Acs appliance connectivity issue
i am currently deploying 802.1x auth for wireless clients using peap however every 15-20 mins after getting authenticated thru acs i loose my connectivity form the acs to my layer 2 core and subsequently the wireless clients cannnot be authenticated any further
Is this is an OS bug on the acs or config problem or a hardware issue
Hi,
Make sure that you have this patch applied on clients
http://support.microsoft.com/kb/885453
Regards,
~JG
Please rate helpful posts
Similar Messages
-
ACS Appliance configuration issue.
When I attempt to configure the ACS IP address I am getting the following error:
"Error; Failed to get NIC configuration: <null> <FFFFFFFF>"
The device is connected to a working ethernet port and the the physical layers have been eliminated. Aside from starting from scratch, can anyone suggest a way out of this problem?you need to reimage the ACS appliance.
-
Trunked connections to ACS appliance
We are replacing our Cisco ACS 4x server with a new ACS appliance. It is a Cisco UCS C220.
We went with the hardened Linux option for the underlying OS.
Our old server had multiple network adapters on different subnets so that it could authenticate devices on different VRFs (rings basically).
I see the new appliance has only 2 network adapters in it. Is it possible to configure these as a 802.1q trunk in order to have the device service requests on 4-5 subnets? I haven't seen documentation on how to do this.Hi,
ACS v4.1.1.23 patch 5 is available so go for this new patch.
You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
Follow the steps below on the PC:
[1] Extract zipped file
[2] Look for ?autorun.exe? file and double click on it
[3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
SE ip address :
Provide in the ACS SE ip address and press ?Install?
[4] It will prompt for ACS admin username and password as shown below :
Provide in the username and password and login.
[5] Then it bring up ACS GUI, then go to
System Configuration > Appliance Upgrade Status > Download,
Then we?ll get a screen where it will ask for ip address of Install Server :
Provide in ip address of system from where we are applying this patch, in our case our
desktop ip address, then click connect.
[6] It will show us following screen :
Click on ?Download Now?
Then it?ll show us this screen :
Press ?Refresh? Till we see following screen :
[7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
Press ?Upgrade?, then we?ll get information regarding the patch.
Click ?Yes?.
It?ll take few minutes to apply that patch on appliance.
Then it?ll show us a confirmation message :
Press ?Done?, then system will reboot.
To confirm that patch has been applied successfully, goto
System Configuration > Appliance Upgrade Status
After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
if you want to apply this patch on some more appliance click on ?Install Next?
Hope this helps.
~Rohit -
For those having EAP auth issue using the ACS appliance
Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windos 2003 server and then use the Windows database as the external database and not Generic LDAP.
I hope this helps someone!
JeffThe document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm -
ACS Appliance Hardware functionality
Just received a new ACS Appliance and in testing out the functionality I've encountered a couple of curious issues...
Shutdown -- Have tried doing shutdown from both HTTP and Serial connections. Command is accepted and the hard drive light flashes for a bit and then nothing. It does not power off, don't get a message on the serial console saying it is OK to power off. Waited 20 minutes then used the power button. Seems to conflict with the doco.
Can we/How do we use the second Ethernet port? Don't see anything about how to configure it in the doco but when I plug a cable in I do get lights indicating it is active.
I have been able to complete basic configuration and do have connectivity and authentication against Internal User, still fiddling with getting communication with our LDAP User database, So the unit does function.For the 2nd ethernet connection, the doco here (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/install/ovrvuap.htm#wp1040777) gives the answer:
Ethernet Connectors
Your system has two integrated 10/100/1000-megabit-per-second (Mbps) Ethernet connectors. Cisco Secure ACS Solution Engine supports the operation of either Ethernet connector, but not both connectors. Each Ethernet connector provides all the functions of a network expansion card and supports the 10BASE-T, 100BASE-TX, and 1000BASE-TX Ethernet standards.
Each NIC is configured to automatically detect the speed and duplex mode of the network.
Note The Cisco Secure ACS Solution Engine supports the operation of only one Ethernet connector at a time. Concurrent operation of both Ethernet connectors is not supported.
For the shutdown issue, not sure, haven't seen that before. -
No access to serial console in ACS appliance 111
We have 2 Cisco ACS appliances running version ...
