ACS disconnects network devices randomly
I've got a strange situation where our ACS seems to be disconnecting network devices periodically. Some of the logs make me think there's an issue w/ our AD setup, others point to runtime issues within the ACS. Typically it's just a quick drop and the other ACS picks up the load, but it seems to be happening more often.
Anyone have any idea where I should start on this one?
Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[239] [daemon]: cdp_parse_version(): version = Linux 2.6.18-194.26.1.el5PAE #1 SMP Fri Oct 29 14:28:58 EDT 2010 CCM:8.6.1.20000-1
Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[849] [daemon]: parse_cdp_packet(): get CDP_PLATFORM_TYPE
Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[263] [daemon]: cdp_parse_platform(): platform = VMware
Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[919] [daemon]: parse_cdp_packet(): ready to add cdpCache record
Nov 15 14:06:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[927] [daemon]: parse_cdp_packet(): done adding cdpCache record
Nov 15 14:06:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[87] [daemon]: WriteEther(): wrote len: 201
Nov 15 14:06:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[112] [daemon]: cdpd write succeed... Writing with retransmissiontime 60... : [2959]: cdp:infra: main.c[128] [daemon]:
Nov 15 14:06:30 acs01 adclient[5099]: WARN <fd:53 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:33 acs01 adclient[5099]: WARN <fd:54 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:43 acs01 adclient[5099]: WARN <fd:43 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:43 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:55 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:56 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:41 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:35 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:57 acs01 adclient[5099]: WARN <fd:35 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:57 acs01 adclient[5099]: WARN <fd:41 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:58 acs01 adclient[5099]: WARN <fd:51 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:58 acs01 adclient[5099]: WARN <fd:31 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:58 acs01 adclient[5099]: WARN <fd:22 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:07:02 acs01 adclient[5099]: WARN <fd:33 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:07:03 acs01 adclient[5099]: WARN <fd:31 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:07:03 acs01 adclient[5099]: WARN <fd:33 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[762] [daemon]: cdp version: 2
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[763] [daemon]: cdp time-to-live: 180
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[798] [daemon]: aifEntry->cdpInterfaceIfIndex=<2>
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[813] [daemon]: parse_cdp_packet(): cdp info code 256
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[814] [daemon]: parse_cdp_packet(): cdp info length 7424
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[815] [daemon]: parse_cdp_packet(): cdp info bytes left 163
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[828] [daemon]: parse_cdp_packet(): get CDP_DEVICE_ID_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[54] [daemon]: device name= svtcucm.westfieldgrp.corp
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[832] [daemon]: parse_cdp_packet(): get CDP_ADDRESS_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[156] [daemon]: cdp_parse_address(): num_addrs = 1
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[161] [daemon]: cdp_parse_address(): parsing 0 address
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[83] [daemon]: cdp_parse_ip_info(): PT = 1
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[84] [daemon]: cdp_parse_ip_info(): PT length = 1
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[94] [daemon]: cdp_parse_ip_info(): address length = 4
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[99] [daemon]: cdp_parse_ip_info(): got IP address
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[109] [daemon]: cdp_parse_ip_info(): got IP address: 10.10.10.119
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[165] [daemon]: cdp_parse_address(): finished parsing 0 address
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[837] [daemon]: parse_cdp_packet(): get CDP_PORT_ID_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[194] [daemon]: cdp_parse_port_id(): port_name = eth0
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[841] [daemon]: parse_cdp_packet(): get CDP_CAPABILITIES_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[215] [daemon]: cdp_parse_capabilities(): capability = 0x10
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[861] [daemon]: parse_cdp_packet(): get DUPLEX_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[341] [daemon]: cdp_parse_duplex(): is full duplex
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[845] [daemon]: parse_cdp_packet(): get CDP_VERSION_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[239] [daemon]: cdp_parse_version(): version = Linux 2.6.18-194.26.1.el5PAE #1 SMP Fri Oct 29 14:28:58 EDT 2010 CCM:8.6.1.20000-1
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[849] [daemon]: parse_cdp_packet(): get CDP_PLATFORM_TYPE
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[263] [daemon]: cdp_parse_platform(): platform = VMware
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[919] [daemon]: parse_cdp_packet(): ready to add cdpCache record
Nov 15 14:07:04 acs01 debugd[2572]: [2959]: cdp:infra: cdp-parse.c[927] [daemon]: parse_cdp_packet(): done adding cdpCache record
Nov 15 14:07:06 acs01 adclient[5099]: WARN <fd:40 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:07:18 acs01 adclient[5099]: WARN <fd:31 rt_daemon(16882)> Failure while reading message: Incorrect data type
Nov 15 14:07:18 acs01 adclient[5099]: WARN <fd:54 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:07:18 acs01 adclient[5099]: WARN <fd:29 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:07:18 acs01 adclient[5099]: WARN <fd:47 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:07:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[87] [daemon]: WriteEther(): wrote len: 201
Nov 15 14:07:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[112] [daemon]: cdpd write succeed...
We are using both EAP-TLS (Primarily for the wireless controllers) <-- This is where we saw the ACS timing out more often.. I increased the wireless controller timeout from 2 sec to 5 sec yesterday.. see if that helps.. Not sure if users are actually getting dropped off or not.. What I'm seeing is the controller deactivating and reactivating the ACS radius servers because it wasn't getting a response.
We've often been seeing radius calls taking up to 3-4 seconds.. which we're being told is expected after opening a case.
We are using PEAP for our wired (Primarily switch based radius calls) <-- these rarely get knocked off, but it happens enough to warrant a look, where the switch will identify a radius (acs) as dead in the middle of the day. The dot1x params on these switches are set to 5 seconds, so I'm assuming this is happening when the ACS is getting busy.. But this really shouldn't be happening with the load we are running. That's why I'm trying to investigate if there is another issue somewhere.
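Added example, not part of the original thread: one way to check whether the adclient warnings in a log like the one above cluster in time, so the clusters can be compared with the moments a controller or switch marks the ACS dead. The sample lines are constructed in the layout of the excerpt; the function names, the 60-second gap, the three-event threshold and the default year are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the same syslog layout as the excerpt in the post.
SAMPLE_LOG = """\
Nov 15 14:06:25 acs01 debugd[2572]: [2959]: cdp:infra: ether-write.c[87] [daemon]: WriteEther(): wrote len: 201
Nov 15 14:06:30 acs01 adclient[5099]: WARN <fd:53 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:06:43 acs01 adclient[5099]: WARN <fd:43 CAPIGetObjectByName> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:54 acs01 adclient[5099]: WARN <fd:35 CAPILdapPagedSearch> daemon.ipcserver Unable to send reply message to client -- disconnecting client.
Nov 15 14:06:57 acs01 adclient[5099]: WARN <fd:35 rt_daemon(16882)> Failed to send message: Timeout during operation
Nov 15 14:07:18 acs01 adclient[5099]: WARN <fd:31 rt_daemon(16882)> Failure while reading message: Incorrect data type
Nov 15 14:21:02 acs01 adclient[5099]: WARN <fd:40 rt_daemon(16882)> Failed to send message: Timeout during operation
"""

# Only adclient WARN lines match; debugd/CDP lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"adclient\[\d+\]: WARN <fd:(?P<fd>\d+) (?P<ctx>[^>]+)> (?P<msg>.*)$"
)

# Message fragment -> short label (labels are this example's own naming).
KINDS = (
    ("Timeout during operation", "send_timeout"),
    ("Unable to send reply message", "client_disconnected"),
    ("Failure while reading message", "read_failure"),
)


def parse_adclient_warnings(text, year=2000):
    """Return one dict per adclient WARN line. Syslog omits the year, so the
    caller supplies it (assumption: all lines fall within one year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = next((k for needle, k in KINDS if needle in m["msg"]), "other")
        ctx = m["ctx"]
        # The context is either the rt_daemon peer or the API call being served.
        op = None if ctx.startswith("rt_daemon") else ctx
        events.append({"when": when, "fd": int(m["fd"]), "kind": kind, "op": op})
    return events


def summarise(group):
    return {
        "start": group[0]["when"],
        "end": group[-1]["when"],
        "count": len(group),
        "kinds": Counter(e["kind"] for e in group),
        "ops": Counter(e["op"] for e in group if e["op"]),
    }


def find_bursts(events, max_gap=60, min_events=3):
    """Group warnings separated by at most max_gap seconds and keep groups
    with at least min_events entries."""
    groups, current = [], []
    for ev in sorted(events, key=lambda e: e["when"]):
        if current and ev["when"] - current[-1]["when"] > timedelta(seconds=max_gap):
            groups.append(current)
            current = []
        current.append(ev)
    if current:
        groups.append(current)
    return [summarise(g) for g in groups if len(g) >= min_events]


def burst_near(bursts, when, slack=30):
    """Return the burst that covers `when` (for example the time a switch
    logged the RADIUS server as dead), allowing `slack` seconds either side."""
    pad = timedelta(seconds=slack)
    for b in bursts:
        if b["start"] - pad <= when <= b["end"] + pad:
            return b
    return None


if __name__ == "__main__":
    for b in find_bursts(parse_adclient_warnings(SAMPLE_LOG)):
        print(b["start"], b["end"], b["count"], dict(b["kinds"]), dict(b["ops"]))
```

A dead-server timestamp that falls inside a burst points at the AD client path; one that falls outside every burst suggests looking elsewhere.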
Similar Messages
-
How to stop ACS integrated AD users to login in AAA clients (network device)
I have ACS 4.2 Appliance which is integrated with Active directory.
AD users are able to login in network devices. Is there any way so that I can stop AD users and other local users from logging in to AAA clients (network devices)?
These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
What kind of AAA clients are we talking about? Cisco switches, Cisco WLC's? Switching gear from other companies?
For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
aaa group server radius rad_admin
server xxx.xxx.xxx.xxx
aaa group server tacacs+ tac_admin
server xxx.xxx.xxx.xxx
If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth). -
Network drives randomly disconnecting, unable to reconnect
I have been having an issue with network drives randomly disconnecting. When I try and reconnect using the Connect to Server dialog, the share is greyed out. My current workaround has been to open up terminal and run umount /Volume/Share_Name, and I am able to connect again afterwards. This is happening multiple times a day, and across multiple servers. I have poked around the forums and seen some people with similar issues, but the solution of connecting with cifs:// instead of smb:// has not made any difference.
which ultimately means apple didn't do enough testing before releasing the last patch
This is not always, and may not be, the case. What many don't realise is that many 3rd party developers stray from the 802.11 series specifications in an attempt to boost speed and get one up on their competitors. For instance D-Link, amongst others, use a short preamble setting by default in some of their routers to improve performance. However, this is non-standard and when it comes across wireless network adapters that don't support this then you have problems. They assume that their network adapters are being used for "maximum speed and compatibility". Whether Apple should or should not support a short preamble is another subject altogether.
However, I do agree with you in that Apple should put more work into their Airport software. -
AAA authentication for networking devices using ACS 4.1 SE
Hi!!!
I want to perform AAA authentication for networking devices using ACS 4.1 SE.
I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable password.
For all users I need to have different privilege levels based upon which access will be granted.
could u plz send me the config that is required to be done in the active devices as well as ACS!!!!
Pradeep,
Are you planning MAC authentication for some users while using EAP for others?
For MAC authentication, just use the following in your AP.
aaa authentication login mac_methods group radius
In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
In your SSID configuration, under client authentication settings,
check "open authentication" and also select "MAC Authentication" from the drop-down list.
If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
You will not need to change anything in XP.
NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
HTH -
Hello all.
I'm getting an error when I run the migration.bat script to migrate data from ACS 4.1 to 5.2 and analyse the Network Devices in the 4.1 database.
hqssec01
AnalyzeAndExport
Network Device
hqsvg22417k
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
hqsvg22418k
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
milswi1a1
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01
AnalyzeAndExport
Network Device
DS2000_Storm_Standby
error
invalid_sharedsecret
Cannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
We use a common shared secret key for 253 devices to use for TACACS authentication. Unfortunately ACS 4.1 allows you to use the " character in this key but 5.2 doesn't. Is there a way of changing the key in the 4.1 database for all 253 devices without having to manually change all devices individually?
I can change the AAA client's key with various tools no problem, but the issue is the key stored on the ACS database.
Any help would be great!
Just to update.
RDBMS synchronization using csv files is only available on 4.2 so I updated from 4.1 to 4.2.
Using the accountActions.csv file, I made a copy accountActions2.csv and used the action id 225 to dump the NAS database to a file DumpNAS.txt.
I then imported the relevant fields from DumpNAS.txt into a new file accountActions3.csv and used action ID 224 to update the NAS database.
The issue I had was that for the Value 3 field "Vendor ID" I could not locate the correct string to use.
In the end I used the 'File Operations' function in ACS 5.2 and used the network device template to load the devices into ACS 5.2 with the new shared secret. The only thing missing was Network Device Groups, which had to be created manually and then manually move each device into the relevant NDG.
This may prove useful for anyone having a similar problem. -
ACS web interface hangs on Network Device Group
We are facing a problem where the ACS web interface stops responding whenever a Network Device Group is edited/added/deleted. This happens regardless of whether the web interface is opened remotely or on the ACS server.
The session needs to be killed and then have to wait several minutes before attempting to edit NDG (although new session to ACS can be opened up almost immediately).
I have checked there are no proxy settings in the browser, no firewall in between, etc.
ACS is installed on Windows 2003 Server Enterprise Edition with SP1.
ACS installation on another server of same hardware specs and java version works fine. The difference is that the OS on the working ACS is Win 2K3 Ent Ed. without SP1. However, according to Cisco, WIN 2K3 Ent Ed with SP1 is a supported platform.
My ACS version is 4.0(1) build 27.
Any ideas?
I assume you have a java runtime installed?
Alas in the "old days" you could troubleshoot this type of thing by looking in the windows registry. This is all internal to the ACS SQLAnywhere DB now :(
Darran -
Can't auth to Nortel network devices using RADIUS with ACS 5.1
Hi,
I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
I can't manage to login using RADIUS and I get the following message.
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see : "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS Auth using other brand devices
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS Authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSA are used for Authorization, and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards? no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job -
# lspci
01:00.0 Ethernet controller: Atheros Communications Inc. AR8161 Gigabit Ethernet (rev 08)
02:00.0 Network controller: Broadcom Corporation BCM4313 802.11b/g/n Wireless LAN Controller (rev 01)
Before the kernel update via pacman -Syu both were working. Admittedly it took quite some time to get there as the install medium did not provide any working drivers for the ethernet and the wifi was very unstable, disconnecting every few seconds. Anyway, I got through the installation, I managed to wget the compat-wireless-3.5.4-1-snpc and install them and from there on I could go ahead and install the broadcom-wl drivers from the AUR and thus get both the ethernet as well as wlan working (even though the wlan showed up as eth1 instead of wlan0).
Now, after the kernel update ifconfig -a shows neither of my networking devices. lspci still lists the hardware. Further:
#ip link set eth0 up
Cannot find device "eth0"
Same goes for wlan0 and eth1.
There is probably an easier solution to this than downgrading the kernel, but since I'm still not very comfortable with systemd and the way services are handled, I have no idea how to proceed or what I could look for. Any help is very much appreciated, thanks.
edit: marked topic as solved
Last edited by venehan_snakes (2012-10-15 15:52:19)
I will try to rebuild them, thanks for the hint. I also just noticed this:
>Please be aware that the releases below contain code from the given version of the Linux kernel. Therefore to add functionality, you should select a version that is later than your kernel version.
From: http://linuxwireless.org/en/users/Download/stable/
So, I guess I should not use the same compat-wireless-3.5.4-1-snpc again but a newer version, or is that of little importance? I rather ask now before I do more damage.
Last edited by venehan_snakes (2012-10-15 14:55:37) -
13017 Received TACACS+ packet from unknown Network Device or AAA Client
I am adding new routers to our Corporate network for a new MPLS network. I am getting 13017 Received TACACS+ packet from unknown Network Device or AAA Client errors for these new routers. They are added to ACS 5.4.0.30 correctly just like all of our other devices. We have never had real routers on the network before, just switches and access points. Is there something special I need to set in ACS for these to work and authenticate correctly? I can only access them currently with built in login locally.
One of the new router configs
Current configuration : 2370 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname T666
boot-start-marker
boot-end-marker
enable secret 5 $1$h7b3$.T2idTKb9H98BQ8Op0MAC/
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
voice-card 0
crypto pki trustpoint TP-self-signed-2699490457
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2699490457
revocation-check none
rsakeypair TP-self-signed-2699490457
username netadmin privilege 15 secret 5 $1$SIR2$A3MpShVNeAOlTPyLZESr..
interface FastEthernet0/0
ip address 10.114.2.1 255.255.255.0
ip helper-address 10.30.101.4
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface Serial0/1/0
ip address X.X.X.X 255.255.255.252
no fair-queue
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
service-module t1 fdl ansi
no cdp enable
router bgp 65065
no synchronization
bgp log-neighbor-changes
network 10.114.2.0 mask 255.255.255.0
neighbor X.X.X.X remote-as 209
neighbor X.X.X.X default-originate
default-information originate
no auto-summary
ip forward-protocol nd
ip bgp-community new-format
ip http server
ip http authentication aaa
ip http secure-server
ip tacacs source-interface FastEthernet0/0
no logging trap
tacacs-server host 10.30.101.221 key 7 1429005B5C502225
tacacs-server host 10.30.101.222 key 7 1429005B5C502225
tacacs-server directed-request
control-plane
banner exec ^CC
C
Login OK
^C
banner motd ^CC
C
** UNAUTHORIZED ACCESS TO THIS SYSTEM IS PROHIBITED. USE OF
** THIS SYSTEM CONSTITUES CONSENT TO MONITORING AT ALL TIMES.
** RUAN Transport Corporation
** Network Services
** [email protected]
** 515.245.2512
^C
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
transport input all
line vty 5 15
exec-timeout 30 0
scheduler allocate 20000 1000
end
T666#
AAA Protocol > TACACS+ Authentication Details
Date :
September 19, 2014
Generated on September 19, 2014 10:21:27 AM CDT
Authentication Details
Status:
Failed
Failure Reason:
13017 Received TACACS+ packet from unknown Network Device or AAA Client
Logged At:
Sep 19, 2014 10:21 AM
ACS Time:
Sep 19, 2014 10:21 AM
ACS Instance:
acs01
Authentication Method:
Authentication Type:
Privilege Level:
User
Username:
Remote Address:
Network Device
Network Device:
Network Device IP Address:
10.114.2.1
Network Device Groups:
Access Policy
Access Service:
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule :
Identity Policy Matched Rule:
Selected Identity Stores:
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
Other
ACS Session ID:
Service:
AV Pairs:
Response Time:
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=359
Device Port=59840
Protocol=Tacacs
Authentication Result
Steps
Received TACACS+ packet from unknown Network Device or AAA Client
-
TACACS+ packet from unknown Network Device or AAA Client
Hi all,
I can't perform login using the credential set at ACS server, From the log it shown:
"Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client"
I know there are some changes to the TACACS+ part for the new Catalyst IOS, so I referred to the guide, and this is my config snippet:
aaa group server tacacs+ TAC_PLUS
server name AUTH
tacacs server AUTH
address ipv4 10.10.21.251
key xxxxxx
aaa authentication login TAC_PLUS group tacacs+ local line
aaa authorization exec TAC_PLUS group tacacs+ none
aaa authorization commands 15 default if-authenticated
aaa accounting update periodic 1
aaa accounting exec TAC_PLUS start-stop group tacacs+
aaa accounting network TAC_PLUS start-stop group tacacs+
aaa accounting connection TAC_PLUS start-stop group tacacs+
My platform is
- C6500 running on IOS 12.2 (33) SXJ1
- ACS 5.2.0.26
Need guidance on this, thanks
Noel
Hello,
Is the appropriate IOS IP address defined on the Network Devices and AAA Clients for the ACS? If yes, which IP address is reported on the ACS Failure that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is the ACS reporting the IP address as unknown when it is already defined appropriately?
Regards. -
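The check the reply asks for, as an added example that is not part of the thread or of any Cisco tooling: ACS identifies an AAA client by the source address of the TACACS+ packet, so the script reads a report in the label/value layout quoted on this page and tests the reported device IP against the defined clients. The report excerpt is constructed from values shown on this page, and the client names and subnets in `DEFINED_CLIENTS` are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt in the label / value-on-next-line layout of the ACS
# "TACACS+ Authentication Details" report quoted on this page.
SAMPLE_REPORT = """\
Status:
Failed
Failure Reason:
13017 Received TACACS+ packet from unknown Network Device or AAA Client
ACS Instance:
acs01
Username:
Network Device:
Network Device IP Address:
10.114.2.1
"""

# Hypothetical AAA client definitions (name -> IP or subnet), standing in for
# the entries under Network Devices and AAA Clients on the ACS.
DEFINED_CLIENTS = {
    "core-switches": "10.10.21.0/24",
    "branch-rtr-loopbacks": "10.114.0.0/24",
}


def parse_report(text):
    """Return {label: value}; a label with no value line maps to ''."""
    fields, label = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith(":"):
            label = line[:-1].strip()
            fields[label] = ""
        elif label is not None:
            fields[label] = line
            label = None
    return fields


def diagnose(text, clients):
    """Explain a 13017 failure by testing the packet's source IP against clients."""
    fields = parse_report(text)
    match = re.match(r"(\d+)\s", fields.get("Failure Reason", ""))
    code = int(match.group(1)) if match else None
    src = ipaddress.ip_address(fields["Network Device IP Address"])
    owners = [name for name, net in clients.items()
              if src in ipaddress.ip_network(net, strict=False)]
    return {"code": code, "source_ip": str(src), "matched": owners,
            "unknown_client": code == 13017 and not owners}


if __name__ == "__main__":
    print(diagnose(SAMPLE_REPORT, DEFINED_CLIENTS))
```

An empty `matched` list together with code 13017 means the address the device sources its TACACS+ traffic from is not the one defined on the ACS, so either the client definition or the device's source interface needs to change.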
I have a couple of HP 8200 desktops that I think might have bad nics. When I PXE boot them and start my LiteTouch, I get a Wizard error that says
A connection to the deployment share (\\mydpshare\share) could not be made. The following networking device did not have a driver installed
PCI\VEN_8086&DEV_1502&SUBSYS_1496103C&REV_04
I have that driver in MDT and it works on other HP 8200s. Looking into the Wpeinit.log, it looks like the driver loads but maybe the nic is bad:
Installing device root\kdnic X:\WINDOWS\INF\kdnic.inf succeeded
Installing device pci\ven_8086&dev_1502 X:\WINDOWS\INF\net1ic64.inf succeeded
Spent 16903ms installing network drivers
QueryAdapterStatus: no adapters found
Spent 0ms confirming network initialization; status 0x80004005
WaitForNetworkToInitialize failed; ignoring error
Has anyone seen this before?
Orange County District Attorney
Hi,
According to your description, it should be an Intel NIC driver problem. I have checked the HP official website, and a new NIC driver has been released; please use the link below to download the NIC driver for testing:
http://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/psi/swdDetails/?sp4ts.oid=5037932&spf_p.tpst=swdMain&spf_p.prp_swdMain=wsrp-navigationalState%3Didx%253D2%257CswItem%253Dvc_111651_1%257CswEnvOID%253D4060%257CitemLocale%253D%257CswLang%253D%257Cmode%253D4%257Caction%253DdriverDocument&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
Roger Lu
TechNet Community Support -
HP Network Devices Support service will not start
Product: HP Photosmart Premium All-in-one (C309g)
OS: Vista Business 32 bit
Errors:
When running the "Add Device" portion of set up to add the printer to my PC so it can be accessed wirelessly this pops up in the back ground: "The specified service does not exist as an installed service."
The result of the above process is the following message in the HP installer screen: "The HP software that enables networking is not responding. Cancel the installation and restart the PC."
As you may guess, I've had this printer for a while, a couple/few years at least, and I've been running it wirelessly for quite some time.
The printer is active on my wireless network, printing Wireless Network Test Report from the printer proves this. I can also access the printer's webpage by entering its IP in a web browser.
We first perceived the issue when HP Solution Center reported that the printer was no longer connected. And it suggested doing something with the install, which sent me down the road of uninstalls and installs.
I've run the HP Print and Scan Doctor, which tells me the printer is installed for use via USB, but the networked instance is not installed.
I still have the original install CD for this printer. Running setup off the root of the CD, I get the "Later Version already installed" or something to that extent. I've also downloaded the most recent Basic and Full Feature installs from the HP site.
I've used Revo Uninstaller to do my uninstalls and I've run CCleaner after all the apps are gone from the program list.
I've read somewhere that this is related to the "HP Network Devices Support" service.
In Computer Management I can see that it's not running, and it is set to start "Automatically (Delayed Start)"
When I try to start this service I get this: "Windows could not start the HP Network Devices Support service on local computer Error 2: They system could not find the file specified"
Some things that have been done on this machine recently; I'm not sure when the printer problem started...
Installed Quicken 2013
Installed iTunes
Changed my home network from Public to private on this machine so I could set up some media servers.
I've checked through all the quarantined files of my antivirus and there didn't seem to be any HP files in there.
I'm hoping my issue is in fact this service, and somehow replacing the missing file it's referencing will fix it all.
My next step is to uninstall everything again, and make sure that service drops out of the list too, then reinstall from HP download.
This question was solved.
I would suggest using the software scrubber built into the install to clean everything out. The steps below will walk you through it. Before doing step 10 from a CD or step 15 from a download, check both Program Files folders to make sure that the HP folders get deleted.
From original printer installation CD:
1. Insert CD into drive, and then cancel the installer
2. Open My Computer, and then right click on the CD drive and chose open
3. Open folder Util
4. Open folder CCC
5. Run the uninstall_L4.bat for non-HP computers. For HP computers run the Uninstall_L3.bat
6. When the uninstall has completed restart the computer
7. Run Disk cleanup from Accessories\ System Tools
8. Download and install the latest version of Adobe flash player
http://www.adobe.com/support/flashplayer/downloads.html
9. Use this tool to clean the registry. Note: This utility is not HP sponsored or approved. HP and I are not responsible for damages or loss of data caused by the utility. This step is optional. You can skip it if you want.
http://download.cnet.com/Advanced-SystemCare/3000-2086_4-10407614.html?part=dl-6271865&subj=dl&tag=b...
10. Download the full feature software and drivers
http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=mp-73652-3&cc=us&dlc=en&lc=en&...
11. Run the download to reinstall the printer
From a download:
1. Run disk cleanup on your computer
2. Download and run the software and drivers below.
http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=mp-73652-3&cc=us&dlc=en&lc=en&...
3. Once the download is done extracting, cancel the download.
4. Click the start menu.
5. Click Run.
6. Type %temp% in the run field
7. Look for, and open the folder starting with 7z (Example: 7zS2356)
8. Open folder Util
9. Open folder CCC
10. Run the uninstall_L4.bat for non-HP computers. For HP computers run the Uninstall_L3.bat
11. When the uninstall has completed restart the computer
12. Run Disk cleanup from Accessories\ System Tools
13. Download and install the latest version of Adobe flash player
http://www.adobe.com/support/flashplayer/downloads.html
14. Use this tool to clean the system and registry. Note: This utility is not HP sponsored or approved. HP and I are not responsible for damages or loss of data caused by the utility. This step is optional. You can skip it if you want.
http://download.cnet.com/Advanced-SystemCare/3000-2086_4-10407614.html?part=dl-6271865&subj=dl&tag=b...
15. Download the full feature software and drivers
http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=mp-73652-3&cc=us&dlc=en&lc=en&...
16. Run the download to reinstall the printer
ISE 1.2 network device editing
I have upgraded to ISE 1.2 and the latest patch and noticed a bug where editing network devices, you are unable to save changes as the "Save" button is greyed out. It also appears to have SNMP unchecked for all devices even though there is configuration for them.
Hi
Make sure that you have defined Security Group Access (SGA)-enabled devices in Cisco ISE to process requests from SGA-enabled devices that can be part of the Cisco SGA solution. Any device that supports the Security Group Access solution is an SGA-enabled device.
SGA devices do not use the IP address. Instead, you must define other settings so that SGA devices can communicate with Cisco ISE.
If you are importing network devices from a previous release: you cannot import network devices into Cisco ISE, Release 1.2, that were exported from previous Cisco ISE Releases 1.1 and 1.1.x, as the import templates for these releases are different.
You can import a list of device definitions into a Cisco ISE node using a comma-separated value (CSV) file. You must first update the imported template before you can import network devices into Cisco ISE. You cannot run an import of the same resource type at the same time. For example, you cannot concurrently import network devices from two different import files. -
How to import network devices on ISE 1.2
Hi, experts,
I'm trying to import network devices on ISE 1.2.0.899
So I downloaded the template, opened it with Notepad, and wrote in all the necessary information.
Then I tried to upload it to ISE, and it just said import failed. No reason..
Does anyone know how to do it?
Hi jiyoung
This import failed error might occur due to the following reasons, so please make sure that:
You are not running two import jobs of the same resource type at the same time. For example, you cannot concurrently run two import jobs to import network devices from two different import files.
Moreover, please make sure that while configuring the network devices you are performing the job from a super admin or network device admin group.
Best Regards:
Muhammad Munir
Connect Apple TV to networked devices
I have a science lab with (2) Visio LCD TVs, an NEC projector, a SMART board, and a Dell computer w/ Windows 7. All of these devices are connected by HDMI cables and/or VGA cables.
Can an Apple TV be connected to these networked devices so that the Apple TV will play on all devices selected?
The ATV is connected to a source via HDMI (i.e. LCD HDTV) and can utilize airplay/home-sharing to connect to your computer and other IOS devices.