Integration problem between Cisco Seure ACS 4.2 with LDAP

Hi expert,
I have a problem with the integration between Cisco Secure ACS 4.2 with SUN Java System Directory (LDAP). During the integration, I noticed that user failed to authenticate against LDAP via Cisco Secure ACS. The error message is "Authentication Type is not supported by external DB". In this case the "external DB" refer to LDAP. Anyone of you having an experience on integration on both product before? Can any of you give me some pointers about this. Attached are both screen capture on my ACS server.
Thanks very much,
Daniel

Hi,
Thanks for the compatibility chart. Oh dear ..., it seems that the LDAP does not supports PEAP (EAP-MS CHAPv2) at all. Am not sure if the latest LDAP (particularly for SUN Java System Directory) able to support this authentication protocol.
Just to clarify with you all just in case if you wonder what I'm trying to do; our company wants to implement 802.1x over the network. So, every staff on the network must authenticated before able to access the network resources. Our Linksys switches supports this standard including Cisco switches of course. Our RADIUS server is Cisco Secure ACS 4.2 but all those users information including username and passwords are stored in our directory server (LDAP) which is SUN Java System Directory.
Since most of our staff machines are running on XP and Vista, the only available authentication method (beside certificate based) is PEAP (EAP-MSCHAPv2). Based on the compatibility chart, the generic LDAP does not supports this authentication protocol as what we noted the "authentication type not supported by external database" error message in the ACS logs.
From what I learned that the latest LDAP (version 3.0?) able to support this authentication protocol, but yet to be confirmed on my further research.
So... Anyone can advice me on this matter? Thanks very much !

Similar Messages

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
    this error means the external server might not correctly configured on ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay

  • Cisco Secure ACS 4.2 with Oracle

    hi there...
    Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco  1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113  Appliance as radius server. For username and password, ACS will export the data from Oracle database(production DB).
    The problem that we are facing right now is password that store in oracle database is in  encrypted format. Base feedback from our database administrator, the  encryption is done by oracle - application layer and cannot be decrypt  back. In Oracle they call it "Oracle Stored Procedures"
    My questions :
    1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
    2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
    Please advice.
    Thanks

    Microsoft SQL Server and Case-Sensitive Passwords
    If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
    For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
    For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
    Sample Routine for Generating a PAP Authentication SQL Procedure
    The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id (`dbo.CSNTAuthUserPap') and
                             sysstat & 0xf = 4)drop procedure dbo.CSNTAuthUserPap
                             GO
                             CREATE PROCEDURE CSNTAuthUserPap
                             @username varchar(64), @pass varchar(255)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username
                             AND  csntpassword  = @pass )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
                             GO
    Sample Routine for Generating an SQL CHAP Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTExtractUserClearTextPw') 
                             and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
                             GO
                             CREATE PROCEDURE CSNTExtractUserClearTextPw
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error",csntpassword
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
                             GO
    Sample Routine for Generating an EAP-TLS Authentication Procedure
    The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                             if exists (select * from sysobjects where id = object_id(`dbo.CSNTFindUser') and 
                             sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
                             GO
                             CREATE PROCEDURE CSNTFindUser
                             @username varchar(64)
                             AS
                             SET NOCOUNT ON
                             IF EXISTS( SELECT  username
                             FROM  users
                             WHERE  username  = @username )
                             SELECT 0,csntgroup,csntacctinfo,"No Error"
                             FROM  users
                             WHERE  username  = @username
                             ELSE
                             SELECT 3,0,"odbc","ODBC Authen Error"
                             GO
                             GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
                             GO
    Reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420

  • Integration problem between ACS 5 and AD 2012

    Hi Guys,
    ACS 5.5 is installed on SNS-3415 appliance.
    Integration with Active Directory 2012 has been successfully completed.
    The problem which I'm facing that i can't see all the groups of AD under ACS, i see only few of them.
    Also if i created new Group in AD, i can't see it in ACS.
    I tried to add it manually on ACS, but still it is not working.
    Any clue?
    Regards,
    Rami

    Hi Rami,
    what kind of group is it. ACS support only LOCAL & GLOBAL groups.

  • Communication problem between Cisco 3560 and Cisco SG300.

    Dear Support,
    I have a Cisco SG300 and Cisco 3560 switches.
    3560 is my Core Switch and SG300 is access switch.
    From 3560 VLAN information is not passed to SG300.
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Please suggest how this issue is resolve.
    Regards,
    JItesh Mahajan.

    Dear Aleksandra,
    Below Configuration is right or wrong for 3560 and SG300.
    3560 Configuration:
    interface GigabitEthernet0/23
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan remove VLAN 1
    switchport native vlan 1
    switchport trunk allowed vlan 1,2,10,11
    switchport mode trunk
    SG300 Configuration:
    interface gigabitethernet49
    spanning-tree link-type point-to-point
    switchport mode general
    switchport general allowed vlan add 2,10-11 tagged
    macro description switch
    Regards,
    JItesh Mahajan.

