Cisco ACS Querying

Similar Messages

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• Cisco ACS for Unix authentication

  My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
  Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config,  Can I get the unix boxes to get authenticated against Radius?
  Any help will be appreciated.
  Manny

  Hi,
  Authentication of unix servers  via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
  Hope that helps out your query !!
  http://www.ibm.com/developerworks/library/l-radius/
  Regards
  Ganesh.H

• ACS Query

  hi,
  I have Cisco ACS-1113. I want to connect this in existing network.
  My query is ACS have two LAN interface. Whats the use of second interface as Cisco documents states "ACS SE supports the operation of either Ethernet connector, but not both connectors".
  Thanks
  Nilesh

  Nilesh,
  ACS do not have routing capabilities. You need to make acs a part of vlan or any network. You need a router or layer 3 switch to do routing.
  ACS can be in any network , please ensure that all network devices can reach acs and tacacs 49 / radius ports are open.
  ACS--->Switch_vlan1 --->router---->switch_vlan2
  Vlan2 devices should be able to communicate with vlan1 & visa versa.
  Please checkout these white papers,
  http://cisco.com/en/US/products/sw/secursw/ps2086/prod_white_papers_list.html
  Regards,
  ~JG
  Do rate helpful posts

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Linksys WAP54G connecting to CISCO ACS via LEAP

  I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
  Connection scenario:-
  Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
  Pls advise if such setting is feasible.
  Tks

  This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
  As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
  If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
  One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
  Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
  Bruce Alexander, Cisco

• Using Cisco ACS for Solaris login authentication

  Hi all
  I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
  Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
  Thanks, David

  Hard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.

• CS-MARS user authentication using Cisco ACS

  Hi,
  I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
  Thanks and Regards,
  Ahmed Shahzad.

  Hi,
  I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
  Thanks and Regards,
  Ahmed Shahzad.

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• How to hide line console parameters through Cisco ACS

  Hi,
  Can any one of you please help me in the following scenario ?
  I want to hide the line console, line aux and line vty configuration parameters of the cisco devices based on user level privillages through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line paramenters on the cisco devices for which he had privilege level 7 access.
  Can you please help me out how to achieve this?? Your help in this regard is highly appriciated.
  Thanks

  This thing is possible with local authorization on IOS device. With ACS this is not possible.
  In acs you can set what all commands a specific user can issue. That feature is called command authorization.
  For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.
  Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
  Note : Having priv 15 does not mean that user will able to issue all commands.
  We will set up command authorization on acs to have control on users.
  This is how your config should look,
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization config-commands
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• [Cisco ACS 5.2] Windows XP - EAP-TLS error

  Hi,
  We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
  We just replaced RADIATOR with Cisco ACS 5.2 .
  Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
  Description:
  While  trying to negotiate a TLS handshake with the client, ACS expected to  receive a non-empty TLS message or TLS alert message, but instead  received an empty TLS message. This could be due to an inconformity in  the implementation of the protocol between ACS and the supplicant. For  example, it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message. It might also involve  the supplicant not trusting the ACS server certificate for some reason.  ACS treated the unexpected message as a sign that the client rejected  the tunnel establishment.
  Resolution Steps :
  Ensure  that the client's supplicant does not have any known compatibility  issues and that it is properly configured. Also ensure that the ACS  server certificate is trusted by the client, by configuring the  supplicant with the CA certificate that signed the ACS server  certificate. It is strongly recommended to not disable the server  certificate validation on the client!
  Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
  ACS says "it is a known issue that the XP supplicant sends an empty TLS  message instead of a non-empty TLS alert message".
  If it was a known issue, we would have this error for other computer but we don't have (fortunately )
  Wireless profile is sent to computers using GPO so they trust ACS server certificate...
  Do you know how to correct this issue on XP supplicant? I dont find this issue on Google
  Thanks for your help,
  Patrick

  Patrick,
  One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verfiy that.
  If that doesnt fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
  Thanks,
  Tarik Admani

• Cisco ACS 4.2 - Server Busy

  Hi!
  We're authenticating our Desktops and IP-Phones via 802.1x using two Radius-servers running Cisco ACS v4.2 on Win2k8.
  From time to time we run into the problem, that one of the servers 'get's too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP-phones (Siemens OpenStage).
  What I don't understand is why the ACS acts that way...
  TAC says that all 42 or so threads are in use when the server says it's too busy.
  While the server is 'busy' the CPU runs at 1 - 2 % !! And there's loads of RAM left...
  This is an extract from the CSRadius-Log-File:
  RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDPRDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS...RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
  Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
  Thanks alot!

  The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
  You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
  The information needed is the following
  all of these items really need to be gathered at the same time
  switch debugs including
  debug radius
  debug aaa authen
  debug aaa accounting
  sniffer capture between the switch and the ACS
  logs from ACS with debugs enabled.
  If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
  all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested

• Cisco ACS / Trend Micro Office / Cisco Trust Agent

  We currently utilize Cisco ACS Server and Trend Micro OfficeScan and would like to deploy Cisco Trust Agent 2.0 on a few laptops.  Has anyone been involved with such a deployment?  If so, any suggestions, documentation, suggestions?
  Thanks,

  CTR uses the admin shares to connect to a windows server.
  Depending on how you configured it: It will try a nmap fingerprint scan, use static OS mappings or perform a level 2 scan by using the admin shares.
  If you are using it through firewalls, the fingerprinting does not work properly.
  You will also notice that since version 2.0.3 there hasn't been any new agents developed for it. Also 2.0.5 started to upgrade all port scans etc whereas before it didn't.
  I would look to speaking to your cisco account team about the next version of Cisco IPS instead.