6513 isn't intergrating with ACS


I have a problem with one of the devices, switch 6513. the acs server is directly connected to the switch inside the fwsm.

I am able to ping the MSFC and FWSM ACS server, but it does not take the ACS. I have other 6513 and many other switches and router integrated normally with ACS.

Please I need help.

Kind regards


Incase you are using Ganymede and deliver "Ganymede source control interface ip.

User interface that is listed in the acs network---> switch---> IP address configuration

Switch must use this IP address as the source for the packages of Ganymede

Kind regards

~ JG

Note the useful messages

Tags: Cisco Security

Similar Questions

  • (Redirected) Inspiron 5520 isn't start with Windows 10


    My Inspiron 5520 isn't start with Windows 10. When starting, it shows the Dell logo and it progresses... I can see down to the right options such as the INSTALLATION of F2, F12 BOOT OPTIONS.

    But nothing happens after that... I'm getting a blue mix black screen with the cursor flashes with circult (sign of transformation of windows). If I kept the system - once in a whiel his flashes with / black screen loading nothing. Sometimes, his watch a blurry square colors in the middle of the screen but nothing doing.

    Trid repeatedly check BIOS and Setup F2 or F12 to diagnose, but nothing has worked.

    I completed successfully - Pre - boot System Dell Diagnostics without any problems - all tests passed but still its not start. (I have disconnected all connectors like hdmi, wireless mouse etc.). Problem not solved.

    I am totally stuck... Warranty period of my laptop is complete. Your help is very appreciated.

    Thanks in advance.

    Kind regards

    As you have a laptop, better make this laptop in the computer Forum post here:



  • WLC 4402 impossible to authenticate correctly with ACS 5.2

    For some reason, I can't WLC to authenticate correctly with ACS 5.2. It's very strange in the sense that when I checked the log. ACS authenticates and authorizes the WLC 4402, but I can't log on the WLC. login screen appears, if I typed the username that he jumped

    Controller of >



    No matter what I typed (internal or external users), nothing seems to work.

    It comes to my frustration, I have no problem with authentication of routers and switches except WLC 4402.


    Please delete privilege on the ACS level settings.

    Elements of strategy > authorization and permissions > peripheral Administration > Shell profiles > common tasks

    By default the privilege - do not use.

    Maximum privilege - not in use

    I hope this helps.

    Kind regards


    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages

  • Permission of AAA with ACS Shell-games

    Hi all

    I use a router cisco 871 running that version 12.4 (11) T advanced IP Services.

    I have difficulty getting permission to AAA to work properly with ACS.

    I am able to configure ACS fine users and assign them shell and private level 7.

    I then install a set of Shell Auth and enter the issuance of orders and configure.

    When I log in as a user, I get an exec with a level of 7 priv no problem, but I never seem to be able to

    to access global configuration mode by typing in conf (or set up) terminal or t.

    If I type con? It is the only command connect, configure is never an option...

    The only way I can get this to work is by entering the command:

    privilege exec level 7 Configure terminal

    I thought the whole purpose of the ACS Shell Set to provide this information to the router?

    It's frustrating

    The ACS server is set up with the Shell Set named Level_7 order authorization

    It is attributed to the relevant groups and I have the 'Unmatched orders' option selected in the 'license '.

    The "unmatched Args allowed" is also selected.

    See an extract of my IOS config below:

    AAA new-model



    AAA group Ganymede Server + ACS



    AAA authentication login default group local ACS

    AAA authorization exec default group ACS

    AAA authorization commands 7 by default local ACS group


    Cisco radius-server host keys



    privilege exec level 7 Configure terminal

    privilege exec level 7 set up

    privilege exec level 7 show running-config

    privileges exec level 7 show


    Hope you can help me with this one...

    PS I tried with orders of privilege on the router and remove the router and just keep getting the same results!


    So now,

    You're actually using two different options and trying to couple then together. What I would say is you either use authorization Command Shell function or play with level privileges. Not mixed together both.

    Above scenario might work, if you move orders to focus on level 6 and give the 7 user privilege level. He couldn't be sure. Try it and share the results.

