AAA/Identity/Nac :: ACS5.2 - Implementing IP Phones In Network?
Oct 13, 2011
We have a customer with an implementation of ACS5.2 in a Windows environment. Now they want to implement IP phones in the network.
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how I'm configured for the test. I have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule I'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails I need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have an Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address.
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.
I managed to connect ACS5.1 to the AD; users will be able to get authenticated against the AD when the state is shown as 'CONNECTED'. This will work OK for a day or so and then goes into a 'DISCONNECTED' state, and users will no longer be able to authenticate. Is this a known error, or is this an error from the Microsoft ws2k3 server side?
I am trying to secure changes to switches using ACS 5.3 and allowing our technicians to only change the vlan for user ports on the switches. How can I use regular expressions to filter out the 1/1/# ports so that those ports cannot be accessed in config mode? If I allow the following, it allows access to all interfaces with 'gi' in them.
I know ACS 5 lacks the IP Pools of earlier ACS versions. I'm looking at a 4 to 5 migration and was thinking of just configuring the IP Pools on the router ("ip pool local" etc) and sending back a RADIUS Cisco Attribute pair with the name of the pool. (Seemed like a neat fix, needs no extra kit, etc.)
I could have sworn that attribute pair existed... but I can't find it in ACS5! What's its name?! Where is it!? Or have I gone mad!? (And, if I have gone mad, how would you go about fixing it?)
After implementing TACACS, one of our routers takes about 8 seconds to respond to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
Is it possible to create on ACS5 a rule which will:
1. Try to authenticate user in external database1 (radius)
2. When external database1 returns FAIL (because of bad password) ACS5 should try to authenticate user in another external database2 (radius)
I am trying to configure Fortigate firewall for device authentication through TACACS+ using Cisco ACS 5.2.
I was wondering if anyone had experience working on this scenario. I am looking for the authorization command attribute to grant admin access.
I want to export the ACS local user's records. Then import to another ACS5.3 server. But the export file does not contain the user's password record. I cannot import it well...
We are moving network devices (200+) authentication/authorization/accounting to new ACS5.2. Is there any easy way to copy/sync all those AAA clients' configuration to another ACS5.2 server? I don't need other configuration to be synced/copied to another ACS5.2 server.
I'm trying to dynamically assign IP addresses for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51") but I'm not exactly sure what I can and can't do with it. In "Authorization Profiles" in the RADIUS Attributes tab I try to manually add a specific Attribute (Framed-IP-Address).
I have no problem (everything works just fine) with static address assignment in a way as below:
AD is already integrated with ACS and I've managed to download Directory attributes, especially msRADIUSFramedIPAddress.
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select", which should list all available attributes, is empty).
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it.
I have a Cisco ACS 5.1 virtual appliance which has been working fine, I have however just discovered that it is now unable to provide me with any logs. TACACS authentication is still working without any issues, the only problem I have is viewing the logs.
I have everything working on a new 5.2 ACS but: I can only make a command set that permits things and denies all. I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands, and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf" for instance.
Then it works as expected, it allows the commands that are permitted and denies all unspecified commands. I know I am in the right command set because the changes I make are reflected immediately. Can someone test the "Permit any command that is not in the table below" and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.
I'm having trouble getting things working on a pair of ASA5510's using Cisco Secure ACS v5.1. We were previously using a much older version of ACS to these (and a lot of other) devices which worked OK for remote access for read/write use. Am in the process of migrating to the new ACS software and have got it working OK to everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.
We are trying to make a restore from the backup done on ACS version 5.1 to a new appliance running ACS5.2. Before doing it I found this note in the Cisco ACS user guide:
Note: You cannot back up data from an earlier version of ACS and restore it to a later version. Backup and restore must be performed on the same version of ACS. If you need the data on a different version of the ACS, you can perform an upgrade after you restore the data. Refer to the Installation and Setup Guide for Cisco Secure Access Control System 5.1 for more information on upgrading ACS to later versions.
How should I understand it? This note has conflicting statements. We can't restore to a later version but if you need data on a different version of ACS you can perform an upgrade AFTER YOU RESTORE the data. Doesn't it mean that the restore will still work? How would I do the upgrade to version 5.2 or even version 5.3 that was announced to be released very soon? I didn't find anything on the software upgrade in ACS5.1 guide.
I am using ACS5.2. I want the user to access the device with all necessary commands like show run/ver/int/log… I try to set user privilege using Shell from 1 to 10 but show run doesn't work.
I configured an IP pool on a VPN 3000 concentrator. I wanted an attribute to use on the network access profile on the ACS 5.3. I was advised to use pool name. However, we don't have a pool name attribute on the VPN concentrator, only IP range and subnet mask. How do I refer to an IP pool on the VPN concentrator in ACS5.3? Is there another attribute I can use on ACS5.3 to invoke a pool on CVPN3000, like IP range...?
My company requires that each dial-in user must have a fixed IP. The old ACS4 can, but I cannot find the same configuration item in the ACS5.2.
I had a problem with authentication using AD group membership. The website below is the way I configured ACS.
