Cisco AAA/Identity/Nac :: 5510 Assigning A User Group Using RSA Secure ID RADIUS Server

Feb 3, 2007

We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?

View 11 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: Use Radius On ASA 5505 To Block Outgoing User Access By Username In Group

Jan 15, 2012

Can I use AAA Radius on a ASA 5505 to block outgoing user access by user name in a group?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 5510 / Failed To Privilege Mode When Authenticated By Radius Server

Aug 26, 2007

I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 5K With Free-Radius Assigning Network-operator Role

Apr 26, 2011

my customer has FreeRadius, and I'm trying to get the server to assign a network admin role to a 5K running 5.0.3 code.This is based on the example given in this document: url...The server authenticates the user name, but will only put the user into the network operator role. This is confirmed by checking the output of show user-account and debug security user-db.The Radius test using the same credentials passes the authentication test. I'm sure the problem is that the N5K dosent understand the VSA format of the attribute, and that this is a simple syntax problem.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Secure ACS 5 For IP Address Assignment Via RADIUS?

Jan 13, 2013

I want to use RADIUS (of Secure ACS 5.3) to authenticate users within an ISP environment. Users log connect to a network using a point to point connection (L2) and then they are sending a RADIUS request to get IP adresses. Secure ACS is not quite easy to look through in that case.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Add RADIUS Attributes Under Group Setup In ACS 4.2

Jul 5, 2012

I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?

View 2 Replies View Related

Cisco VPN :: ASA 5510 - Group-Lock Not Working With Web VPN And RADIUS Authentication

May 16, 2013

I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.

WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.

View 4 Replies View Related

Cisco VPN :: 5510 - Separate RADIUS Profiles For SSLVPN Group

Sep 11, 2012

We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration but I do have some inquiry on how to have it configured properly.
 
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
 
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 User Group Mapping?

Sep 12, 2012

We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
 
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
 
For this I have configured "database group mapping" according to following cisco guide. [URL] 
 
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
 
whether "Group mapping by External user database"  works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.

View 4 Replies View Related

Cisco VPN :: 5510 - Authenticate One User In Only 1 Group?

Oct 20, 2011

I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.

How can I authenticate one user in only one group?Now with local users I can loggin in both tunnel groups

View 1 Replies View Related

Cisco :: WLC 2106 - Take Group B And Point It To A Radius Server For Authentication

Dec 13, 2011

In the WLC there are two groups (say A and B).  How would I take group B and point it to a RADIUS server for authentication? The server is ping reachable.  I have searched  but did not see any definitive answer.

View 3 Replies View Related

Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and i have user around 20 user and i want to specific user to tunnel-groups like this
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, How can i manag tunel-groups with user?

View 3 Replies View Related

AAA/Identity/Nac :: ISE 1.0.4 Machine / User ActiveDirectory Group Retrieving

Mar 6, 2012

We are migrating our ACS 5.1 to ISE 1.0.4.
 
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
 
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
 
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
 
It seems that the AD group attributes are not well updated :

- AD logs show the second authentication doesn't engage a new group parsing from AD
- Shutting down the switch port when user is logged engage a new authentication a AD group are well updated.
- Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.

View 0 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Stripping Radius User Prefix

Mar 7, 2012

I have configure my ACS 5.3 to strip the prefix of the radius username (Domain week wang) it received and I also configured my ACS as the External Radius Server. However, this does not seem to work. The authentication protocol that I am using is PEAP Mschap v2.
 
I have read inside this forum that due to the fact that the radius username and password is transited inside the TLS tunnel of the PEAP MsChap v2 thus ACS is not able to do the stripping as it is not allow to touch anything inside the TLS tunnel.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.1- Shell Command Works Under User But Not Group

Jul 27, 2011

This question might actually belong under tacacs server but it's only happening with the ACE.  I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor.  If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin.  We're running ACS ver 4.1 and the ACE is A4(1.1)

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.2 - Establish Independent User Group / Only VPN Username And Password

Mar 28, 2012

My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 ASA 5510 Radius Connection

Jan 17, 2012

currently I'm evaluating an ACS 5.2.I need to authenticate the VPN-Users against LDAP, but have no direct connection from the ASA to the LDAP-Server. So the ASA should connect to the ACS to ask the LDAP-Identity-Store, OK.
 
