AAA/Identity/Nac :: Juniper Netscreen Radius Authentication With ACS 5.1
Jun 3, 2011
Several of my older Netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see an auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The Netscreen is set up so that the user privileges are obtained from the ACS server.
Any setup where they are using Cisco radius authentication to authenticate Netscreen devices?
I am trying to authenticate on Juniper NSM express using Cisco ACS 5.2. The request is arriving at the Cisco ACS but I am getting the following error: RADIUS requests can only be processed by Access Services that are of type Network Access.
I want to integrate a Juniper Netscreen firewall with TACACS on Cisco ACS 5.1. I went through the Juniper KB, which mentions that I need to enable the Netscreen service in Cisco ACS 5.1. How do I enable the Netscreen service in Cisco ACS 5.1, and how do I go further to integrate the Juniper Netscreen device in Cisco ACS 5.1?
I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
service = netscreen { vsys = root privilege = read-write }
I know how to add this to a version v4.x ACS.
However, I do not know how to apply these custom attributes to a v5.x ACS. Do I add the vsys and privilege attributes separately or together? What should be the attribute name? netscreen? Should it be mandatory?
I changed from ACS 4 to ACS 5.2. Everything works fine but I have authentication failed in the Radius accounting reports every time users connect through ASA or Juniper into our network. Juniper and ASA only send accounting information to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do I see authentication errors on ACS when Juniper and ASA only send accounting packets?
Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1. The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page. Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase. There is nothing of interest in the ACS logs (even with the debugging levels turned right up). The same Access service is in use for both the CLI and GUI (JWEB). Using ACS 4.1, both CLI and JWEB authentication works. [URL] I'm thinking the issue is with ACS 5.0 / 5.1 and it may not be liking the response from the Juniper (even though it should be the same mechanism).
Using Cisco ASA I want the SSL clientless VPN users to be authenticated through a local Radius-Server, but it does not work, and on the ASA, while I want to see (Debug Radius) output, there are no debugging msgs displayed. When I try to test the user which I have created on the ACS-Server 4.2, the test is successful. Where have I made a mistake in my configuration?
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below are the logs from the IPS:
I have a question about radius authentication with AD. When I log in to the network with a user in AD and I make a mistake in the password, my radius authentication event in ACS 5.2 doesn't show me this log. It only shows the authentication succeeded but doesn't show me the authentication failed. Maybe I must enable some service to show the authentication failed. The Voice authentication works fine.
I've set up my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satisfied with at the moment is that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP. I've tried ticking the "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server. From Event Viewer on W2K8/NAP I get Event ID 6278 and 6272, see attached file. How do I change from the PAP to the CHAP protocol? PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)
I have ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology. As per the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844, I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question 1: Under the Authenticate Using option, there are various RADIUS flavors available for selection. For a non-Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snapshot, it has an option called Global Authentication Setup, where we can set up EAP configuration. Under the PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box. After checking that, is a restart of the ACS Server required? Would it cause any disruptions to the existing services on the ACS?
How do I set up ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
For some reason, I can't get the lobby "sponsors" to authenticate to the Guest NAC server (2.0.2) using ACS 5.2 via Radius. I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IETF-6 under...
Policy Elements > Authorization & permissions > Network Access > Authorization Profiles
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETF
Radius Attribute: = Service-Type
Attribute Type: = Enumeration
Attribute Value: = Static
Value = "Administrative"
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... I tried the "Name of Custom Policy above"... Not sure what else to try to get this to work...
Here is a link to the document I'm following: URL
Page 68 refers to the "Configuring Sponsor Authentication" for Radius. It just tells you to add the Radius Server & change the authentication order.
I am trying to assign the right role for a user who authenticates to a Nexus 7k switch via radius. I am using Cisco ISE version 1.1.1.268 and the Nexus version is 5.0.2. I have created a role on the Nexus.
I have set up my radius server access on the Nexus but am unable to authenticate through PuTTY. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check pass; user unknown - aaad
I am trying to get AAA authentication for HTTP to use radius, and seem to be having problems with setting the privilege level. It works fine with SSH login, but doesn't work with web management. The model is a WS-CBS3130X-S-F running 12.2(58)SE1 with http version 1.001.002...
Config is as follows:
aaa new-model
aaa authentication login VTYSandHTTP group radius local
aaa authorization exec VTYSandHTTP group radius local
ip http server
ip http authentication aaa login-authentication VTYSandHTTP
[code]...
This is what I get when I try to log on to HTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP AAA Login-Authentication List name: VTYSandHTTP
HTTP: Authentication failed for level 15
I have configured Radius authentication on Windows 2008 server (NPS). The following configuration is working perfectly on Cisco Switch 3560. [code] But the same configuration is not working on Cisco Catalyst Switch 6509 (C3560-IPBASEK9-M), Version 12.2(46)SE, RELEASE SOFTWARE (fc2).