[URL]
I'm using ACS 5.1.0.44 and this version has a bug: ACS cannot read the AD group. I have to add it manually. After I change the access policy from Internal user to AD1, I can use any AD ID to pass authentication. I finished all config from the website and had the same result.
I checked the access policies -- default device admin -- authorization; the new rules I created had no hit count. How can I make sure that I made the right config?
We plan to use machine certificates on our notebooks with Windows Vista. Our authenticating server is Cisco ACS 5.1. To access the wireless network we want to use the machine certificate of the notebook and a verification of the corresponding computer account in the Active Directory. What authentication method is the best to check the machine certificate and whether the enabled corresponding computer account exists in the Active Directory? How to configure the ACS and the notebook to use it as described?
I am using Cisco ACS5.3 to authenticate users (using radius) for a Cisco ASA firewall for both WebVPN and IPSEC client connections. I have been able to do this successfully. However I need to be able to deploy Cisco vendor specific attributes (VSA) for both IPSEC and WebVPN sessions using authorisation profiles. Ideally I don't want to have to combine the attributes required for both services in the same authorisation profile, as I will have to produce a lot of different profiles for the different combinations.
The only way I can see that you could possibly do this is by having service selection rules that can differentiate between WebVPN and IPSEC Radius authentication requests. I have experimented with inbound VSAs without success. Is this possible?
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3. The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only supports one auth-mechanism per port!). The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At: April 16,2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device:
[code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this; MAC-address: 00-26-55-88-6B-3D
Why does ACS5.3 require a 500GB datastore? What for? Do we still need this when we use an external database? I am in the process of migrating from ACS4.2 to 5.3.
Our customer has the business need to authenticate remote users against AD with an empty password. I've seen the ACS5.1 release notes, which mention a resolved issue: #CSCte72751 #ACS 5.1 drops authentication with empty password.
I tried to authenticate dial-in users through Tacacs and Radius against AD with an empty password but without success. ACS points to a wrong AD password. Is it possible to authenticate remote users with an empty password?
About to apply a patch for the first time on the ACS 5.3 tonight. I have tftp'd it onto a directory I have created on the server. However my support hints I may have to rename the file? (copy the latest patch file you got from Cisco – you may need to rename as gpg) Current filename is 5-3-0-40-7.tar.tar
So would I need to rename this as 5-3-0-40-7.tar.gpz? If so I will rename it on my PC and redownload it on tftp.
My question is about ASA and ACS5.2 users. My ASA has SSL VPN and IPSEC VPN, and my ACS5.2 has many users, for example, wireless users. I would now like to establish an independent user group with only the VPN user names and passwords, so that both ASA VPNs only allow users in this independent ACS5.2 group to log in. How do I configure this?
I have ACS4 and I am planning to upgrade to ACS5. I would like to have rules such as these: I have user1 and one ASA device which is the VPN concentrator for remote users. The ASA has two different tunnel-groups: one which allows logging in via certificate (with mandatory PKI authorization through ACS) with Xauth disabled, and a second tunnel-group which allows login through typical Xauth with authorization through ACS, which uses an external database (RSA Tokens). So I have one user1 which can log in through VPN using an RSA tokencode or a certificate. For example: on the phone user1 uses the certificate, and on the PC station the same user1 uses the token password. For the tunnel-group with PKI authorization the ASA checks the username in ACS, and in the typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for PKI authorization, and a second one for the external database (RSA token). Is such a scenario possible under ACS 5, where one user uses different credentials based on tunnel-group usage?
What is the maximum number of AAA clients supported by a single ACS5.3 instance?
I am doing MAB (MAC authentication bypass) for IP phones and printers.
But these devices are authenticated with different identity stores (IP phones with AD, printer local host on ACS).
Is there any specific AV Radius attribute that I can use in the compound conditions selections which is specific to the IP Phones?
So when doing the Authentication, I could separate each type (IP phones or Printers) with the appropriate database.
The desktop team has asked me to set up multicast in our network for building PCs, as they will be deploying a few hundred of them starting in two weeks. We currently do not have multicast set up, and the only experience I have with it was during my certification studies, so I have a lot to catch up on quickly. They will be sending the build traffic from a single server. The network environment is simple: a 3750 stack as the router/distribution layer and mainly 3550s as access. The PCs that they will be imaging will be on one VLAN that is already designated for PXE builds. This VLAN is across multiple switches. Is it possible to just enable the multicast features on a single VLAN? I have been reading around but not finding much other than very in-depth Cisco papers.
I have a CUCM BE environment with a number of remote users with 8961 phones connecting to an ASA 5501 via AnyConnect. The phones register fine and can make inbound/outbound calls as well as four digit dialing to other users at the corporate site.
The problem is when a remote user tries to four digit dial another remote phone. The called phone will ring but there is dead air once answered and then the line goes dead.
This sounds like a routing issue to me. How to get AnyConnect clients to be able to reach each other?
I have a task to compare different approaches to implementing InterVLAN routing in a campus network. Google suggests only Cisco technologies for such a query. But what I need is also other companies' solutions (like Dell, HP etc), cost of the implementations, pros and cons.