[Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

Hello

I have a lot of Cisco APs connected to 2 Cisco WLCs.

On each WLC, I configured a primary and a secondary RADIUS server.

RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

ACS primary and secondary configurations are synchronized.

There is no problem between the primary WLC and the Cisco ACS servers (primary and secondary).

When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid".

The secondary WLC automatically contacts the secondary Cisco ACS, and it works fine.

Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

The two Cisco ACS are synchronized, so I should have the same error on them...

Why does the primary ACS generate this error?

Thanks for your help,

Patrick

Patrick, the shared secret mismatch could be on the WLC side, not on the ACS side.

Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

HTH

Amjad

Rating useful answers is more useful than saying "thank you".
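An added example, not part of the original thread and not Cisco's code: the Message-Authenticator check from RFC 2869/3579 (HMAC-MD5 over the Access-Request, keyed with the shared secret), showing why one client with a mistyped secret is rejected while another client passes against the same server. The secrets, user name and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579 attribute type


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user: bytes) -> bytes:
    """Build a minimal Access-Request signed as a NAS (such as a WLC) would."""
    attrs = _attr(USER_NAME, user) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = bytearray(header + os.urandom(16) + attrs)
    # HMAC-MD5 over the whole packet while the attribute value is 16 zero bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_access_request(packet: bytes, secret: bytes) -> str:
    """Return 'valid', 'invalid', 'missing' or 'malformed' for one request."""
    if len(packet) < 20:
        return "malformed"
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return "malformed"
    pos, offset = 20, None
    while pos < length:
        if pos + 2 > length:
            return "malformed"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return "malformed"
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "malformed"
            offset = pos + 2
        pos += attr_len
    if offset is None:
        return "missing"
    received = packet[offset:offset + 16]
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


def demo() -> dict:
    """Constructed scenario: one server secret, two clients, one with a typo."""
    server_secret = b"constructed-secret-1"
    primary = build_access_request(b"constructed-secret-1", 1, b"constructed-user")
    secondary = build_access_request(b"constructed-secret-l", 2, b"constructed-user")
    return {"primary_wlc": verify_access_request(primary, server_secret),
            "secondary_wlc": verify_access_request(secondary, server_secret)}
```

The server's secret is the same for both requests; only the secret stored on the second client differs, which is the situation the answer above points to.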


Similar Questions

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120, and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.

    I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

    Now, when I log into ACS and search for devices in the identity store sequences, I am not able to get Server Token RSA.

    Let me know what went wrong and where I can fix it, and also please tell me what the communication between the RSA and ACS is.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing submit, what happened? Was the RSA instance created OK?

    If you go to

    Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

  • [Cisco ACS 5.2] EAP - TLS authentication failure

    What we are e

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

    In the configuration of the ACS, we checked the option "enable EAP-TLS Session resume" with the session timeout "7200".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem but the reboot does not work in my case...

    It is fixed in 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must be fixed in 5.4.

    Even if the same issue appeared with 5.4, it would have a different bug ID and be identified as an independent issue (usually with different causes).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco ACS and the domain controller

    Hello

    We are currently using the Cisco ACS 3.2.3.11 solution engine and using a Windows domain as a remote agent controller.

    We now have the ACS to 4.1

    1. do I need to upgrade the remote agent on the domain controller as well?

    2. any computer on the network can be used as a Distribution Server?

    3. after an initial backup and upgrade then to 3.3.3.3 I make another backup before the upgrade to 4.1?

    You can use any PC in the network as a Distribution Server.

  • At the opening of the various programs I get the error message 'extended attributes are incompatible' and "Consent UI has stopped working" in windows vista.

    Original title: extended attributes

    I started getting the following errors with various programs "extended attributes are incompatible" and "Consent UI has stopped working". I tried to do a system restore but get error inconsistent attributes for 'rstrui.exe '. I also had the message to ShellExecuteEX.exe when you try to install an application and even trying to download the Windows 7 Upgrade advisor. Just to check, I tried to run msconfig from the start and even gives me the message attributes. I am running Vista Home Premium with Service Pack 2 installed. Advice please. Thank you, Roger P

    Hi Roger P.

    · When did the issue start?

    · Do you remember making any hardware or software changes to the computer before this problem?

    · What antivirus application is installed on your computer?

    Method 1:

    You can try to run a SFC scan and check.

    This problem may occur if a system file is missing or damaged.

    You can refer to the method-the System File Checker tool in the following article:

    How to use the System File Checker tool to fix the system files missing or corrupted on Windows Vista or Windows 7

    http://support.Microsoft.com/kb/929833

    I suggest you to follow these steps and check if that helps.

    Method 2: Try to run the Windows recovery option System Restore.

    What are the system recovery options in Windows Vista?

    http://Windows.Microsoft.com/en-us/Windows-Vista/what-are-the-system-recovery-options-in-Windows-Vista

    It could be useful!

  • Limit of Cisco ACS 4.2 Max Auth/authentication devices.

    Hi guys.

    Can someone tell me how many devices an ACS 4.2 can work with using TACACS+?

    Is there a limit? And if there is, what is it and where does Cisco publish it?

    I have spent a whole morning searching for the info, without success.

    Ty in advance.

    Carlos.

    Hello

    I did a search for it, and after that I found that the ACS 4.2 solution can support up to 35000 devices. Here is the link where I got the information:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5712/ps5338/qa_c67-453393.html

    A Cisco Secure ACS appliance server at least follows the same performance of the scalability of a server based on Windows Cisco Secure ACS. Cisco Secure ACS guidelines and performance analysis show that each ACS server can support anywhere from 20 000 to 80 000 users per server and can evolve to support up to 35 000 devices, according to configuration scenarios, the platform and its use

    In-house but we have also seen that it is recommended to use a 500 by NDG.

    I hope this helps.

    Thank you

    Waris Hussain.

  • Cannot install the program, the error message: Server error 145905 [invalid header] communications failure

    Original title: communication failure 145905 [invalid header]

    When you try to install a program I always get this error each time message: Server error 145905 communication failure [invalid header] would appreciate any help that anyone can provide. Thank you.

    Hello

    Which application are you trying to install?

    I suggest you follow these methods and check.

    Method 1: Run the hotfix to correct the following problems with programs that cannot be installed or uninstalled

    http://support.Microsoft.com/mats/Program_Install_and_Uninstall/

    Method 2: Perform the clean boot, try to install application.

    Follow the suggestions of this link.

    http://support.Microsoft.com/kb/310353

    NOTE: Once you check the functionality, follow the suggestions under steps to configure Windows to use a Normal startup state.

    If the problem is specific to the program, I suggest you please contact the manufacturer of the program for utilities.
     

    I hope this helps!

  • I used the system repair program, it says it succeeded, but I get the same message... "invalid partition table".

    I worked on this for 2 days now and I don't know what to do. I have never had any bad problems with my computer far. I did not have my original installation cd and don't know anyone to borrow an of. I get as far as... choose my operating system and the box is empty. I am lost at this point. Help, please.

    Thanks in advance.

    I just looked at the link you have provided previously. Good information. I get into the BIOS and I have this info. I agree with you that I should get comfortable or pay someone who is. Laughing out loud!!! I've contacted the information I have and see where that gets me. When I put the discs I get to where it asks 'where I want to install windows. The box is empty... no location. Bottom of the screen says 'no found record', ' click on load a driver to provide a disk for installing mass storage. I can't go any further.

    It sounds like when you get into the BIOS, there may be no drive listed.  A hardware failure is likely.

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have version 4.2 on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    The Windows 2003 server is part of the domain; and on the ACS, I go to External Database > Database Configuration > Windows Database > Configure.

    From there, I chose my domain name and selected "devices the EAP-TLS Machine authentication". I've also mapped the domain to the group I created in ACS.

    I am also looking at the default RADIUS ports 1812 and 1813 on the ACS.

    On my WLC 5508, I created a WLAN and defined the RADIUS IP as the IP address of the ACS. However, I tried to join the wireless network. It keeps the default.

    I installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to my AD/NPS, my test laptop was able to join the wireless network through EAP-TLS.

    I'm a little confused about TACACS+ on the ACS. Is TACACS+ only used for logging in to network devices for management, or can it be used for regular users for authentication and authorization?

    For example, a wireless user who is part of the domain needs to join the corporate wireless network in his office. Can I use TACACS+ for it, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes it's true, and it applies as well in Wired.

    On the ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuration of WLC and ACS for the RADIUS settings.

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the listed link below to install the certificate on ACS 4.2

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Do rate useful posts *

  • Using several RADIUS servers for authentication

    Hello.

    I want to set up PPTP on my router, and I wonder if it is possible to use multiple Windows IAS servers on a Cisco router?

    The scenario is that I have more than one business using this PPTP connection, and they all have their own AD on their own VLAN. I would like the router to forward the authentication request containing the username and password to all the Windows IAS servers that I specify, or go through them one at a time until it receives an answer.

    Is this possible?

    Best regards Tommy Svensson

    Tommy,

    This is not possible, because if a RADIUS server receives a user name, it will simply reject the user and send this response to the Cisco router. The RADIUS protocol does not send any message to warn the router that the user is not present in its database.

    I know that with ACS, if a username is sent with a special domain, ACS can proxy the communication between the ACS server and the Cisco router based on the user name.

    I hope this helps.

    Tarik

  • Recivied 3D traced to the radius of mapped memory paged Error Message (5070::0)

    Received "3D traced to the RADIUS Message error paged memory mapped for Raytracer. Try to update the CUDA driver.  (5070::0)". I do not have an NVIDIA card; I have an ATI Radeon 4870, so the CUDA driver should not apply.

    Hi Fox 13,

    JOHN PIERCE wrote:

    Received "3D traced to the RADIUS Message error paged memory mapped for Raytracer. Try to update the CUDA driver.  (5070::0)". I do not have an NVIDIA card; I have an ATI Radeon 4870, so the CUDA driver should not apply.

    See this blog: do not install drivers NVIDIA CUDA on computers with AMD graphics processors

    If you update to after effects CC 2014 or later, you should not see this warning. Let us know if this is the case.

    Thank you

    Kevin

  • Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

    Hello

    I have set up Cisco NAC in my environment. It all works well. The users themselves get authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to Cisco ACS for the user database part. That all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. Either I'm doing something wrong, or this configuration of mine does not support downloadable ACLs? Please kindly advise.

    Kind regards

    RAM


    Hello

    It is not possible.

    You cannot push the ACL in the NAC manager.

    If you do RADIUS authentication on the NAC Manager, what you can do is create roles on the NAC Manager, and on the roles you define traffic policies.

    Using the Radius attributes you can then map users to roles.

    Please, take a look at this:

    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Configuration of the Cisco ACS Radius

    Hello

    I'm trying to set up RADIUS authentication on Cisco ACS but short question. When I set up my network device group in the configuration of the AAA client as one of ray device groups, my authentications fail with the authentication failure code "CS invalid password", but when I change my device group to "Unassigned", everything starts working.

    On my AAA client, when authentication fail, I see

    Server RADIUS audit package fails:

    Please note that the AAA client is a non-cisco device.

    Any suggestions?

    It seems that you run ACS 4.x. You are facing this problem because the key set at the NDG level (network device group XYZ in your case) overrides the key at the AAA client level.  Please make sure that you don't have a different secret key on the AAA client inside the NDG and on the NDG itself.

    "Unassigned" is working because it has no key defined in the NDG.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738

    "Each device that is assigned to the network device group will use the shared key you enter here. The key that was assigned to the device when it was added to the system is ignored. If the key entry is null, the key of the AAA client is used."

    ~ BR
    Jatin kone

    * Do rate useful posts *

  • Unable to send accounting messages in RADIUS protocol format from Cisco ISE to FortiGate RSSO

    Hello

    I am working to get my Cisco ISE to send FortiGate RSSO (RADIUS single sign-on) accounting messages to the FortiGate firewall. I tried adding the FortiGate to the remote logging targets and added the FortiGate under the logging categories (accounting & RADIUS Accounting). In doing so, I ran a Wireshark capture and found that the ISE sends accounting messages to the FortiGate in SYSLOG format. I need ISE to send the accounting information in RADIUS format for RSSO to work on the FortiGate firewall.

    I already had this working using a Windows server (NPS) RADIUS. So based on what I did in Windows, I tried to reproduce the same thing on the ISE. I added the FortiGate as an external RADIUS server. I added the RADIUS server sequence with RADIUS attribute as a class and I have a key in a custom for her string. I've also matched the same attribute on the FortiGate. And then, selecting "use Proxy Service", I added an authentication policy (which uses the RADIUS server sequence I created) instead of "Licensed protocols". I moved this policy to the top.

    Then, I created a permission for the same policy. In the results of the authorization profile--> authorization policy, I added the attribute class. But every time that I add here, after registration, the attribute class is sitting next to the ASA VPN.

    Please confirm if my settings are OK or whether there is another way to get ISE to send accounting messages in RADIUS format to the FortiGate.

    PS: I only need to pass accounting logs and have no need to send the authentication requests. There was an option on the Windows RADIUS server where I could specify that authentication should happen on the Windows RADIUS server and accounting information be sent to the remote RADIUS server group.

    Any help with this is appreciated.

    Best regards

    SSK

    I am facing the same problem to send Radius accounting information to a Web proxy to perform filtering of content / granularity. Does anyone have any news about this? Maybe a Cisco support person.

    Rgds,

    Vanderlei

  • How 2 Configure ACS 4.2 to delegate authentication to the radius server

    Hello

    We need to run the following scenario:

    Cisco VPN client (or any connect, Cisco SSL VPN client)---> Cisco ASA 5520---> Cisco ACS 4.2---> CAT Authentication Server

    The CAT authentication server is a Radius server. It can receive Radius authentication requests and respond. It is used for strong authentication TFA WBS similar to RSA OTP tokens.

    The question is: how we set up the 4.2 ACS to delegate authentication request to another Radius server.

    Thnx

    Add the RSA server as an external database, configure the drop user profile or a group to authenticate on the new external database rather than ACS DB Local (or Windows DB).

    Easy as pie!

    Please rate if this is useful.
