Problem with certifcate on Cisco ACS
We want to authenticate our internal wireless users using our Cisco ACS running 5.3. GBA questions our Active Directory environment for the user name and password provided. I created a CSR on GBA and it provided to Entrust. They gave me a root certificate, string and server. I've linked the server certificate to the CSR under System Administration > Local Server Certificates > local certificates. I then added the chain and the root certificates to the users of the site and identity stores > autorités. When I try to connect to a laptop client he asks a user name and password, but after entering this information, I am presented with the warning on this certificate below. This certificate is to Entrust and I see the certificate root in the root store on the laptop. Any ideas what would cause this. TAC does not seem to have all the answers. They say it's a problem of the client machine.
In case you want to check your configuration settings.
http://www.Cisco.com/en/us/products/ps10315/products_configuration_example09186a0080bd1100.shtml
~ BR
Jatin kone
* Does the rate of useful messages *.
Tags: Cisco Security
Similar Questions
-
Problem with ping VPN cisco 877
Hi all!
I have a working VPN between a fortigate and a Cisco.
I have a problem with ping network behind the cisco of the network behind the forti.
When I ping to vlan2 cisco without problem (192.168.252.1) interface, but I can't ping a server in the vlan2 (192.168.252.2) behind the cisco.
However the Cisco I can ping the server. In the forti, I see that ping to the interface vlan2 and server in vlan2 take in the same way, and I can see package.
I post my config could see it it as blocking the ping from 10.41.2.36 to 192.168.252.2 while 192.168.252.1 ping is OK?
IPSEC #show run
Building configuration...Current configuration: 3302 bytes
!
! Last modification of the configuration at 14:42:17 CEDT Friday, June 25, 2010
! NVRAM config update at 14:42:23 CEDT Friday, June 25, 2010
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime localtime show-time zone
encryption password service
!
IPSEC host name
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 abdellah
!
No aaa new-model
clock timezone GMT 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
!
!
dot11 syslog
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 192.168.254.0 192.168.254.99
DHCP excluded-address IP 192.168.254.128 192.168.254.255
!
IP dhcp DHCP pool
network 192.168.254.0 255.255.255.0
router by default - 192.168.254.254
Server DNS A.A.A.A B.B.B.B
!
!
no ip domain search
name of the IP-server A.A.A.A
name of the IP-server B.B.B.B
!
!
!
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto key ciscokey address IP_forti
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpntest
!
myvpn 10 ipsec-isakmp crypto map
defined by peer IP_forti
Set transform-set vpntest
match address 101
!
Archives
The config log
hidekeys
!
!
!
!
!
interface Tunnel0
IP 2.2.2.1 255.255.255.252
source of Dialer0 tunnel
destination of IP_forti tunnel
myvpn card crypto
!
ATM0 interface
bandwidth 320
no ip address
load-interval 30
No atm ilmi-keepalive
DSL-automatic operation mode
!
point-to-point interface ATM0.1
MTU 1492
bandwidth 160
PVC 8/35
VBR - nrt 160 160
PPPoE-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
IP 192.168.20.253 255.255.255.0
IP nat inside
no ip virtual-reassembly
!
interface Vlan2
IP 192.168.252.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Dialer0
bandwidth 128
the negotiated IP address
NAT outside IP
no ip virtual-reassembly
encapsulation ppp
load-interval 30
Dialer pool 1
Dialer-Group 1
KeepAlive 1 2
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap password 7 abdelkrim
myvpn card crypto
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
IP route 10.41.2.32 Tunnel0 255.255.255.240
!
no ip address of the http server
no ip http secure server
The dns server IP
translation of nat IP tcp-timeout 5400
no ip nat service sip 5060 udp port
overload of IP nat inside source list NAT interface Dialer0
!
IP access-list standard BROADCAST
permit of 0.0.0.0
deny all
!
NAT extended IP access list
IP enable any host IP_cisco
deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
public RO SNMP-server community
3 RW 99 SNMP-server community
SNMP-server community a RO
SNMP-Server RO community oneCommunityRead
not run cdp
!
!
!
control plan
!
!
Line con 0
password 7 abdelkrim
opening of session
no activation of the modem
line to 0
line vty 0 4
password 7 aaaaa
opening of session
escape character 5
!
max-task-time 5000 Planner
NTP-period clock 17175037
Server NTP B.B.B.B
Server NTP A.A.A.Aend
Alex,
It's your GRE tunnel:
interface Tunnel0
IP 2.2.2.1 255.255.255.252
source of Dialer0 tunnel
destination of IP_forti tunnel
myvpn card cryptoYou also have routing set by it.