    That's what I suggest that orders back to a normal level.

    Provided below are the steps to set up the shell command authorization:


    Follow these steps on the router:


    ! - is the desired username

    ! - is the password

    ! create - us a local user name and password

    ! - in case we are not able to get authenticated via

    ! - our Ganymede server +. To provide a backdoor.

    password username 15 privilege

    ! - To apply the aaa on the router model

    AAA new-model

    ! - Following command is to specify our ACS

    ! - location of the server, where is the

    ! - ip address of the ACS server. And

    ! - is the key which must be the same during the FAC and the router.

    radius-server host key

    ! - To get the authentication of users through ACS, when they try to log - in

    ! - If our router is unable to join the ACS, we will use

    ! - our local user name & the password that we created above. This

    ! - we prevent locking.

    AAA authentication login default group Ganymede + local

    AAA authorization exec default group Ganymede + local

    AAA authorization config-commands

    AAA authorization commands 0 default group Ganymede + local

    AAA authorization commands 1 default group Ganymede + local

    AAA authorization commands 15 default group Ganymede + local

    ! - Sequence of commands are for posting to the activity of the user.

    ! - When the user connects to the device.

    AAA accounting exec default start-stop Ganymede group.

    AAA accounting system default start-stop Ganymede group.

    orders accounting AAA 0 arrhythmic default group Ganymede +.

    orders accounting AAA 1 by default start-stop Ganymede group.

    orders accounting AAA 15 by default start-stop Ganymede group.


    ACS configuration


    [1] Goto 'Profile components shared' a-> 'Shell command authorization sets'-> 'Add '.

    Provide any name at all.

    provide sufficient description (if necessary)

    (a) for full administrative access set.

    In the unmatched controls, select 'allow '.

    (b) for all access limited.

    In the unmatched controls, select "decline."

    And in the field above 'Add a command' box, type in the box below and the main command "permit unmatched Args" Order under allow.

    For example: If we want the user to only have access to the following commads:

    opening of session






    Then, the configuration should be:


    -Allowed unparalleled Args.


    connection permit

    permit disconnection

    exit permits

    Select the permit

    disable the permit

    license terminal configuration

    ethernet interface license

    permits 0

    to see the running-config


    in example above, user will be allowed to run only from commands. If the user tries to run the interface ethernet 1', the user will get "failed command authorization.

    [2] press 'submit '.

    [3] Goto Group on which we want to apply these command authorization set. Select 'change settings '.


  • Integration of ASA with ACS

    Hi all

    I try to incorporate some ASA (8,6) with ACS (5,7), here is the configuration of the SAA.

    SH run | in aaa
    RADIUS Protocol RADIUS AAA server
    GANYMEDE + Protocol Ganymede + AAA-server
    AAA-server GANYMEDE + (management) host
    GANYMEDE + LOCAL console for AAA of http authentication
    authentication AAA ssh console GANYMEDE + LOCAL
    Console telnet authentication GANYMEDE + LOCAL AAA
    AAA accounting console GANYMEDE + ssh
    AAA accounting command 15 GANYMEDE privilege +.
    Console telnet accounting AAA GANYMEDE +.
    AAA authorization exec-authentication server
    AAA authorization GANYMEDE + loCAL command

    The problem is that I can get connected to ASA, but I can't type all commands in the CLI, I get the error message "failure of command approval.

    I have the same sets of commands and the shell profiles created for switches and it works perfectly.

    This is the behavior of ACS journals

    1. once I am having authenticated, I can see the logs in ACS with my username
    2 but when I type any commnds, is put down my permission and I see in the newspapers of the authorization of the CSA that this username is "enable_15".

    Can someone help me identify what the problem is

    Thank you

    This happens when we have control permission enabled on ASA and try to run any command level 15 on SAA. To correct this problem you must check enable authentication of a user against GBA / GANYMEDE.

    AAA authentication enable console LOCAL + GANYMEDE

    After above listed licensing order, ASA will start to check the enable password against ACS/Ganymede and you use Ganymede activate the password that we can put on by user.

