TACACS auth and RADIUS accounting with ACS

I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

Thank you for the response. I did verify the syslog explanation you gave below, and the AAA server is online as TACACS messages are getting to it. My configuration for the ASA for RADIUS is as follows:
Server Group - RADIUS
Protocol - RADIUS
Accounting Mode - Simultaneous
Reactivation Mode - Timed
Max Failed Attempts - 3
Two servers in the Server Group:
ACS - Not working
Microsoft IAS - Working
I have tried removing the IAS server and changing the accounting mode to single, and am still getting auth failures.
ACS is configured as follows:
Network Configuration
AAA Clients - ASA authenticates using TACACS+
AAA Servers - None listed. When I tried to add the ACS machine, the error said the server already existed (in another Network Device Group).

Similar Messages

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication requests from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working, and how?
    ./G

  • If I have a work iPad with a work email and a shared iCloud for all employees, can I set up a second iTunes and iCloud account with a separate email address on the same iPad for my personal stuff?

    I am a teacher and my school has given all of us an iPad to use. It is set up with my school email and a shared iTunes and iCloud account. They have told us we can use it for anything that can be used for education purposes. I have downloaded books and other items that I have marked up for my use. However, if there is ever a problem I can't identify my applications or books if other teachers have downloaded the same apps or books, as well as my documents. Is there a way to set up a 2nd iTunes account and iCloud account so that I may use that when backing up anything that would be personalized by me, so that I can find what is rightfully mine? They are OK with it but were unsure how to do this, so can anyone help me? Thanks

    Sorry, you cannot use more than one iTunes account at a time.

  • HT204053 I set up my iTunes and iCloud account with my work email some time ago. Last week I changed my iTunes email account to a personal email and noticed that the iCloud account has not changed. I pay for additional storage and would like this changed?

    My first iTunes and iCloud account was set up with a work email address. Last week, I changed my Apple ID to a personal email account, but have found that on my iPhone under Settings, iCloud, my account still has my work email. How can I change this to reflect my new personal email? I also pay to have extra storage; how is all of this working/tying together? Please help!

    Sorry, you cannot use more than one iTunes account at a time.

  • Profit-center determination of bank sub-accounts and bank accounts; with new GL.

    The question hereunder has been asked a number of times on forums, though never really answered to my knowledge. Let me try to formulate it once more:
    - When a customer invoice is posted, the receivable is properly split per profit-center thanks to the active splitting solution.
    - When the customer invoice is paid through a bank transfer, the following generally happens:
         The bank statement posts a first area 'debit' bank and 'credit' bank sub-account on a default profit-center (this posting needs to happen first because SAP aims to have the 'bank' posted as quickly as possible 'in the morning', leaving the manual clearing activities 'in the afternoon').
         The bank statement posts a second area 'debit' bank sub-account and 'credit' + 'clearing' receivable. There, the combination of passive splitting and inheritance makes sure that the profit center of the invoice receivable line items is also used for this entire posting.
    - Manually or through automatic clearing, the bank sub-account gets cleared. Since the 2 sides have different profit-centers, the system posts adjustment lines to the zero balance clearing account.
    My question: for companies that want to achieve an entire balance sheet per profit-center, it is a problem that the bank account debit and bank sub-account credit are still with a default profit-center. I understand that the splitting solution in new GL does not offer a way to solve that. One needs to adjust the profit-center on the bank account and bank sub-account with an allocation cycle in EC-PCA. Is my understanding correct, or is there a better solution available in New GL?
    Thanks for your replies.
    José Beghein 

    Hello Ronghua,
    Many thanks for your reply. This note is extremely interesting and gives a lot of technical information on the differences between classic PCA and new GL PCA.
    I nevertheless did not find clearly what is considered the best practice towards splitting bank account positions.
    Kind regards.
    José Beghein

  • No RADIUS accounting with SF 302?

    Hello all,
    I have configured my SF 302-08P switch to perform 802.1X & MAC authentication. This works fine in both cases but I cannot get the switch to send accounting requests to my RADIUS server. Even when the server sends back an Acct-Interim-Interval attribute in the Access-Accept message, the switch doesn't generate accounting requests. Is it a known restriction or am I missing something?
    I'm a little bit surprised since the datasheet claims that both RADIUS authentication and accounting are supported for 802.1X. The switch version is 1.0.0.27.
    Regards,
    Simon

    Hi Simon,
    Yep, according to RFC 2866 it states:
    "When a client is configured to use RADIUS Accounting, at the start of service delivery it will generate an Accounting Start packet describing the type of service being delivered and the user it is being delivered to, and will send that to the RADIUS Accounting server, which will send back an acknowledgement that the packet has been received. At the end of service delivery the client will generate an Accounting Stop packet describing the type of service that was delivered and optionally statistics such as elapsed time, input and output octets, or input and output packets. It will send that to the RADIUS Accounting server, which will send back an acknowledgement that the packet has been received."
    The delay in my response was trying to simulate the scenario, but I don't have all the pieces here.
    Have a chat to the boys/gals at SBSC to get some clarification.
    http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Regards, Dave
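    The Accounting Start / Stop exchange that the RFC 2866 quote above describes, carried through in code as an added example (not from this thread and not Cisco's, the ASA's or ACS's code). It also serves the first post on this page, where accounting requests reach the ACS but are not accepted: the server side below performs the check RFC 2866 requires before a packet is acknowledged, recomputing the Request Authenticator with its own copy of the shared secret and silently discarding anything that does not match, so a client and server configured with different secrets never complete the exchange. Function names, the session identifier, the counters and both secrets are this example's own constructed values; the packet and authenticator layouts follow RFC 2865 and RFC 2866.

```python
import hashlib
import hmac
import struct

# Packet codes and attribute numbers from RFC 2865 / RFC 2866.
ACCT_REQUEST, ACCT_RESPONSE = 4, 5
USER_NAME, NAS_IP_ADDRESS = 1, 4
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS = 40, 42, 43
ACCT_SESSION_ID, ACCT_SESSION_TIME = 44, 46
ACCT_START, ACCT_STOP = 1, 2


def attr(atype, value):
    """Encode one Type-Length-Value attribute; ints become 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attributes(body):
    """Decode TLVs into {type: raw value}, rejecting a truncated attribute."""
    attrs, i = {}, 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs[atype] = body[i + 2:i + alen]
        i += alen
    return attrs


def build_accounting_request(ident, secret, attributes):
    """Client (NAS) side. RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(attributes)
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body))
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body


def verify_accounting_request(packet, secret):
    """Server side: recompute the authenticator with the server's copy of the
    shared secret. On mismatch the packet must be silently discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(expected, req_auth)


def build_accounting_response(request, secret):
    """Accounting-Response with no attributes. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def verify_accounting_response(response, request, secret):
    """Client side: accept the acknowledgement only if it was built over our
    request by a party that holds the same secret."""
    if len(response) != 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def simulate_session(client_secret, server_secret):
    """Run the Start then Stop exchange between a client and an accounting
    server that may hold a different secret. Returns the list of
    (Acct-Status-Type, acknowledged) pairs and the attribute sets the server
    accepted, in order."""
    results, accepted = [], []
    common = [attr(USER_NAME, b"alice"),                 # constructed sample user
              attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),  # constructed NAS address
              attr(ACCT_SESSION_ID, b"0000A1B2")]        # constructed session id
    start = common + [attr(ACCT_STATUS_TYPE, ACCT_START)]
    stop = common + [attr(ACCT_STATUS_TYPE, ACCT_STOP), attr(ACCT_SESSION_TIME, 3600),
                     attr(ACCT_INPUT_OCTETS, 12345), attr(ACCT_OUTPUT_OCTETS, 67890)]
    for ident, attributes in ((1, start), (2, stop)):
        request = build_accounting_request(ident, client_secret, attributes)
        if verify_accounting_request(request, server_secret):
            accepted.append(parse_attributes(request[20:]))
            response = build_accounting_response(request, server_secret)
            acked = verify_accounting_response(response, request, client_secret)
        else:
            acked = False  # server discards; the client would retransmit and eventually log a failure
        status = struct.unpack("!I", parse_attributes(request[20:])[ACCT_STATUS_TYPE])[0]
        results.append((status, acked))
    return results, accepted


if __name__ == "__main__":
    print(simulate_session(b"s3cret", b"s3cret"))
    print(simulate_session(b"s3cret", b"different"))
```

    With matching secrets both the Start (status 1) and the Stop (status 2) packets are acknowledged and the server records the session counters; with different secrets the server accepts nothing and the client never receives an acknowledgement, which is the only signal RFC 2866 gives a client that its accounting is not being recorded.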

  • Debit and credit accounts with a movement type

    Hi,
        I want to know how we can get details about, whenever there is a goods movement, which account will be debited and which account will be credited. In OMWB we can see all the accounts, but how to know which will be debited and which will be credited?
      regards,
       zafar

    Hi,
       When I check in OMWB - Simulation for one material for movement type 201:
    Posting Lines Text              | VlGCd | AGC | VCl  | PK | Acct Deb.  | PK | Acct Cr.
    Inventory posting               | 0001  | -e- | 2000 | 89 | 300002     | 99 | 300002
    Offsetting entry for inventory  | 0001  |     | 2000 | 81 | --Missing- | 91 | --Missing
    Offsetting entry for inventory  | 0001  |     | 2000 | 81 | --Missing- | 91 | --Missing
    Gain/loss from revaluation      | 0001  | -e- | 2000 | 83 | 233000     | 93 | 233000
    Inventory posting               | 0001  | -e- | 2000 | 89 | 300002     | 99 | 300002
    Cost (price) differences        | 0001  | -e- | 2000 | 83 | 893022     | 93 | 893022
    Offsetting entry for inventory  | 0001  | VBR | 2000 | 81 | 890000     | 91 | 890000
    Inventory posting               | 0001  | -e- | 2000 |    |            | 99 | 300002
    and when I have done one goods movement for a material with movement type 201, the accounting entry is generated as below:
    MS10  1  99  300002  Intermediate Goods S  44.00-  INR
    MS10  2  81  890000  Consumption of SFG    44.00   INR
    As per this, from account 300002 amount 44 is deducted and in account 890000 amount 44 is added.
    Now I am not clear: in simulation it is showing so many accounts, then how to know which account is getting updated debit and credit? Also, what is the meaning of -e- in AGC?
      regards,
       zafar

  • WLC 4400 and RADIUS accounting

    Have trawled what docs there are and can't find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
    I'm guessing there might be a new Cisco VSA for it.
    Anyone know?
    Thanks

    The error message could be because of any unused protocol.

  • Command accounting with ACS

    How can I achieve command accounting via ACS? I have configured devices as below but no luck:
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    any idea about it

    Hi, I am using the 4.2 version appliance. I am using TACACS+; you can see the config below for your reference:
    aaa new-model
    aaa group server tacacs+ bwaaa
    server 10.2.6.1
    server 10.2.6.2
    ip tacacs source-interface Vlan1111
    aaa authentication login aaa-list group bwaaa local
    aaa authentication enable default group bwaaa enable
    aaa authorization exec aaa-list group bwaaa local
    aaa accounting exec aaa-list start-stop group bwaaa
    aaa accounting commands 1 aaa-list start-stop group bwaaa
    aaa accounting commands 15 aaa-list start-stop group bwaaa
    aaa accounting system default start-stop group bwaaa
    aaa session-id common
    tacacs-server host 10.2.6.1 timeout 25
    tacacs-server host 10.2.6.2 timeout 25
    tacacs-server timeout 25
    tacacs-server directed-request
    tacacs-server key cisco123

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Certificate server, and the clients (WinXP) are receiving both machine and user certificates just fine.
    I have also managed to set it up so Machine Authentication works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
    That would have plugged a few security holes for me.

  • iPhone and EAP-TLS with ACS & 5508

    I have a large customer that is moving into a new building and adding some new wireless. They are using a 5508 with 1142s and an ACS server.
    They will have the following SSIDs:
    SSID01 -> WPA-EAP-TLS
    SSID02 -> WPA2-EAP-TLS (future use)
    SSID03 -> Guest Access (internet access only)
    They currently use this design across the enterprise, which has worked well.
    The problem is that to get certificates pushed down to the client for the EAP-TLS, they always connect the machine once by wire and log on to the domain so a GPO pushes the cert to the machine. This creates a problem that I don't know how to solve, as they want to use iPhones on the new deployment.
    Does anyone have any ideas on how to get a cert down to the iPhones for use with the SSIDs?
    Thanks in advance for any assistance.

    I don't think we can push certs from Windows Server to iPhones. Probably set up a webpage, say accessible from a different SSID, from which clients can download and install the cert?

  • HTTP Basic Auth and Username Authentication with Symmetric Key

    Hi,
    I have a webservice happily running on tomcat 5.5 using "Username Authentication with Symmetric Key" I have certificates setup and everything works fine. I can even connect a .net client and use the service.
    Now I have an additional requirement of authorization per operation basis so I'm planning on using the roles. My current setup uses tomcat-users.xml to configure users but I seem unable to identify the role of the user from within my code as wsContext.isUserInRole("briefing") always returns false even when it clearly isn't. Where wsContext = @Resource private WebServiceContext wsContext.
    So I figure perhaps I need to add HTTP Basic Auth to tomcat for it to gather this information so I added security-constraints to the web.xml and this seems to do the trick: at least it does for my .net client.
    If I do:
      Service service = new Service();
      Port client = service.getPort();
      BindingProvider bp = (BindingProvider)client;
      bp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "myusername");
      bp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "mypassword");
    Then it all works fine. However, I'd like a little less transparency: I don't want to have to do this every time I make a call.
    My questions are:
    1) Am I going about this the right way (perhaps I am somehow getting the incorrect reference to the WebServiceContext)?
    2) If I am going about this the right way, I imagine the whole BindingProvider code needs to be added as a policy configuration, but I'm really not sure where to start, especially as I'm using wsimport to generate everything: I'm not even sure where to configure this so it will not get overwritten.
    Thanks for any help.

    Doh! Ok So I've added a SOAP Handler to automatically add the username and password for the HTTP Basic Auth.
    All in all does this setup sound right?

  • Mail app and google account with two step verification fail

    Hi,
    I try to add my Gmail account to the Mail app, but it says that the login or password is incorrect. I'm using Google 2-step verification, which means that I should generate an app-specific password each time I use a new application with this Google account. I've generated the password for the Gmail app and logged in successfully, but it doesn't work for the Mail app (each application has its own password).
    iOS 5.1.1 (9B206).
    Gmail app v. 1.2.7182
    Thank you in advance.

    Аnonym wrote:
    I've read every discussion about that problem, though I found no solution there. So I started another one.
    I'm sorry. You misunderstood what I was saying - or perhaps I should say that I said it wrong. I meant that I was unfamiliar with this problem - that's all that I meant.
    The link for 4.0 is simply for iPads that are running iOS 4.0 or higher. That is what the link refers to. This is copied from the website
    Note: These setup instructions are for Apple devices running software version 4.0.
    View instructions for older software.
    It does not state it specifically, but it means 4.0 or higher. Google hasn't updated anything further for higher than iOS 5 that's all.
    But if you checked it out already or don't want to check it out because you think it doesn't apply - that's your prerogative.
    EDIT - your problem was solved as soon as I posted. Glad you got it all worked out!

  • iPhone and business accounts with AT&T

    AT&T is telling me that I can not activate iPhones under my business plan with them. Has anyone else had issues with this? They told me this was part of the contract with Apple - has anyone heard anything about this?
    Thanks.

    For discussion purposes I will venture a few guesses:
    a) ATT has been trying to get rid of the business discounts for quite some time, what better way to get business accounts switched over to personal accounts than something enticing like the iPhone (once you switch over, your business discounts are gone forever)
    b) The iPhone has very few business features a road warrior would want
    c) From the outset, the business sector has complained that there might be too many security flaws in the iPhone - long before the iPhone came out
    d) There are no business applications on the phone
    e) ATT makes more money from personal accounts than from business accounts - no discounts, no need to keep a corporate entity happy
    f) Many corporate networks forbid iTunes on their computer systems, and iTunes is required to activate and sync the iPhone, for updates, and everything else.
    Those are just a few quick things I can think of off the top of my head. If I think of some others, I'll come back and edit and add them.

  • I am trying to activate an iCloud account with no luck

    I am trying to activate an iCloud account, but there is no option in the System prefs panel. The only option is a button that says to move my .me account to the cloud, I don't have a .me account 8( If I go to the icloud site, it says that I must activate the account in my system prefs, but I can't.

    Welcome to the Apple Community.
    Your system doesn't support iCloud, iCloud only comes with OS X 10.7.2 or better.
    You can update your OS at the Mac App store, if your hardware does not support the upgrade you will be told at the time you try.
