AAA/Identity/Nac :: Secure ACS 5.2 And Microsoft NPS?
Dec 6, 2011
We're using Cisco Secure ACS 5.2 as a Proxy AAA server, using Active Directory as an External Identity Store. They are already synced and connected and thus I can login into the VPN using my Domain credentials.
But that's not enough. My client needs to limit who can and can't establish VPN session, I mean, the way it is now, EVERY single employee can do that if his/her credentials are valid in the Active Directory domain controller. So I need to do two things:
1) Using the Microsoft NPS server, via dialin attribute, allow or deny VPN sessions using ACS/ASA;
2) Using the company user credential attribute to identify which Authorization Group the requesting user should be in, Downloadable ACLs will then be applied according to the access policies created for each company.
Jul 11, 2011
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?
May 2, 2011
I have a problem with my 802.1x solution in ACS Version: 5.2.0.26. The time between my ACS and the AD loses synchronization; for that reason the users in my network can't authenticate in the solution. When I saw that the time differed from the AD by 5 minutes, I had to force the common NTP server 172.25.0.34 again (which is the IP of the NTP server). I don't know the reason for the lost synchronization; maybe it could be a bug, or something that I have to configure in the ACS or AD.
Feb 2, 2013
I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization.
May 10, 2010
We need to move a virtual machine running Cisco Secure ACS for Windows version 4.2 from ESX 3.5 to ESX 4.0.
Nov 16, 2011
All users are located in the local identity store. So, assume I do not implement ACS but I do turn on password expiration after 60 or 90 days. If a user whose password is about to expire attempts to authenticate against ACS 5.2, will they be notified that their password is about to expire? Also, when a user attempts to authenticate but their password expired yesterday, will they be prompted to change it and, if so, how will that prompt to change it be presented?
Nov 14, 2012
We're running Cisco Secure ACS V5.1 on a Linux platform to manage remote access to many networking devices. This has not been in place long, and is generally working OK. However, whenever I set the parameters of the user authentication to 'disable user account after X days if password was not changed', so as to comply with our internal security regulations, the user IDs seem to disable themselves intermittently, irrespective of whatever number of days I put in this - this can be a couple of days after re-enabling, or just a few minutes.
This can be found in the advanced tab here: System Administration > Users > Authentication Settings. In the meantime, we are having to set the user authentication to be non-expiry. Is this a known fault with this version of software? If so, would there be a patch available, and how would I go about obtaining it?
Mar 10, 2013
Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with Cisco Airespace. It is only working on ACS4.1 but when we tried to move it to Cisco Secure ACS v5.3, it is not working.
Jan 13, 2013
I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP addresses. Secure ACS is not quite easy to look through in that case.
Jan 7, 2010
I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations. I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches. The application begins running fine but fails on upgrading the database and then none of the ACS services would start. I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again. What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
Mar 15, 2012
I am setting up an LDAP identity store over ldaps in ACS 5.1. I specify that the connection uses secure authentication and provide the Root CA certificate. When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found". Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test?
Jul 16, 2012
I have a problem: my OS Lion doesn't authenticate against Secure ACS Version: 5.2.0.26.10. For the Mac Lion operating system to work, you must add the MAC address of your computer as an exception. I wonder how I could get the Lion OS to authenticate to the ACS.
Jul 19, 2012
We are using version 5.3 with patch 5. Incremental and full backup are configured but every day we receive an alarm notification.
Sep 27, 2012
I am working on a project with Secure ACS 5.2. I am trying to determine the proper External Database to use. LDAP or direct to AD?
Additionally, the Domain that I am connecting to has multiple sub domains. All of the users are currently in the sub domains, but will be moving to the root domain later. How should I configure the connection? Do I need to connect to each sub domain or can I just connect to the root?
Sep 1, 2011
I just want to know: if I need to support High Availability in the Cisco Secure ACS 5.1 appliance, will the base license suffice or do I need to buy the Security Group Access System License / Large Deployment License? Again, do we require a license for each appliance or is just one enough?
I suppose the licensing rules are the same for the VMware version also.
Mar 13, 2011
Am I entitled to upgrade from 5.1 to 5.2 by having SmartNet on my 1120 Secure ACS Appliance?
