ACS SE AAA server problem
Hi,
I have installed ACS SE for PEAP authentication in a wireless network.
However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after the initial config in the AAA Servers window of Network Configuration.
The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
Please help me to get this fixed.
Hi.
The name of the ACS SE listed in the AAA Servers section is "self".
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
"In ACS SE, the name of the machine is listed as self."
"deliverance1" is the default ACS SE name(hostname).
Sometimes what happens is: even if we have the ACS SE connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, after the change has been made on the ACS SE it comes back and shows the IP 169.x.x.x associated with the new hostname.
NOTE: I am assuming that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
To correct this issue, follow these steps:
[1] On the ACS hardware/appliance go to
Reports and Activity > Appliance Status Page >
From "NIC Configuration", copy the IP address of the ACS SE.
Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
Note down the "Name" against the IP address of the ACS SE.
Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it there, move all other entries to the "AAA Servers" column, and press "Submit + Restart".
Then delete the entry in the AAA Servers section that is associated with IP address 169.x.x.x.
[2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is in the System Configuration > Appliance Configuration... Hostname section, associated with the correct IP address, then do this:
Establish a serial console connection to the ACS SE,
issue the command "set hostname " and then reboot the ACS SE with the command "reboot".
[3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
Now the correct IP address will be associated with the correct hostname.
Regards.
Prem
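As an added example (not code from the original post or from Cisco), here is a small Python model of the two tables the procedure above edits. It encodes the rule behind the error people hit when they try to delete the 169.x.x.x entry first (an AAA server named in a "Forward To" column cannot be deleted), works out the order of steps [1] to [3] for a given NIC address, and also models the lookup the Proxy Distribution Table performs (character string matched as prefix or suffix, optionally stripped, then forwarded to the named server), which is the routing that the "AAA server group tag" thread further down describes. The row layout, the "(Default)" label and the simplified matching are assumptions for illustration; the table contents are constructed to mirror the posts.

```python
import ipaddress
from dataclasses import dataclass

# Added example; not Cisco code. APIPA range the posts describe as "169.x.x.x".
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class AAAServer:
    """One row of Network Configuration > AAA Servers (assumed layout)."""
    name: str
    ip: str


@dataclass
class ProxyEntry:
    """One row of the Proxy Distribution Table (assumed layout)."""
    char_string: str          # "(Default)" catches every request not matched elsewhere
    forward_to: list          # server names in the "Forward To" column
    position: str = "suffix"  # "suffix" (user@NY) or "prefix" (NY\user)
    strip: bool = False       # remove the matched string before forwarding


def is_link_local(ip: str) -> bool:
    """True for the 169.254.0.0/16 address the appliance falls back to."""
    return ipaddress.ip_address(ip) in LINK_LOCAL


def can_delete(name: str, table: list) -> bool:
    """ACS refuses to delete an AAA server that appears in any Forward To column."""
    return all(name not in entry.forward_to for entry in table)


def remediation_plan(nic_ip: str, servers: list, table: list) -> list:
    """Return the ordered GUI actions from steps [1]-[3] for these tables.

    Mutates `table` the way Submit + Restart would, so the delete check
    that follows sees the swapped Forward To column.
    """
    real = next((s for s in servers if s.ip == nic_ip), None)
    if real is None:
        raise ValueError(f"no AAA Servers entry carries the NIC address {nic_ip}")
    default = next(e for e in table if e.char_string == "(Default)")
    plan = []
    if default.forward_to != [real.name]:
        plan.append(f"(Default) Forward To: {default.forward_to} -> [{real.name}]; "
                    "Submit + Restart")
        default.forward_to = [real.name]
    for s in servers:
        if is_link_local(s.ip):
            if can_delete(s.name, table):
                plan.append(f"delete AAA server {s.name} ({s.ip})")
            else:
                plan.append(f"cannot delete {s.name} ({s.ip}): still referenced")
    return plan


def route(username: str, table: list) -> tuple:
    """Simplified Proxy Distribution lookup: the first non-default entry whose
    character string matches wins, (Default) takes everything else.
    Returns (forward_to, username as it would be forwarded)."""
    default = None
    for entry in table:
        if entry.char_string == "(Default)":
            default = entry
            continue
        s = entry.char_string
        if entry.position == "suffix" and username.endswith(s):
            return entry.forward_to, (username[:-len(s)] if entry.strip else username)
        if entry.position == "prefix" and username.startswith(s):
            return entry.forward_to, (username[len(s):] if entry.strip else username)
    if default is None:
        raise ValueError("Proxy Distribution Table has no (Default) entry")
    return default.forward_to, username


if __name__ == "__main__":
    # Constructed tables mirroring the posts: "self" on the real address, the
    # default hostname bound to an APIPA address and referenced by (Default).
    servers = [AAAServer("self", "10.10.10.1"), AAAServer("ciscoacs", "169.254.25.58")]
    table = [ProxyEntry("(Default)", ["ciscoacs"])]
    print("delete allowed before swap:", can_delete("ciscoacs", table))   # False
    for step in remediation_plan("10.10.10.1", servers, table):
        print(step)
    # Routing example from the "AAA server group tag" thread: user1@NY -> New York ACS
    table.append(ProxyEntry("@NY", ["acs-newyork"], strip=True))
    print(route("user1@NY", table))   # (['acs-newyork'], 'user1')
```

Run as is, it prints the plan for the constructed tables: swap (Default) to forward to "self" first, then delete the link-local entry. To check a real appliance, fill `servers` and `table` from Network Configuration > AAA Servers and > Proxy Distribution Table; the check runs only against that exported copy and never talks to the appliance.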
Similar Messages
-
ACS error, AAA Server is a referenced in the Proxy Distribution Table
When installing the ACS appliance (4.1) I have an issue: during the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time with success.
The issue is that when logging in to the GUI under Network Configuration > AAA Servers I see:
AAA server   AAA server IP address   AAA server type
self         10.10.10.1              CiscoSecure ACS
ciscoacs     169.254.25.58           CiscoSecure ACS
Under Network Configuration > Proxy Distribution Table:
Character String   AAA Servers   Strip   Account
Default            ciscoacs      no      Local
The 2 questions I have: how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
ACS error when trying to delete:
"Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table"
Many Thanks, MJ
Go to
Network Configuration > Proxy Distribution Table > (Default).
Swap the entry in this section between the AAA Servers and Forward To tables > Submit + Restart.
Then try to delete the 169.x.x.x entry.
Regards,
Prem -
ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x
Hello,
I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
In the configuration menu: Network Config > AAA Server, the AAA server IP address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server,
although the IP address in the Windows LAN connection of the server is set to static.
When I reconnect the Ethernet interface of the server, it stays at 169.254.x.x, and I need to reconfigure the real static address each time.
Do you know this problem? Is there a way to avoid it?
Michel Misonne
Hi Michel,
It was an issue in the ACS 1113 SE appliance, and a clear solution for the above is given in the link below:
http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
HTH
Ganesh.H -
Problems with 802.1x,ACS and Windows Server 2000
Hi,
My components: ACS 3.3 running on a server with Windows 2000 Server SP4, Catalyst 2950 (AAA client),
laptop with Windows XP SP2 (802.1x client).
I have everything configured according to the Cisco documentation, but I am getting one error in the ACS log (Failed Attempts, active.csv):
Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
I have a valid certificate on my RADIUS (ACS) server, and for machine authentication I have a valid certificate on my laptop. (I installed this certificate before I started to log in at the 802.1x port of the switch.)
Does anyone have any idea what the problem is?
Here is the config of the Catalyst 2950, if that helps:
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ACS-Client1
!
aaa new-model
! 802.1x authentication requests go to the RADIUS server group (the ACS)
aaa authentication dot1x default group radius
enable secret xxxx
username xxxx privilege xxx password xxx
ip subnet-zero
ip ssh time-out 120
ip ssh authentication-retries 3
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
! enable 802.1x globally; without this the per-port dot1x settings do nothing
dot1x system-auth-control
!
! supplicant (laptop) port
interface FastEthernet0/13
 switchport mode access
 dot1x port-control auto
 dot1x timeout quiet-period 3
 ! re-authenticate every 1 second (test value; the IOS default is 3600)
 dot1x timeout reauth-period 1
 dot1x reauthentication
!
interface GigabitEthernet0/2
!
interface Vlan1
 ip address 10.10.3.253 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.10.3.254
ip http server
!
! ACS RADIUS server; the key must match the AAA client entry for this switch in ACS
radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key radius
!
line con 0
 password xxx
line vty 0 4
 password xxx
line vty 5 15
 password xxx
!
end
Yes, we got to solve this problem. Because it is only a test scenario, we installed everything fresh: Win2000 Server SP4, the certificate service, and WinXP on the client.
The config of the switch is OK; we set the reauth-period and quiet-period to default.
Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
Attention: we used the AEGIS client, not the XP client! -
•1. We have two locations and require Cisco ACS 5.x for each location.
•2. Both locations are connected via MPLS link.
•3. Need to deploy both ACS in Active-Active OR Active-Standby.
•4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
•5. Similarly users in network B will have its primary ACS as ACS B local to their LAN.
If ACS in network A goes down, then users in network A should be able to authenticate using ACS B in remote network and vice versa.
•6. Now what we got to understand by reading the ACS documents is that in case one of the ACS goes down, the accounting logs do not get replicated to the secondary ACS and vice versa.
•7. I would like to have a kind of setup wherein accounting logs are also replicated between ACS servers. The idea is that I should have complete logs of both the servers up to the time one of the ACS breaks down.
Kindly let me know if the accounting logs can be replicated in the manner as mentioned above.
Also let me know the typical bandwidth utilized during replication of ACS A to ACS B.
We have around 500 users combining both sides.
Our proposal is dependent upon the working of the above solution… kindly see if ACS 5.x will work in the above scenario, as we need to propose the same.
-
Hello,
Please, which service is actually suspended when the AAA server gives this report?
"Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
And how can I resolve it?
Also, my backup AAA server is still not replying. If I shut down the service on the primary ACS, the error I get when I try to log in is "auth server down".
What can I do to correct these?
To my knowledge, it's the authentication service, like RADIUS or TACACS+, that is suspended.
-
AAA Server IP Pool based on AAA Client
Hi,
I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server, based on the AAA client that the user authenticates against.
So, for example, if the user comes in on CPE1 they get assigned an address from Pool A; if they come in on CPE2 they get an address assigned from Pool B.
Any pointers on how to do this (if possible) would be greatly appreciated.
Thanks in advance
Andy
With ACS v4 you could do this....
Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
Probably only works when users are external, as you need group mapping to make it work.
A bit kludgy... but should work. -
ACS 4.1 Server and WLAN Bridge
Hi,
we have a Cisco bridge (with 1310Gs) and have the problem that the non-root bridge does not reach the ACS server with its authentication requests (when we use OPEN authentication the bridge works fine).
The authentication requests by the root bridge are passed to ACS without any problems.
How can I tell the root bridge to pass on the auth requests from the non-root bridge to ACS? (We do not even see any failed requests from the non-root AP on ACS; nothing arrives there...) Thanks for helping.
Cheers,
T.
The following would be the right section to put this question:
Wireless - Mobility | Security and Network Management.
As the issue is not with ACS, but with the way communication takes place between the root and non-root bridge.
Regards,
Prem -
Is the "AAA server group tag" the same as the proxy distribution entry?
Trying to set up my ASA for TACACS+.
cisco# aaa-server ?
WORD < 17 char  Enter a AAA server group tag
I hope I got your question correctly. The AAA group tag is local to the AAA client and has nothing to do with the AAA server (e.g. ACS). It is meant to group more than one TACACS+/RADIUS server.
The Proxy Distribution Table is used when you have multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria, e.g. user1@NY should be redirected to the New York ACS.
Regards
Farrukh -
Hi, I have ACS appliance 4.2.0.124 installed at 2 sites. In one of the appliances, under the (Not Assigned) NDG, the AAA server was reflected as "Self" with IP address 127.0.0.1, and in the other one, under AAA Servers, the exact IP address of the appliance was reflected with server name AAA. I added the 1st server in the 2nd server's unassigned NDG and the 2nd server in the 1st's unassigned NDG.
After that I configured the 1st server for outbound replication and the 2nd for inbound replication with "Network Configuration Device tables" selected. After manual replication I found in the 2nd appliance, under the unassigned NDG, a server entry with name self and IP address 127.0.0.1, along with the second entry self and its own IP address. Now I am neither able to add the 1st server's entry to the NDG group (Error: host already exists) nor delete/edit the self with 127.0.0.1 IP address. Can anybody help me to delete this entry from the database, please?
I don't have any previous backup and the ACS is live.
Hi all, I am using ACS SE 4.2. Can I edit the IP address for the record "Self" under the AAA Servers table under the Not Assigned NDG, as the IP address of self is showing 127.0.0.1?
Also, can I reinitialize the database, because one of the servers' entries is not appearing under Not Assigned NDG, but if I try to add the server the error "Host already exists" comes up?
Please help me, as I am stuck at this point. -
ACS 4.x server migration
Hi Guys,
We have an ACS 4.x server which we are migrating to a new Windows machine. Due to standards requirements, the new ACS will be installed in a separate directory on the new machine.
I would like to know if there are any potential issues that I should be aware of while doing the database migration from one machine to another.
For example, the database could point to the original directory for logs, and replication could fail on the new machine since the original directory path does not exist in the new server installation.
Appreciate your inputs.
Once you have installed ACS on the new machine, you should be able to restore a backup of the database from the original ACS; if you have any problems with this please open a TAC case and we'll help you out.
-
How to configure router to use ip pool on the aaa server for vpn clients
How to configure a router to use an IP pool on the AAA server for VPN clients: I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
Sebastan
Hello Sebastan,
What do you use as AAA server (e.g. ACS with TACACS+ or RADIUS)?
Regards,
GNT -
I have questions regarding the AAA accounting of NX-OS. On N7K and N5K, accounting of show commands is not done, only of the config commands, unlike IOS. Is there any way to enable accounting of show commands as well?
Another question is related to the Nexus 1000V, which only supports PAP or MSCHAP. It does not support the command "aaa authentication login ascii-authentication". Is there a way to enable it? Or is it some restriction?
Larry,
1) Please set up enable authentication to get the actual user name:
aaa authentication enable console tacacs-auth LOCAL
On the ACS user setup you need to set up the TACACS+ enable password.
3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and the firewall has it active.
Use only:
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and accounting to 219.
Regards,
~JG
Do rate helpful posts -
How to fix "server problem" error message when trying to use PhoneGap build service.
I have a site that is now optimized for mobile devices and want to use the PhoneGap Build service in Dreamweaver CS6 to make a native app. Unfortunately, I keep getting the "We seem to be having server problems." error message when I try to create a new project. I did notice that the configuration file was created at the site root. I've seen a few other similar threads on this, but no solution. I've checked for any firewall issues (none) and know that the PhoneGap server is not down. The problem is on my end.
Thanks,
Loren
Not an answer to the server problem, but I have posted the PhoneGap Build process here: http://forums.adobe.com/message/4669054#4669054. It might help anyone still having problems.
-
Forwarding to the security news group...
-------- Original Message --------
Subject: Starting Managed server problem ......
Date: 1 Jun 2004 23:02:53 -0700
From: Sameer <barsatkiraat2001>
Newsgroups: weblogic.developer.interest.management
Hi All,
I need your help in this regard: I am using Solaris 8 and have installed WebLogic 8.1 Server.
My scenario is:
I have configured the Admin Server and a Managed Server with Node Manager on one Unix machine.
The problem I am facing:
I am not able to run the Managed Server after starting the Node Manager and Admin Server; I am getting this error in the Node Manager logs:
<Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090482>
<BAD_CERTIFICATE alert was received from PortalQA - 10.12.10.94. Check
the peer to determine why it rejected the certificate chain (trusted CA
configuration, hostname verification). SSL debug tracing may be required
to determine the exact reason the certificate was rejected.>
And in the Admin Server logs it says:
<Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090504>
<Certificate chain received from PortalQA - 10.12.10.94 failed hostname
verification check. Certificate contained AdminQA but check expected
PortalQA>
The WebLogic Server did not start up properly.
Exception raised:
'weblogic.management.configuration.ConfigurationException: Due to faulty
SSL configuration, this server is unable to establish a connection to
the node manager.'
<Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <NodeManager> <BEA-300038>
<The node manager is unable to monitor this server. Could not create an
SSL connection to the node manager. Reason :
[Security:090504]Certificate chain received from PortalQA - 10.12.10.94
failed hostname verification check. Certificate contained AdminQA but
check expected PortalQA>
Reason: weblogic.management.configuration.ConfigurationException: Due to
faulty SSL configuration, this server is unable to establish a
connection to the node manager.
<Jun 2, 2004 9:44:26 AM GMT 04:00> <Emergency> <WebLogicServer>
<BEA-000342> <Unable to initialize the server:
weblogic.management.configuration.ConfigurationException: Due to faulty
SSL configuration, this server is unable to establish a connection to
the node manager.>
If someone can help me, I would appreciate it, with all due respect.
Sameer.
Hello Satya/All,
I'm also experiencing the exact same problem you are facing. It would be great if somebody could help in this regard at the earliest.
Thanks, senthil
Satya Ghattu <[email protected]> wrote:
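The BEA-090504 line in the thread above is WebLogic's hostname verification rejecting a certificate issued to AdminQA when the Node Manager connection expected PortalQA. As an added example (not code from the thread or from WebLogic), here is that check as a stand-alone Python function following the RFC 6125 rules that the Python ssl module also applies: dNSName entries in subjectAltName are checked first, the subject commonName only when no dNSName is present, and a wildcard matches exactly one leftmost label. The certificate dicts are constructed in the shape ssl.getpeercert() returns; they are not real certificates from the thread.

```python
# Added example; not WebLogic code. Certificates are constructed dicts in the
# shape ssl.getpeercert() returns, e.g. {"subject": ((("commonName", "x"),),),
# "subjectAltName": (("DNS", "x"),)}.


def _match_label(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one presented identifier against the hostname.
    A single '*' is accepted only as the whole leftmost label (*.example.com),
    and only when at least two labels follow it, so '*.com' never matches."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def presented_names(cert: dict) -> list:
    """Identities the certificate presents: dNSName SANs when any exist,
    otherwise the subject commonName (legacy fallback, as in RFC 6125)."""
    dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def verify_hostname(cert: dict, expected: str) -> tuple:
    """Return (ok, detail); detail is worded like the BEA-090504 log line,
    naming what the certificate contained and what the check expected."""
    names = presented_names(cert)
    for name in names:
        if _match_label(name, expected):
            return True, f"certificate contains {name}, check expected {expected}"
    return False, (f"certificate contained {', '.join(names) or '<no name>'} "
                   f"but check expected {expected}")


if __name__ == "__main__":
    # Constructed on the thread's scenario: a certificate issued to AdminQA,
    # presented by the host the Node Manager addresses as PortalQA.
    admin_cert = {"subject": ((("commonName", "AdminQA"),),)}
    print(verify_hostname(admin_cert, "PortalQA"))
    print(verify_hostname(admin_cert, "AdminQA"))
    # Durable fix: a certificate whose SAN covers every name peers use.
    fixed_cert = {"subject": ((("commonName", "AdminQA"),),),
                  "subjectAltName": (("DNS", "AdminQA"), ("DNS", "PortalQA"))}
    print(verify_hostname(fixed_cert, "PortalQA"))
```

The usual quick workaround, starting the server with -Dweblogic.security.SSL.ignoreHostnameVerification=true, switches this check off for every outbound SSL connection and belongs in a lab only; the durable fix is a server certificate whose subjectAltName carries every name the peers use (here PortalQA), or addressing the Node Manager host by the name the certificate already carries.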