Cisco ACS 5.4 problem

Similar Messages

• Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

  Dear all,
  Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
  Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
  Best regards,
  Piotr

  If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
  I am sorry if I am not able to help but I am not using the anyconnect for production.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Cisco ACS 4.2(1) Certificate problem

  Hi guys,
  I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
  I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
  When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
  Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
  What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
  best regards,
  NC

  Anyone?
  I think this maybe some Bug but i am not so sure about that.
  regards,
  NC

• Cisco ACS 4.2.1 authentication problem

  We are using cisco ACS 4.2.1 on windows 2003  to authenticate  with windows 2003 Actice Directory. We have update Active directory server windows 2008 version. We have checked the configuration of ACS on windows database and no problem but we can't see in ACS dynamic user. I have authentication problem ACS 4.2.1 to Windows 2008 R2 active directory.

  Hi there,
  There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
  Also if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want ready my previous answer.
  Let me know if this helps.

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• [Cisco ACS 5.2] Windows XP - EAP-TLS error

  Hi,
  We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
  We just replaced RADIATOR with Cisco ACS 5.2 .
  Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Description:
  While  trying to negotiate a TLS handshake with the client, ACS expected to  receive a non-empty TLS message or TLS alert message, but instead  received an empty TLS message. This could be due to an inconformity in  the implementation of the protocol between ACS and the supplicant. For  example, it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message. It might also involve  the supplicant not trusting the ACS server certificate for some reason.  ACS treated the unexpected message as a sign that the client rejected  the tunnel establishment.
  Resolution Steps :
  Ensure  that the client's supplicant does not have any known compatibility  issues and that it is properly configured. Also ensure that the ACS  server certificate is trusted by the client, by configuring the  supplicant with the CA certificate that signed the ACS server  certificate. It is strongly recommended to not disable the server  certificate validation on the client!
  Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
  ACS says "it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message".
  If it was a known issue, we would have this error for other computer but we don't have (fortunately )
  Wireless profile is sent to computers using GPO so they trust ACS server certificate...
  Do you know how to correct this issue on XP supplicant? I dont find this issue on Google
  Thanks for your help,
  Patrick

  Patrick,
  One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verfiy that.
  If that doesnt fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
  Thanks,
  Tarik Admani

• Cisco ACS 4.2 - Server Busy

  Hi!
  We're authenticating our Desktops and IP-Phones via 802.1x using two Radius-servers running Cisco ACS v4.2 on Win2k8.
  From time to time we run into the problem, that one of the servers 'get's too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP-phones (Siemens OpenStage).
  What I don't understand is why the ACS acts that way...
  TAC says that all 42 or so threads are in use when the server says it's too busy.
  While the server is 'busy' the CPU runs at 1 - 2 % !! And there's loads of RAM left...
  This is an extract from the CSRadius-Log-File:
  RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDPRDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS...RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
  Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
  Thanks alot!

  The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
  You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
  The information needed is the following
  all of these items really need to be gathered at the same time
  switch debugs including
  debug radius
  debug aaa authen
  debug aaa accounting
  sniffer capture between the switch and the ACS
  logs from ACS with debugs enabled.
  If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
  all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

  Hi,
  I would be very appreciated if anyone can share their experience. Thanks in advance.
  Issue:
  I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.
  Problems encountered:
  Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.
  In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
  Questions:
  1. Please kindly advise how I should resolve this problem.
  2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
  Troubleshooting steps I have done:
  Below is the steps I took to setup the external DB.
  1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.
  2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)
  2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.
  Thank you.

  I have NO experience with ACS SE 4.2 and
  RSA SecurID Token Server BUT I have
  experiences with Cisco ACS 4.1 running on
  Windows 2003 SP2 Enterprise Edition and
  RSA SecurID Token Server.
  All the troubleshoot you've done is correct.
  In Windows 2003 running Cisco ACS, you can
  install the test authentication RSA client
  and that you can verify that the setup
  is correct (by verifying that the sdconf.rec
  is not corrupted).
  One thing I can think of is that when you
  setup the ACS SE box, under external
  database, configure unknown user policy,
  did you check it to tell how to define users
  when they are not found in the ACS internal
  database. Did you select RSA SecurID token
  server?
  Other than that, from what I understand,
  you've done everything correctly.

