Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP

Sep 1, 2011

I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
 
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.

View 2 Replies


ADVERTISEMENT

AAA/Identity/Nac :: ASA5510 - WEBVPN User Authenticated Through LDAP Failure?

Feb 28, 2013

I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
 
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started

[Code]......

View 0 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5510 - Allow Only Authenticated Users To Enter Internet

Jan 3, 2012

I have an ASA 5510 with IOS 8.4. I want that only authenticated active directory users can pass the firewall.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5545 Ldap Mapping Is Not Working / It Allows All AD Users

Feb 28, 2013

I've configure Ldap authentication on ASA 5545 to allow only a certain user group. I mapped the the memberOf group but this seems not to be working as it allows all AD users. [code]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 - VPN Access Control Using LDAP

Mar 13, 2011

I am configuring an ASA 5520 for VPN access.  Authorization & Authentication use an LDAP server.  I have the tunneling configured successfully, and I can access internal resources.  What I want to do now is to restrict access to a specific AD Group membership.  In the absence of that group membership, a user should not be allowed access to the VPN.
 
My test VPN client software is Cisco Systems VPN Client Version 5.0.05.0290.  The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
 
The Software Version on the ASA is 8.3(1).
 
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. 
 
[URL]
 
The configuration (AAA LDAP, group policy, and tunnel group) is below.
 
aaa-server LDAP protocol ldapaaa-server LDAP (inside) host x.x.y.12      server-port 636      ldap-base-dn dc=domain,dc=com      ldap-scope subtree      ldap-naming-attribute sAMAccountName      ldap-login-password ********      ldap-login-dn

[Code].....

View 2 Replies View Related

Cisco Firewall :: ASA 5510 / Can LDAP-authenticated Remote User Be Assigned A Connection

Jun 30, 2011

ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not.  I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...".  I created a new Group Policy with split-tunnel enabled.  I created a new Connection Profile and assigned to it the new Group Policy.  When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want.  Each of them works, enabling or disabling split-tunnel.  But I want to assign a connection profile to the particular user, not give the user a choice.  The problem is I'm using LDAP authentication.  The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing.  I really don't want to give up LDAP and force people back to another local password.  But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile.  At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page.  Otherwise, DefaultWebVPNGroup will be the connection profile".  If I clear that switch every user will be assigned the same default profile, which does not work.

View 2 Replies View Related

Cisco :: SNMP Web Authenticated Users Wlc 5508?

Apr 4, 2013

I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
 
I am using an external web server and my client are authenticated with ldap.
 
I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.

View 2 Replies View Related

Cisco :: WLC5508 Limit Number Of Users Authenticated With One Login

Feb 28, 2012

Is it possible to configure WLC so that only one user can connect to wireless network at a time with one login? We have WLC5508 (7.2.103.0) web authentication with LDAP  (Active Directory).

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 1120 - How Many Devices (MAB) Can Be Authenticated

Jan 23, 2012

I´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project. I would like to know what is the impact on the ACS? CPU/MEM? What is the impact on the user authentication? delay, timeout, etc.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.0 Not Getting Authenticated With 2008 AD Server

Nov 8, 2011

I have a cisco ACS 4.0 build 27  on windows 2003 server . My site was working fine when i was having a AD on 2003 server . Recently i have migrated my AD servers is 2008 .
 
After the migration the ACS is not authenticating the users . Now i have made a server with 2003 and made the site working . I need a solution to make it work using 2008 server is there any compatiblity issue  between ACS 4.0 and  2008 server .

View 1 Replies View Related

Cisco AAA/Identity/Nac :: WS-C4510R+E - Wired 802.1X With ISE / Some Computers Cannot Be Authenticated

Aug 28, 2012

We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.The port configuration the authenticator (Cisco WS-C4510R+E IOS 151-1) are configured exactly the same: [code]
 
But for some reason some PC cannot be authenticated. A wireshark capture on the computer not working shows that the computer receives a EAP Request Identity and also send a Response Identity to the switch but then nothing happens more: So the process is stucked in the EAP-Response/identity. I attach a debug capture on the switch for one of the computer which cannot be authenticated.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Assign Static IP Address Depending On Authenticated User

Feb 12, 2012

Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??

