Cisco ACS authentication issues

Hi all

I have just set up ACS for Windows Server, running version 4.1. I am having authentication problems. In the ACS GUI it is set up to use TACACS+ to authenticate the AAA clients. I have the key on the switch and the corresponding key on the ACS server. I have set up users. Here is my AAA config on the switch...

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

Here is the debug tacacs output on the switch:

183757: Sep 2 10:14:22.131 EDT: TAC+: send AUTHEN/START packet ver=192 id=2789804961
183758: Sep 2 10:14:22.131 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183759: Sep 2 10:14:22.131 EDT: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
183760: Sep 2 10:14:22.135 EDT: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
183761: Sep 2 10:14:22.135 EDT: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
183762: Sep 2 10:14:22.335 EDT: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
183763: Sep 2 10:14:22.335 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 128683
WC2950-12#
183764: Sep 2 10:14:22.335 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
183765: Sep 2 10:14:22.335 EDT: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
183766: Sep 2 10:14:22.339 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
183767: Sep 2 10:14:22.339 EDT: SSH1: password authentication failed for wcromwell

I have the same keys on the AAA server as I do on my switch...

Thank you

Please check the shared secret key on the NDG (Network Device Group) and on the individual AAA clients. The NDG key overrides the AAA client key.

Make sure you have the right key in NDG >

Kind regards

~ JG

Rate useful posts.
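The "check keys" line in the debug above is the switch failing to decode the ACS reply with its own key. The following Python is an added example, not code from the original post or from Cisco: it implements the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad XORed over the body) and parses an AUTHEN REPLY the way a NAS does. The session id is the one from the debug output; the keys, the candidate-key names and the assumption that the server answers an undecodable START with an empty ERROR reply are constructed for the example. Decoding a 6-byte reply built under one key with a different key reproduces the "length = 6, expected N" diagnostic, and trying the NDG key and the per-client key against a captured reply tells you which one the server actually used.

```python
"""TACACS+ (RFC 8907) body obfuscation and REPLY parsing.

Added example: shows how a shared-key mismatch turns into the
'received bad AUTHEN packet: length = 6, expected N' and
'Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)' lines
seen in 'debug tacacs'. Keys and names below are constructed.
"""
import hashlib
import struct
from typing import Dict, Optional

HDR_LEN = 12                 # version, type, seq_no, flags, session_id(4), length(4)
TYPE_AUTHEN = 0x01
VERSION = 0xC0               # major 0xC, minor 0 -> printed as 'ver=192' by debug tacacs
FLAG_UNENCRYPTED = 0x01      # body sent in the clear; never enable this in production
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07
SESSION_ID = 2789804961      # the id= value from the debug output in the post


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: pad_1 = MD5(sid||key||ver||seq),
    pad_i = MD5(sid||key||ver||seq||pad_{i-1}), truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int, flags: int = 0) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    encrypts and decrypts. The header (session id, seq_no, length) is never encrypted."""
    if flags & FLAG_UNENCRYPTED:
        return body
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def authen_reply_body(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) server_msg data."""
    return struct.pack("!BBHH", status, 0x00, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(packet: bytes, key: bytes) -> dict:
    """Decode a REPLY the way a NAS does. With the wrong key the two length fields
    decode to garbage, so the consistency check fails with the text IOS prints."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HDR_LEN])
    if version >> 4 != 0xC or ptype != TYPE_AUTHEN:
        raise ValueError("not a TACACS+ authentication packet")
    body = obfuscate(packet[HDR_LEN:HDR_LEN + length], session_id, key, seq_no, flags)
    if len(body) < 6:
        raise ValueError("truncated AUTHEN REPLY")
    status, _rflags, server_msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + server_msg_len + data_len
    if expected != length:
        raise ValueError(f"received bad AUTHEN packet: length = {length}, expected {expected}")
    server_msg = body[6:6 + server_msg_len]
    return {"status": status, "server_msg": server_msg, "data": body[6 + server_msg_len:expected]}


def key_that_decodes(packet: bytes, candidates: Dict[str, bytes]) -> Optional[str]:
    """Try each configured key (e.g. the NDG key and the per-client key) against a
    captured REPLY and report which one yields a self-consistent body."""
    for name, key in candidates.items():
        try:
            parse_authen_reply(packet, key)
            return name
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed scenario: the server answers with an empty ERROR reply (6-byte body)
    # under the NDG key, while the switch was configured with the per-client key.
    reply = build_packet(authen_reply_body(STATUS_ERROR), SESSION_ID, b"ndg-key", seq_no=2)
    try:
        parse_authen_reply(reply, b"client-key")
    except ValueError as exc:
        print(exc)                      # the 'length = 6, expected ...' mismatch
    print(key_that_decodes(reply, {"aaa-client": b"client-key", "ndg": b"ndg-key"}))   # ndg
```

Because the header is cleartext, the session id and sequence numbers in a port 49 capture always line up with the debug output; only the body needs the key. If `key_that_decodes` picks the NDG key while the switch is configured with the per-client key (or the reverse), that is the mismatch the answer above describes, and the fix is to make the two entries agree rather than to reuse a key across groups.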

Tags: Cisco Security

Similar Questions

  • [Cisco ACS 5.2] EAP-TLS authentication failure


    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured for machine authentication, and the machine certificates are auto-enrolled from a Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    The first authentication works, but if I manually disconnect and reconnect, I get this error on ACS: 22047 Principal username attribute is missing from the client certificate

    In the EAP packets we could see that Windows 8 sends a TLS session ticket, but the session ticket is not properly handled by ACS...

    In the ACS configuration we checked the option "Enable EAP-TLS Session Resume" with a session timeout of 7200.

    I found this bug

    http://tools.cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem, but the reboot does not work in my case...

    It is fixed in 5.3(0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is included in 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must also be fixed in 5.4.

    Even if the same issue appeared in 5.4, it would have a different bug ID and be identified as an independent issue (usually with different causes).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the RSA ACE Server config file and exported it to the ACS 1120.

    I also added ACS as a NetOS agent in the RSA server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to a name (is that necessary?).

    I have not created any secret key file for the communication between ACS and RSA, and the encryption I used is DES.

    Now, when I log into ACS and look for the server in the identity store sequences, I am not able to see the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me how the communication between RSA and ACS works.

    Hoping you guys will help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing Submit, what happened? Was the RSA instance created OK?

    If you go to

    Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

  • Cisco ACS AD authentication

    Hello!

    I'm currently deploying Cisco ACS 5.4 on our network and I'm looking into some additional measures to secure authentication and authorization to the devices.

    I would like to ask if anyone has any advice on the following, as I may be confusing myself doing it this way.

    Users are currently authenticated against an external identity store (Active Directory). I would like to know if there is also a way to authenticate or authorize these users on ACS itself, so that when the IT department adds a user who should not be in a group, but that group is authorized to a set of devices, this user will not be able to access the devices.

    A simpler explanation is as follows.

    (The groups are fictional.)

    I have group in AD called "Engineers" that contains 2 users, user A and user B.

    Engineers have a shell profile on ACS that gives superuser permissions/privileges on the devices.

    However, Active Directory is managed by the IT department, which could be socially engineered into adding a user C to this group.

    What I need to know is a way to allow user A and user B to access the devices while keeping the shell profile tied to the AD group "Engineers."

    I am aware of the conditions in the authorization rules/profiles. Does that mean I have to create both as local users and assign their passwords as well?

    I'm a bit confused, as you can see...

    Any help will be greatly appreciated!

    Thank you!

    Because user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant root access to users A and B based on membership of the Engineers group, user C will also be granted this access.

    ACS has no way of knowing which users should be members of the Engineers group, nor can it detect that user C has been successfully added.

    If you want to use AD credentials and at the same time maintain a canonical list of users for ACS to check, you will need to create local ACS users, as you suggested above.

  • [Cisco ACS] 11036 The RADIUS Message-Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs joined to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).

    The primary and secondary ACS configurations are synchronized.

    There is no problem between the primary WLC and Cisco ACS (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 The RADIUS Message-Authenticator attribute is invalid".

    The secondary WLC then automatically contacts the secondary Cisco ACS, and that works fine.

    The Cisco ACS description for this error: "This can be caused by mismatched shared secrets."

    The two Cisco ACS are synchronized, so I should get the same error on both...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco ACS. Two-factor authentication.

    Hello.

    We intend to use the following connection scheme: Cisco ASA + Cisco ACS 5.4 + RSA SecurID.
    We use two groups on Cisco ACS. Group "A" must use two-factor authentication and group "B" does not.
    How do I create this rule?

    Use rule-based identity store selection with dap-tunnel-group-name as the selector.

    The ASA will send the tunnel-group name in the auth request.

    Example attached.

  • Cisco ACS 4.1 with external AD for authentication

    Hello

    We have just configured a Cisco ACS 4.1 Solution Engine and are using a Windows 2003 domain controller as the remote agent. We use TACACS+ as the protocol.

    Users that are created in ACS itself are able to connect to the various network devices, but domain (Active Directory) users cannot connect. We get the access denied message. At the same time we get an "external DB is not operational" message in ACS.

    On the Active Directory server where the agent runs, in the CSWinAgent log we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

    Could you please help us isolate the problem?

    Thank you & best regards

    Make sure that the version of the ACS and the remote agent software is the same. Also, the account the remote agent runs under must have special domain administrator rights, like "Act as part of the operating system" and "Log on as a service".

    Kind regards

    ~ JG

  • Renew the certificate in Cisco ACS for PEAP authentication

    Hi, we installed on the wireless client laptops a certificate created by Cisco ACS for authentication, but it's about to expire.

    How can I renew the certificate without affecting users?

    (1) We can generate a new cert but install it later.

    (2) Install the newly generated cert on the clients.

    (3) Install the new cert in ACS.

    Good plan, and it will probably work.

    Kind regards

    ~ JG

    Rate useful posts.

  • How can I use Cisco ACS to log shell commands

    Hi guys, pleeeease, how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the shell commands issued by users, and that is the most important log I need. I have read materials and downloaded articles from the Cisco site... but the thing still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands
    aaa authorization exec default group tacacs+
    aaa authorization commands 15 default if-authenticated
    aaa authorization network default group tacacs+

    ...

    It's funny: when I turn on AAA authorization debugging on the router, the debug log shows me every command being sent by the user. But nothing shows up under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS and made all the necessary settings, and I have to say I like what I see already. I am starting the process of recommending the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum; keep up the good work. I recommend the software to those who need security audit logs tailored to management reports.

    If I understand what you're asking correctly, the answer is not in authorization; it is in accounting. I set this up on my routers, and it sends to ACS the commands that privilege level 15 users enter on the router.

    aaa accounting commands 15 default start-stop group tacacs+

  • ACS authentication with Active Directory based on AD groups

    Hello

    I'm trying to integrate Cisco ACS 5.4.0.46 with AD. I successfully joined ACS to AD and have used AD authentication for network devices successfully, but my problem now is that anyone with an AD account can log in to the network devices, which compromises security. I created a group in AD that I want to use and added the group under Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups. I also chose AD1 as the identity source for Default Device Admin and, under authorization, an authorization policy that uses a compound condition with AD1 and the custom group. However, after setting all that, I am still able to log in to the switch with a user who is not in the custom group. Based on what I have explained, can someone tell me if I am missing a step?

    Thank you

    Derek Velez

    Thanks for the update and for closing the thread. Set the default rule to deny access: when a legitimate user does not match a rule set by the ACS administrator, he should get denied access. In your case it had been set to permit, so both types of user (members and non-members of the AD group) got access.

    The best way to resolve these issues is to look at Monitoring and Troubleshooting > the user's attempt > magnifying glass. You will see how this user was allowed access.

    ~ BR
    Jatin kone

    * Please rate useful posts *

  • Cisco ACS 5.5

    Hello

    I just installed Cisco ACS 5.5.0.46.  We managed to get Juniper devices to authenticate using RADIUS.

    The problem is that the authentication logs are empty.

    I intend to patch the ACS with patch 4 tonight, hoping that it fixes the problem.

    Can someone advise?

    Regards

    Vijay

    Good to hear your issue was resolved. Also, thank you for taking the time to come back and post the solution to the problem! (+ 5 from me). Now, if your issue is resolved, please check the thread as "answered" :)

  • Access to Motorola RF controller via Cisco ACS

    Hi all

    I want to be able to use remote authentication on our Motorola RF controllers using Cisco ACS 5.2. We have the ASB loaded and you can choose different user roles other than "Super User".

    The reason is that the attribute ID for the 'Super User' role is 32768, but the attribute ID field within ACS can only take 3 digits (see fig. 1 attached).

    Has anyone had any experience of this, or knows how to edit this field to allow more than 3 digits?

    Any help will be much appreciated.

    Thank you

    John

    I can see the issue you are referring to, and it does seem to be a bug; will dig to see if one exists and, if not, open one.

    A workaround would be to not use an enumeration attribute type but rather an unsigned integer.

    Then you would enter the value directly in the authorization profile rather than selecting it from a list.

  • Wireless security and authentication design questions

    Wireless newbie here... I had to quickly throw together a wireless deployment in a new office/warehouse building. I have the basic network up and working. My remote access point is associated with the 2106 in the main office, and users can associate and authenticate to the 1130G AP and access the office network. I did the basic configs and am now looking to tighten security. My questions are the following:

    (1) The user clients are Dell laptops with built-in radios. They authenticate using LEAP... How do I migrate to EAP, or do I have to? I have a Cisco ACS for RADIUS authentication.

    (2) Can I use some sort of supplicant client on the laptops?

    (3) How do I filter MACs so that rogue APs and rogue clients cannot try to associate?

    (4) Am I correct in assuming the connections between the 1130 AP and the 2106 are secure, and if so, do I need to change anything to strengthen them?

    (5) I have an AP in the main building that I want to set up to detect rogue APs. Do I associate it as a regular access point and push some kind of policy so that it becomes a detector?

    I have attached a diagram to explain. Any help would be appreciated.

    v/r

    Chad

    1. LEAP is a form of EAP, so you already have something to terminate your EAP sessions. The WLC can do that to an extent, or ACS. Which you choose will be based on your needs for rich functionality, scalability and manageability. I would say that PEAP-MSCHAPv2 offers a good compromise between ease of use and security, and that it is significantly better than LEAP.

    2. No, stick with the supplicant in Windows XP SP2. It can be configured using domain policy (2k3 SP1 or higher) and is pretty good. Just make sure your laptops have recent Intel drivers on them. Dell in particular have been pretty bad about shipping old drivers in their builds.

    3. MAC authentication is now largely considered a waste of time. It is so easy to spoof a MAC address it is ridiculous, and it is a fair amount of work for the privilege.

    4. The LWAPP tunnel encrypts all management/config/security traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if the packets are captured.

    5. Any AP will detect rogue APs; you don't really need dedicated APs unless you are REALLY paranoid. The major advantage is faster detection, but the downside is that the "detector" AP does not serve clients.

    Kind regards

    Richard

  • Problem with Cisco ACS and different domains

    Hello

    We are currently having a problem with the Cisco ACS that we put in place, and I'll try to describe it:

    We have ACS joined to AD, where we have 2 domains and the appropriate group mappings.

    Then we have our Cisco switches with the following configuration,

    aaa new-model
    aaa authentication fail-message ^CCCC
    Failed to authenticate!
    Please contact the IT Networks group for more information.
    ^C
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization network default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    aaa session-id common

    But the problem is that users in one domain can authenticate, but not those in the other. Basically, the issue is that when we check the passed authentications, both authentications show as passing and display 'Authen OK', but on the switch side there is a failure.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on the IOS device using radius-server timeout 10.

    Don't you have remote logging enabled on the ACS server?

    -Philou

  • Cisco ACS 5.8 CLI admin account lockout

    Hi all

    We recently deployed a Cisco ACS 3495 appliance running version 5.8.

    Everything seemed fine until our CLI admin account was locked out.

    Found a Cisco bug for the same problem with version 5.5, but no solution yet...

    ACS 5.5 CLI Admin account locked and no Log Message
    Has anyone out there encountered the same issue and can help advise?
    Thank you and best regards,
    NDA

    Hello

    Unfortunately, the only solution for this is the password recovery DVD.

    Once fixed, you can increase the lockout count to something greater than the Cisco default.
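The "11036 The RADIUS Message-Authenticator attribute is invalid" thread above turns on the same kind of per-peer secret mismatch as the TACACS+ case, but the RADIUS mechanism is different: the attribute is an HMAC-MD5 over the whole Access-Request keyed with the shared secret (RFC 2869 section 5.14, mandatory with EAP-Message per RFC 3579), so the server can tell a wrong secret apart from a garbled packet. The Python below is an added example, not code from the original thread, from Cisco or from the WLC: it builds an Access-Request the way a NAS does and verifies it the way a server does. The secrets, the NAS address, the user name and the Request Authenticator in the demo are constructed.

```python
"""RADIUS Message-Authenticator (RFC 2869 5.14 / RFC 3579) build and check.

Added example: an Access-Request signed with one shared secret fails
verification under any other, which is what ACS reports as 11036.
Secrets, addresses and user names below are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
MA_ZERO = bytes(16)


def eap_identity_response(identity: bytes, eap_id: int = 1) -> bytes:
    """EAP Response/Identity: code(2) id length type(1 = Identity) identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def decode_attrs(blob: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated RADIUS attribute")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute length")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(identifier: int, secret: bytes, attrs: List[Tuple[int, bytes]],
                         request_authenticator: bytes) -> bytes:
    """NAS side: append Message-Authenticator as 16 zero bytes, HMAC-MD5 the whole
    packet (code, id, length, Request Authenticator, attributes) with the shared
    secret, then overwrite the zeros with the result."""
    body = encode_attrs(attrs + [(ATTR_MESSAGE_AUTHENTICATOR, MA_ZERO)])
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the HMAC with the attribute zeroed in place and compare
    in constant time. Returns False if the attribute is absent or malformed."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    header, body = packet[:20], packet[20:]
    offset = 0
    for atype, value in decode_attrs(body):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = body[:offset + 2] + MA_ZERO + body[offset + 18:]
            expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
        offset += 2 + len(value)
    return False


if __name__ == "__main__":
    # Constructed scenario: the secondary WLC has a typo in the secret for the primary
    # ACS entry, while ACS holds the secret that was meant to be configured.
    attrs = [(ATTR_USER_NAME, b"patrick"),
             (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
             (ATTR_EAP_MESSAGE, eap_identity_response(b"patrick"))]
    pkt = build_access_request(7, b"wlc2-typo-secret", attrs, os.urandom(16))
    print(message_authenticator_valid(pkt, b"acs-shared-secret"))   # False, the 11036 case
    print(message_authenticator_valid(pkt, b"wlc2-typo-secret"))    # True
```

A server looks the secret up by the client's source address, so when only one server rejects one NAS, the secret to compare is the one that NAS holds for that particular server entry, which is the WLC-side check the answer above recommends. A server that receives EAP-Message must require a valid Message-Authenticator and drop the request on mismatch rather than fall back to processing it, otherwise the attribute protects nothing.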