• [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

  Hi,
  I got many Cisco AP which are linked to 2 Cisco WLC.
  On each WLC, I configured a primary and a secondary RADIUS Server.
  RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
  Primary and secondary ACS configurations are synchronized.
  There are no problem between primary WLC and Cisco ACS (primary and secondary).
  When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
  Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
  Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
  The two Cisco ACS are synchronized so I should have same error on them...
  Why does primary ACS generate this error?
  Thanks for your help,
  Patrick

  Tarik Admani wrote:Amjad,That is a good observation, shouldnt 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.Thanks,Tarik Admani
  *Please rate helpful posts*
  Yes. That is a good point.
  With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuraiotn can be replicated and synched to the other WLC (the secondary).
  The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
  Rating useful replies is more useful than saying "Thank you"

• Rendering a Cisco ACS page is broken in Firefox 15

  Since updating to Firefox 15, a page inside my Cisco ACS appliance does not render: Access Policies > Access Services > Default Network Access > Authorization.
  The page has historically taken 15-20 seconds to fully load its contents, and the page now renders as if Firefox 15 got sick of waiting and just displayed what content it had. Is this a problem with rendering the page or perhaps did the value of a timer get changed in Firefox 15?
  The Cisco appliance is not public-facing, so I am happy to do a screen-sharing session with a Mozilla engineer if it would help troubleshoot. Thanks.

  Still broken in 16... Great, now I have to run a version that is 2 versions old.

• Migrating a Cisco ACS Database

  Hi,
  Can there be any potential problems, if we want to migrate an existing Cisco ACS Database to a different physical Server (Keeping the same IP information etc) ?
  We were running Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
  Regards \\ Naman

  Hi,
  I'm not an expert for the ACS but when you look into System configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
  Cheers,

• Cisco ACS database tuning

  Hi
  I would like to know best ways for tuning Cisco ACS database.  Now the database size has grown up and causing performance problems.  We are running Cisco ACS 4.2 on Windows server 2003 R3. SP2
  What is the best possible way to tune Cisco ACS performance.
  What is the best possible design consideration in deploying 6 ACS servers and in replicating mode? Can i use one database for all the 6 ACS servers. Is this feasible?
  Any docs which talks about all these would be helpful.
  Thanks in advance.
  SK

  Hi there,
  About the database size growing issue, I have seen issue similar in the past and could be related to the Service Control option, make sure it's configured Low. This option is located under System Configuration.
  Regards the replication issue, in the past I have seen even 7 servers in cascade replicating fine, although depending on different factors like distance, devices in between, amount of data, etc. The replication may flow may get affected. I am not sure which will be your requierements but using one server to replicate the information to the other units is a good option, I prefer this one than cascade replication.

• Vulnerabilities in Cisco ACS

  Hi,
  I've red that there are some vulnerabilitied in Cisco ACS.
  The advisory is that: cisco-sa-20070105-csacs
  I have two installation of CiscoSecure ACS Release 3.3(3) Build 11.
  One is ok while the second installation, few days ago, noticed me a crash in CSADmin.
  Meanwhile I was trying to revolve this problem, there was a problem with the server's disk so now the server is off.
  Anyone could tell me if it is possibile that there is a relationship between crash and the problems in advisory.
  Is always recomandable to install the patch in the advisory?
  Thanks in advance
  Antonio

  Antonio,
  We need to look at the CSAdmin log to see if the service crashed due to the problem mentioned in the advisory. But it is highly unlikely that the disk could have crashed because of any ACS Service.
  It is recomended to patch up the vulnerability. You will need to mov eup to 3.3.4

• CISCO ACS

  Hi All
  I am new to the CISCO ACS software ,at present our vpn clients are being authenticated using the cisco acs
  My problem is when they get connected they are being assigned with a subnet mask and gateway can any one help me to find out where it is configured and how can it be changed .
  NOTE :- there is no radius attribute IETF configured on the acs

  VPN users do not necessarily receive their ip address and mask etc via radius. This may very well be performed by an ip pool on the vpn device. In that case, only the authentication would be done via ACS.
  What device are you using?
  Can you post the config?
  regards,
  Leo