Cisco Secure TACACS replication failing

Hi, since we upgraded our PIX to version 7, TACACS replication has been failing with a 'server not responding' message. Nothing has changed on the servers, and I see a connection on port 2000 made through the firewall which is active for 5 mins (the timeout set on the server). Can anyone help with ideas for troubleshooting please?
thanks
Nicky

Hi,
On Pix 7.x skinny inspection is enabled by default. Skinny inspection will break ACS replication since it uses port 2000 also.
Disable skinny inspection from any policy map which is applied on pix.
Regards,
Vivek
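As an added example (not from the original thread), here is the PIX 7.x default inspection policy that causes this, the fix Vivek describes, and a narrower alternative that keeps Skinny inspection for phone traffic while exempting the two ACS servers. `global_policy` and `inspection_default` are the PIX 7.x default policy names; the ACS addresses 10.0.0.11/10.0.0.12 and the `SKINNY_PHONES` names are constructed placeholders.

```cisco
! PIX 7.x default: Skinny (SCCP) inspection is part of the global service policy.
! inspection_default matches the default inspection ports, which include tcp/2000,
! so the ACS replication session on tcp/2000 is parsed as SCCP and gets broken.
policy-map global_policy
 class inspection_default
  inspect skinny
service-policy global_policy global

! Fix 1 (what the answer describes): remove Skinny inspection from the policy
! applied to the interface(s) the ACS replication traffic crosses.
policy-map global_policy
 class inspection_default
  no inspect skinny

! Fix 2 (narrower): keep Skinny inspection for real phone traffic but exempt the
! replication session between the two ACS servers (addresses are placeholders).
! A deny entry in an ACL used by a class-map excludes that traffic from the class.
access-list SKINNY_PHONES extended deny tcp host 10.0.0.11 host 10.0.0.12 eq 2000
access-list SKINNY_PHONES extended deny tcp host 10.0.0.12 host 10.0.0.11 eq 2000
access-list SKINNY_PHONES extended permit tcp any any eq 2000
class-map SKINNY_PHONES
 match access-list SKINNY_PHONES
policy-map global_policy
 class inspection_default
  no inspect skinny
 class SKINNY_PHONES
  inspect skinny

! Verify: skinny is gone from the class the ACS flow hits, and the tcp/2000
! connection between the two servers now stays up past the replication handshake.
show service-policy
show conn port 2000
```

With Fix 2, phones passing through the firewall on tcp/2000 are still inspected; only the ACS pair falls outside the inspected class.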

Similar Messages

  • Cisco Secure ACS Appliance - Failed to edit ....Reason: The Host no longer exists.

    Hi  Team ,
    I have 2 Appliances from which I am not able to remove a particular device from a Network Device Group.
    When I try to remove the device, the following error is thrown:
    Failed to edit INMUM-VPE-T1-3rdFloor-3750-S....  Reason: The Host no longer exists.
    Appliance is running on Version: Cisco Secure ACS 4.2.0.124
    Has anyone come across such issues? Does anyone know the solution?
    Regards
    Vineeth

    Hello Vineeth
    Yes, you can do it through the GUI.
    On GUI :
    1. ACS gui > network configuration > click "search" and click "search" again.
    2. Complete list of all network device will appear. On top, you will see an option to "download".
    Download the complete file.
    Let me know if it helps.
    thanks
    Devashree Saha

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
    and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
    I've scoured Google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
    so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the Internal Error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu

  • Patch rollup for Cisco Secure ACS 4.2 fails.

    I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
    Thanks

    Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
    Also my versions are as follows:
    Server OS - Windows Server 2003 R2
    Cisco Secure ACS - 4.2.(0) Build 124
    Thanks,
    Richard Jaehne

  • Cisco Anyconnect Secure Mobility Client Fails to Install

    I've followed and contributed to posts about this problem here: https://supportforums.cisco.com/thread/2057631
    But this problem isn't only isolated to 2.5 client, so I thought a new discussion might attract a bit more attention and feedback.
    For 5 or 6 users when I try to install the client as new as version 3.0.11042 (any version, not just the newest) I get a failure:
    CustomAction VACon64_Install returned actual error code -536870348 (note this may not be 100% accurate if translation happened inside sandbox)
    Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action VACon64_Install, location: C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\VACon64.exe, command: -install "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\\vpnva64.inf" VPNVA
    MSI (s) (44:94) [16:15:05:629]: Product: Cisco AnyConnect VPN Client -- Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor.  Action VACon64_Install, location: C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\VACon64.exe, command: -install "C:\Program Files (x86)\Cisco\Cisco AnyConnect VPN Client\\vpnva64.inf" VPNVA
    Before it rolls back, I try to run the command manually which appears to do something, but doesn't fix the problem.
    This is the step that is trying to install the service VPNVA, but it fails.
    I have cleaned up all the files I know how (which registry entries might I also try?) and rebooted several times, but no luck.
    The documented Cisco solution, and what I've been telling frustrated users one after another, is "re-image your machine".
    Does someone have an idea of what else I can try?

    Thank you.
    The workaround works. Yes, using Windows 8.1.
    A HOW TO on how to set this for everyone who is not that computer savvy...
    1. Go to the Start Screen of Windows 8.1 and look for the Cisco Anyconnect Secure Mobility Client icon (or just type it on the Start Screen).
    2. Right click the icon and select 'Open file location'.
    3. Right click the Cisco Anyconnect Secure Mobility Client (Shortcut) and select 'Properties'
    4. Select the 'Compatibility' Tab.
    5. Check the box 'Run this program in compatibility mode for:' and select 'Windows 8' in the drop down.
    6. Click 'OK' to close the window.
    7. Log off and log on again (or reboot the computer).
    Note to point 5. If multiple users are using the PC with different user accounts and they're using the Cisco Secure Mobility Client as well, then go to 'Change settings for all users' and apply point 5 there. To do so you'll need administrative rights to the computer though.

  • Failed to setup Velocity Engine ... in Cisco Security Manager

    Anyone having problems trying to validate syntax in a FlexConfig in Cisco Security Manager?
    CSM version 4.4.0 SP2
    Java 1.6.0_14-b08
    I have heard that there are issues with earlier versions of Java.
    I have also heard that this problem was fixed in CSM
    Any ideas anyone?
    Adrian

    I believe this is where you need to run CSM Configuration Manager as Administrator.  I had that issue, and I think the note about this is in the Install Guide.
    HTH
    Paul

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the world's best selling remote access security solution and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
    extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

    bump

  • Cisco Secure ACS won't replicate

    Hello Community,
    I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
    They can both talk to each other, but the replication status is stuck in pending. See attachment.
    Any help will be greatly appreciated..
    Cheers
    Carlton

    Well that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
    If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server. 
    If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
    After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment.

  • About Cisco secure ACS v3.0

    HI
    I have rebuilt the TACACS server for Cisco Secure ACS v3.0 and then restored all the data via the "data restore" under the system configuration.
    After the rebuild, it was only working for one day... and then it failed to authenticate users. I checked the event viewer, and the error message is:
    ODBC authentication dll failed to initalise, code -1110
    and
    CSMon message: Problem Logging on to CSTacacs. Got as far as Starting Processing in Auth module
    any idea?
    Thanks

    Hi
    When I tried to view it, it says:
    This bug is no longer available in Bug Toolkit. Click bug ID for details.
    would you be able to provide more information for this bug please?
    Thanks
    kind regards
    Rachel

  • Features of Cisco Secure ACS Appliance

    Hi,
    I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
    There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
                o     Can known users still be authorized?
                o     Are unknown users still blocked?
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    •     Which kinds of Attacks can the ACS (alone) prevent?
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
    Thanks for all answers.
    Regards,
    taouri

    See inline answers:
    The questions I wasn’t able to answer are:
    •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
    Yes, as long as those devices support the RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to ensure it'll work.
    •     What happens if the server(s) fail?
                o     Can already authorized users still work?
    This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work
                o     Can known users still be authorized?
    In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
                o     Are unknown users still blocked?
    Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
    •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
    Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
    •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
    Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
    •     Is there (besides of the reports) some kind of status overview with the ACS?
    Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
    •     Which kinds of Attacks can the ACS (alone) prevent?
    ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
                o     Can it prevent MAC Spoofing?
                o     Can it prevent MAC Flooding?
                o     Can it prevent ARP Attacks?
                o     Can it prevent IP Spoofing?
                o     Can it eliminate rogue DHCP servers?
                o     Can it prevent STP Attacks?
    •     And the last one: What happens if I plug an unknown device into an IP-Phone? Is the switchport to which the IP-Phone is connected blocked or only the unknown device?
    This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
    http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

  • CiscoSecure ACS 4.1(1) Build 23 Patch 5 :database replication fails; possibly short timeout or dead

    Hi,
    Since some time we are struggling to get database replication working.
    On the primary server it is reporting the following in "Database Replication active.csv":
    07/21/2010 14:22:58 SZ0910 WARNING ACS 'SZ0920' not replied to replication request - possibly short timeout or dead
    07/21/2010 14:12:08 SZ0910 INFO Outbound replication cycle starting...
    In CSMon.log following is logged:
    CSMon 07/21/2010 14:12:11 A 1544 13760 Pausing the monitoring of CSAuth for duration 600
    CSMon 07/21/2010 14:12:11 A 1544 11640 Pausing the monitoring of CSLog for duration -1
    CSMon 07/21/2010 14:12:14 A 1544 13788 Pausing the monitoring of CSRadius for duration -1
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSAuth: Paused State 0 6 Event Detected Level:2 Message:Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSLog: Stopped State 0 6 Event Detected Level:2 Message:Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 0641 3248 CSRadius: Stopped State 0 3 Event Detected Level:2 Message:Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:18 A 1544 7716 Pausing the monitoring of CSTacacs for duration -1
    CSMon 07/21/2010 14:12:28 A 0904 3248 Analysis: Level 2 'Service CSAuth has been suspended for a configured function to proceed. Monitoring will suspend until the service is restarted. Service CSLog has been stopped or paused by the system. Monitoring will suspend until the service is restarted. Service CSRadius has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:33 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:12:33 A 0641 3248 CSTacacs: Stopped State 0 2 Event Detected Level:2 Message:Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted
    CSMon 07/21/2010 14:12:43 A 0904 3248 Analysis: Level 2 'Service CSTacacs has been stopped or paused by the system. Monitoring will suspend until the service is restarted. '
    CSMon 07/21/2010 14:12:48 E 0351 3248 Failed to log accounting packet to logger localCSLog
    CSMon 07/21/2010 14:22:18 A 0641 3248 CSAuth: State 0 6 Event Detected Level:4 Message:Service pause timed out. Please check the timeout settings for Replication and Backup
    I have followed this checklist: https://supportforums.cisco.com/docs/DOC-8795 to make sure configs are ok.
    But still replication fails.
    There is no firewall in between.
    Both ACS servers are running on MS Windows Server 2003, SP2.
    Can anybody help me in the right direction what could be possible cause of this or where else I can look for logging for further troubleshooting?
    Thanks in advance for your help.

    Hi,
    Also check the port number TCP 2000 this is the replication port which needs to be opened between the primary and secondary ACS.
    Hope to Help !!
    Ganesh.H

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
    So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
    After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
    Thx.

  • Authentication an admin user on AP1200 with Cisco Secure

    Hello,
    I am trying to configure a Radius authentication for an administrator logging on an AP1200 via HTTP. On the Cisco Secure ACS server I can see that the authentication was successful and with a trace I can see also the 'Radius Pass' answer coming back to the AP1200.
    Unfortunately the administrator gets no access to the AP1200 Web page, and the login window still asks for username/password. The log of the AP1200 does not give any error message.
    The software versions are following:
    AP1200 version 12.02A (the last one non-IOS available)
    CiscoSecure ACS v2.6 for Windows 2000/NT
    Release 2.6(3) Build 2
    The return packet 'Radius Pass' answer coming back to the AP1200 is the following:
    0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
    0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
    0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
    0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!g*`.y......|
    0040: ff ff ff ff |....|
    I suspect that the last ff ff ff ff (255.255.255.255) should be equal to the IP address of the AP1200 which was sent within the initial RADIUS request packet.
    Thanks in advance for your answer

    I had a similar problem with the 350 series. I received the following information that resolved my issues.
    Using RADIUS, you need to use the Cisco AV-Pair attribute for admin users with the following syntax:
    aironet:admin-capability=write+ident+admin+firmware
    Here is the procedure for defining the Cisco AV pair attributes for the admin user:
    a) On ACS select Interface Configuration and go to the Advanced Options,
    select "Per-user TACACS+/RADIUS attributes" and click Submit.
    b) On ACS, select Network Configuration:
    1) Check if you have RADIUS (IOS/PIX) available on the ACS;
    if not, add a NAS of type RADIUS (IOS/PIX). Note that this is needed for the IOS/PIX attribute.
    2) After adding the IOS/PIX device, select Interface Configuration >> RADIUS (IOS/PIX).
    Enable the [026/009/001] "cisco av-pair" option; again make sure that you enable it
    at user and group level, then click Submit.
    3) Add a user (User Setup >> Add/Edit) to restrict administrator access control:
    enable and configure the cisco 09\001 cisco av-pair using
    aironet:admin-capability=write+ident+admin+firmware
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 on a standalone Windows 2003 Enterprise server with the latest Windows service pack and updates. Secure ACS is running fine and I can authenticate with Cisco routers and switches. The Windows 2003 server is also running Microsoft IIS Server. In other words, the IIS server and Cisco Secure ACS are running on the same Windows 2003 server.
    I am trying to get Cisco User-Changeable Password to work with Cisco Secure ACS. I followed the release notes line by line and the workaround provided below:
    Also the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
    The name of the Windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
    password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in Windows 2003 to be "ALLOWED" by EVERYONE. In other words, there is NO security on the Windows 2003 server.
    It is still NOT working.
    The other question I have is: can Cisco UCP allow a user to change his/her enable password?
    Can someone help? Thanks.

    Yes bastien,
    Thank you.
    But one thing more I want to know: on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for username and password.
    I've given it several times, also going through the Administrator account with administrative credentials, but it always fails.
    Any suggestions/solution/?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • Cisco security Manager Backup error

    I am getting the below error after the backup in Cisco Security Manager 3.2:
    [Sun Dec 20 00:00:05 2009]  ERROR(313): D:/backup.LOCK file exists
    Most probably another backup process is running
    [Sun Dec 20 00:00:05 2009]  Backup failed: 2009/12/20 00:00:05
    I have deleted the backup.LOCK file and tried again, but it gives the same error.
    Can anyone help me with this?
    thanks in advance.

    Update:
    When performing the same action through the client interface, rather than from the server interface, the backup has appeared to work.
    Is this a feature?
    Needless to say I was able to run a backup.
    Steve