    ~ Jousset

  • Admin Auth LMS with ACS 5.3

    Hey people, I need to integrate LMS4 with ACS 5.x for LMS user auth. 2 roles are necessary, Admin and monitor. Y at - it all Documentation, example Configuration, or other useful information? Any help welcome.

    Best regards, Michael

    Hi Michael,

    Perhaps these threads will give you enough details:


    Best regards


  • Cisco 1121 unit installed with ACS 4.2 SE version

    Hi all

    Sorry, we could install version to 4.2 on the Cisco 1121 device acs?

    Could we use 1120 ACS 4.2 image DVD to install on 1121?

    Or any workaround?


    Calvin Su

    Hi Calvin,

    Unfortunately, 1121 hardware doesn't support version 4.2.0 acs so downgrade is not an option for 1121. It can only be used with ACS 5.x

    Kind regards


    The rate of useful messages-

  • Authentication EAP - TLS with ACS 5.2

    Hi all

    I have question on EAP - TLS with ACS 5.2.

    If I want to implement the EAP - TLS with Microsoft CA, how authentication computer and user will be held?

    Understand that the cert is required on the client and the server end, but is this certificate to the computer links or links to individual users?

    If the links to the user, and I have a shared PC connection by few users, is that each user account will have their own certificates?

    And each individual user will have to manually get the CA cert? is there another method that my environment has more than 3000 PCs.

    And also if it binds to the user, any user can get their CA cert with their AD username and password, if they bring in their own device and try to get the CA certificate, they will be able to properly install the cert in their device on the right?

    I hope you guys can help with that. Thank you.

    Hope this will answer most of your questions:

    Client certificate or user


    Computer certificate


    In the case of EAP - TLS we have the certificate of computer and user installed on the machines.

    Kind regards


    The rate of useful messages-

  • Restrict calls remote modem with ACS


    Using ACS I try to limit the reverse telnet access to a modem which will later be used by TTYredirector. I want users to have access to the modem only. We are on 3.01 ACS (yes I know old)...

    When to use access to the network with device restrictions: 2065: * (being the assigned line port 2065) subscribe to the denied service service = raccess tty65 in the journal of the attempts failed.

    Do I need to add this service to the GANYMEDE + under Interface Config?... What is the params? I tried to just raccess in services which added a section under user/group that I chose but nothing else.

    I have the router:

    AAA for authorization Ganymede + default reverse-access group

    Welcome tips, google has attracted so far zero.



    It's not the NAR causing the problem-, this would result in a message 'filtered user' in the failed attempts.

    Looks like the problem is that your group configuration is not allow the raccess service.

    Because this isn't a standard service preset in ACS you config sys goto then Ganymede + (ACS) and define a service personalized Ganymede. Call it "raccess". In the settings group, you will then be to activate and define all the attributes you need.


  • Control access to the network with ACS device

    Hi all!

    I currently have in place an Appliance, Cisco Secure ACS using Windows as main server authentication. Cisco Secure acts as a GANYMEDE server +. I have two groups defined in Cisco Secure: Netadmins and security ITD. Users of the Netadmins group need access to all switches and routers on the network. ITD security must only access async line 53 on a router 2611 for a band of a firewall and no other access to all network devices offline. How can I limit access to the Cisco Secure security ITD group to line 53 only?

    My current config on this router is:

    AAA new-model

    AAA authentication login netadmins group Ganymede + line

    connection ITDSEC authentication group Ganymede + line of AAA.

    RADIUS-server host 10.30.X.X

    RADIUS-server host 10.18.X.X

    key radius-server XXXXXXX

    line 53

    No exec

    authentication of the connection ITDSEC

    transport of entry all

    StopBits 1

    Speed 115200

    line vty 0 4

    exec-timeout 30 0

    login timeout 120 response

    login authentication netadmins

    but users in the ITD security can still access by vty and then reverse telnet to any asynchronous line on the router. In addition, security ITD always access any switch or router using telnet: what should be my setup on these devices? I do an ACS configuration?