I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.
I am not sure if Cisco ACS 5.2 supports the RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. Does Cisco ACS 5.2 support RADIUS auth for device authentication?
I'm trying to find out the options for authenticating remote users via IMEI and MSISDN values via ACS 5.3. I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way to have ACS 5.3 provide a DHCP server address for the connection?
Would like to check out some client side settings on Wireless 802.1x authentication.
Network setup is using
- Cisco WLC 7.2 and AP3500
- ACS 5.3
- Microsoft Windows server 2008 hosting AD and CA services (same machine)
- Client OS is Microsoft Windows 7
Authentication method would use PEAP-MSChap V2 Combo.
My questions:
01. In AD environment, should ACS 5.3 be part of the domain computer?
02. To have secure connectivity, if the security policy forces the client to check "Validate server certificate", which certificate is it looking for? Is it the ACS's identity certificate, which requires the CA server to sign the CSR?
03. Back to the client side, does the client also need to import this certificate into trusted root certification authorities?
Or will the client trust the ACS identity certificate against the root CA certificate store at the client's trusted root certification authorities, where they have the identical issuer?
04. Extra question: If there is no CA environment, would it be sufficient to simply export the ACS self-signed certificate and import it to the client computer, and it's trusted?
I'm somewhat new to ACS and am trying to complete a migration from 4 to 5.3. Currently, I've got ACS joined to my (2003) domain, and it shows status connected (although the test connect fails). I have aaa working without issue for TACACS, but all RADIUS authentication is currently failing. Logs show the message below: "24401 could not establish connection with acs active directory agent". I'm not seeing anything telling in the logs on the domain controllers.
We are setting up a new office and I am trying to get RADIUS set up for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung up on what I think is something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
 server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
I've been working on trying to get RADIUS authentication working for devices connecting to our corporate mobile APN. Our APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value matched with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI.
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?
I am attempting to configure Radius authentication across a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vice versa but is unable to authenticate when I perform a test. ASA5510-01 can authenticate to a DC on its own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locally. ASA5510-02 authenticates to DC with no problems.
I have set up an ACS 5.4 box and have some test devices connected to it, Cisco and Juniper, both working fine using TACACS. I can connect to both using SSH or Telnet, but my problem is the J-Web Juniper GUI. I can access the J-Web no problem with the root account. I cannot seem to get it to work, no matter what I try. Here is my shell from the ACS box and the following Juniper configuration. I have tried binding the local-user-name attribute to both the remote and remoteadmin with no luck.
version 9.6R1.13;
system {
    host-name Juniper-Firewall;
    authentication-order [ tacplus password ];
    root-authentication {
        encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS 4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3 tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
I have configured ACS 5.1 and am using Tacacs. I have two Juniper SSG140 FW's in different subnets. Tacacs authentication is working on one SSG140 FW, but not on the other one. The Tacacs configuration on both FW's is exactly the same. Both FW's have been added in the ACS server with the same shared secret key, same profile etc. I don't even see the authentication requests from the FW. ACS can ping both FW's and vice versa. [code]
I am running ASA version 8.4(1), and AnyConnect version 3.0.1047. My SSL VPN works fine, but I ran into an issue with one user. His account did not work, and every time the user logged in, he got this message: "VPN Server could not parse request".
I found the problem after getting the user's information, meaning his username and password. His password had "&" as one of the special characters. When we changed it to something that does not have that, it works just fine.
We are using Microsoft NPS server as radius, but when I run a test within the CLI it works just fine; only when AnyConnect asks to authenticate does it fail.
I'm running WCS 7.0.220.0. I would like to authenticate users that are able to log on to the WCS through MS Network Policy Service (RADIUS). I would like all my domain users to be members of the local group on the WCS "Lobby Ambassador", so all domain users have access to generate guest access accounts for the web auth... I can see under the WCS Administration under AAA that it should be able to use RADIUS, but I'm not sure how to set up the NPS policy?
I am configuring an old WLC4400 with V4.2.130.0. I added a new sub-interface for VLAN 50 with the proper IP for the subnet and then added the Radius server (Windows server 2008 with NPS) onto the WLC4400. I then created a new WLAN with WPA+WPA2 Encryption and 802.1x key management and selected the Radius server under AAA for authentication.
Configured the test XP with WPA-Enterprise and PEAP as EAP method. I purposely configured computer to prompt for username and password.
When I try to connect, I do get a prompt for username and password. However, after that nothing happens. It seems like the laptop just keeps trying to authenticate.
I checked the Windows event log and do not see anything under NPS. I know this Windows server NPS setup works as it is also the authentication server for our remote VPN.
Is there any special option I need to turn on for the WLC in order for Radius authentication to work? Or is there any known bug with V4.2.130?