Problem with certifcate on Cisco ACS

Similar Questions

• Problem with ping VPN cisco 877

  Hi all!

  I have a working VPN between a fortigate and a Cisco.

  I have a problem with ping network behind the cisco of the network behind the forti.

  When I ping to vlan2 cisco without problem (192.168.252.1) interface, but I can't ping a server in the vlan2 (192.168.252.2) behind the cisco.

  However the Cisco I can ping the server. In the forti, I see that ping to the interface vlan2 and server in vlan2 take in the same way, and I can see package.

  I post my config could see it it as blocking the ping from 10.41.2.36 to 192.168.252.2 while 192.168.252.1 ping is OK?

  IPSEC #show run
  Building configuration...

  Current configuration: 3302 bytes
  !
  ! Last modification of the configuration at 14:42:17 CEDT Friday, June 25, 2010
  ! NVRAM config update at 14:42:23 CEDT Friday, June 25, 2010
  !
  version 12.4
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime localtime show-time zone
  encryption password service
  !
  IPSEC host name
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 1000000
  enable secret 5 abdellah
  !
  No aaa new-model
  clock timezone GMT 1
  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
  !
  !
  dot11 syslog
  IP cef
  No dhcp use connected vrf ip
  DHCP excluded-address IP 192.168.254.0 192.168.254.99
  DHCP excluded-address IP 192.168.254.128 192.168.254.255
  !
  IP dhcp DHCP pool
  network 192.168.254.0 255.255.255.0
  router by default - 192.168.254.254
  Server DNS A.A.A.A B.B.B.B
  !
  !
  no ip domain search
  name of the IP-server A.A.A.A
  name of the IP-server B.B.B.B
  !
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA aes 256
  preshared authentication
  Group 5
  ISAKMP crypto key ciscokey address IP_forti
  !
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpntest
  !
  myvpn 10 ipsec-isakmp crypto map
  defined by peer IP_forti
  Set transform-set vpntest
  match address 101
  !
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface Tunnel0
  IP 2.2.2.1 255.255.255.252
  source of Dialer0 tunnel
  destination of IP_forti tunnel
  myvpn card crypto
  !
  ATM0 interface
  bandwidth 320
  no ip address
  load-interval 30
  No atm ilmi-keepalive
  DSL-automatic operation mode
  !
  point-to-point interface ATM0.1
  MTU 1492
  bandwidth 160
  PVC 8/35
  VBR - nrt 160 160
  PPPoE-client dial-pool-number 1
  !
  !
  interface FastEthernet0
  switchport access vlan 2
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  switchport access vlan 2
  !
  interface Vlan1
  IP 192.168.20.253 255.255.255.0
  IP nat inside
  no ip virtual-reassembly
  !
  interface Vlan2
  IP 192.168.252.1 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  !
  interface Dialer0
  bandwidth 128
  the negotiated IP address
  NAT outside IP
  no ip virtual-reassembly
  encapsulation ppp
  load-interval 30
  Dialer pool 1
  Dialer-Group 1
  KeepAlive 1 2
  Authentication callin PPP chap Protocol
  PPP chap hostname [email protected] / * /
  PPP chap password 7 abdelkrim
  myvpn card crypto
  !
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 Dialer0
  IP route 10.41.2.32 Tunnel0 255.255.255.240
  !
  no ip address of the http server
  no ip http secure server
  The dns server IP
  translation of nat IP tcp-timeout 5400
  no ip nat service sip 5060 udp port
  overload of IP nat inside source list NAT interface Dialer0
  !
  IP access-list standard BROADCAST
  permit of 0.0.0.0
  deny all
  !
  NAT extended IP access list
  IP enable any host IP_cisco
  deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
  !
  access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
  public RO SNMP-server community
  3 RW 99 SNMP-server community
  SNMP-server community a RO
  SNMP-Server RO community oneCommunityRead
  not run cdp
  !
  !
  !
  control plan
  !
  !
  Line con 0
  password 7 abdelkrim
  opening of session
  no activation of the modem
  line to 0
  line vty 0 4
  password 7 aaaaa
  opening of session
  escape character 5
  !
  max-task-time 5000 Planner
  NTP-period clock 17175037
  Server NTP B.B.B.B
  Server NTP A.A.A.A

  end

  Alex,

  It's your GRE tunnel:

  interface Tunnel0
  IP 2.2.2.1 255.255.255.252
  source of Dialer0 tunnel
  destination of IP_forti tunnel
  myvpn card crypto

  You also have routing set by it.