View 13 Replies View Related

Cisco Wireless :: WLC 4404 Integration With LDAP To Authenticate Domain Users?

Feb 24, 2013

I have a WLC 4404 with LWAPs, the customer has a microsoft LDAP and all users are joined to the domain and he wants the users to be authenticated against their domain accounts and this should be done automatically so that when users login to windows they are also authenticated and joined the WLAN.so how we can do that with the simplest way, without Radius server using only the LDAP and wwithout envolving any certificates.also i need to know when i add LDAP server to the WLC, how can i know that this LDAP is properly inegrated with the WLC?

View 8 Replies View Related

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510

View 12 Replies View Related

Cisco AAA/Identity/Nac :: 2960 - Remote Desktop To Machine 802.1x Authenticated By User (Wired

Jan 22, 2012

802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly  then(3 minutes) is switch port down..
 
Debug radius authentication
Debug aaa authentication
 
Does not appear in the log only message port is down
 
Equipment;
 
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
 Client:windows xp, windows 7
 Cisco 2960 Port Config
 switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5510 / Failed To Privilege Mode When Authenticated By Radius Server

Aug 26, 2007

I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.

View 3 Replies View Related

Cisco VPN :: Spaces In LDAP OU Field ASA 5520

Jun 21, 2012

I'm running VPN SSL on an asa 5520 (V8.2.5) with LDAP authentication and everything works fine but now the AD people changed name in the groups and they added a " " "blank" in one of the fields so when I configured the group I get an error.

for example:

map-value memberOf CN=VPN_SSL_ABC,OU=External,OU=XXX,DC=ext,DC=local ABCPolicy
 
but this does not:
 
map-value memberOf CN=VPN_SSL_ABC,OU=External Group,OU=XXX,DC=ext,DC=local ABCPolicy
 
Is there any way to insert a space in the OU field?

View 2 Replies View Related

Cisco Firewall :: Enabling Microsoft LDAP With ASA 5520

Oct 27, 2012

I am trying to implement Microsoft LDAP server with our ASA 5520. The client is using Cisco VPN client and when I am trying to connect I am receiving the following error message:
 
"Secure VPN connection terminated locally by the client. Reason 413:User authentication failed"
 
I triggered the debug on the ASA 5520 and everything looks fine .The LDAP server is sending the right information without any error message.
  
Googled this error message and I found that I need to enable the simultaneous logins to enable. I enabled it but I got the same error message. This configuration is under remote access vpn>group-policies>General>more options.

View 64 Replies View Related

Cisco Firewall :: ASA 5520 SSL VPN LDAP Authentication Configuration Required

Oct 16, 2012

I've gotten to the point where I can test against active directory and get in, also I can get AD groups from my server on the ASA. My problem, I can't connect in via my AnyConnect client on my Android. I immediately get a "log in failed" and I know I'm using the right username/pass. Doing a little troubleshooting, I have attached my AnyConnect debug log and the results of the "debug ldap 255" command on the ASA. Also, I've used ldp.exe to determine I can connect in with the username/password combo I'm using.Combing through the AnyConnect logs I see a few instances of "global error unexpected" but no Google searches have brought up anything useful.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Integration With LDAP?

Jun 22, 2011

provide me  Step by Step procedure for integrating LDAP with ACS 5.2 .

View 1 Replies View Related

AAA/Identity/Nac :: ASA 8.3 LDAP Authentication For SSL VPN

May 16, 2011

I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003.  I have changed the read access on the Active Directory to allow Annonymous to read it.  I think I am missing something on the ASA config.  I have the Server Group specified with the address of the correct server but nothing else really configured. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.1 With Domino LDAP Integration?

