ACS vlan assignments fail
I currently have a WLC 5508 and ACS 5.1; previously the only access policy was default network access with the authorization profile "permit access".
My users and machines successfully authenticate against radius via AD.
I want to consolidate some SSIDs and use dynamic VLAN assignments via RADIUS. I created a new VLAN, SSID, service, service selection rule, and authorization profile (end station filters, etc.); all of this works if the authorization profile is set to permit. When I add the profile with the VLAN it begins failing. I have used just the VLAN profile, and the VLAN profile and the default permit profile together in both orders.
If I do not enable radius override on the WLC I get message saying radius overrides globally disabled.
Once I turn on overrides and use the authorization profile with the VLAN I get "web auth failed, radius server disabled".
The RADIUS server log shows "could not find network resource or AAA client while accessing NAS by IP" during authentication.
What am I missing?
Thanks,
OK, while taking screen shots and reviewing logs to send this morning I discovered the NAS IP in the failure log.
On a successful login of my current operations the nas ip is the management ip of the wlc x.x.16.254
On the failed logins with the VLAN assignment the NAS IP is the IP of the interface assigned to the WLAN, in this case x.x.3.5.
Once I added 3.5 as an AAA client and the shared key I can successfully authenticate with my test auth profile with vlan assignment.
However I stay in the vlan of the wlan interface, I do not get moved to a new vlan as I should.
I have attached the screen shots. Let me know if there is more info you need.
Thanks,
Dynamic VLAN assignments with ACS
Hello all.
I am trying to do dynamic vlan assignments with dot1x auth. I am using ACS5.3 and Cisco 3560.
I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
aaa group server radius nac_servers
 server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
aaa authentication dot1x default group nac_servers
aaa authorization network default group nac_servers
interface FastEthernet0/2
 switchport mode access
 switchport voice vlan 364
 srr-queue bandwidth share 10 10 60 20
 srr-queue bandwidth shape 10 0 0 0
 priority-queue out
 authentication event no-response action authorize vlan 303
 authentication host-mode multi-domain
 authentication port-control auto
 mls qos trust cos
 auto qos voip trust
 dot1x pae authenticator
When the user connects I get the following via debug:
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
Any idea what config I'm missing?
Thanks
Paul
Hello.
Here is whats left in the log.
Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.253: EAPOL pak dump rx
Apr 30 15:19:36.253: EAPOL Version: 0x1 type: 0x0 length: 0x007B
Apr 30 15:19:36.253: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.278: EAPOL pak dump rx
Apr 30 15:19:36.278: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.278: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
Apr 30 15:19:36.294: EAPOL pak dump rx
Apr 30 15:19:36.294: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Apr 30 15:19:36.294: dot1x-ev:
dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
Hope that helps -
FlexConnect, EAP-TLS and dynamic VLAN assignments
I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
I have some questions:
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaming is where the associated WLC has changed. However, if a user moves to a different subnet but is still associated to the same WLC, would this be considered L3 roaming too?
Can someone assist to clear my confusion here? Any reference URL for layer 2 and layer 3 roaming details is appreciated. Thanks
I'll give this a shot :)
For RADIUS VLAN attributes, both ACS and ISE have the ability in the policies to just enter the VLAN ID in the profile. You can either do that or use the IETF attributes.
The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
64 (Tunnel-Type) should be set to VLAN (Integer = 13)
65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
You can find this by searching on Google.... A lot of examples out there
v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
Layer 3 roaming is what's going to happen if the APs are in local mode. This means that the client will keep their IP address no matter what AP they are connected to and/or WLC, as long as the mobility group is the same. So a user who boots up on floor 1 will keep their IP address even if he or she roams to the 12th floor, as long as he or she didn't lose wireless connection.
FlexConnect you can do that. The APs are trunked and need to have the VLANs. So what you're trying to do will be disruptive to clients. When they roam to another floor AP that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
Hope this helps.
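As an added illustration of the three RFC 2868 attributes listed above (example code written for this page, not Cisco's and not the poster's), the following Python encodes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) the way they appear in an Access-Accept, then decodes them back, honouring the RFC 2868 tag rule that only a leading byte in 0x00-0x1F is a tag. The VLAN values and the extra Class attribute in the test are constructed.

```python
import struct

# IETF RADIUS attribute numbers from RFC 2868 (as cited in the reply above)
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value "IEEE 802"


def encode_tagged_int(attr_type, value, tag=0):
    """Tagged integer attribute (RFC 2868 s.3.1): Type, Length=6, Tag, 3-byte value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type, text, tag=0):
    """Tagged string attribute (RFC 2868 s.3.6): Type, Length, Tag, string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    data = text.encode("ascii")
    length = 3 + len(data)
    if length > 255:
        raise ValueError("attribute too long for one AVP")
    return struct.pack("!BBB", attr_type, length, tag) + data


def vlan_assignment_avps(vlan, tag=1):
    """Build the three AVPs an Access-Accept carries for dynamic VLAN assignment.
    `vlan` may be a number or, for IOS switches, a VLAN name."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan), tag))


def parse_avps(buf):
    """Yield (type, value_bytes) for each attribute in a RADIUS attribute list."""
    off = 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header")
        attr_type, length = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError("bad attribute length")
        yield attr_type, buf[off + 2:off + length]
        off += length


def split_tag(value):
    """RFC 2868: the first byte is a tag only if it is 0x00..0x1F; otherwise the
    whole field is the value (and the attribute counts as untagged, tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def extract_vlan(buf):
    """Return the VLAN id/name a NAS would apply, or None if the tunnel triple is
    incomplete, not a VLAN, or split across mismatched tags."""
    groups = {}
    for attr_type, value in parse_avps(buf):
        if attr_type not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue  # unrelated attributes (Class, Session-Timeout, ...) are ignored
        tag, body = split_tag(value)
        group = groups.setdefault(tag, {})
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            group[attr_type] = body.decode("ascii", "replace")
        else:
            group[attr_type] = int.from_bytes(body, "big")
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None
```

The decoder deliberately returns None rather than guessing when only one or two of the three attributes are present or when their tags differ; a NAS behaves the same way and leaves the client on the interface's default VLAN, so this is the first thing to verify in a RADIUS capture when a dynamic VLAN is not applied.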
-
802.1x Machine and User Auth Vlan assignments
I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
Here is how it's working now:
1. Machine authenticates to ACS and assigned to a Vlan
2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
So, how are others assigning machines to VLANs in large multi-VLAN networks using ACS and 802.1x?
By default users and computers belong to different global groups, "Domain Users" vs. "Domain Computers" for example.
As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
Note: A good way to troubleshoot this is to notice it in action via show command:
Here's an example of what you should see on a switch port.
AuthSM State = State of the 802.1X Authenticator PAE state machine
VALUES:
AUTHENTICATED -- Auth Succeeded
AUTHENTICATING -- Auth is attempting
CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
HELD -- Auth probably failed.
BendSM State = State of the 802.1X back-end authentication state machine
VALUES:
IDLE -- Nothing is happening.
REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a misbehaving supplicant, because it shouldn't take that long to send an EAPOL frame. The switch will eventually time out and start auth over.
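The REQUEST/RESPONSE dwell-time check described above can be automated against the dot1x-ev debug output shown earlier on this page. The Python below is an added example (not Cisco's and not the poster's code): it times how long each port waits on AAA (after "Response sent to the server", i.e. the REQUEST state) and on the supplicant (after "Sending EAPOL packet to", i.e. the RESPONSE state), and flags RESPONSE waits longer than one second as the post suggests. The five-second REQUEST limit and the sample log lines, modelled on the debug format above with a second, constructed port Fa0/5, are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the dot1x-ev debug lines in the thread above.
# Fa0/2 behaves normally; Fa0/5 is a constructed port whose supplicant answers late.
SAMPLE_LOG = """\
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.007b
Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.002b
Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
Apr 30 15:19:40.100: dot1x-ev(Fa0/5): Received pkt saddr =0011.2233.4455 , daddr = 0180.c200.0003,
Apr 30 15:19:40.100: dot1x-ev(Fa0/5): dot1x_sendRespToServer: Response sent to the server from 0x55000022 (0011.2233.4455)
Apr 30 15:19:40.120: dot1x-ev(Fa0/5): Sending EAPOL packet to 0011.2233.4455
Apr 30 15:19:45.900: dot1x-ev(Fa0/5): Received pkt saddr =0011.2233.4455 , daddr = 0180.c200.0003,
"""

TS_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (.*)$")
IF_RE = re.compile(r"dot1x-ev\(([^)]+)\):")
SUCCESS_RE = re.compile(r"%DOT1X-5-SUCCESS: .* on Interface (\S+)")


def _parse_ts(text):
    # IOS debug timestamps carry no year; only differences matter here, so 1900 is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def analyze(log_text):
    """Return {interface: {"request": [secs...], "response": [secs...]}}.
    "request" = time spent waiting on AAA, "response" = time waiting on the supplicant."""
    state = {}   # interface -> (state_name, entered_at)
    dwell = {}

    def record(iface, name, since, now):
        dwell.setdefault(iface, {"request": [], "response": []})[name].append(
            (now - since).total_seconds())

    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # continuation lines such as "pae-ether-type = ..." carry no timestamp
        now, msg = _parse_ts(m.group(1)), m.group(2)
        done = SUCCESS_RE.search(msg)
        if done:
            iface = done.group(1)
            cur = state.pop(iface, None)
            if cur and cur[0] == "request":
                record(iface, "request", cur[1], now)  # AAA answered with success
            dwell.setdefault(iface, {"request": [], "response": []})
            continue
        found = IF_RE.search(msg)
        if not found:
            continue
        iface = found.group(1)
        cur = state.get(iface)
        if "Response sent to the server" in msg:
            state[iface] = ("request", now)          # now waiting on AAA
        elif "Sending EAPOL packet to" in msg:
            if cur and cur[0] == "request":
                record(iface, "request", cur[1], now)
            state[iface] = ("response", now)         # now waiting on the supplicant
        elif "Received pkt saddr" in msg:
            if cur and cur[0] == "response":
                record(iface, "response", cur[1], now)
            state.pop(iface, None)
    return dwell


def flag_slow(dwell, response_limit=1.0, request_limit=5.0):
    """List (interface, state, seconds) for waits above the limits. The one-second
    RESPONSE limit follows the post; the REQUEST limit is an assumed value."""
    findings = []
    for iface, d in sorted(dwell.items()):
        findings += [(iface, "RESPONSE", s) for s in d["response"] if s > response_limit]
        findings += [(iface, "REQUEST", s) for s in d["request"] if s > request_limit]
    return findings


if __name__ == "__main__":
    for iface, state_name, secs in flag_slow(analyze(SAMPLE_LOG)):
        print(f"{iface}: stuck in {state_name} for {secs:.3f}s")
```

Long REQUEST waits point at the RADIUS server or the path to it (the first thread on this page, where the switch could not reach an AAA client definition, is that kind of failure), while long RESPONSE waits point at the supplicant, which is the distinction the post above draws.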
Hope this helps, -
Patch rollup for Cisco Secure ACS 4.2 fails.
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
Thanks
Thanks for the feedback. I attempted the patch rollup install again and it failed in the same place, on the database upgrade. I did think of one thing. Do I need to have my antivirus/protection services disabled prior to installing the rollup?
Also my versions are as follows:
Server OS - Windows Server 2003 R2
Cisco Secure ACS - 4.2.(0) Build 124
Thanks,
Richard Jaehne -
ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect
We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over... TCP 2000.
Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined by the IETF as a well-known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
And no... we should not have to disable the inspect-policy for skinny on the ASAs. :-)
Any help to quell my frustration on this topic would be appreciated.
Thanks,
-Scott
Scott,
If disabling the inspection of the skinny protocol is not feasible, the following configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
#Define what traffic you want inspected:
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
#Create a class map to match the acl
class-map skinny_map
match access-list skinny_acl
#Under the global policy, take the skinny inspection out of the
#class inspection_default, and add it under our new class
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class skinny_map
inspect skinny
service-policy global_policy global
###Will be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
Global policy:
Service-policy: global_policy
Class-map: skinny_map
Match: access-list skinny_acl
Access rule: permit tcp any any eq 2000
Action:
Input flow: inspect skinny
FWSM(config-pmap-c)#
###Will not be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
Global policy:
Service-policy: global_policy
FWSM(config-pmap-c)#
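To see why the two deny entries exempt the replication flows from inspection, the Python below (an added example, written for this page and not part of the reply or of Cisco's tooling) evaluates the skinny_acl lines with first-match semantics: a deny match means the flow does not belong to class skinny_map, so "inspect skinny" is not applied to it. The 172.16.x.x and 10.x.x.x addresses come from the show service-policy flow output above; the reordered ACL in the test is a constructed variant that shows why the deny lines must come before the permit.

```python
import ipaddress

# The three ACL lines from the reply above, in the order given there.
SKINNY_ACL = [
    "access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6",
    "access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3",
    "access-list skinny_acl extended permit tcp any any eq 2000",
]


def _parse_addr(tokens, i):
    """Consume one ASA address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[:1] != ["access-list"] or len(t) < 7 or t[2] != "extended":
        raise ValueError("unsupported ACL line: " + line)
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):
        raise ValueError("unknown action: " + action)
    src, i = _parse_addr(t, 5)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(t[i + 1])
    return {"name": t[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def first_match(aces, proto, src, dst, dport):
    """Return the action of the first ACE that matches the flow, or None for the
    implicit deny at the end of the list. Order matters: the first hit wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return None


def skinny_inspected(proto, src, dst, dport, acl_lines=SKINNY_ACL):
    """True when the flow lands in class skinny_map (ACL result 'permit'), which is
    the only class carrying 'inspect skinny' in the policy-map above. A 'deny' hit
    or no hit at all keeps the flow out of the class, so it is not inspected."""
    aces = [parse_ace(line) for line in acl_lines]
    return first_match(aces, proto, src, dst, dport) == "permit"
```

Because a class-map's match access-list treats deny entries as "not in this class", the two host-to-host denies must precede the broad permit; reversing them would put the replication traffic back under skinny inspection, which the test below checks.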
Regards,
~JG
Please rate if it helps! -
ACS Machine Authentication Fails Every 30 Days
Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
TAC has been working with us on this and sees the error in the logs but does not have an answer on what to do to solve this. It has the same problem with Wireless Zero.
Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is not just a minor problem.
So it looks like this is the official Microsoft answer:
Hello Tom,
I had a discussion with an escalation resource on this case and updated him on what we found so far. From what I understand this is a known issue when the client is using PEAP with computer authentication only, and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
Regards
Krishna -
Secondary ACS 5.1 fails to Deregister, after IP change on Primary
IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload -
apparently because it cannot reach the Primary at its old IP address.
Requesting Deregister in GUI generates pop-up that says, "This operation will deregister this ACS Instance from the Primary Instance.
Management applications on this ACS instance will be restarted and you will be required to login again. After performing this operation
please wait five minutes for this restart to complete.
Do you wish to continue?" [ OK ]
But, checking back after 10 minutes -- or even the next day -- finds the Secondary's status unchanged.
Also tried Local Mode, Deregister from Primary; this also fails.
Does anyone have HOWTO URL on a total rebuild of ACS application?
Both ACS are CACS-1121-K9 running 5.1.0.44.4.
Thanks in advance for any help...
*** UPDATE: ***
Recommended command, "application reset-config acs", was _exactly_ what was needed.
jrabinow - many thanks! :-)
also, thank you for mentioning that the license would be required, so that I could locate it in advance and have it ready.
Since there were no local certs on the server, we did not need to re-install those.
Since this is a secondary it should not have too much in terms of specific configuration.
Therefore one possibility is to reset the configuration so it once again becomes just a standalone node and then register back to the deployment as is done for any new node and as you previously registered it.
reset configuration can be done using the following command at the CLI:
application reset-config acs
Note that after you reset the configuration you will need to reinstall the license so make sure you have this to hand
Also, if you have installed a server certificate for the secondary server you would need that too. -
CiscoWorks: VLAN creation failed via CM-VLAN Configuration
Hi,
I have been trying to create a VLAN on a single switch via CM-VLAN Configuration and am getting the message below, although the switch is configured with the correct SNMP and I can back up the same device via RME and also deploy config to it via NetConfig.
Please advise. Thanks
I am using LMS 3.2.1; CM 5.2.2; RME 4.3.2
Creation of VLAN failed
"There were some errors during operation."
Failed to perform the operation on 10.*.*.* Cause:An error occured while performing SNMP operation.
Action: Examine and save the server log file and report the error to the product administrator for further action.
The credentials can be changed under Common Services > Device and Credentials > Device Management. Select the devices and click the Edit Credentials button. Fill in the correct username and password for these devices.
-
Service-policy on Vlan interface failed
Hi, All!
This is my configuration:
class-map match-any voip_control_trust-CMAP
match ip dscp cs3
match ip dscp af31
class-map match-any voip_rtp_trust-CMAP
match ip dscp ef
class-map match-any internetwork-cntrl-CMAP
match ip dscp cs6
policy-map output_qos-PMAP
class voip_rtp_trust-CMAP
priority 56
class voip_control_trust-CMAP
bandwidth percent 2
class internetwork-cntrl-CMAP
bandwidth percent 5
class class-default
fair-queue
random-detect
cisco(config)#int Vlan 2
cisco(config-if)#service-policy output output_qos-PMAP
Configuration failed!
It was tested on 877, 871, 871W, 877W with ios c870-advipservicesk9-mz.124-15.T5.bin, c870-advipservicesk9-mz.124-15.T8.bin, c870-advipservicesk9-mz.124-15.T10.bin, c870-advipservicesk9-mz.124-15.T11.bin, c870-advipservicesk9-mz.124-24.T2.bin
Strange error. Does anybody know what's the problem?
OK, I tried to make a workaround solution:
policy-map OUTPUT_QOS_PMAP
class VOIP_RTP_TRUST_CMAP
priority 56
class VOIP_CTRL_TRUST_CMAP
bandwidth percent 2
class INETWORK-CTRL-CMAP
bandwidth percent 5
class class-default
fair-queue
random-detect
service-policy OUTPUT_QOS_PMAP
service-policy output OUTPUT_QOS_PMAP
interface Vlan2
description *** WAN SVI ***
bandwidth 256
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
bridge-group 1
end
interface BVI1
description *** WAN BVI ***
bandwidth 256
ip address 10.96.0.57 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
service-policy output OUTPUT_QOS_PMAP
end
sh policy-map interface
BVI1
Service-policy output: OUTPUT_QOS_PMAP
queue stats for all priority classes:
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
Class-map: VOIP_RTP_TRUST_CMAP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp ef (46)
0 packets, 0 bytes
5 minute rate 0 bps
Priority: 56 kbps, burst bytes 1500, b/w exceed drops: 0
Class-map: VOIP_CTRL_TRUST_CMAP (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs3 (24)
0 packets, 0 bytes
5 minute rate 0 bps
Match: ip dscp af31 (26)
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 0/0/0
(pkts output/bytes output) 0/0
bandwidth 2% (5 kbps)
Class-map: INETWORK-CTRL-CMAP (match-any)
6 packets, 896 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: ip dscp cs6 (48)
6 packets, 896 bytes
5 minute rate 0 bps
Match: access-group name IKE
0 packets, 0 bytes
5 minute rate 0 bps
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops) 5/0/0
(pkts output/bytes output) 6/1120
bandwidth 5% (12 kbps)
Class-map: class-default (match-any)
11 packets, 660 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: any
Queueing
queue limit 64 packets
(queue depth/total drops/no-buffer drops/flowdrops) 10/0/0/0
(pkts output/bytes output) 11/660
Fair-queue: per-flow queue limit 16
Exp-weight-constant: 9 (1/512)
Mean queue depth: 0 packets
class Transmitted Random drop Tail/Flow drop Minimum Maximum Mark
pkts/bytes pkts/bytes pkts/bytes thresh thresh prob
0 11/660 0/0 0/0 20 40 1/10
1 0/0 0/0 0/0 22 40 1/10
2 0/0 0/0 0/0 24 40 1/10
3 0/0 0/0 0/0 26 40 1/10
4 0/0 0/0 0/0 28 40 1/10
5 0/0 0/0 0/0 30 40 1/10
6 0/0 0/0 0/0 32 40 1/10
7 0/0 0/0 0/0 34 40 1/10
BUT! While the service-policy is on the interface, nothing works.
sh int bvi1
BVI1 is up, line protocol is up
Hardware is BVI, address is 0025.454a.940d (bia 0024.c495.6780)
Description: *** WAN BVI ***
Internet address is 10.96.0.57/24
MTU 1500 bytes, BW 256 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 74
Queueing strategy: Class-based queueing
Output queue: 33/1000/0 (size/max total/drops)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
114 packets output, 11034 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
ping 10.96.0.1 source bvi1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.96.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.96.0.57
Success rate is 0 percent (0/5) -
Vlan.dat Failed retrieval
Hello,
I have seen the various posting regarding how LMS copies vlan.dat : ie over tftp.
I have verified login credentials over SNMP and SSH and these come back Ok however I still get :
VLAN
CM0151 VLAN RUNNING Config fetch failed for <switch> Cause: Command failed
VLAN Config fetch is not supported using TFTP.
TELNET: Failed to establish TELNET connection to 10..x.x.x - Cause: Connection refused.
Action: Check if protocol is supported by device and required device package is installed. Check device credentials. Increase timeout value, if required.
So can someone please answer why it is saying it is trying over telnet when it is configured to do it over SSH?
Telnet was tried because the retrieval over SSH failed. The way vlan.dat is archived is RME will login to the device via SSH or telnet, then issue a "copy flash:vlan.dat tftp:" command. This means that TFTP must be allowed from the device to the RME server. Make sure this copy command can be executed manually.
-
ACS Expert troubleshooter fails to display existing log entry
Hello everybody,
I ran into the following issue. Let's say the RADIUS log (today) displays entries for user ABC (both successful and unsuccessful). BUT, when I use the 'expert troubleshooter' to search for exactly the same user (both pass or fail authentication), the search results come out empty.
This happens for all log entries (=users) and on different computers on different browsers. ACS version is 5.4 (upgraded to different patches to no avail).
Anybody experienced that? An existing bug notice will also be appreciated.
Yet, I have not seen any bug for this. Please have a look at the guide to understand the functionality of Expert Troubleshooter:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/viewer_troubleshooting.html#wp1057685 -
I upgraded ACS from 4.1.4 to 4.2. I need to downgrade back to 4.1.4 without reinstalling the W2003 server! But when I remove 4.2 I could not reinstall 4.1.4 because of "4.1.4 must be installed only on top of 4.1.1.x or 4.1.3.x". Using the Clean.exe utility does not solve it. Cleaning the registry does not solve it. I tried to watch "what was going on behind" (find the relevant lock file or registry entry) using programs like FileMon and RegMon, but without success. Thanks for any help in advance. RJ
Hello,
If you have the ACS 4.2 CD there is a support folder -> clean -> clean.exe. If you run this utility it will completely remove ACS from your system. If you do not have the ACS 4.2 CD please open a TAC case if you have a contract and we can provide the media for you. The clean utility is version specific so you will need the 4.2 CD to remove the 4.2 install.
--Jesse -
Concerning OTV and VLAN Assignments
I've been looking around but can't find any specific information...
When configuring OTV between data centers, is it required/advisable/best practice to have the VLANs that you need to extend from one DC to another have the same VLAN ID? Does that matter?
For example, VLAN 10 in New York DC is the 172.31.12.0/23 network. I want to extend the 172.31.12.0/23 network to the Los Angeles DC. Does the VLAN ID in the LA DC need to be VLAN 10 or can I use any VLAN ID in this case?
Thanks!
Hi Clay,
In my opinion it would be best practice to have the same VLAN numbering across the data centres you're extending VLANs, purely to keep things simple. Obviously if you translate from one VLAN number to another it will add some complexity and so complicate troubleshooting to some extent.
As far as whether having the same IP subnet assigned to different VLAN numbers is possible, I'm afraid you can't do this today. As of November 2012 Cisco were saying support for OTV VLAN translation would be available in the Nexus 7000 NX-OS 6.2 release. If you have Cisco Partner level access you can see the Nexus 7000 Roadmap Update presentation where this is discussed (see slide 11).
Regards -
Hi, running the migration tool, I receive the following request:
Make sure that the database is running.
ACS 4.x DB is not available, Enter ACS 4.x database password(Encrypted Password)
With the plain database password, used during the ACS installation, I receive a fatal error message at the end of the procedure like this: "Fatal Error !! - cannot connect to ACS 4.x DB !!"
Where can I find the ACS encrypted database password ?
Following the migration log:
10-07-2011 11:41:31 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
10-07-2011 11:46:52 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
10-07-2011 11:58:08 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
10-07-2011 11:58:28 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL - Fatal Error !! - cannot connect to ACS 4.x DB !!
java.sql.SQLException: [Sybase][ODBC Driver][Adaptive Server Anywhere]Invalid user ID or password
at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection(Native Method)
at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
at java.sql.DriverManager.getConnection(Unknown Source)
at java.sql.DriverManager.getConnection(Unknown Source)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)
I'm running the migration tool on a clone VMware machine, from the console.
thank you in advance
Hello, I have the same issue, migration utility can get acs4.x database password, entering the correct password does not change the error message: "05-07-2014 16:19:41 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle"
It seems that there is somewhere in the scripts a coded path to "C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c"
tried to search within the files in the migration utility directory, but no success.
Does anybody know the answer?
regards
Thomas