ASK THE EXPERT - TROUBLESHOOTING CISCO SECURE ACS FOR WINDOWS

Feb 13th, 2009

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to address issues with the ACS database with Cisco expert Srinivas Mallu. Srinivas is a senior customer support engineer in High Touch Technical Support (HTTS) within the Technical Assistance Center (TAC). He has a double CCIE in Routing & Switching and Security (CCIE# 8914). Srinivas has been in TAC for the past eight years supporting security-related products such as PIX, ASA, FWSM, Security on IOS, IPSec, ACS and IDS. He also trains people on his team on security technologies.

Remember to use the rating system to let Srinivas know if you have received an adequate response.

Srinivas might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through February 27, 2009. Visit this forum often to view responses to your questions and the questions of other community members.

mehsulsss Fri, 02/13/2009 - 14:13

Hi there,

I just built an ACS server and, before I saved everything, I moved the cable.

It seems that the ACS server reflects its own IP as 127.0.0.1.

The answer I got from Cisco support is a pretty lengthy process to fix it.

Is there a quicker way to get it fixed with its real IP?

I don't want to export and send the file anywhere. The version of ACS appliance is 4.2.

Thanks for your help

Regards

ansalaza Fri, 02/13/2009 - 14:25

Is this the solution that you mentioned?

In order to resolve the 127.0.0.1 self problem, you can restore the DMP files on ACS for Windows 4.2 and modify the entry 127.0.0.1 with the desired IP address.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#res

Something else to confirm is whether, during the installation of the ACS, it was connected to the network using the bottom NIC.

Plug the network connection into the Ethernet 0 port (NIC 1)

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/instalap.html#wp1088634

ansalaza Fri, 02/13/2009 - 19:01

For the Windows Version:

Cisco Secure Access Control Server 90-day Evaluation Software

http://www.cisco.com/kobayashi/sw-center/sw-ciscosecure.shtml

Note: To set or change the IP address of your ACS SE, ACS SE must be connected to a working Ethernet connection.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/admap.html#wp1109621

smallu Mon, 02/16/2009 - 11:11

Hi There,

This is a known issue with the ACS Appliance. There is no easy way to do this. The IP address of the ACS Solution Engine cannot be changed from the GUI.

This is a lengthy procedure, but this is what you have to do.

a) Restore the ACS SE database to ACS for Windows.

b) You'll see the server name with IP address 127.0.0.1.

c) Change that to whatever IP address you would like it to be. Save it.

d) Restore the database to ACS Solution Engine.

e) Now you can change the IP address of the server on the ACS Solution Engine as well, because it is not the default AAA server.

Hope this helps!

Thanks,

Srinivas.

smallu Mon, 02/16/2009 - 11:15

For future purposes, one thing you can do to avoid this problem is to connect the NIC card to the network so that it pulls an IP address from the DHCP server and does not assign the loopback IP address.

srujanrampally Tue, 02/17/2009 - 01:55

We have purchased a Cisco IPS 4240 sensor, installed the license, and that device is communicating with other computers in the network. The version installed is IPS 6.1(1)E1. Please can you answer the questions below.

1) Please can you provide me the document or link that lists all the possible events that can be generated by the Cisco IPS 4240 sensor.

2) Where will this IPS 4240 sensor store all the generated events? Please can you provide me the file names and location of those files, and can you tell me how to access those files?

3) How many types of events will be generated by this IPS 4240 sensor?

4) How to send all types of events to a Syslog server (Windows Kiwi syslog or Linux syslog) present on another system in the network through CLI, IDM and IME?

5) Can you provide me some examples to generate different events?

6) What is the difference between CLI, IDM and IME?

7) How can we know that the configured IPS system is in Inline mode?

vfranck Tue, 02/17/2009 - 05:51

Hi,

Is it possible to add groups to ACS? By default there are 500 groups, but there is no option in the GUI to add groups.

smallu Tue, 02/17/2009 - 11:53

The answer is No. Currently, there is no way to add more groups than the default number. Is there a reason why you want more than that? You can open a TAC case, and have an enhancement request filed for the same, if this is a need for your business.

Srinivas

Mubasher Sultan... Wed, 02/18/2009 - 04:11

Hi,

Just wanted to know whether I can get CS ACS 4.2 from TAC or the Cisco web site, because it is available now from Cisco and we just got the upgrade CD of ACS.

My old Version was 3.3.2 Build 2

My Upgraded Version 4.1.1 Build 24 &

4.1.4 Build 13

Kindly update me ASAP.

Thanks,

Mubasher

smallu Wed, 02/18/2009 - 11:00

Hi Mubasher,

It's available on the Cisco.com site. If for some reason you are not able to download it, open a TAC case, and the engineer can make it available for you as a download link.

Thanks,

Srinivas.

smallu Thu, 02/19/2009 - 13:11

Hi There,

If the image you are looking for is not on the Cisco.com site, it's probably archived.

Please open a TAC case, and the engineer can post the download link for you.

Thanks,

Srinivas.

Hi Srinivas,

We are having trouble with ACS 4.0 where the CSAuth and CSRadius services peak in memory usage and the authentication for RADIUS and TACACS gets stuck. Apparently a memory leak issue, which gets resolved for the time being by restarting the CSAuth service. We restart the service at least three times a working week.

The TAC engineer asked us to upgrade to 4.2 to avoid this, but our integration is done with IBM's Tivoli, which does not have a plugin for ACS 4.2, only 4.0. Hence we cannot upgrade to 4.2 until IBM gives the plugin for it. What could be the workaround on 4.0?

smallu Tue, 02/24/2009 - 10:37

Mohsin,

There are no more fixes coming out for 4.0, let alone 4.2. The development team is done with all development on the 4.x code, and any new fixes for any new issues will be addressed in 5.x or as a patch in the 4.2 code and above.

The memory leak issue has been addressed with a patch in 4.1 and 4.2. There is nothing available in 4.0. There is no workaround available in 4.0, as it's a code fix. Can IBM work on a plugin for ACS 4.2 for you? That pretty much seems to be the only option here.

Srinivas.

lxcollin1 Fri, 02/20/2009 - 09:32

Hi Srinivas,

I'm wondering if it is possible to create an External Database Group Mapping via the command line? I have hundreds of AD-to-ACS group mappings that I need to do, but it's very time consuming to do them one at a time via the web interface. I'm running 4.1(4). Please let me know if this is possible.

Thanks,

Lehi

smallu Fri, 02/20/2009 - 12:02

Lehi,

This is not supported. In fact, this feature is not even in the pipeline. If this is something you are interested in, please open a TAC case and have an enhancement request opened for ACS 5.0, as most of the development for 4.x is already done.

Thanks,

Srinivas.

DavidCHDBaker Sat, 02/21/2009 - 15:38

I am running Cisco VPN Client 5.0 on Windows XP and I am getting error 442, failed to enable virtual adapter. How can I fix this? I tried uninstalling the adapter and reinstalling, but that did not fix it.

smallu Tue, 02/24/2009 - 10:31

David,

We have seen this issue with Windows XP and Windows Vista in the field, although we could not reproduce it in the lab.

With Windows Vista, it has been determined that the cause is related to DAD (duplicate address detection). This is a known issue in the field. Is Windows XP complaining about a duplicate IP address? It has been determined that it has nothing to do with the Persistent, Active or registry store for the IP information.

Please try this workaround.

Workaround:

Open "Network and Sharing Center", then select "Manage Network Connections". Enable the Virtual Adapter "VA", then right-click on the VA and select "diagnose" from the context menu, and after that select "Reset the network adapter "Local Area Connection X"".

This sounds like a bug in the VPN Client code. It's documented in CSCsi26106. This is fixed in 005.000(003.560).

One of our customers has been able to resolve this problem on Windows XP by uninstalling the Microsoft Network Monitor. Try this as well and see if it fixes the problem.

Hope this helps!

Srinivas.

pankaj.kakade Tue, 02/24/2009 - 08:28

Hi Sri,

Can you give me a brief idea of how to configure the wireless access point with dot1x (PEAP) with Cisco ACS as the RADIUS server?

Also, how do I configure the backup for the primary ACS server? I am using the Windows database. Can we use redundancy for this database too?

smallu Tue, 02/24/2009 - 11:38

Pankaj,

Please go through these docs;

Enabling MAC-Based Authentication on the Access Point

http://www.cisco.com/en/US/docs/wireless/access_point/350/configuration/guide/ap350ch8.html#wp1031298

Yes. You can setup upto servers for backup authentication.

Enabling MAC-Based Authentication in Cisco Secure ACS

http://www.cisco.com/en/US/docs/wireless/access_point/350/configuration/guide/ap350ch8.html#wp1031528

Hope this helps!

Srinivas.

akpandey79 Thu, 02/26/2009 - 05:37

Hi Srinivas,

I am having an issue with a Cisco IDSM-2 module in a Cisco 6509. It has version 6.1(2)E3 and it's showing 100% cpu-1 utilization and 100 inspection load continuously.

Please help me to resolve this issue.

smallu Thu, 02/26/2009 - 10:27

Hi There,

This discussion is limited to Cisco Secure ACS. Please submit your question in the IDS forum.

Srinivas.

esdouglas Tue, 02/24/2009 - 11:54

I'm trying to get dot1x authentication working with our Nortel 1140e IP phones, but have been unsuccessful so far. I'm hoping either yourself or other Netpro community members will be able to help me.

My environment consists of the following:

Nortel 1140e IP Phone (firmware 0624C6J)

Cisco ACS 4.1(4)

Catalyst 4510R (IOS 12.2.50 SG)

+++++

I have the Nortel phone configured for PEAP authentication, with a self-signed cert from the ACS server installed, and using a local ACS username and password.

However, authentication fails with the error messages below, from the ACS server. I'm still waiting to hear back from Nortel on this issue, but was wondering if anyone else might have had this issue and resolved it already.

Authen session timed out: Challenge not provided by client

and

EAP-TLS or PEAP authentication failed during SSL handshake

Thanks,

Earl D

smallu Tue, 02/24/2009 - 13:00

Earl,

From the failed attempts message it sounds like a config issue on the Nortel router. I have searched the knowledge base for any issue on ACS with Nortel, and I haven't found any.

I suggest you open a TAC case with Nortel and go from there. From the logs, it seems like the ACS is not receiving the information it needs. Does the authentication work with other AAA servers?

Thanks,

Srinivas.

esdouglas Tue, 02/24/2009 - 13:08

Srinivas,

I actually do have an open case with the Cisco TAC on this, and the next step for us is to get Nortel involved as well. I was just hoping that you or someone else may have run into this issue and had a solution. But that doesn't seem to be the case, so I will wait to get both Cisco and Nortel on the phone so they can have a civil discussion regarding this issue.

Thanks for your help.

ansalaza Tue, 02/24/2009 - 13:18

- Self-signed Certificate Setup (only if you do not use an external CA)

If you use a Self-signed Certificate from Cisco Secure ACS

Complete these steps:

1. Copy the certificate from its location to the client.

2. Right-click the .cer file and click install certificate.

I suppose you cannot do that on the Nortel Phone can you?

- Set up the Client for PEAP

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t20

Note: The same Root Certificate should be installed on the ACS and the Phone.

esdouglas Tue, 02/24/2009 - 13:34

We do have an external CA, but our security group won't let us install that certificate on a device that can't be secured... but that's a whole other story.

As far as installing the self-signed ACS certificate, you can, and we have installed it on the Nortel IP phone.

If anyone thinks it would help, I can post the Radius debug information of the dot1x authentication failure.

ansalaza Tue, 02/24/2009 - 13:51

Are you also able to remove the Validate Server Certificate option from your Nortel Phone?

Are you able to authenticate a PC with PEAP using the same Certificate?

This will rule out the certificate causing an issue...

esdouglas Tue, 02/24/2009 - 14:05

From the options available on the phone, the ability to remove the Validate Server Certificate is not there.

I was able to successfully authenticate with a PC prior to creating the self-signed ACS certificate, but haven't tried with a PC since. I will test that first thing tomorrow morning to confirm and post my results.

Thanks, once again... hometime for me :<}

esdouglas Wed, 02/25/2009 - 12:45

So here are my findings from today. I tested with a PC and authenticated successfully.

I also started testing other EAP types and was able to get MD5 to work successfully with the Nortel IP phone, so I'm suspecting that there may be a bug in how PEAP authentication is implemented on the Nortel IP Phone.

Once I get feedback from Nortel, I will post any new results.
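An added example, not from this thread or from Cisco ACS itself, of the triage Earl did above, run over constructed Failed Attempts log lines: it buckets each caller's failures so that clients that only ever fail at the TLS stage (session stalled, SSL handshake failed) and never on credentials stand out as supplicant-side problems rather than ACS user-database problems. The column names and failure-code strings are assumed to match the ACS 4.x Failed Attempts CSV export; the sample rows and MAC addresses are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of an ACS 4.x "Failed Attempts" CSV export.
# Column names follow the ACS report headers; the column set is trimmed to
# the fields used here (assumption: real exports carry more columns).
SAMPLE_LOG = """\
Date,Time,Message-Type,User-Name,Caller-ID,Authen-Failure-Code,EAP Type Name,NAS-IP-Address
02/24/2009,10:02:11,Authen failed,phone01,00-1B-BA-00-00-01,Authen session timed out: Challenge not provided by client,PEAP,10.1.1.10
02/24/2009,10:02:40,Authen failed,phone01,00-1B-BA-00-00-01,EAP-TLS or PEAP authentication failed during SSL handshake,PEAP,10.1.1.10
02/24/2009,10:05:03,Authen failed,phone02,00-1B-BA-00-00-02,Authen session timed out: Challenge not provided by client,PEAP,10.1.1.10
02/24/2009,10:07:15,Authen failed,jsmith,00-0C-29-AA-BB-CC,CS user unknown,PEAP,10.1.1.10
02/24/2009,10:09:30,Authen failed,phone03,00-1B-BA-00-00-03,External DB user invalid or bad password,EAP-MD5,10.1.1.10
"""


def classify(failure_code):
    """Bucket an Authen-Failure-Code string (assumption: substring matching
    is enough for the handful of messages this script cares about)."""
    code = failure_code.lower()
    if "challenge not provided by client" in code:
        return "client-stalled"      # supplicant stopped answering mid-EAP
    if "ssl handshake" in code:
        return "tls-handshake"       # PEAP/EAP-TLS tunnel never completed
    return "credential-or-other"     # wrong password, unknown user, etc.


def parse_failed_attempts(text):
    """Return one dict per data row of a Failed Attempts CSV export."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_caller(records):
    """Map Caller-ID -> Counter of failure buckets, restricted to EAP rows."""
    summary = defaultdict(Counter)
    for rec in records:
        if not rec.get("EAP Type Name"):
            continue
        summary[rec["Caller-ID"]][classify(rec["Authen-Failure-Code"])] += 1
    return summary


def suspect_supplicants(summary):
    """Callers whose failures are all TLS-stage and never credential-related:
    the same user/cert working from a PC while these callers still fail
    points at the client's PEAP implementation or trust store."""
    tls_only = [caller for caller, buckets in summary.items()
                if buckets and "credential-or-other" not in buckets]
    return sorted(tls_only)


if __name__ == "__main__":
    by_caller = summarize_by_caller(parse_failed_attempts(SAMPLE_LOG))
    for caller in suspect_supplicants(by_caller):
        print(caller, dict(by_caller[caller]))
```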

smallu Wed, 02/25/2009 - 15:40

Thanks for posting your results! I am very interested to know what you find out!

manikandan15 Wed, 02/25/2009 - 03:49

Hi,

Has anyone tried the DVLAN concept through ACS replicated with Windows Active Directory?

smallu Wed, 02/25/2009 - 15:38

Not sure what you are trying to do here. Can you give me more details on this? Explain your scenario to me and what you are trying to accomplish.

Srinivas.

johngething Wed, 02/25/2009 - 04:59

Hello,

ACS 4.1/2

Wonder if you could help. The issue I have is that we require users to log onto devices using their Cisco PAP passwords (which they have to reset when logging in the first time), but we would like the same option to be available for the enable mode, and also for the password to be different from the login password. At present we are manually adding these into each user's configs/settings in ACS.

many thanks John :)

smallu Wed, 02/25/2009 - 16:05

John,

This option/feature is not available for enable passwords at this time. Does your business need this feature? I would suggest that you open a TAC case and file an enhancement request.

Thanks,

Srinivas.

bmcginn Wed, 02/25/2009 - 16:35

Hi there Sri,

Is ACS 4.2 supported under a VMWare environment? And if so, is there an easy way to move the data from our 4.1 server (physical box running Win2K) over to a Win2003 virtual server?

Thanks,

Brad

smallu Thu, 02/26/2009 - 16:15

Brad,

We do support ACS 4.x on VMWare. You can upload the 4.1 DB into a Windows 2003 virtual server running the ACS 4.2 VMWare image, using the backup and restore utilities that ACS comes with.

You can FTP the database dump from ACS 4.1 to the server, and restore it on the ACS 4.2 VMWare image. ACS 4.2 with its upgrade features allows you an option to restore even a 4.1 image.

Hope this helps!

Srinivas.

johngething Thu, 02/26/2009 - 01:15

Very strange that you can't. This to me seems to be a bit of a security issue: if a network user had his PAP password copied, then someone would have direct access to enable mode.

I will do as you requested and raise a TAC case.

many thanks again!

i.ennassiri Thu, 02/26/2009 - 02:36

Hi there,

I need to know if there is a solution to make a VPN client download a list of backup servers from the ASA, so that if there is a failure with the first VPN server it attempts to connect to one from the downloaded list.

Excuse me for posting my question in this conversation.

Sincerely

smallu Thu, 02/26/2009 - 10:25

Hi There,

The VPN Server list cannot be pushed from the ASA, as the ASA is also one of the VPN Servers. This list needs to be defined on the VPN Profiles.

The VPN Client when installed comes with some preloaded profiles. These profiles have the list of backup servers.

One way to do it is, to have the profiles preloaded with the backup servers at the time of the install, or have the clients manually define these backup servers.

Hope this helps!

Srinivas.

i.ennassiri Thu, 02/26/2009 - 13:09

Can I do it by configuring backup VPN servers in the group attributes?

group-policy <> attributes

backup-servers <>

Thanks

smallu Thu, 02/26/2009 - 16:19

Yes. You can. But keep in mind, this only works as long as the ASA is responsive to the VPN Client. If the ASA is down, this may not work.

Basically, this option works when the ASA may not be available as a VPN server or may not be taking new connections, but is still accessible by the VPN Client. In that case, the ASA pushes the backup server IPs to the client during the IPSec negotiation.

Here is a good reference;

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/b_711.html#wp1330204

Srinivas.

yvon_delgrange Thu, 02/26/2009 - 05:31

Hi there,

I am just facing a problem with an ACS 4.0 server on Windows 2003 SP2, which uses Active Directory as external DB.

Customer reports that after it started to fail (after power failure), he uninstalled and reinstalled ACS 4.0 on the same server, and he is now unable to authenticate users, but also is unable to configure external DB (msg on GUI is : An error has occured while processing the Authen DLL Default Group Page because of an internal error.)

Could you advise on the troubleshooting procedure?

I collected the package.cab, and the MSInfo.txt file shows that the locale is set to Italian. I was just wondering if the ACS installation on Windows still requires that the locale/language is set to Us_English.

Thanks for your advice.

Yvon.

smallu Thu, 02/26/2009 - 15:59

There are several things that could have gone wrong here;

* A corrupted Windows Registry

* missing or corrupted DLLs or other files

A thorough analysis of the package.cab file can give us more insight. I would recommend opening a TAC case, and have it analysed by the development team.

Hope this helps!

Srinivas.
