LMS 3.2 and ACS 5.1 authentication issues

Similar Messages

• 802.1x between Switch 3750 and ACS 4.2 Authentication faild --need help

  I configured the Switch 3750 and ACS for 802.1x authentication.
  when I used the windows as the 802.1x client, it prompted "click here to enter user name and pasword for the network " as normal.
  The problem is that after I entered username and password (i am sure i enter the identical username and password as in ACS) the authentication failed,
  What is the most possibly problem?
  Thx in advance!!!
  The configuration is Sw3750 is:
  aaa new-model
  aaa authentication login default local
  aaa authentication enable default line
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet1/0/18
  description Link to test 802.1x
  switchport access vlan 119
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  spanning-tree portfast
  radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
  radius-server source-ports 1645-1646
  radius-server key keepopen0
  In the ACS:
  Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
  user setup -->real name:test1, password: test1.
  Attached is the debug information

  What do you see in acs failed attempts?

• ACS 5.2 Authentication Issue with Local & Global ADs

  Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
  - Wireless Users >> Cisco WLC >> ADs <-- everything OK
  - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
  Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
  Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
  For the user from the old group, authentication is ok.
  For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
  Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
  Can anyone advice to troubleshoot the issue?
  Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
  How can we check or make sure it?
  Thanks ahead,
  Ye

  Hello,
  There is an enhacement request open already:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
  ACS should be able to query only desired DCs
  Symptom:
  Currently on 5.0 and 5.1, the ACS queries the  DNS with the domain, in order to get a list of all the DCs in the domain  and then tries to communicate with all of them.If the connection to even one DC fails, then the ACS connection to the domain is declared as failed.A lot of customers are asking for a change on this behavior.
  It  should be possible to define which DCs to contact and/or make ACS to  interpret  DNS Resource Records Registered by the Active Directory  Domain Controller to facilitate the location of domain controllers.  Active Directory uses service locator, or SRV, records. An SRV record is  a new type of DNS record described in RFC 2782, and is used to identify  services located on a Transmission Control Protocol/Internet Protocol  (TCP/IP) network.
  Conditions:
  Domain with multiple DCs were some are not accessible from the ACS due to security/geographic constraints.
  Workaround:
  Make sure ALL DCs are UP and reachable from the ACS.
  At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhacement request will include a feature on which we can specify the appropriate the Domain Controllers the ACS should contact on a AD Domain.
  Hope this clarifies it.
  Regards.

• WLC4402 and ACS receives double authentication request with MS client

  I have a 4402 wlc, ACS 3.3 and we use Microsoft client with WPA-TKIP/MSChapv2.
  We hardly connect to the WLAN, but after 10 minutes we are disconnected.
  We are migrating from LEAP to PEAP, so we create two profiles in the WLC.
  LEAP connects good, but PEAP fails.
  In the ACS log I can see a double authentication request.
  Any idea?

  but that doesen't solve the problem on the ACS right?! On the ACS I have to configure the device with the ip address and the EAP type (ex. "Cisco Aironet" for LEAP or "Cisco IOS/PIX" for PEAP), and how do that?
  Thanks for your feedback

• LMS 2.6 and ACS 4.2 compatible with Windows 2008 R2 Active Directory?

  Hi,
  We are planning to upgrade CORP Domain from Windows 2003 Active Directory Schema to Windows 2008 R2 Active Directory Schema.
  I wanted to know if the following applications which are installed on windows (domain member servers) are compatible with windows 2008 server R2 schema?
  CiscoWorks LAN Management Solution 2.6
  Cisco Secure Access Control System 4.2
  Cisco Fabric Manager 1.5
  Any help is much appreciated!

  - CiscoWorks LAN Management Solution 2.6 - Not supported and this software is EOS-EOL.
  www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_end-of-life_notice0900aecd80532c07.html
  - Cisco Secure Access Control System 4.2 - Not supported either:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041324
  - Cisco Fabric Manager 1.5 - Was not able to find anything for version 1.5 and not really familiar with this product.  However, according to the below not even version 4.2(7d) supports 2008:
  www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/fm/release/notes/20325_10.html#wp657668

• LMS and ACS intergration

  Currently we have a ACS 4.2 install in our infrastructure.  We are rolling out Ciscoworks 3.1 and are thinking of upgrading to 4.0.
  Is there a set of recommendations for SNMPv3 and AAA?  More specifically, we are considering RBAC controls and wondering about standards for AAA authorization should be used?  Also what standards for the read write views? Finally syslogging commands.  Is logging informational too much or is logging events better.
  Thanks
  wharrison2000

  If you are considering upgrading to LMS 4.0, then ACS isn't really a consideration.  While LMS 4.0 can use any TACACS+ server for authentication (including ACS), the authorization will be handled internally to LMS.  That is, no ACS integration is required.
  There really isn't any leading practice when it comes to SNMPv3.  It depends on what you want to protect.  If protecting the credentials is sufficient, then you can stick with authNoPriv.  In this case, the SHA-1 hash will offer a bit more security.  If you do want to encrypt the SNMP payload, consider using AES-128 as the privacy algorithm as it is more standard.
  With syslog, it really depends on the messages you need to log as to what logging level you should use.  Are there any informational messages you need to log that are critical to your organization.  If so, then you definitely need to go with logging level 6.  If everything you need is sev 5 and higher, then stick notifications.

