Replacement of ACS 1121

Hi Folks,
I have a clarification related to ACS 1121. The client needs a solution for the ACS feature; instead of investing in ISE Base, is there any model that exists as an ACS appliance only? I believe ACS 1121 is going to be EOS, and it says SNS 3415 is the replacement model.
What I am confused about is that it is an ISE as well as ACS, and there is separate licensing for ISE (as base and advanced). What should I do if I need to select SNS 3415 as an ACS appliance? Is it built in, or do I need to add anything extra?
Appreciate your kind help and support.
Regards,
SID

End-of-Sale Date of 1121 : February 26, 2013
The last date to order the product through Cisco point-of-sale mechanisms. The product is no longer for sale after this date.
Last Date of Support: HW : August 31, 2018
The last date to receive applicable service and support for the product as entitled by active service contracts or by warranty terms and conditions. After this date, all support services for the product are unavailable, and the product becomes obsolete.
For more information:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/eol__C51-726880.html
The licence will be different for both ACS 5.x and ISE 1.x. When ordering a Secure Network Server, the customer has the flexibility to install the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), or Access Control System (ACS) security applications.
The Cisco Secure Network Server is based on the Cisco UCS C220 Rack Server and is configured specifically to support the Cisco Identity Services Engine (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The Secure Network Server supports these applications in two versions. The Cisco Secure Network Server 3415 is designed for small and medium-sized deployments.
The new Cisco 3415 Secure Access Control System appliance is based on the Cisco UCS C220 M3 platform. Cisco Secure ACS 5.4 will support the Cisco 3415 and 1121 Secure Access Control System appliances. Yes, this box will eventually replace the 1121.
For more info:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/data_sheet_c78-715717.html
Jatin Katyal
- Do rate helpful posts -

Similar Messages

  • ACS 1121 to ISE migration

    Hello ALL,
    We have ACS 1121 and are planning to migrate to ISE. Let me know if it's possible and, if yes, what licenses I need to buy.

    Existing NAC and ACS customers with active support contracts on older appliances are entitled to all of the ISE appliance migration SKUs. Given all the potential appliances migration options (NAC 3140 to ISE 3395, ACS 1120 to ISE 3315, NAC 3310 to ISE VM, etc) PMBU decided to not put any restriction on which migration appliances SKUs customers can use. PMBU is not offering credit for older hardware because the focus is on reduced Base or free Advanced migration licenses.

  • ACS 1121 appliance downgrade to 4.2.0.124

    Hi All ,
    A newly shipped Cisco ACS 1121 appliance has been shipped with ACS version 5.0. I need to downgrade to ACS version 4.2.0. I could not see a recovery CD or DVD for ACS 4.2 along with the shipment. Is the ACS 1121 appliance compatible with ACS version 4.2.0?
    My ACS BOM details
    CSACS-1121-K9
    ACS 1121 Appliance With  5.1 SW And Base license
    CON-SAS-51SWK 
    SW APP SUPP Config Option: ACS 5.1 SW Loaded On 1121

    Hi,
    ACS 1121 does not support ACS 4.2. So a downgrade is not possible.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACS 1121 with v5.0 PAK lost

    It has been more than a year since a customer bought a Cisco ACS 1121. It was unpacked then and the PAK is lost, nowhere to be found.
    Is there any way to retrieve the lost PAK? Help much needed.

    You need to send an email to [email protected] with the following information:
    Cisco Sales Order Number
    SAS contract
    You can obtain your software license at this site: http://www.cisco.com/go/license. Once you arrive at this site, you will need to enter in your Cisco.com user ID and your password to access this site. You will also need to enter in your Product Authorization Key (PAK).
    Regards,
    Jatin
    Do rate helpful posts-

  • ACS 1121 Patch10

    I have an issue with applying a patch to an ACS 1121 appliance running version 5.2.0.26. I have 5 units that needed updating and the first one is the unit with the problem. The subsequent ones updated with no issues.
    When I do a show version, the 5.2.0.26.10 does not show. When I try to do a reinstall, I get back that the patch already exists. When I try to do an uninstall, I get back that the patch does not exist.
    Is there a command can wipe out patch 10, so I can start over? The CLI factory-reset only wipes the web configuration not the running-config or IOS.
    Thank you,
    John

    I have seen the issue come over the alias before and so am sharing that previous answer:
    We can easily rename the patch file and wait for the process to complete using the new filename. For example:
    - If trying the following drops the error:
    ACS01/admin# acs patch install 5-2-0-26-10.tar.gpg repository Test
    Patch '5-2-0-26-10' is already installed.
    % Error: Failure to open / validate the patch
    - Rename the patch file and try again. You can rename it to something like: patch_5-2-0-26-10.tar.gpg
    ACS01/admin# acs patch install patch_5-2-0-26-10.tar.gpg repository Test

  • ACS 1121 Gigabit 0 not working

    Hi,
    I have an ACS 1121 appliance newly shipped and the gigabit 0 interface worked initially but after reload it didn't anymore.
    Any hints?
    Regards

    Hi k abillama,
    Make sure you have connected to port 6 because port 2 and 5 are the (Blocked) Gigabit Ethernet.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_hw_ins.pdf
    As you said that it worked initially but stopped working after reload, it could be a hardware issue as well, if the connection has been made as per the document mentioned.
    thanks,
    Vinay

  • Cisco ACS 1121 server configuration

    Hi,
    Can anyone tell me how to configure LAN teaming in Cisco ACS 1121? My requirement is to have a virtual IP in the server with two physical IPs on the 2 available interfaces in the server.
    Regards,
    Haja Shajahan.M

    Currently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
    Paps

  • Red Hat OS version in the ACS 1121

    Does anyone happen to know the Red Hat OS version in the ACS 1121 appliance?

    I don't have an ACS1121 handy but I believe the ADE-OS appliances have a common base.
    Here is the output from one running Cisco Prime LMS 4.2.1 (the latest version of that product):
    [*****/root-ade ~]# cat /proc/version
    Linux version 2.6.18-238.1.1.el5 ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-50)) #1 SMP Tue Jan 4 13:32:19 EST 2011

  • ACS 1121 error 5411 EAP session timed out w/Peap Wireless logins

    I am having issues that came up in the last month where all of my wireless client devices (using 4400 WLC and ACS 1121 Appliance w/Active Directory integration) using PEAP MSCHAP2 are being prompted multiple times, one after another, for their userid/password.
    This is very intermittent, with clients sometimes being able to authenticate on the first try and later in the day getting prompted 20 times for authentication before it works. This affects all brands of laptops/tablets/smartphones and other devices.
    My ACS log files show an error of 5411 EAP session timed out. 
    I have had a TAC case open for over a month but they still haven't found a solution.
    Has anyone run into this and have any thoughts?  I have already increased my timeout on the controller from the default 2 seconds to 8 seconds but the delay between prompts asking for authentication credentials on clients is less than a second.
    What do you think? 
    Jim

    We are running 5.2.0.26.11 on the ACS engine and 7.0.240.0 on the WLC's.  The certificate on the ACS was expired, but for over a year without issues prior to about a month ago (our clients do have the verify certificate box unchecked).  I did renew the certificate on the ACS (self signed, just told it to renew) but that didn't help. 
    The only thing the clients get are multiple prompts for authentication usually a second or 2 apart even though my timeout on the WLC is set to 8 seconds.  A debug on the WLC shows the following.  Any ideas on what could be the issue? 
    (Cisco Controller) >*dot1xMsgTask: Jun 18 11:07:16.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 8)
    *osapiBsnTimer: Jun 18 11:07:17.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:17.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:17.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 9)
    *osapiBsnTimer: Jun 18 11:07:18.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:18.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:18.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 10)
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy AP LOCP - mode:0 slotId:1, apMac 0x0:1c:b1:6:ee:a0
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy WLAN LOCP EssIndex:2 aid:1 ssid:NPT-SECURE
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x0 protocol2:0x1 statuscode 0, reasoncode 99, status 3
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy CCX LOCP 4
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy e2e LOCP 0x1
    *apfLbsTask: Jun 18 11:07:18.319: 00:27:10:c9:91:2c Copy MobilityData LOCP status:0, anchorip:0x0
    *osapiBsnTimer: Jun 18 11:07:19.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:19.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:19.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 11)
    *osapiBsnTimer: Jun 18 11:07:20.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:20.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:20.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 12)
    *osapiBsnTimer: Jun 18 11:07:21.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:21.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:21.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 13)
    *osapiBsnTimer: Jun 18 11:07:22.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:22.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:22.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 14)
    *osapiBsnTimer: Jun 18 11:07:23.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:23.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:23.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 15)
    *osapiBsnTimer: Jun 18 11:07:24.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:24.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:24.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 16)
    *osapiBsnTimer: Jun 18 11:07:25.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:25.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:25.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 17)
    *osapiBsnTimer: Jun 18 11:07:26.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:26.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:26.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 18)
    *osapiBsnTimer: Jun 18 11:07:27.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:27.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:27.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 19)
    *osapiBsnTimer: Jun 18 11:07:28.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:28.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:28.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 20)
    *osapiBsnTimer: Jun 18 11:07:29.317: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:29.318: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:29.318: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 21)
    *dot1xMsgTask: Jun 18 11:07:29.318: 00:27:10:c9:91:2c Reached Max EAP-Identity Request retries (21) for STA 00:27:10:c9:91:2c
    *dot1xMsgTask: Jun 18 11:07:29.318: 00:27:10:c9:91:2c Sent Deauthenticate to mobile on BSSID 00:1c:b1:06:ee:a0 slot 1(caller 1x_auth_pae.c:3121)
    *dot1xMsgTask: Jun 18 11:07:29.319: 00:27:10:c9:91:2c Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
    *dot1xMsgTask: Jun 18 11:07:29.319: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Disconnected state
    *dot1xMsgTask: Jun 18 11:07:29.319: 00:27:10:c9:91:2c Not sending EAP-Failure for STA 00:27:10:c9:91:2c
    *spamReceiveTask: Jun 18 11:07:29.979: 00:27:10:c9:91:2c Received Idle-Timeout from AP 00:1d:71:0a:de:70, slot 1 for STA 00:27:10:c9:91:2c
    *spamReceiveTask: Jun 18 11:07:29.979: 00:27:10:c9:91:2c Warning, ignore the DELETE_MOBILE_PAYLOAD from AP: 00:1d:71:0a:de:70, slot 1. STA connecting AP: 00:1c:b1:06:ee:a0, slot 1
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Association received from mobile on AP 00:1d:71:0a:de:70
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Applying site-specific IPv6 override for station 00:27:10:c9:91:2c - vapId 2, site 'none', interface 'management'
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Applying IPv6 Interface Policy for station 00:27:10:c9:91:2c - vlan 0, interface id 0, interface 'management'
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Processing RSN IE type 48, length 22 for mobile 00:27:10:c9:91:2c
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Received RSN IE with 0 PMKIDs from mobile 00:27:10:c9:91:2c
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [00:1c:b1:06:ee:a0]
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Updated location for station old AP 00:1c:b1:06:ee:a0-1, new AP 00:1d:71:0a:de:70-1
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) Initializing policy
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:1d:71:0a:de:70 vapId 2 apVapId 2for this client
    *apfMsConnTask_0: Jun 18 11:07:30.834: 00:27:10:c9:91:2c Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_0: Jun 18 11:07:30.835: 00:27:10:c9:91:2c 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:1d:71:0a:de:70 vapId 2 apVapId 2
    *apfMsConnTask_0: Jun 18 11:07:30.835: 00:27:10:c9:91:2c apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:27:10:c9:91:2c on AP 00:1d:71:0a:de:70 from Associated to Associated
    *apfMsConnTask_0: Jun 18 11:07:30.835: 00:27:10:c9:91:2c Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_0: Jun 18 11:07:30.835: 00:27:10:c9:91:2c Sending Assoc Response to station on BSSID 00:1d:71:0a:de:70 (status 0) ApVapId 2 Slot 1
    *apfMsConnTask_0: Jun 18 11:07:30.835: 00:27:10:c9:91:2c apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 00:27:10:c9:91:2c on AP 00:1d:71:0a:de:70 from Associated to Associated
    *dot1xMsgTask: Jun 18 11:07:30.838: 00:27:10:c9:91:2c Disable re-auth, use PMK lifetime.
    *dot1xMsgTask: Jun 18 11:07:30.838: 00:27:10:c9:91:2c Station 00:27:10:c9:91:2c setting dot1x reauth timeout = 0
    *dot1xMsgTask: Jun 18 11:07:30.838: 00:27:10:c9:91:2c Stopping reauth timeout for 00:27:10:c9:91:2c
    *dot1xMsgTask: Jun 18 11:07:30.838: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:30.838: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 1)
    *osapiBsnTimer: Jun 18 11:07:31.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:31.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:31.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 2)
    *osapiBsnTimer: Jun 18 11:07:32.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:32.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:32.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 3)
    *osapiBsnTimer: Jun 18 11:07:33.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:33.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:33.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 4)
    *apfLbsTask: Jun 18 11:07:34.318: 00:27:10:c9:91:2c Copy AP LOCP - mode:0 slotId:1, apMac 0x0:1d:71:a:de:70
    *apfLbsTask: Jun 18 11:07:34.319: 00:27:10:c9:91:2c Copy WLAN LOCP EssIndex:2 aid:1 ssid:NPT-SECURE
    *apfLbsTask: Jun 18 11:07:34.319: 00:27:10:c9:91:2c Copy Security LOCP ecypher:0x0 ptype:0x2, p:0x1, eaptype:0x6 w:0x1 aalg:0x0, PMState: 8021X_REQD
    *apfLbsTask: Jun 18 11:07:34.319: 00:27:10:c9:91:2c Copy 802.11 LOCP a:0x0 b:0x0 c:0x0 d:0x0 e:0x0 protocol2:0x1 statuscode 0, reasoncode 99, status 3
    *apfLbsTask: Jun 18 11:07:34.320: 00:27:10:c9:91:2c Copy CCX LOCP 4
    *apfLbsTask: Jun 18 11:07:34.320: 00:27:10:c9:91:2c Copy e2e LOCP 0x1
    *apfLbsTask: Jun 18 11:07:34.320: 00:27:10:c9:91:2c Copy MobilityData LOCP status:0, anchorip:0x0
    *osapiBsnTimer: Jun 18 11:07:34.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:34.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:34.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 5)
    *osapiBsnTimer: Jun 18 11:07:35.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:35.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:35.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 6)
    *osapiBsnTimer: Jun 18 11:07:36.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:36.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:36.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 7)
    *osapiBsnTimer: Jun 18 11:07:37.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:37.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:37.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 8)
    *osapiBsnTimer: Jun 18 11:07:38.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:38.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
    *dot1xMsgTask: Jun 18 11:07:38.718: 00:27:10:c9:91:2c Sending EAP-Request/Identity to mobile 00:27:10:c9:91:2c (EAP Id 9)
    *osapiBsnTimer: Jun 18 11:07:39.717: 00:27:10:c9:91:2c 802.1x 'txWhen' Timer expired for station 00:27:10:c9:91:2c and for message = M0
    *dot1xMsgTask: Jun 18 11:07:39.718: 00:27:10:c9:91:2c dot1x - moving mobile 00:27:10:c9:91:2c into Connecting state
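
A long controller debug like the one in the post above is easier to read once it is reduced to a few numbers per station. The following is an added example, not part of the original thread and not Cisco tooling: it parses lines in the format shown above, measures the spacing between consecutive EAP-Request/Identity retransmissions, and compares it with a timeout the operator expects (the 8 seconds mentioned in the post). The sample lines and MAC addresses are constructed.

```python
import re
from collections import defaultdict
from statistics import median

# "*task: Mon DD HH:MM:SS.mmm: <station MAC> <message>" as in the debug above.
LINE_RE = re.compile(
    r"\*(?P<task>\w+): \w{3} +\d+ (?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\.(?P<ms>\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)", re.I)
ID_REQ_RE = re.compile(r"Sending EAP-Request/Identity to mobile \S+ \(EAP Id (\d+)\)")
MAX_RE = re.compile(r"Reached Max EAP-Identity Request retries \((\d+)\)")

# Constructed sample in the same format; not copied from the thread.
SAMPLE = """\
(Cisco Controller) >*dot1xMsgTask: Jun 18 11:07:16.318: 02:00:00:aa:bb:01 Sending EAP-Request/Identity to mobile 02:00:00:aa:bb:01 (EAP Id 19)
*osapiBsnTimer: Jun 18 11:07:17.317: 02:00:00:aa:bb:01 802.1x 'txWhen' Timer expired for station 02:00:00:aa:bb:01 and for message = M0
*dot1xMsgTask: Jun 18 11:07:17.318: 02:00:00:aa:bb:01 Sending EAP-Request/Identity to mobile 02:00:00:aa:bb:01 (EAP Id 20)
*osapiBsnTimer: Jun 18 11:07:18.317: 02:00:00:aa:bb:01 802.1x 'txWhen' Timer expired for station 02:00:00:aa:bb:01 and for message = M0
*dot1xMsgTask: Jun 18 11:07:18.318: 02:00:00:aa:bb:01 Sending EAP-Request/Identity to mobile 02:00:00:aa:bb:01 (EAP Id 21)
*dot1xMsgTask: Jun 18 11:07:18.318: 02:00:00:aa:bb:01 Reached Max EAP-Identity Request retries (21) for STA 02:00:00:aa:bb:01
*dot1xMsgTask: Jun 18 11:07:18.319: 02:00:00:aa:bb:01 Sent Deauthenticate to mobile on BSSID 02:00:00:cc:dd:01 slot 1(caller 1x_auth_pae.c:3121)
*apfLbsTask: Jun 18 11:07:19.319: 02:00:00:aa:bb:01 Copy CCX LOCP 4
*dot1xMsgTask: Jun 18 11:07:19.838: 02:00:00:aa:bb:01 Sending EAP-Request/Identity to mobile 02:00:00:aa:bb:01 (EAP Id 1)
*osapiBsnTimer: Jun 18 11:07:20.717: 02:00:00:aa:bb:01 802.1x 'txWhen' Timer expired for station 02:00:00:aa:bb:01 and for message = M0
*dot1xMsgTask: Jun 18 11:07:20.718: 02:00:00:aa:bb:01 Sending EAP-Request/Identity to mobile 02:00:00:aa:bb:01 (EAP Id 2)
""".splitlines()


def analyze(lines):
    """Reduce debug lines to per-station counters and retransmit intervals."""
    stations = defaultdict(lambda: {"requests": 0, "intervals_ms": [],
                                    "timer_expiries": 0, "retry_limits": [],
                                    "deauths": 0})
    last_req = {}  # mac -> (eap_id, time_ms) of the previous Identity request
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        # Time of day in milliseconds; assumes the capture does not span midnight.
        t_ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        mac, msg, st = m["mac"].lower(), m["msg"], stations[m["mac"].lower()]
        req = ID_REQ_RE.search(msg)
        if req:
            eap_id = int(req.group(1))
            prev = last_req.get(mac)
            # Only a request whose EAP Id follows the previous one is a
            # retransmission; an Id that restarts belongs to a new association.
            if prev and eap_id == prev[0] + 1:
                st["intervals_ms"].append(t_ms - prev[1])
            last_req[mac] = (eap_id, t_ms)
            st["requests"] += 1
        elif "'txWhen' Timer expired" in msg:
            st["timer_expiries"] += 1
        elif MAX_RE.search(msg):
            st["retry_limits"].append(int(MAX_RE.search(msg).group(1)))
        elif "Sent Deauthenticate" in msg:
            st["deauths"] += 1
    return dict(stations)


def summarize(report, expected_timeout_s):
    """Flag stations retried faster than the timeout the operator expects."""
    findings = []
    for mac, st in sorted(report.items()):
        if not st["intervals_ms"]:
            continue
        med = median(st["intervals_ms"])
        findings.append({
            "mac": mac,
            "median_interval_ms": med,
            "below_expected": med < expected_timeout_s * 1000,
            "hit_retry_limit": bool(st["retry_limits"]),
        })
    return findings


if __name__ == "__main__":
    for finding in summarize(analyze(SAMPLE), expected_timeout_s=8):
        print(finding)
```

A station reported with `below_expected` set is being retried on a shorter timer than the value the operator changed, and `hit_retry_limit` shows the client never answered the identity request before the controller gave up.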

  • ACS 1121 (5.4) Username Prefix/Suffix Stripping

    Hi.
    Is it possible to strip the suffix from a username to authenticate against an active directory in ACS 5.4? I can find this when using an external proxy service, but not for network access.
    Thanks.

    Hey
    Username suffix/prefix stripping is possible when using:
    LDAP
    Radius Identity server
    External Proxy
    With AD, the option is unavailable.
    Self proxy + AD is a workaround but that has some limitations and is a complex configuration.
    Rate if Useful :)
    Sharing knowledge makes you Immortal.
    Regards,
    Ed

  • Can the ACS 1121 5.2 act as a syslog server?

    Hello all,
     Can the ACS 5.2 act as syslog server to Cisco catalyst switches and nexus switches??
    Thanks in advance for any help with this!

    Hi ,
    So far PI can only show Severity 0 ,1 and 2 syslogs under Operate > Alarms & Events >syslogs
    If you are not able to see them either, then try to restart the PI services (ncs stop and ncs start) and check the issue again.
    Thanks-
    Afroz
    ****Ratings Encourages Contributors ****

  • Cisco ACS 1121 version 5.3 - Logging

    Hi There
    I'm new to Cisco ACS 5.X. From what I have read, the Cisco ACS can act as a Logging Server. Does this mean, all the syslog messages from all the other ACS and network devices can be stored by ACS? I'm a bit confused on this part.
    Lastly, I understand that Cisco ACS has many or maybe 2 instances? When do we use these instance? What is this instance?
    Regards,
    Ram

    In the distributed deployment, you should specify one ACS server as the log collector. All other servers send logs to the log collector.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/logging.html
    In a distributed deployment, each ACS server is one instance. So you have one primary instance and multiple secondary instances.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/introd.html#wp1058054
    Sent from Cisco Technical Support iPad App

  • Replaced Expired Cert on ACS

    Hi,
    I replaced an ACS certificate that had been installed. I then did the following:
    1. Created a certificate request.
    2. Issued the request to the enterprise CA.
    3. Copied the certificate to an ftp server.
    4. Installed the certificate on the ACS.
    5. Configured the CTL again.
    6. Restarted the ACS service.
    8. Enable EAP-TLS.
    The problem is that when I try to enable EAP, I get the message "no ACS certificate installed".
    I searched on Cisco and it said to disable the CSA and follow the same process, which I have done to no avail.
    Any help appreciated.
    Thanks
    Kev

    I found this book in the version of the ACS:
    CSCef61785 Bug Details
    ACS Appliance fails to recognize installed certificate
    Symptom
    ACS appliance does not recognize the installed certificate.
    Conditions
    Cisco Security Agent is running.
    1. Install a certificate. The web interface will report the certificate as installed and validated.
    2. Enable PEAP.
    3. An error appears: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page.
    Workaround
    Disable the Cisco Security Agent and repeat the installation procedure. Re-enable the Cisco Security Agent.
    Possibly worth upgrading?
    If so, can someone help me with the upgrade stages, as I'm finding them a bit confusing?
    Thanks
    Kev

  • ACS 5.3 and Command Auth

    I am rolling out the latest 5.3.0.40.6 patched ACS 1121 in a redundant pair mode. I have built user-based auth without issue but am having an issue with command auth. Once I add command auth to the test router and modify the shell profile and command set for privilege 1 and 15, none of the commands are authenticated and the report indicates the "DenyCommand" default. I have followed the user guide and the step by step from Security Solutions (link below).
    I still get no joy. Also, Cisco changed the GUI and the way command sets are built.
    (http://www.security-solutions.co.za/Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example.html )
    Any help would be appreciated
    Patrick Connor

    Tarik, thanks for the response. I cannot get screenshots but can define the option sets.
    I created 2 command sets:
    Pri-15 has only the "permit all command not in the table below" check box checked
    Pri-1 has a single permit "show" with no arguments
    The auth rule has 2 rules:
    rule 1  identity group "network Admin"  any any any pri-15
    rule 2  identity group "network monitor"  any any any pri-1
    Service selection rule: rule 1, condition (match system: protocol match TACACS), result Default Device Admin, hit count 98
    The report indicated a FAIL "13025 command failed to match a Permit rule" and the Selected Command Set = (DentAllCommands)
    So it looks like the command set is not being recognized, but I cannot see why.
    Thanks,
    Pat 

  • ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

    ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
    {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
    24429 Could not establish connection with Active Directory
    At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

    I had the same problem, I opened a Cisco TAC case and my issue was resolved.
    Sent: Tuesday, 14 August 2012 9:58 AM
    Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
    Hi Ramraj,
    Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
    From the ACSADAgent.log files I can see log messages like:
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
    This lines up with the error message that we see in the TACACS+ Authentication logs:
    24493 ACS has problems communicating with Active Directory using its machine credentials.
    I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
    The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
    The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
    From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes and talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
    To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.
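
The hostname condition described in the reply above can be checked across an appliance inventory before joining servers to Active Directory, and again after a rename. This is an added example, not part of the original thread: it applies the 15-character comparison the reply describes, and additionally assumes names are compared case-insensitively on the short host label. The two `MYMY-...` names come from the thread; the other names and `example.net` are constructed.

```python
import os
from collections import defaultdict

NETBIOS_MAX = 15  # prefix length the thread says must differ between ACS hosts


def short_label(hostname):
    """Upper-cased host label without any DNS domain part."""
    return hostname.strip().split(".", 1)[0].upper()


def find_collisions(hostnames):
    """Group hosts whose first NETBIOS_MAX characters are identical.

    Returns one entry per colliding group with the shared 15-character name,
    the distinct hosts in it, and the 1-based position where they first differ.
    """
    groups = defaultdict(set)
    for name in hostnames:
        label = short_label(name)
        groups[label[:NETBIOS_MAX]].add(label)
    collisions = []
    for prefix, members in sorted(groups.items()):
        if len(members) < 2:
            continue  # a single host, or the same host listed twice
        ordered = sorted(members)
        collisions.append({
            "netbios_name": prefix,
            "hosts": ordered,
            "first_difference_at": len(os.path.commonprefix(ordered)) + 1,
        })
    return collisions


# The two hostnames from the thread plus one constructed, unrelated host.
INVENTORY = ["MYMY-TPM-DC-ACS-1", "mymy-tpm-dc-acs-2.example.net", "MYMY-KUL-ACS-1"]
# Constructed rename plan that moves the distinguishing digit inside 15 characters.
RENAME_PLAN = ["MYMY-TPM-ACS-1", "MYMY-TPM-ACS-2", "MYMY-KUL-ACS-1"]

if __name__ == "__main__":
    for hit in find_collisions(INVENTORY):
        print("collision:", hit)
    print("rename plan clean:", find_collisions(RENAME_PLAN) == [])
```

For the thread's pair the names first differ at position 17, outside the 15 characters compared, which is why both servers end up with the same name toward the domain.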
