ACS Local databse authentication as a failover to Active Directory

Similar Messages

• BO XI 3.1 : Active Directory Authentication failed to get the Active Directory groups

  Dear all 
          In our environment, there are 2 domain (domain A and B); it works well all the time. Today, all the user belong to domain A are not logi n; for user in domain B, all of them can log in but BO server response is very slowly. and there is error message popup when opening Webi report for domain B user. Below are the error message: 
         " Active Directory Authentication failed to get the Active Directory groups for the account with ID:XXXX; pls make sure this account is valid and belongs to an accessible domain"
        Anyone has encountered similar issue?
     BO version: BO XI 3.1 SP5
     Authenticate: Windows AD
  Thanks and Regards

  Please get in touch with your AD team and verify if there are any changes applied to the domain controller and there are no network issues.
  Also since this is a multi domain, make sure you have 2 way transitive forest trust as mentioned in SAP Note : 1323391 and FQDN for Directory servers are maintained in registry as per 1199995
  http://service.sap.com/sap/support/notes/1323391
  http://service.sap.com/sap/support/notes/1199995
  -Ambarish-

• NTLM Authentication with a domain controller/active directory

  Hi,
  I have a requirement to do an NTLM authentication with the MS active directory.
  I am aware that JNDI doesn't support this protocol to communicate with the AD.
  I have looked into couple of online solutions available but that doesn't seem to meet my requirement. Most of the solutions like (Apache commons NTLMScheme/NTCredentials and java.net.Authenticator etc...) are used for only NTLM proxy authentication (where both username, password is sent to the proxy server which does the actual NTLM authentication with the Active Directory.)
  What I need is a solution in Java where I can directly contact Active directory for negotiation of challenge/response mechanism.
  Can any of you guys suggest any alternative to achieve this ?

  it really depends to be honest. I'd probably go something like this though:
  One Small physical server to act as a domain controller - you could put DHCP on this too
  One or Two physical, quite powerful servers to act as Hyper-V hosts - these can be domain joined. 
  Then for your VM's create the following:
  1 x additional domain controller
  For remote desktop services:
  1 x Remote Desktop Session Host
  1 x Connection Broker
  1 x Gateway and web server
  For additional services
  1 or 2 x Exchange
  1 x sharepoint
  1 x IIS
  but it really depends what you want to achieve. 
  The benefit from Virtual machines is that you can keep separate virtual servers for separate applications. 
  If you have two hosts you could then replicate the virtual machines between them if you wanted some layer of fault tolerance. 
  Hope this helps you a bit more. And thanks for positive blog feedback - its appreciated. 
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn:

• How to ACS 5.0.0.21 Expresss integrate with Active Directory Standar 2003 and authenticate PEAP MSCHAPV2

  Hi:
  My name is Ivan, I have a trouble
  I have a ACS 5.0.0.21 express, and i have to integrate with Active Directory (AD)  2003 Standar. I should authenticate the users of the Domain in the LAN with PEAP MSCHPAV2, using the follow:
  Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
  I need to know if i should to install a certificate in the ACS 5.0.0.21 or some agent remote install  in the AD.
  I put in the ACS a external database with the AD, and i already select the users on the domain in the ACS Express.
  Please could you tell me all the steps to autenticate the users on the Domain using the ACS Express and the Active Directory,
  I would like to know wich are the configuration that i have to do in my ACS express to authenticate using PEAP MSCHAPV2
  Regards
  Ivan

  See the below URL - multiple config guides on what you want to do:-
  http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
  HTH>

• LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?

  Hi,
  We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
  I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
  CiscoWorks LAN Management Solution 2.6
  Cisco Secure Access Control System 4.2
  Cisco Fabric Manager 1.5
  Any help is much appreciated!

  - CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
  www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
  - Cisco Secure Access Control System 4.2 - Not supported either:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
  - Cisco Fabric Manager 1.5 - Was not able to find anything for version 1.5 and not really familiar with this product.  However, according to the below not even version 4.2(7d) supports 2008:
  www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668

• Using Active Directory and ACS for Concentrator 3000 VPN

  Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
  Below is my understanding, I appeciate any help to piece some or all the below together
  (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
  (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is reponsible for network access control for the specific groups and enforces these controls to the users via the concentrators.
  (3) Concentrator is the NAS, and ACS is the RADIUS server
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
  (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
  (5) A single "Tunnel Group" is created on the concentrator
  (6) Mulpile Groups, per corporate infosec policies are created on the AD
  (7) Mulpile Groups, per corporate infosec policies are also created on ACS, need to match with what're in the AD
  TIA.