  You don't need a GRE tunnel, nor do you need the road to tunnel if you want just IPsec tunnel.

• Problem with audio in Cisco IP Communicator

  Hello

  I have a problem with the audio in a VMware View environment.

  I don't know if it's important, but my thin client is a model of WYSE X90LE, and I install the drivers for the USB (property WYSE) support. I use Logitech headset.

  When I connect to virtual desktop, I have a sound; but when I start Ip Communicator application I get the following error: "there is no compatible audio device installed on this computer. "Please click 'OK' to exit the"

  Anyone have this problem?

  Any suggestions?

  Best regards

  Pedro Velasco

  Tarragona, Spain

  You must purchase the TCX rich sound of WYSE. They have three licenses that are required for your virtual machine using Wyse terminals to work properly. Multimedia and USB also. $25 per license per device. You will need to upgrade license TCX, they give you in a MNOS. Ini FILE in your FTP server. I hate this cause that they announce that licenses TCX and an FTP server are needed until you call the problems you are having. I threatened to sue them for false advertising. Also reinstall the VMware tools in the virtual machine. Make sure you have the latest version of the software microsoft RDP. I think they are at 6.1.

• Problem with VLAN between Cisco Catalyst (3560G) and SG300-52

  I am having trouble with the creation of a trunk of vlan between a SG300-52 and a Cisco Catalyst 3560 G.  I have 4 VLANS (1, 2, 10 and 11) on the 3650 and I need ports on the SG300 to be able to communicate with them.

  On the 3560, port 14 is defined as:

  interface GigabitEthernet0/14

  switchport trunk encapsulation dot1q

  switchport mode trunk

  spanning tree portfast

  On the Sg300 port 52 is defined as:

  interface GigabitEthernet52

  point to point link type spanningtree

  switchport trunk allowed vlan add 1,2,10,11

  description macro switch

  Try to understand what the problem... Any help would be appreciated.

  Thank you

  Chris

  Hi Chris, the first problem is the spanning tree portfast, it shouldn't be on an interconnection network switch. You may have a mismatch of vlan native as well, but that shouldn't matter.

  A suggestion, however, the value of the port SG300 general mode and disable the input filter.

  -Tom
  Please mark replied messages useful

• Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator

  Hi guys,.

  I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.

  The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address.  We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that.  Here is a screenshot of what I tried:

  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  nameif ethernet2 dmz1 security50

  name 172.16.1.48 Cust_DVR1

  permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1

  permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1

  IP outside X.Y.Z.227 255.255.255.224
  IP address inside 192.168.1.1 255.255.255.0

  location of PDM Cust_DVR1 255.255.255.255 outside

  Global 1 X.Y.Z.230 (outside)
  Global (dmz1) 1 interface
  NAT (inside) 0-list of access inside_outbound_nat0_acl
  NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  outside_map 30 ipsec-isakmp crypto map

  outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">

  card crypto outside_map 30 match address centura_map_30

  card crypto outside_map 30 the transform-set ESP-3DES-MD5 value

  outside_map interface card crypto outside

  ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  30 2 ISAKMP policy group

  ISAKMP duration strategy of life 30 86400

  My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network.  I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).

  THANKS MUCH FOR ANY HELP!

  -Mario

  Hello

  For example, you can NAT your internal via the tunnel network traffic when you go to this customer.

  In this way, they will see your unique internal network as an IP address.

  Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227

  Is this what you need?

  Federico.

• Cannot save changes to cisco ACS 5.8

  Hello

  I have a problem with save to Cisco ACS. I'm not saving with the button "save changes". It's hide. Please help me. Thank you

  Look at more pictures, looks like you are using firefox version 46.

  If yes you must down load and install 5.8 patch3 which includes fixes for specific problems seen when working with this version of the Firefix browser

• Cisco VPN problem with security update KB3057839 for Vista

  Someone had problems with any connection Cisco VPN works after the installation of update of security KB3057839 for Vista? When this update is installed, the pop-up to enter the password and user id not come, need to use the Task Manager to close the program. The first time I went back to the restore point to get my VPN to work, this time I tried to reinstall the VPN but that doesn't work anymore. I started to uninstall updates (had 7 of them), when I got to it, KB3057839, the VPN began working again.

  Mike

  See this on the real issue:

  http://www.chiark.greenend.org.uk/~sgtatham/PuTTY/wishlist/Vista-update-breaks-config.html

  It turns out that the logon dialog box is invisible, but still, it agrees to enter you your password and LOG you!