  • Integration problem between oracle forms 10g and oracle report 10g

    Hi!
    I've got any error message "Unable to connect to the report server "server name"" when a oracle report is run using run_report_object in the oracle form under oracle form developer 10g. Please advise any settings are required in order to run the report. Thank you very much.
    Best Regards
    Pinga

    The report server is running as the report can be run via URL in the brower. However, it prompts out the error when it is called by oracle form using the run_report_object.

  • Cisco Secure ACS 4.1 with Windows Database

    I have ACS 4.1 integrated with Windows Database (check mark in allow Remote DialIn).
    When we terminate a employee do I have to also delete their ACS User Profile?
    If I delete the user in AD will they automatically delete the user in ACS?
    Where can I read more about this?

    Hi,
    If you delete the user in AD, then it would not authenticate the user even if the dynamic mapped user exists in the ACS database, as the password would not be verified from the AD for the user.
    The dynamically mapped user entry would still exist in ACS and would not get deleted if the user is deleted from AD.
    tnx
    somishra

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi ,  I have an ACS and Open-LDAP server running on my company network.
    Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
    first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
    then, I'm moving on external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, also select it on access service.  but when I tried to authenticate from my computer, an error was occurred. I received : 
    the following error 22056 Subject not found in the applicable identity store (s)
    Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
    so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?  
    any suggestion ?
    thanks

      This is the log when using windows 7 as authentication client (Failed) :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
    12300  Prepared EAP-Request proposing PEAP with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12302  Extracted EAP-Response containing PEAP  challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version  0
    12800  Extracted first TLS record; TLS handshake  started.
    12805  Extracted TLS ClientHello  message.
    12806  Prepared TLS ServerHello  message.
    12807  Prepared TLS Certificate  message.
    12810  Prepared TLS ServerDone  message.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12318  Successfully negotiated PEAP version  0
    12812  Extracted TLS ClientKeyExchange  message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS ChangeCipherSpec  message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished  successfully
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP  method
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11522  Extracted EAP-Response/Identity for inner  EAP method
    11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the  authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore -  xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    22056  Subject not found in the applicable identity  store(s).
    22058  The advanced option that is configured for  an unknown user is used.
    22061  The 'Reject' advanced option is configured  in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication  failed
    11520  Prepared EAP-Failure for inner EAP  method
    22028  Authentication failed and the advanced  options are ignored.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using 1841 router as authentication client (succeded)  :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be  used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -  LDAPyyyy
    24031  Sending request to primary LDAP  server
    24015  Authenticating user against LDAP  Server
    24022  User authentication  succeeded
    22037  Authentication Passed
    22023  Proceed to attribute  retrieval
    22038  Skipping the next IDStore for attribute  retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore -   xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.
    so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
    is there anything I can do to make it work ?

  • Cisco Secure ACS 4.0 Solution engine problem

    Hi,
    I have a probleme with a Cisco Secure ACS 4.0 Solution Engine (CSACSE-1113-K9).
    I try to power up the engine, but the light in the power button stay blinking all the time. Anyone have a idea why ?
    Last week, I boot it for the first time (It's brand new), every things goes fine.
    I made " shutdown " then wait the message to press 4 seconds power button to turn it off. This morning, nothing come up.
    I see one thing in the console "Press <SpaceBar> to update BIOS." after that, blank. No bios detection, no harddrive dectection, no windows boot.
    Any idea ?
    Thank you

    No, I'm sur.
    Then we have version 1113 of ACS.
    See: http://www.cisco.com/application/pdf/en/us/guest/products/ps6731/c2001/ccmigration_09186a008068f7bd.pdf
    Page 32(1-8) #2.
    I let the engine off about 6hours after my first post, then I try back. The engine start.
    What can cause this problem ?

  • Integration between Cisco VOice gateway & Ericcsion MD110 EPBX

    Hi
    Need to know what parameters needs to match in between Cisco VG & Ericcsion PBX while integration(india off is going to connect through MPLS link(E1) via VG to US, in US we have avaya PBX)
    We have a E1 connection (trunk) between VG & PBX.
    Also need physical connectivity details like cross or stratght cable details.
    Send important doc link also
    Regards
    Naga.

    Hello,
    the pinout for the router is documented at at:
    http://cisco.com/en/US/products/hw/modules/ps2641/products_module_installation_guide_chapter09186a008007cb4c.html
    You will need to configure both PBXs for ISDN PRI as described at;
    http://cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a00800ca716.html
    Note the correct command is "isdn incoming-voice voice" and not "modem" as the documentetion wrong in this.
    Hope this helps, please rate post if it does!