  In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
  When the WLC sends an authentication request to the  ACS, it will include  the SSID that the user is connecting to, in the  attribute  Calling-Station-Id(31). We can use this information to create  multiple  rules in ACS 5.x in order to take actions based on the  information  contained in the attribute.
  Under the  Users and Indetity Stores > click on Directory Groups > select  > check the group name you want to add and hit ok. Save the changes.
  We  just need to  create a DNIS rule that includes the name of the SSID and  use it as a  condition in any rule that we create for authentication.  The * is  required because the attribute not only contains the SSID but  also a MAC  address so the * is use as a regular expression.
  Now go to access-policies > default-network access > identity should be AD1.
  Go  to authorization > click on customize > move the  AD1:ExternalGroups and end-station filter attribute on the right side  and hit ok.
  After that slect the appropriate ad group for teachers and end-station filter.
  Save changes.
  Jatin Katyal
  - Do rate helpful posts -

• ACS 5.2 does not check Active directory changes

  Hi all,
  I am working with ACS 5.2 and using Radius authentication for vpn client.
  The authentication method used is Active Directory in an Windows enviroment with multiple domains in the same forest.
  My problem occurs when i change a user from one group to another in Active Directory. After that i receive the following message when try to connect:
  15039 Selected Authorization Profile is DenyAccess
  The message is because match the default policy.
  Another user in the same AD group works fine.
  All domain in the forest have trust relation each other.
  I am using universal groups to include users from all domain belongs this forest.
  Can anyone help me?
  Regards

  Dear all,
  Hope you can help me with a similar issue i am facing on migration from Cisco ACS 4.1.24 to Cisco 5.3.0.40
  and testing Radius authentication for vpn client users.
  The authentication method used is external Active Directory and for some users authenticating to the external AD via ACS, the following message is obtained:
  "15039 Selected Authorization Profile is DenyAcces", which results in Auth failure.
  Other users on the same AD group seem to work fine and there are no changes performed on the AD for any of the  concerned users.
  Looking at the detail report for the user, confirms  that no attributes  are returned to the Radius(under the other  attributes field) from the  external server. The Radius also returns the  following messages:
  "24412 User not  found in Active Directory"
  "22056 Subject not found in the applicable  identity store(s)"
  Within the ACS Identity sequence in the ID store, the  sequence is set to match on AD first and then Internal user.         The  Identity for the default network profile(for Radius users) is  configured to General sequence. The same user/s seem to work fine when  swithced to ACS4.
  We are also looking at possible NTP sync issue with the ACS/AD or  any NTLM/Kerberos auth issues or any issues related to applying the  latest ACS patch to the box.Please let me know if there is any AD related configs to be modified.
  Any help will be appreciated.
  Thanks and Regards.

• Weblogic with Active Directory Authentication provider problem: DN for user ....: null