• Problem with Cisco ACS and different areas

  Hello

  We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:

  We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.

  Then we have our Cisco switches with the following configuration,

  AAA new-model

  AAA-authentication failure message ^ CCCC

  Failled to authenticate!

  Please IT networks Contact Group for more information.

  ^ C

  AAA authentication login default group Ganymede + local

  AAA authorization exec default group Ganymede + local

  AAA authorization network default group Ganymede + local

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  AAA - the id of the joint session

  But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.

  There may be something wrong with the ACS?

  Thank you

  Jorge

  Try increasing the timeout on IOS device using radius-server timeout 10.

  Do we not have journaling enabled on the ACS server remotely?

  -Philou

• Cisco Security Manager integration with Cisco ACS troubleshooting

  Hi all!

  I have a problem with the integration between Cisco Security Manager and ACS. I've done the integration, but the identity of the user system doesn't have enough privileges. I know what the problem is, but I don't know how I can change the login of the ACS to the local MSC?

  I found a file that specifies the following:

  Q.

  Is there a backend script or command line interface options to change the ACS to local CicsoWorks connection module?

  A.

  To restore the server LMS ACS local user mode mode, stop the CiscoWorks

  demons and run the following script:

  NMSROOT/bin/perl ResetLoginModule.pl

  (for Solaris)

  NMSROOT\bin\perl ResetLoginModule.pl

  (for Windows)

  Then, restart the daemon.

  I did it, but does not work, any idea?

  Hello

  I guess you can try to go through the question on WSC and GBA integration troubleshooting:

  http://www.Cisco.com/en/us/docs/security/security_management/cisco_security_manager/security_manager/3.0/troubleshooting/guide/rbacts.html#wp1043629

  Few things might have gone wrong:

  1 - this command must be run on the server MCS cmd prompt (make sure that you are not on the client computer)

  2 - NMSROOT is the directory were MSC Server is installed. Is usually c:\Progra~1\CSCOpx

  3. you must stop the deamon Manager before performing this action (and restart)

  For example if the directory is the one above to reset the connection locally, you can try the following:

  net stop crmdmgtd---> that stops the daemon Manager (can be done by the services window)

  c:\Progra~1\CSCOpx\bin\perl c:\Progra~1\CSCOpx\bin\ ResetLoginModule.pl---> restores local authentication

  net start crmdmgtd---> restart the Daemon Manager

  Can you maybe try again and let me know how it goes?

  Thank you

• Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions

  Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.

  I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.

  When I use the User1 account in our NEXUS devices, I do NOT receive the access privilege 15. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed I would get the role of "network-admin" (15 private read/write) User1 when you connect, but instead I got the role of 'vdc-operator' (private 1 read-only).

  Then I tried to twist User1 and give network-admin under profile Shell > Custom Attributes. I logged in the NEXUS and of course I was able to get a network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to connect with my login and my password for these devices.

  Has anyone ever experience this problem? Help, please!

  Thank you

  neocec

  This is a common problem when you mix with RBAC and IOS devices authorization policies, the pair av that you created must be set 'optional' instead of 'compulsory', please make this change and you will be able to access all your devices.

  Thank you

  Tarik

• With the help of Cisco ACS 5.2 (GANYMEDE +) with other than Cisco devices

  Hi all

  I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can control all their nodes (other than Cisco) network via GANYMEDE + involved nodes are

  Juniper M10i running Junos 9.2, M120

  M320 running Junos 8.5 Juniper

  Extremes of BD8810 and BD8806 running 12.4.1.17 XOS

  3804 Alpine extreme Extremeware 7.8.3.5 running

  My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate using GANYMEDE + to these other than Cisco devices. Has anyone else done this or I have to use RADIUS? If someone has done this are problems of interoperability with Cisco CS and Junos or XOS extreme. Thank you

  / John

  John,

  We have a very large deployment of Juniper (T-series, series MX, etc.). We use Cisco ACS and GANYMEDE to manage these devices. The configuration of the ACS is fairly simple. You'll want to create users to connect and match them to the classes on your JUNOS routers. Here is an example:

  set system login user uid of engineering 2000
  Set system login user engineering genius-class class
  set the connection user uid to NOC 2001 System
  Set system login user AC AC-class class

  define the system connection Engineering-class idle-timeout 15
  define a connection system class engineering-class permissions all
  define the system connection AC-class idle-timeout 15
  define the connection class AC system class view permissions
  Set connection AC-class permissions see the system configuration

  We use two classes of genius and NOC. One is defined as a read / write and the second read-only. This is in turn then mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the configuration of the interface and add a Ganymede junos-exec service and do not enter the Protocol field. Then, you change the attributes of the user group. I've attached screenshots for both on this subject.