    All other devices:

    AAA new-model

    AAA authentication login netadmins group Ganymede + line

    RADIUS-server host 10.30.X.X

    RADIUS-server host 10.18.X.X

    key radius-server XXXXXXX

    Line con 0

    password 7 141C015C5806

    login authentication netadmins

    line vty 0 4

    password 7 11020A 524310

    login authentication netadmins

    line vty 5 15

    password 7 11020A 524310

    login authentication netadmins

    Any help will be greatly appreciated.


    In the security group, I would create a Restriction of access to IP network with an entry permit. Essentially to allow access to the single port on 2611 only.

    The AAA Client field is the name that you gave to the 2611 in the network config. Address will be * unless you want to restrict access to the ip or address. Port... never quite sure with async if the port value must be "async 53" or "line 53".

    If you look in the pass/fail for the nas-port attribute, you'll see what that T + sends to the ACS. This should help you know what to put in the NAR.


  • WLC4402, SSC 4.0, EAP FAST with ACS 4.1.23 and Active Directory

    Hi all

    I have a problem where my client software SSC (Cisco Secure Services)-wireless on laptops don't will authenticate the windows domain users if they enter the user name and passwords manually. The unique signature feature will not work. I am using EAP-FAST. It is an ACS appliance based server that I restored from the recovery CD.

    When I look at the failure of authentication request I can see that she is trying to send [email protected] / * / during an attempt to SSO on. The log shows that it is a bad user name or password. Note that the end of the domain name is missing.

    I can see the authentication attempt in the log of the remote agent (CSWINagent.log) on the domain controller, so I don't know that it sends the connection request to the domain controller. The Remote Agent is the same version as the ACS server. When I authenticate successfully (manually) it sends not the domain part of the user.

    This is a new installation. Initially, I had 2 remote agents, both on the service domain controllers has been run under an account with sufficient privileges windows domain administrator. After a planned turn off weekend windows authentication has stopped working completely. I found a post in this forum that says to use the local system to start the remote agent service. This led windows authentication to life, but now I have this problem. I don't know that until I changed it the manual connection is also required in domain (IE user domain\username). I can't be sure that this is the case!

    Can anyone help me to get windows AD to accept these credentials, because they are sent to the client connection? Otherwise if I can make it work with the user account, he worked with initially then that would be great.

    Thank you very much

    As you mentioned that SSC transmits the username "[email protected] / * /" in SSO.

    Is what I think for the moment, to use the feature of Distribution of Proxy on ACS.

    that is, demand to come as it is "[email protected] / * /', let's make ACS Stip off"@domaine"and"username"to RA for AD verification."


    After stripping '@domaine' send the request back to the ACS it itself, i.e. in the column forward to, ensure that we have input of the ACS.

    And let me know if it works for you?

    Kind regards


  • Local use and authentication AD with ACS 5.6

    I have an ACS 5.6 unit configured to use AD authentication for my default network access and rules. It works very well.

    I tried to implement some features, put them in a group and give only locally defined ACS to users access to these devices.

    Problem, after you have created the local accounts on ACS creates a group of local identity, and trying to authenticate with a camera, I always get "object not found in the identity store.

    Is there a way to have the hybrid authentication like that? How do we?

    Hi Colin,

    One thing that comes to mind is "sequence of identity store. Ensure that you have "internal users" listed in there otherwise that demand would never be mapped against the internal users.

    I also want to double check the source of identity under default device admin or any service that you created. Ensure that internal users.

    Take a look at the document below for more details on the identity store sequence.


    Kind regards


    Note: Please check if they are useful.

  • WLC with ACS 5.1 (RADIUS) for management * AND * Network users


    I have authentication RADIUS of installation for the users of the network AND management on my NM - WLC (5.2 ongoing execution) against ACS 5.1

    My Question is:-

    For users to log in to Admin, I need to come back "Service-Type = Administrative - User" in order to make it work.

    Because the ACS sees all applications from the same device (WLC) for Admin and network users,

    the way I am currently treats it is by creating a filter based on the user name

    Thus, users that contain 'admin' in their ID, use a set of

    Network access policy authorization, who has an authorization associated with the attributes RADIUS profile.

