ACS server not available

PIX 525 configured for TACACS+ authentication for telnet, ssh, etc. access to the PIX... If the Cisco ACS server is not available, can I use the local user database as I do in the router world? I saw no reference to this.

Fallback AAA was introduced in PIX OS 6.3(4). This isn't something I've tried, but this excerpt from an earlier discussion may help you:

http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd60f3e/0#selected_message

See you soon
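As an added example (mine, not from this thread or from Cisco), this is what the fallback the reply refers to looks like on a PIX or ASA running 7.x code; the original poster's 6.3(4) image uses the older one-line `aaa-server TAG (inside) host <ip> <key> timeout <n>` form for the server entry. The group name, address, key and local account are placeholders. The security-relevant behaviour is that `LOCAL` at the end of a method list is consulted only when every server in the group has stopped answering; a password that ACS rejects is not retried against the local database.

```cisco
! Added example, not the thread's own configuration. Names, addresses and secrets are placeholders.
!
! TACACS+ server group used for administrative access to the firewall
aaa-server ACS-TACACS protocol tacacs+
 reactivation-mode timed
aaa-server ACS-TACACS (inside) host 10.0.0.5
 key PLACEHOLDER-SHARED-SECRET
 timeout 5
!
! Local account: usable only when every host in ACS-TACACS is unreachable
username admin password PLACEHOLDER-PASSWORD privilege 15
!
! Method lists: TACACS+ group first, local user database as the fallback
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication telnet console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
!
! Weak variant, shown only for contrast: without LOCAL at the end, a dead
! ACS locks every administrator out of the firewall.
! aaa authentication ssh console ACS-TACACS
```

To confirm that the group itself works before relying on the fallback, run `test aaa-server authentication ACS-TACACS host 10.0.0.5 username admin password PLACEHOLDER-PASSWORD` and then check both Passed Authentications and Failed Attempts on the ACS side; `show aaa-server ACS-TACACS` reports whether the firewall currently considers the host active or failed.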

Tags: Cisco Security

Similar Questions

  • Secondary ACS does not authenticate dynamic users

    Hi all

    I have two ACS for Windows servers, version 4.2. My problem is that, if the primary ACS server is down, dynamic users from the Windows database are unable to authenticate with the secondary ACS. Please note that if a user is added to the ACS, this user can authenticate with the Windows database. Only the dynamic mapping does not work with the second ACS server.

    A quick response will be appreciated.

    Is the Windows database in the Unknown User Policy on both servers? Are dynamic users enabled under the Unknown User Policy?

    Are these ACS for Windows servers, or ACS SE with a Remote Agent installed on a member server in the AD domain?

    If they are Remote Agents, check External User Databases > Windows Configuration > Remote Agent selection. Is the same Remote Agent selected on both ACS servers?

    Please be aware that if you change the order of the RA, it will remove all your group mappings.

  • SSH no longer works after the ACS server "locked up" and had to be reconfigured.

    Hello

    I have a VPN tunnel between an ASA5520, and a Cisco 891.

    I had the 891 configured as follows:

    aaa group server tacacs+ VTY
     ip tacacs source-interface Loopback0
    !
    aaa group server tacacs+ TACACS-ACS
     server 10.8.x.x
     server 10.16.y.x
    !
    aaa authentication login CONSOLE none
    aaa authentication login VTY group tacacs+ local
    aaa authorization exec VTY group tacacs+ local
    aaa authorization commands 0 VTY group tacacs+
    aaa authorization commands 15 VTY group tacacs+
    aaa accounting commands 15 VTY stop-only group tacacs+
    aaa accounting commands 15 CONSOLE stop-only group tacacs+
    !
    ip tacacs source-interface Loopback0
    !
    tacacs-server host 10.8.x.x key 7 yadayadayadayada
    tacacs-server host 10.16.y.x key 7 yadayadayadayada
    tacacs-server directed-request
    !
    line vty 0 4
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    line vty 5 15
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh

    I can't access the device remotely. I'm sure it has to do with the ACS server, but I don't know where to look.

    Any help would be greatly appreciated.

    Hello

    When you say you cannot access the device remotely, do you mean you are not able to SSH to the device, or that there is no reachability at all?

    Is SSH the problem even though you get a login prompt? Any error message? Also, have you checked whether ACS has any logs for these attempts?

    Regards

    Najaf

  • PuTTY and password change issue ACS server

    When a new user is created with the 'Must change password at next logon' checkbox checked, ACS does not allow the user to change the password. The password prompt displays an 'access denied' message. Could someone point me in the right direction to solve this problem?

    I created a new account on the Cisco ACS server and checked the box "User must change password at next logon". I then used SSH via PuTTY to test the newly created user account. When I SSH to the Cisco devices [switch or router], the password prompt appears and asks me to type the new password. Once I do this, I get an 'access denied' message.

    It worked well with SecureCRT. But users do not have SecureCRT; they are supposed to use PuTTY. Users can connect to devices using PuTTY. The problem is only when we try to change the password.

    ACS Version: ACS 4.0

    Thank you

    Nachi

    When a user connects over SSH to the system and uses an expired TACACS+ password, they are prompted to change their password. However, this password change does not work correctly.

    To resolve this problem, you must have SSH v2 with "keyboard-interactive" authentication set for SSH v2. Cisco bug ID CSCin91851 addresses this problem.

    Symptom:

    When using the router as an SSH server authenticating against an SDI/RADIUS backend, normal authentication works. However, neither the new PIN mode nor the next token mode dialogues complete successfully.

    Conditions:

    Problem only occurs in new PIN mode or next token dialogue mode.
    Specific to SSHv2.

    Workaround:

    Use telnet for authentication, or define the vty lines to authenticate against a RADIUS
    (non-SDI) server instead.

    Further problem description:

    Not all SSH clients support the dialogue needed for new PIN mode or next token mode to work.

  • Enable AAA fails on the second ACS server

    I have 2 Windows 2003 ACS 4.2 servers, which authenticate against AD. I have configured TACACS+ authentication to both for my PIX 515 running version 7.2(4). TACACS+ authentication works fine on both. However, when I use 'aaa authentication enable console ProsperAdminAuth LOCAL', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server, and the failed authentication on ACS reports "ACS invalid password". It does not fall through to the LOCAL password. I checked all the passwords and there is no problem there. I know the servers are reachable, because TACACS+ auth works. Has anyone seen this issue elsewhere, or know what I might try?

    Thank you

    Vivek

    Hello

    External database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to External User Databases > Unknown User Policy, you will find that under "Configure Enable Password Behavior" you are on "Internal Database" instead of "The database which the user profile is required."

    -Jesse

  • ACS server 4.2 design question - is role-based a limitation?

    I have currently implemented this ACS server as follows.

    An ACS group maps to an Active Directory group. For example, the ACS group router_access maps to an AD group called $f (gbr) raccess. If the user tries to connect to a router and has this group in their AD profile, they will be accepted; if not, rejected.

    If, for example, I want to deny or allow access to some features, I use NARs (for example, accept connections from switch and router devices).

    It works - but apparently this isn't the way I should do things.

    The best way is to have an AD group per device group.

    E.g. for access to routers, you must have the $g (t) routers group in your AD profile.

    To get access to switches, the $g (t) switch group must be in your AD profile.

    Now we hit the problem - the ACS will use the first group in your AD profile to decide pass/fail.

    Say John has both the $g (t) routers and $g (t) switch groups in his AD profile. When he tries to connect to a switch, the ACS attempts to use $g (t) routers because it's the first AD group in his profile. Subsequently, it fails, which means that ACS will not look through several AD mappings.

    I hope this makes sense.

    Anyway, I can't get it to work because it keeps failing!

    Hi Will,

    This is a limitation of how ACS 4.x performs operations. It defines everything based on your local user group on ACS as opposed to your AD groups - so the group mapping comes first and then everything else comes later.

    If you use RADIUS (this does not apply to TACACS+) you may be able to use the Network Access Profile feature to substitute some access. If, for example, you can tell that the user is in the local group but the authentication comes from a certain type of device, you can send different attributes. However, in terms of blocking, it is always based on the local group you are a member of. It can do some additional LDAP group checking, but I don't know if that will solve your problem.

    ACS 5.x takes this to a new level - the entire platform is built as network access profiles - so you can make rules as granular as you want - that is to say: if you are in a specific AD group (no need to map - we can pull external groups) and it is a router, then go down a permission set with a Pass. If it is a different AD group (or a different device type), then send a failure.

    Thank you

    Nate

  • AAA / adding additional ACS server

    Hello guys,

    We need to set up AAA as per the attached proposed plan. We have used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a newer ACS apart from the existing two, and need to point all the data centre devices to the new ACS server.

    Is it possible to set up multiple device groups with a separate ACS server for each defined group? If possible, please let me know the commands, and if not, please let me know the other ways.

    I hope you can understand my needs and the current configuration. PFA...

    Thanks in advance!

    Best regards

    Anurag.K

    Hi Anurag,

    You can add the new ACS/TACACS+ server and have this server at the top of the sequence.

    tacacs-server host 10.16.2.10
    tacacs-server host 10.16.2.8
    tacacs-server host 10.16.2.9
    tacacs-server key xxxxx

    If you really want to create a separate group for the new ACS/TACACS+ server, then you must have the configuration shown below.

    aaa group server tacacs+ GROUP1
     server 10.16.2.8
     server 10.16.2.9
    aaa group server tacacs+ GROUP2
     server 10.16.2.10
    aaa authentication login default group GROUP1 group GROUP2 line

    Let me know if you have any doubts.

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • ACS server replication request

    Hi all

    I have two ACS servers, primary & secondary. A new secondary server is to be deployed in the network. My primary ACS server has 1000 AAA clients configured, with 15000 user IDs configured in several group profiles. My question here is: when I do database replication between primary and secondary, is the whole database replicated from my primary server to the secondary, i.e. all AAA clients and configuration etc., or only the user interface, group profiles, etc.? Does database replication have restrictions?

    In total: will the AAA clients & user IDs be in the database backup, or will they reside in a different location?

    Kindly clarify for me here, thanks.

    Hello

    The entire database will be overwritten when a database restore is performed.

    ACS database replication allows you to copy various components of the ACS internal database to other ACSs. This method can help you plan a failover AAA architecture and reduce the complexity of your configuration and maintenance tasks.

    The components that can be replicated are:

    User and group database

    Database group only

    Network device Configuration tables

    Distribution table

    Configuration of the interface

    Interface security settings

    Password validation settings

    EAP-FAST master keys and policies

    Network access profiles

    Logging configuration (enable/disable settings)

    The following link will give you the details of database replication.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as solved if you feel that your query is resolved. Rate useful posts.

  • Configuring the ACS server on windows server

    Hello

    I have started preparing for my CCNA Security and tried to configure AAA using ACS 4.2 on Windows Server 2003.

    I have configured the router to use AAA authentication with the ACS server, following the cbtnuggets lab.

    I checked reachability from the ACS server to the client router and vice versa, and also the configuration.

    The problem is I'm not able to authenticate using the ACS server; the router uses local authentication, and I have no idea why the router does not communicate with the ACS server.

    Help PLZ.

    My router's AAA configuration:

    ===============================================

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login exact group tacacs+ local
    aaa authorization exec default local

    tacacs-server host 192.168.1.25 single-connection key ciscoacs   --> (192.168.1.25 is the ACS; the key configured on the ACS server is also ciscoacs)

    line vty 0 4
     login authentication exact

    ================================================

    I created a user on the ACS server, and I believe that when I'm trying to telnet to the router I should use the user name and password configured on the ACS server.

    When I try to use it, authentication fails, and also the router accepts the locally configured user details. So I think there was no communication between the router and the ACS server; otherwise the TACACS+ ACS server would be used for authentication, and only if there is no communication between the router and the ACS server should it be the responsibility of the local user database.

    Please help me.

    Reports and Activity --> Passed Authentications

    Reports and Activity --> Failed Attempts

    Rating useful answers is more useful than saying "thank you".
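Added example (not the thread's own configuration, nor Cisco's): an IOS configuration that brings together the one-server-group-per-device-group idea from Jatin's reply to Anurag above and the TACACS+-then-local fallback in this CCNA post. Addresses, group and server names, keys and the emergency account are all placeholders; the `tacacs server NAME` block form assumes a 15.x-era image (older images use `tacacs-server host`, as in the posts). The point worth seeing in one place is the method-list semantics: `local` is reached only when the group returns an error (no server answered, or a reply could not be validated), never when a server actually rejects the credentials.

```cisco
! Added example, not the thread's own configuration. Names, addresses and keys are placeholders.
aaa new-model
!
! Server definitions (15.x-style). Each carries its own shared secret.
tacacs server ACS-DC-NEW
 address ipv4 10.16.2.10
 key PLACEHOLDER-KEY
 timeout 5
tacacs server ACS-LEGACY-1
 address ipv4 10.16.2.8
 key PLACEHOLDER-KEY
 timeout 5
tacacs server ACS-LEGACY-2
 address ipv4 10.16.2.9
 key PLACEHOLDER-KEY
 timeout 5
!
! One server group per population of devices. Data-centre devices prefer the
! new ACS and keep one legacy server as a backup; facilities keep the old pair.
aaa group server tacacs+ DATACENTER
 server name ACS-DC-NEW
 server name ACS-LEGACY-1
aaa group server tacacs+ FACILITIES
 server name ACS-LEGACY-1
 server name ACS-LEGACY-2
!
! Named method lists. 'local' is tried only on ERROR (no usable answer from
! any server in the group), never on FAIL (a server rejected the login).
aaa authentication login DC-LOGIN group DATACENTER local
aaa authorization exec DC-EXEC group DATACENTER local
aaa accounting exec DC-ACCT start-stop group DATACENTER
!
! Do not use 'none' as the last method: it fails open when the servers are down.
! aaa authentication login DC-LOGIN group DATACENTER none
!
! Emergency account that only becomes usable when DATACENTER is unreachable.
username emergency privilege 15 secret PLACEHOLDER-PASSWORD
!
line vty 0 4
 login authentication DC-LOGIN
 authorization exec DC-EXEC
 accounting exec DC-ACCT
 transport input ssh
```

A device that suddenly accepts only its local credentials, as in this post, has therefore taken the error path, not the reject path. `test aaa group DATACENTER PLACEHOLDER-USER PLACEHOLDER-PASSWORD new-code` exercises the group from the router without a login session, `debug tacacs` shows whether requests time out or replies are discarded (a shared-key mismatch typically shows up as a discarded reply rather than as a rejection, which is why it silently falls through to local), and the ACS Failed Attempts report named in the reply above shows what, if anything, reached the server.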

  • Where does the ACS server get the DNS info for the IP pools?

    I'm changing the DNS servers that my VPN users are assigned from the IP pools on the ACS server. Where do the IP pools get the DNS server information? I changed the DNS IP addresses on the Windows server and rebooted, but VPN clients are still assigned the old DNS servers.

    ACS IP pools do not carry the DNS server information.

    It is either passed from the group setup on the VPN concentrator, or

    it has to be sent from the ACS user/group setup > RADIUS (VPN 3000) attributes > [026/3076/005] Primary DNS.

    I hope this helps.

    Regards

    Rohit

  • Cannot restore the ACS server

    Hi all

    I was trying to restore the configuration from a TFTP server repository, but it fails.

    VIC-acs01/admin# restore ACE-Config-160922-1542.tar.gpg repository acs
    Restore requires a restart of ACS services. Continue? (yes/no) yes
    Starting restore. Please wait...
    % Restore in progress: Starting restore... 10% completed
    % Restore in progress: Retrieving backup file from repository... 20% completed
    gpg: decrypt_message failed: Unknown system error
    tar: This does not look like a tar archive
    tar: backup/appcomponent/db/acs.db: Not found in archive
    tar: backup/appcomponent/db/acs*.log: Not found in archive
    tar: Exiting with failure status due to previous errors
    % Restore in progress: Decrypting backup data... 25% completed
    % Error: Unable to complete ACS restore: decryption of the backup file failed (incorrect encryption key or corrupted repository download)

    VIC-acs01/admin# show restore history
    Thu Nov 10 20:06:16 PST 2016: restore ACE-Config-160922-1542.tar.gpg repository repository: error - acs script error
    Thu Nov 10 20:19:37 PST 2016: restore ACE-Config-160922-1542.tar.gpg repository repository: error - acs script error
    Thu Nov 10 20:28:36 PST 2016: restore ACE-Config-160922-1542.tar.gpg repository repository: error - decrypt failed
    Thu Nov 10 20:30:11 PST 2016: restore ACE-Config-160922-1542.tar.gpg repository repository: error - decrypt failed
    Thu Nov 10 20:34:00 PST 2016: restore ACE-Config-160922-1542.tar.gpg repository repository: error - decrypt failed
    VIC-acs01/admin#

    VIC-acs01/admin# sh run | b repo
    repository repository
     url tftp://10.10.79.13/
    !

    VIC-acs01/admin# sh repository repository
    % Protocol can't list directories
    VIC-acs01/admin#

    Any help would be appreciated.

    FC

    Hey FK,

    Yes, you can add another repository.

    Kind regards

    Kanwal

    Note: Please rate if useful.

  • A new iSCSI datastore (disk/LUN) appears in Inventory > Datastores, but is not available for quick vMotioning...

    Hello

    We have added a new iSCSI datastore (disk/LUN).

    This new datastore appears in Inventory > Datastores, but is not available for quick vMotioning or for creating a new virtual machine.

    Did we miss a step?

    Ty

    r

    The reason is that the datastore is not presented to all hosts in the cluster. When you create the VM in vCenter Server, only datastores visible to the host on which the virtual machine is created are displayed.

    Make sure the presentation on your storage system is correct and rescan your hosts.

    To check the above, take a look at Configuration > Storage for the hosts.

    André

  • Server not found

    EVERY Web site I click on gives me this error page on my MacBook Pro:

    Server not found

    Firefox can't find the server at www.weather.com.

       Check the address for typing errors such as ww.example.com instead of www.example.com
       If you are unable to load any pages, check your computer's network connection.
       If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    What is wrong?

    Do you have security software that could block websites?

    Try disabling IPv6 (also check other possible causes).

  • Work around for server not found problems on FF36

    I found a workaround for all people with "server not found" problems with FF36.

    If you manually set the DNS on your network adapter to an external DNS server (as opposed to your local ISP's), then the problem disappears. I set mine to use the Google DNS servers:

     Preferred: 8.8.8.8
     Alternate: 8.8.4.4

    No idea why this works, but it is 100% successful on my desktop PC, whereas before I could not connect to a Web page with FF36 without refreshing the page multiple times and a lot of frustration, although FF35 was fine and going back to FF35 was fine as well.

    Something has changed in FF36 in how it handles DNS or how it operates with certain network cards.

    It has nothing to do with add-ons, profiles or software firewalls, as I tried all these things and only the DNS change makes a difference. I even copied a full working profile and the Mozilla program files directory from my laptop, which saw no problem, and the problem still exists on the desktop, which is why I started looking at the network adapter, since everything between the working PC and the non-working one was identical.

    I hope that this will help the developers to identify the real cause of the problem and fix it in the next version.

    AG - your problem looks different; you had FF36 working.

    Whereas the problem many of us have is that when we go from FF35 to FF36 we get a lot of "server not found" errors when trying to load Web pages.

    Sometimes they load and then they stop loading, and then if you click Refresh a lot they sometimes load again, or you have to wait a minute or two and then they load.

    For some reason, using an external DNS server {see answer #698286 ~ J99} has stopped this problem completely, as does going back to FF35.

    We need a Mozilla DNS resolution expert to focus on this. [*] See my note below ~ J99. It seems to me that using an external DNS server adds some latency to name resolution, and maybe this is necessary for the network card in the PCs that encounter this issue to resolve the Web page addresses.

    Obviously something changed from FF35 to FF36 to cause this problem. I'm open to Mozilla contacting me by e-mail if they want me to try something else to help pin it down.

    *

    Edit note by John99
    Mozilla may consider this IF we are able to provide evidence to support it. We must be able to file a bug report with proper steps to reproduce (STR). Developers should be able to see the problem themselves before we can expect them to focus on this.

  • After installing version 36.0, whenever I go to a Web site I get "server not found" and I have to refresh

    After installing version 36.0 (yesterday) on the desktop and laptop, whenever I go to a site I get "server not found" and I have to refresh the site to access it.

    I checked my firewall and it is configured correctly.

    And I changed the proxy to 'no proxy'.

    Still not fixed.

    Thanks in advance.
    David

    I went back to version 35.0.1 and it seems to have solved the problem.