  Hope this helps.

  Derek

• Are there problems with changing the IP address of a system of v5.3 ACS after the initial Setup?

  I'm migrating from ACS v4.2.1 to v5.3.  I want the final v5.3 system to assume the IP address of the machine 4.2 of origin so I don't have to change any configs on network devices.

  Are there problems with the change of the IP address of the system AFTER the initial installation v5.3?

  I tried without problem. I changed the ip address of the WLC several times.

  You must ensure that:

  1-) you change the switchport accordingly to the appropriate vlan if the new ip address belongs to a subnet of a vlan different.

  2-) make sure that all clients AAA configured to use the new IP address of the ACS servers.

  Here is the procedure how to change the ip address of the interface (according to the doc of cisco):

  http://goo.GL/0BYqVT

  I also changed parIP normal address and it works. but of course, the server must be autonomous before doing this step (i.e. no secondary ACSS registered to him and he is not on the other ACSS in a distributoin).

  HTH

  Amjad

• Problem with switch Cisco SG300

  Hi guys,.

  I have a problem with switch Cisco SG300-20. After the failure of the switch boots in a kind of mode. It requires

  MAC address and serial number to be entered manually for the device. I tried to find information on this mode, but without success.

  My question is: what is this mode and how to make the start switch in this mode?

  How can I turn on the switch in this mode on purpose if it happens again and I enter the wrong information by accident.

  Thank you

  Hi Aegx, this is a rare case where the switch basically forget his identity. Although the switch is recoverable, it is recommended the switch RMA.

  If you are certain that you have neither taken under warranty, all the information that is asked is on the bottom of the switch sticker. If the thumbnail is is not present you wouldn't able to do this is correct.

  In addition, if you make a typographical error, the switch will have undesirable failures that are permanent, such as the inability to update software.

• Problems with the management of the CSC/Cisco (associated with SSO) site

  Dear friends,

  I came across a problem with single sign - on (SSO) used in the Cisco's Web site and CSC which begins to be more and more awkward:

  1. I visit the CSC and connect you to reply to a thread. Then I start to reply to a message.
  2. In response, I need to consult the technical documentation, guides, configuration or other documents on Cisco's Web site. In another tab in my browser, I visit the Cisco's Web site and do my search/navigation.
  3. At some point, Cisco's Web site acknowledges that I am already connected to the CSC and begins to produce URLs with the /partner/ inside component (for example in the search results). By clicking on this URL causes me be redirected to the page of connection again. This is the first question - why do I have to log in again because I am already connected and SSO is supposed to take care of this?
  4. Well, I re-enter my credentials, get connected, access the necessary document, then I go back to my post on the CSC, finish it and submit it. KABOOM - CCS quickly informs me that I am without permission to perform this action, lose my answer in the process! Logging on to the Web site (as described in step 3) Cisco obviously invalid my current session on CSC! I need to connect again to the SCC (until I do that, she considers me as a guest once again, but when I click on the login link, I suddenly make me connected without enter my credentials) and, well, write again my answer. Sometimes, a part is recoverable, but usually, it is only a small fragment.

  Would it not be possible to correct this behavior? I lost a lot of time my lost rewrite responses.

  Best regards

  Peter

  Hi Peter,.

  I wanted to give you a quick update on the two issues.

  First question:

  We are currently working on a long term and short fix for this problem. Unfortunately the long-term solution will be a drawn out effort as we begin our new data of all content in our heritage Center. The team is currently testing the short-term solution, will keep you posted on the progress that I get more details.

  Second question:

  We currently do analysis of the root causes of this problem and give you updated each week on this issue that deploy us the patch.

  Thanks a lot again for you continued support and patience.

  Sainaba.

• Problem with the Cisco VPN and Vista client

  Hello

  I have an easy VPN server configured on a c2811 and users use the Cisco VPN client. Lately, I have users running Windows Vista 64 bit and I need to know what is the correct version of the vpn client, I have to use and the compatibility problems with the server, I configured.

  Thank you and best regards.

  Cisco VPN Client doesn't have any version that is compatible with Vista 64 bit OS. The only customer that Cisco has released that supports the 64 bit OS's AnyConnect, but it is only supported on the CISCO ASA Appliance