    Normal users have a ' network access policy authorization different rule ", with a different profile.

    While this DOES WORK fine, still me I was wondering if there is a better way to do it, rather than create a rule

    based on the user name.

    I could use GANYMEDE + for the management, but I don't think that ACS allows the same client AAA (WLC) to use both protocols.

    Thank you

    I think it's something very common for things to do

    You may notice that ACS 5 comes preinstalled with a selection policy of service that differentiates them the Protocol-based queries and orders or service 'Access to the network by default' or "Default Device Admin" out of the box

    If you want only to RAY can either disable or delete the rule for applications of GANYMEDE + or not choose GANYMEDE + in the definitions of the unit

  • 802. 1 x EAP - TLS for wired users with ACS 5.5

    Hi all

    We are setting up a new configuration for wired users authentication with 802.1 x (EAP - TLS). ACS 5.5 we use as an authentication server.

    We have added the certificate (internal) CA root and certifcate for ACS signed by CA. Now, we want to check that authentication works or not. I hope that the CA root and identity certifcate also we need to install in laptop computers. But I don't know how to download the certifcates for client machine manually to CA.

    Please suggest on how to get certificates for clients both manually and automatically?

    Thank you


    Hi Vijay,

    for Wired 802.1 x (EAP - TLS) you must have the following certificates:

    Intermediate server on ACS - Root CA, CA certificate,

    The customer - Root CA, intermediate CA, user certificate (in the case of user authentication) or Machine certificae (in the case of authentication of the computer)

    I do not know what third-party certificate you use, if its Microsoft in the House or any other certificate server, you need to download the client certificate to the server itself.

    In the case of Microsoft, there will be a user certificate template. You can select and create user certificate

    This is an old document, but a computer certificate for the user configuration steps, you can see the steps to download the certificate user if his server from Microsoft:


    In case you use the third serevr certificate, then you must check with them on how to download the certificate of the user

    See you soon

    Mohammed (rate useful message)

  • Group-lock for users of vpn with acs


    Is it possible to controll what VPN profile, a user is allowed to use by Cisco ACS or the router?

    2811 router IOS 12.4 worm, ACS 4.1 using

    I just want to be sure that the VPN allows the user only the Client Profile assigned to them and no other profile groups.


    User123abc gets their hands on a profile of co-wokers.



    User123abc belongs to the Department of human resources and should be able to authenticate with HR_User_Profile. If User123abc is trying to authenticate by using the access SALES_User_Profile should be rejected.

    Any documentation explaining how to set up?

    The ASA will be your option. This should be controlled by the values of tunnel-group and class-group policy, group-lock, ACS and ASA

Maybe you are looking for

  • Control Center missing on iPad Air options

    Hello - I have improved my ipad to ios 10 Air and I noticed that the control center (slide up) is lack of many functions. When I slide up, its divided into two sections - half right displays an icon of ipad and ipad with a tick, said that she (but ca

  • How can I remove a 10 iOS app? There is no mention that a menu

    How can I remove a 10 iOS app? All 10 iOS did when I press and hold, is to bring up a menu - which is a feature new, unexpected and undesirable new iOS operating system 10. This action is used to make the icons to move, I could press the "x" on the a

  • Clip/window source moved to 170 individual clips in the project. Advice please?

    After copy and pasting of 170 clips individually to a new project to find a corrupted clip, (as when exporting the original file, I was getting the error-50 message), each window source of clip on the initial project evolved, 170 individual clips. (i

  • mouse control, LCD Brightness and sound volume

    Hi, I am designing a VI that allows people with disabilities (with no hands) to use the PC-control with the mouse, the brightness of the LCD screen and the sound volume through several sensors. I found how to do to control the mouse but still cannot

  • HP psc 2410 high-resolution scanning in windows 7

    I have a hp psc 2410 photosmart all-in-one.  My OS is windows 7 64-bit.  I would like to know how to use the assisted 19200 dpi setting for the scanner.