• Cisco ACS 5.2 authentication against multiple LDAP servers

  Hi Folks,
  I have a wireless network that uses ACS 5.2 to handle authentication.   The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment.    The authentication flow looks like this:
   - User tries to associate to WLAN
   - Authentication request is sent to ACS
   - Service selection rule chooses an access-policy (wireless_access_policy)
   - wireless_access_policy is configured to use my_ldap as identity source.
  A sister company is about to move into our offices, and will need access to the same WLAN.    Users in the sister company are members of a separate AD domain (sister_company_ldap).    I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful.     Is this possible?

  Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
  You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).

• Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed

  Hi,
  I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
  ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
  Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
  I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
  tacacs-server key 7 "xxxxxxxxxxxxx"
  aaa group server tacacs+ tac_admin
    server xx.xx.xx.xx
  aaa authentication login default group tac_admin local
  aaa authentication login console group tac_admin local
  aaa accounting default group tac_admin

  Hi,
  Since the ACS is receiving the request.
  Could you please ensure that In ACE on every context (including Admin and other) you have  following strings:
  tacacs-server host x.x.x.x key 7 "xxx"
  aaa group server tacacs+  tac_admin
     server x.x.x.x
  aaa authentication login default group  tac_admin local
  aaa authentication login console group  tac_admin local 
  aaa accounting default group x.x.x.x
  On ACS side for group named "Network  Administrators" you should configure in TACACS settting:
  1. Shell  (exec) enable
  2. Privilege level 15
  3. Custom attributes:
             shell:Admin*Admin default-domain
      if you have additional  context add next line
            shell:mycontext*Admin  default-domain
  After  loging to ACE and issuing sh users command you should see following
  User             Context                                                                  Line     Login Time   (Location)        Role   Domain(s)   
  *adm-x        Admin                                                                    pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts.

• 802.1x - ACS authentication issue.....

  I will attempt to explain the history of our wireless controller configurations as best I can.  We are currently using a 4400 controller running 7.x software which authenticates to and ACS 4.1 appliance.  All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place so I'm trying to piece it together.  The ACS is setup to map to AD for specific groups. 
    In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to.  Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks.  The reason for this is those ip networks can reach certain services that are not allowed for general users.  ACS maps those users upon authentication to the Vlans associated with those separate ip networks.
  Problem 1.  When I first took this job, users could not map drives or any services because only user authentication was taking place..After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script
  Problem 2.  Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not.  Upon further investigation it was discovered that the reason they are not is that the authentication is not correct.  When the computer first authenticates before the user logs on its shows in ACS as host/xxxxx.yyyy.org where the user authentication shows as xxxxx/username .  So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.
  Please help.  I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

  Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
    The topology that I know of is this.  Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's.  In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing.  Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?).  Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects.  Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
    I am very familiar with other wireless products and controllers such as Aruba.  In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication.  In the Aruba we used the windows supplicant.  I'd like to do the same with Cisco. 
    As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate.

• Wireless Virtual LAN - SSID and ACS User Mapping

  Hi Everybody
  We have the following senario:
  - WLC 4402 and ACS 3.3
  - 2 SSID's , One for Emploies - one for gests
  - All users are (guest and emploies) are authentication against the ACS Server.
  We would like to only permit Guest users to use the Guest SSID.
  I've been reading the Wireless Virtual LAN Deployment Guide :
  http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
  and have tried to use methode 1.
  - RADIUS-based SSID access control:
  "Upon successful 802.1X or MAC address authentication, the RADIUS server
  passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
  "This is configured by enableling the ?[026/009/001] cisco-av-pair? option. On the ACS Server
  - Enable and configure Cisco IOS/PIX RADIUS Attribute,
  009\001 cisco-av-pair
  - Example: ssid=LEAP_WEP"
  I've tried this, but regardless of wich SSID the user(-group) has configured, it sill can access all SSID's?
  Does anyone have any idea of what I'm doing wrong?
  Does this setting only apply to Accesspoint, or is it also valid for the WLC 44xx series?
  Greetings
  Jarle

  Hi I'm sorry but this still does not help.
  We have now upgraded ACS to version 4.0 and I'm still having the same problems.
  This is what i have configured:
  WLC:
  - WLAN
  - SSID : Public
  - WLAN id = 3
  - L2 Security : 802.1x
  - Interface Name : GuestVLAN
  - Controller - Interface
  - management - Untagged
  - GuestVLAN - VLAN 112
  - Security
  - RADIUS Servers
  When authenticating a Guest(belonging to the proper group in acs) - the right VLAN is used, IP Adresses from DHCP is recieved, and the Guest can access internet.
  Switch:
  - Port connected to WLC uses Trunking.
  - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
  ACS:
  - AAA Client is the WLC, Authenticating using Cisco Airespace
  - Guest Users are member of Group 11
  - Private Users are member of Group 1
  Group 11
  - Use Per Group NAR to only allow WLAN Access
  - Cisco Airespace RADIUS Attributes
  x 14179\001 - Aire-WLAN-ID = 3
  - Cisco IOS / PIX RADIUS Attributes
  x 009\001 Ciso-av-pair = "ssid=Public"
  - IETF Radius Attributes
  x 006 Service Type = Login
  x 007 Framed-Prot = ppp
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 112
  Group (default Group)
  - Cisco Airespace RADIUS
  x 14179\001 Aire-WLAN-ID = 1
  - Cisco IOS/PIX Radius Attrib
  x 009\001 Cisco-av-pair = "ssid=Private"
  - IETF RADIUS
  x 008 Service-type = Login
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 1
  Do you have any idea of what i should change?
  Greetings
  Jarle

