With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

  I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
I've scoured Google etc, and just cannot come up with any reason why this should be happening.
  I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan

Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting Internal Error.
After this answer I have upgraded it to ACS 4.2.1 and it's started working fine.
Thanks very much for the help
Dipu

Similar Messages

  • With Cisco Secure ACS 4.2 user accounts get locked at first instance of wrong credentials even if configured for 3 attempts

    Hello Everybody,
    I am working with Cisco Secure ACS 4.2 integrated with Active Directory at a Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once; the integration is done via LDAP.
    I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
    Thanks in advance and regards....

    Hello Scott,
    Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
    Thanks and regards...

  • Troubleshooting Cisco Secure ACS on Windows - Q&A clarification.

    In a Cisco Press publication "Troubleshooting Cisco Secure ACS on Windows" (http://www.ciscopress.com/articles/article.asp?p=474238&seqNum=6&rl=1), I read the following question:
    How can I disable the users' option to change the password by using Telnet to access the router?
    It has an answer describing certain details. However, the question itself is not clear to me. Could someone explain them a little more clearly?
    Thanks.

    At the command prompt on a router it's possible to start a password change request over TACACS to the ACS server.
    I think you enter an empty password twice as I recall.
    This can cause problems if users change their password on a "slave" ACS which is then replicated to from a "master" thus setting the password back to its pre-changed value.

  • Directory Caching issue with Cisco Jabber client for Windows

    Hi,
    I am facing a cache issue with the Cisco Jabber client for Windows. If I make any change related to modification or deletion of contacts in Active Directory / CallManager, it does not reflect in Jabber, because Jabber takes the contacts from the locally stored cache file on the Windows system.
    Every time I have to remove the cache file to overcome this issue; practically it's not possible to do the same for all the Windows users. For example, if an employee leaves the company I can still see his contact in the "Cisco Jabber client". I have not seen this issue with Android/Apple iOS.
    Is there any automated way to remove the cache file?
    Here are the details of CUCM, Presence and Jabber.
    CUCM version: 9.1.x
    Presence: 9.1.X
    Jabber: 10.5 and 10.6

    Hello
    On our environment we had to install a dedicated Microsoft Certificate Authority "just for Cisco Jabber usage" to house the
    Network Device Enrollment Service.
    Our certificate for the CUPS were generated on this Certification Authority too.
    I discussed this certificate matter with my colleagues this afternoon and nobody seems to remember how these certificates were deployed into the
    Enterprise Trust store for the users.
    But I think they asked all 400 users to accept the 3 certificates by answering "yes" to the popup instead of using a script deployed by GPO...
    I wish you success with that deployment and really hope you have a technical partner that *Knows* this subject.
    Our partner left us alone with that unfortunately.
    Florent
    EDIT: If the "Certutil script method" works, please let me know. This could be useful in our own deployment.

  • Cisco Secure ACS and Windows NLB

    Hi,
    I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
    Has anyone had any success with ACS and Microsoft NLB? I can't find any documentation to suggest that they are incompatible but I think this may be the case.
    Thanks,
    Neil

    Neil,
    ACS is not tested with NLB, but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
    Do you see any hits on ACS? If you sniff the ACS interface, what is the source IP address? Is it the clustered IP or the clustered host IP?
    Also on ACS ---> Network Configuration, add an AAA client with the host IP and the clustered IP. Now see if ACS responds to NLB.
    Regards,
    ~JG

  • Security Update for Windows XP KB979482 Fails to Install

    The KB979482 update continually fails to install with a 0x8007F007 error code. It has done so from Boot Camp 2.0 through 3.2. Windows XP Pro SP3 is installed and all other critical and optional updates have installed without problem. Currently running Boot Camp 3.2, OS X 10.5.6. As best as I can determine the error code means the update found the system waiting for a reboot following a previously installed update and cancels the installation. Of course there have been a number of reboots. I have tried to install the update with the Firewall and Bitdefender anti-virus on and off.
    Any help is appreciated.

    OK, slap me, the solution was too easy. Did a manual download of the update at the following address. Executed the downloaded file and the update installed. Checked that the update was successfully installed by running Windows Update and it no longer showed up as needing to be done.
    http://www.microsoft.com/downloads/en/details.aspx?familyid=55C05CB8-AA6C-460B-9AA7-084842DAB280&displaylang=en
    Feeling a little sheepish. Thanks.

  • MDT Deployment for Windows 8 (Sysprep fails with generalize setting)

    Here's my issue...
    I'm trying to capture and redeploy Windows 8. In and of itself, the capturing and deploying works well. Except for one thing: I can't default the desktop, nor can I default the Start tiles. Upon a visit with Microsoft and
    confirmation from a few colleagues, I tried the tutorial listed here, http://msdn.microsoft.com/en-us/library/jj134269, using method 1, the copyprofile.
    I have this set up for the unattended on the MDT deployment, but the problem I'm running into is the failure in sysprep when running the /generalize tag. Whether I use OOBE or Audit results in the same thing. I have built a
    couple of fresh images as well and sysprep keeps failing. I've attached the error log below. So far research has come up with nada, so I can't even get started on troubleshooting the error.
    Here's the error log below.
    2012-10-03 14:36:09, Error                 SYSPRP Package Microsoft.VCLibs.110.00_11.0.50727.1_x86__8wekyb3d8bbwe was installed for a user, but not provisioned for all users.
    This package will not function properly in the sysprep image.
    2012-10-03 14:36:09, Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
    2012-10-03 14:36:09, Error                 SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
    2012-10-03 14:36:09, Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralize' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
    2012-10-03 14:36:09, Error                 SYSPRP ActionPlatform::ExecuteAction: Error in executing action; dwRet = 0x3cf2
    2012-10-03 14:36:09, Error                 SYSPRP ActionPlatform::ExecuteActionList: Error in execute actions; dwRet = 0x3cf2
    2012-10-03 14:36:09, Error                 SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
    2012-10-03 14:36:09, Error                 SYSPRP RunPlatformActions:Failed while executing SysprepSession actions; dwRet = 0x3cf2
    2012-10-03 14:36:09, Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
    2012-10-03 14:36:09, Error      [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0x80073cf2

    Did you ever figure out how to make this work?
    I have the same problem with my Win8 64 image -- as soon as I installed the 11 Microsoft Metro app updates from "Store", I can no longer sysprep my image without getting the same "fatal error" (with the exact same log -- except for a different "Package"
    listed):
    2012-10-10 15:58:47, Error                 SYSPRP Package Microsoft.WinJS.1.0_1.0.9200.20512_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
    2012-10-10 15:58:47, Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
    2012-10-10 15:58:47, Error                 SYSPRP Exit code of RemoveAllApps thread was 0x3cf2.
    2012-10-10 15:58:47, Error      [0x0f0082] SYSPRP ActionPlatform::LaunchModule: Failure occurred while executing 'SysprepGeneralize' from C:\Windows\System32\AppxSysprep.dll; dwRet = 0x3cf2
    2012-10-10 15:58:47, Error                 SYSPRP ActionPlatform::ExecuteAction: Error in executing action; dwRet = 0x3cf2
    2012-10-10 15:58:47, Error                 SYSPRP ActionPlatform::ExecuteActionList: Error in execute actions; dwRet = 0x3cf2
    2012-10-10 15:58:47, Error                 SYSPRP SysprepSession::Execute: Error in executing actions from C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml; dwRet = 0x3cf2
    2012-10-10 15:58:47, Error                 SYSPRP RunPlatformActions:Failed while executing SysprepSession actions; dwRet = 0x3cf2
    2012-10-10 15:58:47, Error      [0x0f0070] SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = 0x3cf2
    2012-10-10 15:58:47, Error      [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0x80073cf2
    The app updates are *coming from Microsoft* -- so why would I need to provision them (according to that article?)  
    This seems like a bug...
    (The workaround, of course, is to just not update Metro apps on my main image, but that seems rather silly to not be
    allowed to do that...)
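    Added example (not from either poster): a small Python triage script for SYSPRP logs like the two above. It lists each package flagged as installed for a user but not provisioned for all users, splits the package full name into the standard Appx parts (name, version, architecture, resource id, publisher id), and collects the distinct error codes; the sample lines are constructed from the first log.

```python
"""Triage a sysprep log for Appx packages that block /generalize.

Pulls out every package reported as installed for a user but not provisioned
for all users, splits its full name into the standard Appx layout
Name_Version_Architecture_ResourceId_PublisherId, and collects the distinct
error codes seen. The sample below is constructed from the first posted log.
"""
import re

# Constructed sample: three lines taken from the first posted log.
SAMPLE_LOG = """\
2012-10-03 14:36:09, Error                 SYSPRP Package Microsoft.VCLibs.110.00_11.0.50727.1_x86__8wekyb3d8bbwe was installed for a user, but not provisioned for all users.
2012-10-03 14:36:09, Error                 SYSPRP Failed to remove apps for the current user: 0x80073cf2.
2012-10-03 14:36:09, Error      [0x0f00a8] SYSPRP WinMain:Hit failure while processing sysprep generalize internal providers; hr = 0x80073cf2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d), (?P<level>\w+)\s+"
    r"(?:\[(?P<code>0x[0-9a-fA-F]+)\]\s+)?(?P<module>\w+) (?P<msg>.*)$")
PKG_RE = re.compile(r"Package (?P<pkg>\S+) was installed for a user, "
                    r"but not provisioned for all users")
HEX_RE = re.compile(r"\b0x[0-9a-fA-F]{4,8}\b")


def parse_package_full_name(full_name):
    """Split an Appx package full name into its five underscore-separated parts."""
    parts = full_name.split("_")
    if len(parts) != 5:
        raise ValueError(f"not an Appx package full name: {full_name}")
    name, version, arch, resource_id, publisher_id = parts
    return {"name": name, "version": version, "arch": arch,
            "resource_id": resource_id, "publisher_id": publisher_id,
            "full_name": full_name}


def analyse(log_text):
    """Return unprovisioned packages, distinct error codes and the error-line count."""
    packages, codes, error_lines = [], [], 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # continuation of a wrapped line, or noise
        if m["level"] == "Error":
            error_lines += 1
        pkg = PKG_RE.search(m["msg"])
        if pkg:
            packages.append(parse_package_full_name(pkg["pkg"]))
        for code in HEX_RE.findall(m["msg"]):
            if code.lower() not in codes:
                codes.append(code.lower())
    return {"unprovisioned": packages, "codes": codes, "error_lines": error_lines}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for p in report["unprovisioned"]:
        print(f"{p['name']} {p['version']} ({p['arch']}, publisher {p['publisher_id']})")
    print("error codes:", ", ".join(report["codes"]))
```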

  • Advice for Buying Cisco Secure ACS 3.3 for Windows

    Just need advice on what other things I NEED to order apart from the Windows server when I want to implement ACS and I want to use CISCO SECURE ACS 3.3 FOR WINDOWS
    Hope someone will help

    Hi,
    This is all you require:
    Supported Operating System
    Cisco Secure ACS for Windows Servers 3.3 supports the Windows operating systems listed below. Both the operating system and the service pack must be English-language versions.
    •Windows 2000 Server, with Service Pack 4 installed
    •Windows 2000 Advanced Server, with the following conditions:
    –with Service Pack 4 installed
    –without features specific to Windows 2000 Advanced Server enabled
    •Windows Server 2003, Enterprise Edition
    •Windows Server 2003, Standard Edition
    Note The following restrictions apply to support for Microsoft Windows operating systems:
    •We have not tested and cannot support the multi-processor feature of any supported operating system.
    •We cannot support Microsoft clustering service on any supported operating system.
    •Windows 2000 Datacenter Server is not a supported operating system.
    Please refer to the following link for more information:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/win33sdt.htm
    Thanx & Regards

  • Cisco Secure ACS 4.2 for Windows web-based Admin Console log in problems

    To Whomever Can Assist,
    I am running two deployments of Cisco Secure ACS for Windows 4.2 and I can log in to the admin web console just fine. However, when I create a new or test user that mirrors my configuration, that user cannot log in to the admin web console. The user can log in to devices with the appropriate privileges, but can't administer his/her account within ACS. This has proven very problematic and needs a remedy. Thanks for the assistance.

    Bradbryant.dhs,
    Where are you creating the new admin user who should have access to the ACS web GUI: under Internal Users or Administration?
    Internal user and ACS administrator accounts are completely different. 
    Adding administrator account
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4-2/user/guide/ACS4_2UG/Admin.html
    Regards,
    Jatin Katyal
    ** Do rate helpful posts **

  • Reporting & Audit Compliance Solutions for Cisco Secure ACS

    The Cisco Secure ACS Access Control Server is probably the world's best-selling remote access security solution and it's quite likely that you're already using it! Wouldn't it be great to know exactly what it was doing? Further still, when you have to provide audit documentation regarding your policies and how effective they are, how long does this take and what valuable data remains locked inside the ACS database and logs?
    extraxi offer a range of products that deliver a complete solution for harvesting, managing and analyzing your ACS/SBR log data to meet the increasing demands for regulatory compliance (SOX, COBIT) and overall enterprise monitoring and security.
    We are proud to supply customers including Intel, Ford, Lego, T-Mobile, US Dept of State, US Army, British Telecom, First Energy, TNT Express, Kodak and JP Morgan and many more so why not take a look at our industry leading solutions and evaluate the benefits for your organization...
    Featured Products:
    * aaa-reports! enterprise edition - Automated Reporting
    The best reporting system for Cisco Secure ACS and Funk SBR just got a whole lot better! Improved reports, enhanced filtering and query builder and now with up to 48GB internal storage based on SQL Server technology makes this the ideal solution for large or complex AAA deployments and those that need the additional functionality from the standard aaa-reports! tool.
    With aaa-reports! enterprise you have a complete application for reporting including many canned reports (each with flexible filtering options) and a point-n-click query builder for designing custom reports.
    For historic trending, forensics and audit compliance there simply is no better reporting application for Cisco Secure ACS or Funk/Juniper SBR.
    * csvsync - Automated ACS Database & Log File Collection
    csvsync allows you to download CSV log data (RADIUS, TACACS+, Passed/Failed Attempts etc) directly from any number of Cisco Secure ACS servers (Windows & Appliance) via http(s). Version 3.0 now supports the collection of ACS database itself for import into aaa-reports and detailed reporting based on the ACS security policies. Simple, secure and efficient, csvsync is the best solution for harvesting log data from your Cisco Secure ACS servers.
    Download fully working 60 day trial versions at http://www.extraxi.com/rq.asp?utm_source=technet&utm_medium=forum
    For more information please visit http://www.extraxi.com/?utm_source=technet&utm_medium=forum

    bump

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 on a standalone Windows 2003 Enterprise server with the latest Windows service pack and updates. Secure ACS is running fine and I can authenticate with Cisco routers and switches. The Windows 2003 server is also running Microsoft IIS Server. In other words, the IIS server and Cisco Secure ACS are running on the same Windows 2003 server.
    I am trying to get Cisco User-Changeable Password to work with Cisco Secure ACS. I followed the release notes line by line and the workaround provided below:
    Also the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
    The name of the Windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS Manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in Windows 2003 to be "ALLOWED" by EVERYONE. In other words, there is NO security on the Windows 2003 server. It is still NOT working.
    The other question I have is: can Cisco UCP allow a user to change his/her enable password?
    Can someone help? Thanks.

    Yes Bastien,
    Thank you.
    But one thing more I want to know: on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for a username and password.
    I've given it several times, also going through the Administrator account with administrative credentials, but it always failed.
    Any suggestions/solution/?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • Cisco Secure ACS won't replicate

    Hello Community,
    I wonder if someone could please help me discover why we can't get our primary Cisco Secure ACS, UK-SU-AP091, to replicate with our secondary Cisco Secure ACS, UK-SU-AP092?
    They can both talk to each other, but the replication status is stuck in pending. See attachment.
    Any help will be greatly appreciated.
    Cheers
    Carlton

    Well that's not your ONLY option. It's by far the best one. The primary server is attempting to communicate with the secondary and for whatever reason not succeeding.
    If there is no reachability problem or firewall blocking the necessary ports in between then my first guess (95% + probability) would be that the services are not up on the secondary server. 
    If you cannot access the cli to check that, then you could do more obscure and less helpful checks like capture the traffic towards the secondary server from the local switch port where it connects to the network and examine for the incoming calls from the primary and the responses (if any) from the secondary. You could do a port scan (i.e. using nmap) on the secondary server and see if it responds to tcp/2000 (database replication) and/or tcp/49 and tcp/1812 (TACACS and RADIUS respectively).
    After all of that and at the end of the day though, you're going to need to get into that secondary server. Not having local admin cli access is not a tenable long term situation to operate a production HA deployment.

  • Password History Validation - ACS for Windows 4.2.x

    Hello,
    I'm evaluating the Secure ACS for Windows v4.2 platform against PCI DSS v2.0, specifically the "Implement Strong Access Control Measures" section.
    We currently run version 4.0(1) Build 27 and use local user and password management.
    For a variety of reasons I'd prefer to maintain this approach rather than pursue integration with an external identity store such as AD, but I need to know whether or not the in-built password validation options are stringent enough to meet all of the relevant requirements.
    I believe from the research I've done so far that version 4.2.x should meet the majority, but there is one in particular about validation of previously used passwords that I'm still unclear on.
    In the "Local Password Management" section of the ACS 4.2.1 User Guide (Text Part Number: OL-20208-01) it states that the password validation options include "Password is different from the previous value".
    The PCI standard states: "Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used."
    Q) How many previous passwords is the newly submitted password validated against? Is it just the last one or will it check against more? Is there any way to configure how many it checks against?
    Any help or guidance very much appreciated.
    Cheers,
    Nick

    Hi Lomon,
    After logging in to the ACS application, you can click on the Cisco logo at the top left to find the patch version. Please refer to the screenshot below.
    Please do rate if the given information helps.
    By
    Karthik

  • Cisco secure ACS - RDBMS Rename a Group-

    Hi,
    I'm currently working with Cisco Secure ACS 3.1 and I'm trying to use RDBMS synchronisation with a CSV file. I create an accountactions.csv file in which I create a new user.
    1,0,TESTuser,,100,,,,,,0,,,0
    2,0,TESTuser,,102,,test,,,,0,,,0
    Until here, all is working fine. But now, I would like to put this user into a Group. This should be done with :
    3,0,TESTuser,Group 30,106,,,,,,0,,,0
    But I would like to know if it's possible to rename or create one Group (e.g rename Group 30 with Group TEST) directly in my csv file ?
    Thank you
    Regards
    Pascal TOURNIER

    Here is what I found works for renaming a default group, as you cannot create more groups beyond what is there.
    SequenceId,Priority,UserName,GroupName,Action,ValueName,Value1,Value2,Value3,DateTime,MessageNo,ComputerNames,AppId,Status
    1,1,,Group 100,210,,BPM,,,,0,,,0
    2,2,,Group 101,210,,CHANNEL SECURE OPS,,,,0,,,0
    3,3,,Group 102,210,,CISCO CNC,,,,0,,,0
    4,4,,Group 103,210,,CISCO NOS,,,,0,,,0
    5,5,,Group 104,210,,CTS,,,,0,,,0
    6,6,,Group 105,210,,DCI,,,,0,,,0
    Line 1: rename "Group 100" to the named group "BPM", using code 210 to perform the action.
    Gerald
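    An added example (not Pascal's, Gerald's or Cisco's code) that builds and sanity-checks accountactions.csv rows of the shape shown in both posts above: the column order is Gerald's header, and the action codes 100, 102, 106 and 210 are the ones used in the quoted rows, with their meanings inferred from those rows rather than from Cisco's documentation.

```python
"""Build and sanity-check accountactions.csv rows for Cisco Secure ACS RDBMS sync.
Column order follows the header Gerald posted; action codes 100, 102, 106 and 210
are the ones used in the rows above, with meanings inferred from those rows only.
"""
import csv
import io

COLUMNS = ["SequenceId", "Priority", "UserName", "GroupName", "Action",
           "ValueName", "Value1", "Value2", "Value3", "DateTime",
           "MessageNo", "ComputerNames", "AppId", "Status"]

# Labels for the codes as used on this page, not Cisco's official constant names.
ADD_USER, SET_PASSWORD, SET_GROUP, RENAME_GROUP = 100, 102, 106, 210
USER_ACTIONS = {ADD_USER, SET_PASSWORD, SET_GROUP}


class AccountActions:
    def __init__(self, priority_follows_sequence=False):
        # Pascal's rows use Priority 0; Gerald's use Priority == SequenceId.
        self.rows = []
        self.priority_follows_sequence = priority_follows_sequence

    def _append(self, action, user="", group="", value1=""):
        seq = len(self.rows) + 1
        row = dict.fromkeys(COLUMNS, "")
        row.update(SequenceId=str(seq),
                   Priority=str(seq if self.priority_follows_sequence else 0),
                   UserName=user, GroupName=group, Action=str(action),
                   Value1=value1, MessageNo="0", Status="0")
        self.rows.append(row)
        return row

    def add_user(self, user):
        return self._append(ADD_USER, user=user)

    def set_password(self, user, password):
        return self._append(SET_PASSWORD, user=user, value1=password)

    def set_group(self, user, group):
        return self._append(SET_GROUP, user=user, group=group)

    def rename_group(self, group, new_name):
        # GroupName carries the default group, Value1 the new display name.
        return self._append(RENAME_GROUP, group=group, value1=new_name)

    def to_csv(self, header=False):
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
        if header:
            writer.writeheader()
        writer.writerows(self.rows)
        return buf.getvalue()


def check_csv(text):
    """Return a list of problems found in accountactions.csv text ([] means clean)."""
    problems, seen = [], set()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and lines[0].startswith("SequenceId,"):
        lines = lines[1:]                       # the header row is optional
    for n, line in enumerate(lines, 1):
        fields = next(csv.reader([line]))
        if len(fields) != len(COLUMNS):
            problems.append(f"line {n}: {len(fields)} fields, expected {len(COLUMNS)}")
            continue
        row = dict(zip(COLUMNS, fields))
        if not (row["SequenceId"].isdigit() and row["Action"].isdigit()):
            problems.append(f"line {n}: SequenceId and Action must be numeric")
            continue
        if row["SequenceId"] in seen:
            problems.append(f"line {n}: duplicate SequenceId {row['SequenceId']}")
        seen.add(row["SequenceId"])
        action = int(row["Action"])
        if action in USER_ACTIONS and not row["UserName"]:
            problems.append(f"line {n}: action {action} needs a UserName")
        if action == RENAME_GROUP and not (row["GroupName"] and row["Value1"]):
            problems.append(f"line {n}: action 210 needs GroupName and a new name in Value1")
    return problems
```

    Running check_csv over a file before the RDBMS synchronisation picks it up catches the field-count and empty-name mistakes that otherwise surface only as a rejected or silently skipped row.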

  • Delete proxy config on Cisco Secure ACS 4.1 for Windows ?

    We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2.
    We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
    While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
    pressed the Network Configuration button,
    saw the Proxy Distribution Table
    clicked (Default)
    moved ACS1 from the AAA Servers column to the Forward To column.
    So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
    If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
    I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
    Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
    We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
    For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.

    Hello Jeffrey,
    By default the ACS 4.x Proxy Distribution Settings should have the ACS entry for itself on the Forward To box. Your ACS1 entry should be on the Forward To box.
    The Internal Error message on the ACS should be highlighting a different issue on your ACS1. Also, the message stating that we cannot have zero servers on the "Forward To" box is expected.
    Set your ACS1 for Full Logging Detail (System Configuration > Service Control) and configure the ACS1 entry under the Forward To box. Recreate the authentication issue and collect a package.cab file. If you have an ACS for Windows, under the ACS Installation folder look for the CSAuth folder > Logs and share the auth.log file with a failure timestamp for us to review the ACS logs when failing with Internal Error.
    If this was helpful please rate.
    Regards.
