 1112 to authenticate users by TACACS+ with Active Directory.
The users could access privileged mode on the network devices with just their AD user, without typing an enable secret, but after a restart of the appliance the users are now asked to type an enable secret to access privileged mode.
Is it necessary to change something on the network devices, or maybe a configuration on the ACS?
Thanks

Please go to the group that the user in question belongs to and make sure we have Shell (Exec) checked with privilege level 15.
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Also check the Passed Authentications logs and make sure that the user is mapped to the right group in ACS.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • ACS Appliance 1112 version 4.1 Web Interface

    Hi, I have an ACS 1112 appliance that is currently running on 4.1 and was brought up to patch level 4.1.1.23.3. We were attempting to install patch 4.1.1.23.4 through the Web Console when we lost connectivity and never got it back. After logging in through the serial console, it indicated that an 'upgrade was in progress'. I was able to successfully re-run the install for 4.1.1.23.4 through the serial interface, along with 4.1.1.23.5, however, even after several reboots, I still cannot gain access to the Web Console. I also confirmed that CSAdmin is up and running. Is there anything I can do to remedy this issue without rebuilding the entire device? Thank you.

    Make sure that you have the Remote Agent matching your ACS version 4.1.1.23.5.
    I've seen issues where ACS was trying to contact RA and GUI became unresponsive.
    Also, by default the ACS allows any TCP ports to be used for Administration HTTP Access, but this could be limited once you gain access.
    My point here is that if the web access was working before, it might not be the case, but you could be blocked by a firewall/pix/asa...
    Try from a different PC, and a different browser...

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS 4.2 has been configured to use both the internal and an external database. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and the others), you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ tac_admin
       server x.x.x.x
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
    1. Shell (exec) enabled
    2. Privilege level 15
    3. Custom attributes:
       shell:Admin*Admin default-domain
       If you have an additional context, add the next line:
       shell:mycontext*Admin default-domain
    After logging in to ACE and issuing the sh users command you should see the following:
    User      Context   Line    Login Time     (Location)   Role    Domain(s)
    *adm-x    Admin     pts/0   Sep 21 12:24   (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
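What the group settings in the main answer (Shell (Exec) with privilege level 15) and in this answer (the extra shell:Admin*Admin default-domain attribute) actually put on the wire is a TACACS+ authorization REPLY whose arguments the device then applies. The following is an added example, not code from the thread or from Cisco ACS: it builds a constructed REPLY body with exactly those two arguments, parses it with the length checks a server or collector should do, and extracts the granted privilege level and the optional custom attributes. It assumes the body has already been decrypted with the shared key; the 12-byte TACACS+ header and the body obfuscation are not shown.

```python
import struct

# TACACS+ authorization REPLY status values (RFC 8907, section 6.2)
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}


def build_author_reply(status: int, args: list, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Encode a REPLY body; used here only to construct the sample the parser runs on."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("arg_cnt and each arg_len are single bytes")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return body + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)


def parse_author_reply(body: bytes) -> dict:
    """Decode a REPLY body laid out as status(1) arg_cnt(1) server_msg_len(2) data_len(2)
    arg_len[arg_cnt] server_msg data args...; every length is checked against the buffer."""
    if len(body) < 6:
        raise ValueError("authorization reply body too short")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg_len array")
    off += arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    if off > len(body):
        raise ValueError("server_msg/data run past end of body")
    args = []
    for n in arg_lens:
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated argument")
        args.append(chunk.decode("ascii"))
        off += n
    if off != len(body):
        raise ValueError("trailing bytes after last argument")
    return {"status": AUTHOR_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
            "server_msg": server_msg.decode("ascii", "replace"), "data": data, "args": args}


def split_arg(arg: str) -> tuple:
    """'name=value' is a mandatory argument, 'name*value' an optional one; split at the first separator.
    Returns (name, value, mandatory)."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument without '=' or '*': %r" % arg)


def granted_priv_level(reply: dict):
    """Privilege level the device should apply, or None if the reply grants nothing."""
    if reply["status"] not in ("PASS_ADD", "PASS_REPL"):
        return None
    for arg in reply["args"]:
        name, value, _mandatory = split_arg(arg)
        if name == "priv-lvl":
            level = int(value)
            if not 0 <= level <= 15:
                raise ValueError("priv-lvl outside 0..15: %d" % level)
            return level
    return None


def custom_attributes(reply: dict) -> dict:
    """All arguments other than priv-lvl as {name: (value, mandatory)}; for ACE this is the role/domain."""
    out = {}
    for arg in reply["args"]:
        name, value, mandatory = split_arg(arg)
        if name != "priv-lvl":
            out[name] = (value, mandatory)
    return out


# Constructed sample: a PASS_ADD reply carrying the group settings from the two answers.
SAMPLE_BODY = build_author_reply(0x01, ["priv-lvl=15", "shell:Admin*Admin default-domain"])

if __name__ == "__main__":
    reply = parse_author_reply(SAMPLE_BODY)
    print(reply["status"], "priv-lvl:", granted_priv_level(reply))
    print("custom attributes:", custom_attributes(reply))
    print("FAIL reply grants:", granted_priv_level(parse_author_reply(build_author_reply(0x10, []))))
```

The "*" in shell:Admin*Admin default-domain is the TACACS+ optional-argument separator, which is why the parser reports that attribute as optional while priv-lvl=15 is mandatory; a FAIL or ERROR status yields no privilege level at all, which on the device looks exactly like the enable-secret prompt the original question describes.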

  • Cisco ACS Appliance and Passed Authentication Logs

    I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
    When I look at the "Passed Authentication" logs, the users seem to show up about 3 times a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
    Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
    Thanks for any suggestions!

    What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I hope this helps.

  • ACS appliance 4.1 - machine authentication from trusted domain failed

    We have an ACS appliance 4.1 with an agent running on an X domain controller to authenticate users from the X domain Active Directory.
    Users and computers are able to authenticate without any issue on the X domain.
    We have recently added a trusted Y domain to this X domain.
    Users from the Y domain are able to authenticate on our ACS without any issue, but machines are not able to authenticate:
    03/14/2011 10:44:32 Authen failed host/FLADWS0072.Ydomain Default Group 00-26-82-d6-9b-3f (Default) External DB user invalid or bad password
    The machine uses the following settings to authenticate:
    EAP type: EAP (PEAP)
    Authentication method: EAP-MSCHAP v2
    On the Y domain Active Directory:
    Remote access permission is OK for the machine
    On the ACS appliance:
    "Enable PEAP machine authentication" is selected, and machines from the X domain authenticate without any issue.
    Any idea where I should start to investigate?
    Thanks in advance for your help


  • ACS appliance setup help

    Network environment:
    - Windows 2003 with enterprise CA
    - Cisco ACS appliance 4.1.1.23
    - Cisco 1240 AG series APs
    Wireless clients:
    - Windows XP SP2
    Brief steps taken:
    - Installed Enterprise CA
    - Created copy of web server certificate with option “Mark keys as exportable” enabled. Certificate published.
    - Created global group in AD that contains test user and a single laptop that is a member of domain - for auto enrolment.
    - Generated certificate request from ACS (1024 key length).
    - Submitted server request from ftp server - Submit a certificate request using base 64…
    - Submitted CA certificate request from ftp server - Retrieve CA certificate or revocation list /base 64 encoded.
    - CA & server certificates installed in to ACS appliance (Domain certificate authority approved within ACS)
    Brief config of ACS appliance
    Global config
    - PEAP -Selected “Allow EAP-MSCHAPv2”.
    - LEAP - Allow LEAP (For Aironet only)
    - Selected “Allow MS-CHAP Version 1 & 2 authentication”
    - Added AAA client (AP) with shared secret with authentication using “Radius (Cisco Aironet)”
    - Under External user DB//DB config/windows database, “Enable PEAP machine authentication” selected.
    1240 series AP config
    - Under Server Manager, ACS IP with shared secret entered as a Radius server.
    - Selected EAP authentication.
    - Under SSID Manager selected open Authentication with EAP & selected network EAP.
    - Under Encryption Manager selected WEP Encryption & mandatory.
    - Selected key 1 and entered 128 bit key
    Client (windows XP SP2 domain member) config
    - Connected to Enterprise CA web site, base64 encoding/download CA certificate
    and installed it in local computer store.
    - Under Network authentication selected open with WEP, EAP type “Protected EAP (PEAP)”
    - Authenticate as a computer selected
    - Selected my CA under “Trusted Certification Authorities”
    - Authentication method (EAP-MSCHAP V2)
    Errors:
    Automatic certificate enrollment to local system failed to contact the AD. The specified domain does not exist or cannot be contacted.
    Or
    Computer doesn't have correct certificate
    Used 43486, 64067, 71929
    Any suggestions very much appreciated.

    ACS Agent is installed on two DC's as well and they are detected by ACS.
    Thanks

  • ACS appliance -- AD -- RSA Securid Server

    I have Cisco ACS appliance running version 3.3.2.2 and Windows Active Directory on Win2000 Advanced Server and RSA v5.2. I already installed successfully the remote agent in Active directory.
    Authentication using EAP-FAST from my wireless client going to ACS to AD is successful.
    But when authenticating going to RSA failed. I can't find logs that my ACS is communicating successfully with RSA.
    Here's more info:
    In Active Directory, the remote agent for ACS installed successfully. The agent for RSA is also installed successfully.
    In ACS appliance, remote agent was already pointed to AD.
    No RSA SecurID Token Server found in my External User Database Configuration list. I think this is the problem.
    How can I manage to configure RSA SecurID Token Server in my ACS appliance?

    Hello,
    The configuration guideline for the ACS is described in "Configuring CiscoSecure ACS for Windows NT with ACE Server Authentication" at
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080094650.shtml
    I had this up and running with a customer. There was no AD involved though, so it is not entirely your case and there might be other obstacles on the way.
    ACS with ACE however works, though there were some nasty problems to be solved on the way to success.
    One thing to point out straight away, also mentioned in the document above:
    Challenge Handshake Authentication Protocol (CHAP) cannot be used with the ACE tokens alone because of the requirement CHAP RFC (1994) that states:
    CHAP requires that the secret be available in plaintext form. Irreversibly encrypted password databases commonly available cannot be used.
    This precludes use of the ACE tokens for straight CHAP unless there is a separate CHAP password. For instance:
    username: xxxx
    password: xxxx
    Password Authentication Protocol (PAP) is a better choice here.
    This means the user has to enter "username*token" - the customer finally wrote a Java applet to construct the proper combination out of different clearly named input fields to simplify the input for inexperienced users.
    Hope this helps! Please rate all posts.
    Regards, Martin
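The RFC 1994 requirement quoted above can be made concrete. The following is an added example, not code from the thread, the Cisco document or the customer's applet: it computes the CHAP response exactly as RFC 1994 section 4.1 defines it (MD5 over identifier, secret and challenge) and then tries to verify it against three kinds of credential store, a plaintext store, a store that only keeps salted SHA-256 digests, and a stand-in for a one-time-token server. Only the plaintext store can verify CHAP; the other two can verify PAP, which is the point of the answer. The users, secret, token value and the "username*token" splitting are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class PlaintextStore:
    """Keeps each user's secret recoverable, which is the precondition CHAP imposes."""
    def __init__(self, users: dict):
        self._users = dict(users)

    def verify_pap(self, user: str, password: bytes) -> bool:
        secret = self._users.get(user)
        return secret is not None and hmac.compare_digest(secret, password)

    def verify_chap(self, user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
        secret = self._users.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class HashedStore:
    """Stores only salted SHA-256 digests: the 'irreversibly encrypted' database the RFC rules out for CHAP."""
    def __init__(self, users: dict):
        self._users = {}
        for user, password in users.items():
            salt = os.urandom(16)
            self._users[user] = (salt, hashlib.sha256(salt + password).digest())

    def verify_pap(self, user: str, password: bytes) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)

    def verify_chap(self, user, identifier, challenge, response):
        raise NotImplementedError("CHAP needs the clear-text secret; only a digest is stored")


class TokenStore:
    """Stand-in for a one-time-token server: it can only confirm the token value presented now."""
    def __init__(self, current_tokens: dict):
        self._tokens = dict(current_tokens)

    def verify_pap(self, user: str, token: bytes) -> bool:
        expected = self._tokens.get(user)
        return expected is not None and hmac.compare_digest(expected, token)

    def verify_chap(self, user, identifier, challenge, response):
        raise NotImplementedError("a one-time token has no static secret to hash with the challenge")


def split_user_token(login: str) -> tuple:
    """Split the 'username*token' login form described in the reply at the first '*'."""
    user, sep, token = login.partition("*")
    if not sep or not user or not token:
        raise ValueError("expected 'username*token'")
    return user, token


def try_chap(store, user: str, identifier: int, challenge: bytes, response: bytes) -> str:
    """Report whether a store can even attempt CHAP: 'accepted', 'rejected' or 'unsupported'."""
    try:
        return "accepted" if store.verify_chap(user, identifier, challenge, response) else "rejected"
    except NotImplementedError:
        return "unsupported"


# Constructed sample data (hypothetical user, secret and current token value).
CHALLENGE = bytes(range(16))
PLAIN = PlaintextStore({"alice": b"s3cret-pw"})
HASHED = HashedStore({"alice": b"s3cret-pw"})
TOKENS = TokenStore({"alice": b"482913"})

if __name__ == "__main__":
    resp = chap_response(7, b"s3cret-pw", CHALLENGE)
    for name, store in (("plaintext", PLAIN), ("hashed", HASHED), ("token", TOKENS)):
        print(name, "store, CHAP:", try_chap(store, "alice", 7, CHALLENGE, resp))
    user, token = split_user_token("alice*482913")
    print("PAP 'username*token' against the token server:", TOKENS.verify_pap(user, token.encode()))
```

The hashed store is included to show that the limitation is not specific to token servers: any backend that cannot hand the authenticator the secret itself is unusable for CHAP, while PAP delivers the credential to the server and lets that server decide however it likes.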

  • No access to serial console in ACS appliance 111

    We have 2 Cisco ACS appliances running version ...
    Cisco Secure ACS 3.2.2.5
    Appliance Management Software 3.2.2.5
    Appliance Base Image 3.2.2.1
    The fact is that after the initial setup we have never used the console, mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3), and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from either ACS. It's quite strange, but we have found no way to make them work. We have tried several things, which I describe in case you can give us any hint:
    1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
    2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
    3. We have tried booting the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restarts from its own system (I mean without the recovery CD-ROM), I can see all the starting messages, but when it finishes the start-up process ... no console access.
    4. Finally I have connected a monitor and a keyboard to the appliance (I know Cisco does not recommend it, but when in trouble....) and I see the full start-up process, and it includes the base Windows 2000 Server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it has started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop-up window stating that one or more services have not started correctly and that we should check the Event Viewer, something we wished we could do, but as you know, this is a secured system and I don't know if there is a back-door method to verify Windows services in this appliance.
    Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
    Kind regards.

    Hi
    I had a similar problem, being locked out of the console after the initial configuration wizard.
    I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enter any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
    I rescued the server by doing F8 and rebooting the server with the last known good configuration. From there, you can reset the hostname to something valid. You can check to see which CS services are running through the console session, and start any services that may not be running:
    deliverance1> start CSAgent
    Starting service: CSAgent..
    CSAgent is starting
    CSAgent is running
    Regards
    Ian

  • Adding a Custom VSA to a Group - ACS Appliance

    Hi,
    Using a secure ACS Appliance 4.0
    I want to add a new RADIUS Vendor and its associated VSA to the ACS configuration. This will then be returned during Authorization.
    I have already added the new Vendor and the required VSA through RDBMS. I can now see the new vendor as RADIUS (vendor) in NAP Profile etc
    However, I cannot seem to find how I would set the value of the added VSA, and assign it to a particular group. I cannot seem to find that VSA anywhere.

    Add an AAA client with "Authenticate using" RADIUS (vendor),
    then go to Interface Configuration and enable VSA for Group/User
    ~Rohit

  • Eap-tls wireless machine authentication without AD

    Hi all,
    I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
    I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
    With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
    but when it comes to a login attempt the RADIUS User-Name looks like "host/username" instead of "username" as with user authentication.
    My question is: do I need to configure an Identity Store (like AD) for machine authentication on ACS, or can I make use of the configuration as for the user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)?
    Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
    Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
    Thanks for your help,

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did this with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • ACS appliance External Auth to NT 4.0

    Hi
    I am installing the ACS appliance to do external database authentication to NT 4.0 PDC. It appears with the appliance you have to install a remote agent to make this work. It is my understanding this agent must run on a win2k box. Does the agent have to be installed on the PDC or can it go on any windows server box?
    Is there a workaround if you do not have a Win2k server? This network is still NT4 with no Win2k boxes.
    Thanks

    The remote agent was not tested on NT4 and probably wouldn't even install properly. Even if it did work, you would be very limited in the support you'd get if you had strange problems because it is an unsupported configuration.
    It doesn't have to go on a PDC, but things just seem to work better if it is on a DC of some sort. At the very least it needs to be on a member server, but as I said, I'd recommend putting it on a BDC from experience.
    The release notes/install guide for it is here:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/raig/index.htm

  • RDBMS Synchronization problem in ACS Appliance 3.3

    Hi,
    I was adding multiple AAA clients on the ACS Appliance using the RDBMS Synchronization option. I followed the complete steps but failed to synchronize the accountActions.csv file on ACS. My FTP server is working fine and returned logs saying "accountActions.csv file read received file successfully size 0 bytes 0.00 kbps", and in the RDBMS synchronization logs ACS reported "No import CSV file on ftp server - nothing to process". I have attached related screenshots. Any help on this issue will be highly appreciated.
    Thanks in advance
    Best Regards,
    Ahmed

    The format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
    I have attached a sample accountsAction.csv file for you.
    (i) The AAA client C7609-X with the IP address 10.10.10.10 has been added with the shared secret key mikey and is registered with TACACS+
    (ii) The NDG michasisX has been added.
    (iii) The device C7609-X has been added to the NDG michasisX
    Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
    Then you can add the devices as per the sample file attached.
    Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS
    Hope this helps,
    Soumya

  • Cisco AAA and Free Radius enable secret failure

    Hi,
    I am currently testing aaa authentication with free radius.
    I can authenticate users through the RADIUS server; however, I cannot authenticate the enable secret.
    Here is the router configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication login localauth local
    aaa authentication ppp default if-needed group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    aaa authorization network default group radius local
    aaa accounting delay-start
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    radius-server host 192.168.0.135 auth-port 1812 acct-port 1813 key cisco
    I have created a user for the enable secret as such:
    $enable15$   Auth-Type := local
            Service-Type = NAS-Prompt-User
    The router cannot authenticate when logging in to privileged mode. I cannot find any log on the RADIUS server either.
    Please help.

    It should be $enab15$ as the user that IOS sends to the radius server.
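The reply above comes down to an exact string match on the User-Name attribute, so it is worth seeing what the enable request from IOS looks like to the RADIUS server. The following is an added example, not code from the thread or from FreeRADIUS: it builds an Access-Request with User-Name $enab15$, Service-Type NAS-Prompt-User and a User-Password hidden as RFC 2865 section 5.2 prescribes, then runs a minimal server-side check against two constructed user tables, one keyed by $enab15$ and one by the $enable15$ entry from the question. The shared key "cisco" is the one in the router configuration above; the enable password and the users tables are constructed for the example and stand in for the FreeRADIUS users file.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_SERVICE_TYPE = 6
NAS_PROMPT_USER = 7        # Service-Type value used in the thread's users entry
ENABLE_USER = "$enab15$"   # User-Name IOS sends for level-15 enable (per the reply above)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped (a RADIUS password cannot contain NUL)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def pack_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, counts these two bytes too) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_enable_request(secret: bytes, enable_password: bytes, identifier: int = 1,
                         username: str = ENABLE_USER) -> bytes:
    """Access-Request shaped like the one 'aaa authentication enable default group radius' produces."""
    authenticator = os.urandom(16)
    attrs = (pack_attr(ATTR_USER_NAME, username.encode())
             + pack_attr(ATTR_USER_PASSWORD, hide_password(enable_password, secret, authenticator))
             + pack_attr(ATTR_SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_request(packet: bytes):
    """Return (code, identifier, authenticator, {type: [values]}), checking every length field."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    authenticator, attrs, off = packet[4:20], {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2 or off + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(attr_type, []).append(packet[off + 2:off + attr_len])
        off += attr_len
    return code, identifier, authenticator, attrs


def check_enable_request(packet: bytes, secret: bytes, users: dict) -> tuple:
    """Server-side decision: 'users' maps the exact User-Name to the expected clear-text password."""
    code, _ident, authenticator, attrs = parse_request(packet)
    if code != ACCESS_REQUEST:
        return False, "not an Access-Request"
    if ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False, "User-Name or User-Password missing"
    name = attrs[ATTR_USER_NAME][0].decode("ascii", "replace")
    expected = users.get(name)
    if expected is None:
        return False, "no entry matches User-Name %r" % name
    if attrs.get(ATTR_SERVICE_TYPE, [b""])[0] != struct.pack("!I", NAS_PROMPT_USER):
        return False, "Service-Type is not NAS-Prompt-User"
    supplied = reveal_password(attrs[ATTR_USER_PASSWORD][0], secret, authenticator)
    if not hmac.compare_digest(supplied, expected):
        return False, "wrong enable password"
    return True, "accept: %r may enter privilege level 15" % name


# Constructed sample data: the shared key from the radius-server line, a hypothetical enable password.
SHARED_SECRET = b"cisco"
ENABLE_PASSWORD = b"Enable-Pass-Example"
CORRECT_USERS = {"$enab15$": ENABLE_PASSWORD}
MISTYPED_USERS = {"$enable15$": ENABLE_PASSWORD}   # the entry name from the question

if __name__ == "__main__":
    request = build_enable_request(SHARED_SECRET, ENABLE_PASSWORD)
    print(check_enable_request(request, SHARED_SECRET, CORRECT_USERS))
    print(check_enable_request(request, SHARED_SECRET, MISTYPED_USERS))
```

Run as-is, the second line reports that no entry matches $enab15$, which is the failure the question describes; the same function with the wrong shared key reveals garbage instead of the password and is also rejected, so a key mismatch between the router and the server looks identical from the router's side.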

  • ACS Appliance Upgrade

    I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table, but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

    Hi,
    Without a distribution server, normally you need to load the new image into the current ACS appliance itself before executing the upgrade process. The new image can be transferred via serial or the ACS web-based 'system upgrade' option.
    If I am not mistaken, the error you're getting was due to the unavailability of a distribution server.
    If you are stuck with the image transfer, try using CLI/console mode.
    The typical upgrade method has 3 steps:
    1. Load new image (download from Cisco or using CD) onto a distribution server.
    2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
    3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
    Refer to the following url for complete upgrade processes & options:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
    Rgds,
    AK

  • ACS Appliance Hardware functionality

    Just received a new ACS Appliance and in testing out the functionality I've encountered a couple of curious issues...
    Shutdown -- Have tried doing shutdown from both HTTP and Serial connections. Command is accepted and the hard drive light flashes for a bit and then nothing. It does not power off, don't get a message on the serial console saying it is OK to power off. Waited 20 minutes then used the power button. Seems to conflict with the doco.
    Can we/How do we use the second Ethernet port? Don't see anything about how to configure it in the doco but when I plug a cable in I do get lights indicating it is active.
    I have been able to complete basic configuration and do have connectivity and authentication against Internal User, still fiddling with getting communication with our LDAP User database, So the unit does function.

    For the 2nd ethernet connection, the doco here (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1040777) gives the answer:
    Ethernet Connectors
    Your system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. Cisco Secure ACS Solution Engine supports the operation of either Ethernet connector, but not both connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.
    Each NIC is configured to automatically detect the speed and duplex mode of the network.
    Note The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported.
    For the shutdown issue, not sure, haven't seen that before.
