Cisco AAA/Identity/Nac :: 2960 - Remote Desktop To Machine 802.1x Authenticated By User (Wired)
Jan 22, 2012
802.1x is working properly and the 802.1x port is up, but when I do a remote desktop to a machine that is 802.1x authenticated by a user (wired), first the login to the PC succeeds, then (after 3 minutes) the switch port goes down.
I've just installed NCS. When trying to configure NCS for ACS TACACS+ authentication, I receive the message below when trying to login to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2. "No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...
ASA 5510, ASA 8.0, ASDM 6.1. I want some remote users to have a split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned the new Group Policy to it. When I authenticate at the AnyConnect client I get a dropdown of the 2 connection profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete; assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no; it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs show me this kind of error:
[-2147483632] Session Start [-2147483632] New request Session, context 0xadf415d4, reqType = Authentication [-2147483632] Fiber started
Actually I have a lab with ACS 5.3 running with 802.1x, but when the user is successfully authenticated, it is assigned an IP address from the DHCP server. Is there a way to assign a static IP address depending on the login username?
We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated. The port configuration on the authenticator (Cisco WS-C4510R+E IOS 151-1) is configured exactly the same: [code]
But for some reason some PCs cannot be authenticated. A Wireshark capture on the computer not working shows that the computer receives an EAP Request Identity and also sends a Response Identity to the switch, but then nothing more happens. So the process is stuck at the EAP-Response/Identity. I attach a debug capture on the switch for one of the computers which cannot be authenticated.
I have a PC behind a DSL router. In my PC (WinXP SP3) I have a virtual machine also running WinXP SP3. I would like to access the VM via remote desktop. Since I have a dynamic IP, I use the (url) tool to solve the problem. I installed the no-ip sync tool in the VM. Now when I write my no-ip address in the remote desktop from my office, I will access my host system, and not the hosted VM. Does anyone know how I should configure things in order to get access to the virtual machine and not to the host machine?
I have a Win 7 machine with Win SBS 2011 in my office and an iMac. The Win machine is being set up for Exchange 2010. My problem is this: I can't Remote Desktop in from my iMac into the Win machine, but CAN when outside the network. The Win7 machine has a static IP, the iMac a dynamic. When I access the internal part of my router I can only see my iMac. I get a "can't connect to win-based machine" error when I try to Remote Connect. The only thing I can think is that using the same gateway is somehow messing things up? I've had two techs try to figure this out and they're both stumped. I was maybe thinking that since both comps are going out the same gateway that I should try and configure the iMac to try and RDC on a different port, since maybe the iMac is listening on 3389 and sending the RDC back to itself?
I am trying to set up a rule to allow wireless access only to users in my AD when they use computers from my AD. I have Machine authentication working on its own (computer boots up and connects to wireless - confirmed by ACS logs). I have User authentication working. But when I try to create the following rule: it does not work.
I am using ISE 1.1.3.124. My first question: I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (Machine Access Restriction in advanced settings for AD). Is it the same or not? Once you time out, you need to do machine auth again. What is the timer? Using the attribute "WasMachineAuthenticated", is it the same timer that you configure in MAR? In a distributed environment, is the information about a machine previously authenticated replicated to all policy nodes? Because, if a switch has 2 radius-servers, we are not sure that it will point every time to the same server.
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together, which means they need to meet both requirements to access the wireless. How can we do this? Right now it looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
- On ACS we were doing 802.1x Authentication over an Active Directory, assigning a VLAN according to computer/user group. In some cases the user VLAN could be different from the computer VLAN (ex. admin account connecting to a user account). This works great with ACS. I tested the same function with ISE and the behaviour is a bit different:
- When the computer boots, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user logs in, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer, not the user. So the authorization profile is the one from the computer, not the user.
It seems that the AD group attributes are not well updated:
- AD logs show the second authentication doesn't engage a new group parsing from AD.
- Shutting down the switch port when the user is logged in engages a new authentication and the AD groups are well updated.
- Bug toolkit references the same bug but for WLC (CSCto83897), so I suspect it's present in other cases.
I have a Linksys WRT54G router; have a cable internet connection through the router; and two wired desktops, one running Vista (32-bit) and the other XP. I would like to replace the XP machine with a wired desktop running Windows 7 (64-bit).
We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall. All our users use a proxy for internet access that's configured in IE, but from time to time some users need to remove this proxy and go directly out to the internet. With the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS, which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access, but I don't seem to be able to get it to work. I've got the AD side of it working fine; the ASA can pull users and groups from AD, but I'm struggling to get this working for a user.
First time VPN newbie. I need to set up VPN for a friend's small business using RV082 so, as a test, I set it up here at my home using a very basic config. The network topology looks like:
At a remote site, I fire up QuickVPN, enter the necessary data and successfully connect. Bring up Remote Desktop and put in the IP of my home PC and the logon username and, after a minute or two, it says "unable to connect to the computer" (or words to that effect). My home PC has been configured to allow remote desktop connections and this has occurred in the past, but not since the RV082 installation. There is nothing in the PC's logs nor in the RV082's logs.
At first I used ACS 4.2 to create a static IP address user for remote access VPN. It's easy, just configure it at User Setup > Client IP Address Assignment > Assign static IP address, but when I use ACS 5.2 I don't know how to do it.
