Secondary ACS does not authenticate

I installed a secondary ACS; database replication works correctly.

But when I try to use the secondary ACS server to authenticate users, authentication does not succeed.

In Reports and Activity on the secondary ACS, nothing appears.

On the primary ACS, in Failed Attempts, I see an "Unknown NAS" for the IP address of the secondary ACS; it seems the secondary only tries to use the primary to authenticate...

Where am I wrong?

Thank you

Daniele

Hi Daniele,

It is because of the proxy setting on the secondary ACS. On the secondary ACS go to ACS --> Network Configuration --> Proxy Distribution Table --> put your secondary ACS in the Forward To box.

That should fix it.

Kind regards

~ JG

Rate useful posts

Tags: Cisco Security

Similar Questions

  • Secondary ACS server does not authenticate users through 3850 WLC

    Hi - I have an issue where my secondary ACS server does not authenticate users when the primary is taken offline. My configuration is:

    3850 WLC running code version 03.07.00E

    ACS Version 5.6 (primary/secondary)

    Both ACS servers are added to the WLC (ACS-NLBP-01 (primary) / HEN-ACS-01 (secondary)), defined in the server group (ACS_AUTH) and also in the method list (ACS_AUTH). The ACS_AUTH method list is then applied to the SSID.

    A 'test aaa group ACS_AUTH' command for both ACS servers results in an access accept. IP/RADIUS communication is working between the WLC and both ACS servers.

    The 3850 configuration is also attached for reference.

    Any help would be appreciated.

    Thank you

    Scott

    Please add the commands listed below and test again when you can.

    radius-server deadtime $min$
    radius-server retransmit 1
    radius-server dead-criteria time 5 tries 1

    Configuring settings for all RADIUS servers

    HTH

    ~ Jousset

  • Secondary ACS does not authenticate

    I have 2 ACS 1113 appliances running 4.1 Build 24(1). The first is the primary and replicates nightly to the secondary at our DR site. Although in different locations, they are both in the same VLAN with no firewalls or access lists in between. All my devices authenticate with my primary ACS unless it is down, in which case they must authenticate to the secondary ACS. The problem is that I have no problem authenticating to my primary ACS, but I can't get anything to authenticate to my secondary (after taking the primary down to test). When trying to authenticate to my secondary, I get no log of a successful or failed authentication after my attempts fail. In addition, while my attempts are failing, I try to log into devices locally and my authorization fails - again with no log on the ACS. However, when I remove the device from the NDG on the secondary ACS, I'm able to log on locally to the network device.

    I believe that with the device in the NDG within the ACS, there is some communication blocking my attempts (although it does not log anything), since I can take the device out of that NDG and local authentication goes through. I was running code 4.0 with the same issue and thought that the upgrade would fix the problem... but obviously I have something else to do here.

    Any comments or suggestions would be greatly appreciated.

    Do this on the secondary ACS.

    ACS ---> Network Configuration ===> Proxy Distribution Table ---> click Default ===> if you see an AAA server under Forward To ---> drag it to 'Prior To' ---> then drag the AAA server that belongs under Forward To there --> Submit + Apply.

    It should work now.

    If you do not see the Proxy Distribution option then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable the distributed system option.

    That should fix it.

    Kind regards

    ~ JG

    Rate useful posts

  • Satellite 1110: Secondary display does not work

    I have a Satellite 1110.
    Connecting a second monitor - does not work.
    The settings are correct in that, when you move the mouse off the laptop screen, it goes onto the secondary monitor - but this monitor is blank.
    Tried all the normal things - does the monitor work? Yes, etc.
    I'm running XP Professional. Could it be corrupted, or is it more likely something to do with my laptop?

    Please someone help - new monitor for Christmas - just can't make it work

    Thank you

    Hello Nick

    According to your description, you can't say that the second display doesn't work. Of course, you have activated the option called "Extend my Windows desktop onto this monitor". In this case, you can move all windows from the laptop screen to the external monitor.

    If you work with several different windows this way, your work will be more comfortable. I assume that you don't want this, and it would be interesting to know how you want to use the secondary display:
    -secondary display only
    -or both with the same view?

    Remove the extend option, use the FN + F5 key combination and choose the display to use.

    Bye

  • HP 6450b HARD drive in secondary bay does not work

    I bought a HARD drive caddy to mount an expansion drive in my HP 6450b (Win 10) using the SATA DVD ROM connection.

    First, the HARD drive with the OS is a WD 250 GB SATA 2 3 Gb/s.

    I looked at my product tech spec and I chose a Seagate 500 GB SATA 3 6 Gbps HARD drive to put in the caddy as a secondary HARD drive.

    I mounted the caddy with the new HARD drive, but it does not work: initially the laptop's green light turns on, but it does not boot. Without any error message, after a few seconds the LED becomes yellow and green for some time, and after that the PC turns off.

    When I take out the caddy with the secondary HARD disk, the OS starts correctly.

    I read similar posts in the forum and I have:

    (1) checked the BIOS option that enables the secondary HARD drive (in FACT, it is enabled)

    (2) turned off booting from the secondary HARD disk (DONE)

    (3) tested the HARD drive (in FACT, it's OK)

    I tried to set the SATA speed to 3 Gb/s in the BIOS, but I can't find the option. I see that someone has done this.

    What could the problem be?

    I also think it could be a problem with drivers to support the new secondary HARD drive, but I don't know what to do.

    Is there someone who could help me?

    Thank you

    Andrea

    Andrea_Mogni wrote:

    New test: the PC does not start if I put in the caddy without a hard drive.

    I think this is proof that the problem is my caddy.

    I would also come to this conclusion. Request an RMA number for that one and find another brand.

  • Exchange account does not authenticate to the Exchange server with a domain user on a Surface 3 Pro running Windows 8.1

    Hello

    We recently bought a Surface 3 Pro from our supplier that has Windows 8.1 pre-installed (OEM). I set up a local user account with local administrator rights, did Windows updates, also activated the local administrator account and then added the device to our domain, but I cannot set up Exchange on the domain user account. I also gave this domain user local administrator rights, but it does not check the name on the Exchange server. It makes the connection to the network and does the name lookup, but it will not connect to the server. I tried to configure it manually, but no luck. When I set up this same domain account under a local user with administrator rights, it works very well. I have done this several times on Windows 7 and never had any problems. Has anyone encountered this problem? Help please.

    Thank you!

    Hello

    Thanks for posting in the Microsoft Community.

    As you said you are trying to connect to the domain network, we have a dedicated team with advanced tools and permissions to help with such issues.

    I suggest you post your query in the TechNet forum for better support.

    https://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    Let us know if you have other questions about Windows in the future. We will be happy to help you.

    Thank you.

  • Secondary display does not connect

    Hello everyone

    I have trouble getting a secondary display to work. The setup worked well on an older Mac Pro until it died.

    Now we use a mid-2012 Mac Pro, which uses a DVI output for the main monitor. The secondary display is sent from a Thunderbolt port through a Mini DisplayPort to HDMI converter to an HDMI transmitter, then down one level over Ethernet to a receiver, which converts it back to HDMI for a TV.

    Whenever I connect the Mini DisplayPort converter to the Thunderbolt port, the computer behaves as if it's trying to connect, flashing and switching back and forth between 1 and 2 screens. It just keeps going black, showing a black desktop, then two desktops, and so on until I disconnect the Mini DisplayPort converter.

    Anyone have any ideas why? The setup worked well on the previous computer, a 2006 Mac Pro, using DVI to HDMI instead of Mini DisplayPort to HDMI. I also tried using the DVI port on the new one, with the same result.

    Thank you!

    The Mac requires the display to answer an initial query with its name and capabilities.

    No answer = no image.

    HDMI is for TVs, so your converter box may not have implemented the secondary channel required to connect to a computer, or the ability to respond on it.

  • Installing certificates for EAP-TLS on ACS does not work

    Hi all

    I have two problems.

    I generated a CSR on the ACS and sent it to my Windows people, and they issued me a certificate for the ACS. Cool.

    I go to the ACS to upload it and I'm asked for a 'private key file'?

    What is this file? And where can I get one? Is it that long string of characters that generating the CSR produced, which I sent to the Windows guys?

    Also, I managed to just put any old rubbish in there, and I was surprised it accepted it.

    Restarted the service and I tried to turn on EAP-TLS on the "Global Authentication Configuration" page, only to get the message

    Could not initialize PEAP or EAP-TLS authentication because the

    certificate is not installed. Install the CA using the ACS

    "CA Configuration" page

    Now I'm a little confused, because maybe I have set up the ACS incorrectly, due to my lack of understanding of what this private key file is and how it relates to all of this?

    Thanks a lot indeed.

    Ken

    I'm having the same problem. It seems the Windows guys have to generate a cert that is exportable, which also provides the private key file. I tried the following document without success. It may work for you, however: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

    I also tried having the ACS generate a self-signed certificate, and that works. But on the client, you must uncheck the "validate server certificate" box because the ACS is not a trusted certificate server. Right now I'm trying to understand how to get AD to publish the ACS as a trusted cert server so Windows knows to trust the ACS's cert. Through all this, I found that you can configure it in several ways; the hardest part is finding a way that works for you.
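    The confusion in this thread is about what the "private key file" is and why a cert issued elsewhere must match it. Below is an added example (not code from the thread or from Cisco) that walks the same flow with openssl: the key and CSR are generated locally, a throwaway CA stands in for the Windows CA, and two checks are run: that the issued certificate belongs to the private key that produced the CSR, and that the certificate chains to the issuing CA (the check a supplicant does with "validate server certificate" ticked, which is why a self-signed ACS cert fails there until its issuer is trusted). File names, the subjects and the work directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Reproduces the CSR flow with
# openssl and checks that the issued cert matches the local private key.
# File names, subjects and WORK are assumed/constructed for this example.

WORK="${WORK:-$(mktemp -d)}"

# Step 1: key pair + CSR. The private key never leaves this host; only the
# CSR (the "long string of characters") goes to the CA.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=acs.example.test" \
        -keyout "$WORK/acs.key" -out "$WORK/acs.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR. A constructed self-signed CA stands in for
# the Windows CA so the example runs offline.
issue_cert() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -days 1 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$WORK/acs.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/acs.crt" 2>/dev/null
}

# Check A: does the certificate belong to this private key? Compare the
# public key embedded in the cert with the one derived from the key file.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Check B: does the server cert chain to the given CA cert? This is what the
# client does when "validate server certificate" is enabled.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = "run" ]; then
    make_key_and_csr && issue_cert || exit 1
    cert_matches_key "$WORK/acs.crt" "$WORK/acs.key" && echo "cert matches key"
    cert_chains_to_ca "$WORK/ca.crt" "$WORK/acs.crt" && echo "cert chains to CA"
fi
```

    If check A fails, the certificate was issued for a different key (for example a CSR generated on another machine), and no amount of re-installing will make ACS accept the pair; if check B fails on the client, the issuing CA certificate has to be distributed to the supplicants before "validate server certificate" can stay enabled.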

  • ACS 5.2 does not detect Active Directory changes

    Hi all

    I work with ACS 5.2 and use RADIUS authentication for VPN clients.

    The authentication method used is Active Directory, in a Windows environment with multiple domains in the same forest.

    My problem occurs when I move a user from one group to another in Active Directory. After that, I get the following message when trying to connect:

    15039 selected authorization profile is DenyAccess

    The message corresponds to the default policy.

    Another user in the same AD group works fine.

    All domains in the forest have a trust relationship between them.

    I use universal groups to include all domain users belonging to this forest.

    Can someone help me?

    Regards

    What is your authentication rule matching against: a single AD group?

    You can check which groups were retrieved for the user, as follows:

    -Go to "Monitoring and Troubleshooting"

    -Select Authentications - RADIUS - Today

    -Find the entry that does not match and click on the Details icon

    -Expand the "Authentication Details" section. Look under "Other Attributes" for the groups retrieved from AD for the user

  • ACS 5.3 - command sets do not work

    We installed ACS 5.3 on VMware (CentOS), and a Cisco router is configured to authenticate to this TACACS+ server.

    I am able to log in to the router using the username/password specified in TACACS+, and I can also see hits in the policy, as below.

    But the command sets do not work as defined; please help me find the problem...

    #  Name                Identity Group               NDG:Location   NDG:Device Type   Time And Date  Command Sets            Shell Profile  Hit Count
    1  RO ACCESS           All Groups:READ ONLY ACCESS  All Locations  All Device Types  -ANY-          READ ONLY POLICY        RO SHELL       10
    2  RESTRICTED ACCESS   All Groups:SELECT ACCESS     All Locations  All Device Types  -ANY-          RESTRICTED USER POLICY  Allow Access   1
    3  SUPER ADMIN ACCESS  All Groups:FULL ACCESS       All Locations  All Device Types  -ANY-          ALLOW ALL POLICIES      Allow Access   0

    How have you set up your command sets? Also make sure that you have the authorization commands on the router:

    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands

    Kind regards

    ~ JG

    Rate useful posts

  • cfldap does not authenticate

    I use our company LDAP server to authenticate users to an intranet site. There are currently 5 different ADs that a user might belong to. Long story short, our business is streamlining to a single AD. Thus, they deployed a test server that I am trying to authenticate against. I am able to authenticate using Microsoft's LDP, so I know that my credentials are good. I am also able to authenticate to the current LDAP servers using cfldap, but for some reason I get the message "Inappropriate authentication" when trying to authenticate to the new test server. Here is my tag:

    <cfldap action="query"
        name="qryLDAP"
        scope="base"
        server="test.domain.com"
        start="dc=test,dc=domain,dc=com"
        attributes="cn"
        filter="(CN=Users)"
        username="uid"
        password="pwd">

    I replaced the real DN info with generic values for the sake of this post. Same thing with the username and password.

    Any idea why I can authenticate using Microsoft's LDP and not with cfldap?

    Thank you!

    Okay, that was a doh!

    Since this is a test server that they put in place, my AD account was replicated, so the password was different. Unfortunately, they did not send me my password for my test account. Problem solved, now I can go on holiday!

  • Why does my cron for the primary/secondary server not work, when it worked at the prompt

    I have Red Hat Linux version 5 and Oracle 11gR2 servers.

    I have cron jobs to monitor tablespace usage and alert logs.

    However they do not work as cron tasks, but if I execute them at the command prompt, they work.

    What could be the problem?
    Example cron script:
    Head of the script:

    #!/bin/bash
    . /u01/app/oracle/bin/hydev_env
    MAILTO="DBA.com"
    LOG=/u01/app/oracle/dba_cron/out/tablespace_90_full.html
    echo $ORACLE_SID
    sqlplus -s <<-EOF >> /dev/null
    / as sysdba


    The cron job is set like this:


    #------------------------TABLESPACES Check------------------------------------------------------------------------
    0,35 * * * * /u01/app/oracle/dba_cron/scripts/tablespaces_over_90%.sh > /u01/app/oracle/dba_cron/out/tablespaces_over_90%.log > 2>&1


    vi /var/spool/mail/oracle:

    I get an error like this:
    /bin/sh: -c: line 0: syntax error near unexpected token `2'
    /bin/sh: -c: line 0: `/u01/app/oracle/dba_cron/scripts/chk_ora_alert_all.sh > /u01/app/oracle/dba_cron/out/chk_oracle_alert_all.log > 2>&1'


    Any help, gurus?

    Hello;

    Usually it is an environment issue.

    The script works at the command prompt because when you log on, your chosen username gets its environment from a profile's settings, for example .bash_profile.

    A crontab task has no environment. That's why you call hydev_env at the beginning of the script. Most likely something is missing in your env file.

    What I do is keep an environment file for each database in a place like this:

    /u01/app/oracle/dba_tool/env (/u01/app/oracle/dba_tool/env/PRIMARY.env)

    PRIMARY.env is the .env file for the PRIMARY database.

    What I keep in there is everything a background job like a crontab task would need:

    ORACLE_BASE=/u01/app/oracle
    ULIMIT=unlimited
    ORACLE_SID=PRIMARY
    ORACLE_HOME=$ORACLE_BASE/product/11.2.0.2
    ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
    LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib
    LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib
    LIBPATH=$LD_LIBRARY_PATH:/usr/lib
    TNS_ADMIN=$ORACLE_HOME/network/admin
    PATH=$ORACLE_HOME/bin:$ORACLE_BASE/dba_tool/bin:/bin:/usr/bin:/usr/ccs/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:/usr/lbin:/GNU/bin/make:/u01/app/oracle/dba_tool/bin:/home/oracle/utils/SCRIPTS:/usr/local/bin:.
    export TERM=vt100
    export ORACLE_BASE ORACLE_SID ORACLE_TERM ULIMIT
    export ORACLE_HOME
    export LIBPATH LD_LIBRARY_PATH ORA_NLS33
    export TNS_ADMIN
    export PATH
    export MAILTO=
    

    Important: if you are not sure of a setting on your system, type "env" at a Linux prompt while logged in as the user the script works for. Change your .env file as needed.

    Here is a script I call from crontab to check the tablespaces:

    #!/bin/bash
    ####################################################################
    #
    # Usage: quickcheck.sh DBNAME
    #
    if [ "$1" ]
    then DBNAME=$1
    else
        echo "$(basename "$0"): Syntax error: usage: quickcheck.sh DBNAME"
        exit 1
    fi
    #
    # Set the environment variables for the instance
    #
    . /u01/app/oracle/dba_tool/env/${DBNAME}.env
    #
    # The SQL*Plus here-document that followed this line is not present in the post
    #
    $ORACLE_HOME/bin/sqlplus /nolog <
    

    Note how I pass the database name as a parameter to the script, so I can use the script with several databases without changing it.

    /u01/app/oracle/dba_tool/bin/quickcheck.sh PRIMARY

    The crontab runs it every day at 05:12:

    12 05 * * * /u01/app/oracle/dba_tool/bin/quickcheck.sh PRIMARY > /tmp/quickcheck.out

    Best regards

    mseberg
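    Two details of the question are worth pinning down beyond the environment point made in the answer. The crontab line in the question has an extra ">" in front of "2>&1" (which is exactly what the shell rejects as unexpected token `2'), and a literal "%" in a crontab command field is turned into a newline by cron unless escaped, which affects a script named tablespaces_over_90%.sh. The block below is an added example, not code from the thread: it sources a per-database env file the way the answer describes, refuses to run the job if a required variable is still unset, and emits a correctly redirected crontab entry. ENV_DIR and the env file contents are constructed for the example; the path layout follows the answer.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows what a cron job needs
# that an interactive login gives for free: a sourced environment file and an
# explicit check that the variables the job depends on are set. ENV_DIR and the
# env file written here are constructed for the example.

ENV_DIR="${ENV_DIR:-${TMPDIR:-/tmp}/dba_env_example}"

# Write a constructed PRIMARY.env so the example runs offline. In practice this
# is the per-database file kept under /u01/app/oracle/dba_tool/env.
make_example_env() {
    mkdir -p "$ENV_DIR"
    cat > "$ENV_DIR/PRIMARY.env" <<'EOF'
ORACLE_BASE=/u01/app/oracle
ORACLE_SID=PRIMARY
ORACLE_HOME=$ORACLE_BASE/product/11.2.0.2
PATH=$ORACLE_HOME/bin:/bin:/usr/bin
export ORACLE_BASE ORACLE_SID ORACLE_HOME PATH
EOF
}

# Source $ENV_DIR/<db>.env in a subshell (so the caller's environment is left
# alone) and print the name of every required variable that is still empty.
# Exit status: 0 if all are set, 1 if any are missing, 2 if the file is unreadable.
check_env() {
    db="$1"; shift
    envfile="$ENV_DIR/$db.env"
    [ -r "$envfile" ] || { echo "cannot read $envfile" >&2; return 2; }
    (
        . "$envfile"
        rc=0
        for name in "$@"; do
            eval "value=\${$name:-}"
            if [ -z "$value" ]; then
                echo "$name"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# The crontab entry itself: both streams go to the log with a single "2>&1"
# (no extra ">" in front of it), and the script name contains no "%".
cron_entry() {
    db="$1"; log="$2"
    printf '12 05 * * * /u01/app/oracle/dba_tool/bin/quickcheck.sh %s > %s 2>&1\n' "$db" "$log"
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = "run" ]; then
    make_example_env
    if missing=$(check_env PRIMARY ORACLE_HOME ORACLE_SID TNS_ADMIN); then
        echo "environment OK"
    else
        echo "missing variables: $missing" >&2
    fi
    cron_entry PRIMARY /u01/app/oracle/dba_tool/log/quickcheck.log
fi
```

    Run with "run" to see the check report TNS_ADMIN as missing from the constructed env file; the same pattern at the top of a real job makes an incomplete .env fail loudly in the cron mail instead of producing an empty report.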

  • ACS database replication does not work after changing the secondary ACS IP

    Hello.. I have 2 ACS 3.1 servers: ACS01 (primary) & ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we run database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS supports database replication only to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level of ACS.

    (2) The primary server copies compressed and encrypted database components to the secondary server. This transmission is done via a TCP connection on port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

    (3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, it appears for selection as a secondary server in the AAA Servers list under Replication Partners on the Cisco Secure Database Replication page.

    (4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) Replication to secondary servers takes place sequentially, in the order listed in the Replication list under Replication Partners on the Cisco Secure Database Replication page.

    (6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its own replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects them.

    (8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots occupied by the user-defined RADIUS vendors. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the Cisco Secure ACS Database Command-Line Utility document.

  • Two-finger tap for secondary click does not work

    I had to create a new user profile, because in my old profile all the Apple-connected apps crashed when opening.

    My new user profile doesn't have this problem, but another one: two-finger tap for secondary click does not work, even though it is selected in the Trackpad options (System Preferences).

    I tried the usual turning the option off / on, restarting the computer, etc. No change.

    Instead of a secondary click, a two-finger tap activates the scroll bar. I already disabled the two-finger scroll options, hoping the problem was some sort of interference, but again, no luck.

    Any ideas?

    I found my own solution and decided to post it for anyone having a similar problem:

    When I activated the option "Ignore the trackpad when a mouse is connected", two-finger click started working.

    I can't explain why (I do not use a mouse, so it shouldn't make a difference), but who cares, it works now.

  • ACS 5.1 - command line filters do not work in Config Mode

    Hello

    I am trying to set up filters to deny sniffer commands being entered at the command line. I have set up a command set and applied it to an authorization policy. The command filter works great for commands in privileged mode. However, the filter does not work for any command that is entered in configuration mode.

    I have a command set that will deny, for a test setup:

    show clock

    terminal length

    show monitor

    remote-span

    monitor session

    The first three commands are entered from the initial privileged mode and they are denied by the ACS. The last two commands can be entered in config mode and the ACS does not stop their entry.

    I have attached two screenshots that show the command set configuration on ACS and a terminal session showing which commands are filtered and which are let through.

    Has anyone encountered this problem? Is there something else I should be adding to the command Set? Is this a bug?

    There is a bug on the Cisco site that relates to command filters:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtf08567

    I don't know if this bug applies to this issue because there is so little information about it. In addition, if it does, I don't understand how to apply the workaround to this situation.

    Any advice would be greatly appreciated. (ACS Version 5.1.0.44.2)

    Cheers, Dave

    Do you have authorization for config mode on the router?

    If not, add:

    aaa authorization config-commands
