Issue with ACS 5.0 acting as RADIUS server for ASA?

Hello

I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0); the VPN user database is in AD. When I try to connect with the Cisco VPN client I am unable to do so. In fact, I get an error message (from debugging on the ASA for aaa and isakmp) that my RADIUS server is DOWN.

Please let me know if there is any compatibility issue with ACS 5.0, because everything was working fine with my ACS version 4.2.

Regards

Ritesh

Ritesh,

Yes, there is a defect in ACS 5.0 with VPN authentication.

When you try to connect with the VPN client, you will not see any hits in Monitoring and Reports.
In the ASDM logs you'll see that the RADIUS server is not accessible.
Debugs will show a RADIUS timeout.
This will work with TACACS+.

The access policy rule did not match. RADIUS could not be used either, as we hit CSCsy17858

http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; TACACS+ was used instead of RADIUS.

If you want to use RADIUS then you need to upgrade your ACS to version 5.1.

You can download patch 9 (5-0-0-21-9.tar.gpg) and the ADE-OS upgrade package (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the following path:

Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

HTH

Kind regards

JK

Rate useful posts.

Tags: Cisco Security

Similar Questions

  • ACS 5.3 cannot work with two service selection policy rules

    Hello, my name is Ivan.

    I have a question about the ACS v5.3 appliance.

    I have an ACS v5.3 to authenticate wireless users, as well as a Cisco WLC. One profile is for business users and the second profile is for guests.

    Business users must authenticate with Active Directory and guests with the WLC. Guest users authenticate with the local database of ACS.

    I have set up two service selection policy rules that match the RADIUS protocol. The first rule is for users in Active Directory and the second is for users in the local database of ACS.

    When I try to authenticate users with Active Directory it is OK, but when trying to authenticate users with the local database (guest portal), ACS tries to find the internal user in Active Directory, because they match the first rule, and the second profile cannot authenticate.

    When I change the order, first the rule for internal users and second the rule for users from Active Directory, internal users can authenticate in ACS, but Active Directory users cannot authenticate.

    I think that my ACS authenticates only the first RADIUS rule to Active Directory, not two RADIUS rules at the same time. Or maybe there is a problem in the OS of the ACS.

    Authentication separately is OK.

    Please could you help me to resolve this problem?

    I enclose my two rules.

    Regards

    Hello Ivan,

    To solve your problem, you must configure your ACS so that the first service selection policy (Active Directory) matches only corporate users and the other service selection policy (internal users) does not match them.

    The second service selection policy must be only for guest users.

    If you use Cisco WLCs, it will be easier for you.

    Why?

    Because you can use the 'End Station Filter' to match the SSID more easily.

    In the service selection policy, you build your rule to match the End Station Filter (add it via the Customize button).

    Now, you must create two End Station Filters: one matches the guest SSID and one matches the corporate SSID. (I will tell you how to create them later.)

    After you create the End Station Filters and match them in the service selection policy rules, you have one service selection policy that matches only the corporate SSID and another SSP that matches the guest SSID.

    Now you can select different identity sources for the two SSPs.

    Now for the End Station Filter:

    The End Station Filter is used (in our case) to distinguish the SSID.
    If I want to separate requests from different SSIDs, I use the End Station Filter to match which SSID is used.
    To create an End Station Filter for your SSID, follow the following image:

    At point number 4, write an asterisk (*) wildcard followed by your SSID (case-sensitive), without spaces. Be sure to avoid spaces before or after.

    (I assume you are using a Cisco WLC. If not, the idea cannot be applied the way I described above.)

    So far we're OK, except for one point. By default the guest SSID is not sent by the Cisco WLC to the RADIUS server when the client tries to connect to it, while the SSID of the 802.1X WLAN is.

    To tell the WLC to send the guest SSID, you must add this command to the WLC:

    config radius callStationIdType ap-macaddr-ssid

    I hope I described it correctly. Let me know if you got it or if you need more explanation.

    Greetings,

    Amjad

    Rating useful answers is more useful than saying "thank you".
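The first-match behaviour Ivan describes, and the fix Amjad suggests (an End Station Filter on the SSID carried in Called-Station-Id), can be modelled in a few lines. This is an added example, not code from the thread or from Cisco ACS; the rule names, identity-store names, SSIDs and AP MAC are constructed, and the `<ap-mac>:<ssid>` format assumed for Called-Station-Id is what a WLC sends once `config radius callStationIdType ap-macaddr-ssid` is set (without it only the MAC arrives, so an SSID filter can never match).

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional


@dataclass
class Request:
    protocol: str            # "RADIUS" or "TACACS+"
    called_station_id: str   # RADIUS attribute 30 as sent by the WLC


@dataclass
class Rule:
    name: str
    protocol: str
    identity_store: str
    # Wildcard pattern applied to Called-Station-Id; None = match any station.
    end_station_filter: Optional[str] = None


def ssid_from_called_station_id(value: str) -> Optional[str]:
    """With callStationIdType ap-macaddr-ssid the WLC sends '<ap-mac>:<ssid>'.
    With the default setting only the AP MAC arrives, so there is no SSID."""
    if ":" not in value:
        return None
    return value.split(":", 1)[1]


def rule_matches(rule: Rule, request: Request) -> bool:
    if rule.protocol != request.protocol:
        return False
    if rule.end_station_filter is None:
        return True
    # fnmatchcase: '*' wildcard and case-sensitive, like the ACS End Station Filter.
    # The filter is applied to the whole Called-Station-Id, hence the "*<SSID>" form.
    return fnmatchcase(request.called_station_id, rule.end_station_filter)


def select_identity_store(policy: List[Rule], request: Request) -> Optional[str]:
    """Service selection is first-match: the first rule that matches decides."""
    for rule in policy:
        if rule_matches(rule, request):
            return rule.identity_store
    return None   # no rule matched; ACS rejects the request


# Constructed policies (names are hypothetical).
# Ivan's original: both rules match any RADIUS request, so the first one always wins.
ORIGINAL_POLICY = [
    Rule("Corp-AD", "RADIUS", "AD1"),
    Rule("Guest-Internal", "RADIUS", "Internal Users"),
]
# Amjad's fix: each rule additionally requires an End Station Filter "*<SSID>".
FIXED_POLICY = [
    Rule("Corp-AD", "RADIUS", "AD1", end_station_filter="*CorpWiFi"),
    Rule("Guest-Internal", "RADIUS", "Internal Users", end_station_filter="*GuestWiFi"),
]

if __name__ == "__main__":
    guest = Request("RADIUS", "00-1a-2b-3c-4d-5e:GuestWiFi")
    print("original policy, guest SSID ->", select_identity_store(ORIGINAL_POLICY, guest))
    print("fixed policy, guest SSID    ->", select_identity_store(FIXED_POLICY, guest))
    print("fixed policy, no SSID sent  ->",
          select_identity_store(FIXED_POLICY, Request("RADIUS", "00-1a-2b-3c-4d-5e")))
```

Running the script shows why ordering alone cannot fix Ivan's setup: with the original policy a guest request is routed to AD1 regardless of order, while with the filters each SSID lands in its own identity store, and a request that carries no SSID (the WLC default for the guest WLAN) matches nothing at all.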

  • HP DV7-3063cl laptop PC: what is the maximum temperature for safe operation of the DV7 3063cl with the 640M CPU upgrade?

    I have recently restored an HP DV7 3063cl laptop that died from a hot motherboard (MB). I replaced the MB with a new HP board when the price had been reduced to $100, upgraded the CPU with an AMD 640M advertised as new, and applied Arctic Silver on the CPU and graphics chips. I put in 4 GB of memory, got the computer to work and installed Windows 10.

    The computer seems to run very hot and stopped twice from overheating during its first 2 weeks, when there was not a lot of computing going on, the fan ran at top speed at all times, and the laptop was raised to allow good airflow below.

    According to the Open Hardware Monitor program, the CPU had reached 97-99 C a few times. I bought a cooling stand and that seems to help a lot, dropping the temperature to 20 °C.

    What is the maximum temperature for safe operation of the DV7 with the 640M CPU upgrade?

    Anything more than 90 C is too hot. Can you specify the processor and the motherboard you have installed?

    Also, this is from the manual:

    Thermal paste is used on the CPU (1) and the heat sink section (2) that services it. Thermal pads are used on the Northbridge chip (3 and 4), the graphics subsystem chip (5) and the Northbridge/graphics heatsink contact (6). Replacement thermal material is included with all processor, heatsink and system board spare-part kits.

    So unless you have changed the cooling system to use thermal compound on the graphics chip, you should have used a thermal pad. Without the pad, it may leave a small gap and destroy the cooling properties. You can use a copper shim or some other piece of metal to fill the void, but if you just put the heat sink down on the video chip you won't get optimal cooling even with thermal paste.

  • ACS 4.2 and 802.1X authentication with certificate

    Hi all

    I have generated a new certificate and installed it on my ACS 4.2; it is only the auto-generated certificate. Now the end user cannot authenticate automatically.

    If I manually install this certificate on the end user's computer, then the end user is able to authenticate.

    Is it possible to authenticate the end user automatically?

    Oh, I'm sorry...

    Here are the comments:

    1.] You must uncheck "Validate server certificate" on the client side; this way you don't need to install the certificate on the end users' computers.

    2.] Uncheck the option 'Automatically use my Windows user name and password and domain'; with this, the user's Windows credentials will be saved and the client will be connected whenever you log on to the Windows machine.

    HTH

    Rgds, jousset

    Rate useful posts ~

  • The operation for entity 'DeployTemplate' failed with the following message: "Cannot complete the customization."

    I am running my VMmark with vCSA 6.0 Update 2. Most of the answers I found to this problem are for the Windows version of vCenter. It looks like it finds the deploy.cab file, but for some reason fails to complete customization. Any help would be appreciated.

    I have attached my results file.

    Please try to see if you can manually deploy your template. Here are the steps:

    1. In the vSphere Web Client, right-click on your deployment template.
    2. Select "New Virtual Machine from This Template".
    3. In the name box, enter "DeployVM0".
    4. Select the correct DC location, and then click Next.
    5. Select your cluster, and then click Next.
    6. Select your LUNs and click Next.
    7. Check the box "Power on virtual machine after creation" so that it is enabled.
    8. Check the box "Customize the operating system", and then click Next.
    9. Select the "StandbyCust" specification, and then click Next.
    10. Click Finish.

    Watch the deployment and customization in the vSphere Web Client. You should be able to see the virtual machine power on and customize from the console without logging in. Wait about 5 minutes to see if all the cloning and OS specification processing completed. Then, without logging in to the newly created DeployVM, from the prime client, at a command prompt, type the following:

    STAF DeployVM0 PING PING

    The correct answer is PONG.

  • Issue at breakpoint in responsive layout in Muse with reCAPTCHA

    Hello

    I am creating a new responsive site with Muse 2015.2.1.21.

    When I insert a contact form with reCAPTCHA, the image disappears at small breakpoints; in the larger version it works very well.

    If I click on the reCAPTCHA refresh button, the new image works fine.

    How can I solve this problem?

    Thank you

    Hello

    Thanks for providing the files and the URL for testing. We are able to reproduce this problem at our end and have logged a bug with the Muse developers. I'm sure that this will be corrected in the next version of Adobe Muse.

    Kind regards

    Vivek

  • [WRVS4400N] RADIUS with VPN?

    Hello

    I have an Active Directory with a RADIUS server and I intend to buy a wireless router with VPN functionality.

    I took a glance at the WRVS4400N documentation and I saw the use of RADIUS with 802.1X and wireless, but nothing about its use with VPN...

    Is it therefore possible to use RADIUS for authentication on the VPN?

    Thank you

    Hi Mathieu, and welcome to the Cisco community home page!

    The WRVS4400N is managed by the Cisco Small Business Support Community.

    For discussions about this product, go here.

  • AAA with RADIUS on ASA

    Hey everybody,

    I'm configuring RADIUS AAA on our remote ASA firewalls. It's pretty simple, but I have some firewalls it does not work on. I upgraded the image on the ASA 5510s to asa804-k8.bin on each of them. The weird part is some of them work and some of them do not.

    I was wondering if anyone else has encountered this before and what information you need from me to help.

    Thanks in advance,

    Kimberly

    Hi Kimberly,

    Just curious: why 8.0.4 and not 8.0.5?

    What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS servers? Did you use the right shared secret?

    Is there something different between the ASAs that work and those that don't? Configuration, location in the network, etc.?

    If the above does not help, please post the config of a failing ASA (or at least the relevant items, and be sure to remove all sensitive data) and the output of:

    debug radius

    debug aaa authentication

    debug aaa common 254

    You can test only the RADIUS part with the command "test aaa-server authentication cli..."

    HTH

    Herbert

  • Strange question about joining ACS 5.4 to AD

    Hello

    We have two ACS boxes with the same software version (5.4.0.46.0a). We have been able to join the domain with only one ACS; the other ACS gives the attached error.

    When we ran "main-acs-01 / admin # acs troubleshooting adcheck", it gave the same error for both boxes; however one ACS successfully joined the domain and the other failed.

    principal-acs-01 / admin # acs troubleshooting adcheck

    This command is only for advanced troubleshooting and could suffer a lot of network traffic

    Do you want to continue?  (yes/no) Yes

    OSCHK: Check that it is operating system: pass

    PATCH: Patch Linux check: pass

    PERL: Check that perl is present and is a good version: pass

    SAMBA: Inspection of the installation of Samba: pass

    SPACECHK: Check if there is enough space in/var/usr/tmp: pass

    HOSTNAME: Check the hostname parameter: pass

    NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass

    DNSPROBE: Probe Server DNS 172.24.1.1: pass

    DNSPROBE: Probe Server DNS 172.24.1.2: pass

    DNSCHECK: Analyze the health of DNS servers database: pass

    WHATSSH: Is it a SSH DirectControl works perfectly with: pass

    SSH: SSHD version and configuration: Note

    : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

    DOMNAME: Check that the domain name is reasonable: pass

    ADDC: Search for domain controllers in the DNS: pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of xxxx.hmc.org.qa.

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    ADPORT: Scan of Port DC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Warning

    : One or several ports did not respond correctly. Either:

    (: a) the domain controller is offline

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : ldap 389/udp - timeout

    : 445/tcp smb - denied

    : ldap 389/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    ADPORT: Scan of Port DC xxxx.                            : Pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    ADPORT: Scan of Port DC xxxx.                     : Pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of airportdc1. .

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    GCPORT: Port scan of GC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx. : WARNING

    : One or several ports did not respond correctly. Either:

    (: a) the GC is offline now

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : gc 3268/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    GCPORT: Scan of Port GC xxxx : pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    GCPORT: Port scan of GC xxxx.                     : Pass

    ADGC: Check Global catalog servers: spend

    DCUP: Search for operational controllers : pass

    SITEUP: Check DCs for in our site: go

    DNSSYM: Check the symmetry of DNS server: pass

    ADSITE: Verify that the subnet of this machine is in a site known as AD: pass

    GSITE: See if we think it is the correct site: pass

    TIME: Synchronization of clocks Check: pass

    2 serious issues have been encountered during the audit. These must be fixed before proceeding

    2 warnings were encountered during the audit. We recommend that you check these before proceeding

    principal-acs-01 / admin #.

    Has anyone faced this problem before? I would be grateful if someone can tell how to solve it.

    It is a known issue with ACS 5.3. However, we had this problem in ACS 5.3 patch 7 and ACS 5.4.

    Since you're on ACS 5.4, it should not trigger.

    CSCtx53223    After upgrade to ACS 5.3, ACS fails to join AD domain - missing Centrify license

    Symptom:

    After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. The AD connection worked for several days, until the services were restarted. After this, ACS is unable to join AD, with the following error message in ACSADAgent.log:

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin Join to area is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify following http://www.centrify.com/express

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin without a permit, you can connect to a domain via Auto Zone by specifying Bordes w Test.Test

    Conditions:

    Upgrade from 5.2 to 5.3. Restart the services thereafter.

    Workaround:

    Back up the ACS DB and reimage the box to 5.3.

    How to upgrade to ACS 5.4:

    1.] Upgrade from 5.3 to 5.4 using the upgrade package.

    2.] Reimage with the ACS 5.4 ISO and restore the ACS 5.3 database.

    I suggest you pursue this with TAC. [Most likely you must reimage the server and restore the database if you went with option 1.]

    ~ BR
    Jatin Kone

    * Please rate useful posts *

  • ACS 4.2 RADIUS authentication and RADIUS accounting

    Is it possible to configure ACS 4.2 to authenticate users of a wireless network (with autonomous APs) through RADIUS while I use the same ACS to provide command accounting for the access points via TACACS+? This issue came up because when I configure the APs as 'AAA Clients' under 'Network Configuration' of the ACS server (necessary config for AP and end-user authentication), the authentication method used is RADIUS (Cisco Aironet) and it prevents the generation of TACACS+ command accounting reports under "Reports and Activity > TACACS+ Administration".

    Any idea on how to solve this problem?

    Thank you

    Antonio

    Hello

    You need to add a different hostname for the AP, i.e. add the AP twice under different names, where you can use the same IP but use RADIUS for one and TACACS+ for the other.

    Thank you

    Tarik Admani
    * Please rate useful posts *

  • Operator messages issue on XT1033

    Now, this is a major issue. Operator messages telling me about my data usage get repeated several times over a period of a few seconds. And when I leave my phone aside and come back, I see more than 100 of the same messages. Usually when I move from 2G to WiFi I would get 1 message and it's always the same. However, after a while, they start to repeat over and over again and I have to use the phone on data rather than WiFi because I'm completely paralyzed. They keep popping up continually and hinder everything. A restart temporarily solves the problem.

    I talked to the local officials about it, and they suggested that I should wipe the cache partition. I did, but there is no improvement. I am desperately looking for a solution. Please help me as soon as POSSIBLE.

    If the above is ambiguous, please forgive me. I have attached a screenshot for better understanding. Thanks in advance.

    Then try switching off your mobile data when you turn on WiFi... try it once... may help...
    
  • Is there a problem with accounting and ACS 4.1?

    Good day to all,

    I just installed a new server with ACS 4.1.

    Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.

    At this point, the only problem I have with ACS 4.1 is with accounting.

    For example:

    I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router it's logged on ACS 3.1.

    Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I did a capture between the test router and ACS 4.1 and the test router does send accounting records to ACS 4.1.

    There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS is as similar as possible.

    Is there anyone out there who could get ACS 4.1 to process accounting properly?

    Any idea will help.

    Thank you

    Frank

    Here is my config:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login NO-AUTH none
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    !
    tacacs-server host 192.168.100.16 key *

    (the above command is the only command I change to point to ACS 3.1 or ACS 4.1)

    tacacs-server directed-request

    Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for the bug.

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Don't forget to download the readme text also.

    Rate me if it helps.

  • AAA TACACS+ accounting - CLI commands issued by user do not appear in the ACS report.

    Can I know why CLI commands issued by the user do not show in the ACS TACACS+ accounting report? The session length is displayed, but I also want to log the commands issued by the user.

    What is missing here?

    aaa authentication login VTY group P1_ACS local enable
    aaa authorization exec default group P1_ACS local if-authenticated
    aaa authorization exec CONSOLE none
    aaa accounting exec default start-stop group P1_ACS
    aaa accounting commands 5 default start-stop group P1_ACS
    ! the accounting keyword on the next line is garbled in the original post; stop-only is an assumption
    aaa accounting commands 15 default stop-only group P1_ACS

    Command accounting logs are stored in the TACACS+ Administration reports.

    There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    Patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Patch name: ACS 4.1.1.23.5 rollup

    CCIE Security

  • ACS 5.1 and Cisco ACE module

    Hello

    I would like to configure TACACS+ AAA for the Cisco Catalyst 6500 Application Control Engine module. In the ACE configuration guide it is advised that you need to configure additional parameters to be returned by the RADIUS server (shell:= ...) for authorization of the Cisco ACE virtual context. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing the ACE + ACS 5.1 TACACS+ configuration?

    Thank you

    WM

    Here is the doc.

    Post edited by: jkatyal

  • Administrator rights to the ACS using Active Directory groups

    Good afternoon

    We need to be able to use administrative accounts for our ACS device that reside in an Active Directory group, if possible. If this is not possible, what other more secure options would we be able to use (RADIUS authentication or RSA 2-factor authentication)?

    Thanks in advance

    You can only use the locally stored accounts within the ACS.