Feb 4, 2012
I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius. I've already managed to link it in for ssh access, but I've not managed to get it working for http / web access to the switch. I think this is because we're using "single use" tokens for maximum security with RSA Secure-ID and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server (okay on the first authentication, but each time after it's going to want a different token code) (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server). For info, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.
Nov 5, 2011
provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Feb 6, 2012
We have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button, saw the Proxy Distribution Table, clicked (Default), moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
Sep 13, 2012
How many network devices can Cisco Secure ACSv4.1 support? Is there any limit on the same? How to get the specs of Cisco Secure ACSv4.1 on the above grounds...
Jul 30, 2012
I'm trying to configure an ASA to communicate with an AD environment that is only using LDAP Secure (LDAPS). I've configured authentication to ASA's with LDAP lots of times, though never with LDAPS.
Presumably there is a procedure to install a certificate in the same way as an RSA sig in VPN.
Feb 3, 2007
We have several ASA 5510 firewalls which are being used as VPN gateways. RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used. Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
Jul 12, 2011
When setting up my e1000 router for a secure domain it automatically opened a non secure one that my neighbors are using. How can I cancel it?
Jun 10, 2011
My emails are not being sent; POP3 failed. Is there a troubleshooting or autofix website I can go to?
Dec 5, 2011
I want to set up a lab environment for my studies using Microsoft Virtual PC. I have installed 3 virtual PCs, of which 2 are Windows Server 2008 named srv1 and srv2; the third virtual PC is running Windows XP Professional Service Pack 2, with the host operating system being Windows 7. I have installed the Microsoft loopback adapter and I am trying to network the 3 virtual PCs and the host.
srv1 ip address is 192.168.2.200
srv2 ip address is 192.168.2.201
wk1 ip address is 192.168.2.10
The host PC's IP address for the loopback adapter is 192.168.2.5. When I check the workgroup I see only srv1 and srv2. I am only able to ping srv1 and srv2; the rest are unreachable.
Jan 16, 2012
I have a problem with downloading Microsoft Silverlight with both browsers, i.e. Mozilla Firefox and Internet Explorer. When I click the download button, Firefox says the Silverlight server is not loading or busy and Explorer says the page cannot be displayed, and I need it really badly as I need to send photos to all my friends.
Dec 13, 2011
I can't access the Microsoft webpage. I have a fresh copy of Win XP Pro SP3, IE 8, and am connected through an updated Vodafone ADSL modem through ethernet. The strange thing is, I can access bank, TV over internet, etc., except MICROSOFT webpages.
Aug 10, 2012
We have two separate external connections, one behind a PIX, one behind an ASA. Clients behind either of these firewalls cannot get to skydrive.live.com - the page title loads but then that's it! I'm debugging behind the PIX because there is less traffic and I've pulled this from syslog so far - have been googling but not sure if this syslog data is normal or not really.
Oct 19, 2011
I can't seem to connect to any wifi. I opened my device manager and looked under network adapters and there is a little triangle with a ! in it. What can I do to fix this? I'm a college student who needs access to the internet badly.
Feb 5, 2013
Running Windows 7 64bit, ISP is EATEL connected through a PACE 3801HGV to a new Linksys EA6500. Since the initial setup ( I was walked through the setup via Linksys support) I cannot access windows update, (the error screen tells me to restart my computer, "Windows update cannot currently check for updates because the service is not running. You may need to restart your computer", and I have done so 25 times) and I cannot update my Microsoft security essentials. Windows firewall tells me that the 'advanced settings snap-in' failed to load. Is it safe to uninstall and try to reinstall these or is there a way to start the services?
Jun 24, 2011
I have a LAN running Windows Server 2000 as domain controller and having 40 client PCs. I want to configure my server, which is for the time being only a file server, as a mail server. I don't want to use POPS, IMAP or Exchange server. Instead I want to use Microsoft Mail to configure my client computers. I have only heard about "Microsoft Mail" so far.
Dec 26, 2011
I cannot access any Microsoft websites except when in safe mode + networking. I can browse all other websites just fine, but can only access any Microsoft sites in safe mode.
Jun 20, 2012
Lost pin number for Microsoft 2010?