Cisco ACS 5.1 802.1x auth fails on LAN when WLAN connected

I am running Cisco ACS 5.1 802.1x with certificate-based authentication for wired and wireless connections. The issue that I am having is that when a user comes in from home with their laptop the wireless connection works, they pass the authentication and have network access fine. But when they plug the laptop into a docking station the LAN connection fails and gets put in the Auth Failure VLAN.
A reboot of the phone or a shut/no shut fixes this, but I really need to find a resolution.
This is an intermittent fault and only affects users with both LAN and WLAN enabled.
Running ACS 5.1.0.44, all Cisco 3750s - c3750-ipservicesk9-mz.122-55.SE.
Certificates are issued by group policy and only computer authentication is used.
Any help would be greatly appreciated.
Thanks

After a long TAC case with Cisco we discovered that the Mitel phone was not sending the EAPoL-Logoff packet so the switch still thought that the device off the back of the phone was connected.
There are no EAPoL-Logoff messages seen on the switch when the laptop is disconnected/port is shut down.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp386903
This feature is supported by most IP phones; I do not know if Mitel phones support it, but we cannot see this message in the debugs you sent.
As a workaround we can configure inactivity timer (by default it is infinity):
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11888691
This did resolve all our issues.
Aaron
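The check TAC did by hand in the debugs, as an added example that is not part of the thread: a small EAPOL frame decoder that classifies 802.1X frames from a capture (EAPOL-Start, EAPOL-Logoff, EAP Request/Response/Success/Failure) and lists the supplicant MACs that authenticated but never sent an EAPOL-Logoff, which is what leaves the switch believing the device behind the phone is still connected. The frames, MAC addresses and identity payload below are constructed sample input, not from the original capture.

```python
# Added example (not from the original post): classify 802.1X EAPOL frames from a
# capture and list supplicant MACs that never sent an EAPOL-Logoff.
import struct
from collections import defaultdict

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_eapol(frame: bytes):
    """Decode one Ethernet frame; return a dict for EAPOL frames, None otherwise."""
    if len(frame) < 18:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, ptype, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:          # truncated capture, do not trust it
        return None
    info = {"dst": mac_str(dst), "src": mac_str(src), "version": version,
            "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0 and length >= 4:  # EAP header: code, identifier, length
        code, ident, _ = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        info["eap_id"] = ident
    return info


def build_eapol(src: bytes, ptype: int, body: bytes = b"", dst: bytes = PAE_GROUP_MAC) -> bytes:
    """Assemble an EAPOL v1 frame (used here only to construct the sample capture)."""
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 1, ptype, len(body)) + body)


def supplicant_event(info) -> bool:
    """True if the frame came from a supplicant, not from the switch (authenticator)."""
    return info["type"] in ("EAPOL-Start", "EAPOL-Logoff") or info.get("eap_code") == "Response"


def supplicants_without_logoff(frames):
    """Sorted supplicant MACs that sent Start/Response frames but never an EAPOL-Logoff."""
    events = defaultdict(set)
    for frame in frames:
        info = parse_eapol(frame)
        if info and supplicant_event(info):
            events[info["src"]].add(info["type"])
    return sorted(mac for mac, types in events.items() if "EAPOL-Logoff" not in types)


# Constructed sample capture: the laptop logs off cleanly, the phone never does.
LAPTOP = bytes.fromhex("001122334455")
PHONE = bytes.fromhex("66778899aabb")
SWITCH = bytes.fromhex("ccddeeff0011")
EAP_REQUEST_IDENTITY = bytes([1, 1, 0, 5, 1])              # code=1 id=1 len=5 type=Identity
EAP_RESPONSE_IDENTITY = bytes([2, 1, 0, 9, 1]) + b"host"   # code=2 id=1 len=9 type=Identity
EAP_SUCCESS = bytes([3, 1, 0, 4])                          # code=3 id=1 len=4

SAMPLE_FRAMES = [
    build_eapol(LAPTOP, 1),                                   # EAPOL-Start
    build_eapol(SWITCH, 0, EAP_REQUEST_IDENTITY, dst=LAPTOP),
    build_eapol(LAPTOP, 0, EAP_RESPONSE_IDENTITY),
    build_eapol(SWITCH, 0, EAP_SUCCESS, dst=LAPTOP),
    build_eapol(LAPTOP, 2),                                   # EAPOL-Logoff
    build_eapol(PHONE, 1),
    build_eapol(PHONE, 0, EAP_RESPONSE_IDENTITY),
    build_eapol(SWITCH, 0, EAP_SUCCESS, dst=PHONE),           # phone authenticated, no Logoff follows
    b"\xff" * 6 + LAPTOP + b"\x08\x00" + b"\x45" + b"\x00" * 19,  # non-EAPOL noise (IPv4)
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(parse_eapol(f))
    print("no EAPOL-Logoff seen from:", supplicants_without_logoff(SAMPLE_FRAMES))
```

On a real capture, feed the raw Ethernet frames (e.g. from a pcap reader) into supplicants_without_logoff in place of SAMPLE_FRAMES.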

Similar Messages

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can still get to the internet.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest VLAN right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the VLAN interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts on why I'm seeing this behavior? Feature set? IOS version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    export@cisco.com.
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...

  • 802.1x Auth-Fail VLAN --- XP does not recognize

    With Auth-Fail VLAN configured on Cisco 3550 the Switch successfully configures the port to the configured auth-fail vlan upon unsuccessful authentication. The PC even gets the IP address from DHCP.
    However, the Windows XP network icon on the task bar continues to display as if it is trying to configure the network. The popup text displays "Attempting to authenticate" whereas the PC is fully connected and able to communicate on the network.
    Any idea...????

    I am performing machine authentication against MS AD. It does get an IP address from the authentication VLAN, but not before a minor delay (I have seen up to a minute's delay in some cases).
    The following is working fine in my case:
    Machine Authentication (S) ---> User Auth (S), then all is good.
    Machine Auth (S) ---> User Auth (F): transition to Auth Fail VLAN.
    Machine Auth (F) ---> Machine is in AuthFail VLAN, then User Auth (S): machine transitions to the correct access VLAN (or RADIUS-assigned VLAN).
    There are times when the behaviour is a bit variable in terms of VLAN assignment. Reading the IOS guide, it makes sense: if you are not assigning the VLAN through RADIUS, then the switch sometimes tends to leave the port in the currently assigned VLAN, which depending on the port state (success/fail) could be the access VLAN or the AuthFail VLAN.

  • 802.1x auth fail through WLC but OK on autonomous APs

    Hello,
    I am migrating 1310 APs from Autonomous to Lightweight. Migration is OK with the Cisco Upgrade Tool, and the APs are registered on my 2504 WLC.
    Previously, an 802.1x network was broadcast by the autonomous APs; supplicants were identified on a FreeRADIUS server with the MSCHAPv2/PEAP method.
    I am sending you in attachment an AP config which is OK.
    But on the WLC, supplicants can't authenticate on the RADIUS server.
    I configured a WLAN with WPA/TKIP/802.1x with my RADIUS server in the AAA tab.
    When clients try to authenticate, I get these messages where xxx is login:
    AAA Authentication Failure for UserName:821 User Type: WLAN USER
    AAA Authentication Failure for UserName:200 User Type: WLAN USER
    AAA Authentication Failure for UserName:209 User Type: WLAN USER
    Security info on the client page is:
    Security Policy Completed: No
    Policy Type: WPA
    Encryption Cipher: TKIP-MIC
    EAP Type: PEAP
    SNMP NAC State: Access
    Radius NAC State: 8021X_REQD
    What is strange is that there are some clients which are OK in RUN state, and the other 50% which are not.
    In the attachment there is a "debug client mac-address" from a device which cannot authenticate through the WLC.
    Thank you,
    Clement

    Hi Amjad,
    I'm not using NAC.
    Clients make an MSCHAPv2/PEAP auth on a FreeRADIUS server through the WLC.
    Because the network is critical, I did a rollback, so I put the lightweight APs back into their original autonomous state.
    Now all clients can successfully authenticate on the network. I don't understand what happens when the APs are in lightweight mode :/
    I have more information about the WLAN clients:
    - Each client is an infrastructure which has an AXIS wireless modem in bridge mode, which is a client of the WLAN. This modem has a login/password for MSCHAPv2 auth.
    - Behind the AXIS, there is a switch to which 4 devices with static IPs are connected.
    - If the AXIS is successfully authenticated on the WLAN, only one device of the four is able to ping servers on the LAN. The others cannot; it seems to be "token ring"-like?!
    The WLAN client infrastructures are very proprietary; it's very difficult to debug.
    What I know is that all clients are OK on autonomous APs (auth 100% successful, ping 100% successful for 4 devices), and when the clients join a lightweight AP it is: auth 50% successful, ping 100% successful for 1 device, 0% successful for the 3 other devices.
    Tell me if you need specific debug logs.
    Clement

  • W2k3 Auth failed with KRB5KDC_ERR_ETYPE_NOSUPP when using DES

    We are authenticating users on an AD server 2k3, and the users are set up in AD to use DES (checked "Use DES encryption types for this account" in the user properties).
    It failed somehow with ETYPE_NOSUPP. From the packet capture, I can see that the KRB5 AS-REQ contains des-cbc-crc/des-cbc-md5/des-cbc-md4 as encryption types.
    This is the request:
    ++++++++++ REQUEST ++++++++++++++++
    Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP
    Type: PA-ENC-TIMESTAMP (2)
    Value: 303ba003020117a2340432482d36ca7556ebf719421fc8b4... rc4-hmac
    Encryption type: rc4-hmac (23)
    enc PA_ENC_TIMESTAMP: 482d36ca7556ebf719421fc8b4530cfea187d35318fd63bd...
    KDC_REQ_BODY
    Padding: 0
    KDCOptions: 00000010 (Renewable OK)
    .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
    ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
    .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
    .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
    .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
    .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
    .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
    .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
    .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
    Client Name (Principal): test
    Name-type: Principal (1)
    Name: test
    Realm: SRV.MYTESTSERVER.LOC
    Server Name (Unknown): krbtgt/SRV.MYTESTSERVER.LOC
    Name-type: Unknown (0)
    Name: krbtgt
    Name: FP.DEREKTESTING.COM
    from: 2011-04-07 08:10:06 (UTC)
    till: 2011-04-08 08:10:06 (UTC)
    Nonce: 1302163806
    Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
    Encryption type: aes256-cts-hmac-sha1-96 (18)
    Encryption type: aes128-cts-hmac-sha1-96 (17)
    Encryption type: des3-cbc-sha1 (16)
    Encryption type: rc4-hmac (23)
    Encryption type: des-cbc-crc (1)
    Encryption type: des-cbc-md5 (3)
    Encryption type: des-cbc-md4 (2)
    ++++++++++ REQUEST ++++++++++++++++
    And this is the response:
    ++++++++++ RESPONSE ++++++++++++++++
    Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2011-04-07 08:10:06 (UTC)
    susec: 247525
    error_code: KRB5KDC_ERR_ETYPE_NOSUPP (14)
    Realm: SRV.MYTESTSERVER.LOC
    Server Name (Unknown): krbtgt/SRV.MYTESTSERVER.LOC
    Name-type: Unknown (0)
    Name: krbtgt
    Name: SRV.MYTESTSERVER.LOC
    e-data
    padata: PA-ENCTYPE-INFO
    Type: PA-ENCTYPE-INFO (11)
    Value: 30443020a003020103a119041746502e444552454b544553... des-cbc-md5 des-cbc-crc
    Encryption type: des-cbc-md5 (3)
    Salt: 46502e444552454b54455354494e472e434f4d6a69616e
    Encryption type: des-cbc-crc (1)
    Salt: 46502e444552454b54455354494e472e434f4d6a69616e
    ++++++++++ RESPONSE ++++++++++++++++
    What could have possibly gone wrong? I also tried to reset the passwords of administrator and the user and restart the kdc services. It didn't help.
    Thanks.

    I am not sure; the exact behaviour must be specified somewhere, but I was not able to find any precise documentation on the topic. It may be that the DC prefers AES if allowed by the client and it may collide with the setting on the user account.
    Anyway, why do you use the checkbox at all? If you wanted to enforce DES, you could have enabled the "System Cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" policy, which would switch the whole environment to DES or AES automatically.
    The user account setting is meant for only those accounts that are used by non-Windows services IMHO.
    ondrej.
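An added example, not code from this thread: it takes the values quoted from the AS-REQ and KRB-ERROR above, lists the etypes both sides have in common (in the client's preference order), checks whether the etype the client used for its PA-ENC-TIMESTAMP is one the KDC advertised in PA-ENCTYPE-INFO, and decodes the returned salt, which by the Kerberos default (RFC 4120) is the realm followed by the principal name components. The realm list used for the salt split is assumed from the two realms visible in the capture.

```python
# Added example (not from the original thread): etype negotiation and salt decoding
# for the AS-REQ / KRB-ERROR exchange quoted in the post.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
ETYPE_IDS = {name: num for num, name in ETYPE_NAMES.items()}
DES_ETYPES = {1, 2, 3}


def etypes_from_line(line: str) -> list:
    """Turn a Wireshark 'Encryption Types: a b c' line into etype numbers, client order kept."""
    names = line.split(":", 1)[1].split()
    return [ETYPE_IDS[n] for n in names]


def common_etypes(client: list, kdc: list) -> list:
    """Etypes both sides support, in the client's preference order."""
    return [e for e in client if e in kdc]


def preauth_etype_accepted(preauth_etype: int, kdc: list) -> bool:
    """The PA-ENC-TIMESTAMP must be encrypted with a key type the KDC holds for the account."""
    return preauth_etype in kdc


def decode_salt(salt_hex: str, known_realms) -> dict:
    """Default Kerberos salt is realm + principal components with no separator (RFC 4120)."""
    salt = bytes.fromhex(salt_hex).decode("ascii")
    for realm in known_realms:
        if salt.startswith(realm):
            return {"salt": salt, "realm": realm, "principal": salt[len(realm):]}
    return {"salt": salt, "realm": None, "principal": None}


# Values copied from the capture in the post above.
CLIENT_LINE = ("Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 "
               "des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4")
KDC_ETYPES = [3, 1]          # PA-ENCTYPE-INFO: des-cbc-md5, des-cbc-crc
PREAUTH_ETYPE = 23           # the PA-ENC-TIMESTAMP in the AS-REQ used rc4-hmac
SALT_HEX = "46502e444552454b54455354494e472e434f4d6a69616e"
REALMS = ["SRV.MYTESTSERVER.LOC", "FP.DEREKTESTING.COM"]   # assumption: realms seen in the capture


def analyse() -> dict:
    client = etypes_from_line(CLIENT_LINE)
    return {
        "client_offers_des": bool(DES_ETYPES & set(client)),
        "common": [ETYPE_NAMES[e] for e in common_etypes(client, KDC_ETYPES)],
        "preauth_ok": preauth_etype_accepted(PREAUTH_ETYPE, KDC_ETYPES),
        "salt": decode_salt(SALT_HEX, REALMS),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```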

  • I'm getting DataSource.NotFound: OData: Request failed (404) error when open connection

    Hi,
    I have a simple OData service running on a server. When I try to call it in a browser all works fine. But in Excel Power Query, after the user authentication step, I get this error in the Query editor:
    DataSource.NotFound: OData: Request failed (404): The remote server returned an error: (404) Not Found.
    Details:
        http://<URL>/GIPJAM/$metadata
    The service is configured on a server and it is public. The URL (working in a browser) is http://<URL>:91/GIPJAM/
    Could this be a port (91) problem? My application runs on port 80. This port 91 is to guarantee that the server is public. For example, if I run in my home network, using the name of the machine in the URL (like http://quiron.blabla.net/GIPJAM/), all works
    in the browser and in Excel PQ.
    I've made every test I can remember, but I'm a newbie in OData services and server, IIS and network configurations.
    Can anyone help me?
    Regards,
    Filipe Almeida
    EDIT: I have this workaround implemented: https://social.technet.microsoft.com/Forums/en-US/dc0ca6ff-6583-4373-a31f-acb95e8046ef/connecting-to-odata-feed-using-powerquery-216-results-in-404-error?forum=powerquery
    I'm using Power Query 2.16 and Excel 2013, with an OData V4 service in Web .NET API 2.2

    It looks like your service probably supports V3 and V4 or you'd be getting a different error message. What I suspect is happening is that the service doesn't know that it's listening on port 91 and so it's returning URLs embedded in your result (either the xml:base on an XML body or the metadata link in a JSON body) which don't reflect the port number. You can easily verify this by using Fiddler to look at the results. If any of them have a URL that's missing the ":91", that's an indication that you'll need to fix this on the service side.

  • "Connect to SAP gateway failed" error message when we connecting bex to bw

    Can anyone help in connecting BEx with BW?
    We got an error when we were trying to connect BEx to BW from offshore. As we do not have a Basis consultant, we only need to connect BEx with BW.
    "Connect to SAP gateway failed".
    RFC_ERROR_COMMUNICATION
    But it is working properly when connecting for the onsite team.
    This is the first time we are connecting from offshore.

    You didn't answer the first question of when exactly you are getting this error message - during direct logon to BEx or using transaction RRMX. Anyway, I assume both are giving the error.
    Check how the SAP logon pad is configured to access the BW server currently.
    In our case the problem was resolved by using the server machine name instead of the IP address to logon to the BW server.
    If you are currently using the IP address in the logon pad then change it to the server machine name instead.
    Also, add an entry like the following to your hosts file (windows>system32>drivers>etc>hosts):
    <IP Address> <bw_server_machine_name>
    Save the file, reboot the system and then try logging onto BEx again.
    If it still does not work - send me screenshots of the logon pad configuration you have for the BW server.
    Hope this helps,
    Regards,
    Nikhil
    Message was edited by: Nikhil Chowdhary

  • Juniper SSG and Cisco ACS v5.x Configuration

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
    Configure the Juniper (CLI)
      1. Add the Cisco ACS and TACACS+ configuration
         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external
    Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile.
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab
                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Mandatory
                            Value:                    root
                            Click the [Add^] button above the Attribute field
                        Add the privilege attribute:
                            Attribute:                privilege
                            Requirement:       Mandatory
                            Value:                    root
                                    Note: you can also use 'read-write' but then local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page
    2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom Right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window
                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the ip address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page
    3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

    Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
    You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

  • Auth-Fail Feature and Windows 802.1x Supplicant Compatibility

    As per Cisco IOS design, when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client, taking into consideration that the dot1x auth-fail command is configured.
    However, we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
    I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
    We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
    Your suggestions would be appreciated.
    Thank You,
    ET

    An EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail-vlan) even though 1X is configured and operating.
    At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
    Once a workstation is authorized on the network, and then subsequently fails for whatever reason and is put on the auth-fail VLAN, then it's also up to the machine to renew its IP if it needs to. Optionally, you can configure the auth-fail-vlan to be the same as your default VLAN. I guess it's worth pointing out that you'd have this problem without 802.1X (changing VLANs on the fly, for example). Some supplicants can deal with this though.
    If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows-XP) then there's nothing to get the port out of the Auth-Fail-VLAN either (short of link down). You can configure this through registry though. So the answer to your earlier question was no .. it shouldn't.
    I'm not sure I understand the "IB" and "OOB" references here though.
    Hope this helps,

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with the Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with a predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then a Microsoft guy could look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

    Hi,
    I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
    ACS4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
    Recently we bought a Cisco 4710 ACE appliance. When I use an ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
    I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
    tacacs-server key 7 "xxxxxxxxxxxxx"
    aaa group server tacacs+ tac_admin
      server xx.xx.xx.xx
    aaa authentication login default group tac_admin local
    aaa authentication login console group tac_admin local
    aaa accounting default group tac_admin

    Hi,
    Since the ACS is receiving the request, could you please ensure that in ACE on every context (including Admin and others) you have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+  tac_admin
       server x.x.x.x
    aaa authentication login default group  tac_admin local
    aaa authentication login console group  tac_admin local 
    aaa accounting default group x.x.x.x
    On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
    1. Shell  (exec) enable
    2. Privilege level 15
    3. Custom attributes:
               shell:Admin*Admin default-domain
        if you have additional  context add next line
              shell:mycontext*Admin  default-domain
    After logging in to ACE and issuing the "sh users" command you should see the following:
    User     Context   Line    Login Time    (Location)   Role    Domain(s)
    *adm-x   Admin     pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

    Hi there,
    I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users that log in on the Infoblox via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with the administrative group name that the user belongs to on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this group name. On the Infoblox these groups are already made and this must match the group that the ACS replies with.
    Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings I've turned on the Infoblox-Group_info attribute and filled in a specific group name that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS, the authentication part of the user is fine. So it has to be in the info that the ACS replies with when the user logs in.
    I've attached the VSA and a *.pcap from Wireshark to see what's going on.
    Can anyone advise or suggest any option that can make this thing work?
    With regards,
    Richard Gosen

    Halijenn,
    Unfortunately the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still show up when I re-add the Infoblox appliance to a network device group and there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
    Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
    Any other possibilities?
    Kind regards,
    Richard Gosen

  • Auth-fail vlan won't support re-authentication

    We're using an ACS 1113 Appliance with ACS version 4.1.4.13. Via the RADIUS attributes, clients are re-authenticated every 16 hours. The machine cache is set to 12 hours. This means that, if the user doesn't log off within 16 hours, he will be denied network access because of Machine Access Restriction (which is normal).
    The problem is, at this point, the SSC client keeps trying and trying to authenticate. It never stops trying until the user logs off or reboots (sometimes this can take days to weeks, e.g. on vacation). This results in a log entry every 4 seconds (because of the timeout tx-period settings) for every user that is in the MAR. Now you can imagine that, in an environment with 4000 users, the logs become unusable because of the enormous amount of (unnecessary) failed attempt logs.
    I've tried the following dot1x attributes on the switchport but they don't seem to work:
    dot1x max-req 3
    dot1x max-reauth-req 3
    I was hoping they would stop the authentication attempts after 3 unsuccessful tries, but it doesn't help.
    Then I thought I found a solution: the auth-fail VLAN. Then we have only 3 logs before the port falls into auth-fail, which is much better.
    But, once he is in the auth-fail VLAN, he never gets out! I thought that, if the user logs off, the network connection is closed, so at that point the machine authentication would be triggered. But he just stays in the auth-fail VLAN until rebooted or the cable is removed. Isn't there any way to trigger the authentication when the user is logged off?

    Check if the "Default connection timeout" and "Default Association Timeout" values are configured properly in the client policy. Also check for the "max start" value in the connection settings for 802.1x. http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1/administration/guide/C2_SetupSSC.html#wp1056892

  • ACS 5.3 and Command Auth

    I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step by step from Security Solutions (link below).
    I still get no joy. Also Cisco changed the GUI and the way command sets are built.
    (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
    Any help would be appreciated
    Patrick Connor

    Tarik, thanks for the response. I cannot get screenshots but can define the option sets.
    I created 2 command sets:
    Pri-15 has only the "permit all commands not in the table below" check box checked
    Pri-1 has a single permit "show" with no arguments
    The authorization policy has 2 rules:
    rule 1: identity group "network Admin", any, any, any -> pri-15
    rule 2: identity group "network monitor", any, any, any -> pri-1
    Service selection rule: rule 1, condition (match System:Protocol match TACACS), result Default Device Admin, hit count 98
    The report indicated a FAIL ("13025 Command failed to match a Permit rule") and the Selected Command Set = (DenyAllCommands).
    So it looks like the command set is not being recognized, but I cannot see why?
    Thanks,
    Pat 

  • Cisco ACS 4.2 - Server Busy

    Hi!
    We're authenticating our Desktops and IP-Phones via 802.1x using two Radius-servers running Cisco ACS v4.2 on Win2k8.
    From time to time we run into the problem that one of the servers 'gets too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP phones (Siemens OpenStage).
    What I don't understand is why the ACS acts that way...
    TAC says that all 42 or so threads are in use when the server says it's too busy.
    While the server is 'busy' the CPU runs at 1 - 2 % !! And there's loads of RAM left...
    This is an extract from the CSRadius-Log-File:
    RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignored
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
    RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
    RDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NAS
    RDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDP
    RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS
    ...
    RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
    Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
    Thanks a lot!
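    The CSRadius extract in the post is exactly the kind of input a defender wants to summarise before opening a TAC case: how many requests were dropped, from which NAS devices, in which seconds, and with which error codes. The Python script below is an added example (not part of this thread or of ACS) that parses those records. The field layout (prefix, date, time, severity letter, 4-digit message code, a numeric id, a hex field, free text) is inferred from the quoted lines and is an assumption, as is treating the numeric id as a worker/thread id and the burst threshold of 3 drops per second; the sample input is the post's own lines, embedded inline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the records quoted in the post, one per line.
SAMPLE_LOG = """\
RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignored
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignored
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NAS
RDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)
RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignored
RDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NAS
RDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDP
RDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS
RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
"""

# Record layout inferred from the quoted lines (assumption, not documented here):
# "RDS <mm/dd/yyyy> <hh:mm:ss> <severity> <4-digit code> <numeric id> <hex> <message>".
RECORD_RE = re.compile(
    r"^RDS (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sev>[A-Z]) (?P<code>\d{4}) (?P<tid>\d+) (?P<hex>0x[0-9A-Fa-f]+) (?P<msg>.*)$"
)
# The two message shapes we care about: dropped requests and failed authentications.
BUSY_RE = re.compile(r"^Server too busy - request from (?P<nas>\d{1,3}(?:\.\d{1,3}){3}) ignored$")
AUTH_ERR_RE = re.compile(r"^Error (?P<err>[A-Z_]+) authenticating (?P<who>\S+)")


def parse_record(line):
    """Return a dict for one CSRadius record, or None if the line does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
    return rec


def summarize(text, busy_threshold=3):
    """Aggregate dropped requests per NAS and per second, plus authentication error codes."""
    busy_by_nas = Counter()
    busy_by_second = Counter()
    auth_errors = Counter()
    ids_seen = set()          # assumed to be worker/thread ids; distinct count is a rough proxy
    unparsed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)
            continue
        ids_seen.add(rec["tid"])
        busy = BUSY_RE.match(rec["msg"])
        if busy:
            busy_by_nas[busy["nas"]] += 1
            busy_by_second[rec["ts"]] += 1
            continue
        err = AUTH_ERR_RE.match(rec["msg"])
        if err:
            auth_errors[err["err"]] += 1
    # A second with at least `busy_threshold` dropped requests is a burst worth alerting on.
    # The threshold is an assumption; tune it to the normal request rate of your deployment.
    bursts = sorted(ts for ts, n in busy_by_second.items() if n >= busy_threshold)
    return {
        "busy_by_nas": dict(busy_by_nas),
        "busy_by_second": {ts.isoformat(): n for ts, n in busy_by_second.items()},
        "auth_errors": dict(auth_errors),
        "distinct_ids": len(ids_seen),
        "bursts": [ts.isoformat() for ts in bursts],
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against a full CSRadius log (one record per line) the per-second counts show whether the drops come in bursts that line up with the switch debugs and the sniffer capture the answer below asks for, and the per-NAS counts show whether a single switch is generating the load or whether the server is starving across the board.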

    The key is to get all of the information needed. Normally when they say it takes too long for the client to answer, that is not always the exact fault.
    You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
    The information needed is the following (all of these items really need to be gathered at the same time):
    switch debugs, including
    debug radius
    debug aaa authentication
    debug aaa accounting
    a sniffer capture between the switch and the ACS
    logs from ACS with debugs enabled
    If you are going to AD on the backend, you may also want a sniffer capture between the ACS and the AD.
    All of these together should tell you where the delay or failure lies, and at that point some changes can be suggested.
