Cisco ACS 4.2.1 authentication problem
We are using cisco ACS 4.2.1 on windows 2003 to authenticate with windows 2003 Actice Directory. We have update Active directory server windows 2008 version. We have checked the configuration of ACS on windows database and no problem but we can't see in ACS dynamic user. I have authentication problem ACS 4.2.1 to Windows 2008 R2 active directory.
Hi there,
There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
Also if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want ready my previous answer.
Let me know if this helps.
Similar Messages
-
[Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid
Hi,
I got many Cisco AP which are linked to 2 Cisco WLC.
On each WLC, I configured a primary and a secondary RADIUS Server.
RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
Primary and secondary ACS configurations are synchronized.
There are no problem between primary WLC and Cisco ACS (primary and secondary).
When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
The two Cisco ACS are synchronized so I should have same error on them...
Why does primary ACS generate this error?
Thanks for your help,
PatrickTarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
*Please rate helpful posts*
Yes. That is a good point.
With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
Rating useful replies is more useful than saying "Thank you" -
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, DavidHard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.
-
Cisco ACS 4.2(1) Certificate problem
Hi guys,
I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
best regards,
NCAnyone?
I think this maybe some Bug but i am not so sure about that.
regards,
NC -
ACS 4.1 machine authentication problem
Hi,
I'm using the Cisco NAC framework in order to authenticate both users and machines before granting network access. i'm using windows AD to authenticate users and machines.
Under "External User Databases" -> Windows Authentication Configuration, you can configure some machine authentication settings.
I have to enable "Enable Machine Access Restriction" in combination with the group map "no access". Otherwise, even though machine authentication has failed, an authorized user can still login with an unauthorized machine (it will only appear in the failed attempts log but it will not be restricted).
This works, but the problem is the "aging time". The ACS caches the machines for a certain amount of time (12 hours by default). Now if a user logs off and he waits 12 hours to logg back on, authentication will fail (because machine authentication is already performed just after being logged off).
Is it possible to force machine authentication (together with the user authentication) at Windows log on?
Kind regardsACS 4.1 machine authentication can work on windows. This issue occurs in an environment where there is more than one global catalog server for the domain. Restart CSAuth.exe service, and then try to authenticate again (with Machine credentials)
-
Cisco ACS 5.1 Machine Auth Problem
Hi All,
I have a query regarding ACS 5.1 using EAP-PEAP (machine auth plus user name and password). I have successfully setup AD authentication using Machine auth and user credentials and this works ok for corporate wireless devices and users.
My ACS rules are machine auth against AD computers which gives a positive/pass, then a rule against user but ensuring the device is a valid domain device with "was machine authenticated = TRUE".
The problem is when using a Windows 7 device (laptop) and logging in using the local admin account I successfully connect to the network but the local Admin account is not in AD. By default the W7 wireless adapter under security>advanced settings> specify authentication mode is computer authentication only.The W7 client doesn't send over any user credentials?
Has anyone come across this problem before? Do I need to tweek the W7 clients via GP or is there a way of stopping just machine authentication with out a valid user name and password?
Realy appreciate any responses and thank you in advance.
Jasoncheck out
http://technet.microsoft.com/en-us/library/dd759219.aspx -
Cisco ACS Appliance and Passed Authentication Logs
I'm seeing something on our ACS appliance logs that looks kind of odd (but it is working fine).
When I look at the "Passed Authentication" logs, the users seem to show up about 3 time a minute (each). Maybe I am missing something, but this seems like some type of over-reporting.
Any ideas why this would be happening? I'm probably missing something obvious, but since I'm new to this I can't find the problem.
Thanks for any suggestions!What version of CSACS are you running? Has this just started happening, or was the problem just identified? It could be a performance issue if in fact everything was reauthenticating every 20 sec. Are all your devices showing up, or just wired or wireless? It could be a slight misconfiguration that could be hard to find. If you have the capability, you might want to capture the traffic going to your CSACS server to see if the authentications are actually happening, or like you mentioned...just reporting issues. I ope this helps.
-
Cisco ISE AD (Windows Server 2013) Authentication Problem
Background:
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3.
Wireless users authenticates to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access wtih PAP/ASCII.
Problem:
Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE".
Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below:
xxdc01.xx.com (10.21.3.1)
Pinged:0 Mins Ago
State:down
xxdc02.xx.com (10.21.3.2)
Pinged:0 Mins Ago
State:down
xxdc01.xx.com
Last Success:Thu Jan 1 10:00:00 1970
Last Failure:Mon Mar 11 11:18:04 2013
Successes:0
Failures:11006
xxdc02.xx.com
Last Success:Mon Mar 11 09:43:31 2013
Last Failure:Mon Mar 11 11:18:04 2013
Successes:25
Failures:11006
Domain Controller: xxdc02.xx.com:389
Domain Controller Type: Unknown DC Functional Level: 5
Domain Name: xx.COM
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Action Taken:
Log on to Cisco ISE and WLC using AD credentials. This rules out AD connection, clock and AAA shared secret as the problem.
2) Tested wireless authentication using EAP-FAST but same problem occurs.
3) Detailed error message shows the below. This rules out any authentication and authorization polices. Before even hitting the authentication policy, the AD lookup fails.
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ISE
4) Enabled AD debugging logging and had a look at the logging. Nothing significant and no clues to the problem.
5) Tested wireless on different laptos and mobile phones with same error
6) Delete and add again AAA Client/Devices on both Cisco ISE and WLC
7) Restarted ISE services
8) Rejoin domain on Cisco ISE
9) Checked release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Nothing found related to this problem.