I tried to add an IPv4 address attribute to the user by reading the "ACS 5.2 user guide"; it says this:
Step 1 Add a static IP attribute to the internal user attribute dictionary:
Step 2 Select System Administration > Configuration > Dictionaries > Identity > Internal Users.
Step 3 Click Create.
Step 4 Add the static IP attribute.
Step 5 Select Users and Identity Stores > Internal Identity Stores > Users.
Step 6 Click Create.
Step 7 Edit the static IP attribute of the user.
I just did it, but it does not work. When I use the EasyVPN client to connect to the ASA 5520, the user can authenticate successfully but will not get the static IP address which I configured on Internal Users, so the tunnel setup fails. I tried to configure an IP pool on the ASA for ACS users to get an IP address, and used the EasyVPN client to connect to the ASA; everything is OK, the user authenticates successfully. But when I remove the IP pool configuration and use the "add a static IP address to user" configuration, EzVPN fails. How do I use ACS 5.2 to create a static IP address user for remote access VPN?
I'm currently looking for a document that specifies how many MAC addresses can be stored and authenticated via an ACS (1120). I prefer to use the internal identity store over AD or LDAP for MAB authentication for an 802.1X project. I would like to know what the impact is on the ACS: CPU/MEM? What is the impact on the user authentication: delay, timeout, etc.?
I have a Cisco ACS 4.0 build 27 on a Windows 2003 server. My site was working fine when I had AD on a 2003 server. Recently I migrated my AD servers to 2008.
After the migration the ACS is not authenticating the users. Now I have made a server with 2003 and made the site work. I need a solution to make it work using the 2008 server. Is there any compatibility issue between ACS 4.0 and 2008 server?
I have 2 ASA 5520 (v. 8.21) in an active/standby failover configuration.
VPN users are authenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can still happen days after the account was created. In some cases it never seems to work. The accounts I create exist on the same OU level as all the other accounts that are working.
I tried to authenticate and authorize Nokia/Checkpoint, Nortel/AD3 and Nortel 5510 platforms using an ACS 4.1 for Windows. The ACCESS-REQUEST is well processed by the RADIUS server which sends ACCESS-ACCEPT to the AAA Client (i.e. NORTEL or NOKIA), but I have got privilege access denied on the Client side. The RADIUS IETF Dictionary is used for every device. All other Cisco devices authenticate and are well authorized.
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system. For example, an admin person in site A can only add devices into the site A group and cannot see/access other sites' groups.
We are rolling out a new VPN infrastructure utilizing ASA 5520's (one active/standby cluster at each of our two sites) and making the conversion from the old IPsec client over to AnyConnect 2.5 clients. We do have AnyConnect Premium licenses at both sites, but are not utilizing ISE. What we want to do is first auth the machine that's trying to initiate the AC VPN session to determine if it is a company-owned machine (with the idea that only co-owned machines can connect), and then auth the user using RADIUS, which uses attribute 25 to assign them into groups for policy application. We have the RADIUS piece working now, but is there a way to first do the machine auth, and then the user auth? We don't just want to use something like cert-based VPN because if the machine gets stolen (or a non-co user otherwise gets into the OS) then we don't want the non-legit user to be able to establish a VPN session just because they have access to a company machine. The other rub is that the machine auth solution must be cross-OS compatible (we use a mix of Windows, MacOS and Linux on the machines that should be allowed to VPN).
On wireless (Lenovo tablet x61) I cannot connect through the intranet - no problem connecting through the internet. When I manage to connect through the intranet, the connection is dropped quite often. No problem connecting via Ethernet cables.
I have to connect to a client machine using a modem. They have their telephone number and they are saying that by dialing that number I have to connect to their machine from my modem. How can I do this and which hardware and software do I need, i.e. the requirements to do this?
I am trying to get an XP machine to communicate with 2 printers that are wired via USB to a Windows 7 machine. Peachtree accounting is running on both machines and the Windows 7 machine holds all the data; this works fine, but when I try to share the printers I cannot. When I go into the Windows 7 Home Prem. network share and choose to allow printer and file sharing, close out the window, shut off the computer, reboot and go back into file and printer sharing, both are in the off position. What's up?
I have 4-5 machines connected to each other in a network which are in a workgroup. Now I want to change one group policy on a remote machine. The name of that policy is "Network access: sharing and security model for local accounts: Guest only". How can I change this policy remotely?
I'm trying to test such an 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: what is the difference between the protected identity pattern and the unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only and user only authentication).
I have a GRE Tunnel across my head office and remote site with multiple subnets using Cisco 1841 routers. I can ping most of the devices on the remote side, but I cannot ping certain devices. These devices respond to ping requests on the local LAN, but not through the WAN link. If I change the IP of the device then it starts responding. I am using the same gateway and mask on these devices. The remote site is running classic STP on switches with the distribution switch being the root bridge.
I have just reimaged one of my ACS appliances as it was completely corrupted. Now I have done this I have connected it to the network via DHCP so I can patch it from v4.2 to the latest version. The machine is now on the same VLAN as my workstation. When I try to login I get the message
"This machine cannot be used for administration"
The box is a vanilla install with only the passwords set on the machine - my workstation has its local firewall turned off and is not using a proxy server. As I can't log into the GUI, I can't change any settings there?