ACS SE AAA server problem

Hi,
I have installed ACS SE for PEAP authentication in a wireless network.
However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after initial config in the AAA server window of Network Configuration.
The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
Please help me to get this fixed.

Hi.
The name of the ACS SE listed in AAA Server section is "self".
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
"In ACS SE, the name of the machine is listed as self."
"deliverance1" is the default ACS SE name (hostname).
Sometimes what happens is that, even if the ACS SE is connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, after the changes have been made the ACS SE comes back and shows the IP 169.x.x.x associated with the new hostname.
NOTE: I am considering that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
In order to correct this issue, follow these steps:
[1] On ACS hardware/appliance go to,
Reports and Activity > Appliance Status Page >
From "NIC Configuration", copy the IP address of the ACS SE.
Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
Note down the "Name" against the IP address of the ACS SE.
Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it there, move all other entries under the "AAA Servers" column, and press "Submit + Restart".
Then delete the entry from the AAA Server section that is associated with IP address 169.x.x.x.
[2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
Establish Serial Console connection to ACS SE,
Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
[3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
Now, the correct IP address will be associated with the correct hostname.
Regards.
Prem
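
A check for the symptom discussed in this thread, as an added example that is not part of the original posts: it flags AAA Servers entries whose address is link-local (169.254.0.0/16) or loopback, and reports whether the (Default) Proxy Distribution Table still forwards to them. The pasted-row input format, the sample rows and the function names are assumptions made for this example.

```python
import ipaddress

# Constructed sample: rows copied by hand from Network Configuration > AAA Servers
# (name, IP address, type). The pasted-text format is an assumption of this example.
AAA_SERVERS = """\
AAA server    AAA server IP address  AAA server type
self          10.10.10.1             CiscoSecure ACS
deliverance1  169.254.25.58          CiscoSecure ACS
"""

# Constructed sample: names in the "Forward To" column of the (Default)
# Proxy Distribution Table entry.
FORWARD_TO = ["deliverance1"]


def parse_aaa_servers(text):
    """Return [(name, ip)] for each row whose second field is a valid IP address."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            rows.append((fields[0], ipaddress.ip_address(fields[1])))
        except ValueError:
            continue  # header line or malformed row
    return rows


def classify(ip):
    """Name the reason an address cannot be a reachable AAA server, or None."""
    if ip.is_link_local:
        return "link-local"  # 169.254.0.0/16, self-assigned when no address was set
    if ip.is_loopback:
        return "loopback"    # 127.0.0.0/8
    return None


def audit(servers_text, forward_to):
    """List stale entries and whether the proxy table still references them."""
    findings = []
    for name, ip in parse_aaa_servers(servers_text):
        reason = classify(ip)
        if reason is None:
            continue
        findings.append({
            "name": name,
            "ip": str(ip),
            "reason": reason,
            # A referenced entry has to be moved out of "Forward To"
            # (then Submit + Restart) before it can be deleted.
            "referenced": name in forward_to,
        })
    return findings


if __name__ == "__main__":
    for f in audit(AAA_SERVERS, FORWARD_TO):
        state = "still in Forward To" if f["referenced"] else "not referenced"
        print("{0} {1}: {2}, {3}".format(f["name"], f["ip"], f["reason"], state))
```
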

Similar Messages

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue where during the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time with success.
    The issue seems to be fine but that when logging in to the GUI under Network Configuration>AAA servers.
    AAA server    AAA server IP address    AAA server type
    self          10.10.10.1               CiscoSecure ACS
    ciscoacs      169.254.25.58            CiscoSecure ACS
    Under Network Configuration>Proxy Distribution Table
    Character String    AAA Servers    Strip    Account
    Default             ciscoacs       no       Local
    The 2 questions I have are how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete:
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to,
    Network configuration > Proxy Distribution Table > (Default).
    Swap the entry in this section under tables AAA Server and Forward To > Submit + Restart.
    Then try to delete 169.x.x.x entry.
    Regards,
    Prem

  • ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

    Hello,
    I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
    In the configuration menu (Network Config > AAA Server), the AAA-server-IP-address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server.
    Although the IP address in my network connection of the Windows LAN connection is set to static.
    When I reconnect the Ethernet interface of the server, it stays at 169.154.x.x, and I need to reconfigure the real static address each time.
    Do you know this problem? Is there a way to avoid it?
    Michel Misonne

    Hi Michel,
    It was an issue in the ACS 1113 SE Appliance, and a clear solution for the above is mentioned in the link below:
    http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
    HTH
    Ganesh.H

  • Problems with 802.1x,ACS and Windows Server 2000

    Hi,
    My components: ACS 3.3 running on a Server with Windows 2000 Server SP4 , 2950 Catalyst (AAA-Client) ,
    Laptop with Windows XP SP2 (802.1x Client)
    I have everything configured according to Cisco documentation, but I am getting one error in the ACS's log.( Failed Attempts active.csv)
    Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
    I have a valid certificate on my RADIUS (ACS) server and, for machine authentication, I have a valid certificate on my laptop. (I installed this certificate before I started to log in at the 802.1x port of the switch.)
    Does anyone have any idea what the problem is?
    Here is the Config of the Catalyst 2950 if that will help:
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname ACS-Client1
    aaa new-model
    aaa authentication dot1x default group radius
    enable secret xxxx
    username xxxx privilege xxx password xxx
    ip subnet-zero
    ip ssh time-out 120
    ip ssh authentication-retries 3
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    interface FastEthernet0/13
    switchport mode access
    dot1x port-control auto
    dot1x timeout quiet-period 3
    dot1x timeout reauth-period 1
    dot1x reauthentication
    interface GigabitEthernet0/2
    interface Vlan1
    ip address 10.10.3.253 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.3.254
    ip http server
    radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key radius
    line con 0
    password xxx
    line vty 0 4
    password xxx
    line vty 5 15
    password xxx
    end

    Yes, we got to solve this problem. Because it is only a test scenario, we installed everything new: Win2000 Server SP4, the certificate service, and WinXP on the client.
    The config of the switch is OK; we set the reauth-period and quiet-period to default.
    Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
    Attention, we used the AEGIS Client not the XP Client!

  • AAA server logs replication

    1. We have two locations and require Cisco ACS 5.x for each location.
    2. Both locations are connected via MPLS link.
    3. Need to deploy both ACS in Active-Active OR Active-Standby.
    4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
    5. Similarly, users in network B will have their primary ACS as ACS B, local to their LAN. If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network, and vice versa.
    6. What we have understood from reading the ACS documents is that in case one of the ACS goes down, the accounting logs do not get replicated to the secondary ACS, and vice versa.
    7. I would like to have a kind of setup wherein accounting logs are also replicated between ACS servers. The idea is that I should have complete logs of both servers up to the time one of the ACS breaks down.
    Kindly let me know if the accounting logs can be replicated in the manner as mentioned above.
    Also let me know the typical bandwidth utilized during replication of ACS A to ACS B.
    We have around 500 users combining both sides.
    Our proposal is dependent upon working of the above solution…kindly see if ACS5.x will work in the above scenario as we need to propose the same.

    I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh

  • Errors on aaa server

    Hello,
    Please, which service is actually suspended when the AAA server gives this report?
    "Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
    And how can I resolve it?
    Also, my backup AAA server is still not replying. If I shut down the service on the primary ACS, the errors I get when I try to log in are "auth server down".
    What can I do to correct these?

    To my knowledge, it's the authentication service like Radius or Tacacs+ that is suspended.

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external, as you need group mapping to make it work.
    A bit kludgy... but should work.

  • ACS 4.1 Server and WLAN Bridge

    Hi,
    we have a Cisco Bridge (with 1310Gs)and have the problem that the non root bridge does not reach the ACS server with its authentication requests (when we use OPEN authentication the bridge works fine).
    The authentication requests by the root Bridge are passed to ACS w/o any problems.
    How can I tell the Root Bridge to pass on the AUTH-requests by the Non Root Bridge to ACS ? (we do not even see any failed requests from the NON Root AP on ACS - nothing arrives there...). Thanks for helping.
    Cheers,
    T.

    Following would be the right section to put this question,
    Wireless - Mobility | Security and Network Management.
    As issue is not with ACS, but with the way communication takes place between root and non root bridge.
    Regards,
    Prem

  • AAA server group tag

    Is the "AAA server group tag" the same as the proxy distribution entry?
    Trying to set up my ASA for TACACS+.
    cisco# aaa-server ?
    WORD < 17 char Enter a AAA server group tag

    I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh

  • ACS 4.2 NDG problem

    Hi, I have ACS appliance 4.2.0.124 installed at 2 sites. In one of the appliances, under the (Not Assigned) NDG, the AAA server was reflecting as Self with IP address 127.0.0.1, and with the other one, under AAA servers, the exact IP address of the appliance was reflecting with server name AAA. I had added the 1st server in the 2nd server's unassigned NDC and the 2nd server in the 1st's unassigned NDC.
    After that I configured the 1st server for outbound replication and the 2nd for inbound replication with "Network Configuration Device tables" selected. After manual replication I found, in the 2nd appliance under the unassigned NDG, a server entry with name self and IP address 127.0.0.1, along with the second entry self and its own IP address. Now I am neither able to add the 1st server's entry to the NDG group (Error: host already exist) nor delete/edit the self with the 127.0.0.1 IP address. Can anybody help me to delete this entry from the database, please?
    I don't have any previous backup and the ACS is live.

    Hi all, I am using ACS SE 4.2. Can I edit the IP address for the record "Self" under the AAA servers table under the not assigned NDG, as the IP address of self is showing 127.0.0.1?
    Also, can I reinitialize the database? One of the servers' entries is not appearing under the Not assigned NDG, but if I try to add the server, the error "Host already exists" comes up.
    Please help me, as I am stuck at this point.

  • ACS 4.x server migration

    Hi Guys,
    We have an ACS 4.x server which we are migrating to a new Windows machine. Due to a standards requirement, the new ACS will be installed in a separate directory on the new machine.
    I would like to know if there are any potential issues that I should be aware while doing the database migration from one machine to another machine.
    For example  Database could point to original directory for logs and replication could fail in new machine since original dir path do not exist in new server installation
    Appreciate your inputs..

    Once you installed ACS on the new machine, you should be able to restore a backup of the database from the original ACS, if you have any problems with this please open a TAC case and we'll help you out.

  • How to configure router to use ip pool on the aaa server for vpn clients

    How do I configure a router to use an IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • AAA Accounting problems

    I have questions regarding the aaa accounting of NX-OS. In N7K and  N5K is not done the accounting of show commands, only the config command's. Unlike the IOS. Is there any way to enable accounting of show commands as well?
    Another question is related to the Nexus 1000V, which only supports PAP or MSCHAP. Does not support the command "aaa authentication login ascii-authentication".  Is there way to enable? Or is it some restriction.

    Larry,
    1) Please set up enable authentication to get the actual user name,
    aaa authentication enable console tacacs-auth LOCAL
    On ACS user setup you need to set up tacacs+ enable password.
    3) Since you have defined both server for authentication and accounting ie 219 and 218 it is sending accounting to 218, as it is also defined as accounting server and firewall it active.
    Use only
    aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
    aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
    Now auth should go to 218 and acc to 219.
    Regards,
    ~JG
    Do rate helpful posts

  • How to fix "server problem" error message when trying to use PhoneGap build service.

    I have a site that is now optimized for mobile devices and want to use the PhoneGap Build service in Dreamweaver CS6 to make a native app.  Unfortunately, I keep getting the "We seem to be having server problems." error message when I try to create a new project.  I did notice that the configuration file was created at the site root.  I've seen a few other similar threads on this, but no solution.  I've checked on any firewall issues (none) and know that the PhoneGap server is not down.  The problem is on my end.
    Thanks,
    Loren

    Not an answer to the server problem, but I have posted the PhoneGap Build process here: http://forums.adobe.com/message/4669054#4669054. It might help anyone still having problems.

  • [Fwd: Starting Managed server problem ......]

    Forwarding to the security news group...
    -------- Original Message --------
    Subject: Starting Managed server problem ......
    Date: 1 Jun 2004 23:02:53 -0700
    From: Sameer <barsatkiraat2001>
    Newsgroups: weblogic.developer.interest.management
    Hi All,
    I need your help in this regard: I am using Solaris 8 and have
    installed WebLogic 8.1 Server.
    My scenario is:
    I have configured an Admin Server and a Managed Server with nodemanager on one
    Unix machine.
    The problem I am facing is:
    I am not able to get the Managed Server to run after starting the nodemanager
    and admin server, getting the error in nodemanager logs that is:
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090482>
    <BAD_CERTIFICATE alert was received from PortalQA - 10.12.10.94. Check
    the peer to determine why it rejected the certificate chain (trusted CA
    configuration, hostname verification). SSL debug tracing may be required
    to determine the exact reason the certificate was rejected.>
    And in Admin Server logs it's saying;
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <Security> <BEA-090504>
    <Certificate chain received from PortalQA - 10.12.10.94 failed hostname
    verification check. Certificate contained AdminQA but check expected
    PortalQA>
    The WebLogic Server did not start up properly.
    Exception raised:
    'weblogic.management.configuration.ConfigurationException: Due to faulty
    SSL configuration, this server is unable to establish a connection to
    the node manager.'
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Warning> <NodeManager> <BEA-300038>
    <The node manager is unable to monitor this server. Could not create an
    SSL connection to the node manager. Reason :
    [Security:090504]Certificate chain received from PortalQA - 10.12.10.94
    failed hostname verification check. Certificate contained AdminQA but
    check expected PortalQA>
    Reason: weblogic.management.configuration.ConfigurationException: Due to
    faulty SSL configuration, this server is unable to establish a
    connection to the node manager.
    <Jun 2, 2004 9:44:26 AM GMT 04:00> <Emergency> <WebLogicServer>
    <BEA-000342> <Unable to initialize the server:
    weblogic.management.configuration.ConfigurationException: Due to faulty
    SSL configuration, this server is unable to establish a connection to
    the node manager.>
    If some one can help me, I do appreciate in all due respect.
    Sameer.

    Hello Satya/All,
    I'm also experiencing the exact problem you are facing. It would be great if
    somebody could help in this regard at the earliest.
    Thanks, senthil
