
MAB ACS 4.1 Active Directory Problem

s.berthier
Level 1

Hello

I have an ACS v4.1 appliance and I use 802.1X PEAP authentication.

Everything works fine for PCs that are 802.1X compliant, with Active Directory as the external database.

But when you want to authenticate a non-802.1X device such as a printer, ACS logs an "Internal Error" in the Authentication failure code on the Failed report.

I have created an object in AD that has username = @mac and password = @mac

Can you tell me if you have a solution to this problem?

Thanks for your help

8 Replies

Jagdeep Gambhir
Level 10

Hi,

I'm not sure if you have configured MAB. To achieve it we need to set up MAB.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm#wp1160819

Regards,

Hi,

I have looked at this configuration, but in "Network Access Profile" you can only configure MAC authentication bypass with the ACS Internal Database or an LDAP server, but not with an Active Directory database?

When I configure this with the Internal Database it works fine and the message "Internal Error" doesn't appear.

But I saw at a meeting that this can be done with an Active Directory database.

If you have other solutions

Thanks

Hi,

I haven't done that, might not be possible either. But you can start with how exactly the unknown device is being discovered.

If you have ACS for windows, turn it on to full logging from System Configuration > Service Control > Level of Detail > Full > Restart.

And when the authentication fails with the Internal Error code, take the time stamp when it failed, and search how exactly the device was searched from the Auth.log file. It's a simple readable text file, found in,

\CSAuth\Logs

It will give you a pretty good idea.

Do share the result!

Regards,

Prem

Hello

I have an ACS appliance and the log doesn't show anything other than:

05/25/2007 17:00:51 Authen failed 000d6013d891 Printers 00-0D-60-13-D8-91 (Default) Internal error .. .. 50019 10.253.104.94 .. .. .. .. .. gvanet01 ..

I can't get a more precise log, I think.

I have opened a call with Cisco and I am waiting for a response.

thanks
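
The failed-attempt entry quoted above, as an added example that is not part of the original posts: a Python sketch that picks MAB attempts (user name equal to the MAC in the caller ID) out of a Failed Attempts export and counts their failure codes. The column layout is assumed from the single line quoted in the thread, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
05/25/2007 17:00:51 Authen failed 000d6013d891 Printers 00-0D-60-13-D8-91 (Default) Internal error .. .. 50019 10.253.104.94 .. .. .. .. .. gvanet01 ..
05/25/2007 17:02:10 Authen failed jdoe Staff 00-11-22-33-44-55 (Default) CS password invalid .. .. 50020 10.253.104.94 .. .. .. .. .. gvanet01 ..
05/25/2007 17:03:42 Authen failed 001122aabbcc Printers 00-11-22-AA-BB-CC (Default) Internal error .. .. 50021 10.253.104.94 .. .. .. .. .. gvanet01 ..
"""

# Assumed layout: date, time, "Authen failed", user name, group, caller ID,
# one more column, then the failure code text up to the first ".." placeholder.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) Authen failed (?P<user>\S+) (?P<group>\S+) "
    r"(?P<clid>\S+) \S+ (?P<code>.+?) \.\."
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mab_failures(log_text):
    """Yield (mac, failure_code) for failed attempts whose user name is the caller's MAC."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-authentication line in the assumed layout
        user_mac = normalize_mac(m["user"])
        # A MAB request carries the device MAC as the user name; an 802.1X
        # failure carries a real account name and is skipped here.
        if user_mac and user_mac == normalize_mac(m["clid"]):
            yield user_mac, m["code"]

def summarize(log_text):
    """Count failure codes across MAB attempts only."""
    return Counter(code for _, code in mab_failures(log_text))

if __name__ == "__main__":
    for mac, code in mab_failures(SAMPLE_LOG):
        print(mac, code)
    print(dict(summarize(SAMPLE_LOG)))
```
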

Hi,

This is how you can get logs from acs appliance,

Make sure login is full,

System Configuration --> Support --> Run Support Now.

After a min it will ask you to save a file "Package.cab". This file contains all of the log information from ACS.

Thanks

First, ACS should not log "Internal Error" in Authentication failure code on the Failed report.

It should also work by creating an object on AD if you like for the username = @MAC and password = @MAC.

This documentation reference is incorrect to achieve such an operation:

<http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/sp.htm#wp1160819>

You're running into CSCsh62641. This has been fixed and you need ACS 4.1(3). See the release notes here:

<http://www.ciscosystems.ch/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/rnotes/rnacs413.htm>

The summary is, it allows you to only look at the CLID field (Re: the way "MAB" is documented above) OR to be able to just define a MAC as a "user account" somewhere like in Active Directory.

Hope this helps,

Hello

Thanks for your help

In fact I will try to obtain the upgrade to ACS 4.1(3) and I will tell you if it works.

Thanks

Hello

The problem was solved when I upgraded ACS to 4.1.3.12.

And now I have no error message and MAC Authentication Bypass works fine with Active Directory.

Thanks for your help