You don't need a GRE tunnel, nor do you need the road to tunnel if you want just IPsec tunnel.
-
Problem with audio in Cisco IP Communicator
Hello
I have a problem with the audio in a VMware View environment.
I don't know if it's important, but my thin client is a model of WYSE X90LE, and I install the drivers for the USB (property WYSE) support. I use Logitech headset.
When I connect to virtual desktop, I have a sound; but when I start Ip Communicator application I get the following error: "there is no compatible audio device installed on this computer. "Please click 'OK' to exit the"
Anyone have this problem?
Any suggestions?
Best regards
Pedro Velasco
Tarragona, Spain
You must purchase the TCX rich sound of WYSE. They have three licenses that are required for your virtual machine using Wyse terminals to work properly. Multimedia and USB also. $25 per license per device. You will need to upgrade license TCX, they give you in a MNOS. Ini FILE in your FTP server. I hate this cause that they announce that licenses TCX and an FTP server are needed until you call the problems you are having. I threatened to sue them for false advertising. Also reinstall the VMware tools in the virtual machine. Make sure you have the latest version of the software microsoft RDP. I think they are at 6.1.
-
Problem with VLAN between Cisco Catalyst (3560G) and SG300-52
I am having trouble with the creation of a trunk of vlan between a SG300-52 and a Cisco Catalyst 3560 G. I have 4 VLANS (1, 2, 10 and 11) on the 3650 and I need ports on the SG300 to be able to communicate with them.
On the 3560, port 14 is defined as:
interface GigabitEthernet0/14
switchport trunk encapsulation dot1q
switchport mode trunk
spanning tree portfast
On the Sg300 port 52 is defined as:
interface GigabitEthernet52
point to point link type spanningtree
switchport trunk allowed vlan add 1,2,10,11
description macro switch
Try to understand what the problem... Any help would be appreciated.
Thank you
Chris
Hi Chris, the first problem is the spanning tree portfast, it shouldn't be on an interconnection network switch. You may have a mismatch of vlan native as well, but that shouldn't matter.
A suggestion, however, the value of the port SG300 general mode and disable the input filter.
-Tom
Please mark replied messages useful -
Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator
Hi guys,.
I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.
The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address. We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that. Here is a screenshot of what I tried:
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
nameif ethernet2 dmz1 security50name 172.16.1.48 Cust_DVR1
permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1
permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1
IP outside X.Y.Z.227 255.255.255.224
IP address inside 192.168.1.1 255.255.255.0location of PDM Cust_DVR1 255.255.255.255 outside
Global 1 X.Y.Z.230 (outside)
Global (dmz1) 1 interface
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 192.168.1.0 255.255.255.0 0 0Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
outside_map 30 ipsec-isakmp crypto map
outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">--->
card crypto outside_map 30 match address centura_map_30
card crypto outside_map 30 the transform-set ESP-3DES-MD5 value
outside_map interface card crypto outside
ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode
part of pre authentication ISAKMP policy 30
ISAKMP policy 30 3des encryption
ISAKMP policy 30 md5 hash
30 2 ISAKMP policy group
ISAKMP duration strategy of life 30 86400
My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network. I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).
THANKS MUCH FOR ANY HELP!
-Mario
Hello
For example, you can NAT your internal via the tunnel network traffic when you go to this customer.
In this way, they will see your unique internal network as an IP address.
Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227
Is this what you need?
Federico.
-
Cannot save changes to cisco ACS 5.8
Hello
I have a problem with save to Cisco ACS. I'm not saving with the button "save changes". It's hide. Please help me. Thank you
Look at more pictures, looks like you are using firefox version 46.
If yes you must down load and install 5.8 patch3 which includes fixes for specific problems seen when working with this version of the Firefix browser
-
Cisco VPN problem with security update KB3057839 for Vista
Someone had problems with any connection Cisco VPN works after the installation of update of security KB3057839 for Vista? When this update is installed, the pop-up to enter the password and user id not come, need to use the Task Manager to close the program. The first time I went back to the restore point to get my VPN to work, this time I tried to reinstall the VPN but that doesn't work anymore. I started to uninstall updates (had 7 of them), when I got to it, KB3057839, the VPN began working again.