  I have a java application (SSO via SAML2) that uses Weblogic as a Identity Service Provider. All works well using users created directly in Weblogic. However, I need to add support for Active Directory. So, as per documentation:
  - I defined an Active Directory Authentication provider
  - changed it's order in the Authentication Providers list so that it comes first
  - set the control flag to SUFFICIENT and configured the Provider Specific; here's the concerned part in config.xml:
  <sec:authentication-provider xsi:type="wls:active-directory-authenticatorType">
          <sec:name>MyOwnADAuthenticator</sec:name>
          <sec:control-flag>SUFFICIENT</sec:control-flag>
          <wls:propagate-cause-for-login-exception>true</wls:propagate-cause-for-login-exception>
          <wls:host>10.20.150.4</wls:host>
          <wls:port>5000</wls:port>
          <wls:ssl-enabled>false</wls:ssl-enabled>
          <wls:principal>CN=tadmin,CN=wl,DC=at,DC=com</wls:principal>
          <wls:user-base-dn>CN=wl,DC=at,DC=com</wls:user-base-dn>
          <wls:credential-encrypted>{AES}deleted</wls:credential-encrypted>
          <wls:cache-enabled>false</wls:cache-enabled>
          <wls:group-base-dn>CN=wl,DC=at,DC=com</wls:group-base-dn>
  </sec:authentication-provider>
  I configured a AD LDS instance(Active Directory Lightweight Directory Services) on a Windows Server 2008 R2. I created users and one admin user "tadmin" which was added to Administrators members. I also made sure to set msDS-UserAccountDisabled property to FALSE.
  After restarting Weblogic I can see that the AD LDS's users and groups are correctly fetched in Weblogic. But, when I try to connect with my application, using Username:tadmin and Password:<...> it does not work.
  Here's what I see in the log file:
  <BEA-000000> <LDAP Atn Login username: tadmin>
  <BEA-000000> <authenticate user:tadmin>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)>
  <BEA-000000> <DN for user tadmin: null>
  <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://10.20.150.4:5000 ldapVersion:3 bindDN:"CN=tadmin,CN=wl,DC=at,DC=com"}>
  <BEA-000000> <javax.security.auth.login.FailedLoginException: [Security:090302]Authentication Failed: User tadmin denied
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:229)
    at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
  So, I tried to look why do I have: <DN for user tadmin: null>. Using Apache Directory Studio I reproduced the ldap search request used in Weblogic and, sure enough, I get no results. But, changing the filter to only "(&(cn=tadmin)(objectclass=user))" (NOTICE, no userAccountControl), it works; here's the result from Apache Directory Studio:
  #!SEARCH REQUEST (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.324
  # LDAP URL     : ldap://10.20.150.4:5000/CN=wl,DC=at,DC=com?objectClass?sub?(&(cn=tadmin)(objectclass=user))
  # command line : ldapsearch -H ldap://10.20.150.4:5000 -x -D "[email protected]" -W -b "CN=wl,DC=at,DC=com" -s sub -a always -z 1000 "(&(cn=tadmin)(objectclass=user))" "objectClass"
  # baseObject   : CN=wl,DC=at,DC=com
  # scope        : wholeSubtree (2)
  # derefAliases : derefAlways (3)
  # sizeLimit    : 1000
  # timeLimit    : 0
  # typesOnly    : False
  # filter       : (&(cn=tadmin)(objectclass=user))
  # attributes   : objectClass
  #!SEARCH RESULT DONE (145) OK
  #!CONNECTION ldap://10.20.150.4:5000
  #!DATE 2014-01-23T14:52:09.356
  # numEntries : 1
  (the "[email protected]" is defined as userPrincipalName in the tadmin user on AD LDS)
  As you can see, "# numEntries : 1" (and I can see as result the entry "CN=tadmin,CN=wl,DC=at,DC=com"  in Apache Directory Studio's interface); if I add the userAccountControl filter I get 0.
  I've read that the AD LDS does not use userAccountControl but "uses several individual attributes to hold the information that is contained in the flags of the userAccountControl attribute"; among those attributes is msDS-UserAccountDisabled which, as I said, I already set to FALSE.
  So, my question is, how do I make it work? Why do I have "<DN for user tadmin: null>" ? Is it the userAccountControl ? If it is, do I need to do some other configuration on my AD LDS ? Or, how can I get rid of the userAccountControl filter in Weblogic?
  I didn't seem to find it in config files or in the interface: I only have "User From Name Filter: (&(cn=%u)(objectclass=user))", there's no userAccountControl.
  Another difference I noticed is that, even though in Weblogic I have set ssl-enabled flag to false, in the logs I see ldaps and not ldap ( I'm not looking to setup something production-ready and I don't want SSL for the moment ).
  Here are some other things I tried but did not change anything:
  - the other "msDS-" attributes were not set so I tried initializing them to some value
  - I tried other users defined in AD LDS, not tadmin
  - in Weblogic I added users that were imported from AD LDS in Roles and Policies> Realm Roles > Global Roles > Roles > Admin
  - I removed all userAccountControl occurrences that I found in xml files in Weblogic (schema.ms.xml, schema.msad2003.xml)
  Any thoughts?
  Thanks.