Cisco Secure ACS 3.2.2.5
Appliance Management Software 3.2.2.5
Appliance Base Image 3.2.2.1
The fact is that after initial setup, we have never used the console mainly because in a production environment we manage them through the Web Admin application. Now we have decided to upgrade both appliances to the latest version (3.3.3) and when we tried to connect to the serial console (115200,N,8,1, no flow control) we don't get any response from none of both ACS. It's quiet strange but we have found no way to make them work. We have tried several things I expose to you in case you can give us any hint:
1. We have rebooted the appliance and we can see through the console all the start-up process but when it finally finishes the start-up, we see no login prompt.
2. We have also shutdown the appliance properly and power it off and on again. Same results. The appliances boot normal but still we don't have console access.
3. We have tried boot the appliance with the recovery CD-ROM and the console works fine. I can reset the Admin password, but when it restart from its own system ( I mean without the recovery CD_ROM), I can see all the starting messages but when it finish the start-up process ... no console access.
4. Finally I have connected a monitor and a keyboard to the appliance ( I know Cisco dosn not recommned it but when in trouble....) and I see the full start-up process and it includes the base Windows 2000 server operating system startup. When Windows finishes loading, we get a lock screen in which the appliance informs you that it have started correctly and that we could access it for management through the serial console port or through the web console. 10 seconds later I see a pop up window stating that on or more services have not started correctly and that we shoulkd check the Event viewer, something we wished we could do but as you you, this is a secured system and I don't know if there is a back door method to verify windows services in this appliance.
Any help would be appreciated, as the problem is identical in both the appliances and upgrading them without access to the admin console is difficult and risky.
Kind regards.Hi
I had similair problem being locked out of console after initial configuration wizard.
I think there is a bug within the console session in that if you input a hostname of more than 15 characters, it locks up the ACS service when the server reboots. If you keep your hostname to less than 15 characters, the server reboots and you get console access. If you then access the GUI, you will see that 15 characters is the maximum, and you cannot enetr any more than this. This is not the case with the console, where you can enter more than 15 without getting an error message.
I rescued the server by doing F8 and rebooting server with last known good configuration. from there, you can reset the hostname to something valid. You can check to see which CS services are running through console session, and start any services that may not be running..
deliverance1> start CSAgent
Starting service: CSAgent..
CSAgent is starting
CSAgent is running
Regards
Ian -
New ACS appliance not showing FQDN hostname in GUI
I've installed two new ACS appliances in our environment running 5.3. I've just configured the basics to get it on the network (ie DNS, default GW, IP address). Looking at both running configs, they are identical with exception to the IP addresses. On one appliance in the GUI next to the user name in the top right hand corner, the hostname is "acs01". In the GUI on the other appliance, it shows "acs02.corp.mycompany.com". This is a minor issue but its bugging me. Anyone have an idea what is going on?
In both appliances, this statement is identical in the show run:
ip domain-name corp.mycompany.comHi,
So you are using a hardware RAID5 in storage pool as a hard disk. Now you added one more hard disk to the RAID5 with the tool "Dell Server Administrator" but it is not recognized in storage pool.
I think it will not work as hard disk size cannot be changed after storage pool is created. It is by default.
However why you use the hardware RAID in a storage pool? A hardware RAID seems enough for your storage requirement.
If you have any feedback on our support, please send to [email protected] -
I was wondering if someone can help me to upgrade my ACS Appliance with patch 4.1.1.23.4-SW. It was simple to apply this one in a normal server 2000. The ACS appliance I think is different because that we can access by normal terminal, keyboard and mouse.
Some were I read that is necessary a tomcat server?
Please help
adiHi,
ACS v4.1.1.23 patch 5 is available so go for this new patch.
You should have a pc which can access ACS through web interface. Keep the patch file on the PC.
Follow the steps below on the PC:
[1] Extract zipped file
[2] Look for ?autorun.exe? file and double click on it
[3] It will start a tomcat server on your desktop and you?ll see a web page asking for ACS
SE ip address :
Provide in the ACS SE ip address and press ?Install?
[4] It will prompt for ACS admin username and password as shown below :
Provide in the username and password and login.
[5] Then it bring up ACS GUI, then go to
System Configuration > Appliance Upgrade Status > Download,
Then we?ll get a screen where it will ask for ip address of Install Server :
Provide in ip address of system from where we are applying this patch, in our case our
desktop ip address, then click connect.
[6] It will show us following screen :
Click on ?Download Now?
