ACS server is not pingable

Hi,
 I have configured SNS server 3415 for ACS server and assigned an IP address through the first setup command. After that I assigned my laptop an IP from the same subnet as the ACS and tried to access or ping it, with no luck; I have disabled the internal firewall and antivirus on my laptop.
I have also turned on ICMP echo and tried to browse via HTTPS and HTTP as follows, with no luck:
https://192.168.1.1/acsadmin

I have added the router IP & hostname as AAA clients.
AAA configuration has been done on the device; the router is pingable from the ACS server, but it is not authenticating.
The local user is still active. What could be the issue? The following configuration is given:
aaa new-model
aaa group server tacacs+ NACS_Group1
aaa authentication login default group NACS_Group1 local
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default group NACS_Group1 if-authenticated
aaa authorization exec NACS_Group1 group tacacs+ local
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
====
tacacs-server host Primary IP timeout 5
tacacs-server host Secondary IP timeout 5
tacacs-server directed-request
tacacs-server key 7 104D000A061843595F
Hi,
Are you getting any failed-attempt messages on the Cisco ACS whenever you try to telnet or SSH to the router, and have you configured the following command on the vty lines as well?
line vty 0 4
login authentication groupname
Hope to Help !!
Ganesh.H
Remember to rate the helpful post

Similar Messages

  • Backup ACS server not used by switch.

    I am experiencing a strange issue: During a primary ACS failure, our switches are not resorting to the backup ACS for login authentication, except for enable mode. This means we can only use the emergency local login, but once logged in we cannot enable due to the switch attempting to authenticate that to the backup ACS.
    Once I created the local user in the backup ACS I was able to log in, and after I removed then re-added the primary server as a TACACS host it worked as expected - using the backup only. I can't help but think there is some minor command I am missing so that the switches will recognize the failure of the primary ACS.
    What am I missing that a failure of an ACS server does not cause the switches to use other configured servers?

    Richard,
    I have reviewed the information, however, the debugs are not clear enough as the only outputs displayed other than Accounting logs are the following lines:
    012697: Jan  3 22:37:16.866 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
    012698: Jan  3 22:37:24.743 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
    There are known issues with IOS devices not triggering the fallback/failover to the secondary ACS/TACACS+ server when the primary returns an "ERROR" response. "ERROR" refers to a process failure on the server side dropping the request and would not be the same as User Invalid or Bad Password responses which are failures referring to the Authentication information and not the process itself.
    Would it be possible for you to collect a capture on the Secondary ACS switchport while the primary is down in order to determine if the IOS device is reaching the secondary server at all?
    Known issue:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd48175
    Symptoms
    AAA does not failover to the backup tacacs server defined when it receives ERROR
    from the primary server .
    Conditions
    Occurs when tacacs is configured for authentication, and backup servers are
    configured. When the primary server returns error due to csauth not running on
    the primary server, in that case  authentication request does not fail over to
    secondary server.
    Frequency:
    Not a common scenario.
    Workaround:
    None
    NOTES
    1) If you have an ACS for Windows (3.x or 4.x) then you can install Wireshark on the Windows Server and collect the capture.
    2) If you have an ACS Appliance (3.x or 4.x) or an ACS 5.x you might need to configure a SPAN session on the switch.
    After collecting the capture you can use Wireshark > Edit > Preferences > Protocols > TACACS+  > TACACS+ Encryption Key > type the shared secret value. This will  allow you to review the unencrypted packets.
    You can filter the capture as well using ip.addr==x.x.x.x where x.x.x.x is the IOS device IP address.
    Feel free to share the capture with me as well along with the shared secret key. I would gladly review the information.
    NOTE: If the capture shows no traffic going to the secondary unit a useful test would be to configure the "Secondary" server as the primary on the IOS and verify if it works that way.
    NOTE: If possible, a capture on the primary server switchport while it is down might be useful in order to verify how the IOS is determining that the primary server is down, as I do not see it trying to contact the primary either... We should see at least timeouts when contacting the primary ACS.
    Regards.

  • Nslookup scan ip not pingable in rac node

    All,
    I'm planning to install 11.2.0.1 RAC on my laptop. As a first step I have configured DNS in a separate VMware guest and configured the rac1 node as well. Both the DNS and rac1 public IP addresses are pingable from each other and from the host machine, but the rac-scan IP is only pingable from the DNS server and not from the rac1 server. Will it be a problem if the DNS server runs on 32-bit and the RAC nodes run on 64-bit servers? Please let me know if I have missed anything here. Thanks again.
    About posting on this forum: I have used [code]  [/code] to format the code previously, but this time it is not working. Also there is no option to preview the code before posting.
    "Use spaces to separate multiple tags": I'm not clear about this. I read https://forums.oracle.com/thread/865295 on how to post code. It says to use  \ . If you guide me on how to format the code, I can use that in future.
    Host OS : Windows 8 64 bit
    Guest OS -1 : dns 32 bit Linux
      [root@dns32 ~]# uname -a
       Linux dns32.testenv.com 2.6.18-164.el5 #1 SMP Thu Sep 3 02:16:47 EDT 2009 i686 i686 i386 GNU/Linux
    Guest OS -2 : rac1 64 bit Linux
      [root@rac1 ~]# uname -a
       Linux rac1 2.6.18-194.el5 #1 SMP Mon Mar 29 22:10:29 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
    Guest OS-3 : rac2 - yet to configure 64 bit Linux
    @ dns server
    [root@dns32 ~]# nslookup rac-scan
    Server:         192.168.1.26
    Address:        192.168.1.26#53
    Name:   rac-scan.testenv.com
    Address: 192.168.1.57
    Name:   rac-scan.testenv.com
    Address: 192.168.1.58
    Name:   rac-scan.testenv.com
    Address: 192.168.1.59
    [root@dns32 ~]# cat /etc/resolv.conf
    search testenv.com
    nameserver 192.168.1.26
    [root@dns32 ~]# ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:EF:03:D3
              inet addr:192.168.1.26  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:feef:3d3/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2802 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2691 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:210115 (205.1 KiB)  TX bytes:208344 (203.4 KiB)
              Interrupt:67 Base address:0x2024
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:2308 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2308 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:5494207 (5.2 MiB)  TX bytes:5494207 (5.2 MiB)
    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    [root@dns32 ~]# ping 192.168.1.26
    PING 192.168.1.26 (192.168.1.26) 56(84) bytes of data.
    64 bytes from 192.168.1.26: icmp_seq=1 ttl=64 time=0.200 ms
    --- 192.168.1.26 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.200/0.200/0.200/0.000 ms
    [root@dns32 ~]# ping 192.168.1.27
    PING 192.168.1.27 (192.168.1.27) 56(84) bytes of data.
    64 bytes from 192.168.1.27: icmp_seq=1 ttl=64 time=0.330 ms
    --- 192.168.1.27 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.330/0.330/0.330/0.000 ms
    @rac1 node :
    [root@rac1 ~]# cat /etc/resolv.conf
    search testenv.com
    nameserver 192.168.1.26
    [root@rac1 ~]#  nslookup rac-scan
    ;; connection timed out; no servers could be reached
    [root@rac1 ~]# ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:0C:29:75:A9:39
              inet addr:192.168.1.27  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fe75:a939/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:500 errors:0 dropped:0 overruns:0 frame:0
              TX packets:357 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:52333 (51.1 KiB)  TX bytes:39556 (38.6 KiB)
    eth1      Link encap:Ethernet  HWaddr 00:0C:29:75:A9:43
              inet addr:192.168.2.37  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: fe80::20c:29ff:fe75:a943/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:160 errors:0 dropped:0 overruns:0 frame:0
              TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:20359 (19.8 KiB)  TX bytes:6518 (6.3 KiB)
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1940 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1940 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4783881 (4.5 MiB)  TX bytes:4783881 (4.5 MiB)
    sit0      Link encap:IPv6-in-IPv4
              NOARP  MTU:1480  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
    [root@rac1 ~]# ping 192.168.1.26
    PING 192.168.1.26 (192.168.1.26) 56(84) bytes of data.
    64 bytes from 192.168.1.26: icmp_seq=1 ttl=64 time=0.284 ms
    64 bytes from 192.168.1.26: icmp_seq=2 ttl=64 time=0.456 ms
    --- 192.168.1.26 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms
    rtt min/avg/max/mdev = 0.284/0.370/0.456/0.086 ms
    [root@rac1 ~]# ping 192.168.1.27
    PING 192.168.1.27 (192.168.1.27) 56(84) bytes of data.
    64 bytes from 192.168.1.27: icmp_seq=1 ttl=64 time=0.032 ms
    --- 192.168.1.27 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.032/0.032/0.032/0.000 ms
    Thanks
    Arul

    Thanks Saurabh. I have configured DNS using this blog: http://dnccfg.blogspot.in/2012/08/dns-configuration-on-linux.html.html
    [root@dns32 etc]# cat named.conf
    // named.caching-nameserver.conf
    // Provided by Red Hat caching-nameserver package to configure the
    // ISC BIND named(8) DNS server as a caching only nameserver
    // (as a localhost DNS resolver only).
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    // DO NOT EDIT THIS FILE - use system-config-bind or an editor
    // to create named.conf - edits to this file will be lost on
    // caching-nameserver package upgrade.
    options {
            listen-on port 53 { 192.168.1.26; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            // Those options should be used carefully because they disable port
            // randomization
            // query-source    port 53;
            // query-source-v6 port 53;
            allow-query     { any; };
            allow-query-cache { localhost; };
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    view localhost_resolver {
            match-clients      { any; };
            match-destinations { 192.168.1.26; };
            recursion yes;
            include "/etc/named.rfc1912.zones";
    };
    [root@dns32 etc]# cat named.rfc1912.zones
    // named.rfc1912.zones:
    // Provided by Red Hat caching-nameserver package
    // ISC BIND named zone configuration for zones recommended by
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    zone "." IN {
            type hint;
            file "named.ca";
    };
    zone "testenv.com" IN {
            type master;
            file "forward.zone";
            allow-update { none; };
    };
    zone "localhost" IN {
            type master;
            file "localhost.zone";
            allow-update { none; };
    };
    zone "1.168.192.in-addr.arpa" IN {
            type master;
            file "reverse.zone";
            allow-update { none; };
    };
    [root@dns32 named]# cat forward.zone
    $TTL    86400
    @               IN SOA  dns32.testenv.com. root.dns32.testenv.com. (
                                            42              ; serial (d. adams)
                                            3H              ; refresh
                                            15M             ; retry
                                            1W              ; expiry
                                            1D )            ; minimum
                    IN NS           dns32.testenv.com.
    dns32     IN A 192.168.1.26
    rac1      IN A 192.168.1.27
    rac2      IN A 192.168.1.28
    rac1-priv  IN A 192.168.2.37
    rac2-priv  IN A 192.168.2.38
    rac1-vip  IN A 192.168.1.47
    rac2-vip  IN A 192.168.1.48
    rac-scan  IN A 192.168.1.57
    rac-scan  IN A 192.168.1.58
    rac-scan  IN A 192.168.1.59
    [root@dns32 named]# cat reverse.zone
    $TTL    86400
    @       IN      SOA     dns32.testenv.com. root.dns32.testenv.com.  (
                                          1997022700 ; Serial
                                          28800      ; Refresh
                                          14400      ; Retry
                                          3600000    ; Expire
                                          86400 )    ; Minimum
            IN      NS      dns32.testenv.com.
    26       IN      PTR     dns32.testenv.com.
    27        IN      PTR   rac1.testenv.com.
    28        IN      PTR   rac2.testenv.com.
    47        IN      PTR   rac1-vip.testenv.com.
    48        IN      PTR   rac2-vip.testenv.com.
    57        IN      PTR   rac-scan.testenv.com.
    58        IN      PTR   rac-scan.testenv.com.
    59        IN      PTR   rac-scan.testenv.com.
    Thanks
    Arul
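The RAC setup above depends on the forward and reverse zones agreeing with each other and on the SCAN name resolving to exactly three addresses. The following is an added example, not code from the post or from Oracle or ISC: it parses the forward.zone and reverse.zone listings exactly as posted (embedded here as strings), cross-checks every A record in 192.168.1.0/24 against its PTR and vice versa, and verifies the SCAN record count. The reverse-zone parser assumes a /24 in-addr.arpa origin, as in the post; the function names and the "expected three SCAN addresses" rule are this example's own choices.

```python
import re
from ipaddress import ip_address, ip_network

# Zone data copied from the forward.zone / reverse.zone listings in the post above.
FORWARD_ZONE = """\
$TTL    86400
@               IN SOA  dns32.testenv.com. root.dns32.testenv.com. (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           dns32.testenv.com.
dns32     IN A 192.168.1.26
rac1      IN A 192.168.1.27
rac2      IN A 192.168.1.28
rac1-priv  IN A 192.168.2.37
rac2-priv  IN A 192.168.2.38
rac1-vip  IN A 192.168.1.47
rac2-vip  IN A 192.168.1.48
rac-scan  IN A 192.168.1.57
rac-scan  IN A 192.168.1.58
rac-scan  IN A 192.168.1.59
"""

REVERSE_ZONE = """\
$TTL    86400
@       IN      SOA     dns32.testenv.com. root.dns32.testenv.com.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      dns32.testenv.com.
26       IN      PTR     dns32.testenv.com.
27        IN      PTR   rac1.testenv.com.
28        IN      PTR   rac2.testenv.com.
47        IN      PTR   rac1-vip.testenv.com.
48        IN      PTR   rac2-vip.testenv.com.
57        IN      PTR   rac-scan.testenv.com.
58        IN      PTR   rac-scan.testenv.com.
59        IN      PTR   rac-scan.testenv.com.
"""
REVERSE_ORIGIN = "1.168.192.in-addr.arpa"   # from the zone stanza in named.rfc1912.zones
DOMAIN = "testenv.com"

A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
PTR_RE = re.compile(r"^(\d{1,3})\s+IN\s+PTR\s+(\S+)\s*$")   # one label: /24 reverse zone only


def parse_forward(text):
    """Return {owner: [ip, ...]} for every A record; SOA/NS lines do not match and are skipped."""
    records = {}
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if m:
            records.setdefault(m.group(1), []).append(m.group(2))
    return records


def reverse_network(origin):
    """'1.168.192.in-addr.arpa' -> IPv4Network('192.168.1.0/24')."""
    labels = origin[: -len(".in-addr.arpa")].split(".")
    octets = list(reversed(labels))
    prefix_len = 8 * len(octets)
    octets += ["0"] * (4 - len(octets))
    return ip_network(".".join(octets) + f"/{prefix_len}")


def parse_reverse(text, origin):
    """Return {ip: fqdn} for every PTR record, trailing dot stripped."""
    net = reverse_network(origin)
    base = str(net.network_address).split(".")[: net.prefixlen // 8]
    ptrs = {}
    for line in text.splitlines():
        m = PTR_RE.match(line.strip())
        if m:
            ptrs[".".join(base + [m.group(1)])] = m.group(2).rstrip(".")
    return ptrs


def check_zones(forward, reverse, origin, domain, scan_name="rac-scan", scan_addresses=3):
    """Cross-check A and PTR records and the SCAN record count; return a list of problems."""
    net = reverse_network(origin)
    problems = []
    for name, ips in forward.items():
        fqdn = f"{name}.{domain}"
        for ip in ips:
            if ip_address(ip) not in net:
                continue   # e.g. the private interconnect 192.168.2.0/24 has no reverse zone here
            ptr = reverse.get(ip)
            if ptr is None:
                problems.append(f"{ip} ({fqdn}) has no PTR record")
            elif ptr != fqdn:
                problems.append(f"{ip} PTR is {ptr}, expected {fqdn}")
    for ip, ptr in reverse.items():
        owner = ptr[: -len("." + domain)] if ptr.endswith("." + domain) else None
        if owner is None or ip not in forward.get(owner, []):
            problems.append(f"PTR {ip} -> {ptr} has no matching A record")
    scan_ips = forward.get(scan_name, [])
    if len(scan_ips) != scan_addresses:
        problems.append(f"{scan_name} has {len(scan_ips)} A records, expected {scan_addresses}")
    return problems


if __name__ == "__main__":
    fwd = parse_forward(FORWARD_ZONE)
    rev = parse_reverse(REVERSE_ZONE, REVERSE_ORIGIN)
    print(check_zones(fwd, rev, REVERSE_ORIGIN, DOMAIN) or "zones are consistent")
```

Run against the zones as posted it reports nothing, which is consistent with the nslookup from dns32 itself succeeding; the failure on rac1 ("no servers could be reached") is a reachability problem between the client and port 53, not a zone-content problem, so this check is what you run after that is fixed to make sure the SCAN and VIP entries are right before the Grid installer validates them.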

  • Ssh after ACS server "locked up" and had to be reconfigured no longer works.

    Hello
    I have a VPN tunnel between an ASA5520 and a Cisco 891.
    I had the 891 configured with the following:
    aaa group server tacacs+ VTY
     ip tacacs source-interface Loopback0
    aaa group server tacacs+ TACACS-ACS
     server 10.8.x.x
     server 10.16.y.x
    aaa authentication login CONSOLE none
    aaa authentication login VTY group tacacs+ local
    aaa authorization exec VTY group tacacs+ local
    aaa authorization commands 0 VTY group tacacs+
    aaa authorization commands 15 VTY group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting commands 15 CONSOLE start-stop group tacacs+
    ip tacacs source-interface Loopback0
    tacacs-server host 10.8.x.x key 7 yadayadayadayada
    tacacs-server host 10.16.y.x key 7 yadayadayadayada
    tacacs-server directed-request
    line vty 0 4
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    line vty 5 15
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    I no longer can access device remotely. I am sure it has to do with the ACS server, but not sure where to look.
    Any help would be  greatly appreciated.

    Hi,
    This is a configuration issue.
    Have you added the loopback interface IP of the router on the AAA server as an AAA client?
    Is the shared key the same on both the router and the AAA server?
    If both of the above are fine, then remove the entire AAA configuration and apply it fresh as below.
    no aaa new-model
    enable password ***********
    username admin privilege 15 password *********
    aaa new-model
    aaa group server tacacs+ VTY
     server 10.8.x.x
     server 10.16.y.x
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    tacacs-server host 10.8.x.x key 7 xxxxx (xxxxx should be the same key used in ACS)
    tacacs-server host 10.16.y.x key 7 xxxxx (xxxxx should be the same key used in ACS)
    line vty 0 4
    login authentication VTY
    Hope that helps
    Regards
    Najaf

  • How many concurrent connections that an ACS server version 4.2 latest patch can handle?

    I have about 50 routers and layer-3 switches that authenticate via TACACS+.  The AAA server used to be a Linux machine running open-source tacacs+ built by me.  I have a Perl script that will log into all 50 devices at the same time to collect statistics.  This script is multi-threaded.  Everything has been working fine so far.
    I recently outsourced the AAA function to a 3rd-party company, not by my choice.  The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection.  Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
    I noticed that for the past 3 months I have had multiple failures with this Perl script due to authentication failure with the ACS server.  If I just run the script again on a few routers/switches, there are no issues; however, whenever I start the script to log into 50 devices all at the same time, it fails.  If I make the configuration on all routers/switches point back to the old open-source tacacs+ server, the issue goes away.  The minute I switch back to the new ACS server, the issue comes back.  If I modify the script to hit one device at a time, it works fine.  I think the ACS server cannot handle a lot of AAA requests at the same time.
    Does anyone know how many concurrent connections an ACS 4.2, with the latest patches on Windows 2003 Enterprise Server with lots of memory and CPU power, can handle?  I can't seem to find this anywhere on the Cisco website.
    Thanks in advance.

    No, I'm not saying ACS cannot cope.
    Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
    Also, worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message allowing ACS to keep lots of plates spinning.
    If users are in an external databases the latency (per authentication) can increase depending on where the users are (eg Windows AD) and if bad enough can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
    If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?

  • Not able to install or generate acs server certificate

    Hi,
    I have a test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID without any authentication and it was not able to connect successfully.
    But now I want to try to enable WPA2 Enterprise (actually, after checking with the test set-up, I am going to implement it in the live set-up where I have to configure WPA2 Enterprise, so I would like to test WPA2 Enterprise, not WPA2 Personal).
    I have ACS server 3.0 trial version installed on Windows Server 2000, and
    on the AP 1131 I have configured the RADIUS server commands
    (aaa new-model and radius-server host ... ip address ... key ... shared secret ... password ...).
    I am confused about the certificate that is required to be installed on the ACS server, but I am not able to generate the certificate or get the certificate from anywhere in the ACS server options.
    How do I generate the ACS server certificate in trial version 3.0, and after generating it, how do I install it in the ACS server? And what about the client: will it be the same certificate that I need to install on the client PCs, and if yes, how do I add it to the client PCs, and if not, where will I get the client certificate?
    If I buy the ACS software to be installed on the Windows platform, I will get two certificates. What about the ACS trial version software? Will I be able to get a certificate?
    I am trying to refer to so many documents but they could not help me.
    Your help will be appreciated.
    Looking for proper information.

    Hi,
    Thanks for your response ....
    Obviously this ACS 3.0 is end of support, but when I tried to install ACS 4.0 or later, I am not getting an error saying "basic platform should be installed first, that is ACS 3.0".
    That is the reason I have gone for this edition.
    Should I go for upgrading ACS 3.0 to 4.1 or a later version?
    If so, will it be possible on the trial version?
    Please give me your suggestion.

  • Ip not excluded in dhcp server with acs server in the network

    Could someone explain what problem I could have in the following situation:
    A DHCP server, an ACS server, and various 3750 switches interconnected. A host in the network has been statically assigned one of the addresses that the DHCP server can hand out to the computers.
    Range of IPs the DHCP server assigns: 172.23.8.1 – 172.23.8.100
    Static IP of the host on the network: 172.23.8.17
    The IP 172.23.8.17 is not excluded in the DHCP server.

    Hello,
    I am not totally clear on what you are asking: do you want to statically assign IP 172.23.8.17 to your server? Can you clarify?
    Regards,
    GNT

  • How do I create a default account with an ACS Server

    Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
    When I add a new device (router or switch) I noticed that it will let me log in via the ACS-based authentication even before I set up the AAA-client account for this device in the ACS appliance. I do have the TACACS key and all the appropriate information on the router or switch, but I don't have an entry for it in the ACS appliance yet. This has puzzled me: where is this default account set up? I have another ACS server (Windows based); it seems to have completely different behavior when it encounters an unconfigured AAA client compared to the ACS appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
    This really concerns me from a security perspective.

    Hmm, ACS should not (by default) accept traffic from any old device.
    Could it be you have a wildcard IP address in your ACS network config somewhere that accidentally includes the new device?
    Or possibly a DNS name (instead of an IP address) that resolves to the address of the new device?
    Try changing the shared secret in the device; you should find you get errors in the Failed Attempts log.
    Also check the Passed Authentications report, as this includes the ACS network-config device name in the Access-Device column.
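Two of the replies on this page rely on the same property of TACACS+: the packet body is XORed with an MD5-derived keystream seeded by the shared secret, so Wireshark can show a capture in the clear once it is given the key (the failover thread above), and a device with the wrong secret produces a body the server cannot parse, which is what shows up in Failed Attempts (the reply just above). The following is an added example, not code from either reply or from Cisco: it implements the RFC 8907 body obfuscation in Python, builds a PAP Authentication START packet as a router would send it, and decodes it with the right and a wrong secret. The session id, usernames, addresses and the secret "acskey" are constructed for the example; the decoder's parse-failure check is this example's own way of detecting a key mismatch.

```python
import hashlib
import struct

# Constants from RFC 8907 (the TACACS+ protocol as Cisco IOS and ACS implement it).
TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
TAC_PLUS_VER_PAP = 0xC1           # major version 0xC, minor version 1 (used for PAP START)
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated and truncated."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, password: str,
                       session_id: int, key: str) -> bytes:
    """Build the PAP Authentication START packet (seq_no 1) a router sends to the ACS."""
    user_b, port_b, rem_b, data_b = (s.encode("ascii") for s in (user, port, rem_addr, password))
    # action=LOGIN(1), priv_lvl=USER(1), authen_type=PAP(2), authen_service=LOGIN(1),
    # then the four one-byte lengths, then the variable fields; data carries the PAP password.
    body = bytes([1, 1, TAC_PLUS_AUTHEN_TYPE_PAP, 1, len(user_b), len(port_b), len(rem_b), len(data_b)])
    body += user_b + port_b + rem_b + data_b
    header = HEADER.pack(TAC_PLUS_VER_PAP, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key.encode(), TAC_PLUS_VER_PAP, 1)


def decode_authen_start(packet: bytes, key: str):
    """Decode a START packet with the given shared secret.

    Returns the parsed fields, or None when the body does not parse. A wrong secret
    yields a different keystream, so the 'decrypted' bytes are noise whose length
    fields no longer add up; Wireshark shows the same garbage with the wrong key."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key.encode(), version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != length:
        return None   # key mismatch (or a corrupt packet): lengths do not add up
    fields = body[8:]
    try:
        user = fields[:ul].decode("ascii")
        port = fields[ul:ul + pl].decode("ascii")
        rem_addr = fields[ul + pl:ul + pl + rl].decode("ascii")
    except UnicodeDecodeError:
        return None
    return {"seq_no": seq_no, "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user, "port": port, "rem_addr": rem_addr, "data": fields[ul + pl + rl:]}


# Constructed sample (not from the post): a router at 192.168.1.50 sending a PAP login for
# "admin" on tty1 with the shared secret "acskey".
SAMPLE_KEY = "acskey"
SAMPLE_SESSION_ID = 0x1234ABCD
SAMPLE_PACKET = build_authen_start("admin", "tty1", "192.168.1.50", "s3cret",
                                   SAMPLE_SESSION_ID, SAMPLE_KEY)

if __name__ == "__main__":
    print("right key:", decode_authen_start(SAMPLE_PACKET, SAMPLE_KEY))
    print("wrong key:", decode_authen_start(SAMPLE_PACKET, "wrongkey"))
```

The design point worth taking from this is that the "encryption" is a keystream derived from the shared secret and header fields only: anyone holding the secret and a capture reads every password that crossed the wire, which is why the earlier reply's request to be sent the capture together with the shared secret should be handled as a credential disclosure, and why the secret should be rotated afterwards.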

  • How enable read only access for ACS server itself

    Hi,
    We would like to know whether it's possible to create read-only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
    We need to create a login for a couple of users to log into ACS to check the "Reports and Activity" tab. Access to all other tabs should be disabled.
    We are using the ACS 4.0 version. Please let me know whether it's possible.
    Thanks
    Nachi

    Hi alexchy8,
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
    or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • CSM 4.0.1 is removing ACS Server password and then cannot add a new

    Hi,
    We just wanted to use CSM 4.0.1 to change the ACS server keyword on an FWSM 3.2(5), but in the transcript I see how it removes the key and then the next statement is to add a 127.0.0.1 ACS server that I have never defined, and that fails because the connection is lost.
    Can CSM be used to change the ACS keyword and not lose the connection before changing it? The product allows such a change and does not stop, albeit it should now that this is unsuccessful.
    Here is the transcript!
    Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
    Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
    ! COMMENT: Device reported error here and stopped accepting further commands
    ! COMMENT: BULK END
    Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
    Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
    Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
    I think there are multiple problems, first it removes the key but does not add one and then it wants to add 127.0.0.1 to it and does not use an interface?

    I would say that it is the interface problem, but not that it had no interface; it had another interface.
    The whole interface story is somewhat stupefying for me.
    What I wanted to do is to use a single AAA server definition for all my contexts on an FWSM; due to multiple imports in the beginning I ended up having 40 or so in the objects.
    Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interfaces with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
    This verification of the AAA server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection set up, so I could make changes, because we have not used the local user for more than 3 years and had 3 weeks to search for it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last Thursday.

  • Upgrading an ACS Server from 5.0 to 5.1

    I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
    I tried to do it by CLI.
    What CLI command do I use and what patch?
    Thanks !

    in the monitoring and report I have this
    AAA Protocol > TACACS+ Authentication
    Authentication Status :
    Pass or Fail
    Date :
    December 09, 2009
    Dec 9,09 11:52:20.200 AM
    13029 Requested privilege level too high
    admin.ad
    switch
    Device Type:All Device Types, Location:All Locations
    Default Device Admin
    AD1
    Thanks !

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running LWAPP (2006 WLCs and 1242 APs) and using ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them increases, they start to drop the connections and are prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"... Not sure if this error message is relevant, since we have other WLCs that are working OK and still generating the same error message on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    My thought is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? If yes, how should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • ACS Failover is not working

    We are running primary and secondary ACS servers 4.0 on appliances, and they have been configured for automatic replication every 6 hours between them. When the primary server goes offline because of a network issue, the secondary is supposed to authenticate, but it is not happening. Hence we are forced to use the local accounts configured in the networking device to log in and make configuration changes. Please note all our devices are configured to use both primary and secondary ACS servers.
    Has anyone in this group come across such a problem?

    Sudipto
    There could be several things that cause your problem.
    My first question would be whether the network devices and the backup server are correctly configured for each other. If you change the configuration of some network device, removing the definition of the primary ACS server so that the only server configured is the backup, does the network device authenticate with the backup?
    My second question would be when there is a network issue with the primary server is it possible that the network issue also impacts connectivity to the backup server? Can you check the logs on the backup server and see whether it received authentication requests? If it did receive authentication requests what was its response (were they authenticated or denied)?
    My third question is whether the network devices are attempting to fail over. The best way to determine this would be from the output of some debugs. I suggest that on the router you configure debug aaa authentication and debug tacacs authentication (or radius if you are using radius instead of tacacs). If you could post the debug output, taken when the problem is going on, it would help us to analyze your problem.
    I have had some experience with certain failure modes on the ACS server in which the network devices would not fail over to the backup. I had a TAC case on this which resulted in a bugID. I am aware of several other bugIDs for similar issues where failover did not occur on remote devices due to certain failure modes on the server. But in these cases there was connectivity to the server and the server was sending a response which was not expected by the remote network device. From your description it sounds like there is no connectivity, so I assume it is not the same issue.
    If you can answer the questions that I listed and provide the debug output I hope that we can help to resolve your issue.
    HTH
    Rick
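    As an added illustration (not from this thread or from Cisco), a small Python model of how a method list such as `group TACACS local` behaves, covering both the method-list description above and the failover point in Rick's reply: servers in the group are tried in order, any answer from a reachable server (pass or reject) is final, and the local database is consulted only when no server in the group responds at all. The server names, user databases and the TIMEOUT state are constructed for the example.

```python
"""Model of IOS-style AAA method-list evaluation with server-group failover
(added illustration, not Cisco code). For a method list such as
    aaa authentication login default group TACACS local
the next method is consulted only when the current one returns ERROR (no
server in the group answered). A reject from any reachable server is a final
FAIL, so 'local' is not a fallback for a wrong password or an unknown user.
Server names, user databases and the TIMEOUT state are constructed."""
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR, TIMEOUT = "PASS", "FAIL", "ERROR", "TIMEOUT"
Method = Callable[[str, str], str]  # (user, password) -> PASS | FAIL | ERROR

def tacacs_server(users: Dict[str, str], reachable: bool) -> Method:
    """Constructed TACACS+ server; an unreachable one never answers."""
    def answer(user: str, pw: str) -> str:
        if not reachable:
            return TIMEOUT
        return PASS if users.get(user) == pw else FAIL
    return answer

def server_group(servers: Dict[str, Method], tried: List[str]) -> Method:
    """'group <name>': servers are tried in order; any answer is final and
    ERROR is returned only when every server times out. Contacted servers
    are appended to `tried` so callers can see the failover path."""
    def authenticate(user: str, pw: str) -> str:
        for name, srv in servers.items():
            tried.append(name)
            result = srv(user, pw)
            if result in (PASS, FAIL):
                return result
        return ERROR
    return authenticate

def local_users(users: Dict[str, str]) -> Method:
    """'local' method backed by the device's own user database."""
    return lambda user, pw: PASS if users.get(user) == pw else FAIL

def method_list(methods: List[Method], user: str, pw: str) -> str:
    """Evaluate left to right; move to the next method only on ERROR."""
    for method in methods:
        result = method(user, pw)
        if result != ERROR:
            return result
    return ERROR

def login(user: str, pw: str, primary_up: bool, secondary_up: bool) -> Tuple[str, List[str]]:
    """'group TACACS local' with two ACS servers; returns (result, servers tried)."""
    acs_users = {"admin": "Secret1"}                  # constructed ACS database
    tried: List[str] = []
    group = server_group({"primary": tacacs_server(acs_users, primary_up),
                          "secondary": tacacs_server(acs_users, secondary_up)}, tried)
    local = local_users({"emergency": "LocalPw1"})    # constructed local account
    return method_list([group, local], user, pw), tried
```

    With both servers reachable the local emergency account is rejected by the primary and never reaches `local`; it works only once both servers have timed out.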

  • ACS Server certificate export

    Hello,
    We are in the process of renewing a certificate for our ACS server (v3.2). Is there a way to export the certificate currently in use?
    We don't want to lose it if we install a certificate that does not work. We are also exploring using a self-signed certificate, but we're not sure if that will meet our needs.
    Thanks!

    Thanks for the info...unfortunately, we tried doing the self-signed certificate, but clients couldn't connect to our wireless network (we use that to authenticate wireless users). We then tried to do a restore from a backup taken earlier this morning and it's still trying to restore - as if something is hung and won't shut down.
    This is ACS 3.2 running on a Windows 2003 server.
