ACS problem
After authenticating through the switch to ACS, when I check Reports and Activity I can see the user in Passed Authentications and in RADIUS Accounting with the detailed user information, but nothing shows in Logged-in Users.
Hi Hall,
Check the field "NAS IP address", which is enabled by default in the RADIUS / TACACS+ accounting logs.
This is the field that says which network device is connected with the RADIUS server.
Kind regards
Prem
Tags: Cisco Security
Similar Questions
-
ACS authentication problem
I am trying to upgrade our network right now and we are replacing the archaic switches with new 3750s. At one of the sites the new switch did not come up, so I configured a 2950 as a temporary solution. My problem is with the RADIUS authentication. I use TACACS as the first authentication method, with the local database as a backup. But the RADIUS authentication is not happening. It just skips straight past method 1 to local authentication. The RADIUS servers are up and running, as other devices authenticate properly, and this 2950 can ping the servers in question. Also, the key is entered correctly. Any suggestions?
And the output of 'debug tacacs'?
My output looks like this:
Apr 17 11:30:27: TAC+: send AUTHEN/START packet ver=192 id=3801177964
Apr 17 11:30:27: TAC+: Using default tacacs server-group "tacacs+" list.
Apr 17 11:30:27: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:27: TAC+: Opened TCP/IP handle 0x80EC2700 to 10.10.10.24/49
Apr 17 11:30:27: TAC+: 10.10.10.24 (3801177964) AUTHEN/START/LOGIN/ASCII queued
Apr 17 11:30:28: TAC+: (3801177964) AUTHEN/START/LOGIN/ASCII processed
Apr 17 11:30:28: TAC+: ver=192 id=3801177964 received AUTHEN status = GETPASS
Apr 17 11:30:31: TAC+: send AUTHEN/CONT packet id=3801177964
Apr 17 11:30:31: TAC+: 10.10.10.24 (3801177964) AUTHEN/CONT queued
Apr 17 11:30:31: TAC+: (3801177964) AUTHEN/CONT processed
Apr 17 11:30:31: TAC+: ver=192 id=3801177964 received AUTHEN status = PASS
Apr 17 11:30:31: TAC+: Closing TCP/IP 0x80EC2700 connection to 10.10.10.24/49
Apr 17 11:30:31: TAC+: using previously set server 10.10.10.24 from group tacacs+
Apr 17 11:30:31: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:31: TAC+: Opened TCP/IP handle 0x80ED50DC to 10.10.10.24/49
Apr 17 11:30:31: TAC+: Opened 10.10.10.24 index=1
Apr 17 11:30:31: TAC+: 10.10.10.24 (3808800626) AUTHOR/START queued
Apr 17 11:30:32: TAC+: (3808800626) AUTHOR/START processed
Apr 17 11:30:32: TAC+: (3808800626): received author response status = PASS_ADD
Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80ED50DC connection to 10.10.10.24/49
Apr 17 11:30:32: TAC+: received attribute 'priv-lvl=15'
Apr 17 11:30:32: TAC+: using previously set server 10.10.10.24 from group tacacs+
Apr 17 11:30:32: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:32: TAC+: Opened TCP/IP handle 0x80EC2B94 to 10.10.10.24/49
Apr 17 11:30:32: TAC+: Opened 10.10.10.24 index=1
Apr 17 11:30:32: TAC+: 10.10.10.24 (422749886) ACCT/REQUEST/START queued
Apr 17 11:30:32: TAC+: (422749886) ACCT/REQUEST/START processed
Apr 17 11:30:32: TAC+: (422749886): received acct response status = SUCCESS
Apr 17 11:30:32: TAC+: Closing TCP/IP 0x80EC2B94 connection to 10.10.10.24/49
Which TACACS+ server do you use?
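The session flow in the debug above (AUTHEN/START, GETPASS, CONT, PASS, then AUTHOR returning priv-lvl, then ACCT) is what a working exchange looks like. What follows is an added example, not from the original post and not Cisco code: a small Python parser that groups `debug tacacs` lines by session id, records whether TCP/49 to the server ever opened, and gives a coarse triage verdict. The sample lines are constructed in the same format as the output above, with a hypothetical second server 10.10.10.25 that never answers; the regular expressions assume the IOS wording shown.

```python
import re
from collections import OrderedDict

# Constructed sample in the format of `debug tacacs`, modelled on the output
# above plus one failed connection to a second (hypothetical) server.
SAMPLE = """\
Apr 17 11:30:27: TAC+: send AUTHEN/START packet ver=192 id=3801177964
Apr 17 11:30:27: TAC+: Opening TCP/IP to 10.10.10.24/49 timeout=5
Apr 17 11:30:27: TAC+: Opened TCP/IP handle 0x80EC2700 to 10.10.10.24/49
Apr 17 11:30:27: TAC+: 10.10.10.24 (3801177964) AUTHEN/START/LOGIN/ASCII queued
Apr 17 11:30:28: TAC+: ver=192 id=3801177964 received AUTHEN status = GETPASS
Apr 17 11:30:31: TAC+: ver=192 id=3801177964 received AUTHEN status = PASS
Apr 17 11:30:31: TAC+: Closing TCP/IP 0x80EC2700 connection to 10.10.10.24/49
Apr 17 11:30:31: TAC+: 10.10.10.24 (3808800626) AUTHOR/START queued
Apr 17 11:30:32: TAC+: (3808800626): received author response status = PASS_ADD
Apr 17 11:30:32: TAC+: received attribute 'priv-lvl=15'
Apr 17 11:30:32: TAC+: 10.10.10.24 (422749886) ACCT/REQUEST/START queued
Apr 17 11:30:32: TAC+: (422749886): received acct response status = SUCCESS
Apr 17 11:31:05: TAC+: Opening TCP/IP to 10.10.10.25/49 timeout=5
Apr 17 11:31:10: TAC+: TCP/IP open to 10.10.10.25/49 failed -- Connection timed out
"""

RE_OPENED = re.compile(r"Opened TCP/IP handle \S+ to (\S+)/49")
RE_FAILED = re.compile(r"TCP/IP open to (\S+)/49 failed")
RE_QUEUED = re.compile(r"(\S+) \((\d+)\) (AUTHEN|AUTHOR|ACCT)/\S+ queued")
RE_AUTHEN = re.compile(r"id=(\d+) received AUTHEN status = (\w+)")
RE_AUTHOR = re.compile(r"\((\d+)\): received author response status = (\w+)")
RE_ACCT = re.compile(r"\((\d+)\): received acct response status = (\w+)")
RE_ATTR = re.compile(r"received attribute '([^']+)'")

# Final statuses that mean the server accepted the request.
SUCCESS = {"PASS", "PASS_ADD", "PASS_REPL", "SUCCESS"}


def _new_session(phase, server):
    return {"phase": phase, "server": server, "statuses": [], "attributes": []}


def parse_debug_tacacs(text):
    """Group debug lines by session id; also record TCP/49 opens and failures."""
    sessions = OrderedDict()
    servers = {"opened": [], "failed": []}
    last_author = None
    for line in text.splitlines():
        if (m := RE_OPENED.search(line)):
            servers["opened"].append(m.group(1))
        elif (m := RE_FAILED.search(line)):
            servers["failed"].append(m.group(1))
        elif (m := RE_QUEUED.search(line)):
            server, sid, phase = m.groups()
            sessions.setdefault(sid, _new_session(phase, server))
            if phase == "AUTHOR":
                last_author = sid
        elif (m := RE_AUTHEN.search(line) or RE_AUTHOR.search(line) or RE_ACCT.search(line)):
            sid, status = m.groups()
            sessions.setdefault(sid, _new_session("?", None))["statuses"].append(status)
        elif (m := RE_ATTR.search(line)) and last_author:
            # Authorization attributes follow the AUTHOR response they belong to.
            sessions[last_author]["attributes"].append(m.group(1))
    return sessions, servers


def final_status(sessions):
    """Last status seen per session, e.g. GETPASS -> PASS collapses to PASS."""
    return {sid: (s["statuses"][-1] if s["statuses"] else None) for sid, s in sessions.items()}


def verdict(sessions, servers):
    """Coarse triage of what the debug shows."""
    if not sessions and not servers["opened"] and not servers["failed"]:
        return "no-tacacs-activity"      # device never tried TACACS+: method list or server config
    if not servers["opened"] and servers["failed"]:
        return "server-unreachable"      # TCP/49 never came up: reachability, ACL or server down
    if any(st not in SUCCESS for st in final_status(sessions).values()):
        return "rejected-or-incomplete"  # server answered but did not accept every phase
    return "ok"


def report(text):
    """Human-readable summary lines for a pasted debug capture."""
    sessions, servers = parse_debug_tacacs(text)
    lines = [f"verdict: {verdict(sessions, servers)}"]
    finals = final_status(sessions)
    for sid, s in sessions.items():
        lines.append(f"{s['phase']:6} id={sid} server={s['server']} "
                     f"final={finals[sid]} attrs={s['attributes']}")
    if servers["failed"]:
        lines.append("failed opens: " + ", ".join(servers["failed"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run against an empty capture, which is what a switch that jumps straight to local authentication produces, the verdict is no-tacacs-activity: that points at the method list or server definition on the device rather than at the server or the key.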
-
Problem with certificate on Cisco ACS
We want to authenticate our internal wireless users using our Cisco ACS running 5.3. ACS queries our Active Directory environment for the user name and password provided. I created a CSR on ACS and provided it to Entrust. They gave me a root, chain and server certificate. I've bound the server certificate to the CSR under System Administration > Local Server Certificates > Local Certificates. I then added the chain and root certificates under Users and Identity Stores > Certificate Authorities. When I try to connect from a laptop client it asks for a user name and password, but after entering this information I am presented with the certificate warning below. This certificate is from Entrust and I see the root certificate in the root store on the laptop. Any ideas what would cause this? TAC does not seem to have all the answers. They say it's a problem with the client machine.
In case you want to check your configuration settings:
http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml
~ BR
Jatin kone
* Please rate useful posts *
-
Why has HP not issued a recall because of the BGA failure?
I would like to know why I am facing a problem with a very common HP laptop and HP itself is not calling us for a recall.
My laptop now has what they call the BGA defect. I did a search on Google, and it seems that it is much more common than I thought, but it's expensive. Then why has HP not called us for a recall?
They never actually recalled the dv95xx and higher models and they were never part of the class action, even if they are prone to some of the same issues as the previous models. My first suggestion is just to buy a new laptop. If this isn't in the cards, I would say one of the many online shops that fix these models using advanced techniques can probably get you another year or two on it for about US $100. If you know how to remove the motherboard, so you can ship just that to the shop, the cost may be closer to US $60. They reball the BGA and get you back up and running.
Here is an example of this type of service:
-
Cisco Secure ACS 3.3(1) -> 4.0 upgrade problems (1)
Hi all!
I have problems upgrading my primary ACS from version 3.3 -> 4.0.
I always get the following error message when I do the upgrade:
"The CiscoSecure ACS directory appears to be locked by another application: C:\Program Files\CiscoSecure ACS v3.3.
Please close all applications... blah blah..."
The thing is, I upgraded my backup ACS first, and that upgrade worked like a charm.
In both cases, for both the primary and the backup, I took control with DameWare remote, copied the ACS 4 folder to the server's hard disk and ran the upgrade from that folder.
As I said, the upgrade of the backup server worked without a hitch.
Here's what I tried:
1. I checked that NO application is using the ACS 3.3 folder and that no Explorer window is open on this folder or its subfolders.
I checked using a small program called Filemon.exe from Sysinternals. According to this program, nothing accessed said folder.
I also double-checked by actually renaming the ACS 3.3 folder once I had stopped all the ACS services. I could not rename the folder while the services were started.
2. I tried stopping the ACS services first and then running the setup, got the same error.
3. I disabled the antivirus software, got the same error.
Basically I am at my wits' end now...
However, I have two options:
1. Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data from the backup ACS.
Wouldn't that bring up the primary with the backup ACS's configuration? So I think I will need to go over it later and make changes if necessary?
2. Make a backup of ACS 3.3 with csutil -b
Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r
Would this work? I've seen conflicting information here in this forum; some say it works, others say it doesn't.
I'm a little confused why it worked so well on the backup ACS but fails on the primary ACS.
Any help would be greatly appreciated!
Thank you!
Ivar Thorolfsson
Hello
The folder lock message often appears if the logs located in the ACS directory are too big.
Move the logs out of the following directories:
CSAdmin\Logs
CSAuth\Logs
CSDBSync\Logs
CSLog\Logs
CSMon\Logs
CSRadius\Logs
CSTacacs\Logs
Logs
Then try the upgrade again.
Kind regards
Vivek
-
Is there a problem with accounting and ACS 4.1?
Good day to all,
I just installed a new server with ACS 4.1.
Once this new ACS 4.1 installation is approved, I will retire my old ACS 3.1 server.
At this point, the only problem I have with ACS 4.1 is with accounting.
For example:
I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.
Now, if I change the test router to point to the new ACS 4.1, ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I did a capture between the test router and ACS 4.1, and the test router does send accounting records to ACS 4.1.
There are many configuration differences between ACS 3.1 and 4.1, but as far as I can see the config on the two ACS is as similar as possible.
Is there anyone out there who could get ACS 4.1 to process accounting properly?
Any idea will help.
Thank you
Frank
Here is my config:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO-AUTH none
aaa authorization exec default group tacacs+ local
! the two command-authorization lines were garbled in the original post; standard syntax assumed
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! the original post renders the next two lines as "radius-server"; tacacs-server is assumed
! because every method list above uses group tacacs+
tacacs-server host 192.168.100.16 key *
(the above command is the only command I change to point to ACS 3.1 or ACS 4.1)
! keyword garbled in the original post ("application made"); directed-request assumed
tacacs-server directed-request
Please use the following link. It has the 4.1 cumulative patch that contains the hotfix for the bug.
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
Don't forget to download the readme text as well.
Rate me if it helps.
-
Hello...
I have ACS 2.6(4) and all these problems are happening:
Authentication and authorization of the NAS work normally, but accounting does not work properly. If I use exec accounting only, the user appears in the 'Logged-in Users' report of ACS; OK. If I add accounting for level 0, 1 or 15 commands, the user appears in the 'Logged-in Users' report, but if I use any command (enable, show..., debug, etc.) the user disappears from the report and the commands are shown in TACACS+ Administration. I tried using ACS 3.1 and accounting works normally.
Is this a BUG? If not, how do I solve this problem?
The configuration of my equipment is:
======
Cisco 2620 (C2600-I-M), IOS Version 12.1(5)T7
======
logging rate-limit console 10 except errors
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication ppp default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization network default group tacacs+ none
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
! accounting-type keyword garbled in the original post ("arrhythmic"); stop-only assumed
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
! accounting-type keyword garbled in the original post ("power"); start-stop assumed
aaa accounting connection default start-stop group tacacs+
====
TKS.
Yep, it's a bug.
See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdv61239
-
Problem when authenticating via RADIUS on ASA
Hi all
Please give me a helping hand. I have a problem when authenticating through the ASA 5520 via RADIUS to ACS 4.0 for the VPN device. I need to configure secure authentication and NAC for remote VPN users. It simply does not work, but it works when using TACACS, so the whole connection seems to be OK, as ACS successfully authenticates a remote VPN user via MS AD when using TACACS. But I read that I cannot use NAC when using TACACS, am I right? The ASA and ACS logs indicate a problem with the shared key, but I already double-checked the key on both sides, the IP address is correct on the ASA and I also tried all possible RADIUS methods on the ASA. Any idea where the problem might be?
Hello
When you use ACS 4.0, make sure that if the AAA client entry you created on ACS for the ASA is under an NDG, there is no key set at the NDG level.
Otherwise, move the ASA RADIUS client entry to the (Not Assigned) NDG on ACS.
Kind regards
Prem
-
TACACS+ Administration reports problem
Once we upgraded ACS from 3.3.4 to 4.1(1) Build 23 we no longer get the information in the TACACS+ Administration report files.
aaa new-model
aaa authentication fail-message ^CConnection failed, Please Try Again.^C
aaa authentication password-prompt Non_TACACS_Password:
aaa authentication username-prompt Non_TACACS_Username:
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
! accounting-type keyword garbled in the original post ("arrhythmic") on the next two lines; stop-only assumed
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 0 NetAdmins stop-only group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Hello
It is a known issue; you must apply the hotfix ACS 4.1.1.23.5 to solve the problem.
The patch for the appliance is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES
The patch name: ACS SE 4.1.1.23.5 rollup
The patch for Windows ACS is available on
http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES
The patch name: ACS 4.1.1.23.5 rollup
That should solve the problem.
Kind regards
Jagdeep
Note: If this answers your question, please mark this thread as solved so that others can benefit from it.
-
Force ACS v5 to join the domain via a certain domain controller
Hello everyone
I'm trying to join an ACS v5.3 to the domain. With my ACS in location A, I can join without problem using my account. When I try to join the ACS in location B to the same domain with the same account, it does not work.
I looked at the AD client debug logs and noticed that the ACS in location B goes to some domain controller. However, I would have expected the ACS to contact a different DC, located at the same site as the ACS... This does not happen.
My question: how to determine which DC the ACS contacts? Is it possible to force the ACS to join by connecting to a certain DC?
Thanks for any help or ideas!
IDA
Hello
Please check the Sites and Services in your DNS configuration to see if the right domain controllers are returned to the ACS when it attempts to join the domain. This function is essential and allows optimizing which links ACS chooses to join the domain.
The way this works is that ACS tries to resolve the DNS records for the global catalog servers and domain controllers via the DNS server configured in the initial setup script. Then DNS makes a decision based on the source IP address of the DNS request, determines that the ACS is in a specific site, and returns the domain controllers and global catalogs that are configured for that specific site.
Let me know if this helps.
Tarik Admani
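The site-aware lookup described in the reply above, as an added example (not Cisco's code and not how ACS is implemented internally): the SRV names an AD client queries for a domain controller and a global catalog, a subnet-to-site mapping in the style of Sites and Services, and the RFC 2782 priority/weight ordering applied to the answers. All subnets, site names and DC host names below are constructed.

```python
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Srv:
    """One SRV record as DNS returns it."""
    priority: int
    weight: int
    port: int
    target: str


def dc_locator_names(domain, site=None, forest=None):
    """SRV names an AD client queries for a DC and a GC; site-specific names first."""
    forest = forest or domain
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")  # DCs in this site
        names.append(f"_gc._tcp.{site}._sites.{forest}")              # GCs in this site
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")  # fallback: any DC in the domain
    names.append(f"_gc._tcp.{forest}")              # fallback: any GC in the forest
    return names


def site_for_ip(ip, subnets):
    """Longest-prefix match of an IP against a Sites and Services subnet -> site map."""
    addr = ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def order_srv(records, rng=None):
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)   # running-sum selection, as the RFC describes
            acc = 0
            for r in pool:
                acc += r.weight
                if acc >= n:
                    pick = r
                    break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


# Constructed data: two AD sites and the answer set DNS would return for SiteB.
SUBNETS = {"10.0.0.0/8": "HQ", "10.21.0.0/16": "SiteB"}
SITEB_DCS = [
    Srv(0, 100, 389, "dc-siteb-1.ad.example"),
    Srv(0, 0, 389, "dc-siteb-2.ad.example"),
    Srv(10, 0, 389, "dc-hq-1.ad.example"),   # lower preference: only if SiteB DCs fail
]


def locate_dc(client_ip, domain, subnets, answers, rng=None):
    """Return (first SRV name asked for, DC to try first) for a client at client_ip."""
    site = site_for_ip(client_ip, subnets)
    names = dc_locator_names(domain, site=site)
    return names[0], order_srv(answers, rng)[0].target


if __name__ == "__main__":
    print(locate_dc("10.21.3.50", "ad.example", SUBNETS, SITEB_DCS))
```

To compare this with what the ACS actually receives, query the site-specific name printed first (nslookup -type=SRV or dig SRV) from a host on the same subnet as the ACS; if the answer lists DCs from another site, the ACS's subnet is missing or mis-assigned in Sites and Services.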
* Please rate useful posts *
-
Replaced the expired cert on ACS
Hello
I replaced an ACS certificate that was installed, then I did the following:
1. Created a certificate request.
2. Issued the request to the company's certification authority.
3. Copied the certificate to an FTP server.
4. Installed the certificate on ACS.
5. Configured the CTL again.
6. Restarted ACS.
8. Enabled EAP-TLS.
The problem is, when I try to enable EAP I get the message that no ACS certificate is installed.
I searched on Cisco and it said to turn off the CSA and follow the same process as I did, without success.
Any help appreciated.
Thank you
KeV
What is the current version?
-
Cisco ISE authentication problem with AD (Windows Server 2013)
Background:
Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users and admin access to the WLCs and switches. The backend database is Microsoft AD running on Windows Server 2012. The existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs, version 7.2.111.3.
Wireless users authenticating to AD through ACS 4.2 works. Admin access to the WLCs and switches against AD through ISE works. Wireless uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.
Problem:
Wireless users cannot authenticate to AD through ISE. The error messages are '11051 RADIUS packet contains invalid state attribute' & '24444 Active Directory operation has failed because of an unspecified error in the ISE'.
Ran a detailed AD test from the ISE. The test was a success and the result seems fine except for the below:
xxdc01.XX.com (10.21.3.1)
Ping: 0 Mins Ago
Status: down
xxdc02.XX.com (10.21.3.2)
Ping: 0 Mins Ago
Status: down
xxdc01.XX.com
Last success: Thu Jan 1 10:00 1970
Last failure: Mon Mar 11 11:18:04 2013
Successes: 0
Failures: 11006
xxdc02.XX.com
Last success: Fri Mar 11 09:43:31 2013
Last failure: Mon Mar 11 11:18:04 2013
Successes: 25
Failures: 11006
Domain controller: xxdc02.xx.com:389
Domain controller type: unknown
DC functional level: 5
Domain name: xx.COM
IsGlobalCatalogReady: TRUE
DomainFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
ForestFunctionality: 2 = (DS_BEHAVIOR_WIN2003)
Actions taken:
(1) Logged in to Cisco ISE and WLC using AD credentials. This rules out the AD connection, clock and AAA shared secret as the problem.
(2) Tested wireless authentication using EAP-FAST, but the same problem occurs.
(3) The detailed error message is shown below. This rules out any authentication and authorization policies. Even before hitting the authentication policy, the AD lookup fails.
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24444 Active Directory operation has failed because of an unspecified error in the ISE
(4) Enabled AD debug logging and had a look at the logs. Nothing significant, and no clue about the problem.
(5) Tested wireless on different mobile phones and laptops, with the same error.
(6) Deleted and re-added the AAA clients/devices on Cisco ISE and WLC.
(7) Restarted the ISE services.
(8) Re-joined the domain on Cisco ISE.
(9) Checked the release notes of ISE 1.1.3 and WLC 7.2.111.3 for any open caveats. Found nothing related to this problem.
(10) There are two ISE and two WLCs deployed. Tested different combinations of ISE1 to WLC1, ISE1 to WLC2, etc. This rules out a WLC hardware problem.
Other possibilities/actions:
(1) Test it on another WLC version. Will have to wait for approval of the outage to upgrade the WLC software.
(2) Incompatibility between Cisco ISE and AD running on Microsoft Windows Server 2012.
Has anyone experienced something similar or have ideas on why this is happening?
Thank you.
Update:
(1) Built another Cisco ISE 1.1.3 server in another data center that uses the same domain but a different domain controller. That domain controller runs Windows Server 2008. This works, with successful authentication.
(2) My colleague tested Cisco ISE 1.1.2 with Windows Server 2012 in a lab environment. He had the same problem as described.
This leads me to think that there is a compatibility issue between Cisco ISE and Windows Server 2012.
Yes, it seems that 1.1.3 doesn't support Server 2012 as of yet.
External Identity Source: OS/Version
Microsoft Windows Active Directory 2003 R2, 32-bit and 64-bit
Microsoft Windows Active Directory 2008, 32-bit and 64-bit
Microsoft Windows Active Directory 2008 R2, 64-bit only
Microsoft Windows Active Directory 2003, 32-bit only
http://www.Cisco.com/en/us/docs/security/ISE/1.1/compatibility/ise_sdt.PDF
-
Which version of ACS supports agentless hosts (for example IP phones, printers, etc.)?
I have ACS v3.1; is it supported?
Is there a solution to authenticate devices by MAC address?
Thank you
AW
Configuring agentless hosts is supported in ACS versions 4.0, 4.1 and 4.2. Many hosts that authenticate to ACS run agent software that requests access to network resources and receives approval from ACS. However, some hosts do not run the agent software. ACS solves this problem by using the MAC address of the host device to identify and authenticate the host. This technique is called MAC authentication bypass (MAB).
-
How to separate authentication requests on ACS 4.2
Hello
I have an ACS 4.2 for AAA. Right now I use this server to authenticate users logging in to all my Cisco devices (routers, switches, ASAs, APs) and also to authenticate users for remote access VPN on the ASA.
The problem I have is that the VPN users, who reside in another group in ACS, are able to authenticate to log in and manage the network devices, and that is a security problem. I need the VPN users to be able to authenticate only to the VPN and not be able to authenticate to log in to the network devices.
Any ideas? Is it possible to separate RADIUS access requests for VPN from device login?
Hi Fernando,
Yes, it is possible to restrict your VPN-only users to the VPN on the ASA. If you don't want them to have telnet/ssh/http access to the other devices in the network, then you can go for a NAR (Network Access Restriction).
The only thing you need to know is what we are calling the calling-station-id. I think it's an IP address. You can check this under Reports and Activity > Passed Authentications for VPN users.
Here are the steps:
ACS > go to the VPN group > Edit > look for NAR > under IP-based NAR > set the action to "Denied" > select the devices (routers/switches) you want to deny access to > put * in the port and address fields > click Submit + Restart.
Doing this, the users will be able to connect through VPN but unable to do ssh and telnet.
I have attached a screenshot of the same (I did it for a 6509 switch).
HTH
JK
Please rate useful posts
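An added example, not from the post and not ACS code, that simulates how an IP-based NAR attached to a group is evaluated: a "Denied" list blocks the listed AAA clients/ports/addresses, a "Permitted" list allows only the listed ones, and '*' is a wildcard in every field. Group names, AAA client names and addresses are constructed. It goes one step beyond the reply above by also showing the permit-list variant, which fails closed when a new device is added that the deny list does not yet name.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class NarEntry:
    """One row of an IP-based NAR: AAA client, port and address; '*' means any."""
    aaa_client: str = "*"
    port: str = "*"
    address: str = "*"


@dataclass
class IpNar:
    """'deny': listed locations are blocked. 'permit': only listed locations are allowed."""
    action: str
    entries: list = field(default_factory=list)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str
    aaa_client: str   # AAA client (NAS) name as defined in ACS
    port: str         # NAS port, e.g. "tty1" for a CLI login; "" for VPN
    address: str      # calling-station-id, e.g. the client's source IP


def entry_matches(entry, req):
    """Shell-style wildcard match on all three fields of a NAR row."""
    return (fnmatchcase(req.aaa_client, entry.aaa_client)
            and fnmatchcase(req.port, entry.port)
            and fnmatchcase(req.address, entry.address))


def nar_allows(nar, req):
    if nar is None:
        return True                      # group carries no restriction
    hit = any(entry_matches(e, req) for e in nar.entries)
    return (not hit) if nar.action == "deny" else hit


# Constructed policy: VPN users denied on every named network device; admins unrestricted.
GROUP_NARS = {
    "VPN-Users": IpNar("deny", [NarEntry("core-6509"), NarEntry("rtr-*"), NarEntry("sw-*")]),
    # Same intent expressed as a permit list: VPN users may only arrive via the VPN ASA.
    "VPN-Users-permit-variant": IpNar("permit", [NarEntry("asa-vpn")]),
    "NetAdmins": None,
}


def authorize(req, group_nars=GROUP_NARS):
    """Return (decision, reason) in the spirit of the Passed/Failed Attempts reports."""
    nar = group_nars.get(req.group)
    if nar_allows(nar, req):
        return "Authen OK", "no NAR hit"
    return "Authen failed", f"NAR {nar.action} list on group {req.group}"


if __name__ == "__main__":
    for req in (AccessRequest("fernando", "VPN-Users", "asa-vpn", "", "203.0.113.7"),
                AccessRequest("fernando", "VPN-Users", "core-6509", "tty1", "10.1.1.5")):
        print(req.aaa_client, authorize(req))
```

The last two assertions below are the practitioner's caveat: a deny list must be updated every time a device is added to ACS, whereas the permit-list form denies the unlisted device automatically.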
-
TACACS+ SSH authentication problem for ASA
Dear Sir
I manage an ASA 5540 active/failover pair. SSH authentication is performed via TACACS+ to an ACS 4.2 located in the same VLAN as the inside interface of the firewall. I have added the two firewalls on the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and connect to the active ASA without any problem. But on the standby ASA, I get the SSH prompt but I cannot log in. When I look at the failed attempts log on ACS, I see "Unknown NAS" for the ASA. How can I solve this problem?
Best regards
Abebe Amare
Network Engineer, VivaCell
Hi Abebe,
On the secondary ASA, please check the following:
sh failover ---> and make sure that the secondary unit is Standby Ready and not Failed.
sh aaa-server ---> check the output and see whether the ASA marks the server as 'UP' and is exchanging packets.
Enable the following debugs and perform an authentication test as shown:
debug aaa authentication
debug tacacs
debug ssh
test aaa-server authentication <server-tag> host <acs-ip> username "insert username" password "insert password"
Send me the debugs after running the test with your username so that I can analyze them.
Cheers,
Christian V