Cisco ACS Local Certificate

Similar Messages

• Cisco ACS 4.2(1) Certificate problem

  Hi guys,
  I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
  I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
  When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
  Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
  What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
  best regards,
  NC

  Anyone?
  I think this maybe some Bug but i am not so sure about that.
  regards,
  NC

• CIsco ISE use two different local certificates for EAP

  Hi Experts,
  ISE 1.2.1.198
  It is possible to use two different local certificates on cisco ISE, generated by two different root CA, for EAP?
  Example:
  1 - Microsoft CA for notebooks
  2 - Different CA (public, openssl, other) for mobiles
  And, in case it is possible, which will be the first one presented from the server to the client for EAP-TLS authentication?
  Thanks
  Andrea

  Thanks for your reply,
  i think i'll go for another pair of PSN for the mobiles
  Andrea

• Cisco ACS register to primary with different acs versions

  Hello, I've updated a backup unit of two acs to  version 5.4.0.46.0a first I changed it to standalone, and now I try to register to the main ACS which is running version 5.1.0.44.2
    And I get this error
  This System Failure occurred:  com.cisco.nm.acs.im.certificate.Certificate; local class incompatible: stream classdesc serialVersionUID = 8507982043664257993, local class serialVersionUID = 1927357986028617243. Your changes have not been saved.Click OK to return to the list page.
  What can I do to solve it?
  Kind regards

  The primary and secondary should be running on the same code.
  Jatin Katyal
  - Do rate helpful posts -

• Issue with certifcate on Cisco ACS

  We are wanting to authenticate our internal wireless users using our Cisco ACS running 5.3.  The ACS will poll our Active Directory environment for the username and password provided.  I created a CSR on the ACS and provided it to Entrust.  They provided me with a root, chain and server certificate.  I binded the server certificate to the CSR under System Administration>Local Server Certificates>Local Certificates.  I then added the chain and root certificates to the location Users and Identity Stores>Certificate Authorities.  When I try to connect on a client laptop it asks for a username and password but after entering that information I am presented with the below certificate warning.  This certificate is from Entrust and I see the root certificate in the root store on the laptop.  Any ideas what would cause this.  TAC does not seem to have any answers.  They say it is a client machine problem.

  From the problem description, it's clear that you're attempting to connect user on a wireless network via peap. From the ACS stand point, your configuration looks good. However, I'd like to know what all certificate have you installed on the client side. Do we have complete chain installed on the client that includes Root CA and intermediate (if any). Would you mind emailing me your complete certificate chain for my reference?
  Also, let me know what OS and supplicant are we running on end client?
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• How to hide line console parameters through Cisco ACS

  Hi,
  Can any one of you please help me in the following scenario ?
  I want to hide the line console, line aux and line vty configuration parameters of the cisco devices based on user level privillages through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line paramenters on the cisco devices for which he had privilege level 7 access.
  Can you please help me out how to achieve this?? Your help in this regard is highly appriciated.
  Thanks

  This thing is possible with local authorization on IOS device. With ACS this is not possible.
  In acs you can set what all commands a specific user can issue. That feature is called command authorization.
  For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.
  Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
  Note : Having priv 15 does not mean that user will able to issue all commands.
  We will set up command authorization on acs to have control on users.
  This is how your config should look,
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization config-commands
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• [Cisco ACS 5.2] Windows XP - EAP-TLS error

  Hi,
  We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
  We just replaced RADIATOR with Cisco ACS 5.2 .
  Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Description:
  While  trying to negotiate a TLS handshake with the client, ACS expected to  receive a non-empty TLS message or TLS alert message, but instead  received an empty TLS message. This could be due to an inconformity in  the implementation of the protocol between ACS and the supplicant. For  example, it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message. It might also involve  the supplicant not trusting the ACS server certificate for some reason.  ACS treated the unexpected message as a sign that the client rejected  the tunnel establishment.
  Resolution Steps :
  Ensure  that the client's supplicant does not have any known compatibility  issues and that it is properly configured. Also ensure that the ACS  server certificate is trusted by the client, by configuring the  supplicant with the CA certificate that signed the ACS server  certificate. It is strongly recommended to not disable the server  certificate validation on the client!
  Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
  ACS says "it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message".
  If it was a known issue, we would have this error for other computer but we don't have (fortunately )
  Wireless profile is sent to computers using GPO so they trust ACS server certificate...
  Do you know how to correct this issue on XP supplicant? I dont find this issue on Google
  Thanks for your help,
  Patrick

  Patrick,
  One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verfiy that.
  If that doesnt fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
  Thanks,
  Tarik Admani

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Hi guys,
  I have root CA and intermediate CA in ISE local certificate store trusted for client authentication.
  I have imported both root ca and client certificate in the device I want to authenticate, but ISE keeps spitting out this error :
  12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate

  Refer the link for troubleshooting in page no 22 the issue is mentioned, check it: http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_81_troubleshooting_failed_authc.pdf

• Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

  Dear all,
  Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
  Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
  Best regards,
  Piotr

  If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
  I am sorry if I am not able to help but I am not using the anyconnect for production.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• ACS Local databse authentication as a failover to Active Directory

  Hi all
  Router- 10.10.10.1
  ACS-10.10.10.2
  AD-10.10.10.3
  in AD - created  a group called "telnet users" - added user with name of - john
  I have added cisco router as clients in Cisco ACS 5.1 and integrated with Active directory. when i telnet to 10.10.10.1 , i can logon with Active directory account
  but i want a faiover to active directory with ACS local database
  Can you let me know how to configure?
  In ACS - i have created a user with name of - Test1 and  Identity group : all groups.
  Can any one help please.

