RADIUS does not work on Cisco ACS SE v4.1(1)
Hello
I have a CiscoSecure ACS version 4.1(1) build 23.
I can't configure the Cisco ACS for granular access control on a router. I have a Netopia router that is configured to use RADIUS to authenticate remote telnet connections. The router sends the access request to the Cisco ACS SE RADIUS server, and a sniffer trace on the ACS side shows the request reaching the ACS, but I see no response from the ACS. I have RADIUS authentication working with a Windows 2003 server.
I configured an AAA client and a user on the ACS and used the default group. I use IETF RADIUS. Which attributes should I configure? In Windows, I use Service-Type Framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the logs. It shouldn't be so difficult, but for some reason I can't make it work.
Thanks for any help.
Jutta Kullmann
Jutta,
Good to know it works very well. Please mark this thread as solved so others can benefit from it.
Kind regards
~ JG
Tags: Cisco Security
Similar Questions
-
RADIUS does not populate attribute 4 (NAS-IP-Address)
I'm trying to get a Cisco 3120G configured for RADIUS authentication. I have a lot of other IOS devices with identical configuration lines that work; however, this one gives me a hard time. The RADIUS server policy is keyed on NAS-IP-Address. The AAA and RADIUS configuration is as follows:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
radius-server host 10.x.x.x auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 XXXXXXXXXXXXXX
See the following debug output:
indrc3120a#
000284: 8 Feb 14:05:15.447 PST: RADIUS: Pick NAS IP for you = 0x5992EF4 = 0 cfg_addr = 0.0.0.0 tableid
000285: 8 Feb 14:05:15.447 PST: RADIUS: ustruct sharecount = 1
000286: Feb 8 14:05:15.447 PST: RADIUS: success radius_port_info() = 1 radius_nas_port = 1
000287: Feb 8 14:05:15.447 PST: RADIUS (00000000): send 10.x.x.x:1645 id 1645/8, len 84 access request
000288: Feb 8 14:05:15.447 PST: RADIUS: authenticator 12 5th 7th DF 01 B5 F1 D8 - 40 07 09 76 88 C1 A4 C5
000289: 8 Feb 14:05:15.447 PST: RADIUS: NAS-IP-Address [4] 6 0.0.0.0
000290: 8 Feb 14:05:15.447 PST: RADIUS: NAS-Port [5] 6 2
000291: Feb 8 14:05:15.447 PST: RADIUS: NAS-Port-Type [61] 6 virtual [5]
000292: 8 Feb 14:05:15.447 PST: RADIUS: username [1] 13 "admin_user '.
000293: 8 Feb 14:05:15.447 PST: RADIUS: Calling-Station-Id [31] 15 "10.y.y.y".
000294: 8 Feb 14:05:15.447 PST: RADIUS: User-Password [2] 18 *.
000295: 8 Feb 14:05:15.505 PST: RADIUS: receipt id 1645/8 10.x.x.x:1645, Access-Reject, len 20
000296: 8 Feb 14:05:15.505 PST: RADIUS: authenticator 4th EC 8F AB BB 8th F9 BB - 13 67 56 A3 5F F9 99 94
000297: Feb 8 14:05:15.505 PST: RADIUS: saved the data of permission for the user 5992EF4 to 0
Note the NAS-IP-Address attribute populated as 0.0.0.0.
Another switch with an identical setup returns the following:
tritc3120a#
350554: 8 Feb 14:11:00.916 PST: RADIUS / ENCODE (000155BC): ask "" user name: ".
350555: 8 Feb 14:11:10.605 PST: RADIUS / ENCODE (000155BC): ask "" password: ".
350556: 8 Feb 14:11:14.480 PST: RADIUS/ENCODE (000155BC): orig. component type = EXEC
350557: 8 Feb 14:11:14.480 PST: RADIUS: AAA Attr not supported: interface [170] 4
350558: 8 Feb 14:11:14.480 PST: RADIUS: 74 74 [tt]
350559: 8 Feb 14:11:14.480 PST: RADIUS / ENCODE (000155BC): down the type of service, "radius attribute 6 sur-pour-login-auth server" is disabled
350560: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): Config NAS IP: 0.0.0.0
350561: 8 Feb 14:11:14.480 PST: RADIUS / ENCODE (000155BC): acct_session_id: 87482
350562: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): send
350563: 8 Feb 14:11:14.480 PST: RADIUS/ENCODE: Best 10.x.x.x address IP Local to the 10.y.y.y Radius Server
350564: 8 Feb 14:11:14.480 PST: RADIUS (000155BC): send 10.y.y.y:1645 id 1645/222, len 90 access request
350565: 8 Feb 14:11:14.480 PST: RADIUS: authenticator 5F B1 17 DF 72 4B 3D - B6 D8 5 85 66 B9 8 d 7 c A6
350566: 8 Feb 14:11:14.480 PST: RADIUS: username [1] 13 "admin_user '.
350567: 8 Feb 14:11:14.480 PST: RADIUS: User-Password [2] 18 *.
350568: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port [5] 6 2
350569: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port-Id [87] 6 'tty2 '.
350570: 8 Feb 14:11:14.480 PST: RADIUS: NAS-Port-Type [61] 6 virtual [5]
350571: 8 Feb 14:11:14.480 PST: RADIUS: Calling-Station-Id [31] 15 "10.z.z.z".
350572: 8 Feb 14:11:14.480 PST: RADIUS: NAS-IP-Address [4] 6 1.2.3.4
350573: 8 Feb 14:11:14.556 PST: RADIUS: receipt id 1645/222 10.y.y.y:1645, Access-Accept, len 83
350574: 8 Feb 14:11:14.556 PST: RADIUS: authenticator 24 D9 F9 E2 BB A3 66 F6 - 73 E8 5 42 8 A5 17 DA
350575: 8 Feb 14:11:14.556 PST: RADIUS: Type of Service [6] 6 Administrative [6]
350576: 8 Feb 14:11:14.556 PST: RADIUS: [25] in class 32
350577: 8 Feb 14:11:14.556 PST: RADIUS: 59 B1 6 06 00 00 01 37 00 01 0a 1st DC 18 01 CB C7 B8 D7 82 CA E2 00 00 00 00 00 00 00 0b [Ym7]
350578: 8 Feb 14:11:14.556 PST: RADIUS: seller, Cisco [26] 25
350579: 8 Feb 14:11:14.556 PST: RADIUS: Cisco-AVpair [1] 19 "shell: priv-lvl = 15.
350580: 8 Feb 14:11:14.556 PST: RADIUS (000155BC): receipt of id 1645/222
Note that in the above example, the NAS-IP-Address is populated properly (I just changed it for security reasons).
If anyone has any advice, it would be greatly appreciated. Does the switch need a reboot? Or a restart of the RADIUS server process?
Thank you
Seems to be a bug:
CSCdx27019: RADIUS Access-Request packet sent by CSS contains no NAS information
The Cisco ACS NAR (Network Access Restriction) feature with RADIUS does not work with CSS. This is because the RADIUS NAS-IP-Address attribute is set to 0.0.0.0 in the RADIUS authentication request.
Rgds, jousset
Rate the helpful posts.
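To make the failure mode above concrete, here is an added example (not from the thread or from Cisco) that builds and decodes RADIUS packets carrying the same attributes the debug shows, and flags an Access-Request whose NAS-IP-Address is 0.0.0.0, which is exactly what a NAS-IP-keyed policy cannot match. It also decodes the Access-Accept's Service-Type and Cisco-AVpair, the per-session authorization that the Nortel RADIUS authorization thread further down this page relies on. The authenticator bytes, Calling-Station-Id, password bytes and packet identifiers are constructed placeholders; vendor id 9 is Cisco's IANA enterprise number.

```python
"""Decode RADIUS Access-Request / Access-Accept packets and flag a NAS-IP-Address of 0.0.0.0.
Constructed example: the packets are built locally, not taken from a real capture."""
import struct
from ipaddress import IPv4Address

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 25: "Class", 26: "Vendor-Specific",
              31: "Calling-Station-Id", 61: "NAS-Port-Type", 87: "NAS-Port-Id"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}
CISCO_VENDOR_ID = 9  # IANA enterprise number behind "Vendor, Cisco [26]" in the debug above


def encode_attr(atype, value):
    """One Type-Length-Value attribute (RFC 2865 section 5); Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Vendor-Specific (26): 4-byte Vendor-Id, then a vendor TLV with vendor type 1 = Cisco-AVpair."""
    payload = text.encode()
    return encode_attr(26, struct.pack("!IBB", CISCO_VENDOR_ID, 1, len(payload) + 2) + payload)


def build_packet(code, ident, authenticator, attrs):
    """Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_value(atype, value):
    if atype == 4:
        return str(IPv4Address(value))            # raises unless the value is exactly 4 bytes
    if atype in (1, 31, 87):
        return value.decode(errors="replace")
    if atype in (5, 61):
        return struct.unpack("!I", value)[0]
    if atype == 6:
        return SERVICE_TYPES.get(struct.unpack("!I", value)[0], "unknown")
    if atype == 26:
        if len(value) < 6:
            raise ValueError("vendor-specific attribute too short")
        vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
        if vlen < 2 or 4 + vlen > len(value):
            raise ValueError("vendor attribute length out of bounds")
        return (vendor, vtype, value[6:4 + vlen].decode(errors="replace"))
    return value                                   # User-Password and Class stay opaque bytes


def parse_packet(data):
    """Return {'code', 'id', 'attrs'}; every length field is bounds-checked so a truncated
    or malformed packet raises ValueError instead of being silently mis-read."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"),
                      decode_value(atype, data[pos + 2:pos + alen])))
        pos += alen
    return {"code": CODE_NAMES.get(code, f"Code-{code}"), "id": ident, "attrs": attrs}


def audit_request(parsed):
    """Findings for a server whose policy is keyed on NAS-IP-Address, as in the thread above."""
    nas_ips = [v for name, v in parsed["attrs"] if name == "NAS-IP-Address"]
    if not nas_ips:
        return ["NAS-IP-Address (4) missing: a NAS-IP-based policy cannot match"]
    if nas_ips[0] == "0.0.0.0":
        return ["NAS-IP-Address is 0.0.0.0: the NAS did not fill in its address, "
                "so a NAS-IP-based policy rejects the request"]
    return []


def sample_request(nas_ip):
    """Constructed Access-Request mirroring the attribute list in the switch debug."""
    return build_packet(1, 8, bytes(range(16)), [
        encode_attr(4, IPv4Address(nas_ip).packed),
        encode_attr(5, struct.pack("!I", 2)),                # NAS-Port = 2
        encode_attr(61, struct.pack("!I", 5)),               # NAS-Port-Type = Virtual
        encode_attr(1, b"admin_user"),
        encode_attr(31, b"10.0.0.10"),                       # constructed Calling-Station-Id
        encode_attr(2, b"\x00" * 16),                        # obfuscated User-Password placeholder
    ])


def sample_accept():
    """Constructed Access-Accept like the one the working switch received."""
    return build_packet(2, 222, bytes(range(16, 32)), [
        encode_attr(6, struct.pack("!I", 6)),                # Service-Type = Administrative
        encode_cisco_avpair("shell:priv-lvl=15"),
    ])


if __name__ == "__main__":
    for pkt in (sample_request("0.0.0.0"), sample_request("10.0.0.1"), sample_accept()):
        parsed = parse_packet(pkt)
        findings = audit_request(parsed) if parsed["code"] == "Access-Request" else []
        print(parsed["code"], parsed["attrs"], findings)
```

Run against a real capture, the same parser would let you confirm from the wire which of the two switches above is sending 0.0.0.0 before touching the switch configuration.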
-
Hello!
I want to set up a backup schedule. According to the user's guide:
You can create a scheduled backup for the primary instance. To create, duplicate or modify a scheduled
backup:
Step 1 Choose System Administration > Operations > Scheduled Backups.
But System Administration > Operations > Scheduled Backups does not appear in ACS 5.0.0.21.
How can I back up?
Hi Alexander,
Could you please confirm from which link you got these instructions?
It seems that these are the instructions from the ACS 5.1 user's guide, but we do not have a similar option on ACS 5.0.
Kind regards
Fede
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
The CPL script does not work on Cisco Expressway-E
Hello
I am trying to upload a script to block all PSTN calls hitting the Expressway-E in order to avoid any misuse; however, the script does not take effect.
The script is attached; please let me know if something is missing.
It is uploaded manually to the Expressway-E.
I checked several posts on CSC and it seems necessary to create it manually and upload it rather than going through the GUI.
For me neither works, and the call goes through Expressway-C and CUCM.
I want to block the call at the Expressway-E itself when an unauthenticated or unknown user sends a PSTN call starting with 9 or +.
Kind regards
RACLOT
You need to have something in the origin field; leaving it empty will only match calls that actually have an empty origin field.
An alternative to using a source address that is supposed to be matched is to specify the zone the call comes through; in this case, because it is an external call entering the Expressway-E, the call will come from the Default Zone.
Replace:
unauthenticated-origin=""
With:
originating-zone="DefaultZone"
-
'CSLog' service does not start on ACS 4.2.1
Hello
I recently installed ACS 4.2.1 with patches 4.2.1.15.1 and 4.2.1.15.2 on a Win 2003 R2 Std SP2 edition.
Can't start the CSLog service.
Whenever I restart, the following message is displayed in the Event Viewer:
(Note that I have the same problem on another WIN 2003 Std SP1 machine.)
Could you please help me?
Thank you
Michel Misonne
Event type: error
Event source: ACECLIENT
Event category: (1).
Event ID: 1001
Date: 11/04/2010
Time: 18:10:38
User: n/a
Computer: FP9S00180048
Description:
The description for event ID (1001) in Source (ACECLIENT) cannot be found. The local computer may not have the information necessary registry or message DLL files to display messages from a remote computer. You may be able to use the option/auxsource = flag to retrieve this description; For more information, see Help and Support. The following information is part of the event: C:\WINNT\system32\sdconf.rec.
Data:
0000: 00 00 00 00...
This is a known issue with 4.2.1; if you are not using the RSA feature you can ignore this message.
However, if CSLog cannot be started, could you try restarting the ACS services,
and also see if a reboot of the Windows server helps.
-
Skinning - border-radius does not work in IE8 / IE7
Hello
JDev version: 11.1.1.5.
I styled my command button with border-radius. The curved edges do not appear in Internet Explorer 7 / 8.
IE9, Chrome and Firefox render them properly.
My CSS code...
af|commandButton.testButton { background-color: Black; color: White; width: 85px; height: 30px; font-family: Calibri; font-size: larger; border-radius: 10px; behavior: url(PIE.htc); }
I got line 10 from http://css3pie.com/about/
But no luck. Can someone help me?
Thank you
SAIF.
Question: have you installed PIE on IE?
Or have you just copied line 10?
You need to install the PIE extension and hope it works; see CSS3 PIE: CSS3 decorations for IE
Timo.
-
Cisco suggested cable does not fit? (Cisco AIR-BR1310G-A-K9-R and AIR-ANT24120)
Hello
I bought 3 Cisco Aironet 1310 Outdoor Access Point/Bridge wireless access points (AIR-BR1310G-A-K9-R) and 3 Cisco Aironet 2.4 GHz 12 dBi Omni Mast Mount antennas w/RP-TNC connector (AIR-ANT24120). But the antenna cable is very short (1 ft), so I need an extra cable. I read the documentation and it said AIR-CAB020LL-R is the suggested cable for the ANT24120. But when I look at pictures of this cable I see it has RP-TNC female on both ends.
The access point has a male antenna connector and the ANT24120 a female one. So how can I connect these two sides (M/F) with a cable that has two female ends (F/F)? I'm so confused. Can you please suggest a cable to connect this access point to this antenna? Thank you very much.
Hi Bulent,
This cable has 1 female and 1 male connector.
AIR-CAB020LL-R: 20 ft low-loss interconnect cable, one RP-TNC plug,
one RP-TNC jack. AIR-CAB020LL-R / AIR-CAB050LL-R:
These are LMR-400 style cables with reverse-polarity TNC plug connectors at one end and reverse-polarity TNC jack connectors at the other end.
Cheers!
Rob
-
Why do some layers not give me the Blending Mode options?
As you can see, my Null and footage layers have the ability to change the blending mode, but none of the other layers do. What is the problem?
You have duplicate posts, so I'll only answer this one. It is very likely that you are using the Ray-traced 3D renderer in the composition settings. We would know if you had included a full screenshot. The Ray-traced 3D renderer does not support blending modes on 3D layers.
-
Cisco ACS 4.1 - user profile changes
There is no option in the Cisco ACS 4.1 Solution Engine where we can specify the option "user must change password at next logon" as there used to be in Cisco ACS 3.x.
Is it possible for the same functionality to be enabled on Cisco ACS 4.1?
Regards
Sohail Sarwar
Hello
That option does not exist in ACS 4.x.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
RADIUS authorization does not work for Nortel switches via ACS 5.3
Hello
RADIUS authorization does not work on the Nortel switches. I configured the relevant access policies for the RADIUS attributes (screenshot attached).
Command not executed due to authorization failure:
config cli password rwa
I do not see a RADIUS authorization reports option; just checking whether someone has figured out how to set up these reports?
I made a packet capture of the AAA packets from the Nortel switch and found that the accounting request contains the CLI command sent for authorization (pcap file attached).
Kind regards
Akhtar
Akhtar,
This isn't how RADIUS authorization works. The Access-Accept and the AV-pairs that are sent in the response are the authorization for the user's session. This isn't like TACACS+, where each command is authorized with a separate authorization request carrying the command that the client is running.
When it comes to RADIUS, accounting isn't too late in the process.
Thank you
Tarik admani
-
ACS database replication does not work after changing the secondary ACS IP
Hello. I have 2 ACS 3.1 servers: ACS01 (primary) & ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.
When we run database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.
Any idea what the problem can be?
Consider these points when you implement the CiscoSecure database replication feature:
(1) ACS supports database replication only to other ACS servers. All ACS servers participating in CiscoSecure database replication must run the same version and patch level of ACS.
(2) The primary server copies the compressed and encrypted database components to the secondary server. This transmission is done over a TCP connection, port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.
(3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, it is displayed for selection as a secondary server in the AAA servers list under Replication Partners, on the CiscoSecure Database Replication page.
(4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.
(5) Replication to secondary servers takes place sequentially in the order listed in the replication list under Replication Partners, on the CiscoSecure Database Replication page.
(6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.
(7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its own replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects the components.
(8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the Cisco Secure ACS Database Command-Line Utility document.
-
ACS secondary server does not authenticate users through 3850 WLC
Hi - I have an issue where my secondary ACS server does not authenticate users when the primary is taken offline. My configuration is:
3850 WLC running code version 03.07.00E
ACS version 5.6 (primary/secondary)
Both ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also in the method list (ACS_AUTH). The ACS_AUTH method list is then applied to the SSID.
A 'test aaa group ACS_AUTH' command for both ACS servers results in access accept. IP/RADIUS communication is operational between the WLC and both ACS servers.
The 3850 configuration is also attached for reference.
Any help would be appreciated.
Thank you
Scott
Please add the commands listed below and test again when you can.
radius-server deadtime <minutes>
radius-server retransmit 1
radius-server dead-criteria time 5 tries 1
Configuring settings for all RADIUS servers
HTH
~ Jousset
-
ACS v4.1.1(23) password aging via SSH does not work.
Hello, my name is Elias and I have problems with ACS password aging via SSH not working: no password messages are sent by the ACS to the console when I use SSH for aging. I know that there are problems with this, but I can't find any workaround or documentation that says there is no workaround. Can you help me with this?
Greetings from the King.
Hi Elias,
SSHv1 does not support password aging as you can do in telnet. You must be
running a version of IOS which supports SSHv2.
The following page explains which versions support this:
http://www.Cisco.com/en/us/partner/products/SW/iosswrel/ps5207/products_feature_guide09186a00802045dc.html
Rgds,
somishra
-
Cisco port forwarding does not work
Dear experts, I have a production firewall (Cisco PIX 515E 6.3(1)) and I have set it up to allow access from the outside to a server (SSH only).
The server is 10.0.5.200.
The external IP is a.b.c.d. (Should I use the IP address of the FW outside interface?)
Here's the sanitized output:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 provider security4
nameif ethernet3 dmz security99
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
ip address outside a.b.c.d 255.255.255.240
ip address inside 10.0.1.254 255.255.255.0
ip address provider X.X.X.X 255.255.255.0
ip address dmz X.X.X.X 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 192.43.244.18 source outside prefer
ntp server 128.102.16.2 source outside
http server enable
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto
interface ethernet3 100full
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 provider security4
nameif ethernet3 dmz security99
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
enable password XXXXXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXXXXXXXX encrypted
access-list outside_access_in permit ip any any
access-list outside-access permit icmp any any
access-list DMZ_access_in permit icmp any any
ip address outside a.b.c.d 255.255.255.240
ip address inside 10.0.1.254 255.255.255.0
ip address provider X.X.X.X 255.255.255.0
ip address dmz X.X.X.X 255.255.255.0
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list sheep
nat (inside) 1 10.0.1.0 255.255.255.0 0 0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 192.43.244.18 source outside prefer
ntp server 128.102.16.2 source outside
http server enable
The following are the commands that I added:
static (inside,outside) tcp a.b.c.d 2022 10.0.5.200 ssh netmask 255.255.255.255 0 0
access-list 100 permit tcp any host a.b.c.d eq 2022
access-list 101 permit tcp host 10.0.5.200 eq 22 any
access-group 100 in interface outside
access-group 101 in interface inside
When accessing from the WAN, I used PuTTY SSH on port 2022 to the a.b.c.d IP and it gave me timeouts. I used:
capture capo access-list 100 interface outside
The results were (as far as I can remember, as I am not on site):
My WAN IP-> a.b.c.d (R)
My WAN IP-> a.b.c.d (S)
My WAN IP-> a.b.c.d (S)
My WAN IP-> a.b.c.d (S)
Access to the server on the internal LAN is fine and I can reach port 22 on the server from the local network. (Note: there is an L3 switch in the environment and the inside IP segments are 10.0.1.0/24 and 10.0.5.0/24, both routable.)
This is what I have done so far and I would like more ideas on this issue that I am currently facing. Thanks!
Hello
The static PAT (port forward) configuration seems correct to me.
If you use the IP address of the 'outside' interface you would generally configure the 'interface' parameter, and not the IP address:
static (inside,outside) tcp interface 2022 10.0.5.200 22 netmask 255.255.255.255
Of course, if you can/want to reserve a public IP address for this server only, you could configure static NAT:
static (inside,outside) <public IP> 10.0.5.200 netmask 255.255.255.255
That would essentially bind those 2 IP addresses, and you can allow the services that are needed for the server in question. Naturally, you will also need to allow traffic to the new public IP address in the external ACL.
But it should also work with your configuration. Whether you want to use the interface IP address or a separate public IP is up to you.
If you are missing the 'route' to the 10.0.5.0/24 subnet in your PIX configuration, then that is an obvious reason why the server is inaccessible from the Internet. So I would start by adding the necessary 'route' and retest. If it still does not work, it would be good to verify that the routing between the server and the PIX is fine: for example, that there is a route from the PIX to the server, and that the server has a default route that carries traffic to the PIX.
Hope this helps
-Jouni
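As an added check (example code, not from the thread or from Cisco), the following script parses the 'ip address', 'route' and 'static' lines of a PIX 6.x configuration and reports whether the real host behind each static sits on a connected subnet or is covered by a route on that interface, which is the gap Jouni points at: the inside interface is 10.0.1.0/24 but the server is in 10.0.5.0/24, so without a route the PIX has no path back to it. The addresses, the ACL lines and the 10.0.1.1 next hop standing in for the L3 switch are constructed placeholders.

```python
"""Check that the real host behind each PIX 'static' is reachable on the PIX's own routing
(connected subnet or configured route). Constructed example; all addresses are placeholders."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def parse_pix(config_text):
    """Collect interface subnets, 'route' entries and the real host of each 'static'."""
    ifaces, routes, statics = {}, [], []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) >= 5 and tokens[:2] == ["ip", "address"]:
            # ip address <if_name> <ip> <mask>
            ifaces[tokens[2]] = IPv4Interface(f"{tokens[3]}/{tokens[4]}").network
        elif len(tokens) >= 5 and tokens[0] == "route":
            # route <if_name> <network> <mask> <gateway> [metric]
            routes.append((tokens[1], IPv4Network(f"{tokens[2]}/{tokens[3]}", strict=False),
                           IPv4Address(tokens[4])))
        elif len(tokens) >= 4 and tokens[0] == "static":
            # static (real_if,mapped_if) [tcp|udp] <mapped> [<mapped_port>] <real> [<real_port>] ...
            real_if = tokens[1].strip("()").split(",")[0]
            real_host = tokens[5] if tokens[2] in ("tcp", "udp") else tokens[3]
            statics.append((real_if, IPv4Address(real_host)))
    return ifaces, routes, statics


def path_for(host, ifname, ifaces, routes):
    """Explain how the PIX would forward to 'host' out of 'ifname'; the most specific route wins."""
    net = ifaces.get(ifname)
    if net is not None and host in net:
        return True, f"directly connected on {ifname} ({net})"
    candidates = [(r_net, gw) for r_if, r_net, gw in routes if r_if == ifname and host in r_net]
    if candidates:
        r_net, gw = max(candidates, key=lambda c: c[0].prefixlen)
        return True, f"via route {r_net} on {ifname}, next hop {gw}"
    return False, f"no connected subnet or route on {ifname} covers {host}"


def check_statics(config_text):
    """Map each static's real host to (reachable, reason)."""
    ifaces, routes, statics = parse_pix(config_text)
    return {str(host): path_for(host, ifname, ifaces, routes) for ifname, host in statics}


# Constructed config modelled on the thread: inside is 10.0.1.0/24, the server is in 10.0.5.0/24.
BASE_CONFIG = """\
ip address outside 203.0.113.2 255.255.255.240
ip address inside 10.0.1.254 255.255.255.0
static (inside,outside) tcp interface 2022 10.0.5.200 ssh netmask 255.255.255.255 0 0
access-list 100 permit tcp any host 203.0.113.2 eq 2022
access-group 100 in interface outside
"""
# Assumed fix: the inside L3 switch (placeholder 10.0.1.1) is the next hop for 10.0.5.0/24.
FIXED_CONFIG = BASE_CONFIG + "route inside 10.0.5.0 255.255.255.0 10.0.1.1 1\n"

if __name__ == "__main__":
    for label, cfg in (("before", BASE_CONFIG), ("after", FIXED_CONFIG)):
        for host, (ok, why) in check_statics(cfg).items():
            print(f"{label}: {host}: {'OK' if ok else 'UNREACHABLE'} ({why})")
```

The check only covers the PIX side; as the answer notes, the server still needs a default route back through the L3 switch to the PIX for the return traffic.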
-
ACS 5.1 - command line filters do not work in config mode
Hello
I am trying to set up filters to deny sniffer-related CLI commands from being entered. I have set up a command set and applied it to an authorization policy. The command filter works great for commands in privileged mode. However, the filter does not work for any command that is entered in configuration mode.
I have a command set that denies the following, for a test setup:
show clock
terminal length
show monitor
remote-span
monitor session
The first three commands are entered from the initial privileged mode and they are denied by the ACS. The last two commands can be entered in config mode and the ACS does not stop their entry.
I have attached two screenshots that show the command set configuration on the ACS and a terminal session showing which commands are filtered and which are let through.
Has anyone encountered this problem? Is there something else I should be adding to the command set? Is this a bug?
There is a bug on the Cisco site that relates to command filters:
I don't know if this bug applies to this issue because there is so little information on it. In addition, if it does, I don't understand the workaround enough to apply it to this situation.
Any advice would be greatly appreciated. (ACS Version 5.1.0.44.2)
Cheers, Dave
Do you have authorization for configuration mode enabled on the router?
If not, add:
aaa authorization config-commands
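For context on that one-line answer, here is an added IOS configuration fragment (not from the thread or from Cisco) showing where aaa authorization config-commands sits: on its own it does nothing unless command authorization for the relevant privilege levels is already sent to the TACACS+ server, and the config-commands line is what extends that authorization to commands typed in configuration mode. It assumes the TACACS+ server is already defined, the default method list is in use, and the ACS command set is applied to the shell profile; those are assumptions, not taken from the thread.

```text
! assumed: tacacs-server host / key already configured
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! per-command authorization for enable-mode commands (privilege 1 and 15)
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! without this line, commands entered in (config) mode are not sent to the server at all
aaa authorization config-commands
```

After adding it, re-run the terminal test from the question: the config-mode commands should now appear in the ACS authorization log with the deny result, which is the quickest confirmation that they are reaching the server.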