AAA/Identity/Nac :: Cat4500e ISE Support On Third Party Switch Doing 802.1x Authentication On Interface

Jun 8, 2013

How does ISE support a third-party LAN switch if the requirement is doing 802.1X-based FlexAuth? Refer to the diagram I attached: 01 topology.png
 
Concern 1: If the 3Com switch has the 802.1X feature but still lacks the full feature set to support FlexAuth, policy enforcement, dACL etc., will the user in this situation still be able to authenticate (using PEAP-MSCHAPv2), with authorization just granting permit any any?
 
Concern 2: Can I assume I authenticate the 3Com switch using MAB? But this will leave the endpoints with no 802.1X, am I right?
 
Concern 3: Cisco switch C4507-E, loaded with IOS version cat4500e-UNIVERSALK9-M, version 03.04, and Supervisor Engine WS-X45-SUP7-E: is this platform supported in Cisco TrustSec?




Cisco AAA/Identity/Nac :: ASDM 6.5(1) For ASA-SM Doesn't Support RSA / SDI Authentication

Apr 23, 2013

I'd like to configure ASDM access to the ASA-SM using RSA SecurID authentication. I've followed the instructions in this document: [URL]. When I test access from the CLI everything looks fine:
 
asa-vss/admin/act# test aaa-server authentication RSA
Server IP Address or name: xx.xx.xx.xx
Username: testuser
Password: **********
INFO: Attempting Authentication test to IP address <xx.xx.xx.xx> (timeout: 12 seconds)
INFO: Authentication Successful

[code]....
 
When I try to use ASDM, I'm unable to log in and I can see a lot of authentication error (Token reuse) messages in the RSA server monitor window. It looks like ASDM 6.5(1) for ASA-SM doesn't support RSA/SDI authentication.


Cisco Switching/Routing :: Interface Numbering Plan On CAT4500E With SUP7-E Or SUP7L-E

Feb 1, 2013

We are planning for the first installation of 4500 switches containing these supervisor modules. I'm trying to determine the interface numbering convention for ports on the supervisors. Our existing 4500E all have SUP6 modules with twin-gig converters, so I am familiar with the numbering conventions used on those supervisors. How does this change with the software-based selection command "hw-module uplink select" used in SUP7?


Cisco VPN :: 3rd Party Certificate And AAA Authentication ASA 5520

Oct 24, 2011

I am using a Cisco ASA 5520 and I have set up remote access VPN with an AnyConnect connection profile. In the connection profile I have set up that users should authenticate using both certificate and AAA. Due to a high security requirement, the user certificate is issued by a 3rd party. This is working fine and the user now needs a valid certificate and a username/password to authenticate successfully. I added the CA certificate as an associated trustpoint on the ASA box to get the certificate verification working.

Problem: If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combination of Joe's certificate and Jane's username/password. Both are valid (in isolation), but I only want Jane to be able to authenticate with her username/password and her personal certificate.


Cisco Infrastructure :: SRE 900 Support For Third-party Apps?

Apr 23, 2012

I am thinking about running some third-party unified communications apps under VMware ESXi 5 on a Cisco SRE 900 module. According to the Cisco docs, third-party apps are supported on these modules (see table below) but the app in question is NOT on Cisco's list below.
 
[URL]
 
Some questions:
 
1. As long as the third-party app is capable of running under VMware vSphere ESXi 5, is there anything on the SRE that would prevent you from running this third-party app even though it's not on Cisco's list?
 
2. What is Cisco's policy on the use of third-party apps that are not on their list? For example, will they take a support call on an SRE running a non-listed app? (I don't want to void any sort of support contract through the use of a third-party app not on their list.)


AAA/Identity/Nac :: Authentication Login On Switch 3750 E

Mar 29, 2011

I would like to set up centralized management of login accounts on my Cisco switch (with a RADIUS server). But on the Cisco 3750-E, I use IOS 12.2(44)SE1 and the command aaa authentication login does not exist.
 
Can the Cisco 3750 support an IOS other than 12.2 that has this ability?


Cisco AAA/Identity/Nac :: 2960S Web Authentication With RSA Secure-ID On Switch

Feb 4, 2012

I've recently been looking into linking our Cisco 2960S Gb switch with RSA SecurID via RADIUS. I've already managed to link it in for SSH access,
 
but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA SecurID, and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server (okay on the first authentication, but each time after it's going to want a different token code).
 
(Is there a way to get the switch to just authenticate once instead of multiple times against the RADIUS server?) For info, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.


Cisco AAA/Identity/Nac :: ACS 5.2 Cannot Support Alcatel Switch

Dec 18, 2011

I have some Alcatel switches and I want to use ACS 5.2's TACACS+ for Alcatel switch admin authentication. The failure reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets. But I checked that the shared secret is correct. Before, I tried associating them with ACS version 4.2 and it worked.

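The 13011 failure above is worth reproducing, because a TACACS+ body is not signed, only XORed with an MD5 pad derived from the shared secret: a server holding the wrong secret does not see a "bad signature" error, it sees a body whose length fields no longer add up and reports an invalid packet. The following is an added example, not code from the post or from Cisco ACS. It implements the RFC 8907 pseudo-pad in Python and decodes a constructed authentication START packet under the right and the wrong key; the session id, user name, port, address and both secrets are made up for the example.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907. Everything else in this file (session id,
# user, port, address, secrets) is constructed for the example.
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HDR = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad. The same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, seq_no=1):
    """Client side: an authentication START for an ASCII login at priv level 1."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = HDR.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: decode with the server's copy of the secret. Returns the START
    fields, or None when the body does not parse as a START packet, which is exactly
    what a mismatched secret looks like (there is no MAC to fail, only garbage)."""
    if len(packet) < HDR.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(packet[:HDR.size])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - HDR.size:
        return None
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return None                      # cleartext bodies are never acceptable here
    body = obfuscate(packet[HDR.size:], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    # Structural plausibility checks: with the wrong key these fields are random.
    if action != TAC_PLUS_AUTHEN_LOGIN or priv_lvl > 15:
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    fields, off = {"priv_lvl": priv_lvl}, 8
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen)):
        try:
            fields[name] = body[off:off + n].decode("ascii")
        except UnicodeDecodeError:
            return None
        off += n
    return fields


if __name__ == "__main__":
    key = b"correct-secret"                      # constructed shared secret
    pkt = build_authen_start("netadmin", "tty0", "10.1.1.5", 0x1234ABCD, key)
    print("right key :", parse_authen_start(pkt, key))
    print("wrong key :", parse_authen_start(pkt, b"wrong-secret"))
```

Because the server-side check is purely structural (lengths, action, privilege level, ASCII strings), a mismatched secret and a genuinely malformed packet from a third-party client look identical from the server's seat, which is why ACS can only say "possibly mismatched". If a captured Alcatel START decodes cleanly under the configured key with parse_authen_start(), the secret is not the problem and the vendor's packet layout is the next thing to look at.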

Cisco AAA/Identity/Nac :: ACS 5.3 And Enterasys A2 Switch Support

Mar 11, 2012

I am using ACS 5.3. I need to make MAC authentication on an Enterasys switch work with Cisco ACS 5.3. I get the following error:
 
Parsing error or event type unknown: xxxxxxxxxxxxx ERROR RADIUS: RADIUS packet contains invalid attribute(s); Failed-Attempt: Radius request dropped
 
How can I integrate the custom attributes of the Enterasys A2 switch with Cisco ACS 5.3?


Cisco AAA/Identity/Nac :: 2960 - Central Web Authentication With Switch Not Working

Mar 27, 2012

I am following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working.
 
I'm using ISE version 1.0.4.573 and a WS-C2960-24PC-L with software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
 
The interface configuration looks like this:
interface FastEthernet0/24
 switchport access vlan 6
 switchport mode access
 switchport voice vlan 20
 ip access-group webauth in


Cisco AAA/Identity/Nac :: Wireless With ACS 5.2 And 3rd Party Access Point

Nov 15, 2012

I have Windows 7 clients (supplicants), a D-Link access point (authenticator), and a Cisco ACS 5.2 virtual appliance with an evaluation license (acting as authentication server, i.e. RADIUS server). I want to set up EAP authentication (PEAP) so that users will be able to connect to the wireless LAN with login/password. I've done some configuration, but I did not get any result. In ACS 5.2 I get this error message: 11014 RADIUS packet contains invalid attribute(s): RADIUS Request dropped.

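Both the Enterasys MAC-authentication post above and this D-Link one fail with the same ACS message, "RADIUS packet contains invalid attribute(s)". That text comes from the TLV walk a RADIUS server performs before it looks at any attribute value: every attribute carries a one-octet length that must be at least 2 and must not run past the packet's Length field, and a Message-Authenticator, when present, must verify as HMAC-MD5 under the shared secret. The code below is an added example in Python, not code from either post or from Cisco ACS. It builds a constructed Access-Request, walks and validates the attributes the way a server must, verifies the Message-Authenticator, and separates the two outcomes a server distinguishes: a malformed attribute (dropped) versus a wrong secret (rejected). The secret, user name and NAS address are invented.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

# RADIUS constants from RFC 2865 / RFC 3579. The secret, user name and NAS
# address used further down are constructed for this example.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER = struct.Struct("!BBH")     # code, identifier, length; then a 16-octet authenticator


def attr(attr_type: int, value: bytes) -> bytes:
    """One TLV. The length octet covers type and length, so 2 <= length <= 255."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 octets")
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(secret: bytes, ident: int, attrs: list,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Client side: Access-Request carrying a Message-Authenticator, computed as
    HMAC-MD5(secret, packet) with the Message-Authenticator value set to zeros."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    body = b"".join(attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = HEADER.pack(ACCESS_REQUEST, ident, HEADER.size + 16 + len(body)) + authenticator + body
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac          # the zeroed value is the last 16 octets


def parse_attributes(packet: bytes):
    """Server side TLV walk. Returns (attrs, error): attrs is a list of
    (type, offset, value); error is None when every attribute is well formed,
    otherwise the reason a server would drop the request."""
    if len(packet) < 20:
        return [], "packet shorter than the 20-octet RADIUS header"
    code, ident, length = HEADER.unpack(packet[:HEADER.size])
    if length < 20 or length != len(packet):
        return [], f"Length field {length} does not match {len(packet)} received octets"
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            return attrs, f"truncated attribute header at offset {off}"
        attr_type, attr_len = packet[off], packet[off + 1]
        if attr_len < 2:
            return attrs, f"attribute {attr_type} has illegal length {attr_len}"
        if off + attr_len > length:
            return attrs, f"attribute {attr_type} runs past the end of the packet"
        attrs.append((attr_type, off, packet[off + 2:off + attr_len]))
        off += attr_len
    return attrs, None


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the packet is well formed, carries exactly one 16-octet
    Message-Authenticator, and that HMAC-MD5 verifies under secret."""
    attrs, error = parse_attributes(packet)
    if error:
        return False
    found = [(off, val) for t, off, val in attrs
             if t == ATTR_MESSAGE_AUTHENTICATOR and len(val) == 16]
    if len(found) != 1:
        return False
    off, received = found[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def classify(packet: bytes, secret: bytes) -> str:
    """Mirror the server's decision order: drop malformed, reject bad secret, else accept."""
    attrs, error = parse_attributes(packet)
    if error:
        return "dropped: invalid attribute(s): " + error
    has_ma = any(t == ATTR_MESSAGE_AUTHENTICATOR for t, _, _ in attrs)
    if has_ma and not verify_message_authenticator(packet, secret):
        return "rejected: Message-Authenticator mismatch (shared secret?)"
    return "accepted"


if __name__ == "__main__":
    secret = b"radius-secret"                                   # constructed
    good = build_access_request(secret, 7, [attr(ATTR_USER_NAME, b"jdoe"),
                                            attr(ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))])
    # A header plus one attribute whose length octet is 1: structurally invalid.
    bad = HEADER.pack(ACCESS_REQUEST, 7, 22) + bytes(16) + bytes([ATTR_VENDOR_SPECIFIC, 1])
    print(classify(good, secret))
    print(classify(good, b"other-secret"))
    print(classify(bad, secret))
```

Feeding classify() a request captured from the D-Link or Enterasys NAS (the UDP payload pulled out of a pcap as bytes) tells you which of the two failures you are looking at. A structural error, especially inside a Vendor-Specific attribute (type 26), points at the NAS's attribute encoding rather than at the secret, which is the direction the Enterasys post's question about custom attributes already takes.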

LAN Party With Ethernet Switch Without Internet?

Oct 10, 2012

I have a school club, but our school does not allow any wireless networks within the school perimeter. Wired is allowed, but wireless is not. I plan to host a LAN party for my club, and we will have about 20-30 people. We cannot have any internet access, and I have not touched wired stuff. There is a 24-port ethernet switch, and if I buy one, and suppose I buy another 24-port ethernet switch (I know there is a 48-port ethernet switch), can I connect those two 24-port ethernet switches to make 47 ports?
* For a LAN party without internet access, can we use an ethernet switch or do we use something else?
* For 20-30 people, it is recommended that we have ~8 Mbps upload speed. When ethernet switches advertise 10 Mbps, is that upstream & downstream? When all the computers are hooked to the 24 ports, does the advertised 10 Mbps go lower? (I have seen 100/10 Mbps, and I don't know what that means.)


Foundry Fesx424 Layer 3 Switch Routing For LAN Party

May 5, 2012

I'm fairly new to networking but I've learned quite a bit on my own without being educated. I'm trying to just figure things out on my gear. So for my LAN party I'm going to need an internet connection. I'm not going to rely on my venue's subnet though, so I want to create a new /24 subnet (250 hosts is good for a start). I want my subnet to be able to speak to the outside network too.


Cisco AAA/Identity/Nac :: ACS V5.3 Identity Selection For Authentication?

Jan 16, 2012

I previously configured ACS v4.2 to authenticate network devices using internal users first and, if the user is not found, to use the AD user list. But with v5.3 I have some problems doing this. On identity policies I use the rule-based result selection option; I configured 2 policies for the identity source, one for Internal Users and another for AD users, but it only works with the first policy, internal users or AD, whichever is first. How do I make it continue to the next policy if the user is not found on the first one?


Cisco AAA/Identity/Nac :: ACS 5.2 Identity Base Authentication

Jul 3, 2011

I need specific users to be allowed access to particular devices and given privilege only for show commands or show run. Here is how I tried to configure it.
 
1. Configured two separate Shell Profiles and Command Sets with privilege level 4-5 and allowing only the show run command

2. Created a separate service selection rule adding the required NDG and protocol TACACS and matching service "RestrictAccess"

3. In the RestrictAccess service I have the following configured; Identity: internal users, Group Mapping to a particular group where the user exists, Authorization: matching the above created identity group, NDG, shell profile, command sets
 
All the steps are attached in the .doc file. However, when I try with the particular user he is able to access everything and he is not hitting the correct access rule.


Cisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface

Aug 27, 2012

I have set up an Identity Firewall on an ASA version 5.6 on a DMZ interface. I have installed the AD Agent on a domain member Win2008 and configured it as follows: [code]
 
where ashdew is a domain user and ACL 122 (only one line) is applied on the DMZ interface and NAT is properly configured. The AD Agent has been properly tested and the ASA can register to it. The ASA can connect to the AD DC and query the user database. I have placed a laptop with IP 172.17.h.x on the DMZ and can ping the DMZ interface.
 
The laptop cannot authenticate on the domain and the ASA does not seem to retrieve the user identity. Do I need to add extra rules in access-list 122 to permit traffic to the DC? Can I check on the AD Agent whether it can retrieve the user-to-IP mapping?


Cisco Switches :: SG200 Support For RADIUS Device Authentication

Dec 6, 2011

I am unable to successfully authenticate my SG200 to either a Cisco ACS or a Windows 2008 RADIUS server. (A C3750X on the same network authenticates fine.)

Q1. Is this feature (management login authentication to a RADIUS server) supported on the SG200?

Q2. If so, is there any configuration guidance available for both the SG200 and CS-ACS / Windows Server 2008 NPS?
 
I have not got as far as 802.1X authentication yet, but a config example of this would also be useful.


Cisco Switching/Routing :: SSH Commands Not Available In IOS CAT4500e

Jul 30, 2012

SSH commands are not available in IOS cat4500e-universalk9.SPA.03.02.00.XO.150-2.XO.bin. I just recently upgraded to universal k9 as the k9 versions usually include the crypto/SSH commands; however, I still do not have access to these commands. Is there anything I must do to enable these?


Cisco :: CAT4500e - LMS 4.1 IOS XE Software Features Not Recognized?

Oct 2, 2011

We just replaced a floor switch and ended up going with IOS-XE software. LMS does not seem to like this software; the device is not available in my Identity dashboard, and it's obviously running dot1x.
 
LMS shows it as software version 03.02.01.SG, same as you get when you do a show version, license level is enterprise services.
 
Actual Image name: cat4500e-universalk9.SPA.03.02.01.SG.150-2.SG1.bin
 
Also, the IOS upgrade option does not work for this device; it gives an error saying to perform an inventory collection, which I have manually performed. The device is reachable and manageable by LMS, and it does not show up in any of the IOS version reports.


Cisco :: LMS 4.2.1 - Backup Configuration Of WS-C4503-E Version Cat4500e

Oct 11, 2012

I have Cisco LMS 4.2.1 on a Windows 2008 Server R2 platform and I would like to back up the configuration of my WS-C4503-E, version cat4500e-universalk9.SPA.03.03.01.SG.151-1.SG1. I create the job in Configuration > Configuration Archive > Synchronization and, after the execution of the job, I check the status in Admin > Job > Browser: I don't know why the archive doesn't exist. It's a new install.


Cisco :: CAT4500e / WS-X45-SUP7-E - Getting Started With Flexible Netflow

Oct 18, 2012

I want to activate Flexible NetFlow on my WS-X45-SUP7-E with IOS cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG. I've started with a simple configuration like this:
 
Configuring a Flow Monitor for IPv4/IPv6 Traffic Using the Flexible NetFlow

“NetFlow IPv4 Original Input” Predefined Record
SUMMARY STEPS


AAA/Identity/Nac :: ACS 5.1 With AD For Twin Authentication?

Nov 25, 2011

I want to integrate my ACS 5.1 with AD. My requirement is to check for machine authentication first. If the machine authentication passes, the client username/password should be validated and the client should be put in VLAN X. If the machine authentication fails, the client username/password should still be validated, and if that authentication passes the client should be put in VLAN Y.


Cisco AAA/Identity/Nac :: Web-authentication Using ASA And ACS 5.1

Feb 2, 2012

In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that user? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?


Cisco AAA/Identity/Nac :: MAC OS-X And Authentication Via ACS 5.2?

Apr 1, 2012

My customer has a large installed base of Macs, all connected via a controller-based (5508) WLAN. He wants to grant access to the network based on the devices' MAC addresses and move the WLAN clients to a specific VLAN. I added all devices with their MAC addresses to the ACS internal identity store for hosts. According to the following message, the client sends the user login credentials (chegger) within the RADIUS request instead of the client's MAC address, and of course it has to fail. After many configuration changes, I always ended up with the same result.


AAA/Identity/Nac :: ASA 8.3 LDAP Authentication For SSL VPN

May 16, 2011

I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against LDAP on Windows Server 2003. I have changed the read access on the Active Directory to allow Anonymous to read it. I think I am missing something in the ASA config. I have the server group specified with the address of the correct server but nothing else really configured.


Cisco AAA/Identity/Nac :: EAP-TLS Authentication With ACS 5.2

Jun 13, 2012

I have a question on EAP-TLS with ACS 5.2. If I would like to implement EAP-TLS with a Microsoft CA, how will the machine and user authentication take place? I understand that certs are required on both the client and server end, but is this certificate tied to the machine or to the individual user?
 
If tied to the user, and I have a shared PC that a few users log in to, does that mean every user account will have its own certificate?
 
And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?
 
And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert on their device, right?


Cisco AAA/Identity/Nac :: AD Authentication In ACS 5.3

Jan 22, 2012

I have a new ACS 5.3 installation which I have joined to our AD domain and added the directory groups into. I have also added all our devices into ACS and their groups etc., but I am still only able to authenticate on our switches with an internal ACS account; when I try with an external AD account the log shows the following error: "Subject not found in the applicable identity Store (s)"


Cisco Firewall :: Web Authentication On Layer 3 Interface With Cat 3750

Sep 12, 2012

Cisco 3750 with IP Services image 12.2.55, trying to enable Web Authentication on a Layer 3 interface:
 
!
ip auth-proxy name bp_auth_proxy http inactivity-time 60
!
interface GigabitEthernet1/0/5
 no switchport
 ip address 192.168.1.27 255.255.255.0
 ip access-group 101 in


Cisco Switching/Routing :: Cat4500e Dot1q Encapsulation Command Fails

Jul 17, 2012

I have a Catalyst 4500 L3 Switch Software (cat4500e UNIVERSAL-M), Version 03.02.00.XO RELEASE SOFTWARE (fc2). I just wanted to verify that the switch only does dot1q encapsulation, because the switchport trunk encapsulation dot1q command does not work.


AAA/Identity/Nac :: Cisco ACS 5.1 And RSA Authentication Manager 6.1?

Apr 18, 2010

We recently got a Cisco Secure ACS 1120 and I upgraded the appliance to 5.1 from 5.0 with all your support.
 
Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I successfully downloaded the config file from the RSA ACE Server and exported it into the ACS 1120.
 
I also added ACS as a Net OS Agent in the RSA server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to a name (is that necessary?).
 
I haven't created any secret key file for communication between ACS and RSA, and the encryption I used is DES.
 
Now when I log into ACS and search for devices in the Identity Store Sequences I am not able to find the RSA Token Server.


AAA/Identity/Nac :: ACS 5.2 Local Authentication With LDAP?

Sep 13, 2011

Is it possible to validate the ACS application accounts against an external repository like LDAP? I have found that LDAP can be used only as an identity store to authenticate users on AAA clients and network devices.


AAA/Identity/Nac :: ACS 5.2 AD Authentication Restriction Failure?

Aug 24, 2011

I have my ACS linked with AD to give administration access to a few network devices, and I've created an access policy to link my AD groups with those network devices and command sets.
 
Unfortunately I found I can use any user from my AD to log in to my devices. Only LOGIN; the authorization definition is restricting the command set for those users.
 
How can I restrict the LOGIN to a specific AD group?


AAA/Identity/Nac :: ACS 5.2 Machine Authentication And AD User?

Sep 1, 2011

I am trying to set up a rule to allow wireless access only to users in my AD when they use computers from my AD. I have machine authentication working on its own (computer boots up and connects to wireless - confirmed by ACS logs). I have user authentication working. But when I try to create the following rule, it does not work:
 
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:

[code]....
 
Everything seems fine until it gets to the last rule.