  Hi,
  You need to create an Identity Store Sequence and then select that Identity Store under the Identity section of the Access Service.
  1.
  2.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• ISE, BYOD: win clients reject ISE local-certificate

  Hello!
  We are deploying BYOD with Cisco ISE 1.1.2 and WLC (5508) using 802.1x authentication.
  Windows clients cannot connect to 802.1x SSID with the following error on ISE:
       Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
  The client doesn't have preconfigured wifi profile or root certificate installed.
  The concept of BYOD suppose that you can connect your device without any installed certificates and preconfigured wifi-profiles.
  The problem is that Windows 7 supplicant does not send TLS alert in pop up window, when connecting to 802.1x SSID.
  If this alert is seen, than you can accept it and proceed the connection. After that you will be asked to install ROOT-cert, get your own cert and etc.
  So, the question is: how to make the windows supplicant to show the pop-up window with TLS alert?
  p.s. the attached file shows the example of pop up TLS-alert window

  Are there any recommendations from Cisco about the issue with Windows?
  I believe there's a new version of smart solution design guide coming up.
  The current one does not mention anything to do with certs in "User Experience" chapter.
  You can check one of the possible approaches in Nico's document:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
  (It can be easily expended).
  I think irt. PEAP we will always say that the cert or the root/sub CA cert should be already trusted on the device when perfoming enrollment.
  Will try to dig in, can't say I promise to get something concrete though. 

• Cisco ACS 5.1 Tacacs with Juniper Srx 210

  Hi all,
  I am trying to do authentication for Juniper SRX 210 FW With Cisco ACS 5.1 Tacacs but I am unable to acheive it ..
  Can any one help me how to add Junos service in ACS 5.1..How to Intergarte Juniper SRX 210 in Cisco ACS 5.1

  Hello Pranav
  As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
  You don't need to enable any new service. ACS is capable to attend any TACACS (or RADIUS) device as long as you tell ACS what are the TACACS (or RADIUS) attributes needed for that device.
  This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which JunOS router use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
  If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
  Please rate if it helps. Kind regards

• Juniper SSG and Cisco ACS v5.x Configuration

  I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
  Configure the Juniper (CLI)
    1. Add the Cisco ACS and TACACS+ configuration
       set auth-server CiscoACSv5 id 1
       set auth-server CiscoACSv5 server-name 192.168.1.100
       set auth-server CiscoACSv5 account-type admin
       set auth-server CiscoACSv5 type tacacs
       set auth-server CiscoACSv5 tacacs secret CiscoACSv5
       set auth-server CiscoACSv5 tacacs port 49
       set admin auth server CiscoACSv5
       set admin auth remote primary
       set admin auth remote root
       set admin privilege get-external
  Configure the Cisco ACS v5.x (GUI)
    1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
          Create the Juniper Shell Profile.
          Click the [Create] button at the bottom of the page
                  Select the General tab
                          Name:    Juniper
                          Description:  Custom Attributes for Juniper SSG320M
                  Select the Custom Attributes tab
                      Add the vsys attribute:
                          Attribute:                vsys
                          Requirement:       Manadatory
                          Value:                    root
                          Click the [Add^] button above the Attribute field
                      Add the privilege attribute:
                          Attribute:                privilege
                          Requirement:       Manadatory
                          Value:                    root
                                  Note: you can also use 'read-write' but then local admin doesn't work correctly
                          Click the [Add^] button above the Attribute field
                  Click the [Submit] button at the bottom of the page
  2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
          Create the Juniper Authorization Policy and filter by Device IP Address.
          Click the [Customize] button at the bottom Right of the page
                  Under Customize Conditions, select Device IP Address from the left window
                          Click the [>] button to add it
                  Click the [OK] button to close the window
                  Click the [Create] button at the bottom of the page to create a new rule
                          Under General, name the new rule Juniper, and ensure it is Enabled
                          Under Conditions, check the box next to Device IP Address
                                  Enter the ip address of the Juniper (192.168.1.100)
                          Under Results, click the [Select] button next to the Shell Profile field
                                  Select 'Juniper' and click the [OK] button
                          Under Results, click the [Select] button below the Command Sets (if used) field
                                  Select 'Permit All' and ensure all other boxes are UNCHECKED
                          Click the [OK] button to close the window
                  Click the [OK] button at the bottom of the page to close the window
                  Check the box next to the Juniper policy, then move the policy to the top of the list
                  Click the [Save Changes] button at the bottom of the page
  3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

  Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
  You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.