Interoperability issue of ACS 5.0 as RADIUS server with ASA?
Hello
I'm trying to get my VPN users authenticated with RADIUS (ACS 5.0); the VPN user database is in AD. When I try to connect through the Cisco VPN client I am unable to do so. In fact, I get an error message (from debugging aaa and isakmp on the ASA) that my RADIUS server is DOWN.
Please let me know whether there is a compatibility issue with ACS 5.0, because everything was working fine on my ACS version 4.2.
Regards
Ritesh
Ritesh,
Yes, there is a bug with ACS 5.0 and VPN authentication.
When you try to connect with the VPN client you will not see any hits in Monitoring and Reports.
In the ASDM logs you'll see that the RADIUS server is not reachable.
Debugs show a RADIUS timeout.
This works with TACACS+.
The access policy rule does not match; RADIUS could not be used either, as it hits CSCsy17858
http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858 ; TACACS+ was used instead of RADIUS.
If you want to use RADIUS then you need to upgrade your ACS version to 5.1.
You can download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the path below:
Go to Cisco.com > Support > Download Software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >
Reference: upgrading ACS from version 5.0 to 5.1:
http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html
HTH
Kind regards
JK
Rate useful posts -
Similar Questions
-
ACS 5.3 cannot work with two service selection policy rules
Hello my name is Ivan
I have a question about ACS v5.3 appliance.
I have an ACS v5.3 to authenticate wireless users, together with a Cisco WLC. One profile is for corporate users and the second profile is for guests.
Corporate users must authenticate against Active Directory and guests against the WLC; guest users authenticate with the local database of the ACS.
I have set up two service selection policy rules that match the RADIUS protocol. The first rule is for Active Directory users and the second is for users in the local ACS database.
When I try to authenticate users against Active Directory it is OK, but when trying to authenticate users with the local database (guest portal) the ACS tries to find the internal user in Active Directory, because the first rule matches and the second profile cannot authenticate.
When I change the order, first the internal users rule and second the Active Directory users rule, internal users can authenticate in ACS, but Active Directory users cannot.
I think my ACS only authenticates the first RADIUS rule against Active Directory, not two RADIUS rules at the same time. Or maybe there is a problem in the OS of the ACS.
Authentication separately is OK.
Could you please help me resolve this problem?
I enclose my two rules.
Regards
Hello Ivan,
To solve your problem you must configure your ACS so that the first service selection policy (Active Directory) matches only corporate users and the other service selection policy (internal users) does not match them.
The second service selection policy must match guest users only.
If you use Cisco WLCs, it will be easier for you.
Why?
Because you can use the 'End Station Filter' to match the SSID more easily.
In the service selection policy, you build your match on the End Station Filter (add it via the Customize button).
Now you must create two end station filters: one matches the guest SSID and one matches the corporate SSID (I will tell you how to create them later).
After you create the end station filters and match them in the service selection policy with the End Station Filter condition, you have one service selection policy that matches only the corporate SSID and another SSP that matches the guest SSID.
Now you can select different identity sources for the two SSPs.
Now for the end station filter:
The end station filter is used (in our case) to distinguish the SSID.
If I want to separate requests from different SSIDs, I use the end station filter to match which SSID is used.
To create an end station filter for your SSID, follow the image: at point number 4, write an asterisk (*) before your SSID (case-sensitive), without spaces. Be sure to avoid spaces before or after.
(I assume you are using a Cisco WLC. If not, the idea cannot be applied the way I described above.)
So far we're OK, except for one point. By default the guest SSID is not sent by the Cisco WLC to the RADIUS server when the client tries to connect to it, while the SSID of 802.1X is.
To tell the WLC to send the guest SSID, you must add this command on the WLC:
config radius callStationIdType ap-macaddr-ssid
I hope I described it correctly. Let me know if you got it or if you need more explanation.
Greetings,
Amjad
Rating useful answers is more useful than saying "thank you".
-
I have recently restored an HP DV7 3063cl laptop whose motherboard (MB) died from heat. I replaced the MB with a new HP board when the price dropped to $100, upgraded the CPU with an AMD 640M advertised as new, and applied Arctic Silver on the CPU and graphics chips. I put in 4 GB of new memory, got the computer working and installed Windows 10.
The computer seems to run very hot and shut down twice from overheating during its first 2 weeks, even when there was not a lot of computing going on, the fan was running at top speed at all times, and the laptop was raised to allow good airflow underneath.
According to the Open Hardware Monitor program, the CPU had reached 97-99 C a few times. I bought a cooling stand and that seems to help a lot, dropping the temperature to 20 °C.
What is the maximum temperature for safe operation of the DV7 with the 640M CPU upgrade?
Anything more than 90 C is too hot. Can you specify the processor and the motherboard you have installed?
Also, from the Manual:
Thermal paste is used on the CPU (1) and the heat sink section (2) that services it. Thermal pads are used on the Northbridge chip (3) and (4), the graphics subsystem chip (5) and the Northbridge/graphics heatsink contact (6). Replacement thermal material is included with all processor, heatsink and system board spare part kits.
So unless you have changed the cooling system to use thermal compound on the graphics chip, you should have used a thermal pad. Without the pad, it may leave just a small gap and destroy the cooling properties. You can use a copper shim or another piece of metal to fill the void, but if you just put the heat sink down on the video chip you won't get optimal cooling even with thermal paste.
-
ACS 4.2 and 802.1X certificate authentication
Hi all
I have generated a new certificate and installed it on my ACS 4.2; it is only an auto-generated certificate. Now the end user cannot authenticate automatically.
If I manually install this certificate on the end user's computer, then the end user is able to authenticate.
Is it possible to authenticate the end user automatically?
Oh, I'm sorry...
Here are the comments:
1. You must uncheck "Validate server certificate" on the client side; this way you don't need to install the certificate on the end users' computers.
2. Uncheck the option 'Automatically use my Windows logon name and password (and domain if any)'; by this, the users' Windows credentials will be saved and the client will connect whenever you log on to the Windows machine.
HTH
Rgds, jousset
Rate useful posts ~
-
I am running VMmark with vCSA 6.0 Update 2. Most of the answers I found to this problem are for the Windows version of vCenter. It looks like it finds the deploy.cab file, but for some reason it fails to complete customization. Any help would be appreciated.
I have attached my results file.
Please try to see if you can manually deploy your template. Here are the steps:
- In the vSphere Web Client, right-click on your deployment template.
- Select "New VM from This Template".
- In the name box, enter "DeployVM0".
- Select the correct location in the DC, and then click Next.
- Select your cluster, and then click Next.
- Select your LUN and click Next.
- Click the "Power on virtual machine after creation" box so that it is enabled.
- Check the "Customize the operating system" box, and then click Next.
- Select the "StandbyCust" specification, and then click Next.
- Click Finish.
Watch the deployment and customization in the vSphere Web Client. You should be able to see the virtual machine power on and customize from the console without logging in. Wait about 5 minutes to see if the whole cloning and OS specification process completes. Then, without logging in to the newly created DeployVM, from the prime client, at a command prompt, type the following:
STAF DeployVM0 PING PING
The correct answer is PONG.
-
Breakpoint issue in Muse responsive layout with reCAPTCHA
Hello
I created a new responsive site with Muse 2015.2.1.21.
When I insert a contact form with reCAPTCHA, the image disappears at the small breakpoints; in the larger version it works very well.
If I click the reCAPTCHA refresh button, the new image works fine.
How can I solve this problem?
Thank you
Hello
Thanks for providing the files and the URL for testing. We are able to reproduce this problem at our end and have logged a bug with the Muse developers. I'm sure this will be corrected in the next version of Adobe Muse.
Kind regards
Vivek
-
[WRVS4400N] RADIUS with VPN?
Hello
I have an Active Directory with a RADIUS server and I intend to buy a wireless router with VPN functionality.
I took a glance at the WRVS4400N documentation and I saw the use of RADIUS with 802.1X and wireless, but nothing about its use with VPN...
Is it therefore possible to use RADIUS for authentication on the VPN?
Thank you
Hi Mathieu, and welcome to the Cisco Support Community home page!
The WRVS4400N is managed by the Cisco Small Business Support Community.
For discussions about this product, go here.
-
Hey everybody,
I'm working on RADIUS AAA configuration on our remote ASA firewalls. It's pretty simple, but I have some firewalls that it does not work on. I upgraded the image on the ASA 5510s to asa804-k8.bin on each of them. The weird part is some of them work and some of them do not.
I was wondering if anyone else has encountered this before and what information you need from me to give me a reference to help.
Thanks in advance,
Kimberly
Hi Kimberly,
Just curious: why 8.0.4 and not 8.0.5?
What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS server? Did you use the right shared secret?
Is there anything different between the ASAs that work and those that don't? Configuration, location in the network, etc.?
If the above does not help, please post the config of a failing ASA (or at least the relevant items, and be sure to remove all sensitive data) and the output of:
debug radius
debug aaa authentication
debug aaa common 254
You can test only the RADIUS part with the command "test aaa-server authentication ..."
HTH
Herbert
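Added example, not from Herbert's reply, from the poster, or from any Cisco code: a minimal RFC 2865 Access-Request/Access-Accept exchange in Python between a toy NAS and a toy RADIUS server, with the User-Password hiding and the Response Authenticator implemented from the RFC. The shared secrets, user name and password are constructed placeholders. It shows the check behind Herbert's shared-secret question, and the "RADIUS server DOWN" symptom from the first thread on this page: with mismatched secrets the server still answers, but the NAS cannot verify the Response Authenticator, discards the reply as if none had arrived, and after its retries marks the server as failed.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed user store standing in for the identity store behind the RADIUS server.
USERS = {b"vpnuser": b"Secret-pw-1"}


def _attribute(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """User-Password hiding (RFC 2865 5.2): pad to 16-byte blocks, XOR each block with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; only works with the same shared secret the NAS used."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier):
    request_auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = _attribute(ATTR_USER_NAME, username) + _attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(packet, server_secret):
    """Toy server: unhide the password with *its* secret, decide, then sign the reply."""
    _, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, request_auth)
    verdict = ACCESS_ACCEPT if USERS.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, identifier, 20)  # no reply attributes in this toy
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + server_secret).digest()
    return header + response_auth


def verify_response(response, request_auth, client_secret):
    """NAS side: recompute the Response Authenticator with the NAS's own secret."""
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + client_secret).digest()
    return response[4:20] == expected, code


def authenticate(client_secret, server_secret, username, password):
    """'accept', 'reject', or 'authenticator mismatch' (the reply a NAS silently drops)."""
    request, request_auth = build_access_request(username, password, client_secret, identifier=7)
    response = server_respond(request, server_secret)
    ok, code = verify_response(response, request_auth, client_secret)
    if not ok:
        return "authenticator mismatch"
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print(authenticate(b"s3cret", b"s3cret", b"vpnuser", b"Secret-pw-1"))
    print(authenticate(b"s3cret", b"s3cret", b"vpnuser", b"wrong"))
    print(authenticate(b"s3cret", b"typo", b"vpnuser", b"Secret-pw-1"))
```

The third call is the case Herbert is probing for: the wire trace shows a reply leaving the server, `debug radius` on the NAS shows the packet arriving, yet the NAS reports a timeout, because a reply whose authenticator does not verify is treated exactly like a lost one. A wrong password, by contrast, produces a verifiable Access-Reject and a visible failed-authentication hit on the server.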
-
Strange issue joining ACS 5.4 to AD
Hello
We have two ACS boxes with the same software version (5.4.0.46.0a). We have been able to join the domain with only one ACS; the other ACS gives the attached error.
When we ran "main-acs-01/admin# acs troubleshooting adcheck", it gave the same errors on both boxes; however one ACS joined the domain successfully and the other failed.
principal-acs-01/admin# acs troubleshooting adcheck
This command is only for advanced troubleshooting and could cause a lot of network traffic
Do you want to continue? (yes/no) yes
OSCHK: Check the operating system: pass
PATCH: Linux patch check: pass
PERL: Check that perl is present and is a good version: pass
SAMBA: Inspection of the Samba installation: pass
SPACECHK: Check if there is enough space in /var /usr /tmp: pass
HOSTNAME: Check the hostname setting: pass
NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass
DNSPROBE: Probe DNS server 172.24.1.1: pass
DNSPROBE: Probe DNS server 172.24.1.2: pass
DNSCHECK: Analyze the health of DNS servers: pass
WHATSSH: Is it an SSH that DirectControl works well with: pass
SSH: SSHD version and configuration: note
  : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.
DOMNAME: Check that the domain name is reasonable: pass
ADDC: Search for domain controllers in DNS: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: failed
  : Could not resolve the IP address of xxxx.hmc.org.qa.
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: warning
  : One or several ports did not respond correctly. Either:
  : a) the domain controller is offline
  : b) a firewall prevents access to a port
  : The following is a list of the ports that failed:
  :   ldap 389/udp - timeout
  :   smb 445/tcp - denied
  :   ldap 389/tcp - denied
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
ADPORT: Port scan of DC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: failed
  : Could not resolve the IP address of airportdc1.
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: warning
  : One or several ports did not respond correctly. Either:
  : a) the GC is offline now
  : b) a firewall prevents access to a port
  : The following is a list of the ports that failed:
  :   gc 3268/tcp - denied
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADDNS: DNS lookup of DC xxxx: pass
GCPORT: Port scan of GC xxxx: pass
ADGC: Check Global Catalog servers: pass
DCUP: Search for operational domain controllers: pass
SITEUP: Check DCs in our site: pass
DNSSYM: Check the symmetry of DNS servers: pass
ADSITE: Verify that the subnet of this machine is in a known AD site: pass
GSITE: See if we think it is the correct site: pass
TIME: Check clock synchronization: pass
2 serious issues were encountered during the check. These must be fixed before proceeding
2 warnings were encountered during the check. We recommend that you check these before proceeding
principal-acs-01/admin#
Has anyone faced this problem before? I'd be grateful if someone can tell me how to solve it.
It is a known issue with ACS 5.3; however, we had this problem in ACS 5.3 patch 7 and ACS 5.4 as well.
Since you're on ACS 5.4, it should not trigger.
CSCtx53223 After upgrade to 5.3, ACS fails to join the AD domain - missing Centrify license
Symptom:
After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. The AD connection worked for several days, until the services were restarted. After this, ACS is unable to join AD, with the following error message in ACSADAgent.log:
Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin Join to area is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify following http://www.centrify.com/express
Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin without a permit, you can connect to a domain via Auto Zone by specifying Bordes w Test.Test
Conditions:
Upgrade from 5.2 to 5.3. Restart the services afterwards.
Workaround:
Back up the ACS DB and reimage the box to 5.3
How to upgrade to ACS 5.4:
1. Upgrade from 5.3 to 5.4 using the upgrade package.
2. Reimage with the ACS 5.4 ISO and restore the ACS 5.3 database.
I suggest you pursue this with TAC. [Most likely you must reimage the server and restore the database if you went with option 1.]
~ BR
Jatin Katyal * Do rate useful posts *
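Added here as an illustration, not part of this thread and not code from the adcheck tool or from Cisco: a Python parser for "acs troubleshooting adcheck" output in the layout posted above, run on a constructed sample with placeholder DC names (192.0.2.53 and the .invalid hostnames are made up). It separates the serious failures (DC names that do not resolve) from the warnings (ports that answered "denied" versus "timeout"), which is what the two counters at the end of the real output refer to. The remediation hints are my reading of those two port results, not text from adcheck.

```python
import re

# Constructed sample in the adcheck layout; hostnames and the DNS server IP are placeholders.
SAMPLE = """\
DNSPROBE:  Probe DNS server 192.0.2.53                        : pass
ADDNS:     Look up DNS for DC dc1.example.invalid             : pass
ADPORT:    Port scan of DC dc1.example.invalid                : warning
        :  One or more ports did not respond correctly.  Either:
        :  a)  the domain controller is offline
        :  b)  a firewall is preventing access to a port
        :  The following is a list of the ports that failed:
        :     ldap 389/udp - timeout
        :     smb 445/tcp - denied
        :     ldap 389/tcp - denied
ADDNS:     Look up DNS for DC dc2.example.invalid             : failed
        :  Could not resolve the IP address of dc2.example.invalid
GCPORT:    Port scan of GC gc1.example.invalid                : warning
        :  The following is a list of the ports that failed:
        :     gc 3268/tcp - denied
TIME:      Check clock synchronization                        : pass
"""

HEADER = re.compile(r"^([A-Z]+):\s+(.*?)\s*:\s*(pass|warning|failed|note)\s*$", re.I)
PORT = re.compile(r"^\s*:\s+(\w+)\s+(\d+)/(tcp|udp)\s+-\s+(\w+)\s*$")
UNRESOLVED = re.compile(r"^\s*:\s+Could not resolve the IP address of (\S+)")
TARGETED = {"ADDNS", "ADPORT", "GCPORT", "DNSPROBE"}  # checks whose description ends in a host

# Hints for the two port results adcheck reports (my interpretation, not adcheck's own text).
HINT = {
    "denied": "connection actively refused: an ACL on the path or on the DC answers the probe; open the port",
    "timeout": "no answer at all: the probe is dropped in transit; check the stateful firewall between ACS and DC",
}


def parse_adcheck(text):
    """One dict per check line; continuation lines (': ...') are folded into the preceding check."""
    checks, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, desc, status = m.group(1), m.group(2), m.group(3).lower()
            current = {"check": name, "status": status, "failed_ports": [], "unresolved": None,
                       "target": desc.split()[-1] if name in TARGETED else None}
            checks.append(current)
            continue
        if current is None:
            continue
        p = PORT.match(line)
        if p:
            current["failed_ports"].append((p.group(1), int(p.group(2)), p.group(3), p.group(4)))
        u = UNRESOLVED.match(line)
        if u:
            current["unresolved"] = u.group(1)
    return checks


def summarize(checks):
    """Counters matching adcheck's closing lines, plus the concrete items behind them."""
    out = {"serious": 0, "warnings": 0, "failed_ports": {}, "unresolved": []}
    for c in checks:
        if c["status"] == "failed":
            out["serious"] += 1
        elif c["status"] == "warning":
            out["warnings"] += 1
        if c["failed_ports"]:
            out["failed_ports"][c["target"]] = c["failed_ports"]
        if c["unresolved"]:
            out["unresolved"].append(c["unresolved"])
    return out


def remedies(summary):
    """Rows of (target, 'service port/proto', result, hint) for a ticket or TAC case."""
    rows = []
    for target, ports in summary["failed_ports"].items():
        for service, port, proto, result in ports:
            rows.append((target, f"{service} {port}/{proto}", result, HINT.get(result, "unknown result")))
    return rows


if __name__ == "__main__":
    summary = summarize(parse_adcheck(SAMPLE))
    print(summary["serious"], "serious,", summary["warnings"], "warnings")
    for name in summary["unresolved"]:
        print("unresolvable DC name:", name)
    for row in remedies(summary):
        print(*row, sep=" | ")
```

Note what the parser makes visible in the posted output: the two "serious" items are both DNS (two DC names in the domain's SRV records that the ACS cannot resolve), while the port warnings are split between "denied" on the LDAP/SMB/GC TCP ports and "timeout" on 389/udp. Those are different problems with different owners, which is why one box can join while the other, behind a different path, does not.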
-
ACS 4.2 RADIUS authentication and TACACS+ accounting
Is it possible to configure ACS 4.2 to authenticate users of a wireless network (with autonomous APs) through RADIUS while I use the same ACS to provide command accounting for the access points via TACACS+? This issue came up because when I configure the APs as 'AAA Clients' under 'Network Configuration' of the ACS server (necessary config for AP and end user authentication), the authentication method used is RADIUS (Cisco Aironet) and it prevents the generation of TACACS+ command accounting reports under "Reports and Activity > TACACS+ Administration".
Any idea on how to solve this problem?
Thank you
Antonio
Hello
You need to add the AP with a different hostname, i.e. two entries where you can use the same IP but use RADIUS for one and TACACS+ for the other.
Thank you
Tarik Admani
* Please rate useful posts *
-
Operator messages issue on XT1033
Now, this is a major issue. Operator messages telling me about my data usage are repeated several times over a period of a few seconds. And when I leave my phone aside and come back, I see more than 100 of the same message. Usually when I move from 2G to WiFi I get 1 message and it's always the same. However, after a while they start to repeat over and over again and I have to use the phone on data rather than WiFi because I'm completely paralyzed. They keep popping up continually and hinder everything. A restart temporarily solves the problem.
I talked to the local service people about it, and they suggested I should wipe the cache partition. I did, but there is no improvement. I am desperately looking for a solution. Please help me as soon as POSSIBLE.
If the above is ambiguous, please forgive me. I have attached a screenshot for better understanding. Thanks in advance.
Then try switching off your mobile data when you turn on WiFi... try it once... May help...
-
Is there a problem with accounting and ACS 4.1?
Good day to all,
I just installed a new server with ACS 4.1.
Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.
At this point, the only problem I have with ACS 4.1 is with accounting.
For example:
I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router it is logged on ACS 3.1.
Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 authenticates the test router correctly, but won't log any command that I enter on the test router. I did a capture between the test router and ACS 4.1 and the test router does send the accounting records to ACS 4.1.
There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS is as similar as possible.
Is there anyone out there who could get ACS 4.1 to process accounting properly?
Any idea will help.
Thank you
Frank
Here is my config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO-AUTH none
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host 192.168.100.16 key *
(the above command is the only command I change to point to ACS 3.1 or ACS 4.1)
tacacs-server directed-request
Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for this bug.
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Don't forget to download the readme text as well.
Rate me if it helps.
-
AAA TACACS+ accounting - CLI commands issued by the user do not appear in the ACS report
Can I know why the CLI commands issued by the user do not show in the ACS TACACS+ accounting report? The session duration is displayed, but I also want to log which commands the user issued.
What is missing here?
aaa authentication login VTY group P1_ACS local enable
aaa authorization exec default group P1_ACS if-authenticated local
aaa authorization exec CONSOLE none
aaa accounting exec default start-stop group P1_ACS
aaa accounting commands 5 default start-stop group P1_ACS
aaa accounting commands 15 default start-stop group P1_ACS
Command accounting logs are stored in the TACACS+ Administration reports.
There is also a known issue on ver 4.1.1 and we must apply the ACS 4.1.1.23.5 patch to fix the problem.
The patch for the appliance is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
Patch name: ACS SE 4.1.1.23.5 rollup
The ACS hotfix for Windows is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Patch name: ACS 4.1.1.23.5 rollup
CCIE Security
-
ACS 5.1 and Cisco ACE module
Hello
I would like to configure TACACS+ AAA for the Cisco Application Control Engine module in a Catalyst 6500. The ACE configuration guide advises that you need to configure additional parameters to be returned by the RADIUS server (shell: = ...) for authorization of the Cisco ACE virtual context. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing ACE + ACS 5.1 TACACS+ configuration? Thank you
WM
Here is the doc.
Post edited by: jkatyal
-
Administrator rights to the ACS using Active Directory groups
Good afternoon
We need to be able to use administrative accounts for our ACS appliance that reside in an Active Directory group, if possible. If this is not possible, what other safer options would we be able to use (RADIUS authentication or RSA 2 authentication)?
Thanks in advance
You can only use the locally stored accounts within the ACS.