  I managed to narrow it down: the AD LDS does not support the userAccountControl.
  Anyone knows how I can configure my Active Directory Authentication Provider in Weblogic so that it does not implicitly use userAccountControl as filter?
  <BEA-000000> <getDNForUser search("CN=wl,DC=at,DC=com", "(&(&(cn=tadmin)(objectclass=user))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", base DN & below)> 

• ACS 5.2 Authentication Issue with Local & Global ADs

  Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
  - Wireless Users >> Cisco WLC >> ADs <-- everything OK
  - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
  Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
  Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
  For the user from the old group, authentication is ok.
  For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
  Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
  Can anyone advice to troubleshoot the issue?
  Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
  How can we check or make sure it?
  Thanks ahead,
  Ye

  Hello,
  There is an enhacement request open already:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
  ACS should be able to query only desired DCs
  Symptom:
  Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
  It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
  Conditions:
  Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
  Workaround:
  Make sure ALL DCs are UP and reachable from the ACS.
  At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
  Hope this clarifies it.
  Regards.

• Local Radius Authentication - Fails

  Hello all,
  Access Point 1230AG (c1200-k9w7-mx.123-2.JA)
  Client Adapter ABG (PCI)
  I am new to Wireless Lan configuration with Aironet products (first project). I am configuring an Access Point for a small LAN and i can not get local radius authentication working. The password always fails if I try:
  test aaa group radius xxxxx port 1812 new-code
  although the password is matching..........
  another thing is that in the configuration, it always defaults to 'nthash' mode. is this normal? in other words if i type:
  radius-server local
  user dgarnett password xxxx
  when i do a 'show run' it displays as
  user xxxx
  I also get the following during a debug:
  There is no RADIUS DB Some Radius attributes may not be stored
  any help greatly appreciated
  ap#test aaa group radius dgarnett 123456789 port 1812 new-code
  Trying to authenticate with Servergroup radius
  User rejected
  ap#
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): Config NAS IP: 10.14.14.14
  Feb 19 20:57:44.535: RADIUS(00000000): sending
  Feb 19 20:57:44.535: RADIUS(00000000): Send Access-Request to 10.14.14.14:1812 id 21645/14, len 64
  Feb 19 20:57:44.535: RADIUS: authenticator 9C C4 E8 64 80 8B 64 8A - E7 5F 0A 64 14 2F 5D B6
  Feb 19 20:57:44.536: RADIUS: User-Password [2] 18 *
  Feb 19 20:57:44.536: RADIUS: User-Name [1] 10 "dgarnett"
  Feb 19 20:57:44.536: RADIUS: Service-Type [6] 6 Login [1]
  Feb 19 20:57:44.536: RADIUS: NAS-IP-Address [4] 6 10.14.14.14
  Feb 19 20:57:44.536: RADIUS: Nas-Identifier [32] 4 "ap"
  Feb 19 20:57:44.537: RADSRV: Client dgarnett password failed
  Feb 19 20:57:44.537: RADIUS: Received from id 21645/14 10.14.14.14:1812, Access-Reject, len 88
  Feb 19 20:57:44.538: RADIUS: authenticator 3C B3 9A 7F 61 27 3A A6 - 84 39 B6 DF 22 DF 45 26
  Feb 19 20:57:44.538: RADIUS: State [24] 50
  Feb 19 20:57:44.538: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF [????????????????]
  Feb 19 20:57:44.539: RADIUS: 6B 7C 18 EA F0 20 A4 E5 B1 28 0E BD 57 61 24 9A [k|??? ???(??Wa$?]
  Feb 19 20:57:44.539: RADIUS: Message-Authenticato[80] 18 *
  Feb 19 20:57:44.539: RADIUS(00000000): Received from id 21645/14
  Feb 19 20:57:44.539: RADIUS(00000000): Unique id not in use
  Feb 19 20:57:44.540: RADIUS/DECODE(00000000): There is no RADIUS DB Some Radius attributes may not be stored

  Just as an update.......I set this up authenticating to an external (ACSNT) Radius server and it authenticates successfully. But still will not for the local dbase. My goal is to use the Corporate ACS as primary and the local as backup. I think my problem has to do with the Radius attributes 24 (State) and 80 (Message Auth). I also think that it points back to the NTHash stuff. Please advise as I am not new security practices and wireless, but I am new to Cisco Wireless networking.

