ACS Express selection rules

Hi,
Does anyone have experience with selection rules?
My problem is:
I have two policies for the same device group:
One uses the Active Directory database with the PEAP method, and the second uses the local database with EAP-FAST (Wi-Fi phones).
How can I discriminate between the two authentications? If I connect with PEAP and the first policy is the PEAP one, it works fine, but the Wi-Fi phone does not work.
If I put the EAP-FAST policy first, the Wi-Fi phone works fine but the PEAP devices don't work.
I think the problem is identifying the correct attribute, but I am not able to do it.
Thanks a lot

You may want to use the Network Access Profile (NAP) feature on ACS, which was introduced in version 4.0.
Regards,
Prem
Please rate if it helps!
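As an added example (not from this thread and not Cisco ACS code), here is the dispatch the original poster is asking for, written out at the protocol level in Python. The Access-Request the NAS sends carries the supplicant's EAP message in one or more EAP-Message (type 79) RADIUS attributes; once a method has been negotiated, the EAP type byte (25 for PEAP, 43 for EAP-FAST) identifies it, and that is the attribute that tells the two policies apart. The policy names, identity stores and all packets below are assumptions constructed for illustration. One caveat the code makes visible: the first Access-Request of a session only carries an EAP-Response/Identity, so the method is not known until the supplicant answers the server's proposal (or NAKs it with the type it wants). Whether and how ACS exposes the negotiated EAP type in a NAP or access-service selection rule is not established by this thread, so check the documentation for your ACS version.

```python
"""Added example (not from the thread or from Cisco ACS): select a RADIUS policy
by the EAP method the supplicant is using.  Policy names, identity stores and
all packets are assumptions constructed for illustration."""
import struct

# RADIUS attribute types (RFC 2865 / RFC 3579)
RADIUS_USER_NAME = 1
RADIUS_EAP_MESSAGE = 79

# EAP codes and method types (RFC 3748 and the IANA EAP registry)
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_NAK = 3
EAP_TYPE_PEAP = 25
EAP_TYPE_FAST = 43

# Assumed policy table: EAP method -> (policy name, identity store)
POLICY_BY_EAP_TYPE = {
    EAP_TYPE_PEAP: ("Corp-PEAP", "Active Directory"),
    EAP_TYPE_FAST: ("WiFi-Phones-EAP-FAST", "Internal users"),
}


def parse_radius_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet; raises on bad framing."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, off = [], 20  # 20 = code, id, length, 16-byte authenticator
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs.append((atype, packet[off + 2:off + alen]))
        off += alen
    return attrs


def reassemble_eap(attrs):
    """EAP-Message is fragmented into <=253-byte attributes; join them in order."""
    return b"".join(value for atype, value in attrs if atype == RADIUS_EAP_MESSAGE)


def eap_method(eap):
    """EAP method type of a Response, or None when the method is not yet known.

    Identity responses carry no method.  A NAK (type 3) carries the type the
    peer wants instead of the one the server proposed, so that is the method."""
    if len(eap) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if code != EAP_RESPONSE or length != len(eap):
        return None
    etype = eap[4]
    if etype == EAP_TYPE_IDENTITY:
        return None
    if etype == EAP_TYPE_NAK:
        return eap[5] if len(eap) > 5 else None
    return etype


def select_policy(packet):
    """Policy tuple for this Access-Request, or None if it cannot be chosen yet."""
    method = eap_method(reassemble_eap(parse_radius_attributes(packet)))
    if method is None:
        return None
    return POLICY_BY_EAP_TYPE.get(method)


# --- constructed test traffic (not captured from a real NAS) -----------------

def eap_response(ident, etype, payload=b""):
    body = bytes([etype]) + payload
    return struct.pack("!BBH", EAP_RESPONSE, ident, 4 + len(body)) + body


def build_access_request(eap, username, frag=253):
    """Access-Request (code 1) with User-Name and the EAP split into fragments."""
    attrs = bytes([RADIUS_USER_NAME, 2 + len(username)]) + username
    for i in range(0, len(eap), frag):
        chunk = eap[i:i + frag]
        attrs += bytes([RADIUS_EAP_MESSAGE, 2 + len(chunk)]) + chunk
    return struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    # First request of the session: Identity only, method unknown.
    print(select_policy(build_access_request(
        eap_response(1, EAP_TYPE_IDENTITY, b"phone1"), b"phone1")))
    # Supplicant answers the PEAP proposal: ~300 bytes of TLS, two fragments.
    print(select_policy(build_access_request(
        eap_response(2, EAP_TYPE_PEAP, b"\x00" * 300), b"user1")))
    # Phone NAKs PEAP and asks for EAP-FAST.
    print(select_policy(build_access_request(
        eap_response(2, EAP_TYPE_NAK, bytes([EAP_TYPE_FAST])), b"phone1")))
```

The practical consequence for the original question: a rule keyed only on attributes present in the very first Access-Request (User-Name, NAS-IP-Address, Called-Station-Id) cannot see the EAP method, so either the selection must be made once the method is negotiated, or the two populations must be separated by something already present in that first packet, such as a different SSID in Called-Station-Id or a different device group for the phones' access points.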

Similar Messages

  • Problem setting up selection rule in ACS Express 5.0

    Hello,
    When creating a RADIUS access service and then clicking on selection rules and trying to add a device group,
    I get this error:
    An error has ocurred.  please see below:
    1. entry has been modified or deleted by another session.  click on cancel or navigation item
    on the left to refresh content.
    Could there be something I missed before trying to create the access service? I had already set up the external database and added the device to the device group, but every time I try to add the access service I get this error message.
    Thanks in advance,
    Regards,
    Alex

    At any point did you try to restart the services, or did you access this option and then try from another machine? It could be that something has this page locked, and the best thing to do is to restart the services and try again. You can restart the services by accessing the console and running these commands.
    application stop acsexpress
    application start acsexpress
    thanks,
    Tarik

  • ACS Express radius authentication AD authorization

    I work at a university and for some reason we have multiple systems for authentication and authorization. That being said, I am trying to use RADIUS for authentication and AD for authorization for VPNs. I have the RADIUS authentication working against our RADIUS server. I have my ACS Express set up to join the AD domain and everything looks good there. I set up the AD server as a RADIUS object in AAA server groups on my ASA. Then I added the server below in the "servers in selected groups" window. I put all the info in there, and when I hit Test I click Authorization and put in the username that I know is in the domain group I have associated with this on the ACS. The test fails with "authorization failed, invalid password". When I look at the logs on the ACS I see
    01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
    01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
    01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
    Username and domain are correct; I just edited them for posting. It seems like it is trying to authenticate rather than authorize. All I want it to do is say yes, the user is in this group, or no, the user is not in this group. You can't even fill in the password when testing authorization. Maybe I have something set up wrong on the ACS side, but when I look at AD under Users and Identity Stores, it says it is joined to the domain. When I do AD domain diagnostics under Troubleshooting, everything looks good. I have the ASA I am testing from defined as a device and in the ASA device group. Under Access Services in RADIUS Access Services I have one service that I set up that connects to the AD, and it found the group, so I know it is connecting. Any idea what I am doing wrong or where to look?
    Any help would be GREATLY appreciated!
    Thanks
    Joe

    Hi Joe,
    We could take a deeper look at what is happening through some logs and debugs:
    1. On ACS Express, under
    Reports & Troubleshooting > Troubleshooting > Server Logs
    please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
    Also, for the Log Level under OS Logging, please set its value to "Debug".
    If the previous old logs are not essential to you, you may also want to delete all the log files first, so that we capture logs for the last day only.
    2. On the ASA, please enable the following debugs
    debug aaa authentication
    debug aaa authorization
    debug radius
    3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
    4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
    acsxp_adagent.log
    acsxp_agent_server.log
    acsxp_mcd.log
    acsxp_server.log
    acsxp_server_trace.log
    Regards,
    Fede
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS Express integration with Active Directory

    Hello,
    I have ACS Express version 5.0.1 installed on a Cisco ADE; I'm trying to get it integrated with an Active Directory without success.
    I did packet captures on the ASA that is in between and I can see communication going through just fine. I ran a diagnostic on the ACS Express and got this:
    DIAGNOSTIC USING THE IP ADDRESS OF THE DOMAIN CONTROLLER:
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    Not found in DNS! Make sure it is in Reverse Lookup Zone.
    FQDN host name:he-zfm-acs-01.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: 172.24.2.93
    Subnet site:
    WARNING! Unable to locate computer's subnet site in Active Directory.
    Ask your Active Directory administrator to add this computer's subnet
    to the appropriate site.
    DNS query for: _ldap._tcp.172.24.2.93
    Found no SRV records!
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain
    DIAGNOSTIC USING THE AD REALM:
    Output of AD Domain Diagnostics:
    IP Diagnostics
    Local host name: he-zfm-acs-01
    Local IP Address: 172.31.67.10
    FQDN host name:he-zfm-acs-02.clarocr.americamovil.ca1
    Domain Diagnostics:
    Domain: CLAROCR.AMERICAMOVIL.CA1
    Subnet site: TELECOM
    DNS query for: _ldap._tcp.CLAROCR.AMERICAMOVIL.CA1
    Found SRV records:
    rom-pro-dc-03.clarocr.americamovil.ca1:389
    Testing Active Directory connectivity:
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1
    ldap: 389/tcp - good
    ldap: 389/udp - good
    smb: 445/tcp - good
    kdc: 88/tcp - good
    kpasswd: 464/tcp - good
    ntp: 123/udp - good
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:389
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    DNS query for: _gc._tcp.AMERICAMOVIL.CA1
    Testing Active Directory connectivity:
    Global Catalog: rom-des-dc-01.desa1sv.americamovil.ca1
    gc: 3268/tcp - timeout
    No TCP LDAP response, giving up on rom-des-dc-01.desa1sv.americamovil.ca1
    Global Catalog: rom-amv-dc-02.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-01.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-pro-dc-03.clarocr.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-tlc-dc-02.telecom.americamovil.ca1
    gc: 3268/tcp - good
    Global Catalog: rom-amv-dc-01.americamovil.ca1
    gc: 3268/tcp - good
    Domain Controller: rom-amv-dc-02.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-01.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-pro-dc-03.clarocr.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: CLAROCR.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-tlc-dc-02.telecom.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: TELECOM.AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Domain Controller: rom-amv-dc-01.americamovil.ca1:3268
    Domain controller type: Windows 2003
    Domain Name: AMERICAMOVIL.CA1
    isGlobalCatalogReady: TRUE
    domainFunctionality:
    forestFunctionality: 0 = (DS_BEHAVIOR_WIN2000)
    domainControllerFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
    Forest Name: AMERICAMOVIL.CA1
    Computer Account Diagnostics
    Not joined to any domain
    AD Agent Process Status: Not joined to any domain

    Dennis,
    Time in sync on the ACS and AD servers?
    Faisal

  • Use of Selection Rule in Report Writer.

    Hello Everybody,
    I am trying to make use of selection rules in Report Writer. We have a mixed chart of accounts using both IFRS and US GAAP accounts. The distinction between US GAAP and IFRS is based on a certain value in the G/L account master data. Using a Report Writer rule I wish to exclude IFRS accounts for a specific report.
    For example
    REPORT = X = Rule to restrict selection to only USGAAP account
    REPORT = Y = Rule to restrict selection to only IFRS account.
    I have created a rule and tried to build a user exit around it. However, during the call-up of the selection rule no values are transferred to the user exit, and therefore the ABAP consultant is not able to write any specific code.
    Request your inputs on usage of selection rules in report writer.
    Regards
    Jayesh.

    Hi Jayesh,
    Please have a look at the below attachment.
    [http://help.sap.com/saphelp_470/helpdata/en/5b/d22e3843c611d182b30000e829fbfe/content.htm]
    Warm regards,
    Murukan Arunachalam

  • ACS Express 5.0 - "unique authentication" what does it mean?

    Hi to all,
    the ACS Express 5.0 datasheet states: "Cisco ACS Express supports a maximum of 50 AAA clients and 350 unique user logins in a 24-hour period"
    It's clear what the maximum of 50 AAA clients means; what is not clear is the maximum of 350 unique user authentications.
    If I use 802.1X IBNS with PEAP-MSCHAP to do machine authentication, each machine authentication will count as a unique logon, won't it? What happens if there are laptops assigned to sales which spend a lot of time out of the office?
    Each time these laptops reconnect to the network, will it count as an extra logon and increase the logon counter by one, or, since the laptop was already authenticated in the morning, won't it count as an extra unique logon?
    My question is related to the fact that I have a customer who wants to introduce IBNS 802.1X but has "only" 20-25 AAA clients and a maximum of 200 users (of which about 100 are laptops), and using ACS 5.0 in a redundant way would be too expensive.
    Thanks for a reply
    Omar

    The ACS Express 5.0 Appliance is designed for a maximum of 350 users. This limit does not apply to the number of logins.
    Cisco Secure Access Control Server Express 5.0 QA
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps8543/ps8724/prod_qas0900aecd806d3a4d.html
    Q. How is Cisco Secure ACS Express positioned in comparison to Cisco Secure ACS for Windows (ACS Windows) and Cisco Secure ACS Solution Engine (ACS SE)?
    A. ...Cisco Secure ACS Express is well suited for deployments that need an access control solution for fewer than 350 users and 50 devices. This product is intended to serve small to medium-sized businesses, retail sites and enterprise branch offices where customers need an easy-to-use GUI yet require a comprehensive but simple feature set and a lower price point to address their specific deployment needs.
    For a detailed feature set, please refer to the Cisco Secure ACS Express data sheet at http://www.cisco.com/go/acsexp....

  • How to define Template Selection Rules according to doc language code

    hi All,
    I am using UCM 10g. I need to use DC to convert Word to HTML by defining Template Selection Rules, and it worked perfectly.
    The question is that I have to use different templates for content in different languages. For example, if a content item has a primary file written in English, that item will be checked in with a langCode attribute of "en", and according to this langCode attribute I will use a template that shows "nextpage" or "previouspage" in English; other content will use another template that shows "nextpage" or "previouspage" in another language.
    I do not think the fields used in Template Selection Rules (such as author, type, profile) in UCM 10g can be used in this case. Any suggestion?
    Best regards

    I will ask more simply.
    Is it possible to set in RSCUR the exchange rate type 'Y' and the exchange rate from InfoObject '0EXRATE_ACC', and use it in BEx?
    If yes, how; if not, why?
    Thank you
    Standa

  • Advanced Benefits : How to use Person Selection Rule?

    Hi,
    For processing Open Enrollment we need to run the "Participation Process: Scheduled" concurrent program for a set of 300 employees. How do I create a Person Selection Rule for this?
    thanks.

    Okay, then let's do this.
    FORMULA TEXT:
    /*=========== DATABASE ITEM DEFAULTS BEGIN =====================*/
    /*=========== DATABASE ITEM DEFAULTS ENDS======================*/
    /*============ INPUT VALUES DEFAULT BEGIN ======================*/
    /*============== INPUT VALUES DEFAULT ENDS ======================*/
    /*================= INPUTS SECTION BEGIN ========================*/
    /*================== INPUTS SECTION ENDS ========================*/
    /*================ FORMULA SECTION BEGIN =======================*/
    l_ret = PER_SELECTION_FUN ( hard code all your employee number here like '938114' )
    return l_ret
    Function will be -
    CREATE OR REPLACE FUNCTION test_load_runner (p_employee_number IN NUMBER)
    RETURN VARCHAR2
    IS
    BEGIN
    RETURN 'Y';
    END;
    Let's try this and let me know if this does not resolve your issue.
    Gaurav

  • ACS express v5.0.1 fail to join AD

    hi,
    I am trying to integrate my ADE 1010 appliance running ACS Express v5.0.1.1 with my DC running Windows Server 2008 Enterprise Edition SP2.
    When I fill in the info under domain configuration and test the connection, it succeeds, but once I try to save and join, it fails to join the domain.
    Log extract from acsxp_adagent:
    PMOACS AD-SCRIPTS: INFO AD script executed from IP: 10.169.2.100 script: /cgi/adjoindomain.pl/cgi/adjoindomain.pl args: DM=jpmosp.xxx.yy&UN=administrator&CN=OU%3DACS&PDC=jpmosp.xxx.yy&PW=******
    PMOACS AD-SCRIPTS: INFO AD join container used: OU=ACS
    PMOACS AD-SCRIPTS: INFO AD join Preferred Domain Server used: jpmosp.xxx.yy
    PMOACS AD-SCRIPTS: INFO AD join container used: OU=ACS
    PMOACS AD-SCRIPTS: INFO AD join Preferred Domain Server used: jpmosp.xxx.yy
    PMOACS AD-SCRIPTS: INFO AD join command used: /opt/CSCOacsxp/adagent/bin/adjoin -u "administrator" -p "******" -z NULL --noconf "jpmosp.xxx.yy" -s "jpmosp.xxx.yy"
    PMOACS AD-SCRIPTS: CRITICAL Unknown status returned from adjoin
    PMOACS AD-SCRIPTS: WARN --- BEGIN FILE LOG FOR /opt/CSCOacsxp/temp/adjoindata.8870 ---
    PMOACS AD-SCRIPTS: WARN Cannot resolve computer name "pmoacs" in DNS or /etc/hosts
    PMOACS AD-SCRIPTS: WARN Please edit /etc/hosts or your DNS server to set your hostname correctly
    PMOACS AD-SCRIPTS: WARN or use --name option to override this check.
    What I did on my Windows 2008 server:
    1. Logged in as the administrator, created a container named "acs", and inside it created a computer named "pmoacs".
    2. The appliance clock is in sync with the AD DC server; there is no time skew problem.
    What I did on my Cisco ADE 1010:
    1. Initial setup only.
    Thank you
    N

    Hi,
    This is the relevant error message:
    "WARN Cannot resolve computer name "pmoacs" in DNS or /etc/hosts"
    Please make sure you have the acs hostname configured on the DNS server.
    The ACS must be able to resolve its own hostname, otherwise this will fail.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.
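    As an added example (not part of this thread and not ACS Express code), here is a small Python check for the two DNS prerequisites that the posts on this page trip over: the diagnostics earlier on the page show that giving the domain controller's IP address instead of the realm leaves the agent querying _ldap._tcp.172.24.2.93 and finding no SRV records, and that the host is "Not found in DNS" because it has no reverse entry; this post shows the join aborting because the appliance cannot resolve its own hostname. The resolver functions are injected so the check runs offline against constructed records; the hostnames and addresses below are made up, and the check uses only the standard library (it does not do the SRV lookup itself, which the stdlib cannot do).

```python
"""Added example (not from the thread or from ACS Express): pre-join DNS checks
for an appliance joining Active Directory.  Resolver functions are injected so
the check runs offline against constructed records; the hostnames and
addresses used below are made up."""
import ipaddress
import socket


def is_ip_literal(name):
    """True for '172.24.2.93' or an IPv6 literal, False for a DNS name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def srv_query_name(domain):
    """SRV owner name the AD agent looks up to find a domain controller."""
    return "_ldap._tcp." + domain.rstrip(".").lower()


def check_join_prereqs(hostname, domain, forward, reverse):
    """Return a list of problems (empty = DNS side looks ready to join).

    forward(name) -> list of address strings, [] if the name does not resolve
    reverse(addr) -> PTR target hostname, or None if there is no PTR
    """
    problems = []
    if is_ip_literal(domain):
        # An IP is not a realm: there is no _ldap._tcp.<ip> SRV record to find.
        problems.append("domain %r is an IP address; give the DNS realm so %s "
                        "can be queried" % (domain, srv_query_name(domain)))
        fqdn = hostname
    else:
        fqdn = hostname if "." in hostname else "%s.%s" % (hostname, domain)
    fqdn = fqdn.rstrip(".").lower()
    addrs = forward(fqdn)
    if not addrs:
        # The condition behind 'Cannot resolve computer name ... in DNS or /etc/hosts'.
        problems.append("cannot resolve %s: add an A record or an /etc/hosts entry" % fqdn)
        return problems
    for addr in addrs:
        ptr = reverse(addr)
        if ptr is None:
            problems.append("%s has no PTR record (add it to the reverse lookup zone)" % addr)
        elif ptr.rstrip(".").lower() != fqdn:
            problems.append("PTR for %s is %s, expected %s" % (addr, ptr, fqdn))
    return problems


# Resolvers backed by the system resolver, for running the check on the box itself.
def system_forward(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def system_reverse(addr):
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


if __name__ == "__main__":
    # Constructed zone data mirroring the thread's situation (names are made up).
    a_records = {"pmoacs.jpmosp.example": ["10.169.2.100"]}
    ptr_records = {"10.169.2.100": "pmoacs.jpmosp.example"}
    fwd = lambda n: a_records.get(n, [])
    rev = lambda a: ptr_records.get(a)
    print(check_join_prereqs("pmoacs", "jpmosp.example", fwd, rev))
    print(check_join_prereqs("pmoacs", "172.24.2.93", fwd, rev))
```

    On the appliance itself the same function can be called with system_forward and system_reverse; an empty result means forward and reverse DNS agree for the name the join will use, which is exactly what the adjoin warning above is complaining about.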

  • Selection rule for work schedule

    Hi experts ,
    Does anyone know the meaning of the selection rule?
    Rule   D.ty.wkdy    D.typ.Sat.   D.typ.Sun
    01     1 1111111    1 1111111    1 1111111
    02     Blank        Blank        Blank
    03     1 1111111      1111111    1 1111111
    10     1 1111111    1 1111111    1 1111111
    Why is there a blank in front, and some blanks in between?
    Can anyone explain this to me?
    Thanks in advance.
    Chris.

    Hi friend,
    Check:
    Time Management -> Work Schedules -> Period Work Schedules -> Define Period Work Schedules
    By the way, you should check the factory holiday calendar (Tcode: SCAL) and generate the work schedule for the year.
    IMG: Time Management -> Work Schedules -> Work Schedule Rules and Work Schedules -> Generate Work Schedules in Batch
    Regard,
    Michael.

  • Unknown CA failure on ACS express

    Hi forumers
    I am trying to let users access the network by authenticating with ACS Express, then mapping to the AD server.
    Somehow I get this error in the authentication report: FAILURE REASON: UNKNOWN CA
    I tried using a self-signed certificate, then downloaded the certificate, opened it, copied the CSR and pasted it into my CA server.
    I'm using the Windows advanced certificate request option "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file...".
    Somehow I got this error message (see attachment).
    Question 1: Is this the right way to submit a CSR to a Windows CA server? Am I doing it right?
    Question 2: If I am wrong, is there any guide for the proper way of installing a certificate on ACS Express so it can talk to the AD server?
    thanks
    Noel

    Hi,
    Actually, you do not need to have a signed certificate on the ACS Express to be able to join the AD.
    However, if you still want to do it, can you please send me the CSR? I can take a look and see if everything is OK.
    HTH,
    Tiago
    If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Define Selection Rules

    Hi
    Can anyone explain the selection rules in Time Management and how we can define them?
    Thanks
    Sirisha

    Hi Sirisha,
    If none of these three, which one were you asking about?
    The three listed by me:
    1. Selection rule/variants, which I have already explained.
    2. The day type selection rule is defined to set your pay conditions, i.e. whether the company wants to pay the employee on a particular weekday, keeping the holiday class of that day in mind.
    TM -> Work Schedule -> Day Type -> Define Selection Rules.
    3. Based on the time quota grouping and a quota type selection group, we have to define a selection rule for the particular absence quota.
    This is dependent on applicability conditions, accrual period, base entitlement, accrual entitlement and total entitlement, etc.
    Go to TM -> Time Data Recording -> Managing Time Accounts Using Attendance/Absence Quotas -> Calculating Absence Entitlements -> Rules for Generating Absence Quotas -> Define Generation Rules for Quota Type Selection -> Selection rule.
    I am sorry if my answer confused you more, as all three concepts need detailed understanding before we configure them.
    Regards,
    Dev

  • ACS Express 5.0 vs ACS 5.0

    What's the difference between the two?
    - Cisco Secure ACS Express 5.0
    - Cisco Secure Access Control System 5.0

    ACS Express 5.0
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps8543/ps8724/product_data_sheet0900aecd806d3b78.html
    ACS 5
    http://cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/product_bulletin_c25-504495.html

  • Disable SSH version1 in ACS Express 5.0

    Hi,
    Does anybody know if it is possible to disable SSH v1 in ACS Express installed on an ADE 1010?
    Appreciate anybody's feedback
    Thanks.
    NetMaint

    Hi,
    Our client required SSH v1 to be disabled after an infosec audit.
    Can this be done? I tried digging but can't find any info. If this can't be done, at least provide me a link so I can give feedback to our client.
    Appreciate your reply.
    Regards, NetMaint

  • What Files are required to install R12 VISION with out Express selection???

    Hi,
    I had installed R12 before and did not receive any error; the installation was OK.
    Now I am installing in the same way on a different machine and I am getting an error:
    E:\oracle\....\visdb\....\temp\oradun91.cmd (something like that). I think I have missed some files.
    This error comes at step 1 of 5,
    when 91 files have been unzipped successfully.
    I want to know which file is missing. The log file does not show the name of the missing file or directory.
    What files are required to install R12 VISION without Express selection on Windows Server 2003,
    so that I can extract that file again?
    thanks a lot
    regards.
    kalash

    Please check the following log files for any further details about the error:
    1) <RDBMS ORACLE_HOME>/appsutil/log/$CONTEXT_NAME/<MMDDHHMM>.log
    2) <RDBMS ORACLE_HOME>/appsutil/log/$CONTEXT_NAME/dbInstall.log
    I assume you are using the same stage area, so it should work fine no matter what instance you are trying to install.
    "What Files are required to install R12 VISION with out Express selection on Windows server 2003"
    What do you mean by missing and required files? As stated above, you should have the complete stage area staged properly.