Mike
See this on the real issue:
http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html
It turns out that the logon dialog box is invisible, but still, it agrees to enter you your password and LOG you!
-
Problem with Cisco ACS and different areas
Hello
We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:
We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.
Then we have our Cisco switches with the following configuration,
AAA new-model
AAA-authentication failure message ^ CCCC
Failled to authenticate!
Please IT networks Contact Group for more information.
^ C
AAA authentication login default group Ganymede + local
AAA authorization exec default group Ganymede + local
AAA authorization network default group Ganymede + local
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
!
AAA - the id of the joint session
But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.
There may be something wrong with the ACS?
Thank you
Jorge
Try increasing the timeout on IOS device using radius-server timeout 10.
Do we not have journaling enabled on the ACS server remotely?
-Philou
-
Cisco Security Manager integration with Cisco ACS troubleshooting
Hi all!
I have a problem with the integration between Cisco Security Manager and ACS. I've done the integration, but the identity of the user system doesn't have enough privileges. I know what the problem is, but I don't know how I can change the login of the ACS to the local MSC?
I found a file that specifies the following:
Q.
Is there a backend script or command line interface options to change the ACS to local CicsoWorks connection module?
A.
To restore the server LMS ACS local user mode mode, stop the CiscoWorks
demons and run the following script:
NMSROOT/bin/perl ResetLoginModule.pl
(for Solaris)
NMSROOT\bin\perl ResetLoginModule.pl
(for Windows)
Then, restart the daemon.
I did it, but does not work, any idea?
Hello
I guess you can try to go through the question on WSC and GBA integration troubleshooting:
Few things might have gone wrong:
1 - this command must be run on the server MCS cmd prompt (make sure that you are not on the client computer)
2 - NMSROOT is the directory were MSC Server is installed. Is usually c:\Progra~1\CSCOpx
3. you must stop the deamon Manager before performing this action (and restart)
For example if the directory is the one above to reset the connection locally, you can try the following:
net stop crmdmgtd---> that stops the daemon Manager (can be done by the services window)
c:\Progra~1\CSCOpx\bin\perl c:\Progra~1\CSCOpx\bin\ ResetLoginModule.pl---> restores local authentication
net start crmdmgtd---> restart the Daemon Manager
Can you maybe try again and let me know how it goes?
Thank you
-
Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions
Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.
I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.
When I use the User1 account in our NEXUS devices, I do NOT receive the access privilege 15. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed I would get the role of "network-admin" (15 private read/write) User1 when you connect, but instead I got the role of 'vdc-operator' (private 1 read-only).
Then I tried to twist User1 and give network-admin under profile Shell > Custom Attributes. I logged in the NEXUS and of course I was able to get a network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to connect with my login and my password for these devices.
Has anyone ever experience this problem? Help, please!
Thank you
neocec
This is a common problem when you mix with RBAC and IOS devices authorization policies, the pair av that you created must be set 'optional' instead of 'compulsory', please make this change and you will be able to access all your devices.
Thank you
Tarik
-
With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices
Hi all
I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are
Juniper M10i running Junos 9.2, M120
M320 running Junos 8.5 Juniper
Extremes of BD8810 and BD8806 running 12.4.1.17 XOS
3804 Alpine extreme Extremeware 7.8.3.5 running
My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you
/ John
John,
We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:
set system login user uid of engineering 2000
Set system login user engineering genius-class class
set the connection user uid to NOC 2001 System
Set system login user AC AC-class classdefine the system connection Engineering-class idle-timeout 15
define a connection system class engineering-class permissions all
define the system connection AC-class idle-timeout 15
define the connection class AC system class view permissions
Set connection AC-class permissions see the system configurationWe use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.
Hope this helps.
Derek
-
I'm migrating from ACS v4.2.1 to v5.3. I want the final v5.3 system to assume the IP address of the machine 4.2 of origin so I don't have to change any configs on network devices.
Are there problems with the change of the IP address of the system AFTER the initial installation v5.3?
I tried without problem. I changed the ip address of the WLC several times.
You must ensure that:
1-) you change the switchport accordingly to the appropriate vlan if the new ip address belongs to a subnet of a vlan different.
2-) make sure that all clients AAA configured to use the new IP address of the ACS servers.
Here is the procedure how to change the ip address of the interface (according to the doc of cisco):
I also changed parIP normal address and it works. but of course, the server must be autonomous before doing this step (i.e. no secondary ACSS registered to him and he is not on the other ACSS in a distributoin).