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• 802.1x between Switch 3750 and ACS 4.2 Authentication faild --need help

  I configured the Switch 3750 and ACS for 802.1x authentication.
  when I used the windows as the 802.1x client, it prompted "click here to enter user name and pasword for the network " as normal.
  The problem is that after I entered username and password (i am sure i enter the identical username and password as in ACS) the authentication failed,
  What is the most possibly problem?
  Thx in advance!!!
  The configuration is Sw3750 is:
  aaa new-model
  aaa authentication login default local
  aaa authentication enable default line
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet1/0/18
  description Link to test 802.1x
  switchport access vlan 119
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  spanning-tree portfast
  radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
  radius-server source-ports 1645-1646
  radius-server key keepopen0
  In the ACS:
  Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
  user setup -->real name:test1, password: test1.
  Attached is the debug information

  What do you see in acs failed attempts?

• Configuring a 1230 AP as a "Local Radius Authenticator"

  Configuring a 1230 AP as a "Local Radius Authenticator"
  CCO-URL: Configuring an Access Point as a Local Authenticator
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
  this is the minimal config, i think:
  AP# configure terminal
  AP(config)# radius-server local
  AP(config-radsrv)# nas 1.1.1.1 key 111
  AP(config-radsrv)# group clerks
  AP(config-radsrv-group)# vlan 2
  AP(config-radsrv-group)# ssid batman
  AP(config-radsrv-group)# reauthentication time 1800
  AP(config-radsrv-group)# lockout count 2 time 600
  AP(config-radsrv-group)# exit
  AP(config-radsrv)# user jsmith password twain74 group clerks
  AP(config-radsrv)# end
  whereas 1.1.1.1 is the IP of the AP himself ?
  is there a must for additional config commands like this:
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
  aaa group server radius rad_eap
  server 1.1.1.1 auth-port 1812 acct-port 1813
  aaa group server radius rad_admin
  server 1.1.1.1 auth-port 1812 acct-port 1813
  all attempts didn't work
  "station <MAC> authentication failed"
  is there anything else nessecary ???

  You seem to be missing the following commands;
  authentication network-eap eap_methods
  authentication key-management cckm optional
  The following commands are useful for diagnosis;
  • Show radius local statistics
  • show interface dot11Radio 0 aaa client
  • Debug dot11 aaa dot1x state
  • Debug dot11 mgmt interface
  Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
  * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
  * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
  Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
  · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
  · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
  · Replace usernames/passwords with your own usernames/passwords
  · Replace ip-addresseswith the APs IP address
  · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
  conf t
  host loc-auth-ap-name
  enable secret cisco
  no ip domain-lookup
  line vty 0 4
  password cisco
  exec-timeout 0 0
  login
  int bvi 1
  ip address 10.11.12.13 255.255.255.0
  Interface dot11 0
  no ssid tsunami
  encryption mode ciphers ckip-cmic
  ssid test-loc-auth
  authentication network-eap eap_methods
  authentication key-management cckm optional
  ip dhcp excluded-address 10.11.12.13
  ip dhcp pool temp
  network 10.11.12.0 255.255.255.0
  interface BVI1
  ip address 10.11.12.13 255.255.255.0
  no ip route-cache
  aaa new-model
  aaa group server radius rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  server 10.11.12.13 auth-port 1812 acct-port 1646
  aaa authentication login eap_methods group rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
  radius-server deadtime 10
  dot11 holdoff-time 1
  ip radius source-interface BVI1
  radius-server local
  nas 10.11.12.13 key 0 l0cal-key-secret
  user testuser password 0 testuser-key-secret
  exit
  exit
  wri

• CSM 3.1 local user authentication problem

  Hi every one.i have strange problem with local user authentication.in our csm i have configured csm to auhenticate users using TACACS+ from our acs server which every thing is ok about this configurtion but also i have configured fall back authentication for user admin.here is the problem even when connection to ACS server is ok and server can send authentication requests to ACS we can authenticate with ACS and Local admin which i think this is wrong because using local admin is configured as fallback.so what do you think about this problem which CSM authenticates users with ACS and local database same time??

  You probably need to go under the system context and create the interface and also allocate vlans to it in CSM before you configure the context itself.
  I hope it helps.
  PK

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"