ACS 5.4 - OCSP Debug

Hello everyone

I currently have problems testing OCSP servers for certificate validation on ACS 5.4. The server team claims everything is fine on their side, but every attempt results in the following error:

12562 response from the OCSP server is not valid

I tried disabling nonce extension support and signature validation, which had no real effect.

Does anyone know how to debug OCSP processing, or another way to narrow the problem down?

Thanks in advance!

Kind regards

Josef

My assumption would be TERM-crypto, but you can enable runtime (all) debugging and try to reproduce the problem. If this does not work, then go with Mgmt.

Thank you

Tarik Admani
* Please rate useful posts *

Tags: Cisco Security

Similar Questions

  • LEAP authentication fails; what does this "debug aaa" output mean?

    I'm trying to authenticate from a laptop (LEAP client) and it does not succeed. Can you help me understand what the problem is?

    Note: please find attached the output of "debug aaa authentication" from the Cisco Aironet log and the corresponding 'ACS failed attempts' report.

    Please note that in ACS 3.3, under "Network Configuration" > "AAA Clients" > setup of the AAA client for AP1, I entered a value for the "key" field. However, I found this 'key' in my gateway configuration as shown in the attached file. Can you please confirm whether I should set up such a "key", and what the command to do this on the access point is?

    Thank you very much!

    Marlon

    Marlon,

    at the end of this command:

    radius-server host 163.77.93.83 auth-port 1645 acct-port 1646

    you can add "key 0" followed by the key you defined on the AAA server.

  • ACS and "bad argument key"

    Today our ACS (version 4.1 on Windows 2003 Server) suddenly stopped working. We use it to authenticate and authorize management access to the switches via TACACS+. I see "bad argument key" errors in ACS, but the shared secret is the same on both sides (switch and ACS), so that is not the problem.

    A TACACS+ debug on a switch says:

    Jan 7 21:32: Telnet2: 1 1 251 1
    Jan 7 21:32: TCP2: Telnet sent WILL ECHO (1)
    Jan 7 21:32: Telnet2: 2 2 251 3
    Jan 7 21:32: TCP2: Telnet sent WILL SUPPRESS-GA (3)
    Jan 7 21:32: Telnet2: 80000 80000 253 24
    Jan 7 21:32: TCP2: Telnet sent DO TTY-TYPE (24)
    Jan 7 21:32: Telnet2: 10000000 10000000 253 31
    Jan 7 21:32: TCP2: Telnet sent DO WINDOW-SIZE (31)
    Jan 7 21:32: TAC+: send AUTHEN/START packet ver=192 id=3650164881
    Jan 7 21:32: TAC+: Using default tacacs server-group "tacacs+" list.
    Jan 7 21:32: TAC+: 10.1.2.2 (3650164881) AUTHEN/START/LOGIN/ASCII queued
    Jan 7 21:32:05: TAC+: 10.1.2.2 (3650164881) AUTHEN/START/LOGIN/ASCII - TIMED OUT
    Jan 7 21:32:05: TAC+: (3650164881) AUTHEN/START/LOGIN/ASCII processed
    Jan 7 21:32:05: TAC+: Using default tacacs server-group "tacacs+" list.
    Jan 7 21:32:05: TAC+: 10.10.10.1 (3650164881) AUTHEN/START/LOGIN/ASCII queued
    Jan 7 21:32:10: TAC+: 10.10.10.1 (3650164881) AUTHEN/START/LOGIN/ASCII - TIMED OUT
    Jan 7 21:32:10: TAC+: (3650164881) AUTHEN/START/LOGIN/ASCII processed
    Jan 7 21:32:10: TAC+: Using default tacacs server-group "tacacs+" list.
    (etc.)

    There are two ACS servers; they replicate and both have the same problem.

    Reachability is not the problem.

    What should I check?

    Erik

    Mohamed

    Since this is a new issue, you might get more and better answers if you start a new thread rather than adding what may look like more comments on an existing one.

    However, since you asked the question here, I have a comment and a suggestion. This line of output:

    TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).

    suggests that something (probably the shared key for authenticating the device) is not properly synchronized between your device and the RADIUS server.

    My suggestion would be to look in the Failed Attempts report on the RADIUS server and see whether you see the authentication attempt from this device. If so, what does the TACACS+ server say about the cause of the failure?

    HTH

    Rick

  • ACS report problem

    Hello...

    I have ACS 2.6 (4) 4 and the following problems are happening:

    Authentication and authorization from the NAS work normally, but accounting does not work properly. If I use exec accounting only, the user appears in the ACS 'Logged-in Users' report; OK, if I add command accounting for levels 0, 1 or 15, the user still appears in the 'Logged-in Users' report, but as soon as I use any command (enable, show..., debug, etc.) the user disappears from that report and the commands are shown in TACACS+ Administration. I tried ACS 3.1 and accounting works normally there.

    Is this a bug? If not, how do I solve this problem?

    The configuration of my equipment is:

    ======
    Cisco IOS 2620 (C2600-I-M), Version 12.1(5)T7
    ======
    logging rate-limit console 10 except errors
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication ppp default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ none
    aaa authorization network default group tacacs+ none
    aaa accounting update newinfo
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    ====

    Thanks.

    Yep, it's a bug.

    See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239

  • How can I use Cisco ACS to save Shell commands

    Hi guys, pleeeease, how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the shell commands issued by users, and that is the most important report I need. I read materials and downloaded articles from the Cisco site... but it still does not give me the reports.

    I have these lines on my router:

    ...
    aaa authorization config-commands
    aaa authorization exec default group tacacs+
    aaa authorization commands 15 default if-authenticated
    aaa authorization network default group tacacs+
    ...

    Funnily, when I turn on AAA authorization debugging on the router, it shows me every command entered by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS, made all the necessary settings, and I have to say I like what I see already. I am starting to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum, keep up the good work. I recommend the software to those who need security audit logs adapted to management reporting.

    If I understand what you're asking correctly, the answer is not in authorization but in accounting. I set this up on my routers, and it sends to ACS the commands that privilege level 15 users enter on the router:

    aaa accounting commands 15 default start-stop group tacacs+

  • No TACACS+ Administration report after upgrading to ACS 4.1

    Hello

    I was running the ACS 4.0 demo version. Everything worked very well.

    After the upgrade, keeping the old configuration, I can't see logs in the TACACS+ Administration reports. I kept the router configuration and get the same thing, so I think the problem lies in the ACS software.

    I ran a few debugs, and it seems that the router does send the typed command to the ACS.

    Here is the config I'm using:

    aaa new-model
    tacacs-server host 192.168.X.X key XXXXXXXXXXX
    aaa authentication login telnet group tacacs+ enable
    aaa authentication login console enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection telnet stop-only group tacacs+
    line con 0
     authorization exec NO-AUTH
     login authentication console
    line vty 0 4
     authorization exec AUTH
     login authentication telnet
    aaa authorization exec AUTH group tacacs+ none
    aaa authorization config-commands
    aaa authorization exec NO-AUTH none
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none

    Hello

    It is a known issue; you must apply the hotfix ACS 4.1.1.23.5 to solve the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    The patch for ACS for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    That should solve the problem.

    Kind regards

    Jagdeep

    Note: If this answers your question, then please mark this thread as solved, so that others can benefit from it.

  • ACS 5.6: Problem with deleting a file via cli

    Hello everyone

    I am trying to automate the removal of network devices in ACS 5.6.

    I have a delete.csv file with the list of devices I want to delete:

    name:String(64):Required
    Test0
    Test1

    When I connect to the ACS CLI and run the command to import the file, I get this result:

    .../acsadmin(config-acs)# import-data add device tftp delete.csv delete_res.txt abort-on-error none
    Cannot start import. Header is incorrect. Download Import Template for required header record.

    But when I run the import from the web management interface, everything goes well:

    -------- Summary --------
    Total Number of Records Processed 2
    Number of Records Failed 0
    Number of Records processed successfully 2

    So please, does anyone know what I did wrong? Thank you

    To remove devices, try the following command:

    import-data delete device tftp delete.csv delete_res.txt abort-on-error no

    In addition, make sure that the file is plain text only. If you're still having problems, enable the following debugging:

    debug-log mgmt level debug

    Then repeat the process, download a support bundle and look at the logs for clues.

  • Cisco ACS SE GANYMEDE + accounting fails

    Hello

    I'm running Cisco ACS SE 4.1.23.5. My problem is that the ACS does not log the remote switches. I have configured the following accounting commands:

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

    When I enable aaa accounting debugging, I get the following logs on the switch.

    001091: Sep 12 12:06:06.464 TSB: AAA/ACCT: user johndoe, acct type 3 (2684940942): Method=tacacs+ (tacacs+)
    001092: Sep 12 12:06:06.665 TSB: TAC+: (2684940942): received acct response status = SUCCESS
    001093: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15 Port:
    'show running-config'
    001094: Sep 12 12:06:11.128 TSB: AAA/ACCT/CMD: found list "default"
    001095: Sep 12 12:06:11.346 TSB: AAA/ACCT: user johndoe, acct type 3 (1583033889): Method=tacacs+ (tacacs+)
    001096: Sep 12 12:06:12.000 TSB: TAC+: (1583033889): received acct response status = SUCCESS
    001097: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15 Port:
    'configure terminal'
    001098: Sep 12 12:08:16.303 TSB: AAA/ACCT/CMD: found list "default"
    001099: Sep 12 12:08:16.303 TSB: AAA/ACCT: user johndoe, acct type 3 (1098049616): Method=tacacs+ (tacacs+)
    001100: Sep 12 12:08:16.504 TSB: TAC+: (1098049616): received acct response status = SUCCESS
    001101: Sep 12 12:08:29.884 TSB: AAA/ACCT/CMD: user johndoe, tty2, priv 15 Port:

    It seems that the switch does get a response, but the ACS does not record it. I have updated the ACS to the latest patch (4.1.23.5), which is supposed to resolve this known bug.

    Is there something that I am missing?

    Thank you.

    ESD

    And what do you get in the TACACS+ Administration logs?

    Kind regards

    Prem

  • Dynamic assignment of VLANS for MAB / ACS 5.5

    Hello

    I'm trying to get MAB working with ACS 5.5, and the ACS side looks good in the logs: the MAC address is looked up and the authorization profile is correct. But on the switch I get the following:

    *Mar 1 00:12:53: AAA/AUTHEN/8021X (00000004): Pick method list 'default'
    *Mar 1 00:12:53: RADIUS/ENCODE(00000004): Orig. component type = DOT1X
    *Mar 1 00:12:53: RADIUS: AAA Attr not supported: audit-session-id [607] 24
    *Mar 1 00:12:53: RADIUS:   30 41 38 45 30 46 44 45 30 30 30 30 30 30 30 32  [0A8E0FDE00000002]
    *Mar 1 00:12:53: RADIUS:   30 30 30 38 30 41 42 46  [00080ABF]
    *Mar 1 00:12:53: RADIUS: AAA Attr not supported: interface [171] 20
    *Mar 1 00:12:53: RADIUS:   47 69 67 61 62 69 74 45 74 68 65 72 65 74 31 6F  [GigabitEthernet1]
    *Mar 1 00:12:53: RADIUS:   2F 30  [/0]
    *Mar 1 00:12:53: RADIUS(00000004): Config NAS IP: 0.0.0.0
    *Mar 1 00:12:53: RADIUS/ENCODE(00000004): acct_session_id: 4
    *Mar 1 00:12:53: RADIUS(00000004): sending
    *Mar 1 00:12:53: RADIUS/ENCODE: Best Local IP-Address 10.142.15.222 for Radius-Server 10.54.248.55
    *Mar 1 00:12:53: RADIUS(00000004): Send Access-Request to 10.54.248.55:1645 id 1645/5, len 162
    *Mar 1 00:12:53: RADIUS:  authenticator 5E FE 17 88 64 41 1D 09 - 86 EA 51 BE 78 42 B6 EB
    *Mar 1 00:12:53: RADIUS:  User-Name [1] 14 "28924ad5a199"
    *Mar 1 00:12:53: RADIUS:  User-Password [2] 18 *
    *Mar 1 00:12:53: RADIUS:  Service-Type [6] 6 Call Check [10]
    *Mar 1 00:12:53: RADIUS:  Framed-MTU [12] 6 1500
    *Mar 1 00:12:53: RADIUS:  Called-Station-Id [30] 19 "00-1A-A1-99-9F-82"
    *Mar 1 00:12:53: RADIUS:  Calling-Station-Id [31] 19 "28-92-4A-D5-A1-99"
    *Mar 1 00:12:53: RADIUS:  Message-Authenticato [80] 18
    *Mar 1 00:12:53: RADIUS:   EE F5 B8 E1 70 37 A6 3A AD 89 20 A5 A7 D0 E3 B4  [p7:]
    *Mar 1 00:12:53: RADIUS:  EAP-Key-Name [102] 2 *
    *Mar 1 00:12:53: RADIUS:  NAS-Port-Type [61] 6 Ethernet [15]
    *Mar 1 00:12:53: RADIUS:  NAS-Port [5] 6 50102
    *Mar 1 00:12:53: RADIUS:  NAS-Port-Id [87] 22 "GigabitEthernet1/0/2"
    *Mar 1 00:12:53: RADIUS:  NAS-IP-Address [4] 6 10.142.15.222
    *Mar 1 00:12:53: RADIUS(00000004): Started 5 sec timeout
    *Mar 1 00:12:53: RADIUS: Received from id 1645/5 10.54.248.55:1645, Access-Accept, len 106
    *Mar 1 00:12:53: RADIUS:  authenticator 26 B4 B9 AB 3 04 68 DA - 38 AF F6 CD 36 95 73 2 b
    *Mar 1 00:12:53: RADIUS:  User-Name [1] 19 "28-92-4A-D5-A1-99"
    *Mar 1 00:12:53: RADIUS:  Class [25] 31
    *Mar 1 00:12:53: RADIUS:   43 41 43 53 3 a 41 30 31 44 52 46 4 30 30 32 2F  [CACS:A01DRFN002 /]
    *Mar 1 00:12:53: RADIUS:   32 33 31 35 38 38 36 30 31 31 37 38 2F  [231588601/178]
    *Mar 1 00:12:53: RADIUS:  Tunnel-Type [64] 6 01:VLAN [13]
    *Mar 1 00:12:53: RADIUS:  Tunnel-Medium-Type [65] 6 01:ALL_802 [6]
    *Mar 1 00:12:53: RADIUS:  Message-Authenticato [80] 18
    *Mar 1 00:12:53: RADIUS:   91 22 50 8 62 C2 F0 10 C6 OF 70 84 AF 31 6 CD  [Pbp1l ""]
    *Mar 1 00:12:53: RADIUS:  Ascend-Auth-Type [81] 6 20003120
    *Mar 1 00:12:53: RADIUS(00000004): Received from id 1645/5
    *Mar 1 00:12:53: RADIUS: Unsupported value 20003120 for attribute 81
    *Mar 1 00:12:53: RADIUS/DECODE: Ascend auth type; FAIL
    *Mar 1 00:12:53: RADIUS/DECODE: decoder; FAIL
    *Mar 1 00:12:53: RADIUS/DECODE: attribute Ascend-Auth-Type; FAIL
    *Mar 1 00:12:53: RADIUS/DECODE: parse response op decode; FAIL
    *Mar 1 00:12:53: RADIUS/DECODE: parse response; FAIL
    *Mar 1 00:12:53: %MAB-5-FAIL: Authentication failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
    *Mar 1 00:12:53: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF
    *Mar 1 00:12:53: %AUTHMGR-5-FAIL: Authorization failed for client (2892.4ad5.a199) on Interface Gi1/0/2 AuditSessionID 0A8E0FDE0000000200080ABF

    It recognizes attributes 64 and 65, but Tunnel-Private-Group-ID, which carries the actual VLAN number, is not supported. How can I assign the VLAN if this attribute is not supported? It does not work with a string matching the VLAN name on the switch either.

    The version is 12.2.55SE10 on a 3750G.

    Hello

    From the debugs I see that you are missing an attribute needed for the VLAN assignment; in your test you only send the following:

    *Mar 1 00:12:53: RADIUS:  Tunnel-Type [64] 6 01:VLAN [13]
    *Mar 1 00:12:53: RADIUS:  Tunnel-Medium-Type [65] 6 01:ALL_802 [6]

    But you should send:

    • Tunnel-Type = 64 = VLAN

    • Tunnel-Medium-Type = 802

    • Tunnel-Private-Group-ID = 253

    where "Tunnel-Private-Group-ID" is the number/name of the VLAN to be assigned. Below is an example of what it would look like in the ACS authorization profile:

    http://www.Cisco.com/c/dam/en/us/support/docs/wireless/5500-series-wirel...

    Note: please mark as answered as appropriate
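    The three tagged attributes listed in the answer above, as an added example that is not part of the original thread: a small Python (standard library only) encoder for the Access-Accept side and a checker that groups the tunnel attributes by tag and reports which of 64/65/81 is missing, which is the situation in the debug above where only Tunnel-Type and Tunnel-Medium-Type arrived. The sample attribute bytes, VLAN values and tag numbers are constructed for the demonstration.

```python
"""Tagged RADIUS tunnel attributes for dynamic VLAN assignment (RFC 2868 / RFC 3580):
an encoder for the Access-Accept side and a checker for what a NAS needs to see."""
import struct

TUNNEL_TYPE = 64               # Tunnel-Type, value = tag(1) + integer(3)
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type, value = tag(1) + integer(3)
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID, value = tag(1) + string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_TRIO = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)

def encode_avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1, includes the header) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def vlan_assignment_avps(vlan, tag=1):
    """The three attributes that place a session into `vlan` (ID or name),
    all carrying the same tag so that the NAS groups them together."""
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    t = bytes([tag])
    return b"".join([
        encode_avp(TUNNEL_TYPE, t + struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),
        encode_avp(TUNNEL_MEDIUM_TYPE, t + struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]),
        encode_avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan).encode("ascii")),
    ])

def decode_avps(data):
    """Walk the attribute area of a RADIUS packet into [(type, value), ...]."""
    avps, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((t, data[off + 2:off + length]))
        off += length
    return avps

def split_tag(value):
    """RFC 2868: a first octet of 0x01..0x1F is a tag; anything else means the
    attribute is untagged (tag 0) and the octet belongs to the value."""
    if value and 0x01 <= value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value

def check_vlan_assignment(data):
    """Return (vlan, None) when the attributes carry a usable VLAN assignment,
    otherwise (None, reason). Attributes are grouped by tag, as a NAS does."""
    groups = {}
    for t, v in decode_avps(data):
        if t in VLAN_TRIO:
            tag, payload = split_tag(v)
            groups.setdefault(tag, {})[t] = payload
    if not groups:
        return None, "no tunnel attributes present"
    for tag, attrs in groups.items():
        missing = [n for n in VLAN_TRIO if n not in attrs]
        if missing:
            return None, "tag %d: missing attribute(s) %s" % (tag, missing)
        if int.from_bytes(attrs[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            return None, "tag %d: Tunnel-Type is not VLAN (13)" % tag
        if int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            return None, "tag %d: Tunnel-Medium-Type is not IEEE-802 (6)" % tag
        group = attrs[TUNNEL_PRIVATE_GROUP_ID]
        if not group or not all(0x20 <= b < 0x7F for b in group):
            return None, "tag %d: Tunnel-Private-Group-ID is empty or not printable" % tag
        return group.decode("ascii"), None

# Constructed sample: what the Access-Accept in the debug above effectively carried,
# Tunnel-Type and Tunnel-Medium-Type with tag 01 but no usable Tunnel-Private-Group-ID.
INCOMPLETE_ACCEPT = (encode_avp(TUNNEL_TYPE, b"\x01\x00\x00\x0d")
                     + encode_avp(TUNNEL_MEDIUM_TYPE, b"\x01\x00\x00\x06"))

if __name__ == "__main__":
    print(check_vlan_assignment(INCOMPLETE_ACCEPT))          # (None, 'tag 1: missing attribute(s) [81]')
    print(check_vlan_assignment(vlan_assignment_avps(253)))  # ('253', None)
```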

  • 2611XM Terminal Server + ACS + new authentication when selecting menu options

    Hello

    I managed to configure ACS authentication on my 2611XM router.

    After you connect to the router, I have an autocommand configured to run a menu.

    My problem is that when you select an option in the menu,

    you are then prompted to re-authenticate against the router before connecting to the line.

    Can someone tell me how to prevent it?

    Thank you in advance for your time and effort; I have attached the config below.

    DDRAS01#sh running-config
    Building configuration...

    Current configuration : 6854 bytes
    !
    ! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
    ! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    !
    hostname DDRAS01
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication enable default
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common
    clock timezone WAS 10
    clock summer-time WAS recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    ip domain list
    ip domain list
    ip domain name
    ip host dd-cr-01F 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server
    ip name-server
    !
    !
    !
    username operators privilege 15 password 7
    !
    !
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    !
    !
    interface Loopback0
     ip address 172.16.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 255.255.255.0
     speed 100
     full-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface BRI0/0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    !
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    !
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging
    snmp-server community RO
    snmp-server community RW
    snmp-server location
    snmp-server contact operators
    !
    menu ddras01 title ^C
    Cisco Terminal Server
    Select a number from the list below
    Use "ctrl+shift+6" then 'x' to return to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 / telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 / telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 / telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 / telnet ddce565 2040
    menu ddras01 text 9 Exit
    menu ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu ddras01 status-line
    menu ddras01 line-mode
    radius-server host 10.2.0.50
    radius-server application made
    radius-server key 7
    !
    control-plane
    !
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    !
    line con 0
     password 7
     logging synchronous
    line 33 64
     no exec-banner
     exec-timeout 0 0
     no activation-character
     no exec
     transport preferred telnet
     transport input all
     escape-character 27
     stopbits 1
     flowcontrol hardware
    line aux 0
    line vty 0 4
     password 7
     logging synchronous
     autocommand menu ddras01
    line vty 5 181
     password 7
     logging synchronous
     autocommand menu ddras01
    !
    ntp clock-period 17208487
    ntp source FastEthernet0/0
    ntp server
    end

    Hello

    You have aaa authentication login default configured; with this you get prompted

    when you try to access the line.

    Under line vty 5 181 try adding:

    login authentication NOAUTH
    authorization exec NOAUTH

    Add the aaa lines:

    aaa authentication login NOAUTH none
    aaa authorization exec NOAUTH none

    This should stop the authentication on the lines.

    -Jesse

  • Interoperability issue with ACS 5.0 as RADIUS with ASA?

    Hello

    I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0), and the VPN user database is in AD. Now when I try to connect through the Cisco VPN client, I am unable to do so. In fact, I get an error message (through aaa and isakmp debugging on the ASA) that my RADIUS server is DOWN.

    Please let me know whether there is any compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.

    Regards

    Ritesh

    Ritesh,

    Yes, there is a bug in ACS 5.0 with VPN authentication.

    When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
    In the ASDM logs you'll see that the RADIUS server is not reachable.
    Debugs show a RADIUS timeout.
    This will work with TACACS+.

    The access policy rule was not hit. Also, RADIUS could not be used as we hit CSCsy17858

    http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; TACACS+ was used instead of RADIUS.

    If you want to use RADIUS, then you need to upgrade your ACS version to 5.1.

    You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:

    Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

    Reference: upgrading ACS from version 5.0 to 5.1:
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

    HTH

    Kind regards

    JK

    Please rate useful posts.

  • Cisco ACS authentication issues

    Hi all

    I have just set up my ACS for Windows Server. It runs software version 4.1. I have authentication problems. In the ACS GUI I set it up to use TACACS+ to authenticate the AAA clients. I have the key on the switch and the corresponding key on the ACS server. I have set up users. Here's my AAA config on the switch...

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable

    Here is the TACACS+ debugging information:

    183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961
    183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
    183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
    183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
    183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
    183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683
    WC2950-12#
    183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
    183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.
    183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell

    I have the same key on the AAA server as I do on my switch...

    Thank you

    Please check the shared secret key of the NDG and of the main AAA client entry. The NDG key overrides the main AAA client key.

    Make sure you have the right key in the NDG.

    Kind regards

    ~ JG

    Please rate useful posts
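    Both the "received bad AUTHEN packet: length = 6, expected 128683" / "(check keys)" lines above and the "check keys" line in the earlier "bad argument key" thread come from the same mechanism, TACACS+ body obfuscation with the shared key. As an added example that is not code from either thread, this Python (standard library only) implements the RFC 8907 MD5 pseudo-pad and the length sanity check a NAS applies to a de-obfuscated REPLY, and shows how a mismatched key turns the two length fields into a meaningless "expected" value. The session id is the one in the debug; the keys and the server message are constructed.

```python
"""TACACS+ (RFC 8907) body obfuscation, and why a shared-key mismatch surfaces on the NAS
as 'received bad AUTHEN packet: length = 6 expected <garbage>' followed by '(check keys)'."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0                 # major 0xC, minor 0 -> the 'ver=192' in the debug
TAC_PLUS_AUTHEN = 0x01                  # header type: authentication
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04   # REPLY status: server asks the NAS for the username

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); the blocks are
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    de-obfuscates, and a wrong key simply yields a different, meaningless body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(session_id, key, seq_no, status, server_msg=b"", data=b""):
    """Server -> NAS authentication REPLY: 12-byte cleartext header + obfuscated body.
    Body layout: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no,
                         0,              # header flags: unencrypted flag clear -> body obfuscated
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def check_authen_reply(packet, key):
    """What the NAS does on receipt: de-obfuscate with its configured key, then require
    header length == 6 + server_msg_len + data_len.
    Returns (ok, header_length, expected_length, status)."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a complete authentication packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    status, _bflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len
    return expected == length, length, expected, status

# Constructed demo values: the session id is the one in the debug above; the key and the
# server message are made up. The switch in the thread is in the 'mismatched key' case.
SESSION_ID = 2789804961
SERVER_KEY = b"example-shared-secret"

def demo():
    pkt = build_authen_reply(SESSION_ID, SERVER_KEY, 2, TAC_PLUS_AUTHEN_STATUS_GETUSER, b"Username: ")
    good = check_authen_reply(pkt, SERVER_KEY)              # NAS configured with the same key
    bad = check_authen_reply(pkt, b"typo-in-shared-secret")  # NAS configured with a different key
    return good, bad

if __name__ == "__main__":
    good, bad = demo()
    print("matching key:   ok=%s length=%d expected=%d status=%d" % good)
    print("mismatched key: ok=%s length=%d expected=%d status=%d" % bad)
```

    With the matching key the check passes and the status decodes as GETUSER (4); with the wrong key the header length is still 16 but the de-obfuscated length fields give an arbitrary "expected" value, which is exactly the shape of the debug line above.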

  • Using ACS to refuse to see the support

    I'm trying to deny the show tech-support command using Cisco Secure ACS command authorization sets (screenshot included). All the other deny commands are working (e.g. show running-config), but no matter what I do, the one for show tech does not work. Any ideas?

    Do you have these authorization commands configured?

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 0 default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    tacacs-server host 10.1.1.1 key cisco123

    debug aaa authorization should display:

    AAA/AUTHOR/CMD: tty2 (2846421758) user='switchuser'
    AAA/AUTHOR/CMD (2846421758): send AV service=shell
    AAA/AUTHOR/CMD (2846421758): send AV cmd=show
    AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=tech-support
    AAA/AUTHOR/CMD (2846421758): send AV cmd-arg=<cr>
    AAA/AUTHOR/CMD (2846421758): found list "default"
    AAA/AUTHOR/CMD (2846421758): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (2846421758): user=switchuser
    AAA/AUTHOR/TAC+: (2846421758): send AV service=shell
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd=show
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=tech-support
    AAA/AUTHOR/TAC+: (2846421758): send AV cmd-arg=<cr>
    TAC+: Using default tacacs server-group "tacacs+" list.
    TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    TAC+: Opened TCP/IP handle 0x2E8FEA4 to 10.1.1.1/49
    TAC+: 10.1.1.1 (2846421758) AUTHOR/START queued
    TAC+: (2846421758) AUTHOR/START processed
    TAC+: (-1448545538): received author response status = FAIL

    Be sure to change the ACS shell command authorization set to...

    deny tech-support rather than deny tech.

  • Cisco ACS 1120 appliance, ACS 5.0 web GUI connection error

    Hi all

    I installed the ACS 1120 appliance as follows:

    entered the setup command in console mode,

    installed the license via the GUI.

    But when I access the GUI it disconnects regularly.

    When I ping, the ping is successful and shows TTL 128,

    but after some time the connection is re-established and when I ping the TTL shows 64.

    Can someone help with this problem?

    Thank you very much

    Hello

    I couldn't quite follow the description of your problem. Can you clarify the problem in more detail?

    You mention that when you access the ACS GUI it disconnects regularly. Do you lose all IP connectivity to the ACS, or is the problem only through the user interface?

    Could you please include, from the ACS CLI:

    show application status acs
    show version
    show tech

    It would also be relevant to see the output of 'show application status acs' when the problem occurs.

    For additional troubleshooting, the support bundle will also hold relevant information around the timestamp of the problem occurrence. You need to enable the debug logs first, for example:

    ACS CLI:
    admin# conf t
    admin(config)# logging loglevel 7
    admin(config)# exit
    admin# acs-config
    After a few seconds,
    you can then log in with the ACS GUI username/password credentials.

    acsadmin(config-acs)# debug-log mgmt-acsview level debug
    acsadmin(config-acs)# debug-log runtime level debug
    acsadmin(config-acs)# exit

    After the problem occurs, the support bundle can then be downloaded from the GUI: Monitoring & Report Viewer > Troubleshooting > ACS Support Bundle. We will need to check the logs around the timestamp of the problem.

    But for now, more details about the problem seem necessary, as well as the output of the ACS CLI show commands mentioned above.

    Thank you

    Alex

  • No user can get authenticated on ACS SE 4.1

    Hi all

    I'm having a devil of a time getting a new ACS SE 4.1 configured in a new network. I have a 3560 that I'm trying first, but I can't authenticate. I have the user/group account set up and the group matches my AAA statements, although I saw some errors about the group not being configured. I even created two different groups and tried different names, but again, no luck. I'm just using the internal DB, nothing special. I read the administration guide, but it has not helped. When I turn on debugging, I don't see a lot of activity, only about the group being wrong, but I don't understand how that's possible. I'm short on time and would really appreciate the help. Thanks in advance!

    When we do EXEC authorization, the ACS/authorization server gives the user exec privileges, for example.

    Under the user/group settings, look for "Shell (exec)" and check it. This should let you in. If you also want to get a certain privilege level directly when you log in, then also check 'Privilege level' and type the value, 0-15, in the box.

    I recommend referring to

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    if this is your first authorization configuration.

    Kind regards

    Prem

    Please rate if this helps!
