RE: Upgrade ACS 4.1.1 to 4.1.3 or higher

From: Scott Morris (smorris@internetworkexpert.com)
Date: Mon Feb 09 2009 - 00:45:03 ARST


Or at least I'd make sure I had someone else's documented name responsible
for the unethical decisions rather than setting up to be a scapegoat!

Scott

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Darby Weaver
Sent: Sunday, February 08, 2009 9:16 PM
To: Edouard Zorrilla
Cc: Sadiq Yakasai; security@groupstudy.com; ccielab@groupstudy.com
Subject: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher

I get confused when a company wants to achieve a level of Security
Compliance but may be unwilling to pay for the required level of service...
which by some strange definition in my mind would make them non-compliant
for using illegally obtained software that would put their company at even
greater guaranteed/imminent liability.

Check with your CFO/CTO/CIO and explain the scenario and the reason why you
need the software. If it's important enough they will come up with a PO
and your local Cisco SE can probably get you access to the software upgrade
you need asap.

It's much better to not cut corners and to simply play the game according to
the rules. It demonstrates maturity, character, integrity, and ethics.
If the company does not value these virtues, I'd find a new company that
does.

On Sun, Feb 8, 2009 at 7:32 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:

> Sadiq,
>
> Thanks for getting back to me.
>
> ACS4.1 speaks with Vasco Server using radius protocol.
>
> Regarding Vasco, it is doing an authentication external DB so that people
> can use their token with a password that changes over time. That is
> something we want to achieve for the ISO 27001.
>
> I know that my config is all right because of the next:
>
> 1.-
> When I enter to my company using cisco VPN Client, I use the token
> successfully:
>
> [MyPC]-------(INTERNET)--------[VPN-SERVER-CISCO]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
>
> 2.-
> When I enter to my switches on my company, I authenticate successfully as
> well:
>
> [SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> Nevertheless it failed when I use 802.1x:
>
> [PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> Here I see that the ACS never sends the packet to the Vasco Server
> (wireshark told me that); the only message I get on the logs is:
> "External DB password invalid". I do not know why the ACS prints this
> message if the packet never leaves the ACS, nor does the Vasco get the
> packet asking for authentication.
>
>
> That is why I just wanted to change the version from ACS4.1.1 to ACS4.1.3
> and figure out whether or not the problem is a bug in that version,
>
> Thanks a lot,
>
> Regards
>
> ----- Original Message -----
> From: Sadiq Yakasai
> To: Edouard Zorrilla
> Cc: security@groupstudy.com ; ccielab@groupstudy.com
> Sent: Sunday, February 08, 2009 7:07 PM
> Subject: Re: Upgrade ACS 4.1.1 to 4.1.3 or higher
>
>
> Ed,
>
> How can ACS4.1 speak RADIUS to another Server???? I am not sure that is
> correct there.
>
> So what does this VASCO server do at all? Is that the DB that contains the
> user information? If you can provide some more detail of what you are
> trying to do that would be great too!
>
> How have you configured ACS??? Have you isolated that the issue is not to
> do with your config??
>
> Thanks,
> Sadiq
>
>
>
> On Sun, Feb 8, 2009 at 11:50 PM, Edouard Zorrilla <ezorrilla@tsf.com.pe>
> wrote:
>
> Hi there,
>
> Is anyone there who can share with me the upgrade from ACS 4.1.1 to
> 4.1.3 or 4.1.4 for example? I am having problems with a config and I
> guess this is a bug:
>
> [PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> PC-USER can not log-in with 802.1x. I have used EAP-MD5 and PEAP w/o
> luck. The message I get inside the ACS is that user is not sending the
> right password: "External DB password invalid". The interesting thing is
> that the packet never leaves the ACS to go to the Vasco Server.
>
> Nevertheless, PAP works good with ACS and Vasco. For instance when I try
> to login inside the SWITCH, it works very well.
>
> [SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
>
> That is why I need to upgrade my ACS. I know that I should go to the TAC
> to ask a soft but here someone forgot to renew the contract with Cisco :(
> and I am asked inside my company to finish with this problem. I just want
> to figure out if a bug is the problem, I would not run it on my live
> network. Anyone who can help me with the upgrade patch please send me an
> email offline.
>
> Any help will be appreciated,
>
> Regards
>
> PS: I already used the latest patch for ACS 4.1.1, what I want is to
> upgrade at the latest to ACS 4.1.3 and see if things work fine there.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
> --
> CCIE #19963




This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST