ACS authentication - confusing failure

I'm currently confused looking into devices that fail authentication through ACS. When I look at the ACS reporting tool, I see a device (Dell laptop) appearing on the same switch port with about 900 failed authentication attempts per day. I followed that up with a check of the switch's MAC address table. I see the devices connected (via a hub), but not the one that is failing. On the port there are the hub, 2 Dell laptops (but not the one that ACS reports) and a VTC unit.

To add to the confusion, the VTC unit has an IP address in the firewall's ARP table. I don't know where to go from here.

Robert,

I missed your question at first; the answer is yes, when authentication fails the client is not entered in the MAC address table, since that would allow traffic to pass. Dot1x (MAB) is an L2 authentication framework which does not allow the MAC address to be learned until we see an Accept from the RADIUS server.

So if the client authentication is expected to fail, then everything is OK with regard to your deployment and the behavior of the switch.

Tarik Admani
* Please rate helpful posts *
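The check Robert did by hand (ACS failure report against the switch MAC table), as an added example that is not part of the original thread: it counts failed 802.1X/MAB authentications per port and MAC from switch syslog and marks whether each failing MAC has been learned on that port. The syslog lines and the MAC-table output are constructed samples.

```python
"""Correlate failed 802.1X/MAB authentications with the switch MAC table.
Added example, not from the thread; the syslog and MAC-table text below are
constructed samples in the shape of IOS %DOT1X/%MAB-5-FAIL messages and
'show mac address-table' output."""
import re
from collections import Counter

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
FAIL_RE = re.compile(r"%(?:DOT1X|MAB)-5-FAIL: Authentication failed for client "
                     r"\((?P<mac>" + MAC + r")\) on Interface (?P<port>\S+)")
MAC_ROW_RE = re.compile(r"^\s*\d+\s+(?P<mac>" + MAC + r")\s+\w+\s+(?P<port>\S+)\s*$")

# Constructed syslog: one host keeps failing on Gi1/0/7 (the hub port),
# another host passes there, a third fails once on Gi1/0/9.
SAMPLE_SYSLOG = """\
Feb 21 10:28:01.101: %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) on Interface Gi1/0/7 AuditSessionID 0A0000010000000C0028EE08
Feb 21 10:28:31.220: %MAB-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) on Interface Gi1/0/7 AuditSessionID 0A0000010000000C0028EE08
Feb 21 10:29:01.330: %DOT1X-5-FAIL: Authentication failed for client (aaaa.bbbb.cccc) on Interface Gi1/0/7 AuditSessionID 0A0000010000000D0028EE09
Feb 21 10:29:05.440: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Gi1/0/7 AuditSessionID 0A0000010000000E0028EE0A
Feb 21 10:30:12.550: %MAB-5-FAIL: Authentication failed for client (dddd.eeee.ffff) on Interface Gi1/0/9 AuditSessionID 0A0000010000000F0028EE0B
"""

# Constructed 'show mac address-table': only hosts that passed authentication
# are learned on Gi1/0/7; the failing MAC aaaa.bbbb.cccc is absent, as expected.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  40    0011.2233.4455    DYNAMIC     Gi1/0/7
  40    1122.3344.5566    DYNAMIC     Gi1/0/7
  10    9999.8888.7777    DYNAMIC     Gi1/0/9
"""

def parse_failures(syslog):
    """Counter keyed by (port, mac) of failed DOT1X/MAB attempts."""
    counts = Counter()
    for line in syslog.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[(m.group("port"), m.group("mac"))] += 1
    return counts

def parse_mac_table(output):
    """Set of (port, mac) pairs currently learned on the switch."""
    return {(m.group("port"), m.group("mac"))
            for m in map(MAC_ROW_RE.match, output.splitlines()) if m}

def failed_auth_report(syslog, mac_table_output):
    """Per (port, mac): failure count and whether the MAC is in the MAC table.
    A client that never passes authentication should not be learned, so
    in_mac_table is expected to be False for a persistent failer."""
    learned = parse_mac_table(mac_table_output)
    return {key: {"failures": n, "in_mac_table": key in learned}
            for key, n in parse_failures(syslog).items()}

def noisy_ports(report, threshold):
    """Ports whose total failures reach the threshold (hundreds a day in the thread)."""
    per_port = Counter()
    for (port, _mac), info in report.items():
        per_port[port] += info["failures"]
    return sorted(p for p, n in per_port.items() if n >= threshold)

if __name__ == "__main__":
    rep = failed_auth_report(SAMPLE_SYSLOG, SAMPLE_MAC_TABLE)
    for (port, mac), info in sorted(rep.items()):
        print(f"{port} {mac}: {info['failures']} failures, in MAC table: {info['in_mac_table']}")
    print("ports to investigate:", noisy_ports(rep, threshold=2))
```

A failing MAC that does show up in the MAC table would be the surprising case worth a closer look, since the port should not have learned it.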

Tags: Cisco Security

Similar Questions

  • ACS 5.6 authentication problem

    We are in the process of upgrading our ACS 4.1 to an ACS 5.6 appliance.

    The unit is installed on the network, licensed correctly, etc.

    I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.

    I created a network device (Catalyst switch) as a TACACS+ client and specified single-connect.

    When I SSH into the switch, I can connect using my AD user name and password, but I can't go into enable mode. It says "authentication failure".

    My aaa settings are:

    tacacs-server host 172.25.50.8
    tacacs-server timeout 3
    tacacs-server directed-request
    tacacs-server key

    I'm missing something somewhere, but I don't know where. If I try to download the ACS support bundle, it says downloading, but does not say where (or how).

    Any advice would be great. I'm new to this product.

    See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

  • Cisco ACS authentication issues

    Hi all

    I have just set up my ACS for Windows Server. It runs version 4.1 software. I have problems with authentication. I have set it up in the ACS GUI to use TACACS+ to authenticate the AAA clients. I have the key in the switch and the corresponding key in the ACS server. I have set up users. Here's my AAA config on the switch...

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable

    Here is the TACACS+ debug output:

    183757: Sep  2 10:14:22.131 EDT: TAC+: send AUTHEN/START packet ver=192 id=2789804961
    183758: Sep  2 10:14:22.131 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
    183759: Sep  2 10:14:22.131 EDT: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
    183760: Sep  2 10:14:22.135 EDT: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
    183761: Sep  2 10:14:22.135 EDT: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
    183762: Sep  2 10:14:22.335 EDT: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
    183763: Sep  2 10:14:22.335 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 128683
    WC2950-12#
    183764: Sep  2 10:14:22.335 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    183765: Sep  2 10:14:22.335 EDT: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
    183766: Sep  2 10:14:22.339 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
    183767: Sep  2 10:14:22.339 EDT: SSH1: password authentication failed for wcromwell

    I have the same keys on the AAA server as I do on my switch...

    Thank you

    Please check the secret key of the NDG and of the main AAA client. The NDG key overrides the main AAA client key.

    Make sure you have the right key in NDG >

    Kind regards

    ~ JG

    Please rate helpful posts
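Added example, not part of JG's reply or the original post, showing why a shared-secret mismatch surfaces as the "received bad AUTHEN packet: length = 6 expected ..." line in the debug above: it implements the TACACS+ body obfuscation from RFC 8907 and the length check a client applies to an authentication REPLY. The key strings and the PASS reply are constructed; the session id is the one in the debug.

```python
"""Why a TACACS+ shared-secret mismatch shows up as a 'bad AUTHEN packet' length.
Added example, not from the thread. The body of every TACACS+ packet is XORed
with an MD5 pseudo-pad derived from the shared key (RFC 8907 section 4.5). A
client checks an authentication REPLY by requiring header length ==
6 + server_msg_len + data_len; with the wrong key the decoded length fields
are garbage, so the 'expected' length is nonsense."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER_MINOR_0 = 0xC0   # version byte; 'ver=192' in the IOS debug
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(session_id, seq_no, key, status, server_msg=b"", data=b""):
    """Server -> client authentication REPLY: 12-byte header + obfuscated body."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = struct.pack("!BBBBII", TAC_PLUS_MAJOR_VER_MINOR_0, TAC_PLUS_AUTHEN,
                         seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_MAJOR_VER_MINOR_0, seq_no)

def check_authen_reply(packet, key):
    """Decode a REPLY with the given key and apply the client's length check.
    Returns the header length, the length implied by the decoded
    server_msg_len/data_len fields, the decoded status and whether they agree."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a complete AUTHEN packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len
    return {"length": length, "expected": expected, "status": status,
            "ok": expected == length}

if __name__ == "__main__":
    sid = 2789804961                       # session id from the debug output above
    pkt = build_authen_reply(sid, 2, b"correct-secret", TAC_PLUS_AUTHEN_STATUS_PASS)
    print("right key:", check_authen_reply(pkt, b"correct-secret"))
    print("wrong key:", check_authen_reply(pkt, b"other-secret"))
```

The "check keys" hint in the debug is exactly this failure: the packet arrived intact, but decoding it with a different key than the server used yields a body whose length fields do not add up.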

  • ACS 4.2 authentication and exec mode on a test router

    The goal is to have ACS authenticate my username via SSH and, once authenticated, let me go into privileged exec mode. Details below.

    I have ACS Solution Engine 4.2 and I have a test router with the following commands:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa session-id common
    tacacs-server host 10.4.4.21 single-connection
    tacacs-server key $# $& $* #.

    The problem is the following: I can SSH and log in to the router using a user in the ACS database, but the router does not allow me to use the enable command in exec mode. The error it gives me is:

    AAA_ROUTER_CLIENT>enable
    % Authentication failed.
    AAA_ROUTER_CLIENT>

    I must be missing something in the ACS. Any help would be appreciated.

    You are missing this command:

    aaa authorization exec default group tacacs+ if-authenticated

    That's what you need on the router:

    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated

    On ACS:

    Bring the users/groups to level 15

    1. Go to the user or group setup in ACS
    2. Scroll down to "TACACS+ Settings"
    3. Check "Shell (exec)"
    4. Check "Privilege level" and enter "15" in the adjacent field

    Kind regards

    ~ JG

    Please rate helpful posts

  • ACS 4.1 fails to authenticate Windows users

    Hello.

    We run Cisco Secure ACS for Windows version 1.0000 b23p5 on a Windows 2000 member server.

    Today, ACS is unable to authenticate users.

    Using the same external user (andrea-meconi) I can check the success or failure of authentication.

    This is the AUTH.log for a generic RADIUS request...

    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Authenticating user [andrea-meconi]
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 15:30:24 0396 3900 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1783L)
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: 1 odbc worker(s)
    AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [ODBCAuthDll.dll]: DLL initialized OK
    AUTH 25/02/2013 15:30:24 I 0571 3900 AuthenLoadLibrary: Loaded external ODBC database DLLs
    AUTH 25/02/2013 15:30:24 I 1645 3900 pvAuthenticateUser: authenticate 'andrea-meconi' against an external ODBC database

    This is the log for an EAP request...

    AUTH 25/02/2013 16:23:56 I 1645 4568 pvAuthenticateUser: authenticate "venezia\andrea-meconi" against Windows NT/2000
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [venezia\andrea-meconi]
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Got the CISCO workstation
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user andrea-meconi
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by RVVMDCC01PW)
    AUTH 25/02/2013 16:23:56 I 0396 4568 External DB [NTAuthenDLL.dll]: User mapped to ACS group id [20]

    Windows AD is now on Windows Server 2008, migrated from 2003.

    Any idea?

    Thank you.

    Andrea

    Windows authentication FAILED (error 1783L)

    The error above indicates that the migration happened during the night. To resolve this problem, you must update your ACS to at least ACS 4.2.0.124 patch 4 or higher.

    Supported OS section:

    -Windows Server 2008, Standard Edition

    -Windows Server 2008, Enterprise Edition

    -Windows Server 2008, Standard Edition, Service Pack 2 Japanese

    -Windows Server 2008, Enterprise Edition, Service Pack 2 Japanese

    NOTE: No ACS 4.x version supports 2008 R2. Only ACS 5.2 supports it.

    Kind regards

    Jatin kone

    - Do rate helpful posts -

  • I reinstalled Firefox and still receive an Authentication Gateway failure

    Had a power outage with U-Verse. When power came back on I received the message 'Authentication Gateway Failure'. I am able to connect to the internet with Google Chrome or MSN but not Firefox. I have Windows 8.1 on a PC.

    Hello

    Refresh (called "Reset" in older versions of Firefox) can solve a lot of problems by restoring Firefox to its factory defaults while saving your bookmarks, history, passwords, cookies, and other essential information.

    Note: When you use this feature, you will lose all extensions, toolbar customizations, and certain preferences. See the article Refresh Firefox - reset add-ons and settings for more information.

    Refresh Firefox:

    1. Open the Troubleshooting Information page using one of the following methods:
      • Click the menu button, click Help and select Troubleshooting Information. A new tab containing your troubleshooting information should open.
      • If you are unable to access the Help menu, type about:support in your address bar to bring up the Troubleshooting Information page.
    2. At the top right of the page, you should see a button that says 'Refresh Firefox' ('Reset Firefox' in older versions of Firefox). Click on it.
    3. Firefox will close. Once the refresh process is complete, Firefox will display a window with the imported information.
    4. Click Finish and Firefox will reopen.

    Did this fix the problem? Please report back to us!

    Thank you.

  • ACS authentication with Active Directory based on ad groups

    Hello

    I'm trying to integrate Cisco ACS 5.4.0.46 with AD. I connected ACS to AD successfully and used AD authentication for network devices successfully, but my problem now is that anyone with an AD account can connect to the network devices, which compromises security. I created a group in AD that I would like to use and added the group under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. I also chose AD1 as the identity source for Default Device Admin and, under Authorization, an authorization policy that uses a compound condition on AD1 and the custom group. However, after setting all that up, I am still able to connect to the switch with a user not in the custom group. Based on what I have explained, can someone tell me if I am missing a step?

    Thank you

    Derek Velez

    Thanks for the update and the details. Set the default rule to deny access: if a legitimate user does not match a rule set by the ACS administrator, he should be denied access. In your case it has been left as a permit, so both types of user (members and non-members of the AD group) get access.

    The best way to resolve these issues is to look at Monitoring and Troubleshooting > user attempts > magnifying glass. You will see how this user was allowed access.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • ACS authentication in another (trusted) domain via the ACS Agent

    Hello

    I have two domains. Domain A is the top-level domain. B is the child domain of domain A.

    The ACS Agents are installed on two domain controllers in domain A.

    Authentication of clients in domain A is ok.

    Authentication of clients in domain B is a problem.

    I created a universal group in the domain. In this universal group, I put a global group of users from domain B. Authentication is not OK.

    The ACS "Failed Authentication" log says: "External DB account Restriction".

    What is the problem here?

    Gr.

    Remco

    Check that the users are not mapped to a disabled group. Do not map several Windows groups to ACS groups. The following link may help you:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/QG.html

  • Secure ACS Authentication and Authorization with SecurID

    I am able to authenticate connection attempts using an external database (RSA SecurID). The problem is that everyone with a token is authorized to connect to any switch with priv 15 or whatever I put (there is no way to control who gets what access). How can I authorize users based on membership in a certain group? The SecurID server is already integrated with LDAP; it only checks to see if the user exists in the database.

    I need to create two groups, or even only allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect. I can't find guides that do anything beyond authentication when you use a SecurID token.

    Thank you.

    Hello

    On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. Once authorization is in place, user access privileges can be governed by ACS. In the Default Device Admin access policy (if you are using the default policy for TACACS+), set the authorization rule to verify membership in the user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to other users.

  • ACS 5.4 failure after installing patch 5-4-0-46-4

    I installed the latest patch (5-4-0-46-4) on the ACS server and after that I'm getting the following error when I try to access

    System Administration > ... > Administrators > Administrative access control > Authorization

    The error message is

    This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page.

    I can't get away from this error and I have to log out before doing anything else, but whenever I try to access this authorization page again, the same error message appears.

    Has anyone tried updating ACS 5.4 with the latest patch and experienced this error? Have you managed to fix it, and how?

    Please check if your scenario corresponds to the symptoms of the bug listed below.

    CSCud78248    ACS 5.4 administrative access control failure

    Symptom:

    "This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page." when you navigate to System Administration > Administrative Access Control > Authorization

    Conditions:

    ACS 5.4: if there is more than one 'RADIUS Identity Server' configured, the message "This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page." appears when you navigate to System Administration > Administrative Access Control > Authorization

    Workaround:

    Configure a single identity server

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • NA. Kerberos5: authentication handshake failure

    Hi, when connecting to an Oracle 11g server via the Oracle 12c release 3 client from a .NET application, I get the "Kerberos5 authentication handshake failure" error: could not load 'Oracle.ManagedDataAccessIOP'. The application worked well with the unmanaged 11g client (authentication mode: Kerberos), but when upgraded to the managed 12c drivers the problem occurs. Help, please!

    It is not a fully managed Kerberos implementation. Unmanaged ODP.NET uses the MIT Kerberos libraries that are part of the Oracle Client. With managed ODP.NET, these Kerberos libraries must be installed. You can install MIT Kerberos yourself or install the Oracle DB 12c client, which includes MIT Kerberos. Managed ODP.NET includes a second DLL, Oracle.ManagedDataAccessIOP.dll, which works with the Kerberos libraries. There is a 32-bit and a 64-bit IOP DLL, depending on whether you are using the 32-bit or 64-bit Kerberos libraries.

    There is more info in the doc:

    http://docs.Oracle.com/CD/E56485_01/win.121/e55744/featConnecting.htm#ODPNT8270

  • The ACS authentication

    We have ACS running without any problem. We have a special VLAN for a public kiosk that clients can use to surf the internet. The kiosk is wireless and is configured to connect automatically with a specific account. The access point uses VLAN 1 and the wireless terminal VLAN 40. When the kiosk machine authenticates to ACS running on our domain controller (which resides on VLAN 10), does the kiosk machine communicate with the domain controller, or does the kiosk machine communicate with the access point, which in turn communicates with the ACS server? I would like to block VLAN 40 access into VLAN 10, but if the kiosk machine must communicate with the domain controller, I don't think I can. Any help is appreciated. Thank you.

    The untrusted kiosk machine only communicates with the AP. The AP will send the credentials to the ACS server, which in turn will try to authenticate them against the Windows domain controller.

  • ACS authentication problem with TACACS+

    My organization was using ACS with AD to authenticate users for access to network devices.

    But lately it does not work. There have been no known changes.

    Can anyone help point out the possible problems, or links showing how the actual ACS configuration should be or look for this to work?

    My apologies if this is a naive question; I am not so comfortable with ACS.

    Thank you!

    Hello

    There are two ways to correct the message 'windows dialin permission required'. You can either add dial-in permission to the user accounts in your Windows database, or you can remove the "Require Dialin permissions" option in ACS. To do this, go to "External User Databases" and select "Database Configuration". Then go into your Windows database and click "Configure". The first option is a checkbox that gives you the opportunity to "Verify that Grant dialin permission to user setting has been enabled".

    Checking this box will cause the error you get if your Windows users do not have dial-in permission. If you uncheck this box, it should clear this up.

    HTH

    JK

  • Genuine software verification failure

    I downloaded a trial version of Photoshop CS6 from the Adobe Download Manager, and when it tries to install it says that it is not genuine Adobe software and appears to be counterfeit. Is there anything I can do about it?

    Your download is corrupt. Delete the currently downloaded installation files and repeat the download. Did you receive an error during the download process?

  • 2611XM Terminal Server + ACS + new authentication when selecting menu options

    Hello

    I managed to configure ACS authentication on my 2611XM router.

    After connecting to the router, I have an autocommand configured to run a menu.

    My problem is that when you select an option in the menu,

    you are then prompted to re-authenticate against the router before connecting to the line.

    Can someone tell me how to prevent it?

    Thank you for your time and effort in advance; I have attached the config below.

    DDRAS01#sh running-config
    Building configuration...

    Current configuration : 6854 bytes
    !
    ! Last configuration change at 10:28:49 GMT Sun Feb 21 2010 by
    ! NVRAM config last updated at 19:25:53 GMT Sat Feb 20 2010 by
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service linenumber
    service sequence-numbers
    !
    hostname DDRAS01
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    logging rate-limit all 10000
    logging console critical
    enable password 7
    !
    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login if_needed local
    aaa authentication enable default
    aaa authentication ppp default local
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common
    clock timezone EST 10
    clock summer-time EST recurring last Sun Oct 2:00 last Sun Mar 3:00
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    ip domain list
    ip domain list
    ip domain name
    ip host dd-cr-01 2033 172.16.1.1
    ip host ddsws01 2034 172.16.1.1
    ip host ddsws04 2035 172.16.1.1
    ip host ddce565 2040 172.16.1.1
    ip name-server
    ip name-server
    !
    !
    !
    username operators privilege 15 password 7
    !
    !
    ip ssh source-interface FastEthernet0/0
    ip ssh logging events
    ip ssh version 2
    !
    !
    interface Loopback0
     ip address 172.16.1.1 255.255.255.255
    !
    interface FastEthernet0/0
     ip address 255.255.255.0
     speed 100
     full-duplex
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    interface BRI0/0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0
    !
    ip http server
    no ip http secure-server
    ip tacacs source-interface FastEthernet0/0
    !
    ip radius source-interface FastEthernet0/0
    logging facility local6
    logging
    snmp-server community RO
    snmp-server community RW
    snmp-server location
    snmp-server contact operators
    !
    menu ddras01 title ^C
    Cisco Terminal Server
    Select number from the list below
    Use "ctrl+shift+6" then 'x' to switch back to the menu
    ^C
    menu ddras01 text 1 Connect to DD-CR-01
    menu ddras01 command 1 resume dd-cr-01 /connect telnet dd-cr-01 2033
    menu ddras01 text 2 Connect to DDSWS01
    menu ddras01 command 2 resume ddsws01 /connect telnet ddsws01 2034
    menu ddras01 text 3 Connect to DDSWS04
    menu ddras01 command 3 resume ddsws04 /connect telnet ddsws04 2035
    menu ddras01 text 8 Connect to DDCE565
    menu ddras01 command 8 resume ddce565 /connect telnet ddce565 2040
    menu ddras01 text 9 Exit
    menu ddras01 command 9 menu-exit
    menu ddras01 clear-screen
    menu ddras01 status-line
    menu ddras01 line-mode
    tacacs-server host 10.2.0.50
    tacacs-server directed-request
    tacacs-server key 7
    !
    control-plane
    !
    privilege exec level 15 write terminal
    privilege exec level 15 write
    privilege exec level 1 ping
    privilege exec level 10 undebug ip icmp
    privilege exec level 10 undebug ip
    privilege exec level 10 undebug all
    privilege exec level 10 undebug
    privilege exec level 10 terminal monitor
    privilege exec level 10 terminal
    privilege exec level 15 show running-config
    privilege exec level 5 show configuration
    privilege exec level 5 show
    privilege exec level 10 debug ip icmp
    privilege exec level 10 debug ip
    privilege exec level 10 debug all
    privilege exec level 10 debug
    privilege exec level 10 clear interface
    privilege exec level 10 clear counters
    privilege exec level 10 clear
    !
    line con 0
     password 7
     logging synchronous
    line 33 64
     no exec-banner
     exec-timeout 0 0
     no activation-character
     no exec
     transport preferred telnet
     transport input all
     escape-character 27
     stopbits 1
     flowcontrol hardware
    line aux 0
    line vty 0 4
     password 7
     logging synchronous
     autocommand menu ddras01
    line vty 5 181
     password 7
     logging synchronous
     autocommand menu ddras01
    !
    ntp clock-period 17208487
    ntp source FastEthernet0/0
    ntp server
    end

    Hello

    You have aaa login default configured for authentication; with this you get prompted

    when you try to access the line.

    Under line vty 5 181 try adding:

    login authentication NOAUTH
    authorization exec NOAUTH

    Add the aaa lines:

    aaa authentication login NOAUTH none
    aaa authorization exec NOAUTH none

    This should stop the authentication on the lines.

    -Jesse
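Added example, not from Jesse's reply or the thread: a small linter for the AAA portion of an IOS config that flags the conditions discussed in this question and in the ACS 4.2 exec-mode question above (no default exec authorization, a list referenced on a line but never defined, and a list applied to a line that falls through to the 'none' method, so the change is made deliberately). The config it reads is a constructed, shortened sample in the style of the one posted above.

```python
"""Lint the AAA parts of an IOS running-config for the issues in this thread.
Added example, not from the thread. It reads the 'aaa authentication login'
and 'aaa authorization exec' method lists plus the 'line' blocks and reports:
missing 'aaa new-model', no default exec authorization (the ACS shell-profile
privilege level is never applied without it), lines that name an undefined
list, and lists applied to a line that use the 'none' method. The config is
a constructed, shortened sample in the style of the one posted above."""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NOAUTH none
aaa authorization exec NOAUTH none
tacacs-server host 10.2.0.50
line con 0
 logging synchronous
line vty 0 4
 autocommand menu ddras01
line vty 5 15
 login authentication NOAUTH
 authorization exec NOAUTH
 autocommand menu ddras01
line vty 16 20
 login authentication ADMINS
"""

LIST_RE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")

def parse_aaa(config):
    """Return (has_new_model, {(kind, list_name): methods}, line blocks)."""
    has_new_model, lists, blocks, current = False, {}, [], None
    for raw in config.splitlines():
        m = LIST_RE.match(raw)
        if raw.strip() == "aaa new-model":
            has_new_model = True
        elif m:
            kind = "login" if m.group(1).startswith("authentication") else "exec"
            lists[(kind, m.group(2))] = m.group(3).split()
        elif raw.startswith("line "):
            current = {"name": raw.strip(), "login": None, "exec": None}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            words = raw.split()
            if words[:2] == ["login", "authentication"] and len(words) > 2:
                current["login"] = words[2]
            elif words[:2] == ["authorization", "exec"] and len(words) > 2:
                current["exec"] = words[2]
    return has_new_model, lists, blocks

def lint_aaa(config):
    """Return a sorted list of (code, detail) findings for the config text."""
    has_new_model, lists, blocks = parse_aaa(config)
    findings = []
    if not has_new_model:
        findings.append(("MISSING_AAA_NEW_MODEL", "named method lists are ignored"))
    if ("exec", "default") not in lists:
        findings.append(("NO_EXEC_AUTHORIZATION", "add 'aaa authorization exec default "
                         "group tacacs+ ...' or the ACS shell profile privilege level never applies"))
    for blk in blocks:
        for kind in ("login", "exec"):
            name = blk[kind] or "default"        # no explicit list: the default list applies
            methods = lists.get((kind, name))
            if blk[kind] is not None and methods is None:
                findings.append(("UNDEFINED_LIST", f"{blk['name']}: {kind} list {name}"))
            elif methods and "none" in methods:
                findings.append(("NONE_METHOD", f"{blk['name']}: {kind} list {name} = {methods}"))
    return sorted(findings)

if __name__ == "__main__":
    for code, detail in lint_aaa(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```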
