Unable to integrate WLC with cisco ACS

Hi,
I am not able to integrate Cisco TACACS with WLC
Below are the error logs in Juniper firewall
WLC IP: 10.210.126.133
Cisco ACS: 10.116.45.131
| Date/Time | Source Address/Port | Destination Address/Port | Translated Source Address/Port | Translated Destination Address/Port | Service | Duration | Bytes Sent | Bytes Received | Close Reason |
|---|---|---|---|---|---|---|---|---|---|
| 2013-11-04 16:31:03 | 10.210.126.133:49098 | 10.116.45.131:49 | 10.210.126.133:49098 | 10.116.45.131:49 | TCP PORT 49 | 2 sec. | 591 | 428 | Close - TCP FIN |
| 2013-11-04 16:31:03 | 10.210.126.133:51759 | 10.116.45.131:49 | 10.210.126.133:51759 | 10.116.45.131:49 | TCP PORT 49 | 2 sec. | 525 | 326 | Close - TCP FIN |
| 2013-11-04 16:31:09 | 10.210.126.133:51759 | 10.116.45.131:49 | 10.210.126.133:51759 | 10.116.45.131:49 | TCP PORT 49 | 9 sec. | 475 | 238 | Close - TCP FIN |
| 2013-11-04 16:31:09 | 10.210.126.133:49098 | 10.116.45.131:49 | 10.210.126.133:49098 | 10.116.45.131:49 | TCP PORT 49 | 9 sec. | 519 | 318 | Close - TCP FIN |
Please suggest whether any changes need to be made at either end.
Cisco ACS Server
11/04/2013
16:31:01
Author failed
ads.shalder
DCN-BANG2&BANG5-RW
127.0.0.1
Service denied
service=ciscowlc protocol=common
10.210.126.133
ads.shalder
No
1
10.210.126.133
Pls suggest further
Br/Subhojit

Hi,
we are getting this error on WLC side debug
(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.689: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Nov 05 09:51:32.689: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.700: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
WLC hardware is: AIR-CT2504-K9V01
Br/Subhojit
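
Added example, not part of the original posts: a Python script that reads the WLC debug lines quoted above and decodes the numeric status with the TACACS+ codes from RFC 8907, where authorization status 16 (0x10) is FAIL. The function names are hypothetical; the sample input is copied from the two posts.

```python
import re

# TACACS+ status codes as defined in RFC 8907.
AUTHEN_STATUS = {
    0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
    0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW",
}
AUTHOR_STATUS = {
    0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
    0x11: "ERROR", 0x21: "FOLLOW",
}

# Sample input: debug lines copied from the WLC output in the post above.
WLC_DEBUG = """\
(Cisco Controller) >*tplusTransportThread: Nov 05 09:51:32.683: Forwarding request to 10.116.45.131 port=49
*tplusTransportThread: Nov 05 09:51:32.689: tplus auth response: type=1 seq_no=2 session_id=5b675ca1 length=16 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.689: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 05 09:51:32.700: tplus auth response: type=1 seq_no=4 session_id=5b675ca1 length=6 encrypted=0
*tplusTransportThread: Nov 05 09:51:32.700: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 05 09:51:32.705: author response body: status=16 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 05 09:51:32.705: Tplus authorization for ads.shalder failed status=16
"""

# Sample input: the denied request as it appears in the ACS failed-attempt record.
ACS_DENIED = "service=ciscowlc protocol=common"

# "*thread: Mon DD HH:MM:SS.mmm: message", optionally preceded by the CLI prompt.
MSG_RE = re.compile(r"\*\w+: \w{3} \d{2} [\d:.]+: (?P<msg>.*)$")


def parse_av_pairs(text):
    """Split 'k1=v1 k2=v2' into a dict, ignoring tokens without '='."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def analyze(debug_text):
    """Walk the debug lines and collect the state of one TACACS+ exchange."""
    result = {
        "server": None, "session_id": None, "authen_states": [],
        "authen_passed": False, "author_status": None,
        "author_args": None, "user": None,
    }
    for line in debug_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")

        fwd = re.match(r"Forwarding request to (\S+) port=(\d+)", msg)
        hdr = re.match(r"tplus auth response: (.*)", msg)
        state = re.match(r"TPLUS_AUTHEN_STATUS_(\w+)", msg)
        body = re.match(r"author response body: (.*)", msg)
        fail = re.match(r"Tplus authorization for (\S+) failed status=(\d+)", msg)

        if fwd:
            result["server"] = fwd.group(1)
        elif hdr:
            result["session_id"] = parse_av_pairs(hdr.group(1)).get("session_id")
        elif state:
            result["authen_states"].append(state.group(1))
        elif "tplus_authen_passed" in msg:
            # The controller only builds an authorization request after
            # the authentication phase has passed.
            result["authen_passed"] = True
        elif body:
            av = parse_av_pairs(body.group(1))
            code = int(av["status"])
            result["author_status"] = AUTHOR_STATUS.get(code, "UNKNOWN(0x%02x)" % code)
            result["author_args"] = int(av["arg_cnt"])
        elif fail:
            result["user"] = fail.group(1)
    return result


def finding(result, denied_request=None):
    """Turn the collected state into a one-line diagnosis."""
    if not result["authen_passed"]:
        return "authentication did not complete"
    status = result["author_status"]
    if status in ("PASS_ADD", "PASS_REPL"):
        return "authorized"
    if status == "FAIL":
        what = ""
        if denied_request:
            av = parse_av_pairs(denied_request)
            what = " for service=%s protocol=%s" % (av.get("service"), av.get("protocol"))
        return "credentials accepted, authorization refused" + what
    return "authorization ended with status %s" % status


if __name__ == "__main__":
    r = analyze(WLC_DEBUG)
    print(r)
    print(finding(r, ACS_DENIED))
```
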

Similar Messages

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login


  • Unable to generate reports in Cisco ACS 4.2

    Hi All,
    I have configured AAA on the firewall and I am successfully able to log in to it using ACS username and password, but I am unable to generate Accounting and Administration logs. Whenever I check either of these logs it shows me a blank page. Below is the AAA config on the firewall.
    I have installed Cisco ACS 4.2 on windows 2003 server.
          aaa-server test protocol tacacs+
          aaa-server test (inside) host X.X.X.X
            key **********
          no aaa authentication http console AAA LOCAL
          aaa authentication http console test LOCAL
          no aaa authentication ssh console AAA LOCAL
          aaa authentication ssh console test LOCAL
          aaa authentication telnet console test LOCAL
          aaa authentication enable console test LOCAL
          aaa accounting enable console test
          aaa accounting ssh console test
          aaa accounting telnet console test   
          aaa accounting command test
    Awaiting for soln.
    Thanks in advance.
    Regards,
    Amit.

    I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered were hosed and I could build up the user/password database again.
    Look in your console log. If you see something like:
    Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
    It means that the postgresql database that is started for collection this information can startup. It will try several times, and then fail. The way to fix this
    -Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
    -increase the memory settings from the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
    and add something like this:
    kern.sysv.shmmax=167772160
    kern.sysv.shmmin=1
    kern.sysv.shmmni=32
    kern.sysv.shmseg=8
    kern.sysv.shmall=65536
    See also:
    http://forum.servoy.com/viewtopic.php?p=47461

  • EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

    Hi Guys,
    Whilst I’m well aware of the limitations of the built-in Windows wireless 802.1x supplicant, is there a way, using the NAM client, to authenticate both a computer and a user simultaneously when used for authentication to wireless networks?
    As has been posted many times before on this forum, this isn’t possible due to Windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-FAST and 'EAP Chaining'.
    Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
    Thanks in advance.
    SteveH

    Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
    So, try rebooting ACS if you haven't already and see if that resolves the error.

  • Integrating windows AD with cisco ACS

    Hi all, I am looking for the requirements and any documents on setting up the ACS with Windows AD for user authentication.
    I am basically testing this.
    I have a Cisco switch, an ACS server 4.1, a Windows XP host and a Windows 2003 server.
    Can someone please tell me the procedure for this on the ACS and the AD?
    any help would be appreciated.
    regards
    sushil

    Hi, thanks for the link.
    But can you tell me: when installing the ACS, where it asks for selecting the database (the ACS only or the Windows database), should we select the Windows database?
    So when we are configuring the ACS for 802.1x authentication and authorisation,
    we should create the users as in the AD, right? But the password for them should be redirected to the AD, right?
    Can you please guide me on this?
    regards
    sushil

  • Cisco aironet 1130g and windows 2003 with cisco ACS

    Hi,
    I have configured a Windows 2003 server with DNS, Active Directory users and a DHCP server, and configured my Cisco 1130g AP.
    I have installed Cisco Access Control Server 4.0 because I use the LEAP authentication protocol, and in the ACS network configuration I give the AAA client IP address as the AP interface IP and the same shared secret for the AP and ACS.
    So when I log in to Wi-Fi it asks for a username and password.
    The problem is that the laptop cannot get an IP address; my DHCP server does not issue any IP address.
    My HyperTerminal message is like this when I connect to Wi-Fi:
    Help ... thank you ...

    As I mentioned now several times already, it is the client and ACS which do the PEAP. The Access point doesn't have to be configured for an eap type. What you did on the AP was setting the AP as a radius server which is duplicate work with what you did on ACS.
    So you need on your client to configure either PEAP or LEAP.
    Nicolas

  • Strange issue - unable to establish PPP with Cisco 887 VAG router on one particular ADSL line

    I have a strange problem that I’m struggling to get to the bottom of with my ISP and wondered if anyone could help.
    We have a site with an older Cisco 877 ADSL router which was working happily until a few weeks ago when the connection dropped suddenly (out-of-hours at 2am if that’s of any significance – made me think most likely something carrier/ISP related?)    When connectivity was lost, the router could sync with the BT exchange (we are in the UK) but could not establish PPP.
    We logged fault with our ISP – after some to’ing and fro’ing, they passed it onto BT and their engineers visited site, they fixed “a line fault” (we don’t get much detail on what was actually fixed) but we still could not establish connectivity – same thing, solid CD light but no PPP.
    So, we replaced the router with another 877 – same again, solid CD but no PPP.  We replaced all the cables and microfilter etc but no difference. 
    We tried a different Cisco router (a newer Cisco 887VAG) which, as I understand, uses a different modem chipset but no matter – PPP could still not be established.  We tested this router on another ADSL line with the same ISP and it worked without issue, using the same ADSL account details, it was able to establish connectivity.  So we figured this must still be a BT/ISP issue.
    Since then we’ve had BT out again twice but they say there is no fault.  The ISP say there is no issue with them.  But we still cannot establish ADSL connectivity on this line, despite having tried 3 different ADSL routers and despite the fact the routers work with the same account details on another ADSL line.
    The 887VAG router we have currently connected has 3G backup so that is keeping us going in the meantime and also means I can login to the router remotely to check on the ADSL status. 
    But I’m struggling to pinpoint where the problem may lie.   Strangely, if I turn on PPP negotiation and authentication debug then I’m not actually seeing any output from it at all?
    Yet, the ATM interface is up and shows packets being sent and received:
    ATM0 is up, line protocol is up
      Hardware is MPC ATMSAR, address is bc16.6596.9b00 (bia bc16.6596.9b00)
      MTU 1600 bytes, sub MTU 1600, BW 704 Kbit/sec, DLY 520 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ATM, loopback not set
      Keepalive not supported
      Encapsulation(s): AAL5
      4 maximum active VCs, 1024 VCs per VP, 1 current VCCs
      VC Auto Creation Disabled.
      VC idle disconnect time: 300 seconds
      Last input 00:00:28, output 00:00:07, output hang never
      Last clearing of "show interface" counters 6d23h
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: Per VC Queueing
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         23886 packets input, 1676964 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         56469 packets output, 4418592 bytes, 0 underruns
         0 output errors, 0 collisions, 6 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    Does anyone have any ideas on where the problem may be and what more I can do to troubleshoot and provide the relevant evidence to our ISP (assuming it is an ISP/BT issue though the fact the same router works ok with the exact same details etc would seem to indicate it must be their issue!)

    Hi Jody,
    thanks for the suggestions.  Here's what I see from the ppp debugs (but I'm not sure how to interpret?)
    Jan  6 14:50:22.838: pppoe_send_padi:
    contiguous pak, size 74
    Jan  6 14:50:22.878: PPPoE 0: I PADO  R:0030.8810.000b L:bc16.6596.9b00 0/38  ATM0.1
    contiguous pak, size 71
    Jan  6 14:50:24.885: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:50:35.125: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:50:45.364: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:50:55.603: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:51:05.843: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:51:16.114: OUT PADR from PPPoE Session
    contiguous pak, size 85
    Jan  6 14:51:26.353: [0]PPPoE 0: O PADT  R:0000.0000.0000 L:0000.0000.0000 0/38  ATM0.1
    contiguous pak, size 74
    Jan  6 14:51:46.576: pppoe_send_padi:
    contiguous pak, size 74
    Jan  6 14:51:46.608: PPPoE 0: I PADO  R:0030.8810.000b L:bc16.6596.9b00 0/38  ATM0.1
    contiguous pak, size 71
    Provider wouldn't have bumped us from ADSL to VDSL - but here's the output of show controller vdsl 0:
    Controller VDSL 0 is UP
    Daemon Status:           Up
                            XTU-R (DS)              XTU-C (US)
    Chip Vendor ID:         'BDCM'                   'IFTN'
    Chip Vendor Specific:   0x0000                   0x71C8
    Chip Vendor Country:    0xB500                   0xB500
    Modem Vendor ID:        'CSCO'                   '    '
    Modem Vendor Specific:  0x4602                   0x0000
    Modem Vendor Country:   0xB500                   0x0000
    Serial Number Near:    FCZ1111C08V C887VAG 15.2(4)M
    Serial Number Far:
    Modem Version Near:    15.2(4)M
    Modem Version Far:     0x71c8
    Modem Status:            TC Sync (Showtime!)
    DSL Config Mode:         AUTO
    Trained Mode:            G.992.1 (ADSL) Annex A
    TC Mode:                 ATM
    Selftest Result:         0x00
    DELT configuration:      disabled
    DELT state:              not running
    Trellis:                 ON                       ON
    SRA:                     disabled                        disabled
     SRA count:              0                       0
    Bit swap:                enabled                         enabled
     Bit swap count:         1                       8
    Line Attenuation:        54.5 dB                 31.5 dB
    Signal Attenuation:      54.5 dB                  0.0 dB
    Noise Margin:             6.7 dB                 11.0 dB
    Attainable Rate:        2132 kbits/s             888 kbits/s
    Actual Power:            16.7 dBm                12.7 dBm
    Total FECC:             546                      0
    Total ES:               6                        0
    Total SES:              0                        0
    Total LOSS:             0                        0
    Total UAS:              486                      486
    Total LPRS:             0                        0
    Total LOFS:             0                        0
    Total LOLS:             0                        0
    Full inits:             14
    Failed full inits:      1
    Short inits:            0
    Failed short inits:     1
    Firmware        Source          File Name (version)
    VDSL            user config     flash:vdsl.bin-A2pv6C035d_d23j (10)
    Modem FW  Version:      110802_1752-4.02L.03.A2pv6C035d.d23j
    Modem PHY Version:      A2pv6C035d.d23j
    Vendor Version:
                      DS Channel1     DS Channel0   US Channel1       US Channel0
    Speed (kbps):             0             1664             0               704
    SRA Previous Speed:       0                0             0                 0
    Previous Speed:           0             1600             0               736
    Total Cells:              0          2786872             0                 0
    User Cells:               0               68             0                 0
    Reed-Solomon EC:          0              546             0                 0
    CRC Errors:               0                9             0                 0
    Header Errors:            0               10             0                 0
    Interleave (ms):       0.00             8.00          0.00              8.00
    Actual INP:            0.00             1.12          0.00              1.28
    Training Log :  Stopped
    Training Log Filename : flash:vdsllog.bin
    And here's the output from the ATM and dialer interfaces:
    interface ATM0
     no ip address
     ip flow ingress
     no atm ilmi-keepalive
    end
    interface ATM0.1 point-to-point
     ip flow ingress
     pvc 0/38
      pppoe-client dial-pool-number 2
    end
    interface Dialer2
     description OUTSIDE
     ip address negotiated
     ip access-group firewall in
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip inspect DEFAULT100 out
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     ppp authentication chap callin
     ppp chap hostname ###removed###
     ppp chap password ###removed###
     no cdp enable
     crypto map dcvpn
    end
    As I say though, config-wise, everything should be correct - the same router works fine on another line (which should also confirm the authentication details are correct - at least in as far as it matches what the ISP have on their RADIUS)
    Any further thoughts?

  • 802.1x with alcatel phone with cisco acs 5.0

    Hi All, has anyone done the implementation of 802.1x with an Alcatel phone where the PC will be behind the phone and the Cisco switch ports are configured as trunk? The trunk native VLAN is the data VLAN for the PC, and the trunk carries the voice VLAN.
    When trunk mode is enabled I cannot configure 802.1x on the trunk interface. Can anyone help me get out of this situation?
    Thanks

    Hi,
    Did you find any solution? Did you try the command switchport voice vlan?
    Regards,
    Mauricio

  • Unable to integrate Spring with Coherence

    It throws following exception
    org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Unable to locate NamespaceHandler for namespace [http://www.springmodules.org/schema/coherence]
    Offending resource: URL [file:/C:/MyWorkspaces/EnterpriseServicesPlatform/ContractService/ContractDbConnector/src/main/resources/META-INF/spring.xml]
         at org.springframework.beans.factory.parsing.FailFastProblemReporter.error(FailFastProblemReporter.java:68)
         at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:85)
         at org.springframework.beans.factory.parsing.ReaderContext.error(ReaderContext.java:80)
         at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.error(BeanDefinitionParserDelegate.java:261)
         at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1111)
         at org.springframework.beans.factory.xml.BeanDefinitionParserDelegate.parseCustomElement(BeanDefinitionParserDelegate.java:1104)
         at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.parseBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:133)
         at org.springframework.beans.factory.xml.DefaultBeanDefinitionDocumentReader.registerBeanDefinitions(DefaultBeanDefinitionDocumentReader.java:90)
         at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.registerBeanDefinitions(XmlBeanDefinitionReader.java:458)
         at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:353)
         at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:303)
         at org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:280)
         at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:131)
         at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:147)
         at org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:173)
         at org.springframework.test.AbstractSingleSpringContextTests.createApplicationContext(AbstractSingleSpringContextTests.java:198)
         at org.springframework.test.AbstractSingleSpringContextTests.loadContextLocations(AbstractSingleSpringContextTests.java:179)
         at org.springframework.test.AbstractSingleSpringContextTests.loadContext(AbstractSingleSpringContextTests.java:158)
         at org.springframework.test.AbstractSpringContextTests.getContext(AbstractSpringContextTests.java:105)
         at org.springframework.test.AbstractSingleSpringContextTests.setUp(AbstractSingleSpringContextTests.java:87)
         at junit.framework.TestCase.runBare(TestCase.java:125)
         at org.springframework.test.ConditionalTestCase.runBare(ConditionalTestCase.java:69)
         at junit.framework.TestResult$1.protect(TestResult.java:106)
         at junit.framework.TestResult.runProtected(TestResult.java:124)
         at junit.framework.TestResult.run(TestResult.java:109)
         at junit.framework.TestCase.run(TestCase.java:118)
         at org.eclipse.jdt.internal.junit.runner.junit3.JUnit3TestReference.run(JUnit3TestReference.java:130)
         at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:460)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:673)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:386)
         at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:196)
    Here is what I have in my spring configuration file.
    <beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:aop="http://www.springframework.org/schema/aop"
         xmlns:coherence="http://www.springmodules.org/schema/coherence"
         xmlns:p="http://www.springframework.org/schema/p"
         xmlns:jee="http://www.springframework.org/schema/jee"
         xmlns:tx="http://www.springframework.org/schema/tx"
         xmlns:util="http://www.springframework.org/schema/util"
         xmlns:ehcache="http://www.springmodules.org/schema/ehcache"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                               http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-2.0.xsd
                               http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-2.0.xsd
                               http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd
                               http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
                               http://www.springmodules.org/schema/coherence http://www.springmodules.org/schema/cache/springmodules-tangosol.xsd
                               http://www.springmodules.org/schema/ehcache http://www.springmodules.org/schema/cache/springmodules-ehcache.xsd"
         default-autowire="no" default-lazy-init="false"
         default-dependency-check="none">

    I figured out the error was due to the following configuration
    <coherence:methodMapInterceptors
      cachingInterceptorId="cachingInterceptor"
      >
      <coherence:caching
        methodFQN="com.XX.CustomerCoherenceDao.getXXX"
        cacheName="contractCache" />
    </coherence:methodMapInterceptors>
    In the above configuration, what if I want to apply it to all the methods instead of getXXX()? It doesn't work either on a single method like getXXX() or on all the methods denoted "*".

  • Cisco ACS 5.1 Tacacs with Juniper Srx 210

    Hi all,
    I am trying to do authentication for a Juniper SRX 210 FW with Cisco ACS 5.1 TACACS but I am unable to achieve it.
    Can anyone help me with how to add the Junos service in ACS 5.1? How do I integrate the Juniper SRX 210 in Cisco ACS 5.1?

    Hello Pranav
    As Nicolas said, you really need to know what attributes Juniper SRX is using. It also depends on what you're looking for, for example it's very different "password authentication" from "command authorization". I answered a similar question here https://supportforums.cisco.com/thread/2111466
    You don't need to enable any new service. ACS is capable to attend any TACACS (or RADIUS) device as long as you tell ACS what are the TACACS (or RADIUS) attributes needed for that device.
    This is an example in which I have configured ACS 5.x with an attribute called "local-user-name" which JunOS router use for authentication. For that you need to go to "Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles".
    If you don't know the attributes you can capture the packets and troubleshoot from Juniper cli and from "ACS view" side. That's how I find out the "local-user-name" attribute.
    Please rate if it helps. Kind regards

  • Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS

    Hi all
    I have set up a dial-up connection between two PCs at a remote site and the center. It uses ISDN 30B+D, which is configured on a Router 3845. Currently I have configured an authenticated connection with username and password using Cisco ACS. To enhance the security configuration, I also want to authenticate the phone number that dials up with Cisco ACS. Currently I have not done this. Please help me solve this problem.
    Thanks so much
    Longn

    1) I deleted bridge-utils, netcfg
    2) I edited /etc/hostapd/hostapd.conf:
    interface=wlan0
    #bridge=br0
    edited /etc/dnsmasq.conf:
    interface=wlan0
    dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
    and edited /etc/rc.local:
    ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
    ifconfig wlan0 up
    3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
    Profit!

  • Cisco ACS 5.2 with NX-OS devices (Nexus) - User issues

    Hey Community, I am having a really strange issue with Cisco ACS 5.2 and NX-OS Nexus Devices.
    I create an account on ACS, let's call it User1, and give it privilege 15. With User1, I'm able to access on all of our IOS, IOS-XE, ASA, and PIX devices with privilege 15.
    When I use that same User1 account into our NEXUS devices, I do NOT get privilege 15 access. As you probably know, NEXUS devices have roles: pre-defined or custom-made roles. So I assumed I would get the role of 'network-admin' (priv 15 read/write) with User1 when logging in, but instead I get the role of 'vdc-operator' (priv 1 read-only).
    So then I tried to tweak User1 and give it network-admin under Shell profile >> Custom Attributes. I logged into the NEXUS and sure enough I was able to get network-admin access. However, my access to ALL the other devices (IOS, ASA, PIX, etc) doesn't work AT ALL! I'm not even able to log in with my username and password to these devices.
    Has anyone ever run into this problem? Please Help!
    Thanks,
    neocec

    Neocec,
    Yes, here is the documentation that provides insight into this (they make reference to the = and the *).
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473433
    Thanks,
    Tarik

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • [Cisco ACS 5.2] Windows XP - EAP-TLS error

    Hi,
    We used RADIATOR with Cisco WLC and Cisco AP in our WiFi architecture.
    We just replaced RADIATOR with Cisco ACS 5.2 .
    Few computers with Windows XP SP3 have this error : 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    Description:
    While trying to negotiate a TLS handshake with the client, ACS expected to receive a non-empty TLS message or TLS alert message, but instead received an empty TLS message. This could be due to an inconformity in the implementation of the protocol between ACS and the supplicant. For example, it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message. It might also involve the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.
    Resolution Steps:
    Ensure that the client's supplicant does not have any known compatibility issues and that it is properly configured. Also ensure that the ACS server certificate is trusted by the client, by configuring the supplicant with the CA certificate that signed the ACS server certificate. It is strongly recommended to not disable the server certificate validation on the client!
    Most of the computers (hundreds of Windows XP and Windows 7) got no problem.
    ACS says "it is a known issue that the XP supplicant sends an empty TLS message instead of a non-empty TLS alert message".
    If it was a known issue, we would have this error for other computers but we don't have (fortunately).
    Wireless profile is sent to computers using GPO so they trust ACS server certificate...
    Do you know how to correct this issue on XP supplicant? I don't find this issue on Google.
    Thanks for your help,
    Patrick

    Patrick,
    One way to troubleshoot is to physically have one of the laptops and see if unchecking the box that validates the server certificate fixes the issue. I have seen the same issue as you are seeing before and I would like for you to verify that.
    If that doesn't fix the issue then we will have to proceed to taking a wireshark of the client and running a few debugs on the ACS.
    Thanks,
    Tarik Admani

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I got many Cisco AP which are linked to 2 Cisco WLC.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There are no problem between primary WLC and Cisco ACS (primary and secondary).
    When secondary WLC requests primary Cisco ACS, I get this error "11036 The Message-Authenticator RADIUS attribute is invalid"
    Secondary WLC automatically contacts secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This maybe because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary) and all the configuration can be replicated and synched to the other WLC (the secondary).
    The two WLCs in the HA must be on same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"
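The ACS hint about mismatched shared secrets in the 11036 thread above follows from how the Message-Authenticator attribute is built: it is an HMAC-MD5 over the whole RADIUS packet keyed with the shared secret (RFC 2869). The following is an added example, not code from the thread or from Cisco, showing the server-side check; the secrets, user name and NAS address are constructed values.

```python
# Added illustration: building and verifying RADIUS Message-Authenticator.
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, attrs, authenticator):
    """Client side: append Message-Authenticator computed over the packet
    with the attribute's value set to 16 zero octets."""
    body = attrs + attr(MSG_AUTH, b"\x00" * 16)
    header = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_message_authenticator(secret, packet):
    """Server side: recompute the HMAC with the secret configured for this
    client and compare it with the value carried in the packet."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            return False  # malformed attribute
        if a_type == MSG_AUTH:
            if a_len != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += a_len
    return False  # attribute not present

# Constructed sample: User-Name (1) and NAS-IP-Address (4) from one controller.
SAMPLE_ATTRS = attr(1, b"user1") + attr(4, bytes([192, 0, 2, 10]))
SAMPLE_PACKET = build_access_request(b"secret-on-wlc", 7, SAMPLE_ATTRS,
                                     bytes(range(16)))
```

Verifying `SAMPLE_PACKET` with any secret other than the one the sending controller used fails, so the comparison to make is between that controller's configured secret and the entry for its address on the server that logs the error.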