My first Problem is: the ACS doesn't respond to the RADIUS-Requests of the ASA! ASA use's Port 1812, the Secret is ok, the ASA is as a Network Device in the ACS configured and I've created an internal Test-User on the ACS.the Firewall-Log shows the established connection (so I think, there is a Hand shake!? ), but the ASA says in Radius-Test: "EROR:Authentication-Server not responding".

View 3 Replies View Related

AAA/Identity/Nac :: Get ASA 5510 To Use CHAP Via RADIUS Authentication?

Jan 13, 2012

I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached filehow I change from the PAP to the CHAP protocol?
 
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)

View 4 Replies View Related

Cisco Firewall :: DNS Server Group On ASA 5510

Apr 5, 2011

I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5508-WLC Using MS NPS As RADIUS Server For EAP-TLS

May 18, 2011

getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
 
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 / ISE As Standalone RADIUS Server

Apr 7, 2013

Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
 
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

View 3 Replies View Related

AAA/Identity/Nac :: Possible To Send VSA From Radius Server To ASA-5505

Oct 26, 2009

Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.Is there a similar VSA for split tunnel?

View 8 Replies View Related

Cisco Firewall :: File Transfer Using Secure Copy Server On ASA 5510?

Nov 13, 2008

I have SSH and SCP enabled on the ASA 5510.  I can SSH fine into the device. However, I cannot copy files to the device usng WinSCP.  Used all options but nothign seems to work.  I see the log authentication successful, but then WinSCP reports no response from ASA.

View 5 Replies View Related

AAA/Identity/Nac :: Turn Cisco 877 Router Into RADIUS Server?

Apr 22, 2011

I was just wondering if it was possible to turn a cisco 887 Router into a RADIUS Server. What i wanted to do was setup my wireless AP to authenticate using RADIUS, but didn't want to setup another server for the purpose.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: CiscoSecure ACS V4.2 RADIUS Logs Upload To FTP Server

Apr 24, 2013

I am using CiscoSecure ACS v4.2 appliance, in there any way that RADIUS logs upload to FTP server because it has limitation to store RADIUS logs.

View 15 Replies View Related

Cisco AAA/Identity/Nac :: Configure ACS 5.4 As Radius Server For Network Access

May 1, 2013

I'm trying to configure ACS 5.4 as radius server for network access (PPP connections).In monitoring and reports the users have green color , but the clients cannot send data. Auth method is CHAP/MD5.
 
Allowed protocols are set to CHAP and PAP only.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: MDS 9216i Switch - Nexus 4.27d And RSA Radius Server

Apr 13, 2011

I can authenticate between our MDS 9216i switch and RSA radius server but my role does not come across. The logged in user is a network-operator not admin. In the AV Pair i have defined shell:role*network-admin but it doesnt seem to come across

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Primary-secondary Radius Server Configuration

Apr 21, 2013

I have a couple of ACS 5.2 configured as active and backup and I am   doing dot 1x authentication using these servers . I have configured the  switch with the bellow configuration.
 
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
 
please help to understand what will happen in switch
 
1) in case of primary failure
2)in case if primary returns alive .

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Install Radius Server For 2801 Router

Mar 12, 2013

I am trying to install Radius server for a cisco 2801 router. I am not able to configure it properly.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 3550 Switch - Radius Server Source Ports 1645 - 1646?

Apr 20, 2005

I am configuring TACACS Authentication on Cisco 3550 switch .It has Version 12.2(25)SEA IOS image. A strange thing is happening, whenver I am enabling AAA new-model on this switch, and then after enabling I see ruuning-config . It shows me this
 
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
no tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server source-ports 1645-1646
 
* included here to hide the specific information I dint specified any RADIUS server , why it is showing me radius-server source-ports 1645-1646 after enabling AAA New-Model As soon as i give "no aaa new-model", this parameter also vanishes. I think this is the only reason I am not able to do tacacs authentication.

View 9 Replies View Related

Cisco AAA/Identity/Nac :: 3750 Fall Back To Local Vlan If Radius Server Is Found

Nov 14, 2012

We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.We do not know whether we configured switch in proper way or do we need to modify it. [code]

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?

Jun 5, 2012

Can use ACS 5.2 as Guest user authentication server?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved