Wildcard AAA Client ACS4.1

Hi I am trying to solve the following problem:

I use ACS for authentication, authorization and accounting on my network devices, and I would like to distinguish which users have access to which devices. I have about 2500 network devices in my network, and instead of adding each one to the ACS database I created a generic AAA client with IP *.*.*.*.

It has worked well so far, an extremely simple setup, I know, but now I want to add firewalls and other sensitive devices and restrict access using NARs. The idea was to create new AAA clients for each type of device and deny access to restricted groups with a NAR. The problem is that when I define the new AAA clients, an IP address conflict is detected with the generic AAA client.

Is there another way to solve this problem other than importing all the network devices and creating NDGs? That is what I wanted to avoid.

Any help is greatly appreciated.

Thank you

Niels

Niels,

First of all, I would not recommend having this kind of setup. Anyone can plug in an AAA client and send lots of requests, keeping ACS busy and delaying the processing of legitimate requests. It is like opening the doors of ACS to everyone.

For your question, there is no way you can add separate IPs, since the wildcard covers the full range.

The best way is to import your AAA devices. You can use RDBMS synchronization to import everything at once.

Another easy way is to add networks like 10.5.*.* / 30.34.*.* / 30.35.*.*

Kind regards

~ JG

Please rate helpful posts.

Tags: Cisco Security
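Why the catch-all entry collides with any more specific AAA client, and why per-subnet entries do not, is easiest to see by modelling the dotted-quad wildcard matching ACS performs when it looks up the source address of a request. The following is an added example, not code from this thread or from Cisco ACS: it treats `*` as any value in an octet and also accepts a `lo-hi` octet range (an assumption about the ACS address syntax; check it against your ACS version), reports which configured clients overlap, and resolves a device's source IP to exactly one client entry, which is what ACS must do before it can even check the shared key. The client names, NDG names and addresses are constructed; the address blocks are the ones JG suggests above.

```python
"""Added example: wildcard AAA-client matching and overlap detection (not ACS code)."""
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

Octet = Tuple[int, int]                       # inclusive (low, high) range for one octet
Pattern = Tuple[Octet, Octet, Octet, Octet]


@dataclass(frozen=True)
class AaaClient:
    name: str       # AAA client name as entered in ACS (constructed)
    address: str    # dotted quad; each octet is a number, 'lo-hi' or '*'
    ndg: str        # network device group (hypothetical names)


def parse_pattern(text: str) -> Pattern:
    """Turn '10.5.*.*' or '10.5.1-20.*' into four (low, high) octet ranges."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = []
    for part in parts:
        if part == "*":
            low, high = 0, 255
        elif "-" in part:                      # assumed 'lo-hi' range syntax
            low_s, high_s = part.split("-", 1)
            low, high = int(low_s), int(high_s)
        else:
            low = high = int(part)
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octets.append((low, high))
    return (octets[0], octets[1], octets[2], octets[3])


def matches(address: str, host_ip: str) -> bool:
    """True if the AAA-client address pattern covers the single host IP."""
    host = parse_pattern(host_ip)
    if any(low != high for low, high in host):
        raise ValueError(f"host IP must be a single address: {host_ip!r}")
    return all(low <= value <= high
               for (low, high), (value, _) in zip(parse_pattern(address), host))


def overlaps(a: str, b: str) -> bool:
    """Two patterns overlap iff some IP matches both, i.e. every octet range intersects."""
    return all(max(lo_a, lo_b) <= min(hi_a, hi_b)
               for (lo_a, hi_a), (lo_b, hi_b) in zip(parse_pattern(a), parse_pattern(b)))


def find_conflicts(clients: List[AaaClient]) -> List[Tuple[str, str]]:
    """Pairs of client names whose patterns overlap: what ACS rejects as an IP conflict."""
    return [(x.name, y.name) for x, y in combinations(clients, 2)
            if overlaps(x.address, y.address)]


def lookup(clients: List[AaaClient], source_ip: str) -> Optional[AaaClient]:
    """Resolve a request's source IP to exactly one AAA client; None means 'unknown NAS'."""
    hits = [c for c in clients if matches(c.address, source_ip)]
    if len(hits) > 1:
        raise ValueError(f"{source_ip} is ambiguous: " + ", ".join(c.name for c in hits))
    return hits[0] if hits else None


# Constructed data. First the thread's starting point: the catch-all client
# plus the new firewall entry the poster tried to add next to it.
GENERIC_PLUS_FIREWALLS = [
    AaaClient("generic-all", "*.*.*.*", "Default"),
    AaaClient("firewalls", "10.5.*.*", "Firewalls"),
]

# The alternative JG suggests: one client per address block and no catch-all.
SEGMENTED = [
    AaaClient("site-a-routers", "10.5.*.*", "Routers"),
    AaaClient("site-b-switches", "30.34.*.*", "Switches"),
    AaaClient("site-b-firewalls", "30.35.*.*", "Firewalls"),
]


if __name__ == "__main__":
    print("conflicts with catch-all:", find_conflicts(GENERIC_PLUS_FIREWALLS))
    print("conflicts when segmented:", find_conflicts(SEGMENTED))
    for ip in ("30.35.1.2", "192.0.2.1"):
        client = lookup(SEGMENTED, ip)
        print(ip, "->", client.name if client else "unknown NAS (logged as a failed attempt)")
```

The catch-all pattern intersects every other pattern in all four octets, so no entry can ever be carved out of it; the only fix is to replace it with pairwise disjoint blocks, which is JG's last suggestion. The `lookup` function also shows the flip side of that change: a device whose source address falls outside every block is no longer matched at all and is reported by ACS as an unknown AAA client.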

Similar Questions

  • ACS 4.2 internal DB replication does not replicate the AAA clients

    I'm trying to set up a new ACS 4.2 server. ACS is installed, a replication partner is configured, etc. The master and the new slave both run ACS 4.2(0) Build 124. (The master shows "Patch 12"; the slave shows no patch info.)

    The replication settings on the new ACS server are identical to those on my current secondary ACS server, which receives replicated data correctly.

    Problem: I manually replicated from the master ACS server to the new ACS server. The logs on both servers show a successful replication. Users, user groups and network device groups (NDGs) all replicate correctly. However, there are zero devices in each of the NDGs.

    The master is set to send, and the new slave is set to receive:

    User and group database

    Network configuration device tables

    WBS

    Configuration of the interface

    Interface security settings

    Password validation settings

    I also tried replicating the network access profiles instead of the network configuration device tables. Still no AAA clients in the NDGs.

    I need my AAA clients replicated. Should I be replicating different or additional components? Am I missing some setting elsewhere in ACS?

    Hello

    Please apply Patch 12 on the slave ACS as well.

    Try the replication again and let me know the results.

    Also, under Network Configuration, do you see the NDG names, or just no AAA clients under each NDG?

    Kind regards

    Anisha

  • Bulk import of AAA clients on ACS SE

    Hi all, I know that there is a bulk AAA client import feature in ACS, using a CSV and csutil.exe. Is there a way to do this on an ACS Solution Engine? Some tell me there is a way to do it via FTP; is that right? Thanks in advance, Michael

    Not as far as I know, but rather than defining each AAA client individually, why not set them up in groups using wildcards in the IP addresses, for example 192.168.10.*.

  • AAA clients

    Hello

    I am running CiscoSecure ACS v3.0 for Windows 2000/NT, version 3.0(1) build 40, in my environment. I have a problem when adding AAA clients to a network device group, because it gives an error saying that the device already exists.

    I did a manual search for the device and it cannot be found. Is there any other way to remove this device by its IP address, which the system thinks already exists?

    Diop

    Hmm, are you entering device IPs, ranges, or DNS names?

    Perhaps an accidental overlap somewhere?

    You can use regedit to inspect the network configuration DB. It lives under HKLM\SOFTWARE\Cisco\CiscoAAAv3.3\Hosts

    If you spot the duplicate, you can simply delete the subkey and then restart all the CS* services (including CSAdmin) from the Control Panel.

    Mounira

  • ISE could not locate AAA Client or network device

    During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (Could not locate Network Device or AAA Client). The cause ISE gives me is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of using a loopback interface I used a VLAN interface with a defined IP address. Could that be the cause of the problem?

    Here is the config of the port I tested on:

    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-LEAVE in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    Whatever IP address you entered in ISE when adding this switch, it must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets are coming from "interface TenGigabitEthernet1/0/1". Double-check this and make sure they match.

    If you have a loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, syslog, etc.).

    Thank you for rating helpful posts!

  • How to count the number of AAA clients

    Hello

    As we know, ACS 5.2 comes with a base license that supports 500 network devices.

    Sometimes there are many AAA clients or network devices authenticating simultaneously. So my question is: how are the network devices allowed to authenticate on ACS 5.2 counted? Does this only include network devices, or AAA clients, or end devices?

    Rgds,

    Laowu5017

    Hello

    ACS 5.x counts the number of AAA clients that are configured on the ACS.

    Please note that AAA clients and network devices are the same thing: they are the switches, routers, WLCs, or any other devices configured under

    Network resources > ... > Network devices and the AAA Clients

    The AAA clients are not the AAA supplicants.

    End-user PCs are the AAA supplicants, and for these there is no limit on the number.

    HTH,

    Tiago

    --

    If this helps or answers your question, please mark it as answered or rate it, so that other users can easily find it.

  • Deny AAA clients to a specific user group, ACS v4.1

    Using 4.1, is there a 'simple' method to deny a user group the ability to connect to specific AAA clients? The customer has a voice group that they want to allow to telnet into all the voice routers, but not the other routers. They have command sets and that is set up, but I wanted to see if there is a way to restrict this group to the voice routers only.

    Thanks in advance,

    Dave

    You can configure this using a NAR in ACS.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

    Kind regards

    ~ JG

    Please rate helpful posts.

  • TACACS+ packet from unknown Network Device or AAA Client

    Hi all

    I cannot log in using the credentials set on the ACS server; the log shows:

    "Failure Reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client."

    I know there are some changes to TACACS+ on the newer Catalyst IOS, so I consulted the guide, and this is the end of my config:

    aaa group server tacacs+ TAC_PLUS
     server name AUTH

    tacacs server AUTH
     address ipv4 10.10.21.251
     key xxxxxx

    aaa authentication login TAC_PLUS group tacacs+ local
    aaa authorization exec TAC_PLUS group tacacs+ none
    aaa authorization commands 15 default if-authenticated
    aaa accounting update periodic 1
    aaa accounting exec TAC_PLUS start-stop group tacacs+
    aaa accounting network TAC_PLUS start-stop group tacacs+
    aaa accounting connection TAC_PLUS start-stop group tacacs+

    My platform is:

    - C6500 running IOS 12.2(33)SXJ1

    - ACS 5.2.0.26

    I need advice on this, thanks.

    Noel

    Hello

    Is the IOS device's IP address set appropriately under Network Devices and AAA Clients on ACS? If yes, what IP address is shown in the ACS failed attempt that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Is ACS reporting as unknown the IP address that is already set appropriately?

    Kind regards.

  • LEAP authentication fails; what does this "debug aaa authentication" output mean?

    I'm trying to authenticate from a laptop (LEAP client) and I am not succeeding. Can you help me understand what the problem is?

    Note: please find attached the output of "debug aaa authentication" from the Cisco Aironet log and the corresponding 'ACS failed attempts'.

    Please note that in ACS 3.3, under Network Configuration > AAA Clients > AAA Client Setup for AP1, I entered a value for the "Key" field. However, I could not find this 'key' in my access point configuration, as shown in the attached file. Can you please confirm whether I should set up such a "Key", and what the command is to do this on the access point?

    Thank you very much!

    Marlon

    Marlon,

    at the end of this command:

    radius-server host 163.77.93.83 auth-port 1645 acct-port 1646

    you can append "key 0" followed by the key you defined on the AAA server.

  • AAA for PIX 7.2(2)

    Hello

    I'm having a problem on my newly upgraded PIX 7.2(2). It seems that my authentication does not work. It keeps authenticating with my local username, not against my ACS. Here is my config:

    aaa-server TACACS+ protocol tacacs+

    aaa-server TACACS+ (inside) host 172.x.x.x key

    aaa authentication enable console TACACS+ LOCAL

    ACS config:

    AAA client: added the IP

    AAA key: same as on the PIX

    Please help me.

    Thank you

    Jong

    The reason for the AAA authentication failure could be one of the following conditions:

    (1) authentication key mismatch

    (2) user password mismatch

    (3) error in the configuration

    Check whether the keys are configured correctly on the device, and also the usernames and passwords.

    For more information, please visit the following URL:

    http://www.Cisco.com/en/us/docs/security/PIX/pix72/release/notes/pixrn722.html#wp201347

  • Problems reaching a remote AAA server

    Hi all. I can ping and traceroute to this TACACS+ server, but I can't authenticate my telnet users. I configured a LOCAL fallback so that it tries the remote server several times and then falls back to LOCAL. I noticed the logs show TCP FINs, which indicates that I am actually reaching the remote server, but is the server sending a TCP FIN, or is the server simply unavailable, as the logs say? Why would the server not be reachable if I can ping and traceroute to it?

    I also checked that the NOC extranet firewall is accepting my traffic to the AAA server; they pulled the logs showing that my traffic was accepted.

    Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
    Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
    Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
    Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00

    Here is my AAA config:

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND traceroute to the AAA server:

    ATLUSA01-FW01# ping AAA_SERVER
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
    ATLUSA01-FW01# traceroute AAA_SERVER

    Type escape sequence to abort.
    Tracing the route to 151.162.239.239

     1  17.2.2.3  0 msec  0 msec  0 msec
     2  17.2.2.4  0 msec  0 msec  0 msec   <- extranet firewall
     3  10.4.7.1  0 msec  0 msec  0 msec
     4  10.4.7.13  0 msec  0 msec  0 msec
     5  10.4.7.193  0 msec  0 msec  0 msec
     6  AAA_SERVER (10.5.5.5)  0 msec  10 msec  10 msec

    You'll certainly need the help of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    Much easier, and the most important thing, is to check the 'failed attempts' log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS+ key mismatch". Being convinced of a good config and checking it are two different things.

    I have seen weird things like entering a key on an AAA server via Remote Desktop with inconsistent keyboard settings (English/German), resulting in the letters 'Y' and 'Z' being swapped. Do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path that allows ping/traceroute but drops tcp/49, or a device is translating the address of the ASA (although in that case you should see an "Unknown NAS" in the failed attempts).

    Do you have the possibility to connect a device such as a laptop on the inside network of the ASA? If so, try telnetting to tcp/49 on the AAA server; you will see immediately whether tcp/49 is allowed (a blank screen immediately = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa
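    The pattern MiKa reads by hand above (tcp/49 sessions built and torn down within a second by TCP FINs, the server then marked FAILED, and the box falling back to LOCAL) is worth detecting automatically, because a TACACS+ outage that silently turns into local-database authentication is both an availability and a security event. The following is an added example, not from this thread or from Cisco: it parses ASA syslog lines by their six-digit message ID, distinguishes "tcp/49 reachable but the server closed the session" from "no tcp/49 handshake at all", and records the users for whom LOCAL fallback was used. The sample lines are constructed after the ones in the post, with the same placeholder addresses; a second constructed sample shows the filtered-path case with a SYN Timeout teardown.

```python
"""Added example: triage of ASA TACACS+ failure syslog by message ID (constructed data)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Constructed sample lines, modelled on the ones posted above (placeholder addresses).
SAMPLE_KEY_OR_NAS_PROBLEM = """\
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
"""

# Constructed contrast case: the same failure when tcp/49 is filtered on the path.
SAMPLE_PATH_BLOCKED = """\
Feb 04 2011 13:10:00: %ASA-6-302013: Built outbound TCP connection 24801 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/40001 (17.2.2.2/40001)
Feb 04 2011 13:10:03: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:10:30: %ASA-6-302014: Teardown TCP connection 24801 for inside:AAA_SERVER/49 to identity:17.2.2.2/40001 duration 0:00:30 bytes 0 SYN Timeout
"""

SYSLOG_RE = re.compile(r"%ASA-(?P<severity>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection \d+ for \S+/(?P<port>\d+) to \S+ "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) (?P<reason>.+)$")


@dataclass
class Triage:
    unavailable: int = 0                 # 113014: a request got no usable answer
    fin_closed_tcp49: int = 0            # tcp/49 session the peer closed with FIN
    syn_timeout_tcp49: int = 0           # tcp/49 handshake never completed
    marked_failed: List[str] = field(default_factory=list)         # 113022 server names
    local_fallback_users: List[str] = field(default_factory=list)  # 409023 usernames
    verdict: str = ""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split an ASA syslog line into severity, six-digit message ID and message text."""
    match = SYSLOG_RE.search(line)
    return match.groupdict() if match else None


def triage(lines: Iterable[str]) -> Triage:
    """Classify the failure the way the reply above does by hand."""
    result = Triage()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msgid, text = rec["msgid"], rec["text"]
        if msgid == "113014":
            result.unavailable += 1
        elif msgid == "302014":
            m = TEARDOWN_RE.search(text)
            if m and m.group("port") == "49":
                if "FIN" in m.group("reason"):
                    result.fin_closed_tcp49 += 1
                elif "SYN Timeout" in m.group("reason"):
                    result.syn_timeout_tcp49 += 1
        elif msgid == "113022":
            m = re.search(r"server (\S+) in aaa-server group", text)
            if m:
                result.marked_failed.append(m.group(1))
        elif msgid == "409023":
            m = re.search(r"for user (\S+) :", text)
            if m:
                result.local_fallback_users.append(m.group(1))
    result.verdict = _verdict(result)
    return result


def _verdict(t: Triage) -> str:
    if t.unavailable == 0:
        return "no TACACS+ server failures in this window"
    if t.fin_closed_tcp49:
        return ("tcp/49 is reachable: the server completed the handshake, took data and closed "
                "the session; check the shared key and the ASA's entry on the AAA server")
    if t.syn_timeout_tcp49:
        return "no tcp/49 handshake: something on the path drops tcp/49 although ICMP passes"
    return "tcp/49 sessions neither FIN-closed nor timed out; inspect the teardown reasons"


if __name__ == "__main__":
    for name, sample in (("key/NAS problem", SAMPLE_KEY_OR_NAS_PROBLEM),
                         ("path blocked", SAMPLE_PATH_BLOCKED)):
        t = triage(sample.splitlines())
        print(f"{name}: {t.verdict}")
        if t.local_fallback_users:
            print("  LOCAL fallback used for:", ", ".join(t.local_fallback_users), "(alert)")
```

    The decisive field is the teardown reason, not the "Built" line: a tcp/49 connection closed by "TCP FINs" after carrying a few dozen bytes means the far end completed the handshake and then hung up, which points at the shared key or the AAA-client definition on the server rather than at the network; a "SYN Timeout" means the SYN was never answered. Either way, the 409023 fallback is what a SOC should alert on, because from that moment the firewall is authenticating administrators against its local database.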

  • AAA address limit

    Hello

    I'm setting up our ACS server to authenticate network access with TACACS+ and it works fine, but when I create the Network Devices and AAA Clients I would like to include the address range these devices will be in (we have 200+ DMVPN devices). When I do this I get an error message every time I open the ACS server telling me "Managed Device exceeded" under System Administration > Licensing > Base Server License. I was told by Cisco TAC that it is a cosmetic thing.

    Will I be okay adding as many addresses as I need? I really don't want to have to go and add every address for each network in the network devices, even if that would result in fewer than the 500 device limit.

    Thank you

    Hi Patrick,

    There are two types of license, the Base and the Large Deployment license. With the Base license ACS will tell you that you can add 500 devices; however, for ACS 5.x each IP address is a device, so if you add a router with the range 192.168.1.0/24 to ACS it is the same as adding 255 devices. So if you add more than 500 devices you will get this "Managed Device exceeded" informational message, but it is only cosmetic and you need not worry about it.

    The Large Deployment license has no device limit and it will remove the informational message, but it is for you to decide whether you need it or not.

    Let me know if it helps.

  • Sync/copy AAA clients between two ACS 5.2

    Hi all, we are moving network device (200+) authentication/authorization/accounting to a new ACS 5.2. Is there an easy way to copy/sync all the AAA client configuration to another ACS 5.2 server? I don't need the rest of the configuration to be copied/synchronized to the other ACS 5.2 server. Thanks in advance.

    Go to the AAA clients menu and click "Export".

    Then on the other ACS, click "File Operations", "Add", and you should be good to go...

  • Re: TACACS+ configuration

    Hi all

    I'm trying to configure authentication for around 300 routers via Cisco TACACS+. I installed ACS 4.2 on Windows Server 2003 and applied the following AAA commands on a trial router, plus the tacacs-server host and key:

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login NO_AUTHEN none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec NO_AUTHOR none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 1 NO_AUTHOR none
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 NO_AUTHOR none
    aaa authorization network default none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    !
    aaa session-id common

    Then I created a user and set a secret key on the ACS server, and I added this router as an AAA client. The router no longer accepts the old login name and password, but it does not take the username set on ACS either. Where am I going wrong? Kindly help.

    Thank you.

    ANU,

    Are you getting the TACACS+ username/password prompt?

    If you get the username/password prompt and it isn't accepting the TACACS+ credentials, could you please log in with the local username/password and run these debugs:

    debug tacacs

    debug aaa authentication

    term mon

    After this, attempt to log in again with the TACACS+ username/password and send me the output.

    Also check the Failed Attempts report under Reports and Activity on ACS.

    HTH
    JK

    Please rate helpful posts.

  • How can I create network device groups in ACS 4.2

    Hello

    I want to create site-wise groups in ACS 4.2. Is this possible or not? Please send me the steps.

    Secondly, I have nearly 5000 network devices in my network. Do I have to add all the devices manually, or is there any method to import the devices in groups?

    Please let us know.

    Regarding network device groups, follow this link:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/n.html#wp342699

    Regarding importing clients, you can use the CSUtil database utility:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/AE.html

    Check the section on user and AAA client import:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/AE.html#wp417039

    M.

    Hope that helps; please rate if it does.
