MARS 6.0.5 with ACS SE 4.2.1 both as an AAA authentication server and as a reporting device

Hi all,
I want to use the ACS SE to authenticate MARS users. As per the User Guide: Admin -> System Setup -> Authentication Configuration -> AAA Server Configuration -> Add. I only have two options: "Add AAA server on new host" and "Add AAA server on existing host". There is no "Add AAA server on an ACS SE appliance" option. Ok, so I add an AAA server on a new host, using the IP address of the ACS SE as the access/reporting/interface IP. I add the "Generic AAA Server" application to the host, I add the AAA server as the primary AAA server in the "Authentication Method", I configure the MARS as a RADIUS client on the ACS SE, and everything works as expected. MARS users authenticate without any issues.
The problem is that I want to use the ACS SE as a reporting device, also.
I cannot add it as an "ACS SE 4.x" device, because the reporting IP is already in use by the AAA host created earlier.
Another approach is to install the ACS SE Remote Agent on a computer, but I'm not sure how it works. Let me know if this is correct:
- on the ACS SE, I don't configure syslog logging to the MARS appliance. Instead, I add the remote agent in the Network Configuration, and I configure remote logging to the remote agent
- on the MARS appliance, I add the remote agent as an "ACS SE 4.x" device.
- but then, how do I configure the remote agent to send syslog to the MARS?
Does this sound right?
Another unrelated question: is there a way to use the SNMP agent inside CS ACS from MARS? There is no place to configure an SNMP community string neither under host configuration, nor under ACS SE 4.x configuration.
Any help appreciated. Thanks!

You don't need to configure the Remote Agent for logging from ACS SE to MARS. The Remote Agent's function is to send syslog messages to a Windows host, because ACS SE is an appliance which can't hold many logs as they grow. Remote Agent logging is also only supported on ACS SE.
You can log syslog messages directly from ACS SE to MARS as follows:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp914601
This is the configuration on ACS SE:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/device/configuration/guide/cfgAaaSv.html#wp914172
SNMP is not supported for ACS SE:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/compatibility/local_controller/dtlc60x.html#wp75381
Here is a little reading on Remote Agent for ACS SE:
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html
Hope the above helps.

Similar Messages

  • My email account in Mail.app is IMAP, but when I delete emails, they don't delete from other devices connected to the mail server with IMAP. Mail deleted on other devices is removed from the server, and thus from the other devices, as normal.

    MacBook Pro, late 2011 version. Up to date Mountain Lion.
    My email account in the Mail.app is set up as IMAP, but when I delete emails in the Mac Mail App, they are not deleted from the mail clients of the other devices that are connected to the mail server with IMAP. IMAP works perfectly between Windows Outlook 2010, iPad Mail App and Android default mail client. Deleted messages behave correctly, as in delete from one device and the mail is deleted from all devices.
    Having just tested in reverse order on the Mac, emails deleted from the email client on Windows, iPad and Android are not deleted in the Mac Mail App. It appears that the account is behaving like POP rather than IMAP.
    Any advice on how to have IMAP work correctly on the MacBook Pro Mail.app?
    Thank you.

    Hi Csound1, thanks. The email host is 1and1.co.uk, however, i am going to fess up and make myself look like a plonker now -
    the email account in question was set up in Outlook as POP - stupid, stupid, stupid me, wasted an afternoon on this! I have now changed the Outlook account to IMAP and Mail.app works perfectly - and looks much nicer than Outlook did. I'm in the middle of converting from Windows to a Mac, and still finding my way around the Mac.
    The lesson learned, never assume - always double check! All my other email addresses with 1and1 are all IMAP, except this one, and it happened to be the first one I set up in the Mail.app. (bows head in disgrace!)
    Thank you anyway for attempting to help me!
    Cheers

  • My memory has quickly filled up with "other" since using Lightroom 5, both on my MacBook Pro and iMac. Can someone help?


    My guess is that your operating system got updated to Mavericks and that you are running an old version of Lightroom:
    Sliders are white, look different | Mac OS X 10.9 Mavericks
    Be aware of a Lightroom bug with color management in mavericks that makes shadows too deep in the Develop module: Jao's photo blog: Serious color management bug in Mac OS 10.9 "Mavericks" and Jao's photo blog: Further quantification of the Mavericks color management problem.

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an SSH or HTTP connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • I cannot get my iMac with built-in airport to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is completely off.  What to check next?

    I cannot get my iMac with built-in airport wi-fi to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is disabled.  What to check next?

    On an additional note, I've purchased a wireless router and everything connected on the first attempt.  It just vexes me that the built-in wireless isn't working as a router.  Is this another example of "Mac only plays with Mac"?

  • MARS 5.2.7 integration with ACS 4.1

    Hello
    I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
    Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
    Thank you very much
    Best regards Antonello.

    Hi,
    LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
    By default, if a user does not have an account in LMS, they will receive the Help Desk role
    Please check the below link:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
    Thanks-
    Afroz
    [Do rate the useful post]

  • 802.1x with ACS 4.2 (RADIUS) problem

    Hi all!
    I am trying to configure AAA authentication and authorization with a Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client (trying to assign VLAN 100 in my scenario).
    When the user connects to the router, it passes the authentication process (EAP-MD5). In my debug I see that the router receives the RADIUS attributes BUT does not apply anything!
    My running config:
    Building configuration...
    Current configuration : 1736 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname R4
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    !
    aaa session-id common
    memory-size iomem 5
    ip cef
    !
    no ip domain lookup
    ip domain name lab.local
    ip device tracking
    !
    dot1x system-auth-control
    !
    interface FastEthernet0/0
     ip address 10.10.0.253 255.255.255.0
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet1/0
     dot1x port-control auto
    !
    interface FastEthernet1/1
    !
    interface FastEthernet1/2
    !
    interface FastEthernet1/3
    !
    interface FastEthernet1/4
    !
    interface FastEthernet1/5
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan100
     ip address 192.168.100.1 255.255.255.0
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    mac-address-table static 0800.27b1.b332 interface FastEthernet1/0 vlan 1
    !
    radius-server host 10.10.0.2 auth-port 1645 acct-port 1646 key cisco
    radius-server vsa send accounting
    radius-server vsa send authentication
    My Radius debug information:
    *Mar  1 00:21:31.487: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.491: RADIUS: ustruct sharecount=2
    *Mar  1 00:21:31.491: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.491: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.491: RADIUS: Request contains 9 byte EAP-message
    *Mar  1 00:21:31.491: RADIUS: Added 9 bytes of EAP data to request
    *Mar  1 00:21:31.495: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.507: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/3, len 127
    *Mar  1 00:21:31.511: RADIUS:  authenticator 36 68 24 30 F0 CC E8 3C - 69 48 61 E3 DA 28 52 AC
    *Mar  1 00:21:31.511: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.511: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.511: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.515: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.515: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.515: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.515: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.515: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.515: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.515: RADIUS:  EAP-Message         [79]  11
    *Mar  1 00:21:31.515: RADIUS:   02 1D 00 09 01 75 73 65 72                       [?????user]
    *Mar  1 00:21:31.515: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.515: RADIUS:   B1 8B 8F 4C F1 6D C9 A6 4E 96 B8 3D 53 E9 41 12  [???L?m??N??=S?A?]
    *Mar  1 00:21:31.555: RADIUS: Received from id 1645/3 10.10.0.2:1645, Access-Challenge, len 93
    *Mar  1 00:21:31.555: RADIUS:  authenticator DF 38 A1 1B ED 3C 1E B2 - 1A 92 6A D5 58 CE B8 4A
    *Mar  1 00:21:31.555: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.555: RADIUS:   01 1E 00 1A 04 10 BE BA B4 B0 26 9D 52 0E 43 BC  [??????????&?R?C?]
    *Mar  1 00:21:31.555: RADIUS:   33 46 8E A8 C6 45 47 4E 53 33                    [3F???EGNS3]
    *Mar  1 00:21:31.555: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.555: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.559: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.559: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.559: RADIUS:   22 C8 D5 BB 44 FC FC 14 D3 2C C9 42 A3 9B A4 9E  ["???D????,?B????]
    *Mar  1 00:21:31.563: RADIUS: Found 26 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.563: RADIUS: Received 26 byte EAP Message in reply
    *Mar  1 00:21:31.587: RADIUS: Pick NAS IP for u=0x65BAF324 tableid=0 cfg_addr=0.0.0.0
    *Mar  1 00:21:31.587: RADIUS: ustruct sharecount=1
    *Mar  1 00:21:31.587: Radius: radius_port_info() success=1 radius_nas_port=1
    *Mar  1 00:21:31.587: RADIUS: added cisco VSA 2 len 15 "FastEthernet1/0"
    *Mar  1 00:21:31.591: RADIUS: Request contains 26 byte EAP-message
    *Mar  1 00:21:31.591: RADIUS: Added 26 bytes of EAP data to request
    *Mar  1 00:21:31.591: RADIUS/ENCODE: Best Local IP-Address 10.10.0.253 for Radius-Server 10.10.0.2
    *Mar  1 00:21:31.591: RADIUS(00000000): Send Access-Request to 10.10.0.2:1645 id 1645/4, len 171
    *Mar  1 00:21:31.591: RADIUS:  authenticator 0A A2 1F 7C 12 A8 AB F7 - 9F 87 C6 51 A4 0D EA A2
    *Mar  1 00:21:31.595: RADIUS:  NAS-IP-Address      [4]   6   10.10.0.253
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port            [5]   6   0
    *Mar  1 00:21:31.595: RADIUS:  Vendor, Cisco       [26]  23
    *Mar  1 00:21:31.595: RADIUS:   cisco-nas-port     [2]   17  "FastEthernet1/0"
    *Mar  1 00:21:31.595: RADIUS:  NAS-Port-Type       [61]  6   X75                       [9]
    *Mar  1 00:21:31.595: RADIUS:  User-Name           [1]   6   "user"
    *Mar  1 00:21:31.595: RADIUS:  Calling-Station-Id  [31]  19  "08-00-27-B1-B3-32"
    *Mar  1 00:21:31.595: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar  1 00:21:31.595: RADIUS:  Framed-MTU          [12]  6   1500
    *Mar  1 00:21:31.595: RADIUS:  State               [24]  27
    *Mar  1 00:21:31.595: RADIUS:   45 41 50 3D 30 2E 31 66 66 2E 39 38 36 2E 31 3B  [EAP=0.1ff.986.1;]
    *Mar  1 00:21:31.595: RADIUS:   53 56 43 3D 30 2E 31 35 3B                       [SVC=0.15;]
    *Mar  1 00:21:31.595: RADIUS:  EAP-Message         [79]  28
    *Mar  1 00:21:31.595: RADIUS:   02 1E 00 1A 04 10 AA 09 8E 39 DE 29 E4 CC C6 BC  [?????????9?)????]
    *Mar  1 00:21:31.595: RADIUS:   7F 01 C8 47 EC 74 75 73 65 72                    [???G?tuser]
    *Mar  1 00:21:31.595: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.595: RADIUS:   33 57 82 E2 5C 24 A2 8C 67 CC 0D 8C 25 12 74 13  [3W??\$??g?????t?]
    *Mar  1 00:21:31.731: RADIUS: Received from id 1645/4 10.10.0.2:1645, Access-Accept, len 90
    *Mar  1 00:21:31.731: RADIUS:  authenticator A0 0E DF D7 87 FD 9E B6 - BB 64 04 4F 56 2A 03 89
    *Mar  1 00:21:31.735: RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    *Mar  1 00:21:31.735: RADIUS:  EAP-Message         [79]  6
    *Mar  1 00:21:31.735: RADIUS:   03 1E 00 04                                      [????]
    *Mar  1 00:21:31.735: RADIUS:  Tunnel-Type         [64]  6   01:VLAN                   [13]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Medium-Type  [65]  6   01:ALL_802                [6]
    *Mar  1 00:21:31.739: RADIUS:  Tunnel-Private-Group[81]  6   01:"100"
    *Mar  1 00:21:31.739: RADIUS:  Class               [25]  22
    *Mar  1 00:21:31.739: RADIUS:   43 41 43 53 3A 30 2F 35 62 31 2F 61 30 61 30 30  [CACS:0/5b1/a0a00]
    *Mar  1 00:21:31.739: RADIUS:   66 64 2F 30                                      [fd/0]
    *Mar  1 00:21:31.739: RADIUS:  Message-Authenticato[80]  18
    *Mar  1 00:21:31.739: RADIUS:   75 BC F2 E0 91 07 6C 12 4D 5C BB 50 A4 FD D3 26  [u?????l?M\?P???&]
    *Mar  1 00:21:31.739: RADIUS: Found 4 bytes of EAP data in reply (ofs 0)
    *Mar  1 00:21:31.739: RADIUS: Received 4 byte EAP Message in reply
    As a result, the VLAN switch database does not change.
    Any help will be appreciated!
    Thanks a lot,
    Chelovekov Alexander

    I've tried multiple ways to cope with this problem but nothing was helpful...
    Tunnel-Medium-Type  [65]  6   01:ALL_802
    I use only ACS RADIUS attributes and chose only what ACS allows me to choose (Tunnel-Medium-Type: 802).
    Screenshot in attachment.
    The same situation occurs when I try to use some Vendor Specific Attributes (Cisco-AV-Pair) - downloadable ACEs to my user, and again, I see RADIUS attributes in my debug but nothing is applied to my L3 switch.
    What am I missing?

  • Using Multiple AD domains with ACS

    Hi,
    Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location, but the users will be from different domains and I was hoping to use a single appliance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
    In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
    Thanks in advance
    Jason

    Hi Javier,
    I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains? I don't want to have to establish trusts between different domains.
    Kind regards
    Jason

  • 802.1x with ACS does not correctly work

    Hello
    I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows Domain Controller which has the users configured.
    I have a group mapping in ACS configured which points to a small group in the ADS.
    The group mapping in ACS points to a specific group in ACS.
    There I've configured the following:
    [009\001] cisco-av-pair
    - ssid=xx-200 (the name of the SSID the clients connect)
    [006] Service-Type
    - Login
    [007] Framed-Protocol
    - PPP
    [025] Class
    - OU=pers; (this is not the special group where those users are in, but they are also in this one)
    [064] Tunnel-Type
    - Tag 1 Value Vlan
    [065] Tunnel-Medium-Type
    - Tag 1 Value 802
    [081] Tunnel-Private-Group-ID
    - Tag 1 Value 200 (the Vlan in which they should go)
    The good thing is, authentication with username password works.
    The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
    The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
    The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
    Here is the WDS configuration:
    aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
     server 10.1.1.30 auth-port 1645 acct-port 1646
     server 10.1.2.30 auth-port 1645 acct-port 1646
    !
    aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
    aaa authentication enable default enable
    aaa session-id common
    !
    radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server retransmit 2
    radius-server timeout 18
    radius-server deadtime 1
    radius-server vsa send accounting
    !
    wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
    wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
    ssid xx-200
    The access point config:
    aaa authentication login METHOD_RAD_WDS_CLIENT group radius
    aaa authentication enable default enable
    aaa session-id common
    !
    dot11 ssid xx-200
       vlan 200
       authentication open eap METHOD_RAD_WDS_CLIENT
       authentication network-eap METHOD_RAD_WDS_CLIENT
       authentication key-management wpa
    !
    interface Dot11Radio0
     encryption vlan 200 mode ciphers aes-ccm
     broadcast-key vlan 200 change 60
     ssid xx-200
    !
    interface Dot11Radio0.200
     description
     encapsulation dot1Q 200
     no ip route-cache
     no cdp enable
     bridge-group 200
     bridge-group 200 subscriber-loop-control
     bridge-group 200 block-unknown-source
     no bridge-group 200 source-learning
     no bridge-group 200 unicast-flooding
     bridge-group 200 spanning-disabled
    !
    interface FastEthernet0.200
     description
     encapsulation dot1Q 200
     no ip route-cache
     bridge-group 200
     no bridge-group 200 source-learning
     bridge-group 200 spanning-disabled
    I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
    Thanks,
    pato

    I have finally found something to look into :/
    000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
    000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
    000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
    000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
    This is with various debugging active on the WDS. And this might be the reason why it doesn't work.

  • Issue with ACS 4.2 in Authentication

    Hey guys.
    I've got a problem with the ACS 4.2, just in authentication.
    I have a 3750 Catalyst and installed an ACS 4.2, both in one zone. They can ping each other and there is no problem in their connectivity. I've created a user called "test" in the ACS local database, defined the switch in the ACS database and configured the 3750 with the below commands:
    aaa new-model
    aaa authentication attempts login 10
    aaa authentication login default group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable
    tacacs-server host 192.168.149.30
    tacacs-server directed-request
    tacacs-server key 7 046803071F
    When I try to log in via the "test" user, the below problem appears on my screen while debugging the authentication process on the switch:
    Apr  1 05:29:11: AAA/BIND(00000049): Bind i/f
    Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
    Apr  1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing
    Apr  1 05:29:11: TPLUS: processing authentication start request id 73
    Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
    Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: socket event 2
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
    SW48-3#
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
    Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): get password
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
    Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
    Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD
    SW48-3#
    Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
    Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
    Just to confirm, the password is definitely correct and there is no authorization process.
    I will be very thankful if someone can help me troubleshoot this matter (or any doc that shows how to authenticate a user via ACS 4.2).
    Moe

    Hi Mohammad,
    I think I see the problem right away.
    The ACS is dropping the packet due to IP mismatch.
    Check the IP addresses.
    The IP that you have defined is 147.23
    The IP that the device is using is 149.24
    It seems that you have multiple interfaces on the device and its using its own routing table.
    If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface "
    or if you want to change this on the server end, then define, 149.24 as a network device.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed
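    The sequence in the switch debug above (request written to the server, a read error, then the method list falling through to local and enable) can be picked out of a capture mechanically, which is useful when many sessions are mixed together. The script below is an added example and not code from the thread or from Cisco; the debug lines in it are constructed to mirror the switch output above, and reading "errno 32" as the server closing the TCP connection is an assumption of the example, stated in the comments.

```python
"""
Classify an IOS 'debug tacacs' / 'debug aaa authentication' capture per AAA
session: did the TACACS+ server answer, close the connection, or never get
the request, and did the method list fall through to local credentials?
Added example, not from the thread; the log lines below are constructed to
mirror the switch output in the thread, they are not a real capture.
"""
import re
from collections import defaultdict

# AAA session id, e.g. "TPLUS(00000049)" or "AAA/AUTHEN/LOGIN (00000049)"
SESSION_RE = re.compile(r"\((?P<sid>[0-9A-Fa-f]{8})\)")
USER_RE = re.compile(r"packet created for \d+\((?P<user>[^)]+)\)")
SERVER_RE = re.compile(r"TPLUS: Using server (?P<server>[\d.]+)")

# Event markers that matter for the verdict.  "errno 32" on the read is taken
# to be EPIPE, i.e. the peer closed the TCP connection; that interpretation is
# an assumption of this example.
EVENT_PATTERNS = [
    ("request_sent",       re.compile(r"wrote entire \d+ bytes request")),
    ("socket_error",       re.compile(r"/READ: errno \d+")),
    ("local_user_missing", re.compile(r"AAA/LOCAL/LOGIN.*user \S+ not found")),
    ("local_failover",     re.compile(r"AAA/LOCAL/LOGIN.*failover")),
    ("enable_failed",      re.compile(r"AAA/AUTHEN/ENABLE.*FAIL")),
]

# Constructed to mirror the thread's debug: one login attempt, session 00000049.
SAMPLE_DEBUG = """\
Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
Apr  1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing
Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
""".splitlines()


def collect_sessions(lines):
    """Group the capture by AAA session id; TPLUS lines without an id belong
    to the most recently seen session."""
    sessions = defaultdict(lambda: {"user": None, "server": None, "events": []})
    current = None
    for line in lines:
        if (m := SESSION_RE.search(line)):
            current = m.group("sid")
        if current is None:
            continue
        s = sessions[current]
        if (m := USER_RE.search(line)):
            s["user"] = m.group("user")
        if (m := SERVER_RE.search(line)):
            s["server"] = m.group("server")
        for name, pattern in EVENT_PATTERNS:
            if pattern.search(line):
                s["events"].append(name)
                break
    return sessions


def verdict(sid, s):
    """Turn one session's events into a verdict a practitioner can act on."""
    ev = s["events"]
    sent = "request_sent" in ev
    closed = (sent and "socket_error" in ev
              and ev.index("socket_error") > ev.index("request_sent"))
    # The method list moved on to 'local' / 'enable': the login was decided by
    # credentials on the box, not by the TACACS+ server.
    fell_back = "local_failover" in ev or "enable_failed" in ev
    if closed:
        kind = "server_closed_connection"
        detail = ("server %s accepted the TCP connection and the request, then "
                  "closed the socket without a reply; check its AAA client entry, "
                  "the shared key and the source address the switch really uses"
                  % s["server"])
    elif sent:
        kind, detail = "no_reply", "request written, no reply or error in capture"
    else:
        kind, detail = "undetermined", "no TACACS+ request written in this session"
    return {"session": sid, "user": s["user"], "server": s["server"],
            "verdict": kind, "fell_back_to_local": fell_back, "detail": detail}


def classify(lines):
    """Map session id -> verdict dict for every session in the capture."""
    return {sid: verdict(sid, s) for sid, s in collect_sessions(lines).items()}


if __name__ == "__main__":
    for v in classify(SAMPLE_DEBUG).values():
        print(v["session"], v["verdict"], "local fallback:", v["fell_back_to_local"])
        print("  ", v["detail"])
```

    The `fell_back_to_local` flag is the part worth alerting on: with `aaa authentication login default group tacacs+ local enable`, a server that is reachable but rejects the client makes every login silently succeed or fail against the local and enable passwords instead of the central policy.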

  • WPA2 enterprise, Can not authenticate with ACS

    Hi, I am setting up WPA2 Enterprise for wireless users with PEAP authentication, but cannot get the authentication server to authenticate them, and the failure reason is the generic "EAP-TLS or PEAP authentication failed during SSL handshake".
    The AP I am using is a 1240AG running 12.3(8)JA, the RADIUS server is ACS 4.0. I don't have any problem getting dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless users.
    From ACS's point of view, it should not be aware of any difference between wired and wireless users, but the ACS log shows otherwise:
    1) The AP is connected to a Cat4k switch. I suppose the AP should be the authenticator for wireless users, but the ACS "failed attempts" log for the attempted wireless user shows that the NAS IP is the Cat4k instead of the AP. Why?
    2) I am using the same laptop for both wireless/wired testing. The ACS "failed attempts" log shows that for the wired user it correctly interpreted the cached domain\login name, but for the failed wireless user the user-name field is totally different, yet debug on the AP clearly shows that the correct domain\login has been received by the AP.
    Debug output on AP is attached, hope experts here can quickly identify the problem.

    Got it working by adding radius server configuration under GUI generated configuration:
    aaa group server radius your-AAA-group-name
     server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646

  • LMS 3.2 integration with ACS 5.1

    Hi
    Is it possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
    Here is a link to how to do it with ACS 4.X:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Regards
    Reidar

    Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately .......

  • Cisco WCS 7.x TACACS+ with ACS 5.2

    Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
    So I'm trying to get WCS to work with TACACS per this document:
    http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
    However, after having to enter EVERY SINGLE TASK, once you get down to:
    Creating Service Selection Rules for TACACS
    To create service selection rules for TACACS, perform the following steps:
    Step 1 Choose Access Policies > Access Services > Service Selection Rules.
    Step 2 Click Create.
    Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
    I'm a little confused as to where it wants me to click 'Create'. I of course did the 'hunt and peck' method and the only place I see a 'Create' button is under
    Access Policies >
    Access Services >
    Default Device Admin >
    Authorization
    but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

    Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2. I've learned it's best to stick with the list so that you are not only familiar with that exact software, but with that exact version's 'issues' as well. No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

  • 802.1x with ACS 3.3 and windowsXP

    We are using RADIUS IETF in ACS and EAP-MD5.
    My switch is a 2950 with these commands:
    radius-server host a.b.c.d
    radius-server key cisco
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control
    int fa 0/1
     dot1x port-control auto
    When we try to authenticate, this error appears: "CS user unknown" in ACS reports.
    Is there something that we forgot?
    Where do I configure the respective VLAN for the user when he authenticates?
    Thanks

    I'm using a 2950 and Cisco ACS. In my Windows XP, I did only this: "Enable IEEE 802.1x authentication for this network --> MD5 Challenge". I created one user in the ACS database and assigned the following IETF RADIUS attributes to this user:
    [64] Tunnel-Type = VLAN
    [65] Tunnel-Medium-Type = 802
    [81] Tunnel-Private-Group-Id = teste
    At my network icon appears: Authentication Fail
    See some debug message on my switch:
    03:09:14: dot1x-ev:Received AuthStart from Authenticator for supp_info=80D607DC
    03:09:14: dot1x-ev:Managed Timer in sub-block attached as leaf to master
    03:09:14: dot1x-ev:Going to Send Request to AAA Client on RP for id = 0 and length = 25
    03:09:14: dot1x-ev:Got a Request from SP to send it to Radius with id 7
    03:09:14: dot1x-ev:Couldn't Find a process thats already handling the request for this id 0
    03:09:14: dot1x-ev:Inserted the request on to list of pending requests
    03:09:14: dot1x-ev:Found a free slot at slot 0
    03:09:14: dot1x-ev:Found a free slot at slot 0
    03:09:14: dot1x-ev:Request id = 7 and length = 25
    03:09:14: dot1x-ev:The Interface on which we got this AAA Request is FastEthernet0/1
    03:09:14: dot1x-ev:Username is SMSTESTE\joe
    03:09:14: dot1x-ev:MAC Address is 0026.540f.5555
    03:09:14: dot1x-ev:MAC Address copied is 0026.540f.4c43
    03:09:15: dot1x-ev:dot1x_post_message_to_auth_sm: Skipping tx for req_id for default supplicant
    03:09:34: dot1x-err:EAP packet not recvd
    03:09:34: dot1x-ev:going to send to backend on SP, length = 4
    03:09:34: dot1x-ev:Received VLAN is No Vlan
    03:09:34: dot1x-ev:Enqueued the response to BackEnd
    03:09:34: dot1x-ev:Received QUEUE EVENT in response to AAA Request
    03:09:34: dot1x-ev:Dot1x matching request-response found
    03:09:34: dot1x-ev:Length of recv eap packet from radius = 4
    03:09:34: dot1x-ev:Received VLAN Id -1
    03:09:34: dot1x-ev:dot1x_bend_fail_enter:0026.540f.5555: Current ID=0
    Can you help me?
    Thanks,

  • Dynamic Vlan Assigment on 2950 with acs 4.2

    Hello to everyone
    We have a problem with a Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic VLAN assignment based on groups.
    On the ACS we configured the following attributes for the specific group:
    64 = VLAN
    65 = 802
    81 = VLAN Name
    For attribute 81 we tried both the VLAN name and the VLAN ID, but we get the same results.
    In detail, we need the machine to be placed in VLAN ID 6, named vlan_sio, so we inserted these values in the attribute field.
    First we configured the switch to speak with the ACS:
    aaa new-model
    aaa group server radius Switch
     server 172.16.0.93 auth-port 1812 acct-port 1813
    dot1x system-auth-control
    radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
    radius-server retransmit 3
    Then we configured the ports for dot1x:
    switchport mode access
    dot1x port-control auto
    dot1x guest-vlan 7
    spanning-tree portfast
    The users are correctly authenticated, but the ports always stay in the ports' default VLAN.
    We tried to debug with the debug dot1x events command and we get the following errors:
    Feb 16 12:00:04.017:         Attribute 64 6 0100000D
    Feb 16 12:00:04.017:         Attribute 65 6 01000006
    Feb 16 12:00:04.017:         Attribute 81 4 01360806
    Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
    Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
    Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
    Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
    Does anyone know what we could have missed?
    Thanks

    solved
    It was just missing the command
    aaa authorization network default group XXXX
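    The debug output in this thread and in the 802.1x/ACS 3.3 thread above can be read mechanically to tell whether the ACS actually returned the RFC 3580 VLAN triplet (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) and whether the switch applied it. The script below is an added example written for this page; it is not code from either poster or from Cisco. It assumes the "Attribute <type> <length> <hex>" line format shown in the post above, uses those three attribute lines as constructed sample input, and trusts the RADIUS length field rather than the width of the printed hex (the length-4 AVP for attribute 81 carries only two real bytes: tag 0x01 and the character "6"). It also handles the untagged case from RFC 2868, which the post does not show.

```python
import re

# Names and enumerations from RFC 2868 / RFC 3580 for the three attributes
# an 802.1X dynamic VLAN assignment relies on.
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-ID"}
TUNNEL_TYPE = {13: "VLAN"}
TUNNEL_MEDIUM_TYPE = {6: "IEEE-802"}

# Constructed sample input: the attribute and dot1x lines from the post above.
# The debug prints four hex bytes even for a length-4 AVP, so only the
# RADIUS length field says how many bytes are meaningful.
SAMPLE_DEBUG = """\
Feb 16 12:00:04.017:         Attribute 64 6 0100000D
Feb 16 12:00:04.017:         Attribute 65 6 01000006
Feb 16 12:00:04.017:         Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
"""

ATTR_RE = re.compile(r"Attribute\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)")


def split_tag(raw: bytes):
    """RFC 2868: the leading byte is a tag only when it is 0x01..0x1F;
    anything else is the first byte of the value (untagged, tag 0)."""
    if raw and 0x01 <= raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def decode_attribute(attr_type: int, length: int, hexdump: str) -> dict:
    """Decode one 'Attribute <type> <length> <hex>' debug line."""
    value = bytes.fromhex(hexdump)[: length - 2]   # length includes the 2-byte AVP header
    tag, payload = split_tag(value)
    if attr_type == 64:
        decoded = TUNNEL_TYPE.get(int.from_bytes(payload, "big"), payload.hex())
    elif attr_type == 65:
        decoded = TUNNEL_MEDIUM_TYPE.get(int.from_bytes(payload, "big"), payload.hex())
    elif attr_type == 81:
        decoded = payload.decode("ascii", errors="replace")   # VLAN name or ID as text
    else:
        decoded = value.hex()
    return {"type": attr_type, "name": ATTR_NAMES.get(attr_type, f"Attr-{attr_type}"),
            "tag": tag, "value": decoded}


def parse_debug(text: str) -> list:
    """All decoded attribute lines found in a block of debug text."""
    return [decode_attribute(int(t), int(n), h) for t, n, h in ATTR_RE.findall(text)]


def vlan_from_attributes(attrs: list):
    """Return the VLAN name/ID the Access-Accept asks for, or None when the
    RFC 3580 triplet is incomplete or the three attributes' tags disagree."""
    for t in (a for a in attrs if a["type"] == 64 and a["value"] == "VLAN"):
        medium_ok = any(a["type"] == 65 and a["tag"] == t["tag"] and a["value"] == "IEEE-802"
                        for a in attrs)
        group = [a for a in attrs if a["type"] == 81 and a["tag"] == t["tag"]]
        if medium_ok and group:
            return group[0]["value"]
    return None


def diagnose(text: str) -> str:
    """Explain a dynamic-VLAN failure from the debug text alone."""
    vlan = vlan_from_attributes(parse_debug(text))
    if vlan is None:
        if "dot1x_bend_fail_enter" in text or "dot1x-err:" in text:
            return "authentication failed, so no authorization attributes were returned"
        return "no usable RFC 3580 VLAN triplet in the Access-Accept: check the ACS group/user attributes"
    if "Received VLAN is No Vlan" in text:
        return (f"ACS returned VLAN '{vlan}' but the switch ignored it: "
                "'aaa authorization network default group <name>' is missing")
    return f"VLAN '{vlan}' applied"


if __name__ == "__main__":
    for attr in parse_debug(SAMPLE_DEBUG):
        print(attr)
    print(diagnose(SAMPLE_DEBUG))
```

    Run on the lines from this thread it reports that the ACS returned VLAN "6" and that the switch ignored it, which is exactly the case fixed by the missing aaa authorization network command; run on the failing EAP-MD5 exchange from the earlier thread it reports that authentication never succeeded, so there was no Access-Accept to carry VLAN attributes in the first place.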