Oct 23, 2012

know about Domino LDAP ? I would like to integrate this LDAP with Cisco ISE.I try to bind this LDAP but it does not show me anything in "Naming Context". So I cannot choose group to map into ISE.I test this on WLC. It is success to do but cannot make the same thing with Cisco ISE.Is this LDAP supports with Cisco ISE 1.1.1 ?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Use LDAP IS For One SSID And Use HOST IS For Another

Jul 31, 2012

I have 2 SSIDs on WLCs.I would like to have 1 SSID point to the acs radius using LDAP store and the 2nd SSID point to the acs radius using the host identity store for mac filtering.both scenarios are working, but not together.if I adjust the rule order I can get one SSID, but then the other fails. [code] It seems to me that there should be a simple process to make this happens. I thought if the rule is not matched it would move on to the next rule etc.I might be able to live with first checking ldap and if that fails move on to the local host db, but that seems ineficient. url...

View 3 Replies View Related

Cisco AAA/Identity/Nac :: How Can LDAP Client Connect To ACS 5.2

May 8, 2011

I have an CS-ACS appliance with 5.2.0.0.26.3 version. There is not any direct solution for connect ldap client to server. I have 3 servers that have only ldap and for authentication I can not use radius or Tacacs+. I need a solution for this problem. How can LDAP Client  connect to ACS when it has only ldap protocol?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Local Authentication With LDAP?

Sep 13, 2011

is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.

View 0 Replies View Related

AAA/Identity/Nac :: ASA 5510 - LDAP Authentication

Mar 2, 2011

I have a problem with LDAP authentication. i have an Cisco Asa5510 and windows 2008 R2 server. i create LDAP authentication.
 
aaa-server LDAPGROUP protocol ldapaaa-server LDAPGROUP (inside) host 10.0.1.30 server-port 389 ldap-base-dn dc=reseaux,dc=local ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local server-type microsoft
 
but when i test, i have an error (user account work directly in server)
 
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)ERROR: Authentication Rejected: Unspecified

View 11 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
 
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 EAP-TLS Binary Certificate Comparison Via LDAP

Feb 9, 2012

i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest. The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"

Evaluating Identity Policy
15004  Matched rule
22037  Authentication Passed
22023  Proceed to attribute retrieval
24031  Sending request to primary LDAP server
24016  Looking up user in LDAP Server - Alex Dersch
24008  User not found in LDAP Server
22015  Identity sequence continues to the next IDStore
24209  Looking up Host in Internal Hosts IDStore - Alex Dersch
24217  The host is not found in the internal hosts identity store.
22016  Identity sequence completed iterating the IDStores
 
but the user can access the WLAN just without verifying the user in the AD.
i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.
 
i configured the Binary Comparisation as below:
 
I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 LDAP Authentication With Apple Mac OS X Server?

Jan 24, 2012

Does Cisco Secure ACS 5.3 support LDAP authentication with Apple Mac OS X server? One  of our clients require an access control system. The major portion of  the network consists of Apple Mac OS X 10.7 (Lion) Server and clients.  They were using MAC-address based authentication along with LDAP through  Cisco Wireless LAN Controller. But now the number of users has exceeded  the maximum number of MAC addresses supported by WLC (2048). Hence we  suggested ACS appliance to overcome the limit. My doubt is whether ACS  5.3 appliance can communicate with the Mac server and perform LDAP  authentication.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Login 1841 By Using LDAP Account

Jan 14, 2010

I've set up a ACS 5.1 Server an want to use it with our LDAP System. Therefor, I'm trying to login to a Cisco 1841 by using my LDAP Account, but it dosent work. The ACS seems not to know that it should use LDAP, because I get,"22056 Subject not found in applicable identity stores"LDAP is configured as Identitiy Store, the bind test works successfully and I created a sequence, where LDAP is at first position. What goes wron?? (TATACS for loal ACS Users works)

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Configuring LDAP With Secure Authentication?

Mar 15, 2012

I am setting up an LDAP identity store over ldaps in ACS 5.1.  I specify that the connection uses secure authentication and provide the Root CA certificate.  When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test? 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 To Use Local Database When LDAP Fails

Mar 22, 2011

i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal,  AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.

View 7 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved