Greetings,   I've been having some trouble with the ACS x AD Identity Store, since the ACS randomly disconnects from the AD domain and I have to manually 'Test Connection' to get it working again.   Because of that, I was wondering if there is any way to make ACS send a SNMP/E-mail when the ACS disconnects from the domain with the timestamp and reason of the disconnection. Anyone knows how to do that? Thanks in advance. Regards, D.Y. ... View more

Greetings,    I have a simple ASA, ACS, AD schema for RA VPN authentication. All is working for a few months now, but since the initial deployment we have this connectivty issue regarding ACS and MS AD. At random intervals, 1 month/1 week, the ACS connection status becomes "DISCONNECTED" although the CLI shows that ad client is running. But because of that, no RA VPNs can be authenticated. Clock is not a problem, since it didn't change automatically nor was manually configured prior to the malfunction.    What do I do to fix this?     I change the domain name, from the currently working xx.com, to cisco.com for instance, so I can get an error message. Then I set the correct domain name again and click on "Test Connection" until I get a successful message so I can press Save Changes. That usually takes 10-15 tries.    After some research I've noticed a LOT of people have this same problem, even on ACS 5.3. I was wondering if anybody has an oficial solution. I'm not sure how to see the log messages on the ACS itself for further troubleshooting on this matter, but since a simple procedure like the above solves the problem, I'm thinking of a bug. And because of that, I'll apply the latest patch 5.2.0.26 (10) tonight, hoping it solves this odd behaviour.    Any thoughts? Thanks in advance. Regards, Daniel ... View more

Greetings all!   I'd like to ask you guys, if you ever had to configure a deploy in the way my client wants.   We're using Cisco Secure ACS 5.2 as a Proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected and thus I can login into the VPN using my Domain credentials.   But that's not enough. My client needs to limit who can and can't establish VPN session, I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:    1) Using the Microsoft NPS server, via dialin attribute, allow or deny VPN sessions using ACS/ASA;    2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in, Downloadable ACLs will then be applied according to the access policies created for each company.    I've looked for documentation in the Cisco portal but couldn't find anything really useful. Can anyone help me out? Thanks in advance! Regards, Dan ... View more