  • Cisco Secure ACS 3.3(1) - 4.0(1) upgrade problems

    Hi all!
    I'm having problems upgrading my primary ACS from version 3.3 -> 4.0
    I always get the following error message while it's doing the upgrade:
    "The CiscoSecure ACS folder appears to be locked by another application: C:\Program Files\CiscoSecure ACS v3.3
    Please close any applications...blabla.."
    The thing is, I upgraded my backup ACS first and that upgrade worked like a charm.
    In both cases, both for the primary and backup I do a remote takeover with Dameware, copied the ACS 4 folder to the hard drive of the server and do the upgrade from that folder.
    As I said, the backup server upgrade worked without a hitch.
    This is what I've tried:
    1. I've verified that NO application is using the ACS 3.3 folder and no explorer window is open on that folder or subfolders.
    I verified this by using a small program called Filemon.exe from Sysinternals. According to that program nothing was accessing said folder.
    I also verified it again by actually renaming the ACS 3.3 folder after I shut down all the ACS services. I could not rename the folder if the services were started.
    2. I've tried to stop the ACS services first and then do the setup, got the same error.
    3. I disabled the antivirus software, got the same error.
    I'm basically at my wits end now...
    I have two options though:
    1. Un-install ACS 3.3, do a clean install of ACS 4.0 and import the all data from the backup ACS.
    Wouldn't that bring up the primary ACS with the backup ACS config? So I'm guessing I would need to go over it afterwards and do changes where appropriate ?
    2. Do a backup of the ACS 3.3 with csutil -b
    Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r
    Would that work? I've seen conflicting information here in this forum, some say it works, other say it doesn't.
    I'm pretty much confused why this worked so well on the backup ACS but fails on the primary ACS.
    Any help would be greatly appreciated!
    Thanks!
    Ivar Thorolfsson

    Hi,
    The folder lock message is often seen if the logs in the ACS directory are too big.
    Move the Logs from the following Directories :-
    CSAdmin\Logs
    CSAuth\Logs
    CSDBSync\Logs
    CSLog\Logs
    CSMon\Logs
    CSRadius\Logs
    CSTacacs\Logs
    Logs
    Then try to upgrade.
    Regards,
    Vivek

  • Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

    To Whomever Can Assist,
          I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can login into the admin web-console just fine.  However, when I create a new or test user that mirror my configuration that user cannot login to the admin web-console.  The user can login it to devices with the appropriate privileges, but can't administer his/her account within ACS.  This has proven very problematic and needs a remedy.  Thanks for the assistance.

    Bradbryant.dhs,
    Where are you creating the new admin user who should have access to ACS web gui under internal users or administration.
    Internal user and ACS administrator accounts are completely different. 
    Adding administrator account
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...

  • Cisco Secure ACS wont' replicate

    Hello Community,
    I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
    They can both talk to each other, but the replication status is stuck in pending. See attachment.
    Any help will be greatly appreciated..
    Cheers
    Carlton

    Well that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
    If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server. 
    If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
    After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment.

  • Routing issue between Cisco Nexus and Cisco 4510 R+E Chassis

    We have configured Cisco Nexus 7K9 as core and Cisco 4510 R+E as access switches for Server connectivity.
    We are experiencing problem in terms of ARP learning and Ping issues between Cisco Nexus and end hosts.

    Hi,
    So you have N7k acting as L3 with servers connected to 4510?.
    Do you see the MAC associated with failing ARP in 4510?. Is it happening with all or few servers?. Just to verify if it is connectivity issue between N7k and 4510, you can configure an SVI on 4510 and assign address from same raneg (server/core range) and perform a ping.
    This will help narrow down if issue is between server to 4510 or 4510 to N7k.
    Thanks,
    Nagendra

Maybe you are looking for

  • How to get a running balance on a report

    How do I get a running balance for one customer. Please look at the data set as a example and advise.  Customer A  Apples 1.00 Paid Customer A Pears 2.00 Paid Customer A Oranges 2.50 Open Balance  2.50 What expression am I to use in report builder  T

  • How to get Mail to stop rewriting addresses in mail headers

    Here is the scenerio: - I have an address book entry for "Bob and Alice Smith" with an email address "[email protected]" - Bob sends me email. He has his email client set up to send a From: line to be "Robert Smith <[email protected]>" to differentia

  • Help required in the code

    CREATE OR REPLACE procedure pt_load_withouttran1(tabname in varchar2 , tabname2 in varchar2, condition in varchar2) is --tabname varchar2(100) := 'atlanta_operator'; -- tabname2 varchar2(100) := 'pt_atlanta_operator'; sql_text varchar2(2000) := 'decl

  • Attachment file type .vcf not shown when send by android gmail

    When thunderbird 31.3.0 receives a .vcf attachment (contacts list made by android phone contacts) send from android gmail, it shows the attachment icon next to the list of new messages, but when opening it disappears. In the message no attachment sho

  • How can I get the tabs to stop showing the pages I just visited

    I don't want the sites/pages I visited to show up in thumbnails. How can I get this to stop?