ACS auth problem

Unanswered Question
Sep 2nd, 2009

Guys, after spending 6 hours of troubleshooting today I was unable to get the desired results on ACS 4.0, so I will refer to someone who can really help me out with my problem. We have an ACS server (domain controller) on Windows 2003. We wanted to have a backup server so that it can fail over if the primary fails; it's the same domain controller. I installed the backup server and configured a AAA server on the secondary (IP and name of the primary) and did the same on the primary for the backup. Replication started without any problem; I could see all the config on the secondary after replication. Guys, the ACS does RADIUS authentication using Windows Active Directory, and ACS is only used for wireless authentication. I went to WCS and created a template so that I can push the config to all the wireless controllers; we have 30 sites all over the country. Now when I was creating the template it asked me for a shared secret, so I put the key of the secondary server (which I set as ABS%DD). While I was configuring the secondary server there was an option of HEX and ASCII, so I checked the already configured template for the primary and chose ASCII. I failed one of the sites over to the secondary server, but clients were unable to get authenticated. I did some troubleshooting, and while I was doing that I realised that although the logs say it got replicated, when I checked the network configs the groups were not mapped. In groups I can see all the groups, but in the config (external database) no group was mapped. Why is that?
I tried to map it and somehow did it, but again the clients were not able to get authenticated. Then I decided to go through all the docs again but couldn't find any help. I thought that the shared secret was wrong, as the Cisco doc says that it's the key of the AAA client. I jumped to the primary server and checked all the AAA clients (wireless controllers) and many have different keys, so I was confused which key I have to put, as for WCS I connect to a different server which is not an AAA client. Guys, please help me out as I am feeling very down. I have attached one of the screenshots for your review. Please don't refer me to any doc, as I have seen many but couldn't find my problem. What am I doing wrong? Can someone please tell me? Thanks a lot, guys.



Jagdeep Gambhir Wed, 09/02/2009 - 08:14

No doubt it is a shared secret mismatch. In ACS you only need to give the shared key in the box listed after the IP address section.

That same key you need to put on the WLC. Don't make any change in the RADIUS Key Wrap section; let it be on the default settings.


Regards,

~JG


Do rate helpful posts



The_guroo_2 Wed, 09/02/2009 - 16:30
Thanks for your lovely reply, but my question still stands; I guess I failed to explain properly, so I will do it a second time.


1- When I did replication the secondary server got everything, but when I go to the external database tab, where there is a database group mapping icon, and click on that, it's only showing Default, while if I check the primary one it shows me the domain name and the groups associated with it. Why is that? Why is it not replicated, even though if I go to Group Setup on the secondary I can see all the groups? This is a concern.


2- We have WCS as we have 30 controllers. We already have a template set for the controllers; when I make a new template for the new RADIUS server it asks me for a shared secret. Now if I go to the secondary ACS, in the Network tab I see AAA clients (the addresses of all 30 controllers), and under AAA servers I can see the secondary as well as the primary server. Now if I click the controllers there is an IP address and a key, but the key is different for all 30 servers, so which key should I put in the template in WCS (that is an issue)? Now if I click the AAA server it has a key as well. Am I supposed to put that key or a different key? These are two big concerns. Lastly, when I go to the System Configuration tab, then go to the Service tab and click Restart, nothing... nothing happens; after 2 min it tells me that the ACS has stopped. Why is that? Kindly help me out as I am really tense about this.

Vinay Sharma Wed, 09/02/2009 - 23:01

Hi,


Regarding your first question, please enable NAP on the primary and secondary ACS. By checking NAP it will start sending the external database configuration, like group mapping etc.


++++++++++++++++++++++++++++++++

Network Access Profiles

A collaboration of configuration settings. These include: Network Access Profiles, Posture Validation settings, AAA clients and hosts, external user database configuration, global authentication configuration, NDGs, user-defined RADIUS dictionaries, shared profile components, logging configuration, GAME Group Feedback configuration, databases for MAC Authentication Bypass, EAP-TLS for PEAP configuration, EAP-TLS configuration, and Key Wrap allowed configuration.

++++++++++++++++++++++++++++++++++++++++


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756374


+++++++++++++++++++++++++++++++++++++++


Regarding the 2nd issue:

WCS is able to identify your 30 WLCs, and in order to secure the communication between WCS and WLC they require a shared secret to create the secure tunnel.

Now there are 2 points.

Point 1: communication between your WCS and WLC. They will use a different shared secret key to communicate with each other.

Point 2: ACS and WLC will use a different shared secret key to communicate with each other, which you defined on the controller for AAA and on ACS for the WLC.

So the template on WCS will require the shared secret you define on the WLC, and it has nothing to do with the ACS-defined shared secret. All auth requests will follow the path

User --> LWAPP --> WLC --> ACS --> AD.

WCS is used only to push the config to the WLCs.

Now, since you want to configure a RADIUS server template on WCS, you have to add the WCS as a RADIUS client in ACS, then define the shared secret and use the same in the template. The reason to add WCS in ACS is that if WCS sends any RADIUS packet to ACS, ACS will know that this device is known to ACS and will not discard the packet.


http://www.cisco.com/en/US/partner/docs/wireless/wcs/5.2/configuration/guide/5_2temp.html#wp1066056


3rd issue:

If you are using Firefox, try to use IE, because this is a browser issue.


Vinay
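The two replies above both come down to the same RADIUS fact: the NAS (here the WLC) and the server (here ACS) must hold the identical shared secret, because that secret is mixed into both the User-Password hiding and the Response Authenticator, and the protocol has no separate "wrong secret" error. The following Python script is an added illustration and is not part of this thread or of any Cisco code; it implements the RFC 2865 password hiding and Response Authenticator on constructed packets and walks one Access-Request round trip with matching and with mismatched secrets. The secret ABS%DD is taken from the original post; the user name, password and Request Authenticator are constructed test values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(type_code, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def parse_attributes(data):
    """Return {type: value} for the attribute block of a packet, rejecting bad lengths."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[pos + 2:pos + length]
        pos += length
    return attrs


def _md5_xor_stream(data, secret, request_auth, decrypt):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block),
    where 'previous block' is the Request Authenticator for the first block and the
    previous *ciphertext* block afterwards."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(x ^ y for x, y in zip(block, keystream))
        out += result
        prev = block if decrypt else result
    return out


def hide_password(password, secret, request_auth):
    # Pad with NULs to a multiple of 16 bytes (minimum 16), then apply the MD5 chain.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _md5_xor_stream(padded, secret, request_auth, decrypt=False)


def reveal_password(hidden, secret, request_auth):
    return _md5_xor_stream(hidden, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth):
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request_auth, secret):
    """What the NAS does on receipt: recompute the authenticator with its own secret."""
    header, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(response_auth, expected)


def simulate_exchange(client_secret, server_secret, request_auth=None):
    """One Access-Request round trip: the NAS (WLC role) uses client_secret,
    the server (ACS role) uses server_secret. Returns what each side observed."""
    request_auth = request_auth or os.urandom(16)
    expected_password = b"hunter2"  # constructed test credential, not from the thread
    req = build_access_request(42, b"alice", expected_password, client_secret, request_auth)

    # Server side: unhide the password with *its* secret and decide.
    attrs = parse_attributes(req[20:])
    seen = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, req[4:20])
    code = ACCESS_ACCEPT if seen == expected_password else ACCESS_REJECT
    resp = build_response(code, req[1], req[4:20], b"", server_secret)

    # Client side: a response whose authenticator does not verify is silently dropped,
    # which the user experiences as a timeout rather than an explicit reject.
    return {
        "server_saw_password": seen == expected_password,
        "server_code": code,
        "client_verified_response": verify_response(resp, request_auth, client_secret),
    }


if __name__ == "__main__":
    print("matching secrets:", simulate_exchange(b"ABS%DD", b"ABS%DD"))
    print("mismatched secrets:", simulate_exchange(b"ABS%DD", b"WRONG-KEY"))
```

With matching secrets the server recovers the password and the NAS verifies the Access-Accept; with a mismatch the server decodes garbage (so it rejects), and the NAS cannot verify whatever comes back, so it discards it. That is why a mismatched or missing AAA-client entry shows up as an unexplained authentication failure on the WLC rather than as a clear error, and why the per-client key on ACS must equal the key configured on that specific controller, not the key of some other AAA server entry.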

The_guroo_2 Thu, 09/03/2009 - 00:41

Vinay

First of all I would like to thank you for your kind reply; it is really nice of you to take the time to write such a nice and comprehensive reply. I am really thankful to you. Now, when I check the NAP box and do replication, it comes up with an error saying that Network Configuration Device Tables and NAP can't replicate together. Why is that? Now, what if I uncheck Network Configuration Device Tables and do NAP along with the other ones; once it gets replicated I then uncheck NAP and do the device tables. Will it work? I have read somewhere that ACS overwrites the whole database, so in that case it will not work. What do you say??? Thanks again.

Vinay Sharma Thu, 09/03/2009 - 01:23

This is what the NAP component will do:

Replication of Network Access Profiles contradicts the replication of Network Configuration Device tables; therefore, do not check both of these components at the same time. NAP settings will override all other settings. Dynamically mapped users are not replicated, only statically added users are replicated.


If you already have the replication for the primary and fallback server configured, then there is only one way to replicate the external database configuration, i.e. through the NAP component. I personally have not seen any issue with customers if they check NAP, since we don't have any other way.

If you have any specific configuration on the primary which you don't want to send to the secondary (check the NAP component details), then there is no workaround for that.


Vinay

The_guroo_2 Thu, 09/03/2009 - 01:37

Look, we had a server before which has been taken off; now we have built a new server to do the job. Now the doc says that Network Configuration Device Tables will replicate the AAA servers and clients defined in the Network tab to the secondary.

So if I check NAP first and do replication, and then uncheck it and check Network Configuration Device Tables, it should be alright, or not?????? I need your expert opinion.


Vinay Sharma Thu, 09/03/2009 - 01:54

You don't need to change anything. Check NAP and it will push your AAA clients and hosts and NDGs, which are again Network Configuration Device Tables components [AAA Servers tables, the AAA Clients tables in the Network Configuration section, Key Wrap keys as part of host configuration, or Network Device Groups (NDG)].


+++++++++++++++++++++++++++++++++++++++

For better clarification compare the following:

Network Configuration Device tables

AAA Servers tables, the AAA Clients tables in the Network Configuration section, Key Wrap keys as part of host configuration or Network Device Groups (NDG), and Remote Agents configuration. This option also controls whether NDGs are replicated.


If you intend to use cascading replication to replicate network configuration device tables, you must configure the primary ACS with all ACSs that will receive replicated database components, regardless of whether they receive replication directly or indirectly from the primary ACS. For example, if the primary ACS replicates to two secondary ACSs that, in turn, each replicate to two more ACSs, the primary ACS must have AAA server configurations for all six ACSs that will receive replicated database components.


AND


Network Access Profiles

A collaboration of configuration settings. These include: Network Access Profiles, Posture Validation settings, AAA clients and hosts, external user database configuration, global authentication configuration, NDGs, user-defined RADIUS dictionaries, shared profile components, logging configuration, GAME Group Feedback configuration, databases for MAC Authentication Bypass, EAP-TLS for PEAP configuration, EAP-TLS configuration, and Key Wrap allowed configuration.


Replication of Network Access Profiles contradicts the replication of Network Configuration Device tables; therefore, do not check both of these components at the same time. NAP settings will override all other settings. Dynamically mapped users are not replicated, only statically added users are replicated.


++++++++++++++++++++++++++++++++++++++++

So if you select the NAP component, then you don't need to uncheck it and check Network Configuration Device Tables, because NAP will take care of it.


Vinay
