Problem radius authentication ACS 5.4

Hi friends,
Do you know about this problem with radius authentication in ACS 5?
This is the log.
Best regard,
Marco

We are using MC75A terminals. The terminal says wrong username and password, but the user has green color in the ACE log.
Using the following ios radius statements on the NAS:
aaa authentication ppp default group radius local
aaa authorization network default group radius local
radius-server host x.x.x.x auth-port 1645 acct-port 1646
radius-server key 7 XXXX
Works fine with the old tacacs server.
regards
bjornar

Similar Messages

  • Can't auth to Nortel network devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
    I can't manage to log in using RADIUS and I get the following message:
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brand devices
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help ?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication we stay within the IETF RADIUS standards, no?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here are my steps in the ACS View:
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - Default Network Access
    Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Store - Internal Users
    24210 Looking up User in Internal Users IDStore - radius
    24212 Found User in Internal Users IDStore
    22037 Authentication Passed
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched Default Rule
    15016 Selected Authorization Profile - Permit Access
    11002 Returned RADIUS Access-Accept
    So I think the ACS does its job
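The step log above ends at 11002 Returned RADIUS Access-Accept, and the first post on this page describes the same shape of problem: the server logs a pass while the device tells the user the password is wrong. An Access-Accept is only useful to the device if it verifies, so the first thing to check on the device side is the Response Authenticator (an MD5 over the reply and the shared secret) and, on the server side, the Message-Authenticator of the request, which is what the "Invalid message authenticator in EAP request" error quoted further down this page refers to. The following Python is an added example, not code from any of the posts and not ACS code; the secrets, user name, password and fixed Request Authenticator are constructed. It builds an Access-Request with a hidden User-Password (RFC 2865 5.2) and a Message-Authenticator (RFC 2869 5.14), verifies it as a server would, answers with an Access-Accept, and verifies that as the NAS would, once with matching and once with mismatched secrets.

```python
"""RADIUS Access-Request / Access-Accept round trip with the integrity checks a NAS
and a server apply to each other. Added example; secrets and credentials are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def attr(atype, value):
    """Type | Length | Value encoding of one attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(packet):
    """[(type, value), ...] from the attribute region; the length comes from the header."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = [], 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def xor_stream(data, secret, req_auth, chain_on_output):
    """MD5 keystream XOR used by User-Password (RFC 2865 5.2). Hiding chains on the
    ciphertext it produces; unhiding chains on the ciphertext it consumes."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if chain_on_output else block
    return out


def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return xor_stream(padded, secret, req_auth, chain_on_output=True)


def unhide_password(hidden, secret, req_auth):
    return xor_stream(hidden, secret, req_auth, chain_on_output=False).rstrip(b"\x00")


def build_access_request(ident, secret, username, password, req_auth):
    """NAS side. Message-Authenticator = HMAC-MD5(secret, packet with that value zeroed)."""
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    zeroed = attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed)) + req_auth
    mac = hmac.new(secret, header + attrs + zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the HMAC with the attribute value zeroed in place."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += max(alen, 2)
    return False  # absent: a request carrying EAP must include it


def build_access_accept(ident, secret, req_auth, attrs=b""):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(packet, secret, req_auth):
    """NAS side: a reply whose Response Authenticator does not verify is silently
    discarded, so the user sees a failure although the server logged Access-Accept."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def exchange(nas_secret, server_secret, username=b"marco", password=b"hunter2"):
    """One round trip. Returns (server verified the Message-Authenticator,
    password as the server decoded it, NAS accepted the reply)."""
    req_auth = bytes(range(16))  # constructed; a real NAS draws 16 random bytes per request
    request = build_access_request(7, nas_secret, username, password, req_auth)
    mac_ok = verify_message_authenticator(request, server_secret)
    hidden = dict(parse_attrs(request))[USER_PASSWORD]
    seen = unhide_password(hidden, server_secret, req_auth)
    reply = build_access_accept(7, server_secret, req_auth)
    return mac_ok, seen, verify_response(reply, nas_secret, req_auth)


if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret"))  # (True, b'hunter2', True)
    print(exchange(b"s3cret", b"s3cre7"))  # (False, <garbage>, False)
```

With identical secrets every check passes; with a one-character difference the server rejects the Message-Authenticator, decodes garbage for the password, and the NAS drops the Accept. When the Accept does verify on the NAS, the remaining question is whether it carries the attributes that particular device requires before it grants the session, which the IETF RADIUS standard does not dictate and which differs by vendor.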

  • Problem in installing ACS trial version

    Hi,
    I am having a problem installing the ACS 4.1 trial version. On invoking the program after installation completion, I get the web page "CiscoSecure ACS Trial 127.0.0.1:2002" opened.
    I would appreciate your advice on why I am getting this web page and how to fix it.
    Thanks
    Any

    You need to add the site 127.0.0.1 (or localhost) to the trusted sites list in IE then when you open the link you will get the ACS welcome page. (Make sure you install the Java runtime as well).

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with the Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password ("Change password on next login" is checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • WAP4410N WPA2 Enterprise Mixed authentication problem against Cisco ACS 4.2

    We have 3 x WAP4410N at new office setup in Singapore.
    Customer asked us to setup those 3 AP to make client auth against an ACS 4.2 sitting in US office.
    All the user notebooks were joined to Windows domain in US office, before sent out to Singapore office.
    We configured the APs with WPA2 Enterprise Mixed mode and entered the radius server address and secrets correctly.
    Logging from ACS shows that users are authenticated successfully but, on the user notebooks, authentication never seems successful and keeps authenticating.
    We have tried with other option (RADIUS) but, problem persists.
    Please help.

    Hi Robert,
    Firmware version is 2.0.4.2.
    We have tested with WPA-personal, WPA2-personal and all worked.
    For enterprise, we have tested using WPA-ent, WPA2-ent, WPA2-ent-mixed and RADIUS.
    All did not work.
    Client keeps flapping between auth and validation.
    ACS logs showed that auth OK.
    Syslog from the AP showed that the client was associated, but it happened repeatedly.
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:27 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:28.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Open Authentication    10.200.4.12    28/10 16:13:30.720   
    <134>Oct 28 16:13:29 MVIS-SG-AP01 kernel: [sg-internal][A0:88:B4:40:41:D4] Associated    10.200.4.12    28/10 16:13:30.736   
    <134>Oct 28 16:13:31 MVIS-SG-AP01 kernel: [][A0:88:B4:40:41:D4] SUBTYPE_AUTH    10.200.4.12    28/10 16:13:32.689   
    Below is the diagram for your kind ref.
          US Office          Site-to-Site VPN    SG Office 
    ACS --- ASA ------------ Internet ------------ ASA5505 ------ 2960 PoE SW ----- 3 x WAP4410N
                                                                                                       \ \___ DNS/DHCP Server
                                                                                                        \____ Wired Clients
    Note: SG office ASA is 5505 and outside interface is on Vlan 2, inside interface is on Vlan 1. 2960 switch is configured with all ports in Vlan 2. Vlan feature on WAP4410N is disabled. Layer3 communication among US office ACS, SG office ASA5505, DHCP server and WAP4410N is fine. All wired clients in SG office get IP from DHCP server. I feel this is a bit odd and you may need to know.
    Do feel free to let me know, should you need further input from me. Thanks!

  • ACE Module Radius with ACS 4.2

    Hi,
    I am able to authenticate to my ACE modules via Radius, but when I log in it does not give me Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
    John...

    You have to use a custom AV pair on the TACACS server under user setup to make it work. ACE uses RBAC (Role-Based Access Control) and for that you have to pass the context and user role from the TACACS server to ACE to make it work. If no RBAC info is pushed from the TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
    The following steps (on the TACACS server) will make it work:
    1. Select your user
    2. Go to TACACS+ settings
    3. Select " shell (exec)" checkbox
    4. Select "custom attributes" checkbox
    5. Type your context and role information in custom attrib box, using following format
    shell:*
    for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )
    shell:Admin*Admin default-domain
    Hope it helps
    Syed

  • Problems with New ACS 5.4 install

    I have a fresh install of an ACS 5.4 virtual appliance. This ACS instance will only be used for TACACS+ AAA for network device administration. It is up and running on the network. I have time, timezone, NTP and DNS configured. ACS admin accounts and logging are configured. I created an internal user, a network device, a network device group, an internal identity group, a shell profile, and a command set. It is joined to the Enterprise Active Directory domain, and a couple of AD groups have been selected for use in policies.
    The default network device is enabled and configured with a TACACS secret. I have a lab router configured and pointed at ACS and I can SSH to it with the ACS internal user.
    The problem is: I can’t create any rules for any policies. If I try to add a rule (or edit a default rule) to the “Service Selection Rules” or “Default Device Admin” or Identity, group mapping or authorization, all I get is a popup with the message “Resource not found or Internal Server error”. If I click “customize” anywhere I just get empty selection/transfer boxes. If I try to change to a single result policy from compound rules I get a “System failure – your changes were not saved” message. I have installed this twice now with the same results.
    This is my first experience with ACS. I’ve gotten through most of the configuration guide but I don’t know ACS well enough to know if I’m missing something incredibly obvious, or whether it’s just broken.

    Which version of browser are you using? I am guessing you are using a later version of firefox.
    If so there are two options
    - use ie8 or ie9 in compatibility mode
    - install patch 1 for ACS 5.4. This includes fixes for issues with later versions of firefox. I think relevant CDETS is:
    CSCud33106: ACS5: Pages do not display correct when using FireFox version 16

  • AIRONET 1260 with new radius cisco ACS 4.x

    Hi, I have a new CISCO AIRONET 1260
    I have Cisco ACS 5.1 RADIUS for VPN on an ASA and tried to configure an NDG on it for the AIRONET 1260 too, and it worked fine with IEEE 802.1x Cisco EAP-FAST authentication.
    As I had some trouble letting users authenticate only on VPN if they are VPN users and only on the Cisco AIRONET if they only need WIFI AIRONET,
    I tried exception policy rules but something is not working. VPN was ok but not WIFI: access denied for rule policy access.
    I decided to install Cisco ACS 4.x on Windows 2003, which is on the ACS 5 DVD.
    I created an NDG as done on ACS 5, put a shared secret, put it on the AIRONET too as done for ACS 5, but I receive an error against ACS 4.x.
    To troubleshoot it I tried
    http://www.cisco.com/en/US/partner/tech/tk722/tk720/technologies_configuration_example09186a00807bf3c8.shtml
    but it does not work! I think I have done everything fine, however on ACS 5 it worked in 5 minutes.
    I searched the log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this:
    https://supportforums.cisco.com/docs/DOC-3991
    I changed the shared secret several times but it never works with ACS 4.
    What's wrong?
    I need to have a user and password prompt on the client trying to authenticate on AIRONET WIFI and I need ACS INTERNAL USER, no Active Directory, no LDAP, no external user database.

    I have solved

  • Problems SSHing from ACS 5.2

    When I try to SSH from ACS 5.2 CLI to my SFTP server I get :
    Unable to negotiate a key exchange method.
    On the SFTP server (Tectia) I have the encryption configured with aes256 and hmac-sha1.
    Any help appreciated.
    Thanks,
    G

    Thanks - I don't know - that was the first thing I tried to check on the Tectia server side but the Tectia config doesn't seem to mention what cipher exchange is used or provide a way to change it.

  • Control access using Radius without ACS

    I want to log into my IPS using my existing RSA SecurID using RADIUS. Is it possible to use a RADIUS attribute in the RSA to tell the IPS what privilege/role the user is? The idea is I don't create users on the IPS; if a user tries to log on it authenticates them via RADIUS running on the RSA server and if the user is allowed to log onto that client IP (the IPS) then it will allow them to log on but also pass a message back to the IPS to say this person has full admin access. Is that possible using an attribute? Any guidance would be great.

    Yes, you should be able to specify the user role on the radius server.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_setup.html#wp1276213
    Regards,
    Sawan Gupta

  • Microsoft Radius Server vs ACS/Radius

    Hi,
    Are there any differences between the Microsoft RADIUS server and the RADIUS in ACS?
    Thanks
    Ali

    I have used both with pretty good success. The one thing I do not like about ACS is the fact that a user can only belong to one group. The documentation for ACS is pretty good and configuring ACS is pretty simple. I was able to import my APs from a file, which was nice since I had around 100 to set up/install. That was really quick and simple.
    There isn't a lot of documentation around for configuring IAS with Cisco Wireless equipment, but there are hints in these forums if you search. I had IAS configured to assign VLANs to certain wireless users (actually groups) and it works fine. There were a few bugs (differences between VxWorks and IOS) that have been corrected, I believe. If you run into problems make sure your APs' software is up to date.
    Aside from the fact that a user can belong to only one group, I like ACS. I haven't had much time to finish my configuration as far as Wireless goes, but so far things have been pretty simple to configure.
    If you have any more questions feel free to ask...
    Don Hickey

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
    Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
    Thanks in advance. .

    Hi Guys,
        Hmmm, well if you're just looking for MAC based authentication the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted Radius etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
        So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
        Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
        FreeRADIUS is a bit harder to configure the specifics of, and I am just now testing a FreeRADIUS server so I do not know the process for machine authentication.
        If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.
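As an added example of the mapping the reply above describes (not code from the post, from ACS or from FreeRADIUS), the following Python normalizes a MAC address into the MAB user name, looks it up in a constructed MAC-to-VLAN table in the shape of the "Switch A" variables in the question, encodes the three RFC 2868 Tunnel-* attributes with a shared tag, and decodes them the way a switch has to before it moves the port. The attribute numbers and values are the IETF ones (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81; VLAN = 13, IEEE-802 = 6); the VLAN names, the table contents and the tag value are assumptions.

```python
"""MAB (MAC-as-username) lookup and RFC 2868 Tunnel-* attribute encoding/decoding for
dynamic VLAN assignment. Added example; the MAC-to-VLAN table is constructed."""
import re
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Constructed from the question's "Switch A" variables: MAB identity -> VLAN name.
VLAN_BY_MAC = {"aaaabbbbcccc": "VLAN10", "bbbbccccdddd": "VLAN20"}


def mab_identity(mac):
    """The reply's rule: user name (and password) is the MAC as 12 lower-case hex digits.
    Accepts aaaa.bbbb.cccc, AA:AA:BB:BB:CC:CC and aa-aa-bb-bb-cc-cc; rejects anything else."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def attr(atype, value):
    """Type | Length | Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(tag, n):
    """Tag octet followed by a 3-octet integer (Tunnel-Type, Tunnel-Medium-Type)."""
    return bytes([tag]) + struct.pack("!I", n)[1:]


def vlan_attrs(vlan, tag=1):
    """The three attributes a switch needs, all carrying the same tag so that it
    treats them as one group. Tag 1 is an assumption; 0 (untagged) also works."""
    return (attr(TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
            + attr(TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode()))


def accept_attrs_for(mac):
    """RADIUS server side: attributes for the Access-Accept, or None for an unknown MAC,
    which should become an Access-Reject (or a guest VLAN, if policy says so)."""
    vlan = VLAN_BY_MAC.get(mab_identity(mac))
    return None if vlan is None else vlan_attrs(vlan)


def decode_vlan(attrs_bytes):
    """Switch side: group Tunnel-* attributes by tag and apply a VLAN only when one tag
    group says Tunnel-Type=VLAN and Tunnel-Medium-Type=IEEE-802. A first octet above
    0x1F is not a tag but part of the value (RFC 2868 3.1)."""
    groups, pos = {}, 0
    while pos + 2 <= len(attrs_bytes):
        atype, alen = attrs_bytes[pos], attrs_bytes[pos + 1]
        if alen < 2 or pos + alen > len(attrs_bytes):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = attrs_bytes[pos + 2:pos + alen]
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[atype] = body
        pos += alen
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == b"\x00\x00\x0d"
                and group.get(TUNNEL_MEDIUM_TYPE) == b"\x00\x00\x06"
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


if __name__ == "__main__":
    for mac in ("aaaa.bbbb.cccc", "BB:BB:CC:CC:DD:DD", "0012.0021.1122"):
        accept = accept_attrs_for(mac)
        print(mac, "->", "reject" if accept is None else decode_vlan(accept))
```

Two things worth keeping in mind when this is rolled out. MAB identifies a device rather than authenticating it: the MAC is both user name and password and is visible to anything on the same segment, so the VLAN a MAB host lands in should be trusted no more than the devices in it. And the decoder here only honours a VLAN when the three attributes share one tag and the first two say VLAN over IEEE-802; a stray Tunnel-Private-Group-ID without them is ignored rather than applied.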

  • ACS 3.3 for windows - Win AD and eap-tls problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    Hi,
    This is what is interesting,
    AuthenProcessResponse: process response for 'phd' against Windows Database
    Unknown User 'phd' was not authenticated
    Done RQ1027, client 50, status -2125
    The field that is being picked from the certificate has the value 'phd'; check which field it is.
    And was the logging at full?, I think something is missing in the logs.
    Lets do a sanity check, and go through following link again,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
    Regards,
    Prem

  • ASA to ACS Radius - restrict by group

    Hi Everyone, this may not be the correct forum for this, but since it relates to the ASA...
    So we currently use RADIUS to authenticate users accessing our AnyConnect access... the thing is, with everything working, we want to restrict the access to only members of a specified AD group, "VPN Users". 
    So, I'm trying to figure out whether that restriction goes into the RADIUS on ACS or whether there is a setting in the ASA to restrict it...
    Can someone point me in the right direction?  (And no, I don't want to change to LDAP authentication).
    Ken

    I guess this should be possible with a feature called NAP (Network Access Profiles). Here you can define which database to use for any specific request. We can filter requests on the basis of attributes sent in the authentication request.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG

  • ACS v4 & radius

    A device wants to talk to the ACS server to get authentication services. It wants to use CHAP. Where is the CHAP option as applied to the radius authentication function? How do you set up radius in ACS to accept CHAP password authentication for radius requests?
    Specifically, Qradar wants to query Cisco ACS v4.2 to see if users logging into Qradar are authorized to do so. This fails because I can't find the place (if any) in ACS where CHAP can be used.

    ACS can act as both a RADIUS and a TACACS server;
    when you say what kind of issues to expect: you need to check for open caveats in the release notes of ACS 4.1.
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/index.htm
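The question asks where CHAP fits in RADIUS. On the wire, CHAP is carried in the CHAP-Password attribute (3) together with a CHAP-Challenge (60), or with the Request Authenticator standing in as the challenge when attribute 60 is absent; the server can only check it if its identity store holds the password itself rather than a one-way hash of it, which is the reason a separate CHAP/MS-CHAP/ARAP password field exists in the ACS 4.x user setup mentioned in the dynamic-VLAN reply above. The following Python is an added example (not from the thread, and not ACS or QRadar code) showing the client's computation and the server's verification; the user table, identifier and challenge are constructed.

```python
"""RADIUS CHAP (RFC 2865 5.3, RFC 1994): what the client puts in CHAP-Password and how
the server checks it. Added example; the identity store and challenge are constructed."""
import hashlib
import hmac
import os

CHAP_PASSWORD, CHAP_CHALLENGE = 3, 60

# Constructed identity store. CHAP can only be verified against the clear-text
# (or reversibly stored) password, never against a one-way hash of it.
USERS = {"qradar-admin": "correct horse battery staple"}


def new_challenge(nbytes=16):
    """The NAS picks a fresh random challenge per attempt and sends it in CHAP-Challenge
    (attribute 60) or, if that is absent, as the Request Authenticator."""
    return os.urandom(nbytes)


def chap_password(ident, password, challenge):
    """Client side: CHAP-Password value = Identifier || MD5(Identifier || password || challenge).
    The identifier ties the response to one challenge so a replay against a later one fails."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP identifier must fit in one octet")
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def chap_verify(username, chap_value, challenge, users=USERS):
    """Server side. The 17-octet value carries the identifier in its first octet; the
    server repeats the client's hash with the stored password and compares."""
    if len(chap_value) != 17:
        return False
    stored = users.get(username)
    if stored is None:
        return False
    ident = chap_value[0]
    expected = hashlib.md5(bytes([ident]) + stored.encode() + challenge).digest()
    return hmac.compare_digest(expected, chap_value[1:])


if __name__ == "__main__":
    challenge = new_challenge()
    value = chap_password(1, USERS["qradar-admin"], challenge)
    print("valid response accepted:", chap_verify("qradar-admin", value, challenge))
    print("same response, new challenge:", chap_verify("qradar-admin", value, new_challenge()))
```

The practical consequence for the question is that enabling CHAP is an identity-store decision before it is a protocol setting: a store that keeps only one-way hashes (Active Directory or LDAP reached through a bind, for instance) cannot answer a CHAP request, while a store that keeps the reversible password can.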