10) There are two ISE and two WLC deployed. Tested different combination of ISE1 to WLC1, ISE1 to WLC2 etc. This rules out hardware issue of WLC.
Other possibilities/action:
1) Test it out on a different WLC version. Will have to wait outage approval to upgrade WLC software.
2) Incompatibility of Cisco ISE and AD running on Microsoft Windows Server 2012
Anyone out there experienced something similar of have any ideas on why this is happening?
Thanks.
Update:
1) Built another Cisco ISE 1.1.3 sever in another datacentre that uses the same domain but different domain controller. Thais domain controller is running Windows Server 2008. This works and authentication successful.
2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.
This leads me to think there is a compatibility issue of Cisco ISE with Windows Server 2012.Does anyone know if ISE 1.1.3 p1 supports AD DCs running 2012, if not which patch is required ot version?
Worryingly when ISE joins a 2012 DC it states it's connected successfully, and if another 2003 DC is available in that datacentre it will perform the auths against that DC whilst actually advertising (Connections in the GUI) that it's connected to the 2012 DC. We ended up mapping 8 PSN IP’s to another datacentre which has one Win2003 servers whilst the old 2003 DC is being promoted back, the 8 ISE servers started working, even though they still advertised they were connected to the 2012 DCs in the original datacentre - I performed a leave and join on one PSN and only then did it advertise that the node was connected to a DC in a different datacentre -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_adminHi,
Since the ACS is receiving the request.
Could you please ensure that In ACE on every context (including Admin and other) you have following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On ACS side for group named "Network Administrators" you should configure in TACACS settting:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After loging to ACE and issuing sh users command you should see following
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts. -
Dear all,
Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
Best regards,
PiotrIf this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
I am sorry if I am not able to help but I am not using the anyconnect for production.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
Hi all
I have set up a dial up connection between to PC's at remote site and center. It using ISDN 30B+D which is configured on Router 3845. Currently I have configured authentic connection with username and password using Cisco ACS. To enhance the security configuration I want to authenticate both the phone number which dialup with Cisco ACS. And currently I have not done this. Please help me solve this problem.
Thanks so much
Longn1) I deleted bridge-utils, netcfg
2) I edited /etc/hostapd/hostapd.conf:
interface=wlan0
#bridge=br0
edited /etc/dnsmasq.conf:
interface=wlan0
dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
and edited /etc/rc.local:
ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
ifconfig wlan0 up
3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
Profit! -
ACE 4700 and Cisco ACS aaa authentication
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full
connectivity between the ACE and the ACS
server. Furthermore, the ACS server
works fine with other Cisco IOS devices.
Please help. Thanks.Thanks. Now I have another problem. I CAN
log into the ACE via tacacs+ account(s).
However, I get error when I try going into
configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco
routers/switches just fine and can go into
enable mode just fine. Only issue on the ACE.
Any ideas? Thanks. -
Cisco ACS 4.2 and Radius authentication?
Hi,
I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful post~ -
Hello
Did anyone experience problem with Service Selection Rules in Cisco ACS. When I click this tab ( it only works for me in google Chrome), configuration is normally opened. But when I want to edit one of two default rules (rules that match radius and tacacs) nothing happens. If I want to add new rule, popup window in normally opened but I am not able to add any conditions or results. It is just nothing to choose from. I have some attributtues under "customize window". It looks like some gui problems.
I am using
acs/admin# sh application version acs
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.0a
Internal Build ID : B.221
with trial license. I am running ACS on vmware player (1 GB of RAM and 1 proc).
Thanks in advance
General
Name:
Status:
Enabled Disabled Monitor Only
The Customize button in the lower right area of the policy rules screen controls which policy conditions and results are available here for use in policy rules.
Conditions
ResultsWhen dealing with Cisco ACS and Cisco ISE you have to be very careful with your web browsers. For example there's a major bug when using Cisco ISE 1.1.x and Chrome.
Back to ACS, please refer to the release notes to see the validated web browsers.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp222016
I have used ACS and ISE a lot, and we had many problems when using Internet Explorer and Chrome. That's why I prefer Firefox, but even with firefox we had little problems once in a while.
Please rate if this helps -
Cisco ACS for Unix authentication
My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config, Can I get the unix boxes to get authenticated against Radius?
Any help will be appreciated.
MannyHi,
Authentication of unix servers via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
Hope that helps out your query !!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H
Maybe you are looking for
-
Hi everyone, I have created a maual tabular form with the help of (HOW TO) document in OTN.For that I wrote maual update and manual delete process and evething is working fine.But in the manual update process i did not include the code to compare the
-
Progress bar completion function
How do we control the progress bar completion functions @ the end of the pages, so they reflect reasonably correct amounts?
-
Hi guys, Does anybody know what this error mean and how to resolve it: To SYSADMIN Sent 25-JUN-09 14:17:38 ID 4706955 The notification with the ID of experienced problems when attempting to dispatch an ema
-
IPad mini multitasking gestures ios diagnostic appears
I recently sent an ios diagnostic report to Apple, then I updated from ios 7.1 to 7.1.1, after that when using multitasking gestures, ios diagnostic window keeps appearing. How do I turn it off?? Thanks guys
-
Hp envenvy won't wake up after windows 10 upgrade
Hello, I have an hp envy and after I upgraded to windows 10, my laptop doesn't want to wake up after it goes to sleep, so i have no other option but to do a force restart. I read on another forum that I could try troubleshooting the power and it se