ACS authentication - confusing failure
I'm currently confused looking into devices that fail authentication through the ACS. When I look at the ACS reporting tool, I see a device (a Dell laptop) appear on the same switch port with about 900 failed authentication attempts per day. I followed that up by checking the switch's MAC address table. I see devices connected (via a hub), but not the one that is failing. On the port there is the hub, 2 Dell laptops (but not the one failing ACS) and a VTC unit.
To add to the confusion, the VTC unit has an IP address in the firewall ARP table. I don't know where to go from here.
Robert,
I missed your question at first; the answer is yes, when authentication fails the client is not entered in the MAC address table, since that would allow traffic to pass. Dot1x (MAB) is an L2 authentication framework which does not allow the MAC address to be learned until we see the accept from the RADIUS server.
So if the client authentication is expected to fail, then everything is OK in regards to your deployment and the behavior of the switch.
Tarik Admani
*Please rate helpful posts*
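Added example, not code from the thread: a small Python script that cross-checks an ACS failed-attempts export against 'show mac address-table' output, port by port, to confirm the behaviour Tarik describes (a MAC that keeps failing should be absent from the table; a MAC that is learned despite failures deserves a closer look). Both inputs are constructed samples, and the interface names, MAC and IP addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: rows exported from an ACS "Failed Attempts" report
# (calling-station MAC, NAS IP, NAS port, failures per day). Not real data.
FAILED_ATTEMPTS = """\
00:11:22:33:44:55,10.0.0.2,GigabitEthernet1/0/7,900
00:11:22:33:44:66,10.0.0.2,GigabitEthernet1/0/9,3
"""

# Constructed sample: output in the style of 'show mac address-table'.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/7
  10    0011.2233.4466    STATIC      Gi1/0/9
"""

def canonical_mac(mac: str) -> str:
    """Normalise 00:11:22:33:44:55 / 0011.2233.4455 / 00-11-... to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def short_ifname(name: str) -> str:
    """GigabitEthernet1/0/7 and Gi1/0/7 both become gi1/0/7."""
    m = re.fullmatch(r"([A-Za-z]+)(\S*)", name)
    if not m:
        raise ValueError(f"not an interface name: {name!r}")
    return (m.group(1)[:2] + m.group(2)).lower()

def parse_mac_table(text: str):
    """Map port -> set of MACs currently learned on it (header/separator lines are skipped)."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+([0-9a-fA-F.]+)\s+(\w+)\s+(\S+)", line)
        if m:
            table[short_ifname(m.group(4))].add(canonical_mac(m.group(2)))
    return table

def correlate(report: str, table):
    """For each failing MAC: is it learned on the port it failed on, and who else is there?"""
    result = {}
    for line in report.splitlines():
        if not line.strip():
            continue
        mac, nas_ip, port, count = line.split(",")
        mac, port = canonical_mac(mac), short_ifname(port)
        on_port = table.get(port, set())
        result[mac] = {
            "nas_ip": nas_ip,
            "port": port,
            "failures": int(count),
            "in_mac_table": mac in on_port,
            "other_macs_on_port": sorted(on_port - {mac}),
        }
    return result

def verdict(entry) -> str:
    """Expected 802.1X/MAB behaviour versus something worth a closer look."""
    if not entry["in_mac_table"]:
        return "consistent: the switch withholds the MAC until the RADIUS server accepts it"
    return "investigate: MAC learned on the port despite failed attempts (another session or method authorized it)"

if __name__ == "__main__":
    for mac, entry in correlate(FAILED_ATTEMPTS, parse_mac_table(MAC_TABLE)).items():
        print(mac, entry["port"], entry["failures"], verdict(entry), entry["other_macs_on_port"])
```

In Robert's situation the failing laptop would show up as "consistent" with two other MACs listed on the same port (the other devices behind the hub), which is exactly what the MAC table showed him.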
Tags: Cisco Security
Similar Questions
-
ACS 5.6 authentication problem
We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.
The unit is installed on the network, licensed correctly, etc.
I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.
I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.
When I SSH into the switch, I can log in using my AD username and password, but I can't go into enable mode. It says "authentication failure".
My aaa settings are
tacacs-server host 172.25.50.8
tacacs-server timeout 3
tacacs-server directed-request
tacacs-server key
I'm missing something somewhere, I don't know where. If I try to download the ACS support bundle, it says download, but does not say where (or how).
Any advice would be great. I'm new to this product.
See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889
-
Cisco ACS authentication issues
Hi all
I have just set up ACS for Windows Server. It runs version 4.1 software. I have problems with authentication. I have set up in the ACS GUI to use TACACS+ to authenticate the AAA clients. I have the key in the switch and the corresponding key on the ACS server. I have set up users. Here's my AAA config on the switch...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
Here is the TACACS+ debug information
183757: Sep 2 10:14:22.131 EDT: TAC+: send AUTHEN/START packet ver=192 id=2789804961
183758: Sep 2 10:14:22.131 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183759: Sep 2 10:14:22.131 EDT: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
183760: Sep 2 10:14:22.135 EDT: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
183761: Sep 2 10:14:22.135 EDT: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
183762: Sep 2 10:14:22.335 EDT: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
183763: Sep 2 10:14:22.335 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 128683
WC2950-12#
183764: Sep 2 10:14:22.335 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
183765: Sep 2 10:14:22.335 EDT: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
183766: Sep 2 10:14:22.339 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183767: Sep 2 10:14:22.339 EDT: SSH1: password authentication failed for wcromwell
I have the same keys on the AAA server as I do on my switch...
Thank you
Please check the secret key of the NDG and of the main AAA clients. The NDG key overrides the main AAA client key.
Make sure you have the right key in the NDG >
Kind regards
~ JG
Please rate helpful posts
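Added example, not code from the thread or from Cisco: a minimal Python model of the TACACS+ packet header and body obfuscation from RFC 8907 (an MD5 pseudo-pad seeded with session id, shared key, version and sequence number, XORed over the body). It shows why a key mismatch does not surface as a clean "wrong key" error but as the nonsense length in the debug above: with the wrong key the body deobfuscates to garbage, so the length fields no longer add up. The debug's ver=192 is 0xC0, the version byte used here. The username, port, remote address and both keys are constructed values; the session id is the one from the debug.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (only the ones this example needs).
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0: the "ver=192" in the debug above
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}), concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes) -> bytes:
    """Client side: an AUTHEN/START/LOGIN/ASCII packet (seq_no 1, no data field)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)

def parse_authen_start(packet: bytes, key: bytes):
    """Server side: deobfuscate with the server's key and sanity-check the body.
    Returns a dict of fields, or an error string of the kind the IOS debug shows."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    if ptype != TAC_PLUS_AUTHEN or len(body) < 8:
        return "invalid packet"
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    expected = 8 + ulen + plen + rlen + dlen
    if expected != length:
        # Wrong key: the length bytes deobfuscate to garbage, which is the
        # "received bad AUTHEN packet: length = X, expected Y ... (check keys)" symptom.
        return f"bad AUTHEN packet: length = {length}, expected {expected} (check keys)"
    off = 8
    user = body[off:off + ulen].decode("latin-1"); off += ulen
    port = body[off:off + plen].decode("latin-1"); off += plen
    rem_addr = body[off:off + rlen].decode("latin-1")
    return {"session_id": session_id, "seq_no": seq_no, "action": action,
            "priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr}

if __name__ == "__main__":
    pkt = build_authen_start("wcromwell", "tty1", "10.11.8.5", 2789804961, b"switch-secret")
    print(parse_authen_start(pkt, b"switch-secret"))   # fields decode cleanly
    print(parse_authen_start(pkt, b"server-secret"))   # mismatched key: bogus length
```

In the debug the roles are reversed (IOS is the client failing to decode the server's REPLY), but the failure mode is the same: the first thing a receiver checks after deobfuscation is that the declared field lengths agree with the header length, and a shared-secret mismatch fails that check before any credential is looked at.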
-
ACS 4.2 authentication and privileged exec mode on a test router.
The goal is to have ACS authenticate my username via SSH and, once authenticated, let me go into privileged exec mode. Details below.
I have ACS Solution Engine 4.2 and a test router with the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key $#$&$*#
The problem is the following. I can SSH and log in to the router using a user in the ACS database, but the router does not allow me to use the enable command in exec mode. The error it gives me is:
AAA_ROUTER_CLIENT>enable
% Authentication failure.
AAA_ROUTER_CLIENT>
I must be missing something in the ACS. Any help would be appreciated.
You are missing this command:
aaa authorization exec default group tacacs+ if-authenticated
This is what you need on the router:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On the ACS:
To bring users/groups to level 15:
1. Go to User Setup or Group Setup in ACS.
2. Scroll down to "TACACS+ Settings".
3. Check "Shell (exec)".
4. Check "Privilege level" and enter "15" in the adjacent field.
Kind regards
~ JG
Please rate helpful posts
-
ACS 4.1 failure to authenticate Windows users.
Hello.
We run Cisco Secure ACS for Windows version 1.0000 b23p5 on a Windows 2000 member server.
Today, ACS is unable to authenticate users.
Using the same external user (andrea-meconi) I can see both a successful and a failed authentication.
This is the AUTH.log for a generic RADIUS request...
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 15:30:24 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: 1 ODBC workers
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: DLL initialized OK
AUTH 25/02/2013 15:30:24 I 0571 3900 AuthenLoadLibrary: External ODBC database DLLs loaded
AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: Authenticating 'andrea-meconi' against an external ODBC database
This is the log for an EAP request...
AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: Authenticating "venezia\andrea-meconi" against Windows NT/2000
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Got the CISCO desktop
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]
Windows AD is now on Windows Server 2008, migrated from 2003.
Any idea?
Thank you.
Andrea
Windows authentication FAILED (error 1783L)
The error above indicates that the migration happened during the night. To resolve this problem, you must update your ACS to at least ACS 4.2.0.124 patch 4 or higher.
Supported OS section:
- Windows Server 2008, Standard Edition
- Windows Server 2008, Enterprise Edition
- Windows Server 2008, Standard Edition, Service Pack 2 Japanese
- Windows Server 2008, Enterprise Edition, Service Pack 2 Japanese
NOTE: No ACS 4.x version supports 2008 R2. Only ACS 5.2 supports it.
Kind regards
Jatin kone
- Please rate helpful posts -
-
I reinstalled Firefox and still receive a gateway authentication failure.
I had a power outage with U-Verse. When power came back on I received the message 'Gateway Authentication Failure'. I am able to connect to the internet with Google Chrome or MSN but not Firefox. I have a PC with Windows 8.1.
Hello
Refresh (called "Reset" in older versions of Firefox) can solve a lot of problems by restoring Firefox to its factory default state while saving your bookmarks, history, passwords, cookies, and other essential information.
Note: When you use this feature, you will lose all extensions, toolbar customizations, and certain preferences. See the article Refresh Firefox - reset add-ons and settings for more information.
Refresh for Firefox:
- Open the Troubleshooting Information page using one of the following methods:
- Click the menu button, click Help and select Troubleshooting Information. A new tab containing your troubleshooting information should open.
- If you are unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting Information page.
- At the top right of the page, you should see a button that says "Refresh Firefox" ("Reset Firefox" in older versions of Firefox). Click on it.
- Firefox closes. Once the refresh process is complete, Firefox will display a window with the imported information.
- Click Finish and reopen Firefox.
Did this fix the problem? Please report back to us!
Thank you.
-
ACS authentication with Active Directory based on AD groups
Hello
I'm trying to integrate Cisco ACS 5.4.0.46 with AD. I connected ACS to AD successfully and I have used AD authentication successfully for network devices, but my problem now is that anyone with an AD account can connect to the network devices, which compromises security. I created a group in AD that I would use, and I added the group under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. I also chose AD1 as the identity source for Default Device Admin and, under Authorization, an authorization policy that uses a compound condition on AD1 and the custom group. However, after having set all that, I am still able to connect to the switch with a user who is not in the custom group. Based on what I have explained, can someone tell me if I'm missing a step?
Thank you
Derek Velez
Thanks for the update. Set the default rule to deny access; when a legitimate user does not match a rule set by the ACS administrator, he should get denied access. In your case it has been set to permit, so that both types of users (members and non-members of the AD group) get access.
The best way to resolve these issues is to look at Monitoring and Troubleshooting > the user's attempt > magnifying glass. You will see how this user has been allowed access.
~ BR
Jatin kone
*Please rate helpful posts*
-
ACS authentication by ACS Agent in another (trusted) domain
Hello
I have two domains. Domain A is the top-level domain. Domain B is a child domain of domain A.
The ACS Agents are installed on two domain controllers in domain A.
Authentication of clients in domain A is ok.
Authentication of clients in domain B is a problem.
I created a universal group in the domain. In this universal group, I put a global group of users from domain B. Authentication is not OK.
The ACS "Failed Authentications" log says: "External DB account Restriction".
What is the problem here?
Regards,
Remco
Check that the users are not mapped to a disabled group. Do not map several Windows groups to one ACS group. The following link can help you:
-
Secure ACS Authentication and Authorization with SecurID
I am able to authenticate login attempts using an external database (RSA SecurID). The problem is that everyone with a token is authorized to connect to any switch with priv 15 or whatever I set (with no way to control who gets what access). How can I authorize users based on some kind of group membership? The SecurID server is already integrated with LDAP; it only checks to see if the user exists in the database.
I need to create two groups, or even just allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect. I can't find guides that do anything beyond authentication when you use a SecurID token.
Thank you.
Hello
On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. When authorization is in place, user access privileges can be governed by the ACS. In the Default Device Admin access policy (if you are using the default policy for TACACS+), set the authorization rule to verify membership in a user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to other users.
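Added example, not code from the thread or from ACS: a Python model of the first-match authorization rule table with a default rule, as discussed in both the AD-groups thread above (default rule left at permit, so non-members fall through and get in) and this SecurID thread (group-based rule plus a DenyAccess default). The group DNs, shell profile names and identity store names are assumptions; the rule semantics (first matching compound condition wins, otherwise the default rule applies) are the point being shown.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ShellProfile:
    name: str
    allowed: bool
    privilege: Optional[int] = None   # None: device default level; irrelevant when not allowed

DENY_ACCESS = ShellProfile("DenyAccess", allowed=False)
PERMIT_ACCESS = ShellProfile("Permit Access", allowed=True)           # a bare permit, no profile
NETADMIN = ShellProfile("NetAdmin-Shell", allowed=True, privilege=15)
READONLY = ShellProfile("ReadOnly-Shell", allowed=True, privilege=1)

@dataclass(frozen=True)
class Rule:
    name: str
    identity_store: str        # compound condition, part 1: which store authenticated the user
    any_of_groups: frozenset   # compound condition, part 2: user is in at least one of these groups
    result: ShellProfile

@dataclass
class AuthorizationPolicy:
    """First-match rule table plus a default rule, the shape of Default Device Admin > Authorization."""
    rules: tuple
    default: ShellProfile

    def evaluate(self, identity_store: str, user_groups) -> tuple:
        groups = frozenset(user_groups)
        for rule in self.rules:
            if rule.identity_store == identity_store and rule.any_of_groups & groups:
                return rule.name, rule.result
        return "Default", self.default          # nothing matched: the default rule decides

# Constructed group DNs (assumptions, not from the thread).
NETADMINS = "CN=NetAdmins,OU=Groups,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
RULES = (
    Rule("Network admins", "AD1", frozenset({NETADMINS}), NETADMIN),
    Rule("Helpdesk read-only", "AD1", frozenset({HELPDESK}), READONLY),
)

def policy_as_posted() -> AuthorizationPolicy:
    """Default rule left at Permit Access: users matching no rule still get a shell."""
    return AuthorizationPolicy(RULES, PERMIT_ACCESS)

def policy_hardened() -> AuthorizationPolicy:
    """Default rule set to DenyAccess, as both replies recommend."""
    return AuthorizationPolicy(RULES, DENY_ACCESS)

def device_login(policy: AuthorizationPolicy, identity_store: str, user_groups) -> tuple:
    """What the device ends up doing for this user: (rule hit, allowed?, privilege level)."""
    hit, profile = policy.evaluate(identity_store, user_groups)
    return hit, profile.allowed, profile.privilege

if __name__ == "__main__":
    contractor = {"CN=Contractors,OU=Groups,DC=example,DC=com"}
    print("as posted, non-member:", device_login(policy_as_posted(), "AD1", contractor))
    print("hardened,  non-member:", device_login(policy_hardened(), "AD1", contractor))
    print("hardened,  net admin :", device_login(policy_hardened(), "AD1", {NETADMINS}))
```

The same table explains the SecurID case: with only authentication configured on the devices there is no authorization request for this table to answer at all, so every token holder gets whatever the line's default privilege is; once "aaa authorization exec" is on the device, the rule hit (and its shell profile) decides the privilege level, and the default rule decides what happens to everyone else.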
-
ACS 5.4 failure after installing Patch - 5-4-0-46-4
I installed the latest patch (5-4-0-46-4) on the ACS server and after that I'm getting the following error when I try to access
System Administration > ... > Administrators > Administrative Access Control > Authorization. The error message is
This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page.
I can't get away from this error and I have to log out before doing anything else, but whenever I try to access this Authorization page again, the same error message appears.
Has anyone updated ACS 5.4 with the latest patch and experienced this error? Did you manage to fix it, and if so how?
Please check if your scenario corresponds to the symptoms of the bug listed below.
CSCud78248 ACS 5.4 administrative access control failure
Symptom:
"This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page." when you navigate to System Administration > Administrative Access Control > Authorization
Conditions:
ACS 5.4, if there is more than one 'RADIUS Identity Server' configured: the message "This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page." appears when you navigate to System Administration > Administrative Access Control > Authorization
Workaround:
Configure a single identity server
~ BR
Jatin kone
*Please rate helpful posts*
-
Kerberos5: authentication handshake failure
Hi, when connecting to the Oracle 11g server via the Oracle 12c managed client from a .NET application, I get the error "Kerberos5 authentication handshake failure: could not load 'Oracle.ManagedDataAccessIOP'". The application worked well when using the unmanaged 11g client (authentication mode: Kerberos), but when upgraded to the managed 12c drivers the problem occurs. Please help!
It is not a fully managed Kerberos implementation. Unmanaged ODP.NET uses the MIT Kerberos libraries that are part of the Oracle Client. With managed ODP.NET, these Kerberos libraries must be installed. You can install MIT Kerberos yourself or install the Oracle DB 12c client, which includes MIT Kerberos. Managed ODP.NET includes a second DLL, Oracle.ManagedDataAccessIOP.dll, which works with the Kerberos libraries. There is a 32-bit and a 64-bit IOP DLL, depending on whether you are using the 32-bit or 64-bit Kerberos libraries.
There is more info in the doc:
http://docs.Oracle.com/CD/E56485_01/win.121/e55744/featConnecting.htm#ODPNT8270
-
We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured for automatic connection with a specific account. The access point uses VLAN 1 and the wireless terminal VLAN 40. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access into VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.
The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.
-
ACS authentication problem with TACACS+
My organization was using ACS with AD to authenticate users for access to network devices.
But lately, it does not work. There have been no known changes.
Can anyone help point out the possible problems, or links showing how the actual ACS configuration should look for this to work?
My apologies if this is a naïve question; I am not so comfortable with ACS.
Thank you!
Hello
There are two ways to correct the message 'Windows dial-in permission required'. You can either add dial-in permission to the user accounts in your Windows database, or you can remove the "Require Dialin permissions" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a
box that gives you the opportunity to "verify that grant dialin permission is checked".
Checking this box will cause the error you get if your Windows users do not have dial-in permission. If you uncheck this box, it should clear this up.
HTH
JK
-
Verification of genuine software failure
I downloaded a trial version of Photoshop CS6 from the Adobe Download Manager, and when I try to install it, it says that it is not genuine Adobe software and appears to be counterfeit. What can I do about it?
Your download is corrupt. Delete the currently downloaded installation files and repeat the download. Did you receive an error during the download process?
-
2611XM Terminal Server + ACS + re-authentication when selecting menu options
Hello
I managed to configure ACS authentication on my 2611XM router.
After connecting to the router, I have an autocommand configured to run a menu.
My problem is that when you select an option in the menu,
you are then prompted to re-authenticate against the router before connecting to the line.
Can someone tell me how to prevent it?
Thank you for your time and effort in advance; I have attached the config below.
DDRAS01#sh running-config
Building configuration...
Current configuration : 6854 bytes
!
! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service linenumber
service sequence-numbers
!
hostname DDRAS01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging rate-limit all 10000
logging console critical
enable password 7
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authentication enable default
aaa authentication ppp default local
aaa authorization exec default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
clock timezone EST 10
clock summer-time EST recurring last Sun Oct 02:00 last Sun Mar 03:00
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip domain list
ip domain list
ip domain name
ip host dd-cr-01F 2033 172.16.1.1
ip host ddsws01 2034 172.16.1.1
ip host ddsws04 2035 172.16.1.1
ip host ddce565 2040 172.16.1.1
ip name-server
ip name-server
!
!
!
username d'operators privilege 15 password 7
!
!
ip ssh source-interface FastEthernet0/0
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 255.255.255.0
 speed 100
 full-duplex
!
interface Serial0/0
 no ip address
 shutdown
!
interface BRI0/0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0
!
ip http server
no ip http secure-server
ip tacacs source-interface FastEthernet0/0
!
ip radius source-interface FastEthernet0/0
logging facility local6
logging
snmp-server
snmp-server community RO
snmp-server community RW
snmp-server location
snmp-server contact d'operators
!
menu ddras01 title ^C
Cisco Terminal Server
Select number from the list below
Use "ctrl+shift+6" then "x" to switch to the menu
^C
menu ddras01 text 1 Connect to DD-CR-01
menu ddras01 command 1 resume dd-cr-01 / telnet dd-cr-01 2033
menu ddras01 text 2 Connect to DDSWS01
menu ddras01 command 2 resume ddsws01 / telnet ddsws01 2034
menu ddras01 text 3 Connect to DDSWS04
menu ddras01 command 3 resume ddsws04 / telnet ddsws04 2035
menu ddras01 text 8 Connect to DDCE565
menu ddras01 command 8 resume ddce565 / telnet ddce565 2040
menu ddras01 text 9 Exit
menu ddras01 command 9 menu-exit
menu ddras01 clear-screen
menu ddras01 status-line
menu ddras01 line-mode
tacacs-server host 10.2.0.50
tacacs-server directed-request
tacacs-server key 7
!
control-plane
!
privilege exec level 15 write terminal
privilege exec level 15 write
privilege exec level 1 ping
privilege exec level 10 undebug ip icmp
privilege exec level 10 undebug ip
privilege exec level 10 undebug all
privilege exec level 10 undebug
privilege exec level 10 terminal monitor
privilege exec level 10 terminal
privilege exec level 15 show running-config
privilege exec level 5 show configuration
privilege exec level 5 show
privilege exec level 10 debug ip icmp
privilege exec level 10 debug ip
privilege exec level 10 debug all
privilege exec level 10 debug
privilege exec level 10 clear interface
privilege exec level 10 clear counters
privilege exec level 10 clear
!
line con 0
 password 7
 logging synchronous
line 33 64
 no exec-banner
 exec-timeout 0 0
 no activation-character
 no exec
 transport preferred telnet
 transport input all
 escape-character 27
 stopbits 1
 flowcontrol hardware
line aux 0
line vty 0 4
 password 7
 logging synchronous
 autocommand menu ddras01
line vty 5 181
 password 7
 logging synchronous
 autocommand menu ddras01
!
ntp clock-period 17208487
ntp source FastEthernet0/0
ntp server
end
Hello
You have aaa login default configured for authentication; with this you get prompted
when you try to access the line.
Under line vty 5 181 try adding:
login authentication NOAUTH
authorization exec NOAUTH
Add the aaa lines:
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
This should stop the authentication on the lines.
-Jesse
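Added example, not code from the thread or from Cisco: a Python audit of an IOS running-config for the AAA/TACACS+ conditions raised in this thread and in the ACS 4.2 test-router thread above. It parses the config into top-level commands with their indented sub-commands, then flags (1) a TACACS+ login list with no matching "aaa authorization exec" list, which is why login works but enable fails on the test router; (2) a tacacs-server host with no shared key; (3) a line that runs a menu via autocommand while still inheriting the default login list, the source of the re-authentication described here; and (4) a VTY line whose named login list is "none", which is what the reply's NOAUTH list amounts to on a remotely reachable line. The three sample configs are constructed from the snippets in these threads; keys and addresses are placeholders.

```python
import re

# Constructed from the posted 2611XM config (trimmed); key is a placeholder.
SAMPLE_POSTED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login if_needed local
aaa authorization exec default group tacacs+ local if-authenticated
tacacs-server host 10.2.0.50
tacacs-server directed-request
tacacs-server key 7 <removed>
line 33 64
 no exec
 transport input all
line vty 0 4
 logging synchronous
 autocommand menu ddras01
line vty 5 181
 logging synchronous
 autocommand menu ddras01
"""

# Constructed from the ACS 4.2 test-router snippet: login works, enable fails.
SAMPLE_TEST_ROUTER = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key <removed>
line vty 0 4
 transport input ssh
"""

# Constructed: the posted config with the reply's NOAUTH lists applied to vty 5 181.
SAMPLE_AFTER_REPLY = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec NOAUTH none
tacacs-server host 10.2.0.50
tacacs-server key 7 <removed>
line vty 0 4
 autocommand menu ddras01
line vty 5 181
 login authentication NOAUTH
 authorization exec NOAUTH
 autocommand menu ddras01
"""

def parse_sections(config: str):
    """Split an IOS config into (command, [indented sub-commands]) blocks; '!' and blanks are dropped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def _list_name(command: str, prefix: str):
    """Method-list name following a prefix, e.g. 'default' in 'aaa authorization exec default ...'."""
    m = re.match(re.escape(prefix) + r" (\S+)(?: |$)", command)
    return m.group(1) if m else None

def audit_aaa(config: str):
    """Return (code, message) findings for the AAA/TACACS+ problems discussed in this thread."""
    findings = []
    sections = parse_sections(config)
    top = [cmd for cmd, _ in sections]
    login_cmds = [c for c in top if c.startswith("aaa authentication login ")]
    # 1. Login list uses TACACS+ but no exec authorization list of the same name exists:
    #    the privilege level ACS hands back is never applied, so 'enable' falls back and fails.
    login_lists = {_list_name(c, "aaa authentication login") for c in login_cmds if "group tacacs+" in c}
    exec_lists = {_list_name(c, "aaa authorization exec") for c in top if c.startswith("aaa authorization exec ")}
    for name in sorted(login_lists - exec_lists):
        findings.append(("NO_EXEC_AUTHZ", f"login list '{name}' uses TACACS+ but has no 'aaa authorization exec {name} ...'"))
    # 2. TACACS+ server defined without any shared key (global or per-host).
    hosts = [c for c in top if c.startswith("tacacs-server host ")]
    has_key = any(c.startswith("tacacs-server key") for c in top) or any(" key " in c for c in hosts)
    if hosts and not has_key:
        findings.append(("NO_TACACS_KEY", "tacacs-server host configured without a shared key"))
    # Lists whose only method is 'none' (e.g. 'aaa authentication login NOAUTH none').
    none_lists = {_list_name(c, "aaa authentication login") for c in login_cmds if c.split()[4:] == ["none"]}
    for cmd, children in sections:
        if not cmd.startswith("line "):
            continue
        login = next((_list_name(c, "login authentication") for c in children if c.startswith("login authentication ")), None)
        # 3. Menu via autocommand on a line that inherits the default login list: the onward
        #    connection the menu opens is authenticated again by that same list.
        if any(c.startswith("autocommand menu") for c in children) and login is None:
            findings.append(("MENU_DEFAULT_LIST", f"'{cmd}' runs a menu via autocommand and inherits the default login list"))
        # 4. A 'none' list on a VTY line is remote access with no authentication at all.
        if cmd.startswith("line vty") and login in none_lists:
            findings.append(("VTY_NO_AUTH", f"'{cmd}' uses login list '{login}' whose only method is none"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_POSTED), ("test router", SAMPLE_TEST_ROUTER), ("after reply", SAMPLE_AFTER_REPLY)):
        print(label, audit_aaa(cfg))
```

Run against the three samples, the test-router config yields only NO_EXEC_AUTHZ (JG's missing command), the posted terminal-server config yields MENU_DEFAULT_LIST for both VTY ranges, and the config with the reply applied trades one of those for VTY_NO_AUTH, which is the trade-off to weigh before applying a "none" list to a line reachable over the network.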