Tacacs+ problem with ACS 5.2

I am new to ACS server 5.2; can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
Switch#
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
Your kind help will be highly appreciated.

Did you add the switch as an AAA client in the ACS box? Make sure you use the correct switch IP when adding it in ACS.
You can go to "Monitoring and Reports" on ACS to check the log to see what happened.

Similar Messages

  • Tacacs problem with ACS 4.2 NDG and shell authorization sets

    Hi all,
    I am trying to solve this problem without success so far. I have a fresh ACS 4.2.15 patch 5 ACS installation and I am trying to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. The problem is when I try to create fine-grained policies using network device groups and shell authorization sets.
    I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
    One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
    Did anyone have a similar problem, or is there something that I am doing in a wrong way? Is there another way to achieve such a thing without using NDGs?
    Thanks everyone....

    Please upgrade to patch 6, there is a bug in patch 5 and you can check the release notes or the readme for more information.
    What is your user setting set to while you are testing command authorization, did you set it back to the group setting?
    Thanks,
    Tarik Admani

  • AD Link Problem with ACS 5.2

    Hello all,
    we have a problem with an ACS 5.2. We have installed the software on VMware. The machine is running without problems.
    Now I would like to connect to our AD. The connection is OK, but I cannot see any groups when I make a search.
    I get a failure message in the CLI:
    *** glibc detected *** corrupted double-linked list: 0x43b77858 ***
    Does anyone know this message?
    Thanks for help.

    Hi Erick,
    thanks for your answer.
    I could solve this problem. I had installed ACS version 5.2 but without the new patch.
    With this patch I can connect to the AD and can see all groups.
    regards
    Andreas

  • Problem with ACS Server

    Good morning;
    I hope this is the right forum, so here it goes. I have an ACS server v4 that keeps hanging. If I try to restart the service (CSAuth), the service hangs and the only thing I can do is restart the server. Is there something I can do to fix this or troubleshoot it better?
    Thanks

    Good morning,
    I have the same problem with an ACS 3.3.3 that occasionally restarts CSAuth for a configured function to proceed, but the service keeps hanging.
    Have you found any solution?
    Thanks

  • Juniper SSG TACACS+ Integration with ACS 5

    Hi,
    I'm working on TACACS+ integration of a Juniper SSG firewall with ACS 5, but login on the SSG failed. After checking the log on ACS, it passed authentication. Do I need to import any dictionary file on the ACS 5 first?
    Please advise,
    Cheers,
    Ryan

    I was able to configure SSG authentication using RADIUS. In order to work with RADIUS, I had to create a RADIUS dictionary using the netscreen dictionary found at Juniper. Attached is the dictionary.
    I'm not sure how to import, but I created the dictionary manually.

  • Problems with ACS View Eval

    Hi,
    I have installed the eval 4.0 ACS View.
    If I try to generate a report, a window comes up with the following message:
    Exception
    Version Mismatch
    See Stack Trace
    Does someone know a solution?
    Thank you.

    The problem was not enough disk space. My initial VM had only 32 GB. I got a larger disk and a 50 GB VM and the install went well.

  • Problem with ACS 4.1 using certificate

    I have an ACS 4.1 appliance, and I have already configured ACS in order to work with certificates. I got the certificate from ACS and installed it as the installation guide says. Additionally I configured the card's controller in my PC in order to manage the certificate.
    When I try to be validated by ACS I cannot go on, because a message appears that says "click to select a certificate"; after clicking, a window appears asking for user and password, however I expected not to receive this window.
    The switch's port was configured as follows:
    aaa new-model
    aaa authentication dot1x default group radius+
    dot1x system-auth-control
    interface GigabitEthernet1/0/4
    switchport mode access
    dot1x mac-auth-bypass eap
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 3
    dot1x reauthentication
    radius-server host (ip address) auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key password
    What am I doing wrong, or is there something left?

    1) Did you install the certificate file in the local machine? (Right click >> Install Certificate >> and so on.)
    2) Are you using the built-in dot1x supplicant in Windows XP? Is the setting set to MD5?
    3) Did you select this installed certificate from the drop-down menu in the wireless software?
    Regards
    Farrukh

  • Problem with ACS 4.2 Database replication

    Greetings,
    I am not able to replicate Database between two ACS SE 4.2. I am getting the following error:
    Inbound database replication from ACS 'ACS_BEX_001' denied - shared secret mismatch.
    The configuration apparently is OK. I am attaching the configuration from both ACS.

    The solution posted by Nevin is correct, but I must add some explanations. I had the problem yesterday and I proceeded like Nevin said:
    - I connected to the console and did a "show".
    - The IP was the correct one, but as indicated I did a "set ip".
    - The system asked for the new IP, showing the old one between brackets, i.e. "New IP [10.10.10.1]:".
    - I pressed Enter, because the IP is correct.
    - After confirming the IP, mask, gateway and DNS, the system asked me to verify connectivity. I did it and it was correct.
    - The second time it asked to check connectivity I answered No, and nothing happened.
    - We checked through the web but the "Self" IP was still 127.0.0.1.
    - So I did the process again, BUT this time I changed the IP to another one. After finishing (when I answered No to check connectivity) I saw that the system was stopping all ACS processes and starting them again.
    - In the web page the "Self" IP was the new one.
    - I did the process again, changing the IP to the original one. This time also the system stopped and started all processes.
    - In the web page the "Self" IP was correct.
    - Now the replication worked correctly.
    So the problem was that the system is "intelligent" and if it discovers that you don't change the IP (even if you change the DNS), it doesn't reconfigure it. So you must change to another IP (even a dummy one) and then change again to the correct one.
    I hope this can help other people.

  • Authentication Problem with ACS 5.2 Using LDAP

    Hi!
    I want to use LDAP for connecting to Active Directory but I get this error from ACS 5.2 (22056 subject not found in the applicable identity stores). Is there anyone who can help me?
    I used this configuration in ACS 5.2:
    Users and Identity Stores / External identity store / ldap / Directory Organization
    Subject ObjectClass : User
    Subject Name attribute ; sAMAccountName
    Group ObjectClass : Group
    Group Map Attribute : MemberOf

    Two questions:
    - did you press "Test Bind to Server" from LDAP "Server Connection" tab and "Test Configuration" from "Directory Organization" tab?
    - did you select the LDAP database as the result in the identity policy?

  • ACS problems with Windows 2K3 SP1

    We are facing problems with ACS when we install SP1 on the ACS Server on Windows 2k3 Ent Edition.
    After SP1 is installed, the ACS admin web interface hangs whenever an AAA client is added or an NDG is added/deleted/modified.
    It hangs on some other changes as well, but the NDG/AAA client change is confirmed to hang.
    ACS is running on a Dual-Core Dual Processor machine. The problem is not present on a single processor machine.
    ACS ver. is 4.0(1) (Build 27)
    Any help will be greatly appreciated.

    ACS ver 4.1 has been tested with dual processors. Check out the release notes:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/rnotes/rnacs41.htm#wp140886
    Regards,

  • Problems with New ACS 5.4 install

    I have a fresh install of an ACS 5.4 virtual appliance. This ACS instance will only be used for TACACS+ AAA for network device administration. It is up and running on the network. I have time, timezone, NTP and DNS configured. ACS admin accounts and logging are configured. I created an internal user, a network device, a network device group, an internal identity group, a shell profile, and command set. It is joined to the Enterprise Active Directory domain, and a couple of AD groups have been selected for use in policies.
    The default network device is enabled and configured with a TACACS secret. I have a lab router configured and pointed at ACS and I can SSH to it with the ACS internal user.
    The problem is: I can't create any rules for any policies. If I try to add a rule (or edit a default rule) to the "Service Selection Rules" or "Default Device Admin" or Identity, group mapping or authorization, all I get is a popup with the message "Resource not found or Internal Server error". If I click "customize" anywhere I just get empty selection/transfer boxes. If I try to change to a single result policy from compound rules I get a "System failure - your changes were not saved" message. I have installed this twice now with the same results.
    This is my first experience with ACS. I've gotten through most of the configuration guide but I don't know ACS well enough to know if I'm missing something incredibly obvious, or whether it's just broken.

    Which version of browser are you using? I am guessing you are using a later version of Firefox.
    If so, there are two options:
    - use ie8 or ie9 in compatibility mode
    - install patch 1 for ACS 5.4. This includes fixes for issues with later versions of firefox. I think relevant CDETS is:
    CSCud33106: ACS5: Pages do not display correct when using FireFox version 16

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on the ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on
    your ACS server in order to have AAA TACACS users log into the
    ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell (exec)
    -> enable Custom attributes -> right below this part you need to
    use the following syntax to link the ACE context that this user
    has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Where this user will have access to the Admin context with the role
    admin using the 'default-domain'

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the fields close to the bottom of the screen: from the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair on those devices too, which will impact the priv levels they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani

  • Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs

    To start, I am new to ACS, so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions, and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645, but I do see port 49 for TACACS and I also see ports 2000-2002. CSRadius is running.

    Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
    So unless that got changed without my knowing, it should be listening on 1645/6 and 1812/3.
    Darra

  • Issue with ACS 4.2 in Authentication

    Hey guys.
    I've got a problem with the ACS 4.2 just in authentication.
    I have a 3750 Catalyst and installed an ACS 4.2, both in one zone. They can ping each other and there is no problem in their connectivity. I've created a user called "test" in the ACS local database, defined the switch in the ACS database and configured the 3750 with the commands below:
    aaa new-model
    aaa authentication attempts login 10
    aaa authentication login default group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable
    tacacs-server host 192.168.149.30
    tacacs-server directed-request
    tacacs-server key 7 046803071F
    When I try to log in via the "test" user, the problem below appears on my screen while debugging the authentication process on the switch:
    Apr  1 05:29:11: AAA/BIND(00000049): Bind i/f
    Apr  1 05:29:11: AAA/AUTHEN/LOGIN (00000049): Pick method list 'default'
    Apr  1 05:29:11: TPLUS: Queuing AAA Authentication request 73 for processing
    Apr  1 05:29:11: TPLUS: processing authentication start request id 73
    Apr  1 05:29:11: TPLUS: Authentication start packet created for 73(test)
    Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT/82F6C3C: Started 5 sec timeout
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: socket event 2
    Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
    SW48-3#
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: Would block while reading
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: socket event 1
    Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
    Apr  1 05:29:12: TPLUS(00000049)/0/82F6C3C: Processing the reply packet
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): get password
    Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
    Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
    Apr  1 05:29:12: AAA/AUTHEN/ENABLE(00000049): Done status GET_PASSWORD
    SW48-3#
    Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Processing request action LOGIN
    Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
    Just to confirm: the password is definitely correct and there is not any authorization process.
    I will be very thankful if someone can help me to troubleshoot this matter (or any doc that shows how to authenticate a user via ACS 4.2).
    Moe

    Hi Mohammad,
    I think I see the problem right away.
    The ACS is dropping the packet due to IP mismatch.
    Check the IP addresses.
    The IP that you have defined is 147.23
    The IP that the device is using is 149.24
    It seems that you have multiple interfaces on the device and it's using its own routing table.
    If you want to force the device to use a specific IP for T+, then use "ip tacacs source-interface",
    or if you want to change this on the server end, then define 149.24 as a network device.
    **Share your knowledge. It’s a way to achieve immortality.
    --Dalai Lama**
    Please Rate if helpful.
    Regards
    Ed

  • Problems with clients on a 1220 AP with LEAP auth

    I am having some problems with all clients on one access point that have this state:
    0018.de99.bafe 0.0.0.0 4500-radio TN1AP01OFF self EAP-Assoc
    Here is the config:
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    hostname xx
    logging buffered informational
    aaa new-model
    aaa group server radius rad_eap
    server 10.1.50.160 auth-port 1645 acct-port 1646
    aaa authentication login default group tacacs+ local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    enable secret 5
    username imperbalene privilege 15 secret 5
    clock timezone CST -6
    clock summer-time CST recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    ip subnet-zero
    ip domain name accuridecorp.com
    no dot11 igmp snooping-helper
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode wep mandatory
    ssid accuwireless
    authentication open eap eap_methods
    authentication network-eap eap_methods
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
    rts threshold 2339
    rts retries 32
    power local 100
    packet retries 32
    channel 2462
    fragment-threshold 2338
    station-role root
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    description bvi1
    ip address 10.150.0.101 255.255.0.0
    no ip route-cache
    ip default-gateway 10.150.0.1
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/iv
    ip http authentication aaa
    ip radius source-interface BVI1
    logging trap debugging
    logging 10.1.50.5
    snmp-server community diff133>>// RO
    no snmp-server enable traps tty
    snmp-server host 10.1.50.5 diff133>>//
    tacacs-server host 10.1.50.160 key
    radius-server host 10.1.50.160 auth-port 1645 acct-port 1646
    radius-server retransmit 3
    radius-server key 7
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    radius-server vsa send authentication
    I have a Cisco ACS server on the backend authenticating just fine, but it seems either the clients are misconfigured or there is something in the AP that needs to be changed.

    What is the behavior you're seeing?
    1.) The client shows up in the association table on the AP, so WLAN configs must match.
    2.) ACS shows a passed authentication? So the clients have an appropriate IP address and are able to pass traffic...
    Can you ping the GW of the network?
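The two debug captures on this page fail at different points: in the opening thread the switch never gets a TCP session to port 49 (so the ACS log has nothing to show), while in the ACS 4.2 thread the request is written and the server then closes the socket (errno 32), which is where the "device IP not defined as a network device" answer applies. The script below is an added example, not code from any of the posters; it classifies an IOS TACACS+ debug capture by where the exchange broke, using the quoted lines from both threads as constructed sample input.

```python
import re
from collections import Counter

# Regexes written against the two debug formats quoted in the threads above
# ("TAC+:" lines and "TPLUS(...)" lines).
SERVER = re.compile(r"(?:TPLUS: Using server|TAC\+: Opening TCP/IP to) (\d+\.\d+\.\d+\.\d+)")
TCP_TIMEOUT = re.compile(r"TCP/IP open to (\d+\.\d+\.\d+\.\d+)/49 failed -- Connection timed out")
WROTE_REQUEST = re.compile(r"/NB_WAIT: wrote entire \d+ bytes request")
READ_ERRNO = re.compile(r"/READ: errno (\d+)")
LOCAL_FAILOVER = re.compile(r"AAA/LOCAL/LOGIN\(\w+\): failover")
FINAL_STATUS = re.compile(r"Done status (FAIL.*|PASS)")

HINTS = {
    # No TCP handshake ever completed, so the ACS never saw these attempts.
    "tcp_unreachable": "no TCP session to port 49: check the server IP, routing, "
                       "ACLs/firewalls and that the TACACS+ service is listening",
    # TCP connected and the START packet went out, but the server closed the
    # socket without replying: the ACS received the packet, so its log says why.
    "server_closed_connection": "ACS accepted TCP but dropped the request: check "
                                "the ACS log; usually the device's source IP is not "
                                "a defined AAA client, or the shared key differs",
    "exchange_completed": "a reply was processed; final_status carries the result",
}


def diagnose(debug_text):
    """Summarise one IOS TACACS+ debug capture as a dict."""
    servers, tcp_timeouts = [], Counter()
    request_sent, errno, local_failover, final_status = False, None, False, None
    for line in debug_text.splitlines():
        if (m := TCP_TIMEOUT.search(line)):
            tcp_timeouts[m.group(1)] += 1
        elif (m := SERVER.search(line)):
            if m.group(1) not in servers:
                servers.append(m.group(1))
        elif WROTE_REQUEST.search(line):
            request_sent = True
        elif (m := READ_ERRNO.search(line)) and request_sent:
            errno = int(m.group(1))      # 32 = EPIPE: peer closed the socket
        elif LOCAL_FAILOVER.search(line):
            local_failover = True        # IOS fell back to the local method
        elif (m := FINAL_STATUS.search(line)):
            final_status = m.group(1)
    if tcp_timeouts and not request_sent:
        verdict = "tcp_unreachable"
    elif errno is not None:
        verdict = "server_closed_connection"
    else:
        verdict = "exchange_completed"
    return {"verdict": verdict, "hint": HINTS[verdict], "servers": servers,
            "tcp_timeouts": dict(tcp_timeouts), "errno": errno,
            "local_failover": local_failover, "final_status": final_status}


# Constructed samples: the debug lines quoted in the two threads above.
SAMPLE_TIMEOUT = """\
6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
"""
SAMPLE_RESET = """\
Apr  1 05:29:11: TPLUS: Using server 192.168.149.30
Apr  1 05:29:12: TPLUS(00000049)/0/NB_WAIT: wrote entire 39 bytes request
Apr  1 05:29:12: TPLUS(00000049)/0/READ: errno 32
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): user test not found
Apr  1 05:29:12: AAA/LOCAL/LOGIN(00000049): failover
Apr  1 05:29:16: AAA/AUTHEN/ENABLE(00000049): Done status FAIL - bad password
"""
```

Paste the output of `debug tacacs` (and `debug aaa authentication`) into either sample slot; the verdict tells you whether to look at the path to the server or at the ACS log.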
