ACS 5.0 with PEAP

Hello

I saw the following table on ACS 5.0 authentication protocols:

Protocol (inner method)                  Yes/No
PEAP (inner method EAP-MSCHAPv2)         Yes
PEAP (inner method EAP-GTC)              No
PEAP (inner method EAP-TLS)              No
EAP-FAST (inner method EAP-MSCHAPv2)     Yes
EAP-FAST (inner method EAP-GTC)          No
EAP-FAST (inner method EAP-TLS)          No

In my opinion, this should work for all Microsoft Windows clients, right? Are there clients today that still use EAP-GTC or EAP-TLS?

Thanks in advance and best regards.

Dominic

Hi Dominic,

EAP-GTC is Cisco proprietary, so it is meant to work with Cisco products only. But I also saw that we have an option for EAP-GTC in the IBM utility.

In order to use EAP-GTC, you can use one of these:

* Cisco 350 card

* Cisco ACU utility

As far as EAP-TLS is concerned, it will work with all Microsoft clients, as the EAP-TLS protocol is an IETF open standard.

EAP - TLS is supported by the following operating systems (natively):

* Mac OS X 10.3 (or later).

* Windows 2000 SP4

* Windows XP

* Windows Vista

* Windows Server 2003

* Windows Mobile 2003 (and above)

* Windows CE 4.2

HTH

Kind regards

JK

Tags: Cisco Security

Similar Questions

  • Authentication of ACS with PEAP / MSCHAPv2 - client rejecting server

    Hello

    I have a wireless network setup with Cisco 1131AG access points and a c6500 WiSM module (4404-WLC for testing), authenticating against a Cisco ACS appliance (1113) using PEAP with MSCHAPv2.

    The laptops have the Cisco SSC client (together with the SSC Management utility).

    A self-signed certificate was created on the ACS, and the root was exported and installed on the TCL laptop.

    If the CSSC "Validate Server" box is not checked, authentication works and I am able to connect to the network.

    If the CSSC "Validate Server" box is checked, authentication fails.

    The problem appears to be that the client rejects the server certificate:

    "Server certificate chain is not valid."

    In the ACS failed-authentication logs, the following message is stated:

    "Authentication failed during SSL negotiation" (which obviously refers to the invalid certificate chain)

    Any ideas?

    When you create a self-signed certificate, is there a specific directory where the server certificate must be located? e.g. c:\cert\certificate.cer

    Also, must the certificate name match the ACS hostname?

    i.e. "CN ="

    Any advice or pointers would be appreciated.

    Thank you

    The issue is that when you check the Validate Server box, you must make sure you have the certification authority in the Trusted Root Certification Authorities. For example, in Windows there is a list of CAs where you check server certificate validation, and one of the root certification authorities must be on that list. If the root CA is not listed, then you must add it to the list and check it.

    You are right about the client rejecting the server cert... "Authentication failed during SSL negotiation"

    This doc will give you an overview:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml
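
    What the supplicant does once "Validate Server" is checked comes down to two tests: the ACS certificate must chain to a root in the client's trusted store, and, if the client was told a server name, that name must match the certificate. The Go program below is an added example, not code from this thread or from Cisco; it mints a constructed root CA and an ACS server certificate with Go's standard library and runs the crypto/x509 verifier in the three situations the thread raises: trusted root, untrusted root (the CSSC "chain is not valid" case), and a name mismatch. The names lab-root-ca, some-other-ca and acs.example.com are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for name: self-signed (a root CA) when parent is nil, otherwise
// signed by parent/parentKey. Constructed lab material, not a real PKI.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		// Server cert: name in CN (what supplicants show) and in SAN (what crypto/x509 matches).
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validateServerCert is the supplicant's "Validate Server" step: chain to the trusted root
// AND carry the name the client expects.
func validateServerCert(server, trustedRoot *x509.Certificate, expectedName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: expectedName})
	return err
}

// failureKind maps the verifier's error onto the two failures the thread distinguishes.
func failureKind(err error) string {
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "chain" // CSSC: "Server certificate chain is not valid"
	case errors.As(err, &badName):
		return "hostname"
	default:
		return "other"
	}
}

// demo builds the lab PKI and returns the verdict for the three scenarios.
func demo() (trustedRoot, wrongRoot, wrongName string, err error) {
	root, rootKey, err := issue("lab-root-ca", true, nil, nil)
	if err != nil {
		return
	}
	other, _, err := issue("some-other-ca", true, nil, nil)
	if err != nil {
		return
	}
	acs, _, err := issue("acs.example.com", false, root, rootKey)
	if err != nil {
		return
	}
	trustedRoot = failureKind(validateServerCert(acs, root, "acs.example.com"))
	wrongRoot = failureKind(validateServerCert(acs, other, "acs.example.com"))
	wrongName = failureKind(validateServerCert(acs, root, "acs-old.example.com"))
	return
}

func main() {
	a, b, c, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted root: %s\nuntrusted root: %s\nname mismatch: %s\n", a, b, c)
}
```

    Because crypto/x509 matches DNSName against the SubjectAltName only, the example puts the name in both CN and SAN; an EAP supplicant configured with a server name usually compares it with the CN, and the Windows native PEAP supplicant performs no name check at all unless "Connect to these servers" is filled in, so for the failure above it is the chain check that matters. No directory on the ACS is involved: the client only needs the issuing root in its trusted store.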

  • ACS 5.0 RADIUS timeout with WLC 7.0

    Hi guys,

    I'm setting up a Cisco Secure ACS 1120 appliance running ACS 5.0.0.21 to handle RADIUS for a Cisco WLC 5508 running version 7.0.116.0.

    • These devices have open communication on all ports - no firewall or ACL
    • They ping each other successfully

    The following illustrate some, but not all, of the debugging I did to make sure that each device works properly in isolation.

    • Using a simple Windows RADIUS server (radserv2.exe) instead of the Cisco ACS
      • This works and the WLC gets an answer from my makeshift RADIUS server
    • Using a simple Windows EAP client to query the ACS over RADIUS
      • This works and the ACS processes the RADIUS request and sends a response
    • Placed a Wireshark client on the network to inspect the timeout
      • Wireshark sees the packet from the WLC to the ACS on port 1812 but does not see any response packet from the ACS

    At the moment I have:

    1. the WLC accepting the wireless client association and
    2. sending the RADIUS query (EAP-TLS, PEAP and EAP-FAST) to the ACS,
    3. the WLC receives no answer, generates a timeout message and disconnects the client.
       1. Note this is not a reject or similar message; the ACS simply does not see the packet, i.e. there is absolutely nothing in the ACS logs to suggest that it even received a RADIUS packet from the WLC.

    In summary the WLC and ACS operate properly independently, but they do not communicate via RADIUS.

    Any help appreciated, thanks

    It seems that you use ACS 5.0 without patches.

    For your information, the product version is now up to 5.2 and ACS 5.3 should be released soon.

    I recall there was a problem with ACS 5.0 and WLC operations that was resolved in a patch for 5.0.

    I'm not sure of the specific CDETS but it may be:

    CSCsy17858 Any manipulation of Tunnel-Type & Tunnel-Client-Endpoint uploading incorrect

    ACS 5.0 has a rollup approach, with all the patches being cumulative.

    My recommendation would be to download patch 8 for ACS 5.0: 5.0.0.21.8

    The patch can be downloaded from CEC.

    To install a patch, set up a repository on ACS (cumulative patches are larger than 32 MB, so you cannot use TFTP for this), copy the patch file into the repository, and from the ACS CLI run:

    # acs patch install <patch-file> repository <repository-name>

  • ACS 5.0 interoperability issue as RADIUS server with ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugs at the ASA level for aaa and isakmp) that my RADIUS server is DOWN.

    Please let me know whether there is any compatibility issue with ACS 5.0 here, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a bug in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see that the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This works with TACACS+.

    The access policy rule was not hit. Also, could not use RADIUS as it hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; used TACACS+ instead of RADIUS.

    If you want to use RADIUS then you need to upgrade your ACS version to 5.1

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate helpful posts.

  • Getting started with PEAP and a Tablet PC

    I tried to get PEAP working with the following devices:

    CiscoSecure ACS 3.1

    Compaq TC1000 Tablet PC with the latest drivers for the integrated wireless card

    Cisco Aironet 1100 AP

    I think that everything is configured correctly on the AP - I checked Network-EAP and Open. No VLANs configured. The ACS has the AP registered as a network device with the same key as written on the access point itself, and with RADIUS (Cisco Aironet) selected.

    Unfortunately, my clients associate but fail to obtain a DHCP address or pass traffic.

    The Tablet PC is configured through Windows XP networking, using PEAP and a dynamic WEP key (the key is provided for me).

    Has anyone had experience with these devices? We managed to get LEAP working with the Cisco ACU on a full laptop. The Tablet PC does not have the ACU software.

    Edit:

    Just found a few past responses that helped clear things up a little. Could someone tell me if my reasoning below is correct please?

    ACS version 3.1 supports PEAP for Cisco wireless cards/clients only and doesn't support PEAP for third-party cards and the Microsoft supplicant.

    ACS version 3.2 supports PEAP for Cisco cards, but also supports PEAP with third-party cards and the Microsoft supplicant.

    So in theory, upgrading to 3.2 would allow us to use Tablet PCs such as the TC1000 with our wireless access points and PEAP authentication.

    Kind regards

    An ACS 3.2 upgrade should enable PEAP to work with your Tablet PCs.

  • How does ACS communicate with a Domain Controller when there are several domain controllers?

    Dear Sir

    Our company has 4 ACS, version 5.3, one primary and three secondaries.

    They are in a domain with multiple domain controllers, and I do not know which domain controller they communicate with. How do I check, and how do I configure ACS 5.3 to communicate with a dedicated Domain Controller?

    Thank you

    Michael

    Michael,

    Can you try this and see how it goes:

    You can run the following command in the ACS CLI to enter ACS
    configuration mode:

    ACS/admin# acs-config

    Escape character is CNTL/D.
    Username:
    Password:

    ACS/acsadmin(config-acs)# ad-agent-configuration dns.dc.<domain>.com <domain-controller>

    You may see a problem with the format of the command. I have not personally tested it lately on ACS 5.3.

    Note: using this will force the ACS to authenticate using only this specific DC. If the domain controller
    becomes inaccessible, you must run this command again to point the ACS to a different domain controller.

    In addition, this would require a restart of the services.

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    Open a TAC case if you are not comfortable running the above command.

    -Jousset

  • Authentication problems with PEAP, WLC, IAS and Windows 2k3

    Hi all

    I configured a WLC (6.0.182.0, model 2100) with PEAP authentication against Microsoft Windows 2003 IAS and AD. I read in the document "PEAP under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)" that, in the process of installing Active Directory, you must select "Permissions compatible with pre-Windows 2000 server operating systems". In my scenario the other option was selected, "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems".

    I tested this scenario and it does not work.

    Is there a configuration on the WLC so that it can operate without having to reinstall AD?

    Thank you

    In most cases the WLC does not care what authentication type is used. It is really just proxying requests between the client and the RADIUS server.

    I'd make sure that your EAP timers are extended with the commands:

    config advanced eap identity-request-timeout 10

    config advanced eap request-timeout 10

  • Cisco ACS 5.2 with NX-OS (Nexus) devices - user issues

    Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX-OS devices.

    I created an account on ACS, let's call it User1, and gave it privilege 15. With User1, I am able to access all our IOS, IOS-XE, ASA and PIX devices with privilege 15.

    When I use the User1 account on our Nexus devices, I do NOT receive privilege 15 access. As you probably know, the Nexus devices have roles: predefined or custom roles. So I assumed I would get the "network-admin" role (priv 15 read/write) for User1 when logging in, but instead I got the "vdc-operator" role (priv 1 read-only).

    Then I tried to tweak User1 and give it network-admin under Shell Profile > Custom Attributes. I logged in to the Nexus and of course I was able to get network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to log in with my username and password on these devices.

    Has anyone ever experienced this problem? Help, please!

    Thank you

    neocec

    This is a common problem when you mix RBAC authorization policies with IOS devices: the AV pair that you created must be set to "optional" instead of "mandatory". Please make this change and you will be able to access all your devices.

    Thank you

    Tarik
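
    The difference Tarik points to is the separator in the AV pair: in TACACS+ authorization arguments (RFC 8907), and in the same syntax inside the cisco-avpair RADIUS VSA, attr=value is mandatory and attr*value is optional, and a device that does not recognise a mandatory attribute must treat the whole authorization as failed, which is why User1 stopped being able to log in to IOS at all. The Go program below is an added example, not code from the thread or from Cisco; it parses both forms and simulates an IOS device (which knows priv-lvl but not shell:roles) and an NX-OS device against the poster's profile before and after the change. Which attributes each platform honours is an assumption made for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

// AVPair is one TACACS+ authorization argument, the same attr=value / attr*value form the
// cisco-avpair RADIUS VSA carries. Mandatory is true for "=", false for "*".
type AVPair struct {
	Attr, Value string
	Mandatory   bool
}

// parseAVPair splits at the first '=' or '*' and strips surrounding double quotes.
func parseAVPair(s string) (AVPair, error) {
	i := strings.IndexAny(s, "=*")
	if i <= 0 {
		return AVPair{}, fmt.Errorf("%q: no attribute/value separator", s)
	}
	v := strings.TrimSpace(s[i+1:])
	if len(v) >= 2 && v[0] == '"' && v[len(v)-1] == '"' {
		v = v[1 : len(v)-1]
	}
	return AVPair{Attr: s[:i], Value: v, Mandatory: s[i] == '='}, nil
}

// authorizeShell mimics a device that understands only the attributes in known: an unknown
// mandatory pair fails the whole authorization (RFC 8907), an unknown optional pair is skipped.
func authorizeShell(pairs []string, known map[string]bool) ([]AVPair, error) {
	var accepted []AVPair
	for _, p := range pairs {
		av, err := parseAVPair(p)
		if err != nil {
			return nil, err
		}
		if !known[av.Attr] {
			if av.Mandatory {
				return nil, fmt.Errorf("device cannot honour mandatory attribute %q", av.Attr)
			}
			continue // optional and unknown: ignored, the login proceeds
		}
		accepted = append(accepted, av)
	}
	return accepted, nil
}

func main() {
	// Constructed shell profiles: the poster's broken one and the corrected one.
	broken := []string{`priv-lvl=15`, `shell:roles="network-admin"`}
	fixed := []string{`priv-lvl=15`, `shell:roles*"network-admin"`}
	// Assumed attribute support per platform, for the demo only.
	ios := map[string]bool{"priv-lvl": true}
	nxos := map[string]bool{"priv-lvl": true, "shell:roles": true}
	for _, profile := range [][]string{broken, fixed} {
		a, err := authorizeShell(profile, ios)
		fmt.Printf("IOS   %v -> %v err=%v\n", profile, a, err)
		a, err = authorizeShell(profile, nxos)
		fmt.Printf("NX-OS %v -> %v err=%v\n", profile, a, err)
	}
}
```

    In the ACS shell profile the corrected custom attribute is shell:roles with value network-admin and Requirement set to Optional, which is what serialises as shell:roles*"network-admin"; priv-lvl can stay mandatory because every platform in the poster's list understands it.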

  • ACS 5.1 with an Aerohive AP problem

    We authenticate clients for Aerohive APs on our ACS 5.1 servers.  Currently, our logs fill up with spam about invalid RADIUS attributes.  I opened a case with them to see what is sending the request.  The message is "11014 RADIUS packet contains invalid attributes". Is there a way to filter this message from the log in the meantime?  It is causing us to lose all our logging information on our servers within about 30 minutes.

    I have seen this error in the following cases:

    Sending a RADIUS request to ACS with a zero-length password, or using the IOS configuration that sends the same test regularly: "radius-server host 192.0.2.1 test username test1 idle-time 1".

    It happens with a zero-length password.

    Not sure if this is your problem.

    Note that I think it is possible to filter these messages:

    Go to:

    Monitoring Configuration > ... > System Configuration > Collection Filters and define a filter based on attributes in the syslog
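
    Two threads above turn on what a well-formed RADIUS Access-Request looks like: "ACS 5.0 RADIUS timeout with WLC 7.0", where the poster tested the ACS with a stand-alone RADIUS client, and this one, where a zero-length password produces "11014 RADIUS packet contains invalid attributes". The Go program below is an added example, not code from the threads or from Cisco: it builds an Access-Request with the RFC 2865 User-Password hiding and an RFC 3579 Message-Authenticator, and parses the attribute list with the sanity checks a server applies, so an empty password (which pads to a zero-length User-Password) is rejected. The shared secret, the user name test1 and the password Passw0rd! are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const (
	codeAccessRequest = 1
	attrUserName      = 1
	attrUserPassword  = 2
	attrMessageAuth   = 80
)

type attribute struct {
	Type  byte
	Value []byte
}

// hidePassword is the RFC 2865 section 5.2 User-Password transform: NUL-pad to a multiple
// of 16, then XOR each block with MD5(secret || previous block), seeded with the Request
// Authenticator. An empty password pads to zero bytes: the "zero-length password" case.
func hidePassword(secret, requestAuth, password []byte) []byte {
	padded := make([]byte, (len(password)+15)/16*16)
	copy(padded, password)
	out := make([]byte, len(padded))
	prev := requestAuth
	for i := 0; i < len(padded); i += 16 {
		h := md5.Sum(append(append([]byte{}, secret...), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ h[j]
		}
		prev = out[i : i+16]
	}
	return out
}

// buildAccessRequest returns a wire-format Access-Request carrying User-Name, User-Password
// and a Message-Authenticator (RFC 3579: HMAC-MD5 over the packet with the MAC field zeroed).
func buildAccessRequest(id byte, secret []byte, user, password string) ([]byte, error) {
	requestAuth := make([]byte, 16)
	if _, err := rand.Read(requestAuth); err != nil {
		return nil, err
	}
	attrs := []attribute{
		{attrUserName, []byte(user)},
		{attrUserPassword, hidePassword(secret, requestAuth, []byte(password))},
	}
	var body bytes.Buffer
	for _, a := range attrs {
		body.WriteByte(a.Type)
		body.WriteByte(byte(2 + len(a.Value))) // callers keep values <= 253 bytes
		body.Write(a.Value)
	}
	macOffset := 20 + body.Len() + 2 // the 16 MAC bytes land here
	body.WriteByte(attrMessageAuth)
	body.WriteByte(18)
	body.Write(make([]byte, 16)) // zero while hashing
	pkt := make([]byte, 20+body.Len())
	pkt[0], pkt[1] = codeAccessRequest, id
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[4:20], requestAuth)
	copy(pkt[20:], body.Bytes())
	mac := hmac.New(md5.New, secret)
	mac.Write(pkt)
	copy(pkt[macOffset:], mac.Sum(nil))
	return pkt, nil
}

// parseAttributes applies the checks a server makes before it accepts (or even logs) a
// request: the length field matches, no attribute is shorter than its 2-byte header, and a
// User-Password is a non-empty multiple of 16 bytes no longer than 128.
func parseAttributes(pkt []byte) ([]attribute, error) {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil, fmt.Errorf("bad header or length field")
	}
	var attrs []attribute
	for p := 20; p < len(pkt); {
		if len(pkt)-p < 2 || int(pkt[p+1]) < 2 || p+int(pkt[p+1]) > len(pkt) {
			return nil, fmt.Errorf("malformed attribute at offset %d", p)
		}
		t, l := pkt[p], int(pkt[p+1])
		v := pkt[p+2 : p+l]
		if t == attrUserPassword && (len(v) == 0 || len(v)%16 != 0 || len(v) > 128) {
			return nil, fmt.Errorf("User-Password length %d is invalid", len(v))
		}
		attrs = append(attrs, attribute{t, v})
		p += l
	}
	return attrs, nil
}

func main() {
	secret := []byte("lab-shared-secret") // assumed NAS/ACS shared secret
	pkt, err := buildAccessRequest(1, secret, "test1", "Passw0rd!")
	if err != nil {
		panic(err)
	}
	attrs, err := parseAttributes(pkt)
	fmt.Printf("%d bytes, %d attributes, parse error: %v\n", len(pkt), len(attrs), err)
}
```

    To use it as a probe for the WLC case, send the bytes from buildAccessRequest to UDP/1812 on the ACS and wait for a reply. Keep in mind that a request from an IP the server does not know as a network device, or whose Message-Authenticator does not verify, is silently discarded (RFC 2865, RFC 3579), so from the client side an unregistered NAS or a wrong shared secret looks exactly like the timeout in that thread rather than a reject. The reply above attributes the 11014 from the IOS idle-time probe to its zero-length password, which is the case parseAttributes rejects.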

  • PAK for ACS IOS download with license keys

    Hello, I am new to Cisco product licensing and registration. I want to download the latest version of the ACS software and the registration keys. I know I have to start by getting a PAK from Cisco, but I have no idea how to start the process. Another thing that confuses me is that I need a SMARTnet account; I tried via Cisco chat but they redirected me to a phone number and then transferred me four times until I was disconnected...

    Help, please!

    Kind regards

    Gary

    When you buy ACS, you should get a PAK from the reseller with the delivery. If you have not received one, please contact your reseller. If they claim ignorance, they can check the CCW and CSCC tools (Cisco Commerce Workspace and Cisco Service Contract Center - tools used by Cisco resellers to manage customer orders and support entitlement).

    SMARTnet is optional, but it is required for upgrade entitlement and TAC support.

    A registered cisco.com account (SMARTnet not required) is needed to get the key once you have the PAK in hand.

  • Any ACS version with Windows Server 2008 R2 64-bit domain controllers?

    Hi all

    Is there any version of ACS currently working with Windows Server 2008 R2 domain controllers?

    Our server team recently upgraded the domain controllers to 2008 R2 and retired the 2003 servers. This did not make our ACS 4.1.4 very happy.

    I have now read several posts about problems with ACS and Server 2008 R2 and hope to find a solution (other than switching to LDAP, yuck).

    Thank you

    Pato

    ACS currently cannot be installed on a server running Windows 2008 R2.

    As an alternative, you can install ACS on a member server. Authentication using ACS's local machine Net API authentication against a 2008 R2 domain will work. The Remote Agent can also be installed on a 2008 R2 server if you use appliances.

    If you install ACS on a member server instead, here is how to configure the services to authenticate properly with the domain:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/Windows/postin.html#wp1041304

    -Jesse

  • ACS replication and integration with the Active Directory database

    Hi all

    I have to configure two ACS SEs with internal database replication. I also have an Active Directory server that must integrate with ACS. My doubt is whether I need to configure the IP addresses of both ACSs during installation of the Remote Agent on Active Directory, or only the primary ACS.

    No need to give the IPs of both ACSs. Give the primary ACS IP.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • ACS 5.5 with EAP-TLS SHA-256 certificates

    Hi all

    I just want to confirm that ACS 5.5 supports EAP-TLS with SHA-2 certificates.

    Thank you

    Manel

    Hi Manel,

    There was an enhancement filed a long time back to support EAP-TLS with SHA-256 certificates, and it was fixed in the ACS 5.2 release.

    CSCtd34175    Support for SHA2 certificates

    To answer your question, ACS 5.5 does support SHA-2 certificates with EAP-TLS.

    ~ BR

    Jatin Kone

    * Please rate helpful posts *

  • ACS 5.4 with AD domains

    I read the release notes and user guide for ACS 5.4, which mention the ability to join ACS nodes of the same deployment to different AD domains.  But each node can be joined to only a single AD domain.  My question is this... in a failover situation, what does that buy me?

    Hypothetical:

    I have two sites, each with an ACS, and each with its own AD domain.  The ACSs are deployed in a primary/secondary relationship; devices at Site A use the Site A ACS as primary for authentication, devices at Site B use the Site B ACS as primary for authentication.

    Scenarios:

    1. If the Site A ACS fails, Site A devices will attempt to reach the Site B ACS for authentication.  But if they use different AD domains, a Site A user cannot authenticate and would be denied access.  Correct?
    2. If a Site B user tries to access a device at Site A, that device attempts to authenticate the user using the Site A ACS.  This will fail because the Site A ACS references only the Site A AD domain?

    I'm missing what advantage I get from deploying the two ACSs if they cannot use or access the users in both domains.  Maybe I'm not understanding something here.  Can someone shed light on this or point me to a document that could help?

    Thank you...

    I agree with you on that; it is not very well documented. In almost every deployment, the role of the secondary server (located at another site) is to provide full redundancy in case the primary ACS server fails.

    In your case, if you have both ACSs joined to two different domains, as in:

    Site A (ACS1-primary) - domain A

    Site B (ACS2-secondary) - domain B

    We have to make sure that domain A trusts domain B and vice versa, because if the secondary server is configured for replication from the primary, that means the authorization rules will be the same on both ACSs. Having a full two-way trust between the two domains means ACS1 can retrieve domain B groups and ACS2 can retrieve domain A groups.

    The ONLY advantage of this feature comes into play during authentication. If users in domain B show up at ACS2 for authentication, the group retrieval time would be shorter, since it is the directly joined domain instead of going across the trust.

    The purpose of redundancy is defeated where there is no possibility of a two-way trust. It is not suited to these deployments.

    Hope this adds a few specifics.

    ~ BR
    Jatin Kone

    * Please rate helpful posts *

  • ACS: same username with two different groups, two shell profiles

    Hello

    In my ACS 5.4 I want the same username to use two shell profiles. This is the requirement.

    One shell profile with privilege 15 for IOS device admins and another with a different privilege for WCS admins. Because there cannot be two shell profiles in the same authorization profile, I created two different profiles and mapped them to the ACS local group name. However, whenever the user tries to access a device, it always hits profile 1.

    I'm not sure what I am missing; if someone has done this or knows how to do it, please advise.

    Thank you

    Hello

    What you can do is create two authorization rules based on the IP address.

    Use two rules:

    rule 1: if the IP address is the WCS IP address, then use WCS-Shell-profile

    rule 2: if the device IP address does not match the WCS IP address, then use Other-Shell-profile

    If you don't see the IP address in the rule options, you can always customize which options you want to compare using the Customize button at the bottom right of the page.

    HTH

    Amjad

    Rating useful replies is more useful than saying "thank you".