Greetings! I'm using a 6509 Sup720 FWSM VSS Cluster. Failover isn't active on FWSM modules yet, so I'm using the FWSM module on slot 4 of the VSS Switch and I'm using multiple contexts (multiple-vlan-interface enabled), 1 routed and 13 transparent. The routed is FWCTX-BACKEND. I have a SVI configured for management access in this cluster, which is Vlan 10 (172.20.101.0/24). I have an ACS 1121 appliance on version 5.2.26 which is the TACACS+ AAA device manager (172.20.0.2/25) on Vlan220 whose default gateway is 172.20.0.1 the FWCTX-BACKEND DMZ interface (Vlan220) on FWCTX-BACKEND on the FWSM module. My aaa rules on the 6500 are as follow: aaa new-model aaa authentication fail-message ^CCC*** Failed login. Five consecutive fails will revoke.***^C aaa authentication login default group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization exec default group tacacs+ none aaa accounting exec default stop-only group tacacs+ aaa accounting commands 0 default stop-only group tacacs+ aaa accounting commands 7 default stop-only group tacacs+ aaa accounting commands 15 default stop-only group tacacs+ ! ip tacacs source-interface Vlan10 ! tacacs-server host 172.20.0.2 tacacs-server host 172.20.0.3 tacacs-server timeout 3 tacacs-server directed-request tacacs-server key <OMITTED> The route to the ACS is done, from the MSFC through the FWCTX-BACKEND. From the 6500 config prompt I can ping 172.20.101.250 (Intf Vlan10 @FWCTX-BACKEND) but not 172.20.0.2(ACS) - hence my auth problem. But from the FWCTX-BACKEND(172.20.101.250) I can't ping the 6500 (172.20.101.1). Enabling debug icmp and I get this message: CORE-01(config)#do ping 172.20.101.250 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.20.101.250, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms CORE_CSC-01(config)# *Nov  1 18:44:24.535 BRT: ICMP: dst (172.20.101.1) host unreachable rcv from 172.20.101.250 *Nov  1 18:44:24.539 BRT: ICMP: echo reply rcvd, src 172.20.101.250, dst 172.20.101.1 *Nov  1 18:44:24.539 BRT: ICMP: echo reply rcvd, src 172.20.101.250, dst 172.20.101.1 *Nov  1 18:44:24.539 BRT: ICMP: echo reply rcvd, src 172.20.101.250, dst 172.20.101.1 *Nov  1 18:44:24.539 BRT: ICMP: echo reply rcvd, src 172.20.101.250, dst 172.20.101.1 *Nov  1 18:44:24.539 BRT: ICMP: echo reply rcvd, src 172.20.101.250, dst 172.20.101.1 *Nov  1 18:44:24.543 BRT: ICMP: dst (172.20.101.1) host unreachable rcv from 172.20.101.250 *Nov  1 18:44:24.543 BRT: ICMP: dst (172.20.101.1) host unreachable rcv from 172.20.101.250 There is no way that 172.20.101.1 could be unreachble to 172.20.101.250, they are on the same subnet and using the same vlan tag, so no routes are needed, but apparently thats is what the log states. If I reload the 6500, I can make the first ping from 6500 172.20.101.1 to ACS 172.20.0.2 but as soon as it ends, I can't ping anymore. The same thing happens to my RA access. I've set SSH permission to 6500 at 201.x.x.129, SVI Vlan200, and 201.x.x.132, interface Vlan200 INTERNET FWCTX-BACKEND. I can authenticate a SSH session to the 6500 on ACS only one time after a reboot, every other request to the 6500 are then treated locally, the FWCTX-BACKEND SSH session always authenticate on the ACS and I can't explain why that happens. -- [6500] This SVI on the VSS is: interface Vlan10 ip address 172.20.101.1 255.255.255.0 no ip redirects no ip proxy-arp Routing for this SVI is: ip route 172.20.0.2 255.255.255.255 172.20.101.250 ip route 172.20.0.3 255.255.255.255 172.20.101.250 [FWSM] @FWCTX-BACKEND interface Vlan10 nameif MGMT security-level 60 ip address 172.20.101.250 255.255.255.0 standby 172.20.101.251 interface Vlan200 nameif RA security-level 1 ip address 201.x.x.132 255.255.255.248 standby 201.x.x.133 ! Interface Vlan220 nameif DMZ security-level 52 ip address 172.20.0.1 255.255.255.0 standby 172.20.0.4 ! access-list DMZ_IN line 2 extended permit icmp any any access-list DMZ_IN line 3 extended permit ip host 172.20.0.2 host 10.1.98.64 access-list DMZ_IN line 4 extended permit ip host 172.20.0.3 host 10.1.98.64 access-list DMZ_IN line 5 extended permit ip host 172.20.0.2 any access-list DMZ_OUT line 1 remark ### ACESSO : GCC-ACS-01 : 172.20.0.2 ### access-list DMZ_OUT line 2 extended permit tcp any host 172.20.0.2 eq https access-list DMZ_OUT line 3 extended permit tcp any host 172.20.0.2 eq tacacs access-list DMZ_OUT line 4 remark ### ACESSO : GCC-ACS-01 : 172.20.0.2 @ad ### access-list DMZ_OUT line 5 extended permit tcp any host 172.20.0.2 eq 88 access-list DMZ_OUT line 6 extended permit tcp any host 172.20.0.2 eq 445 access-list DMZ_OUT line 7 extended permit tcp any host 172.20.0.2 eq 464 access-list DMZ_OUT line 8 extended permit tcp any host 172.20.0.2 eq 3268 access-list DMZ_OUT line 9 extended permit udp any host 172.20.0.2 eq ntp access-list DMZ_OUT line 10 extended permit udp any host 172.20.0.2 eq 389 access-list DMZ_OUT line 11 remark ### ACESSO : GCC-ACS-02 : 172.20.0.3 ### access-list DMZ_OUT line 12 extended permit tcp any host 172.20.0.3 eq https access-list DMZ_OUT line 13 extended permit tcp any host 172.20.0.3 eq tacacs access-list DMZ_OUT line 14 remark ### ACESSO : GCC-ACS-02 : 172.20.0.3 @ad ### access-list DMZ_OUT line 15 extended permit tcp any host 172.20.0.3 eq 88 access-list DMZ_OUT line 16 extended permit tcp any host 172.20.0.3 eq 445 access-list DMZ_OUT line 17 extended permit tcp any host 172.20.0.3 eq 464 6 access-list DMZ_OUT line 18 extended permit tcp any host 172.20.0.3 eq 3268 access-list DMZ_OUT line 19 extended permit udp any host 172.20.0.3 eq ntp access-list DMZ_OUT line 20 extended permit udp any host 172.20.0.3 eq 389 access-list DMZ_OUT line 21 remark ### ACESSO : GCC-ACS-01 : 172.20.0.2 access-list DMZ_OUT line 22 extended permit tcp host 172.20.0.2 any eq https access-list DMZ_OUT line 23 extended permit tcp host 172.20.0.2 any eq tacacs access-list DMZ_OUT line 24 remark ### ACESSO : GCC-ACS-01 : 172.20.0.2 @ad ### access-list DMZ_OUT line 25 extended permit tcp host 172.20.0.2 any eq 88 access-list DMZ_OUT line 26 extended permit tcp host 172.20.0.2 any eq 445 access-list DMZ_OUT line 27 extended permit tcp host 172.20.0.2 any eq 464 access-list DMZ_OUT line 28 extended permit tcp host 172.20.0.2 any eq 3268 access-list DMZ_OUT line 29 extended permit udp host 172.20.0.2 any eq ntp access-list DMZ_OUT line 30 extended permit udp host 172.20.0.2 any eq 389 access-list DMZ_OUT line 31 remark ### ACESSO : GCC-ACS-02 : 172.20.0.3 access-list DMZ_OUT line 32 extended permit tcp host 172.20.0.3 any eq https access-list DMZ_OUT line 33 extended permit tcp host 172.20.0.3 any eq tacacs access-list DMZ_OUT line 34 remark ### ACESSO : GCC-ACS-02 : 172.20.0.3 @ad ### access-list DMZ_OUT line 35 extended permit tcp host 172.20.0.3 any eq 88 access-list DMZ_OUT line 36 extended permit tcp host 172.20.0.3 any eq 445 access-list DMZ_OUT line 37 extended permit tcp host 172.20.0.3 any eq 464 access-list DMZ_OUT line 38 extended permit tcp host 172.20.0.3 any eq 3268 access-list DMZ_OUT line 39 extended permit udp host 172.20.0.3 any eq ntp access-list DMZ_OUT line 40 extended permit udp host 172.20.0.3 any eq 389 access-list DMZ_OUT line 41 extended permit ip host 10.1.98.64 host 172.20.0.2 access-list DMZ_OUT line 42 extended permit ip host 172.20.0.2 host 10.1.98.64 access-list DMZ_OUT line 43 extended permit ip any host 10.1.98.64 access-list MGMT_IN line 1 extended permit ip any any access-group DMZ_IN in interface DMZ access-group DMZ_OUT out interface DMZ access_group MGMT_IN in interface MGMT -- Resume: SSH 201.x.x.129 (6500) > aaa credentials @acs: only first connection after a reboot will work                                         > aaa credentials LOCAL: after that only local credentials will work since it can't connect to ACS through FWSM SSH 201.x.x.132 (FWSM) > aaa credentials @acs: everytime ok Can anyone give any help? Thanks in advance, Dan ... View more