Then it?ll show us this screen :
Press ?Refresh? Till we see following screen :
[7] Now press ?Apply Upgrade?. Then it?ll ask for confirmation :
Press ?Upgrade?, then we?ll get information regarding the patch.
Click ?Yes?.
It?ll take few minutes to apply that patch on appliance.
Then it?ll show us a confirmation message :
Press ?Done?, then system will reboot.
To confirm that patch has been applied successfully, goto
System Configuration > Appliance Upgrade Status
After everything is fine stop the tomcat server by clicking on ?stop distribution server? or
if you want to apply this patch on some more appliance click on ?Install Next?
Hope this helps.
~Rohit -
RDBMS Synchronization problem in ACS Appliance 3.3
Hi,
I was adding multiple AAA Clients on ACS Appliance using RDBMS Synchronization option I followed the complete steps but failed to synchronize accountActions.csv file on ACS my ftp server is working fine and returned the logs saying "accountActions.csv file read recieved file successfully size 0 bytes 0.00 kbps" and RDBMS synchronization logs ACS reported as "No import CSV file on ftp server - nothing to process" I have attached related screen shots. Any help on this issue will be highly appreciated.
Thanks in advance
Best Regards,
AhmedThe format of the accountsaction.csv file is incorrect as a result of which the RDBMS Synchronization is not executed correctly.
I have attached a sample accountsAction.csv file for you.
(i) The AAA Client C7609-X with the ip address 10.10.10.10 has been added with the shared secret key as mikey and is is registered with TACACS+
(ii) The NDG michasisX has been added.
(iii) The device C7609-X has been added to the NDG michasisX
Place the file in the FTP and try performing an RDBMS synchronization. Restart the ACS services.
Then you can add the devices as per the sample file attached.
Also check if the file name is exactly the same in the RDBMS Synchronization page in the ACS
Hope this helps,
Soumya -
I have ACS 3.3 running on Win2k and am looking to upgrade. Would it be a better idea to get the ACS appliance instead? What are the pros/cons?
Hi
Personally I wouldnt choose an appliance over software. Cost aside they are harder to integrate (esp if you use AD), harder to diagnose and patch.
From experience I know ACS sometimes needs a little TLC to keep it working. ACS v3/v4 was not designed as appliance software. This has been retro-fitted with all the issues that go with it.
ACS v5 is supposed to be appliance from day 1 so maybe that'll be ok!
This is my own personal view, Im sure there are a lot of happy appliance owners out there.
Main differences
1) Appliance cant talk direct to AD. You need to install an agent somewhere (possibly requiring a dedicated windows server.. ouch what happened to lower TCO!)
2) No native ODBC, RSA (done via RADIUS instead)
3) Logging. CSVs hard coded to rollover at 10MB. Requires log agent or extraxi csvsync to collect logs.
If you like to be "hands on" stick with s/w -
I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table. but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?
Hi,
Without Distribution server, normally you need to load the new image into the current ACS appliance itself before execute the upgrade process. The new image can be transferred via serial or ACS web-based 'system upgrade' option.
If I am not mistaken, the error you're getting was due to unavailability of distribution server.
If you stuck with the image transfer, try to use CLI/console mode.
Typicall upgrade method has 3 steps:
1. Load new image (download from Cisco or using CD) onto a distribution server.
2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
Refer to the following url for complete upgrade processes & options:
http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
Rgds,
AK -
is it possible to configure syslog on ACS appliance running ver 3.3?
Please take a look at extraxi csvsync. Its our http(s) client that can download logs from ACS v2 or later (software or appliance).
You simply create an Administrator account on the ACS with access rights to the "reports & activity" page plus each log types you want to download. On a PC somewhere you can schedule csvsync to connect and download all new logs (csvsync keeps a history of what its previously downloaded) over http.
By doing a once (perhaps twice) a day bulk download you reduce the inefficient "drip drip" of syslog traffic that can be a problem over WAN. Also, you're guarunteed to get the log data - remember syslog is a non-acknowledged "fire and forget" protocol... ACS can be firing but the other end might be forgetting!
csvsync also supports filename postfixing - so you dont get name clashes when downloading from multiple ACS servers.
Used on its own csvsync is a great way to bulk archive the valuable ACS log data, however used in conjunction with extraxi aaa-reports! and you have a full log collection and reporting application.
