Issue with ACS 4.2 in Authentication

Hey guys.
I've got a problem with ACS 4.2, just in authentication.
I have a 3750 Catalyst and installed an ACS 4.2, both in one zone. They can ping each other and there is no problem in their connectivity. I've created a user called “test” in the ACS local database, defined the switch in the ACS database and configured the 3750 with the commands below:
aaa new-model
aaa authentication attempts login 10
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.149.30
tacacs-server directed-request
tacacs-server key 7 046803071F
When I try to log in via the “test” user, the problem below appears on my screen while debugging the authentication process on the switch:
Apr  1 05:29:11: AAA/BIND(00000049): Bind i/f
Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
Apr  1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing
Apr  1 05:29:11: TPLUS: processing authentication start request id 73
Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: socket event 2
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
SW48-3#
Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): get password
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD
SW48-3#
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
Just to confirm: the password is definitely correct and there is no authorization process.
I will be very thankful if someone can help me to troubleshoot this matter (or any doc that shows how to authenticate a user via ACS 4.2).
Moe

Hi Mohammad,
I think I see the problem right away.
The ACS is dropping the packet due to IP mismatch.
Check the IP addresses.
The IP that you have defined is 147.23
The IP that the device is using is 149.24
It seems that you have multiple interfaces on the device and it's using its own routing table.
If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface "
or, if you want to change this on the server end, then define 149.24 as a network device.
**Share your knowledge. It’s a way to achieve immortality.
--Dalai Lama**
Please Rate if helpful.
Regards
Ed
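An added example, not from the original thread: it parses the switch's "debug tacacs" / "debug aaa authentication" output quoted in the question and turns the TPLUS -> LOCAL -> ENABLE sequence into findings, including the AAA-client IP check Ed suggests. The sample log is a constructed excerpt of the lines quoted above; the finding codes are my own naming.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the debug lines quoted in the question
# (not a live capture). Session id 00000049, user "test", server 192.168.149.30.
SAMPLE_DEBUG = """\
Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
"""


@dataclass
class TplusSession:
    """What one login attempt looked like from the switch's point of view."""
    session_id: Optional[str] = None
    user: Optional[str] = None
    server: Optional[str] = None
    request_bytes: Optional[int] = None
    socket_errno: Optional[int] = None   # set when the READ on the T+ socket failed
    local_user_missing: bool = False     # AAA/LOCAL: user not in local database
    local_failover: bool = False         # AAA/LOCAL handed off to the next method
    final_status: Optional[str] = None   # last "Done status" of the ENABLE method


# One regex per field; group(1) carries the value where there is one.
PATTERNS = {
    "session_id": re.compile(r"AAA/AUTHEN/LOGIN \((\w+)\)"),
    "user": re.compile(r"Authentication start packet created for \d+\((\S+)\)"),
    "server": re.compile(r"TPLUS: Using server (\d+\.\d+\.\d+\.\d+)"),
    "request_bytes": re.compile(r"wrote entire (\d+) bytes request"),
    "socket_errno": re.compile(r"TPLUS\(\w+\)/\d+/READ: errno (\d+)"),
    "local_user_missing": re.compile(r"AAA/LOCAL/LOGIN\(\w+\): user \S+ not found"),
    "local_failover": re.compile(r"AAA/LOCAL/LOGIN\(\w+\): failover"),
    "final_status": re.compile(r"AAA/AUTHEN/ENABLE\(\w+\): Done status (FAIL.*|PASS)$"),
}


def parse_tplus_session(debug_text: str) -> TplusSession:
    """Scan IOS debug lines and fill in the fields above (later lines win)."""
    s = TplusSession()
    for line in debug_text.splitlines():
        for name, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if name in ("local_user_missing", "local_failover"):
                setattr(s, name, True)
            elif name in ("request_bytes", "socket_errno"):
                setattr(s, name, int(m.group(1)))
            else:
                setattr(s, name, m.group(1))
    return s


def diagnose(s: TplusSession) -> list:
    """Return (code, explanation) findings in the order the login progressed."""
    findings = []
    if s.server and s.socket_errno is not None:
        findings.append(("TACACS_READ_ERROR",
            f"{s.request_bytes} bytes were written to {s.server} but the socket read "
            f"failed (errno {s.socket_errno}) with no usable REPLY, so IOS fell through "
            "to the next method. On ACS, compare the AAA client entry with the source IP "
            "the switch really uses, or pin it with 'ip tacacs source-interface <intf>'."))
    if s.local_failover and s.local_user_missing:
        findings.append(("LOCAL_FALLBACK_NO_USER",
            f"Method 'local' ran next, but user {s.user!r} exists only on ACS, "
            "so it failed over again."))
    if s.final_status and s.final_status.startswith("FAIL"):
        findings.append(("ENABLE_METHOD_FAIL",
            f"The enable password was the last method ('{s.final_status}'); "
            "the ACS password was never checked, so fix the TACACS+ path first."))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_tplus_session(SAMPLE_DEBUG)):
        print(f"[{code}] {why}")
```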

Similar Messages

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    to start I am new to ACS so if this is an easy issue to solve please forgive me. I am trying to get Authentication working with ACS 4. I setup everything according to the instructions and when I try to test authentication with VPN concentrator I get a No active server found error. I have tried using an Internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645 but I do see Port 49 for tacacs and I also see Ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing it should be listening on 1645/6 and 1812/3
    Darra

  • Ciscoworks 3.2 login issue with ACS

    Hi All,
    I am facing an issue with logging into the CiscoWorks portal from the LMS server, which is integrated with the ACS tool.
    Now I am unable to log in to the portal with the username and password, which is already configured in the ACS server.
    I have ended up reinstalling the CiscoWorks software and restored the backup; the problem still persists. Please let me know how to fix it.
    If I reinstall it again, how would I restore the backup, since backup restoration again gives the login issue?
    If I'm using only the dcrcli exported devices list after the reinstallation, all the devices get stuck in DFM question status, hence I restored the proper backup. Now I am stuck. Please help.

    You need to sort out your DNS: get the lookup and reverse lookup working.
    Say your device is a box with
    Fa 0/0 10.10.1.1
    Lo 0    172.32.1.1
    If you get your DNS to resolve the address of port Fa 0/0 (10.10.1.1) to the DNS name "adevice.yournetwork.com".
    Next you get your DNS to resolve the name "adevice.yournetwork.com" to 172.32.1.1, which happens to be the Lo0 interface of the device.
    Then you can get LMS to use the address you want, as it is configured in DNS.
    Cheers,
    Michel

  • Dynamic VLAN assignment issue with ACS & WLC

    I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    When I attempt to authenticate a user in the ACS local user database, I receive an auth failure. I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS. Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticate with, but it reports 'CN user unknown' even though this user is in the local database.
    During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
    Am I missing something?

    I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
    I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!

  • AD Integration issue with ACS 5.1

    Hi
    I had integrated ACS 5.1 with AD successfully, but after clicking the select button in device group I am not able to see the OU list from AD. Can someone help me?

    Check if your DNS is resolving the AD domain name and giving the GC IP. If DNS is not providing the GC IP to ACS after DNS resolution, or is providing a domain controller IP which is not a GC, then you cannot see the users/groups listing after joining AD, but your AD authentication will work from ACS.
    HTH. Please rate if this resolves your query.
    Ninja

  • Replication issues with ACS for Windows 3.3.3 build 11

    I have built two ACS for Windows servers on Windows 2003 SP1. The AD environment is Windows 2003 SP1 as well. I have configured the two ACS servers on each box. However, when I go to replicate from box A to box B, the following error appears:
    Inbound database replication from ACS 'acsradius.asu.edu' denied - shared secret mismatch
    I have double checked the shared secret keys on both servers in the Network Configuration AAA servers section. Any idea what the issue is?
    Thanks.

    Do not run replication to a server installed on Windows 2003. Due to changes in the way Win2003 handles registry changes, each change can take up to 100 times longer and replication can fail and the server hang.

  • Issues with ACS replication

    We have 2 ACS appliances that are separated by a WAN.
    Both appliances are at the same software version and I have replication set up per Cisco's (as well as others') directions.
    When I run replication, I get the error "Cannot replicate to 'ciscoacs2' - server not responding".
    If I try replication in the other direction, I get the same error.
    I can ping both appliances and access the web interface from both subnets.
    There is a firewall between them, but I have port 2000 open and I do not see any other deny messages relating to the ACS replication in the firewall logging.
    I ran a sniffer on the receiving appliance's port and got the following:
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [SYN] Seq=0 Win=65535 Len=0 MSS=1380
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [ACK] Seq=1 Ack=1 Win=65535 Len=0
    10.127.80.63 10.127.101.5 TCP cisco-sccp > evb-elm [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460
    10.127.101.5 10.127.80.63 TCP evb-elm > cisco-sccp [RST] Seq=25 Win=0 Len=0
    10.127.80.63 10.127.101.5 TCP [TCP Dup ACK 1515#1] cisco-sccp > evb-elm [ACK] Seq=1 Ack=1 Win=65535 Len=0
    Logging on the devices themselves is terrible, so I really have no idea what would be causing replication to fail.
    Thanks.
    Jason

    One update if it will help. I've been doing some research and I found that ACS replication doesn't like NAT and replication will fail if the IP address is changed through NAT.
    While NAT is running on the firewall that our ACS appliance is behind, there is a static mapping to basically keep the NAT address the same. So NAT is being applied, but NAT is just giving it the same address.
    I don't know if the NAT process is what's causing the problem? Based on the sniff I posted earlier, the source address of 101.5 is the IP of the ACS appliance.
    Taking the device out from behind the firewall could be an option, but it would be a last resort because we would then need to reconfigure all of our equipment to point to the new address, and we have a lot of equipment.
    Thanks.
    Jason

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
    Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.
    Can anyone advise on troubleshooting the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change on this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact on an AD Domain.
    Hope this clarifies it.
    Regards.

  • ACS SE 4.1.1.23 patch 5 issue with users

    Hi there, I am facing a very weird issue with ACS SE 4.1.1.23 patch 5. I am trying to add users in ACS; they are added successfully, but I cannot see these users when I click list all users.
    But I can see users are increasing in groups when I add users..but when I do list all users it say there are no users defined. and I tried to login with newly created users from devices  ....I am able to login with those new users.....
    also when I go to that particular group in which I added new users....and say list users in group...I get message from ACS saying that "can not read users from group" ....
    What could be the issue? Anyone have any idea? The customer complained that he was unable to login to devices with the users created on ACS. When I looked, there were no users in the database, so I added 2-3 users by looking at old passed and failed authentications, but I don't know how the users got deleted automatically. I even tried to see the appliance audit logs and could not see anything which indicates someone deleted users.
    please help me to solve this issue..
    Thanks

    Issue resolved. The CRL that was being parsed from the cert was one level higher than the CRL that needed to be checked. The User CRL was pointing to the Intermediate CA's CRL. I had to manually change the URL from this:
    http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20Intermediate%20CA%201.crl
    to this:
    http://DOMAINvmsp.DOMAIN.xxxx-xx.edu/pkipub/DOMAIN%20User%20CA%201.crl
    Mark

  • Cisco ACS 4.2.1 authentication problem

    We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.

    Hi there,
    There is a section in the ACS 4.x where you can define if the ACS should show the dynamic users or not, make sure that this option is unchecked, for this go to External User Databases/Unknown User Policy/Configure Caching Unknown Users
    Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
    Let me know if this helps.

  • ACS 5.x with either AD or RSA Authentication depending on user

    I am trying to implement RSA two-factor authentication for our company for access to secure resources.
    Our current setup before we had RSA, due to PCI restrictions, was based on AD group membership but was still extremely restrictive on even our admin users to ensure that no secure resources could be accessed without two-factor authentication.
    I do not want to have to enable RSA tokens for our entire company - but I would like to be able to allow admins the ability to connect from the outside with two-factor authentication and have access to secure resources in an emergency.
    We have less than ten people that require elevated access privileges so my hope is to enable RSA only for those ten users, and leave the rest of the accounts authenticating normally against AD.
    I cannot figure out how to configure this.  With ACS 4.x such a policy would be simple - just create the user on ACS and point to the Identity Store that I want to authenticate against.  Not as easy with 5.x
    I tried creating a rules-based selection for the Identity policy, making RSA the first one, configuring it to drop if no user is found, and configuring RSA to treat user rejects as user not found. This broke VPN completely.
    From what I can tell it seems like ACS really wants me to choose an Identity store based on the NDG - but in this case it will always be our same ASA VPN device.
    Anyone know how to accomplish this?
    I am running 5.4 with the latest patches.

    Hope you're well!
    I am facing some access issue after completed the ACS (5.1) and AD (Windows 2003) integration, details underneath.
    The enable password for (Routers, Switches) is working fine if the identity source is "Internal Users"; unfortunately, after completing the integration between ACS and MS AD and changing the Identity source to "AD1", I got the following result:
    1. Able to access the network device (Cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

  • ACS 5.5.0.46.7 - Issues with 802.1x Binary Cross Check to AD on 2012R2

    Hey gang!
    Still in my 802.1x lab.  I have ACS serving as the authentication server, trying to authenticate EVGA PD07 zero clients to my lab AD domain utilizing EAP-TLS.
    I've set up NDES services, pushing .pem certificates to my zero clients via SCEP.  I haven't configured auto enroll yet, so I manually issue the cert from the CA, and then export the issued cert (.cer) to a file.  From there, I publish the cert with a user object in AD.
    I have the client cert / CA loaded correctly on ACS, all of the LDAP is working as far as querying groups and such is concerned, and I can authenticate the presented zero client certificate against the AD published cert using the Common Name attribute.  The only thing that doesn't work is Binary Cross Check.  The logs throw a 22056 error (subject not in applicable identity store) and reject the attempt.  As soon as I go in to the authentication profile and disable the cross check, it authenticates successfully.
    any ideas?
    Paul

    Hi ,
    setup:
    Remote client VPN (Android mobile user) ===> Fortigate (VPN Firewall) ====>> Cisco ACS (user authentication RADIUS server).

  • ACS INTERNAL USER issue with 4.2.(1) build 15

    Hi all,
                I am facing an issue with my ACS server, nothing too difficult, but which bugs me. I have an internal user; this user is able to access some Cisco devices and can't access some. There is no Network Access Restriction set for the username. The log shows that when access is granted to a device, the server maps the user to the correct user group; however, when the user fails authentication the log shows the default user group, which indicates that the user does not always map to the correct user group.
    Thanks for the help,
    Jean Paul---

    The problem you're running into clearly indicates that either a Network Access Restriction or Network Access Policy is configured for a user or group. Since you're positive that there is nothing configured on the NAR, let's narrow it down via logs.
    Duplicate the issue again with both the devices (working and non-working)
    With working devices, you would get the passed attempts >> copy and paste the log attempt as it is.
    With Non-working device, you would see failed attempt >> copy and paste the log attempt as it is.
    Regards,
    Jatin
    Do rate helpful posts-

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS+ users log into the ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell(exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role admin using the 'default-domain'.

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and put in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices also, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues.

    Hello all-
    Having an issue with the ASA devices. Here is the relevant part of the configuration:
    <aaa commands>
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host <host ip>
    key <key>
    aaa-server TACACS+ (outside) host <host2 ip>
    key <key>
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authorization command TACACS+
    The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.
    When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode with out getting the 'command authorization failed' message.
    We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any affect.
    Does anybody have any idea of what is happening?

    well well , i guess you are getting the lovely enable 15 user account on ACS failed attempts for failed authorization.
    so cool ha:)
    It is the ASA trying to force the authorization using that lovely account , what you need to overcome that is having the enable authentication done against the ACS itself.
    By adding the following command on the ASA:
    aaa authentication login console TACACS+ local
    on the ACS make sure that enable password authentication is enabled for the user.
    There you have three options: either you use the same PAP password or a separate one, or, if you are trying with a user defined on an external DB, that user's password on the external DB.
    Please Don't Forget to rate correct answers