• 802.1x, 350AP, 3550 Switch, and ACS 3.0

  Yikes!
  Whatta mess I got myself into! Im trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement Radius, 802.1x port authentication on a Cat 3550 switch, and mac address athuentication for wireless clients. The idea was:
  1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
  2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
  Confused? I am too, help!
  Thanks

  Nilesh, Thanks for the reply.
  But I do have a few further questions if you are willing:
  1. Getting the AP to use 802.1x and talk with the radius server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize the LEAP is just cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
  2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
  I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
  1. Access point is plugged into 3550 and uses 802.1x authentication with radius through the switch. Once the switchport is authorized, then the wireless clients can try to associate with AP. To do this the MAC address of the client , is sent to ACS for authorization and when authorized allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
  Whew.

• Incompatibility issue - WLC 5508 and ACS 5.4

  Hi,
  This is my scenario:
  Cisco WLC 5508 firmware 7.4.110.20 and ACS 5.4, two WLAN eap/tls, many client  can't connect to WLAN and on ACS i receive the following error:
  Authentication failed : 11051 RADIUS packet contains invalid state attribute
  workaround:
  1 -Check the network device or AAA Client for hardware problems.
  2-known RADIUS compatibility issues.
  3-Check the network that connects the device to ACS for hardware problems
  there are some incompatibility issue between WLC and ACS ? the compatibility matrix document for wireless imposes the 7.5 firmware for WLC.
  What do you think is possibile ?

  Are there any other errors shown in the details of the failed authentication?
  We may need to look at service logs in debug mode, opening a TAC case would be the best way to go about this.
  Javier Henderson
  Cisco Systems

• Using Active Directory and ACS for Concentrator 3000 VPN

  Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
  Below is my understanding, I appeciate any help to piece some or all the below together
  (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
  (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is reponsible for network access control for the specific groups and enforces these controls to the users via the concentrators.
  (3) Concentrator is the NAS, and ACS is the RADIUS server
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
  (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
  (5) A single "Tunnel Group" is created on the concentrator
  (6) Mulpile Groups, per corporate infosec policies are created on the AD
  (7) Mulpile Groups, per corporate infosec policies are also created on ACS, need to match with what're in the AD
  TIA.

  In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
  When the WLC sends an authentication request to the  ACS, it will include  the SSID that the user is connecting to, in the  attribute  Calling-Station-Id(31). We can use this information to create  multiple  rules in ACS 5.x in order to take actions based on the  information  contained in the attribute.
  Under the  Users and Indetity Stores > click on Directory Groups > select  > check the group name you want to add and hit ok. Save the changes.
  We  just need to  create a DNIS rule that includes the name of the SSID and  use it as a  condition in any rule that we create for authentication.  The * is  required because the attribute not only contains the SSID but  also a MAC  address so the * is use as a regular expression.
  Now go to access-policies > default-network access > identity should be AD1.
  Go  to authorization > click on customize > move the  AD1:ExternalGroups and end-station filter attribute on the right side  and hit ok.
  After that slect the appropriate ad group for teachers and end-station filter.
  Save changes.
  Jatin Katyal
  - Do rate helpful posts -

• Cisco Works LMS R3.1 with ACS R5.1

  I search on internet about the AAA integration between LMS R3.1 y ACS R5.1, and all the information that I found it's related to ACS R4.1. It's possible to integrate with ACS R5.1.
  Regards and thanks in advanced
  Luis Martinez

  Nael,
  Sorry to batter you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2 and from the support page of CISCO I just can donwload the following version LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but i got an error that saids "LMS R3.2.1 needs LMS R3.2 installed on the server"
  Could you please tell me where can I download the complete and initial LMS R3.2.
  Thanks in advanced for your kindly help.
  Luis Martinez

• Two standalone ACS for TACacs authentication

  Dear All,
  I am having a network consists of some 30 routers and I have 2 ACS 5.3 appliances.
  I am planing to configure the acs (a,b) boxes in the standalone mode .
  and i want to configure both the acs as the TACACS server in all my routers
  with ACS A as the primary in some routers and ACS B as the primary in some routers.
  and there is no configuration sync between the ACS boxes.
  Does this setup will have any issue in authentication in case if any of the acs fails ....
  thanks in advance ...
  Selva

  There will be no issue, unless the configuration is not same. My personal opinion distributed deployment is the best method if you are planning to keep more than one ACS with in a domain.