"Ghost" ACS users

I'm trying to clean up our ACS database, using csutil -i and removing users. I have a group that says "98 Group (29 users)", but when I click the 'Users in Group' button on the group configuration screen no user is listed, and if I use csutil -u to dump the list of users, it lists group 98 but with no user under it.

Also, I tried compacting the database twice using csutil -d -n -l -q and had no luck.

Has anyone seen this, or do you have any ideas on how I can remove those users who seem not to be there?

Make sure that you back up the db first... then try this.

Edit dump.txt and locate groups with a number of users. Each group has a record of #PROFILEN (where N is 0 to 500).

The default group is profile 0, and so on.

You will see a "number of users:" field that should be zero for groups with no users.

To check, search for references to this group. For example, if profile 5 was the problem one, search for "PROFILE:[TAB]5". These are all the users (there should be none) who think they are still assigned to this group. [TAB] is actually the TAB control character - csutil uses tabs as delimiters.

Good luck!
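The consistency check the answer describes, as an added example that is not part of the original post: it reads a constructed dump excerpt (the "#PROFILEN" / "number of users:" / TAB-delimited "PROFILE:" layout is assumed from the answer, not the real csutil format) and reports groups whose stored count disagrees with the users that actually reference them.

```python
import re

# Constructed excerpt in the spirit of the csutil dump.txt layout the answer
# describes (the real field names and ordering are an assumption): a group
# record "#PROFILEN" carrying a "number of users:" count, and user records
# that reference their group through a TAB-delimited "PROFILE:<TAB>N" field.
DUMP = (
    "#PROFILE0\n"
    "Name:\tDefault Group\n"
    "number of users:\t1\n"
    "#PROFILE5\n"
    "Name:\tProblem Group\n"
    "number of users:\t2\n"
    "#PROFILE98\n"
    "Name:\t98 Group\n"
    "number of users:\t29\n"
    "#USER\n"
    "Name:\talice\n"
    "PROFILE:\t0\n"
    "#USER\n"
    "Name:\tbob\n"
    "PROFILE:\t5\n"
)


def parse_dump(text):
    """Return (stored counts per profile, users actually referencing each profile)."""
    counts = {}
    members = {}
    record = None        # ("group", n) or ("user", name) for the current record
    for line in text.splitlines():
        m = re.match(r"#PROFILE(\d+)$", line)
        if m:
            record = ("group", int(m.group(1)))
            continue
        if line == "#USER":
            record = ("user", None)
            continue
        if record is None or "\t" not in line:
            continue
        key, value = line.split("\t", 1)     # csutil uses TAB as the delimiter
        if record[0] == "group" and key == "number of users:":
            counts[record[1]] = int(value)
        elif record[0] == "user" and key == "Name:":
            record = ("user", value)
        elif record[0] == "user" and key == "PROFILE:":
            members.setdefault(int(value), []).append(record[1])
    return counts, members


def ghost_groups(text):
    """Profiles whose stored user count disagrees with the users that
    reference them; maps profile -> (stored count, actual references)."""
    counts, members = parse_dump(text)
    return {n: (c, len(members.get(n, [])))
            for n, c in sorted(counts.items())
            if c != len(members.get(n, []))}


def references_to(text, profile):
    """Users still pointing at a profile (what searching 'PROFILE:<TAB>N' finds)."""
    return parse_dump(text)[1].get(profile, [])
```

A group that shows up with zero references is the "ghost" case from the question: the count is stale, and the dump (not the GUI) is where it has to be corrected before reloading.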

Tags: Cisco Security

Similar Questions

  • Unable to connect to wireless, "ACS user exceeded max sessions"

    Some corporate users are unable to connect to the company wireless.

    On the WLC, I get the following logs:

    Authentication failure AAA for UserName:dto029 user Type: USER WLAN

    On the ACS, I get the error:

    Authentic doesn't have a default group for ACS user exceeded max sessions (by default) 192.168.47.46 DTO029......

    What does "ACS user exceeded max sessions" mean? How can I solve this problem? The connection problem affects a few users, while others are able to connect.

    On the corporate SSID, Session Timeout and Client Exclusion are not enabled. The WLC version is 7.0.98.0 and the ACS version is 4.2.0.124.

    The problem is solved when the ACS is restarted. Is there a permanent solution?

    Thanks in advance.

    Hello

    The error means that the ACS group the user belongs to (or the user itself) has a "max sessions" setting, as described here:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/Overvw.html#wp826493

    ... and the user exceeds this limit.

    ACS can indeed limit the number of concurrent sessions for the same user name. This counter is based on the RADIUS accounting information received from the AAA client: the session counter is incremented when a 'Start' accounting packet is received and decremented when a 'Stop' accounting packet is received.

    If for any reason ACS doesn't receive an Acct-Stop, it won't decrease the session count, so it may indeed happen that your users exceed the max concurrent sessions allowed.

    You can check the active sessions in the ACS logged-in users report:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/LgsRpts.html#wp680304

    If you restart ACS, this info is reset, so everything works again, as you say; as an alternative, you can also use the "Purge logged in users" option on the logged-in users page, but it would be wiser to really solve this problem by checking the following:

    - Do you really need the max sessions configuration? Otherwise, you can simply disable it in the user/group configuration.

    - If you do need this limitation and the problem is related to overlapping sessions, meaning the WLC does not send the Acct-Stop because there is always a session active while a new one is created at the same time, you can consider increasing the maximum number of sessions.

    HTH,

    Federico

    --

    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
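The Start/Stop counter described in Federico's answer, replayed over constructed accounting records as an added example (not part of the original thread); the per-user limit and the record layout are assumptions. It shows how one session that never receives an Acct-Stop leaves the user at the limit, how to spot such stale entries, and what the purge does to the counter.

```python
from collections import defaultdict

# Constructed accounting records, not real WLC output. Each tuple is
# (timestamp in seconds, Acct-Status-Type, User-Name, Acct-Session-Id).
# sess-2 never receives a Stop: the "overlapping session" case from the answer.
RECORDS = [
    (100, "Start", "dto029", "sess-1"),
    (160, "Stop",  "dto029", "sess-1"),
    (200, "Start", "dto029", "sess-2"),
    (260, "Start", "dto029", "sess-3"),
    (300, "Stop",  "dto029", "sess-3"),
    (400, "Start", "dto029", "sess-4"),
    (420, "Start", "alice",  "sess-5"),
]

MAX_SESSIONS = 2   # assumed per-user "max sessions" value on the ACS user/group


def replay(records):
    """Rebuild the per-user session table the way the answer describes ACS
    doing it: Start adds a session, Stop removes it.
    Returns {user: {session_id: start_time}}."""
    active = defaultdict(dict)
    for ts, status, user, sid in records:
        if status == "Start":
            active[user][sid] = ts
        elif status == "Stop":
            active[user].pop(sid, None)   # a Stop for an unknown session is ignored
    return dict(active)


def would_reject(active, user, max_sessions=MAX_SESSIONS):
    """True if a new login for 'user' would exceed the configured limit,
    i.e. the "ACS user exceeded max sessions" condition."""
    return len(active.get(user, {})) >= max_sessions


def stale_sessions(active, now, max_age):
    """Sessions open longer than any real session should be; these are the
    entries a missing Acct-Stop leaves behind."""
    return sorted((user, sid) for user, sess in active.items()
                  for sid, ts in sess.items() if now - ts > max_age)


def purge(active, user):
    """Equivalent of 'Purge logged in users' for one user: the counter drops
    back to zero and the next login is accepted again."""
    active.pop(user, None)
    return active
```

Running stale_sessions over the real report output, rather than restarting ACS, shows whether the AAA client is simply never sending Stops or whether the sessions genuinely overlap.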

  • Several downloadable ACLs per ACS user group

    Is it possible to map several downloadable ACLs to a single user or group of users using ASA and ACS?

    For example, you have an ACL controlling access to servers (ACL A) and another ACL for internet access (ACL B). Is it possible to assign several ACLs to a group of users, so that user group A can only access the servers, while user group B can access servers and internet (ACL A + ACL B)?

    Thank you and best regards.

    George,

    The user and group settings only allow you to select a single DACL at a time.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#configuringtheserverwitfddhias

    Kind regards

    Jousset

    Please rate useful posts.

  • ACS - can user passwords be changed with the LOCAL database?

    Hi all.

    I have a Cisco ACS and I use the local user database.

    Is there a mechanism to allow the user to change his or her password?

    Thank you

    Michele

    I assume you are referring to ACS for NT/W2K. If yes, depending on which version of ACS you have, please choose the URL below and select the link for User Changeable Passwords setup.

    That should help you.

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/index.htm

    Thank you

    Christophe

  • Cisco ACS user password change?

    Hi all

    Even though I don't check the "enable password change via PEAP" setting on Cisco ACS, when a user whose domain password is about to expire tries to log on to the wireless network, they receive a popup on Windows XP saying that their password is about to expire.

    Is this normal?

    PS: Check the screenshot attached.

    ACS is not able to send these messages to wireless users.

    AD sends them.

  • AAA - ACS - users authenticating to different NDGs

    Hello...

    We have an ACS appliance integrated with MS AD and the users are authenticated successfully.

    Our requirement is that we have 3 departments with 20 switches each. I created 3 network device groups (NDGs) in ACS, one for each department, with 20 switches each.

    Now, if I create a user, it can log on to the switches of all 3 departments, since they are under the same ACS.

    I want a particular user to authenticate only with the NDG associated with his department.

    Hope my question is simple... Please share your comments.

    Thank you very much

    Jafar

    Network Access Restrictions (NAR) will work in this scenario. The best approach is to create distinct user groups for each department, then enable a shared NAR in the group properties and select the appropriate NDG in order to restrict access for these user groups.

    For example: user group Dept A will be denied access to the NDGs of Dept B and C as selected, and likewise a NAR can be applied to the rest of the user groups.

    Hope this helps

    Ahmed

  • ACS > User Configuration

    When a user authenticates in ACS v3.3, a profile is created and stored under User Configuration. When employees leave the company, we delete this profile. We use an external database, which is Active Directory.

    Questions

    (1) If the Active Directory account is disabled, will the user still be able to connect because the credentials are recorded in ACS?

    (2) Is there a way to expire these credentials, e.g. in 24 or 48 hours?

    In ACS 3.3, you can expire the account. Also, if the account is disabled and the user cached in ACS points to the Windows database for authentication, then it should not allow the user in.

    Here is where you can set how long the account is active for:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/u.html#wp273167

    Thank you

    Tarik

  • ACS user groups

    I have a problem.

    We have 2 groups created in ACS: group 1, TACACS access, and group 2, RADIUS access. Group 1 has the people that were created on the ACS server itself. The 2nd group is dynamic, for users who are allowed access through User Manager for Domains. We do not want the 2nd group to be able to access our routers and switches with their Microsoft accounts, which they can now, at least as far as the enable prompt. I wish I had 2 groups completely independent from each other. Our group 1 is used only for our administrators to have access to all of our network devices.

    I'm sure some type of filtering or IP address group could be implemented on ACS, but I'm not sure where, if this is the case.

    Can someone please help!

    Thank you!

    Matt

    You must set up Network Access Restrictions (NAR) to restrict group 2 from being able to access the routers/switches.

    Make sure the group-level NAR is checked under Interface Configuration - Advanced Options. Then go under Group 2, NAR section, check the "Define IP-based access restrictions" box, select "Denied Calling/Point of Access Locations" for the table, and then select each of the routers/switches, using a * for the Port and Address, and add them to the table.

    Anyone in Group 2 will then be refused authentication on any of the routers/switches.

  • Configuring an ACS user with read-only access to ASDM

    Hello

    How do I set up a single ACS user with read-only access to the ASA through ASDM, without permission to configure? Please help me.

    Take a look at the following link; it should answer your questions.

    https://supportforums.Cisco.com/discussion/10825871/ASDM-and-privilege-level-using-TACACS

    Please rate useful posts!

  • CS ACS user password change reminder


    We have installed a CiscoSecure Access Control System 5.2 appliance and we are facing the following technical question:

    - When we create a user in ACS (not an administrator, but a normal user for access to network devices), we set "disable the user account after n days if the password is not changed" to 90 days and "display reminder after n days" to 80 days. In the Cisco documentation (http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1131174), it says that for the "display reminder after n days" field the description is: displays a reminder after n days to change the password; valid options are 1 to 365. This option, when set, only displays a reminder. It does not prompt you for a new password. My question is this: how will the user be notified if we cannot add an email to the users, and this user only has access to network devices?

    - Users are currently disabled after 90 days because they have not received any reminder, and their passwords must be reset manually every time.

    I think there is an improvement for this in patch 5.2.0.26.2 and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (TACACS+ and RADIUS)

    After you install this patch, you get an option in the user authentication settings:

    - Disable the user account

    - Expire the password

    when the expiration period is exceeded.

    If the password is expired, the user will be asked to change the password at the next authentication.

    Note the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • How to use ACS 5.2 to create a user with a static IP address for remote access VPN

    Hi all

    I have a problem. Please help me.

    Initially, I used ACS 4.2 to create a static IP address for a remote access VPN user; it's easy, you simply configure the user > Client IP Address Assignment > assign a static IP address. But when I use ACS 5.2 I don't know how to do it.

    I'm trying to add the IPv4 address attribute to the user by reading "How to use ACS 5.2"; it says this:

    Step 1: Add a static IP address attribute to the internal user attribute dictionary:

    Step 2: Select System Administration > Configuration > Dictionaries > Identity > Internal Users.

    Step 3: Click Create.

    Step 4: Add the static IP attribute.

    Step 5: Select Users and Identity Stores > Internal Identity Stores > Users.

    Step 6: Click Create.

    Step 7: Edit the static IP attribute of the user.

    I just did this, but it isn't working. When I use the EasyVPN client to connect to the ASA 5520, the user authenticates successfully but does not get the static IP I set up on internal users, so the tunnel setup fails. I tried configuring an IP pool on the ASA for ACS users to get the IP, and the EasyVPN client connects to the ASA, everything is OK, the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to the user" configuration, EzVPN fails.

    So, what should I do? If anybody knows how to use ACS 5.2 to create a user with a static IP address for remote access VPN, please say so.

    Waiting for your answer; whether my question is right or not, please answer, thank you.

    There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instructions in the two slides attached.

  • Network device IP range in ACS 5.6 overlaps the IP subnet

    Dear Forum,

    When I configured the network device for the AAA clients, I used the IP address range 172.16.*.1 for the All_Branch_Router device; it's fine and I could connect with the ACS user from the range of IP addresses on the router.

    Now I want to configure devices with the IP range 172.16.*.2 for the All_Branch_Switch device, but I got the error message: "IP subnets overlap with those defined for the device: All_Branch_Router".

    I'm assuming that the IP range feature will not conflict with a subnet because it sees a /32 prefix. But why did I get the subnet overlap error message?
    Is this a bug?

    There was a bug in ACS 5.6 before patch 3. It was even present in patch 2, even though the notes state otherwise. From personal experience, if you install ACS 5.6.0.22.3, the bug will be solved. For reference, the bug ID is CSCut05442.

  • Cisco ACS 1113 4.2: configure authentication for an Infoblox appliance

    Hello

    I have a problem with Cisco ACS and an Infoblox appliance. We want to authenticate users logging on to the Infoblox through the Cisco ACS. After that, the ACS should respond with authentication (RADIUS) passed and answer with the administrative group name that the user belongs to on the Infoblox. To do this, I have to import a VSA so that ACS has the option to respond with this group name. On the Infoblox, these groups are already defined, and it must be that group that ACS returns.

    Now I have imported the VSA and configured an AAA client (Infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the group settings, I enabled the Infoblox-Group_info attribute and filled in a specific group name that the authenticated user belongs to. Now, here's the part where the group info is returned, but the Infoblox appliance gives me a RADIUS error response message. As I see in the ACS logs, the user authentication part is fine. So there must be something wrong with the info ACS responds with when the user connects.

    I have attached the VSA and a Wireshark *.pcap to see what is happening.

    Can you advise or suggest any option that can make this work?

    With respect,

    Richard Gosen

    Hi Richard,

    Please find attached the accountActions to remove it, and you can use your original accountActions to re-add the VSA.

    Hope that works.

  • Why is the ACS blocking my connection to the console?

    I have AAA on my switches and routers, but when my server goes down I can't get access to the console port.

    My config and the debug aaa authorization output are attached.

    These are the debugs for each access: Telnet with the TACACS user, console with the TACACS user, and a console test with the local user.

    Telnet access

    Oct 15 01:03:09: AAA: analyze name = tty2 BID type =-1 ATS = - 1

    Oct 15 01:03:09: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

    Oct 15 01:03:09: AAA/MEMORY: create_user (0x2778E84) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr'10.10.10.23 = 'authen_type = ASCII service = CONNECTION priv = 1 initial_task_id = ' 0', vrf = (id = 0)

    Oct 15 01:03:10: CDP-4-NATIVE_VLAN_MISMATCH %: incompatibility of VLAN native on GigabitEthernet0/37 (102), was discovered with tst1-s2 GigabitEthernet0/1 (1).

    Oct 15 01:03:11: AAA/MEMORY: free_user (0x28E1BFC) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ENABLE priv = 15 = ASCII service

    Oct 15 01:03:13: AAA/MEMORY: free_user (0x2778E84) user = ruser 'ACS-USER' = 'NULL' port = 'tty2' rem_addr = '10.10.10.23' authen_type = ASCII = priv = 1 CONNECTION service

    Console access (working with the ACS user)

    Oct 15 01:08:57: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:08:57: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:08:57: AAA/MEMORY: create_user (0x28AA8E4) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:09:11: AAA/MEMORY: free_user (0x27C0DC4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII service = ENABLE priv = 15

    Oct 15 01:09:18: AAA/MEMORY: free_user (0x28AA8E4) = user tweak "ACS-USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

    Console access (not working with the local user)

    Oct 15 01:05:24: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:05:24: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:05:24: AAA/MEMORY: create_user (0x27C1310) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:05:36: AAA/MEMORY: free_user_quiet (0x27C1310) = user tweak "LOCAL_USER" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

    Oct 15 01:05:36: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:05:36: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:05:36: AAA/MEMORY: create_user (0x28D201C) user = ruser 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:06:09: AAA/MEMORY: free_user_quiet (0x28D201C) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = 1 = 1 = 1 private service

    Oct 15 01:06:09: AAA: analyze name = tty0 BID type =-1 ATS = - 1

    Oct 15 01:06:09: AAA: name = tty0 flags = 0 x 11 type = 4 shelf = 0 = 0 = 0 = 0 = 0 channel port adapter slot

    Oct 15 01:06:09: AAA/MEMORY: create_user (0 x 2773004) = user tweak 'NULL' = 'NULL' ds0 = 0 port = "tty0" rem_addr = "async" authen_type = service ASCII = CONNECTION priv = 1 initial_task_id = '0', vrf = (id = 0)

    Oct 15 01:06:41: AAA/MEMORY: free_user (0 x 2773004) = user tweak "NULL" = "NULL" port = "tty0" rem_addr = "async" authen_type = ASCII = priv = 1 CONNECTION service

    Thanks for your help.

    Change your commands

    aaa authentication login default group tacacs+ enable

    aaa authentication enable default group tacacs+

    TO

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    Kind regards

    Prem

    Please rate if it helps!
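A configuration audit for the lockout Prem's answer fixes, added here as an example (not the poster's attachment or any Cisco tool): it parses IOS "aaa authentication" method lists from two constructed excerpts modelled on the before/after commands and flags lists that depend solely on the TACACS+ server, plus login lists whose only fallback is the enable password, since a local username is never consulted in that case.

```python
import re

# Constructed IOS excerpts modelled on the two command sets in the answer
# (not the poster's attached config).
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+
tacacs-server host 10.10.10.5
"""
CONFIG_AFTER = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
"""

# Methods IOS can satisfy with nothing but the device itself.
ON_BOX = {"local", "local-case", "enable", "line", "none"}
# Methods that consult the local username database (the poster's LOCAL_USER).
LOCAL_USERS = {"local", "local-case"}


def parse_method_list(line):
    """'aaa authentication login default group tacacs+ local'
    -> ('login', 'default', ['group tacacs+', 'local']), else None."""
    m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line.strip())
    if not m:
        return None
    kind, name, rest = m.groups()
    toks, methods = rest.split(), []
    i = 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])   # "group tacacs+", "group radius"
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return kind, name, methods


def audit(config):
    """Flag method lists that leave the device unreachable when every AAA
    server is down. Returns [(kind, list_name, issue)]."""
    findings = []
    for line in config.splitlines():
        parsed = parse_method_list(line)
        if parsed is None:
            continue
        kind, name, methods = parsed
        if not any(m.startswith("group ") for m in methods):
            continue            # no server involved, nothing to fall back from
        if not any(m in ON_BOX for m in methods):
            findings.append((kind, name, "no fallback after the server group"))
        elif kind == "login" and not any(m in LOCAL_USERS for m in methods):
            findings.append((kind, name,
                             "fallback is not local: local usernames are never consulted"))
    return findings
```

Note that IOS only moves to the next method when the server group is unreachable, not when it returns a reject, so the local fallback does not weaken the TACACS+ decision while the server is up.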

  • 3015 stops working with ACS when upgraded to 3.1

    Hello

    We've been using the 3015 with 3.5.2 for a few months.

    It has been using ACS 3.0 with RADIUS, set up exactly as described in "Using Cisco Secure ACS for Windows with the 3000 Concentrator VPN - IPSec".

    Now we have upgraded the ACS to 3.1 and it stops working.

    When we try to TEST the communication between the 3015 and ACS we get "Authentication rejected: group password is not configured", and if you look in the log you can see the following.

    09:01:43.990 02/28/2003 191, SEV = 8 AUTHDBG/58 RPT = 2

    AUTH_Callback (514afe4, 0, 0)

    192 09:01:43.990 02/28/2003 SEV = 6 RPT AUTH/4 = 2

    Successful authentication: manage 12, server = 192.168.244.48 =, user = borta

    193 09:01:43.990 02/28/2003 SEV = 3 RPT AUTH/5 = 10

    Authentication was rejected: reason = group of password is not configured

    manage 12, server = 192.168.244.48 =, user = borta, area =

    09:01:43.990 195 02/28/2003 SEV = 8 RPT AUTHDBG/2 = 2

    AUTH_Close (12)

    Any ideas?

    ACS 3.1 is slightly changed: it returns the Class attribute in its response packets when a user authenticates; this was done for session management purposes. Normally this has no effect on whatever you are authenticating, but the 3000 uses this Class attribute to force VPN users into a specific group. For example, you can force VPN users into specific groups on the 3000 by returning the Class attribute with a specific VPN3000 group name, so whatever group they have actually configured in the VPN client, they end up in this other group and inherit all the settings of that group.

    The error "group password is not configured" comes from the fact that ACS 3.1 returns a string in the format "dfhsdfjsdfshhhhghgkgekjfkjguwywe" (or something like that anyway :-)) in the Class attribute. The 3000 interprets this as you wanting to force this user into that group. Of course this group name does not exist on the 3000, and you get rejected.

    There are two ways around this:

    - Upgrade the concentrator to anything higher than what you're running. From v3.5.3 the 3000 ignores this format of the attribute and connections work fine even if ACS still sends the attribute.

    - Change the ACS user or group to actually return the Class attribute in the appropriate form:

    OU=groupname;

    where groupname is the name of the VPN3000 group you want this user to be placed in (it may or may not be the same as the one they set up in their client). Make sure that OU is in capital letters and do not forget the semicolon. The Class attribute is attribute 25 in RADIUS (IETF), so just check that and off you go; you may need to enable it under Interface Configuration - RADIUS (IETF) first if you don't see it under the ACS user/group.
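The Class attribute handling from this answer, as an added example that is not part of the original thread: it encodes and decodes the RADIUS attribute 25 value-pair, mimics the concentrator's reading of the Class value as described above (OU=<group>; selects the group, anything else is a non-existent group and a rejected login), and pre-checks the value typed into ACS for the two mistakes the answer warns about. The opaque session string is a constructed stand-in, not real ACS output.

```python
import struct

CLASS = 25       # IETF RADIUS attribute number for Class (the page's "attribute 25")
USER_NAME = 1    # IETF RADIUS attribute number for User-Name

# Constructed sample of the opaque session-management string ACS 3.1 is
# described as returning (illustrative value, not real ACS output).
OPAQUE = "dfhsdfjsdfshhhhghgkgekjfkjguwywe"


def encode_avp(attr_type, value):
    """RADIUS attribute-value pair: 1-byte type, 1-byte total length, value."""
    raw = value.encode("ascii")
    if not 1 <= len(raw) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("BB", attr_type, 2 + len(raw)) + raw


def decode_avps(data):
    """Walk a run of AVPs and return [(type, value bytes)], rejecting bad lengths."""
    avps, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        avps.append((t, data[i + 2:i + length]))
        i += length
    return avps


def vpn3000_group(avps):
    """Mimic the concentrator behaviour the answer describes: a Class of the
    form OU=<group>; selects that group; any other Class value is taken as a
    group name that does not exist, and the login is rejected with
    'group password is not configured'. Returns ('ok', group),
    ('reject', value) or None when no Class attribute is present."""
    for t, v in avps:
        if t != CLASS:
            continue
        s = v.decode("ascii", "replace")
        if s.startswith("OU=") and s.endswith(";") and len(s) > 4:
            return ("ok", s[3:-1])
        return ("reject", s)
    return None


def check_class_value(s):
    """Pre-flight for the value entered in the ACS user/group Class attribute;
    returns the problems the answer warns about (capital OU, trailing semicolon)."""
    problems = []
    if not s.startswith("OU="):
        problems.append("prefix must be OU= in capital letters")
    if not s.endswith(";"):
        problems.append("missing trailing semicolon")
    return problems
```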