HTH
Amjad
-
Problem with switch Cisco SG300
Hi guys,.
I have a problem with switch Cisco SG300-20. After the failure of the switch boots in a kind of mode. It requires
MAC address and serial number to be entered manually for the device. I tried to find information on this mode, but without success.
My question is: what is this mode and how to make the start switch in this mode?
How can I turn on the switch in this mode on purpose if it happens again and I enter the wrong information by accident.
Thank you
Hi Aegx, this is a rare case where the switch basically forget his identity. Although the switch is recoverable, it is recommended the switch RMA.
If you are certain that you have neither taken under warranty, all the information that is asked is on the bottom of the switch sticker. If the thumbnail is is not present you wouldn't able to do this is correct.
In addition, if you make a typographical error, the switch will have undesirable failures that are permanent, such as the inability to update software.
-
Problems with the management of the CSC/Cisco (associated with SSO) site
Dear friends,
I came across a problem with single sign - on (SSO) used in the Cisco's Web site and CSC which begins to be more and more awkward:
- I visit the CSC and connect you to reply to a thread. Then I start to reply to a message.
- In response, I need to consult the technical documentation, guides, configuration or other documents on Cisco's Web site. In another tab in my browser, I visit the Cisco's Web site and do my search/navigation.
- At some point, Cisco's Web site acknowledges that I am already connected to the CSC and begins to produce URLs with the /partner/ inside component (for example in the search results). By clicking on this URL causes me be redirected to the page of connection again. This is the first question - why do I have to log in again because I am already connected and SSO is supposed to take care of this?
- Well, I re-enter my credentials, get connected, access the necessary document, then I go back to my post on the CSC, finish it and submit it. KABOOM - CCS quickly informs me that I am without permission to perform this action, lose my answer in the process! Logging on to the Web site (as described in step 3) Cisco obviously invalid my current session on CSC! I need to connect again to the SCC (until I do that, she considers me as a guest once again, but when I click on the login link, I suddenly make me connected without enter my credentials) and, well, write again my answer. Sometimes, a part is recoverable, but usually, it is only a small fragment.
Would it not be possible to correct this behavior? I lost a lot of time my lost rewrite responses.
Best regards
Peter
Hi Peter,.
I wanted to give you a quick update on the two issues.
First question:
We are currently working on a long term and short fix for this problem. Unfortunately the long-term solution will be a drawn out effort as we begin our new data of all content in our heritage Center. The team is currently testing the short-term solution, will keep you posted on the progress that I get more details.
Second question:
We currently do analysis of the root causes of this problem and give you updated each week on this issue that deploy us the patch.
Thanks a lot again for you continued support and patience.
Sainaba.
-
Problem with the Cisco VPN and Vista client
Hello
I have an easy VPN server configured on a c2811 and users use the Cisco VPN client. Lately, I have users running Windows Vista 64 bit and I need to know what is the correct version of the vpn client, I have to use and the compatibility problems with the server, I configured.
Thank you and best regards.
Cisco VPN Client doesn't have any version that is compatible with Vista 64 bit OS. The only customer that Cisco has released that supports the 64 bit OS's AnyConnect, but it is only supported on the CISCO ASA Appliance
Maybe you are looking for
-
Certificate of authentication based on cisco ACS
Hi the friend and experts I have an ACS 5.8 System. When users connect to ACS via a Web browser (443), used I: acsadmin & password. Now my boss he wants me config ACS certificate based authentication. Please help me Guild and me and for me. What is t
-
Download DataServer User/Pass/host with ODI Variable to use in the ODI tools
Hi guys.I was thinking about a way to dynamically modify the ODI tool based on the parameters of a root.So I created a dummy DataServer with host that the IP address of the server I want to reach and define the user/pass I will use to authenticate.Th
-
I just buy photoshop and it won't let me download
I can't download photoshop and I buy it
-
What is the best way to change the IP address of management vmkernel on a vDS?
Hi allI'm changing the IP address of the management interface vmkernel with as little downtime as possible and markets.The interface is part of a distributed switch and the host is part of a cluster on the vCenter server.As for now, here's what I do:
-
Canon 5 d tethering with Lightroom CC, why it does not work?
HelloWhy can I not use my canon 5 d in tethering with the latest version of LR?I can see the raw file, but I don't work to attach.It supported this camera?Thank you