ACS 5.4 - OCSP Debug
Hello all
I am currently testing OCSP-based certificate validation on ACS 5.4. The server team claims everything is fine on their side, but every attempt ends with the following error:
12562 Response from the OCSP server is not valid
I tried disabling nonce extension support and signature validation, which made no real difference.
Does anyone know how to debug the OCSP handling, or another way to pin the problem down more precisely?
Thanks in advance!
Kind regards
Josef
My guess would be runtime crypto, but you can enable runtime (all) debugging and try to reproduce the problem. If that does not show it, then go for mgmt.
Thank you
Tarik Admani
* Please rate helpful posts *
Similar Questions
-
LEAP authentication fails; what does this "debug aaa authentication" output mean?
I'm trying to authenticate from a laptop (LEAP client) and I'm not succeeding. Can you help me understand what the problem is?
Note: please find attached the output of "debug aaa authentication" from the Cisco Aironet log and the "ACS failed attempts" report, respectively.
Note that in ACS 3.3, under "Network Configuration" > "AAA Clients -> Add AAA client for AP1", I entered a value for the "key" field. However, I could not find this "key" in my access point configuration, as shown in the attached file. Can you please confirm whether I should configure such a "key", and what the command to do so on the access point is?
Thank you very much!
Marlon
Marlon,
at the end of this command:
radius-server host 163.77.93.83 auth-port 1645 acct-port 1646
you can add "key 0" followed by the key you defined on the AAA server.
-
ACS and "key mismatch"
Today our ACS (version 4.1 on Windows 2003 Server) suddenly stopped working. We use it to authenticate and authorize management access to the switches via TACACS+. I see "key mismatch" errors in ACS, but the shared secret is the same on both sides (switch and ACS), so that is not the problem.
A "debug tacacs" on a switch says:
Jan 7 21:32: Telnet2: 1 1 251 1
Jan 7 21:32: TCP2: Telnet sent WILL ECHO (1)
Jan 7 21:32: Telnet2: 2 2 251 3
Jan 7 21:32: TCP2: Telnet sent WILL SUPPRESS-GA (3)
Jan 7 21:32: Telnet2: 80000 80000 253 24
Jan 7 21:32: TCP2: Telnet sent DO TTY-TYPE (24)
Jan 7 21:32: Telnet2: 10000000 10000000 253 31
Jan 7 21:32: TCP2: Telnet sent DO WINDOW-SIZE (31)
Jan 7 21:32: TAC+: send AUTHEN/START packet ver=192 id=3650164881
Jan 7 21:32: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 7 21:32: TAC+: 10.1.2.2 (3650164881) AUTHEN/START/LOGIN/ASCII queued
Jan 7 21:32:05: TAC+: 10.1.2.2 (3650164881) AUTHEN/START/LOGIN/ASCII - TIMED OUT
Jan 7 21:32:05: TAC+: (3650164881) AUTHEN/START/LOGIN/ASCII processed
Jan 7 21:32:05: TAC+: Using default tacacs server-group "tacacs+" list.
Jan 7 21:32:05: TAC+: 10.10.10.1 (3650164881) AUTHEN/START/LOGIN/ASCII queued
Jan 7 21:32:10: TAC+: 10.10.10.1 (3650164881) AUTHEN/START/LOGIN/ASCII - TIMED OUT
Jan 7 21:32:10: TAC+: (3650164881) AUTHEN/START/LOGIN/ASCII processed
Jan 7 21:32:10: TAC+: Using default tacacs server-group "tacacs+" list.
(etc.)
There are two ACS servers; they are synchronized and both have the same problem.
Reachability is not the problem.
What should I check for?
Erik
Mohamed
Since this is a new issue, you might get more and better answers if you start a new thread rather than adding what may look like just another comment to an existing one.
However, since you asked the question here, I have a comment and a suggestion. This line of output:
TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
suggests that something (probably the shared key used to authenticate the device) is not properly matched between your device and the RADIUS server.
My suggestion would be to look in the failed attempts report on the RADIUS server and see whether you see the authentication attempt from this device. If so, what does the TACACS server say about the cause of the failure?
HTH
Rick
-
Hello...
I have ACS 2.6(4) and the following problems are occurring:
Authentication and authorization from the NAS work normally, but accounting does not work properly. If I use exec accounting only, the user appears in the "Logged-in Users" report; OK. If I add command accounting at level 0, 1 or 15, the user still appears in the "Logged-in Users" report, but as soon as I use any command (enable, show..., debug, etc.) the user disappears from the report and the commands show up under TACACS+ Administration. I tried with ACS 3.1 and accounting works normally.
Is this a BUG? If not, how do I solve this problem?
My equipment configuration is:
======
Cisco 2620 (C2600-I-M), IOS Version 12.1(5)T7
======
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
====
TKS.
Yes, it's a bug.
See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239
-
How can I use Cisco ACS to log shell commands?
Hi guys, please, how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log showing the shell commands issued by users, and that is the most important log I need. I read material and downloaded articles from the Cisco site... but it still does not give me the logs.
I have these lines on my router:
...
aaa authorization config-commands
aaa authorization exec default group tacacs+
aaa authorization commands 15 default if-authenticated
aaa authorization network default group tacacs+
...
It's funny: when I turn on AAA authorization debugging on the router, it shows me every command sent by the user in the debug log. But nothing shows up under TACACS+ Administration on Cisco Secure ACS. What is responsible for this?
*****************************************************
I installed the 90-day trial version of Cisco ACS, made all the necessary settings, and I have to say I like what I see already. I'm already moving to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum, keep up the good work. I recommend the software to those who need customized security audit log management reports.
If I understand what you're asking correctly, the answer is not in authorization, it is in accounting. I set this up on my routers and the commands that privilege level 15 users enter on the router are sent to ACS.
aaa accounting commands 15 default start-stop group tacacs+
-
No TACACS+ Administration report after upgrading to ACS 4.1
Hello
I was running the ACS 4.0 demo version. Everything worked very well.
After the upgrade, keeping the old configuration, I can't see any logs in the TACACS+ Administration reports. I kept the router configuration and get the same result, so I think the problem lies in the ACS software.
I ran a few debugs, and it seems that the router does send the typed command to ACS.
Here is the config I'm using:
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
aaa authentication login telnet group tacacs+ enable
aaa authentication login console enable
aaa authentication enable default group tacacs+ enable
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection telnet stop-only group tacacs+
line con 0
 authorization exec NO-AUTH
 login authentication console
line vty 0 4
 authorization exec AUTH
 login authentication telnet
aaa authorization exec AUTH group tacacs+ none
aaa authorization config-commands
aaa authorization exec NO-AUTH none
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
Hello
This is a known issue; you must apply hotfix ACS 4.1.1.23.5 to solve the problem.
The patch for the appliance is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
Patch name: ACS SE 4.1.1.23.5 rollup
The patch for ACS for Windows is available at
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Patch name: ACS 4.1.1.23.5 rollup
That should solve the problem.
Kind regards
Jagdeep
Note: if this answers your question, please mark this thread as solved so that others can benefit from it.
-
ACS 5.6: problem deleting devices via the CLI
Hello all
I am trying to automate the removal of network devices on ACS 5.6.
I have a delete.csv file with the list of devices I want to delete:
name:String(64):Required
Test0
Test1
When I connect to the ACS CLI and run the import command to remove the devices in the file, I get this result:
.../acsadmin(config-acs)# import-data add device tftp delete.csv delete_res.txt abort-on-error none
Cannot start import. Header is incorrect. Download Import Template for required header record.
But when I run the import from the web management GUI, everything goes well:
-------- Summary --------
Total Number of Records Processed 2
Number of Records Failed 0
Number of Records processed successfully 2
So please, does anyone know what I did wrong? Thank you
To remove devices, try the following command:
import-data delete device tftp delete.csv delete_res.txt abort-on-error none
Also make sure that the file is plain text only. If you're still having problems, enable the following debugging:
debug-log mgmt level debug
Then repeat the process, download a support bundle and look at the logs for clues.
-
Cisco ACS SE TACACS+ accounting fails
Hello
I'm running Cisco ACS SE 4.1.23.5. My problem is that ACS does not log anything from the remote switches. I have configured the following accounting commands:
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
When I enable aaa accounting debugging, I get the following logs on the switch.
001091: Sep 12 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
001092: Sep 12 12:06:06.665 TSB: TAC+: (2684940942): received acct response status = SUCCESS
001093: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
"show running-config "
001094: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: found list "default"
001095: Sep 12 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
001096: Sep 12 12:06:12.000 TSB: TAC+: (1583033889): received acct response status = SUCCESS
001097: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
"configure terminal "
001098: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: found list "default"
001099: Sep 12 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
001100: Sep 12 12:08:16.504 TSB: TAC+: (1098049616): received acct response status = SUCCESS
001101: Sep 12 12:08:29.884 TSB: AAA/ACCT/CMD: User johndoe, Port tty2, Priv 15:
It seems that the switch does get a response, but ACS does not record it. I have updated ACS to the latest patch (4.1.23.5), which is supposed to resolve this known bug.
Is there something that I am missing?
Thank you.
ESD
And what do you get in the TACACS+ Administration logs?
Kind regards
Prem
-
Dynamic VLAN assignment for MAB / ACS 5.5
Hello
Trying to get MAB working with ACS 5.5, and the ACS side looks good in the logs: the MAC address is found, the authorization profile is correct. But on the switch, I get the following:
*Mar 1 00:12:53: AAA/AUTHEN/8021X (00000004): Pick method list 'default'
*Mar 1 00:12:53: RADIUS/ENCODE(00000004):Orig. component type = DOT1X
*Mar 1 00:12:53: RADIUS: AAA Unsupported Attr: audit-session-id [607] 24
*Mar 1 00:12:53: RADIUS: 30 41 38 45 30 46 44 45 30 30 30 30 30 30 30 32 [0A8E0FDE00000002]
*Mar 1 00:12:53: RADIUS: 30 30 30 38 30 41 [00080A]
*Mar 1 00:12:53: RADIUS: AAA Unsupported Attr: interface [171] 20
*Mar 1 00:12:53: RADIUS: 47 69 67 61 62 69 74 45 74 68 65 72 6E 65 74 31 [GigabitEthernet1]
*Mar 1 00:12:53: RADIUS: 2F 30 [/0]
*Mar 1 00:12:53: RADIUS(00000004): Config NAS IP: 0.0.0.0
*Mar 1 00:12:53: RADIUS/ENCODE(00000004): acct_session_id: 4
*Mar 1 00:12:53: RADIUS(00000004): sending
*Mar 1 00:12:53: RADIUS/ENCODE: Best Local IP-Address 10.142.15.222 for Radius-Server 10.54.248.55
*Mar 1 00:12:53: RADIUS(00000004): Send Access-Request to 10.54.248.55:1645 id 1645/5, len 162
*Mar 1 00:12:53: RADIUS: authenticator FE 17 88 64 41 1D 09 86 - EA 51 BE 78 42 B6 EB 5E
*Mar 1 00:12:53: RADIUS: User-Name [1] 14 "28924ad5a199"
*Mar 1 00:12:53: RADIUS: User-Password [2] 18 *
*Mar 1 00:12:53: RADIUS: Service-Type [6] 6 Call Check [10]
*Mar 1 00:12:53: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:12:53: RADIUS: Called-Station-Id [30] 19 "00-1A-A1-99-9F-82"
*Mar 1 00:12:53: RADIUS: Calling-Station-Id [31] 19 "28-92-4A-D5-A1-99"
*Mar 1 00:12:53: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:12:53: RADIUS: EE F5 B8 E1 70 37 A6 3A AD 89 20 A5 A7 D0 E3 B4 [p7:]
*Mar 1 00:12:53: RADIUS: EAP-Key-Name [102] 2 *
*Mar 1 00:12:53: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]
*Mar 1 00:12:53: RADIUS: NAS-Port [5] 6 50102
*Mar 1 00:12:53: RADIUS: NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
*Mar 1 00:12:53: RADIUS: NAS-IP-Address [4] 6 10.142.15.222
*Mar 1 00:12:53: RADIUS(00000004): Started 5 sec timeout
*Mar 1 00:12:53: RADIUS: Received from id 1645/5 10.54.248.55:1645, Access-Accept, len 106
*Mar 1 00:12:53: RADIUS: authenticator 26 B4 B9 AB 3 04 68 DA - 38 AF F6 CD 36 95 73 2B
*Mar 1 00:12:53: RADIUS: User-Name [1] 19 "28-92-4A-D5-A1-99"
*Mar 1 00:12:53: RADIUS: Class [25] 31
*Mar 1 00:12:53: RADIUS: 43 41 43 53 3A 41 30 31 44 52 46 4E 30 30 32 2F [CACS:A01DRFN002/]
*Mar 1 00:12:53: RADIUS: 32 33 31 35 38 38 36 30 31 31 37 38 2F [231588601178/]
*Mar 1 00:12:53: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
*Mar 1 00:12:53: RADIUS: Message-Authenticato[80] 18
*Mar 1 00:12:53: RADIUS: 91 22 50 8? 62 C2 F0 10 C6 0F 70 84 AF 31 6? CD [Pbp1l ""]
*Mar 1 00:12:53: RADIUS: Ascend-Auth-Type [81] 6 20003120
*Mar 1 00:12:53: RADIUS(00000004): Received from id 1645/5
*Mar 1 00:12:53: RADIUS: unsupported value 20003120 for attribute 81
*Mar 1 00:12:53: RADIUS/DECODE: Ascend auth type; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: decoder; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: Ascend-Auth-Type attribute; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: parse response op decode; FAIL
*Mar 1 00:12:53: RADIUS/DECODE: parse response; FAIL
*Mar 1 00:12:53: %MAB-5-FAIL: Authentication failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
*Mar 1 00:12:53: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
*Mar 1 00:12:53: %AUTHMGR-5-FAIL: Authorization failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
It recognizes attributes 64 and 65, but Tunnel-Private-Group-ID, which carries the actual VLAN number, is not supported. How can I assign the VLAN if this attribute is not supported? It does not work with a string matching the VLAN name on the switch either.
The version is 12.2(55)SE10 on a 3750G.
Hello
From the debugs I see that you are missing an attribute needed to make the VLAN assignment; in your test it only sends the following:
*Mar 1 00:12:53: RADIUS: Tunnel-Type [64] 6 01:VLAN [13]
*Mar 1 00:12:53: RADIUS: Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
But it should send:
Tunnel-Type = 64 = VLAN
Tunnel-Medium-Type = 802
Tunnel-Private-Group-ID = 253
where "Tunnel-Private-Group-ID" is the number/name of the VLAN to be assigned. Below is an example of what it would look like in the ACS profile:
http://www.Cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wirel...
Note: please mark as answered as appropriate.
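An added example (not code from this thread or from Cisco): a small RFC 2868 tagged-attribute decoder for a RADIUS Access-Accept, showing what the switch needs to see for dynamic VLAN assignment (Tunnel-Type 64 = VLAN, Tunnel-Medium-Type 65 = IEEE-802, Tunnel-Private-Group-ID 81, all with the same tag) and how a reply that omits attribute 81 is reported. The Access-Accepts are constructed with a zero authenticator, since only attribute decoding is shown; the last function re-reads the value the switch printed for attribute 81 above, 20003120 = 0x01313930, as a tagged string.

```python
"""RFC 2868 tagged tunnel attributes in a RADIUS Access-Accept: check that a
dynamic VLAN assignment is complete. Added example with constructed packets."""
import struct

USER_NAME, CLASS = 1, 25
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}
ACCESS_ACCEPT = 2


def split_tag(attr_type, value):
    """RFC 2868 tagging: tagged integers are tag(1) + 3-byte big-endian value;
    tagged strings carry a tag only if the first byte is 0x00..0x1F."""
    if attr_type in TAGGED_INTEGER:
        return value[0], int.from_bytes(value[1:4], "big")
    if attr_type in TAGGED_STRING:
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode("latin-1")
        return 0, value.decode("latin-1")
    return None, value


def parse_attributes(packet):
    """Return [(type, tag, value)] for every AVP after the 20-byte RADIUS header."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet):
        raise ValueError("truncated packet")
    attrs, off = [], 20
    while off < length:
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError(f"malformed AVP at offset {off}")
        tag, val = split_tag(atype, packet[off + 2:off + alen])
        attrs.append((atype, tag, val))
        off += alen
    return attrs


def vlan_assignment(attrs):
    """('ok', vlan) when 64=VLAN, 65=IEEE-802 and 81 share one tag; else ('missing', what)."""
    by_tag = {}
    for atype, tag, val in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            by_tag.setdefault(tag, {})[atype] = val
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802):
            if TUNNEL_PRIVATE_GROUP_ID in group:
                return "ok", group[TUNNEL_PRIVATE_GROUP_ID]
            return "missing", "Tunnel-Private-Group-ID"
    return "missing", "Tunnel-Type=VLAN / Tunnel-Medium-Type=IEEE-802"


def avp(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def tagged_int(atype, tag, n):
    return avp(atype, bytes([tag]) + n.to_bytes(3, "big"))


def tagged_str(atype, tag, s):
    return avp(atype, bytes([tag]) + s.encode())


def access_accept(attrs, ident=5):
    body = b"".join(attrs)
    # Constructed packet: zero authenticator, because only attribute decoding is shown.
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


# Constructed Access-Accepts modelled on the debug above (same User-Name, tag 1).
ACCEPT_FULL = access_accept([avp(USER_NAME, b"28-92-4A-D5-A1-99"),
                             tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
                             tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802),
                             tagged_str(TUNNEL_PRIVATE_GROUP_ID, 1, "190")])
ACCEPT_NO_GROUP_ID = access_accept([avp(USER_NAME, b"28-92-4A-D5-A1-99"),
                                    tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN),
                                    tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)])


def reinterpret_misread_integer(n):
    """The switch decoded attribute 81 with its Ascend dictionary and printed the
    four value bytes as the integer 20003120; read them back as a tagged string."""
    return split_tag(TUNNEL_PRIVATE_GROUP_ID, n.to_bytes(4, "big"))


if __name__ == "__main__":
    print(vlan_assignment(parse_attributes(ACCEPT_FULL)))
    print(vlan_assignment(parse_attributes(ACCEPT_NO_GROUP_ID)))
    print(reinterpret_misread_integer(20003120))
```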
-
2611XM terminal server + ACS + re-authentication when selecting menu options
Hello
I managed to configure ACS authentication on my 2611XM router.
After connecting to the router, I have an autocommand configured to run a menu.
My problem is that when you select an option in the menu,
you are then prompted to re-authenticate against the router before connecting to the line.
Can someone tell me how to prevent this?
Thank you in advance for your time and effort; I have attached the config below.
DDRAS01#sh running-config
Building configuration...
Current configuration : 6854 bytes
!
! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication enable default
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone EST 10
clock summer-time EST recurring last Sun Oct 2:00 last Sun Mar 3:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list
ip domain list
ip domain name
ip host dd-cr-01 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server
ip name-server
!
!
!
username operators privilege 15 password 7
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging
snmp-server
snmp-server community RO
snmp-server community RW
snmp-server location
snmp-server contact operators
!
menu ddras01 title ^C
Cisco Terminal Server
Select a number from the list below
Use "ctrl + shift + 6" then 'x' to switch back to the menu
^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 / telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 / telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 / telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 / telnet ddce565 2040
menu ddras01 text 9 Exit
menu ddras01 command 9 menu-exit
menu ddras01 clear-screen
menu ddras01 status-line
menu ddras01 line-mode
radius-server host 10.2.0.50
radius-server application made
radius-server key 7
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
 password 7
 logging synchronous
line 33 64
 no exec-banner
 exec-timeout 0 0
 no activation-character
 no exec
 transport preferred telnet
 transport input all
 escape-character 27
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7
 logging synchronous
 autocommand menu ddras01
line vty 5 181
 password 7
 logging synchronous
 autocommand menu ddras01
!
ntp clock-period 17208487
ntp source FastEthernet0/0
ntp server
end
Hello
You have "aaa authentication login default" configured; with this you get prompted
when you try to access the line.
Under line vty 5 181 try adding:
login authentication NOAUTH
authorization exec NOAUTH
Add the aaa lines:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
This should stop the authentication on the lines.
-Jesse
-
Interoperability issue with ACS 5.0 as RADIUS server for an ASA?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is created in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.
Please let me know whether there is any compatibility issue with ACS 5.0 in this respect, because everything was working fine with my ACS version 4.2.
Regards
Ritesh
Ritesh,
Yes, there is a bug in ACS 5.0 with VPN authentication.
When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
In the ASDM logs you'll see that the RADIUS server is not reachable.
Debugs show RADIUS timeouts.
This works with TACACS. The access policy rule did not work either, and RADIUS could not be used as it hit CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; use TACACS+ instead of RADIUS.
If you want to use RADIUS then you need to upgrade your ACS version to 5.1.
You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:
Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Please rate helpful posts
-
Cisco ACS authentication issues
Hi all
I have just set up my ACS for Windows Server. It runs version 4.1 software. I am having authentication problems. In the ACS GUI I have it set up to use TACACS+ to authenticate the AAA clients. I have the key on the switch and the matching key on the ACS server. I have users set up. Here's my AAA config on the switch...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Here is the TACACS debug information
183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961
183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.
183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683
WC2950-12#
183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.
183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell
I have the same keys on the AAA server as I do on my switch...
Thank you
Please check the secret key on the NDG and on the main AAA clients. The NDG overrides the main AAA clients.
Make sure you have the right key in the NDG.
Kind regards
~ JG
Please rate helpful posts
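Both this thread and the "key mismatch" thread above end with IOS reporting "received bad AUTHEN packet ... (check keys)". The following added example (not code from either thread, and not Cisco's) implements the TACACS+ body obfuscation of RFC 8907 section 4.5 and shows why a shared-secret mismatch surfaces as a length error rather than an "invalid key" message: the body is XORed with an MD5 pad derived from the session id, the key, the version and the sequence number, so a wrong key yields garbage length fields that a server can only detect by sanity-checking. The session id 2789804961, username switchuser and secret cisco123 are values quoted on this page; the port, remote address and the deliberately wrong key are constructed.

```python
"""TACACS+ (RFC 8907) authentication START packet: build, obfuscate, and
parse with the right and a wrong shared secret. Added example, offline only."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor 0: printed as "ver=192" by IOS
TYPE_AUTHEN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"",
                      action=1, priv_lvl=1, authen_type=1, service=1):
    """8 fixed bytes (action, priv_lvl, authen_type, authen_service, then the
    four lengths) followed by user, port, rem_addr and data."""
    return (bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def build_packet(body, session_id, key, seq_no=1):
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_authen_start(packet, key):
    """De-obfuscate with `key` and apply the length sanity check a server does.
    A wrong key decodes to random bytes, so the embedded lengths no longer add
    up to the header length: this is the 'length = N expected M' symptom."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, seq_no, version)
    if len(body) < 8:
        return {"valid": False, "reason": "body shorter than the 8 fixed bytes"}
    ulen, plen, rlen, dlen = body[4:8]
    expected = 8 + ulen + plen + rlen + dlen
    if expected != len(body):
        return {"valid": False, "reason": f"length = {len(body)}, expected {expected}"}
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"valid": True, "priv_lvl": body[1], "user": user.decode("latin-1"),
            "port": port.decode("latin-1"), "rem_addr": rem_addr.decode("latin-1")}


# Constructed demonstration values (session id, user and secret are quoted on this page).
SESSION_ID = 2789804961
GOOD_KEY = b"cisco123"
WRONG_KEY = b"cisco124"          # one character off, as a typo on either side would be
PACKET = build_packet(authen_start_body(b"switchuser", b"tty2", b"10.0.0.5"),
                      SESSION_ID, GOOD_KEY)


def demo():
    """Return the parse result with the correct key and with the wrong key."""
    return parse_authen_start(PACKET, GOOD_KEY), parse_authen_start(PACKET, WRONG_KEY)


if __name__ == "__main__":
    good, bad = demo()
    print("correct key:", good)
    print("wrong key  :", bad)
```

The wrong-key branch reproduces the IOS behaviour: nothing in the packet identifies the key, so the only evidence of a mismatch is a body whose decoded lengths are inconsistent.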
-
Using ACS to deny "show tech-support"
I'm trying to deny the "show tech-support" command using Cisco Secure ACS command authorization sets (picture included). All the other deny commands are working (e.g. show running-config), but no matter what I do, "show tech" is unsuccessful. Any ideas?
Do you have these authorization commands configured?
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
tacacs-server host 10.1.1.1 key cisco123
"debug aaa authorization" should display:
AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
AAA/AUTHOR/CMD: tty2 (2846421758) send AV service=shell
AAA/AUTHOR/CMD: tty2 (2846421758) send AV cmd=show
AAA/AUTHOR/CMD: tty2 (2846421758) send AV cmd-arg=tech-support
AAA/AUTHOR/CMD: tty2 (2846421758) send AV cmd-arg=<cr>
AAA/AUTHOR/CMD (2846421758): found list "default"
AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2846421758): user=switchuser
AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=<cr>
TAC+: Using default tacacs server-group "tacacs+" list.
TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
TAC+: (2846421758) AUTHOR/START processed
TAC+: (-1448545538): received author response status = FAIL
Be sure to change the original ACS shell command authorization set...
deny "tech-support" rather than deny "tech".
-
ACS 1120 appliance connection error, Cisco ACS 5.0 web GUI
Hi all
I installed the ACS 1120 appliance as follows:
entered the setup command in console mode,
installed the license via the GUI.
But when I access the GUI, it disconnects regularly.
When I ping, the ping is successful and shows TTL 128,
but after some time the connection is established and when I ping, the TTL shows 64.
Can someone help with this problem?
Thank you very much
Hello
I couldn't quite follow the description of your problem. Can you clarify the problem in more detail?
You mention that when you access the ACS GUI it disconnects regularly. Do you lose all IP connectivity to ACS, or is the problem only through the user interface?
Can you please include, from the ACS CLI:
show application status acs
show version
show tech
It would also be relevant to see the output of "show application status acs" when the problem occurs.
For additional troubleshooting, the support bundle will also contain relevant information around the timestamp of the problem. You need to enable the debug logs, for example:
ACS CLI:
acsadmin# conf t
acsadmin(config)# logging loglevel 7
acsadmin(config)# exit
acsadmin# acs-config
After a few seconds,
you can then log in with the user/password credentials of the ACS GUI admin.
acsadmin(config-acs)# debug-log mgmt level debug
acsadmin(config-acs)# debug-log runtime level debug
acsadmin(config-acs)# exit
After the problem appears, the support bundle can then be downloaded from the GUI: Monitoring & Report Viewer > Troubleshooting > ACS Support Bundle. We will need to check the logs around the timestamp of the problem.
But for now, more details about the problem seem necessary, as well as the output of the ACS CLI show commands mentioned above.
Thank you
Alex
-
Can't get any user authenticated, ACS SE 4.1
Hi all
I'm having a devil of a time getting a new ACS SE 4.1 configured in a new network. I have a 3560 that I'm trying first, but I can't get authenticated. I have the user/group account set up, and the group matches my AAA statements, although I saw some errors about the group not being configured. I even created two different groups and tried different names, but again, no luck. I'm just using the internal DB, nothing special. I read the administration guide, but it has not helped. When I turn on debugging I don't see a lot of activity, only about the group being wrong, but I don't understand how that's possible. I'm short on time, so I would really appreciate the help. Thanks in advance!
When we do EXEC authorization, the ACS/authorization server gives the exec privileges to the user, for example.
Under Users/Group Settings look for "Shell (exec)" and check it. This should let you in. If you also want to get certain privileges directly when you log in, then also check "Privilege level" and type the value in the box, 0-15.
I recommend referring to that,
if this is your first authorization configuration.
Kind regards
Prem
Please rate if this helps!