Cisco ACS Rogue IP Address issue
We have had rogue IP 192.168.0.1 in use for quite a while; I traced it through MAC tables to the ACS. Only one connection (cable) is used, which is already using 192.168.0.35 as it should, but is also using 192.168.0.1.
I have confirmed this by failing to ping 192.168.0.1 with the ACS unplugged. The rogue IP address is not listed anywhere in the GUI; it must be on the CLI somewhere. I do not have access to the CLI, or any idea what the issue could be.
Hi teymur,
I am assuming that you are working with ACS version 5.5. Please go through the following link, which covers all the information regarding step-by-step configuration of backup deployment and licensing in ACS 5.5.
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/user/guide/acsuserguide/viewer_sys_ops.html#wp1052728
Similar Messages
-
Issue with Cisco ACS 4.2: users unable to log in to AAA client, but able to log in after restarting group policy
-
Cisco ACS 5.2 with NX-OS devices (Nexus) - User issues
Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus devices.
I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.
When I use that same User1 account on our Nexus devices, I do NOT get privilege 15 access. As you probably know, Nexus devices have roles: pre-defined or custom-made. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).
So then I tried to tweak User1 and give it network-admin under Shell Profile >> Custom Attributes. I logged into the Nexus and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc.) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.
Has anyone ever run into this problem? Please Help!
Thanks,
neocec
Neocec,
Yes, here is the documentation that provides insight into this (they make reference to the = and the *):
http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473433
Thanks,
Tarik -
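The "=" versus "*" distinction the reply points to is the TACACS+ rule for mandatory versus optional authorization attributes, and it explains both symptoms in the thread: a mandatory shell:roles attribute that IOS/ASA does not understand fails the whole authorization, while an optional one is ignored there and still applied by NX-OS. The following is an added example, not code from the thread or from Cisco; the per-platform attribute tables (IOS/ASA understanding priv-lvl, NX-OS understanding shell:roles) and the vdc-operator fallback are assumptions taken from the description above, not a complete list.

```python
"""
Added example (not from the thread above): how a TACACS+ client treats the
attribute-value pairs in an authorization reply.

RFC 8907 section 6.1: 'name=value' marks an attribute as mandatory and
'name*value' as optional. A client that does not understand a mandatory
attribute must treat the authorization as failed; it may ignore an
optional one it does not understand.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Avp:
    name: str
    value: str
    mandatory: bool


def parse_avp(text: str) -> Avp:
    """Split on the first '=' or '*'; '=' means mandatory, '*' optional."""
    seps = [i for i in (text.find("="), text.find("*")) if i != -1]
    if not seps:
        raise ValueError(f"not an attribute-value pair: {text!r}")
    i = min(seps)
    return Avp(text[:i], text[i + 1:].strip('"'), mandatory=(text[i] == "="))


# Attributes each platform knows how to apply (assumption for this example).
UNDERSTOOD = {
    "ios": {"priv-lvl"},                  # IOS, IOS-XE, ASA, PIX
    "nxos": {"priv-lvl", "shell:roles"},  # NX-OS role-based access
}


def apply_authorization(platform: str, avps: list[str]) -> dict:
    """Return what a NAS of the given platform does with the reply AVPs."""
    applied: dict[str, str] = {}
    for raw in avps:
        avp = parse_avp(raw)
        if avp.name in UNDERSTOOD[platform]:
            applied[avp.name] = avp.value
        elif avp.mandatory:
            # Unknown mandatory attribute: the whole authorization fails,
            # which is why the IOS/ASA logins broke in the thread.
            return {"ok": False, "applied": {},
                    "reason": f"mandatory attribute {avp.name!r} not understood"}
        # Unknown optional attribute: silently ignored.
    return {"ok": True, "applied": applied, "reason": ""}


def nxos_role(result: dict) -> str:
    """Role NX-OS ends up with: shell:roles if present, otherwise the
    read-only default the thread reports (vdc-operator); an assumption."""
    return result["applied"].get("shell:roles", "vdc-operator")


if __name__ == "__main__":
    mandatory = ["priv-lvl=15", 'shell:roles="network-admin"']
    optional = ["priv-lvl=15", 'shell:roles*"network-admin"']
    for label, avps in (("mandatory", mandatory), ("optional", optional)):
        for platform in ("ios", "nxos"):
            print(label, platform, apply_authorization(platform, avps))
```

Run it and the "mandatory" form fails on the IOS platform while the "optional" form succeeds everywhere and still yields network-admin on NX-OS, which is the combination a single shell profile for mixed IOS and NX-OS devices needs.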
Issue with certificate on Cisco ACS
We are wanting to authenticate our internal wireless users using our Cisco ACS running 5.3. The ACS will poll our Active Directory environment for the username and password provided. I created a CSR on the ACS and provided it to Entrust. They provided me with a root, chain and server certificate. I bound the server certificate to the CSR under System Administration > Local Server Certificates > Local Certificates. I then added the chain and root certificates under Users and Identity Stores > Certificate Authorities. When I try to connect on a client laptop it asks for a username and password, but after entering that information I am presented with the below certificate warning. This certificate is from Entrust and I see the root certificate in the root store on the laptop. Any ideas what would cause this? TAC does not seem to have any answers. They say it is a client machine problem.
From the problem description, it's clear that you're attempting to connect users on a wireless network via PEAP. From the ACS standpoint, your configuration looks good. However, I'd like to know which certificates you have installed on the client side. Do we have the complete chain installed on the client, including the Root CA and intermediate (if any)? Would you mind emailing me your complete certificate chain for my reference?
Also, let me know what OS and supplicant we are running on the end client.
~BR
Jatin Katyal
**Do rate helpful posts** -
ACS 5.0 having issues with different subnet AAA Clients
Dear All,
I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS, but those in different subnets cannot.
I have checked the firewall between them; it allows any any with all services.
One more thing I have faced today is that now only one switch (10.1.2.10) can access the ACS, but other switches in the same subnet (10.1.2.0/24) can't access the ACS, the same as the previous issue.
Following are the logs of the one switch (10.1.2.10) in a different subnet that can access the ACS:
Working Switch with Same configuration:
SW-A#test aaa group tacacs+ test cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
SW-A#
*Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
*Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
*Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
*Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
*Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
*Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
SW-A#
*Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
*Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
*Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
*Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
*Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
*Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
*Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Logs from the switch in the same subnet (10.1.2.20) which cannot access the ACS:
SW-B#test aaa group tacacs+ test cisco legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
SW-B#
*Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
*Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
*Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
*Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
*Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
*Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
*Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
SW-B#
*Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
*Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
*Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
*Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
*Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
*Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
Waiting for your responses.
Regards,
Anser
Ok, cool,
So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.
I would guess that the ACS is reporting unknown NAS...
Can you please use the "ip tacacs source-interface" command to make sure the switch sources the TACACS+ packets from the interface with the IP address that you have configured on the ACS?
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Extra server on cisco ACS engine
I'm a bit curious about the way the cisco ACS engine (the cisco-built hardware) sets up servers initially. Most of the documentation I have is for windows, so I was a bit confused when, after the initial configuration there were two "AAA Servers" shown in the configuration, one called "Self" with the IP address I defined, and the other with the name I defined and a different address.
Has anyone else encountered this? Will it cause problems? and is there a way to get rid of it?
Thanks
That is a known issue with the ACS appliance, but nothing to worry about. Make sure you have this setting in ACS:
ACS ---> Network Configuration ---> Proxy Distribution Table ---> bring Deleverance1 into the Forward To box and your server name in the left box.
In case you don't see the Proxy Distribution Table, you need to enable it:
Interface Configuration ---> Advanced Options ---> put a check in Distribution Table.
Regards,
~JG
Please do rate helpful posts -
ACS 5.2 reporting issue
Dear,
Concerning the user field (and others too), is it possible to use some sort of wildcard?
I am having a hard time making reports for several users, for example :
I want to make a "radius session history" report for all PCs starting with host/PO1212.
How do I do this? I can't imagine this isn't possible in ACS.
Lieven Stubbe
Belgian railways
Hi,
We have been testing wireless telephony with Ascom i62 wireless handsets using EAP-TLS. Initial dot1x authentication is successful. Reauthentication sometimes fails on Cisco ACS Version 5.2.0.26.5.
The same error message was displayed:
22047 Principal username attribute is missing in client certificate
Only rebooting the phone fixes this issue.
Are we hitting bug CSCtn26538 ?
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary
Best regards,
Peter -
How to hide line console parameters through Cisco ACS
Hi,
Can any one of you please help me in the following scenario ?
I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user-level privileges through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he has privilege level 7 access.
Can you please help me out with how to achieve this? Your help in this regard is highly appreciated.
Thanks
This is possible with local authorization on an IOS device. With ACS this is not possible.
In ACS you can set which commands a specific user can issue. That feature is called command authorization.
For show run you need to give priv 15. ACS works in a different way than setting up local priv levels on a router/switch.
The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
Note: having priv 15 does not mean that the user will be able to issue all commands.
We will set up command authorization on ACS to have control over users.
This is how your config should look:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
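With the device configuration above, every command a priv 15 user types (including config-mode commands, because of `aaa authorization config-commands`) is sent to ACS as a command word plus arguments and answered by a command set. The following is an added example, not code from the reply or from ACS: a small evaluator for an ACS 5-style command set (rows of grant, command and argument regex, plus the "permit any command not in the table" switch). The evaluation order used here (Deny Always rows win, otherwise the first matching row decides, unmatched commands fall back to the set's switch) is a simplified reading of the ACS 5 behaviour, and the sample set and commands are constructed to match the scenario in the question: a user who is priv 15 on the box but may neither view nor touch line configuration.

```python
"""
Added example (not from the reply above, not ACS code): evaluating an
ACS 5-style TACACS+ command set against commands an IOS device sends
for 'aaa authorization commands 15'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    grant: str      # "permit", "deny" or "deny_always"
    command: str    # command word, compared case-insensitively
    args: str = ""  # regular expression searched in the argument string


@dataclass
class CommandSet:
    rules: list[Rule]
    permit_unmatched: bool = False  # "Permit any command that is not in the table"

    @staticmethod
    def _matches(rule: Rule, cmd: str, args: str) -> bool:
        return (rule.command.lower() == cmd.lower()
                and re.search(rule.args, args) is not None)

    def authorize(self, line: str) -> bool:
        """True if the command line is permitted by this set."""
        cmd, _, args = line.strip().partition(" ")
        hits = [r for r in self.rules if self._matches(r, cmd, args)]
        if any(r.grant == "deny_always" for r in hits):
            return False          # Deny Always beats any permit (assumption)
        if hits:
            return hits[0].grant == "permit"  # first matching row decides
        return self.permit_unmatched


def example_command_set() -> CommandSet:
    """Constructed set: operator at priv 15 who may not view or edit lines.
    IOS sends commands with full keywords, so 'show run' arrives as
    'show running-config' (assumption documented for this example)."""
    return CommandSet(
        rules=[
            Rule("deny_always", "show", r"^(running|startup)-config"),
            Rule("deny_always", "line"),        # line con/aux/vty ... in config mode
            Rule("permit", "show"),
            Rule("permit", "configure", r"^terminal$"),
            Rule("permit", "interface"),
            Rule("permit", "description"),
            Rule("permit", "exit"),
            Rule("permit", "end"),
        ],
        permit_unmatched=False,
    )


def evaluate_session(cmdset: CommandSet, lines: list[str]) -> dict[str, bool]:
    """Map each command line to its authorization result."""
    return {line: cmdset.authorize(line) for line in lines}


if __name__ == "__main__":
    session = [
        "show ip interface brief",
        "show running-config",
        "configure terminal",
        "line vty 0 4",
        "interface GigabitEthernet0/1",
        "debug ip packet",
    ]
    for line, ok in evaluate_session(example_command_set(), session).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {line}")
```

The point the reply makes is visible in the output: privilege 15 is only the entry ticket, and the command set decides per command. The `show` permit row still lets the user run other show commands, but `show running-config` and any `line ...` command are denied, and an unlisted command such as `debug ip packet` is denied because the set does not permit unmatched commands.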
[Cisco ACS 5.2] Windows XP - EAP-TLS error
Hi,
We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
We just replaced RADIATOR with Cisco ACS 5.2 .
A few computers with Windows XP SP3 have this error: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
Description:
While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
Resolution Steps :
Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
If it was a known issue, we would have this error for other computers, but we don't (fortunately).
The wireless profile is sent to computers using GPO, so they trust the ACS server certificate...
Do you know how to correct this issue on the XP supplicant? I can't find this issue on Google.
Thanks for your help,
Patrick
Patrick,
One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like you to verify that.
If that doesn't fix the issue then we will have to proceed to taking a Wireshark capture on the client and running a few debugs on the ACS.
Thanks,
Tarik Admani -
Cisco ACS 5.3 patch 8 OPT Volume
Hello,
We currently have 12 ACS appliances, with one of them being a dedicated Log Collector. We have 802.1x authentication configured for both network ports and wireless access. We are authenticating desktops, laptops, smart phones, etc. on our network.
The problem we are having is the OPT volume exceeding the 30% volume size recommended by Cisco TAC every few months. We have recently added more network resources to our network (merger). We are now hitting the 30% size in about 1 month.
In the past we have called Cisco TAC when we had issues with Log Collector performance. At that time it was also authenticating 802.1x clients. We added a new appliance and made it a dedicated Log Collector. They would check the OPT volume and find that it was at about 70% use size. They would run the Root Console patch and delete the DB and then recreate it. We have done that about 2 times before we started to monitor the OPT volume size.
This last time we ran into the 30% volume size quicker than we have previously. I had Cisco TAC delete the OPT volume and recreate it.
Cisco TAC has recommended we reduce the amount of logs that are being sent to the Log Collector. We are currently exploring that option.
The questions I have are:
At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
Is there something else we can do to reduce the amount of logs that are being sent to the Log Collector?
We have Data Purging set to 30 days. We are performing Full and Incremental backups of the database. We are also sending the local logs to a Syslog server.
We are testing making changes to send only the AAA Audit and System Statistics logs to Log Collector.
Thanks,
In a distributed setup, it's recommended to configure a dedicated secondary server as a log collector. However, you have a large deployment, so I'm sure the authentication rate would be high too, causing the view database size to keep on increasing.
In order to prevent running out of disk space we need to manage it. That means identifying the files that are created and written to by processes on the system, allocating a space budget to them such that if the files stay within their budget all services can be supported without interruption, and then defining and implementing facilities to keep those files within their budget.
There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database. In Patch 6 a new option is provided to do an on-demand purge as well.
2. Compress: This mechanism frees up unused space in the database without deleting any records. Previously the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically, when specific criteria are met.
At what percentage size for the OPT volume should we be concerned before it starts impacting the performance of the Log Collector?
TAC recommendations are right. You will be able to utilize all features of ACS if /opt is below 30%.
Is there something else we can be do to reduce the amount of logs that are being sent to the Log Collector?
It seems you're using most of the features/mechanisms to keep /opt low. However, you may be interested to read more on the data purging and data compression enhancements: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html
- Please use System Administration > Configuration > Log Configuration > Logging Categories > Global to configure sending only the required logs to the ACS View log collector.
- Provide the fresh screenshot of the page Monitoring Configuration > System Operations > Data Management > Removal and Backup.
- With the below listed commands you can check the actual and physical size of the MnT database:
acs-config
Username: acsadmin
Password: ***********
acsview show-dbsize
There are a few known defects on the same issue. However, the version you're running improves the database management processes.
CSCto47203: ACS 5 runs out of disk space
CSCua51804: View backup fails even when there is space in disk
Jatin Katyal
- Do rate helpful posts - -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating a Cisco 4710 ACE appliance.
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on ACS 4.2, and there was no log of the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request:
Could you please ensure that in the ACE, on every context (including Admin and others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
On the ACS side, for the group named "Network Administrators", you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to the ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
Cisco ACS 5.4.0.46.6 - Cannot join to domain
I am not able to join Cisco ACS to the domain. I get the error "wrong domain". Nslookup resolves the domain correctly. The ACS troubleshooting adcheck shows the error below:
ADGC : Check Global Catalog servers
: There is no GC in site "INGUA"
: It is recommended that a GC exist in each site.
Checked with the AD team and they confirm that a GC does exist at this site. It is Windows 2008 R2. I am able to telnet to the required ports from the ACS console. Tried applying the latest patch. Tried re-imaging the ACS server. Still the issue remains. Any help appreciated.
Cisco Application Deployment Engine OS Release: 2.0
ADE-OS Build Version: 2.0.3.063
ADE-OS System Architecture: i386
Copyright (c) 2005-2011 by Cisco Systems, Inc.
All rights reserved.
Hostname: ZINGUA6001
Version information of installed applications
Cisco ACS VERSION INFORMATION
Version : 5.4.0.46.6
Internal Build ID : B.221
Patches :
5-4-0-46-6
Hi Minakshi,
I performed the update before your post and I tested without deregistering all servers.
So far, all was good.
I had no issue and the update took me very little time without following the full UPGRADE procedure.
The command also had a rollback for the update, so I took the risk.
This is certainly not the case for upgrade, but update seems easier.
Kind regards.
Steve -
Hi Everyone,
I have a Primary Cisco ACS, called CiscoACS1, version 5.4 patch 6 with an IP address of 1.1.1.1/24 and a Secondary ACS, called CiscoACS2, version 5.4 patch 6 with an IP address of 1.1.1.2/24.
Connectivity between them is ok, same subnets. I register CiscoACS2 with CiscoACS1 and everything is working fine, including Active Directory. Both of these ACSes are used to authenticate my network devices.
Every time I use the webUI to log into the Secondary ACS (https://CiscoACS2), I can see that the CiscoACS2 is synced with CiscoACS1, the status is always "UPDATED"
However, if I webUI into the Primary ACS (https://CiscoACS1), I always see CiscoACS2 as "pending".
I've tried to do "full replication" and eventually it will show up as "UPDATED" but a few hours later, it will show up as "PENDING".
Anyone knows why? Is this a "bug"?
Thanks in advance.
Hi,
If the replication status on the ACS1 GUI is showing pending, then you know: full replication happens over the Sybase DB TCP port 2638, so that port needs to be open in the firewall. -
Cisco ACS 4.2.1 authentication problem
We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.
Hi there,
There is a section in ACS 4.x where you can define whether the ACS should show the dynamic users or not; make sure that this option is unchecked. For this, go to External User Databases / Unknown User Policy / Configure Caching Unknown Users.
Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
Let me know if this helps. -
Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server
Hi,
I would very much appreciate it if anyone can share their experience. Thanks in advance.
Issue:
I am trying to configure the ACS SE 4.2 to authenticate using RSA SecurID Token Server.
Problems encountered:
Authentication failed. In the failed attempts log the error "External Database not operational" was next to the login name.
In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".
Questions:
1. Please kindly advise how I should resolve this problem.
2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?
Troubleshooting steps I have done:
Below are the steps I took to set up the external DB.
1. Verified sdconf.rec is not a garbage file using the Test authentication function in the RSA client.
2. FTPed sdconf.rec in the external database configuration. (Had used Wireshark and confirmed the file transferred successfully.)
3. Defined the unknown user policy to check the RSA SecurID Token Server to authenticate.
Thank you.
I have NO experience with ACS SE 4.2 and RSA SecurID Token Server, BUT I have experience with Cisco ACS 4.1 running on Windows 2003 SP2 Enterprise Edition and RSA SecurID Token Server.
All the troubleshooting you've done is correct.
In Windows 2003 running Cisco ACS, you can install the test authentication RSA client, and with that you can verify that the setup is correct (by verifying that the sdconf.rec is not corrupted).
One thing I can think of is that when you set up the ACS SE box, under external database, configure unknown user policy, did you check it to tell how to define users when they are not found in the ACS internal database? Did you select RSA SecurID token server?
Other than that, from what I understand, you've done everything correctly.