From: Sadiq Yakasai (sadiqtanko@gmail.com)
Date: Mon Feb 09 2009 - 08:15:04 ARST
Scott and Darby, I couldn't agree with you more on that! But back to why we
are here as techies ... :-)
Edouard,
I am confident this is not a bug to do with ACS at all!
Going through the documentation of your VASCO server, this server is meant
to sit **between your AAA client (authenticator, switch) and ACS**! However,
it seems you have placed the VASCO server *behind* your AAA server! It is
only when you configure TACACS that you have it behind the AAA server.
From what I am seeing, this VASCO server should be caching/sniffing the
system for users on the network. AND it does not speak RADIUS with ACS. All
it seems to do is proxy RADIUS between the switch and ACS. Hence what you
see:
"PC-USER can not log-in with 802.1x. I have used EAP-MD5 and PEAP w/o luck.
The message I get inside the ACS is that user is not sending the right
password: "External DB password invalid". The interesting thing is that the
packet never leaves the ACS to go to the Vasco Server."
So, if you can reconfigure your setup correctly, I am confident you will see
some level of progress there :-)
HTH,
Sadiq
On Mon, Feb 9, 2009 at 5:44 AM, Farrukh Haroon <farrukhharoon@gmail.com> wrote:
> You may check this link out:
>
>
> http://www.vasco.com/documents/literature/pdf/VRM_Interoperability_Guide_for_Cisco_ACS1.pdf
>
> Regards
>
> Farrukh
>
> On Mon, Feb 9, 2009 at 2:50 AM, Edouard Zorrilla <ezorrilla@tsf.com.pe> wrote:
>
> > Hi there,
> >
> > Is anyone there who can share with me the upgrade from ACS 4.1.1 to 4.1.3 or
> > 4.1.4, for example? I am having problems with a config and I guess this is
> > a bug:
> >
> > [PC-USER]-------Prot.=802.1x(PEAPandEAP)--------[SW-C2950]--------Prot.=Radius--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
> >
> > PC-USER can not log-in with 802.1x. I have used EAP-MD5 and PEAP w/o luck. The
> > message I get inside the ACS is that user is not sending the right password:
> > "External DB password invalid". The interesting thing is that the packet never
> > leaves the ACS to go to the Vasco Server.
> >
> > Nevertheless, PAP works well with ACS and Vasco. For instance when I try to
> > login inside the SWITCH, it works very well.
> >
> >
> >
> > [SW-C2950]--------Prot.=Radius(PAP)--------[ACS4.1]--------Prot.=Radius--------[VACMAN(Vasco)Server]
> >
> > That is why I need to upgrade my ACS. I know that I should go to the TAC to
> > ask a soft but here someone forgot to renew the contract with Cisco :( and I
> > am asked inside my company to finish with this problem. I just want to figure
> > out if a bug is the problem, I would not run it on my live network. Anyone who
> > can help me with the upgrade patch please send me an email offline.
> >
> > Any help will be appreciated,
> >
> > Regards
> >
> > PS: I already used the latest patch for ACS 4.1.1, what I want is to upgrade
> > at the latest to ACS 4.1.3 and see if things work fine there.
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
-- CCIE #19963
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:10 ARST