Cisco ACS 4.2 internal error

Good evening. I have a problem with ACS 4.2 and AD: on authentication from a PC I get an internal error. In RDS.log, I have this line:

Error authentication UDB_NT_UNKNOWN_ERR (DOMAIN)------(USERNAME) - no response sent to the NAS

I already checked for physical layer problems; dot1x is configured on the switch and the CiscoSecure remote agent is installed.

Hello

Does Auth.log also show "Windows authentication FAILED (error 6L)" at the same timestamps as the RDS failures?

Also, what version of ACS (including the patch) are you using? Is your AD running on Windows Server 2003, 2008 or 2008 R2?

NOTE: Remember that 2008 R2 AD is not supported by any 4.x version of ACS.

Also, make sure that you have complied with the following requirements:

http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/Rawi.html#wp311476

Check which applies to you, as there are two options: Windows member server or Windows domain controller.

Kind regards.


Similar Questions

  • ACS 4.2 - internal error

    Since yesterday, the failed authentication log is showing Internal Error when people attempt to authenticate using their AD credentials.  Until a few weeks ago, the ACS server (Windows 2003 SP2) was configured with two domain controllers/DNS servers: one was Win2003 and the other was Win2008.

    The Win2003 controller was demoted and replaced by a 2008 R2 controller, but this internal error problem appeared only yesterday.

    If I restart the ACS server, normal authentication using AD recovers for a short period of time, but then the problem reappears.

    Any ideas?

    Hello

    The following link describes the migration of ACS 4.2 to 5.2 ACS.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/migrate.html

    I hope this helps.

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • Cisco ACS SE "set ip" error: could not set up new NETWORK card configuration.

    Hello

    I get the error "error: could not set up new NETWORK card configuration." when I try to set the IP on the ACS SE.

    When I re-imaged the device and tried to do an initial installation, the IP did not hold after the restart and went back to the default value.

    I went through NetPro and apparently it is a common problem. One person solved it by re-imaging the unit, but that has not worked for me.

    Is anyone out there with a solid solution? I use NIC 1, FYI.

    EDD.

    Ed,

    Please make sure that the ACS is connected to an active Ethernet connection before setting or changing the IP address of your ACS SE.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.0/installation/guide/appliance/admap.html#wp1109621

    Kind regards

    ~ JG

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between the primary WLC and the Cisco ACS servers (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid".

    The secondary WLC then automatically contacts the secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

    The two Cisco ACS are synchronized, so I should have the same error on them...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the radius primary server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".
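Added example (not from the thread and not Cisco's code), illustrating the "11036" thread above: the Message-Authenticator attribute is an HMAC-MD5 over the whole packet keyed by the shared secret (RFC 2869 / RFC 3579), so a server with synchronized configuration still rejects a client whose own copy of the secret differs. The secrets, user name and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 / RFC 3579, value is 16 octets


def _attr(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret: bytes, identifier: int,
                         request_authenticator: bytes, user: bytes) -> bytes:
    """NAS side (here: a WLC): sign the packet with the locally configured secret."""
    attrs = _attr(USER_NAME, user) + _attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    unsigned = header + request_authenticator + attrs
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return unsigned[:-16] + mac  # Message-Authenticator is the last attribute


def message_authenticator_offset(packet: bytes) -> int:
    """Return the offset of the 16-octet Message-Authenticator value."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return pos + 2
        pos += attr_len
    raise ValueError("no Message-Authenticator attribute")


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the secret stored for this client."""
    off = message_authenticator_offset(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)


if __name__ == "__main__":
    # Constructed values: one secret on the server, two independently configured WLCs.
    server_secret = b"constructed-secret"
    ra = bytes(range(16))
    for name, wlc_secret in [("primary WLC", b"constructed-secret"),
                             ("secondary WLC", b"constructed-secert")]:
        pkt = build_access_request(wlc_secret, 7, ra, b"testuser")
        ok = verify_message_authenticator(pkt, server_secret)
        print(name, "accepted" if ok else "rejected: invalid Message-Authenticator")
```
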

  • Problem with certificate on Cisco ACS

    We want to authenticate our internal wireless users using our Cisco ACS running 5.3.  ACS queries our Active Directory environment for the user name and password provided.  I created a CSR on ACS and provided it to Entrust.  They gave me a root, chain and server certificate.  I've linked the server certificate to the CSR under System Administration > Local Server Certificates > Local Certificates.  I then added the chain and root certificates under Users and Identity Stores > Certificate Authorities.  When I try to connect from a laptop client, it asks for a user name and password, but after entering this information, I am presented with the certificate warning below.  This certificate is from Entrust and I see the root certificate in the root store on the laptop.  Any ideas what would cause this?  TAC does not seem to have all the answers.  They say it's a problem with the client machine.

    In case you want to check your configuration settings.

    http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Cisco ACS 4.1 with external AD for authentication

    Hello

    We have just configured a Cisco ACS 4.1 Solution Engine and are using a Windows 2003 domain controller as the remote agent. We use TACACS+ as the protocol.

    Users that are created in ACS itself are able to connect to various network devices, but users in the domain (Active Directory) cannot connect. We get the access denied message. At the same time we get an "external DB is not operational" message in ACS.

    On the Active Directory server where the agent runs, in CSWINAgentlog, we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

    Could you please help us to isolate the problem.

    Thank you & best regards

    Make sure that the version of ACS and the remote agent software is the same. Also, the account running the remote agent must have special domain administrator rights, like "act as part of the operating system" and "log on as a service".

    Kind regards

    ~ JG

  • CSM (Cisco Security Manager) 4.10 error discovery of ASA with service-policy

    Hello

    I have a problem with CSM 4.10 and ASA. When I try to discover an ASA in CSM I get two internal errors:

    Failure of the policy of discovery: com.cisco.nm.vms.discovery.DiscoveryException: internal error

    Exception, important political group: id = 7992934205670, type = PG firewall. InspectRule, name = .fw - namePG.FIREWALL.InspectRule.

    If I remove the global "service-policy global_policy" line, everything works fine.

    I tested ASA 5505 (7.2.5) and ASA 5512 X (9.1.6.11).

    Any suggestions?

    Hello

    You can try the following solution. Please make a backup of the CSM database before applying it, just in case.

    1. Stop the daemon manager.

    2. Reset the password for the database "vms".

    To do this, open a command prompt in the CSCOpx/bin directory and issue the following command: 'perl dbpasswd.pl dsn=vms npwd=admin'

    * This resets the DB password to "admin".

    3. Connect to the DB using the utility program.

    4. Run the following query.

    5. Validate the changes:

    Type 'make' in the utility and press "run".

    6. Close the utility tool, and then restart the daemon manager.

    I would like to know how everything goes, and in case the issue persists, open a case with TAC.

  • Cisco ACS to ISE migration tool

    Hi all.

    I am trying to migrate from ACS 5.3 to ISE 1.2 in our lab using the migration tool, and I get this error:

    D:\migTool>migration.bat
    log4j: WARN no such property [encoding] in com.cisco.acs.positron.migration.utils.Log4jTextAreaAppender.
    INFO [main] MigrationApplicationDriver.main:56: applies from the main method.
    Exception in thread "main" org.springframework.beans.factory.BeanDefinitionStoreException: cannot read the candidate class component: file [D:\migTool\bin\com\cisco\acs\positron\migration\gui\components\treetable\JTreeTable.class]; nested exception is java.lang.ArrayIndexOutOfBoundsException: 3145
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:237)
    at com.cisco.acs.positron.migration.MigrationApplicationDriver.main(MigrationApplicationDriver.java:61)
    Caused by: java.lang.ArrayIndexOutOfBoundsException: 3145
    at org.springframework.asm.ClassReader.readClass (unknown Source)
    at org.springframework.asm.ClassReader.accept (unknown Source)
    at org.springframework.asm.ClassReader.accept (unknown Source)
    at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
    at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:82)
    at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:76)
    at org.springframework.core.type.filter.AbstractTypeHierarchyTraversingFilter.match(AbstractTypeHierarchyTraversingFilter.java:105)
    at org.springframework.core.type.filter.AbstractTypeHierarchyTraversingFilter.match(AbstractTypeHierarchyTraversingFilter.java:76)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.isCandidateComponent(ClassPathScanningCandidateComponentProvider.java:280)
    at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:214)

    Hello Juan Carlos.

    If your query is resolved, then mark them as response.

    Thank you

  • Cisco ACS installation problem

    Hello everyone.
    I am installing Cisco ACS 4.2 on Windows 2008 64-bit and get a very strange error during installation. V: ismg_israel_acs it gives some encryption error.
    Can someone who has encountered the same problem please help me with this? My project is stopped because of it.
    Thanks in advance.

    Sent by Cisco Support technique Android app

    Hi Rizwan,

    If you're upgrading from some previous ACS version then I think you get something like this: V:\ismg_israel_acs\Acs\Crypto\init.cpp

    You need to locate the old CryptoAPI container used by ACS, which may still be on the system.  This is normally located in C:\Documents and Settings\<username that installed ACS>\Application Data\Microsoft\Crypto\RSA.

    There will be one or more files with very long hexadecimal filenames. You must identify the right one.

    Open a command prompt in that folder and type "findstr /I CiscoSecure *.*". The file name that appears should be the old ACS container.

    Let me know if you are able to find any such file.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Cisco ACS 5.2 VMware 'Management' process hangs

    Hello

    We recently purchased Cisco ACS 5.2 for VMware, to be installed on VMware ESXi 4.1.  However, after commissioning the virtual machine with the requirements set out in the Cisco installation guide, ACS is unable to start properly.

    We don't get any visible error messages, but when checking the ACS processes, I see that the 'management' process is stuck in the "initializing" state.

    Any ideas how to solve this problem?

    Thank you

    Gilbert

    ESX 4.1 is not supported with ACS 5.1

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/device_support/sdt52.html#wp75825

    Virtual Machine requirements

    The minimum configuration for the virtual machine must be similar to the hardware configuration of the server series CSACS-1120.

    Table 6-1 lists the minimum system requirements to install ACS 5.2 on a VMware virtual machine.

    Table 6-1. Minimum system requirements

    Type of requirement    Minimum requirements
    CPU                    Intel Core2; 2.13 GHz
    Memory                 4 GB of RAM
    Hard drives            500 GB of disk storage
    NIC                    1 GB network interface
    Hypervisor             VMware ESX 3.5 or 4.0

    Installation of ACS 5.2 on VMware

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_vmware.html#wp1057864

    Kind regards

    Jousset

  • [Cisco ACS 5.2] EAP - TLS authentication failure

    What we are e

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session ticket but the session was not properly resumed by ACS...

    In the ACS configuration, we checked the option "Enable EAP-TLS Session Resume" with the session timeout "7200".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem but the reboot does not work in my case...

    It is fixed in 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 should be fixed in 5.4.

    Even if the same issue appears with 5.4, it will have a different bug ID and be identified as an independent issue (with different causes, usually).

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • Installation of Cisco ACS 5.4

    I am setting up Cisco ACS 5.4 for my org. The way I have it set up, ACS passes authentication to a RADIUS server. The problem is that it does so for both the user password and the enable password on each account. Is there a way to configure ACS to look locally in its internal identity stores for the enable password but keep passing the user part to RADIUS?

    Hi Jessica,

    I went through your query and it seems that you would like login authentication to be checked against another external RADIUS server (RADIUS proxy server), while the enable password is verified against the one configured locally on ACS.

    I don't think that if this cannot be done with the Protocol radius with TACACS+, however we can use service attribute and that you can set in the identity > selection if the service corresponds to point of AD database connection or if the matches allow it to point to the internal database based on rules. I've attached a screenshot of the same thing for your reference. The source of identity could be anything configured databases.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Cisco ACS 5.3 Newbie

    Hi guys,

    I'm looking to implement Cisco ACS 5.3 for MAC address based VLAN assignment on a 2960 switch.

    Has anyone done this before? Basically what I want is:

    1. Have a list of the devices specified in the ACS with their MAC address

    2. Connect the switch to ACS

    3. When a device is plugged in, the switch should check with the ACS on what VLAN the host must be on.

    Thank you.

    In ACS, you must configure to authenticate by using the 'internal hosts' (which is the database of the mac address) and authorize using 'profiles of authentication' (this is where you configure what VLAN to use)

    If you are a beginner I recommend you test authentication only. If all goes well, you can add the permission.

    ON the side of the switch, you need to configure something like this

    aaa new-model

    radius-server host x.x.x.x key PASSWORD
    radius-server vsa send authentication

    aaa group server radius ACS
     server x.x.x.x
    !
    !
    aaa authentication dot1x default group ACS
    aaa authorization network default group ACS
    aaa accounting dot1x default start-stop group ACS

    interface GigabitEthernetX/X
     mab
     authentication order mab
     authentication port-control auto
     dot1x pae authenticator

    Please rate if this can help

  • Selection rule for the 5.2 Cisco ACS Service

    Hello dear,

    I'm trying to configure Cisco ACS 5.2 for Dot1x authentication for clients on Windows 7 and Windows XP. I did all the steps but I could not create the Service rule; it gives me an error message that you can see in the attached screenshot.

    After that I specify the allowed protocols it gives me the choice to choose the choice of identity and the is ' t it give me this error.

    your help is very appreciated.

    Kind regards

    Ibrahim

    Try another browser like Hussam suggested and let us know the results.

    I updated FireFox to 15.0.1 and now I am not able to manipulate many parameters with ACS 5.3
    Version of this browser is extremely stupid with ACS 5.x, but it shows not all message boxes. It just does not display the page when you click on the link.

    If different browsers show the same question, I would say that you restart the machine (physical or virtual) completely and try again.

    It is also best to upgrade to the latest patch, if this is not already the case.

    Greetings,

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • Internal error 2738 of VPN client

    Hello.

    I get internal error 2738 on uninstall. How do I fix the error?

    Thank you.
    Sent by Cisco Support technique iPad App

    That's nice.

    Good day

    Rate helpful messages