Greetings,   I'm having a lot of trouble trying to add Cisco ACS 5.2 to my client AD Domain. I have two different behaviours everytime I try to sync ACS and AD:   1) After 2 seconds I get the CAN NOT RESOLVE NETWORK ADRESS   2) I reamins trying for ever, my browser (tried IE9 and Firefox 6) freezes on "Read 172.20.0.2" message.   I can ping the AD IP from the ACS console and vice-versa. On the NSLOOKUP domainname from the ACS console I get a big list but the actual AD ip listing is there, not on the first line, but it's there.   First question: how can I know what is wrong? is there any debug I can see on the ACS, to try to see which message states this connection problem?   Second question: what is the correct timezone in the ACS cli for Brazil's timezone? I know it's GMT-2 but in the show timezones I see this:   ...   MST7MDT   Universal   Zulu   Navajo   Brazil/West   Brazil/East   ...   CET   PST8PDT   ...   So i assume CET equals GMT-2. Is that right? What about summertime?   Thanks in advance! At, Daniel ... View more

Greetings!    I'm currently on a project which uses FWSM modules on 6509 Chassis running VSS. I'm facing some dificulties to set remote admin access to the 6509 through 2 FW contexts from WAN. This should be a simple task but... What am I  missing?    I'm uploading a zip file with what I think will help you guys to better understand this situation. Thanks in advance. Regards, Dan ... View more

Greetings!       Currently I have a specific need on  security compliance checks using the Cisco  NAC solution (CAM) and consequently the Nessus Famework. The deployment environment is based on Desktops  using Linux as OS and here are the 4 basic checks: Kernel version: i.e. if not version 2.6.35 or higher it should point as a security breach. Service check: i.e. if iptables is running it should point as a security breach. File check: i.e. if there isn't a file seccheck.txt on /usr/lib/  it should point as a security breach. String  check within a File: i.e. if the string @#$%¨&* is not on the file  seccheck.txt on /usr/lib/  it should point as a security breach.      As I understand I'll need specific Linux plugins for the Nessus Framework and  then I was wondering if there is any available plugin that actually  does that or I'll have to custom code write each of the,  3 or 4 as I  see it. Besides that, I know that audit files can do that easilly on Nessus, but does the CAM recognizes these audit files? Or is it plugins only?     If not, can anyone give any help here? Thanks in advance. Regards, Dan ... View more