For more on csvsync or aaa-reports! please visit http://www.extraxi.com - free 60 day eval versions available. -
Cisco ACS Appliance and Passed Authentication Logs
I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
When I look at the "Passed Authentication" logs, the users seem to show up about 3 time a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
Thanks for any suggestions!What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I ope this helps.
-
ACS appliance 4.1 - machine authentification from trusted Domain failed
We have a acs appliance 4.1 with a agent running on a X domain controller to authenticate user's from the X domain active directory.
User's and Computer's are able to authenticate without any issue on X domain.
We have recently add a trusted Y domain on this X domain.
User's from Y domain are able to authenticate on our ACS without any issue , but machine are not able to authenticate.
03/14/2011
10:44:32
Authen failed
host/FLADWS0072.Ydomain
Default Group
00-26-82-d6-9b-3f
(Default)
External DB user invalid or bad password
Machine use is the following settings to authenticate :
EAP type : EAP (PEAP)
Authentification method : EAP-MSCHAP v2
On Y domain active directory :
Remote access permission is ok for machine
On ACS applicance :
"Enable PEAP machine authentication" is select + the machine from X Domain are authenticate without any issue.
Any idea where is should start to invetigate ?
Tks in advance for your helpDear Valued Cisco Customer,
I will be out of the office from 03/20/2010 until 04/04/2010. During
this time, I will have no access to email or voicemail. If you require
assistance during my absence, please contact Manivannan Srinivasan via
phone at 469-255-4806 or via email at [email protected] and this
engineer will continue to work any immediate concerns you may have at
this time. If this issue can wait until my return on 04/05/2010, I will
be glad to continue working with you. If you require assistance outside
of our business hours (10:00am - 7:00pm CST), please contact the TAC by
calling 1800-553-2447 or email [email protected] and request to have the
service request re-assigned.
Best Regards,
Abhishek Neelakanata -
Hello,
We have been continously getting the below messages on ACS appliance.
monit[4578]: 'adclient' process is not running
monit[4578]: 'adclient' trying to restart
monit[4578]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
ACS adclient INFO: Run, Initializing DB query...
ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
Also we have been facing issues where intermittently clients are not able to authenticate. We are using WPA2/802.1x. The ACS appliance is running on 5.1.
Any help appreciated.
Thank you.Hello,
I am experiencing the same problem with a secondary ACS running in a virtual appliance. The ACS version is 5.2.0.26.6. Rebooting the VM didn't solve the problem. I'm still able to collect some logs and here is what I found :
Oct 6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' process is not running
Oct 6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' trying to restart
Oct 6 18:50:47 ACSSLAVE2 monit[5031]: 'adclient' start: /opt/CSCOacs/bin/exec_wrapper.sh
Oct 6 18:50:47 ACSSLAVE2 ACS adclient INFO: Run, Initializing DB query...
Oct 6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN No appenders could be found for logger (org.hibernate.cfg.Environment).
Oct 6 18:50:47 ACSSLAVE2 ACS adclient ERROR: log4j:WARN Please initialize the log4j system properly.
Oct 6 18:50:48 ACSSLAVE2 monit[5031]: 'adclient' failed to start
Did you manage to solve your problem and make the "adclient" process started?
Thanks,
Vincent
Maybe you are looking for
-
Hi All, The audio is fine but no pic. Using Panther 10.3.9 and QT 6.5.2 with my 500mhz Cube, 1.2g ram, 120g HD, Geforce2 MX Cube Mac OS X (10.3.9) Apples since IIe
-
So does anyone from Apple read the posts on here
With the battery drain issues being experienced by so many, especially those with iPhone 5, I'm wondering if anyone from Apple may have actually read these posts.With all due respect to the experts, it is clear to me that the iOS 7.1 update is causin
-
I want to buy something and you won't let me. Are you people crazy
-
How to programmatically upload roles to Portals.
How can we programmatically upload roles from CUA to Portal. Are there any BAPI's or any other methods that we can use to accomplish this. We currently have a program that runs as a job every night to create users and assigns them roles in R/3, EBP a
-
For 2 wks get a crash report when I quit photoshop. report sent whynothing fixed?
for 2 weeks get a crash report everytime i quit photoshop. crash report submitted everytime with details on when this happens yet nothing has been fixed. what is purpose of sending crash reports if they are ignored and problem continues?