Cisco AAA/Identity/Nac :: ACS 4.2 Authentication Using Multiple External Databases
Feb 7, 2012
We currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
1) VPN client (via ASA5510)
2) Wireless (EAP-PEAP)
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
We would like to try achieve the following in ACS:
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls).
I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.
Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon LDAP:Externalgroups groupname1 Result Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
We have a business case where we have a group of ASA 5505's in 3 locations with anyconnect user licensing on all 3 for redundancy.The problem we are facing is that when we need to authenticate our anyconnect clients we use active directory servers located at site 1 and the other 2 sites need to contact these MS AD Servers over an already connected VPN tunnel to site 1 (IPSec l2l) but cannot.So the layout is as follows:Site 1 (houses AD servers) has l2l tunnels to site 2 and 3Site 2 (any connect essentials enabled) has l2l tunnel to site 1 and 3Site 3 (any connect essentials enabled) has l2l tunnel to site 2 and 3AD servers are ip'd as 10.1.1.11 and 10.1.1.4If I use anyconnect to site 1 it authenticates fine - as expected.Site 2 and site 3 fails to contact AD serverAny thoughts on how we can accomplish this(or is it even possible to do?) without exposing the AD server in a DMZ or via external ip?
I have Cisco WLC 2504.I was configured one wlan with external web-authentication.External web server is apache on freebsd.When user connect to wlan and open web browser, wlc redirects client to external web page, where client must input hist credentials.When client click "submit" button on external web auth page, wlc initiates RADIUS request to radius server.Radius server(freeradius) is on the same server, where apache running.
sometimes, when client enter credentials on external page and click "submit" button, wlc suddenly redirect client on internal default auth page.
I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working - Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2. - Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
Reason I need to configure it this way is:
- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address. - Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
For guest clients , we have configured guest vlan and applied external web authenication on WLC 5508 , the session timeout value is 2700secons . When a client open a browser to internet page , wlc will redirect to URL and get the login page . After completed the login , he can go to internet page . We find the iPhone and ipad clients will get the login page again ahfter ~ 5 mins , it is mismatch with session timeout value 2700 sec (45 mins) .
I follow step by step the link bellow to configure web-auth with external RADIUS server but I receive a error on console debug of the WLC "Returning AAA Error No Server (-7) for mobile"My Radius Server is fine, because I can authenticate on WLC Web page with RADIUS user. WLC 4402 version 4.1.171.0 [URL]
I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
We have a working config with 1 external IP, we need to a second webserver (https) and it should be routed via a second public IP address. I already tried some suggestions from the community but haven't been able to find the solutions.
xxx.xxx.xxx.194 is going to the internal IP of 192.168.60.1 for OWA (https) xxx.xxx.xxx.195 should go to a new webserver on 192.168.60.3
both server should be connected using SSL This is the current configuration :
ASA Version 8.3(1) !hostname fwdomain-name domain.localnames!interface Vlan1nameif insidesecurity-level 100ip address 192.168.60.250 255.255.255.0 !interface Vlan2nameif outsidesecurity-level 0ip address xxx.xxx.xxx.xxx 255.255.255.0 !interface Ethernet0/0switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passiveclock timezone CEST 1clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00dns server-group DefaultDNSdomain-name domain.localobject network obj_any subnet 0.0.0.0 0.0.0.0object network NETWORK_OBJ_192.168.70.0_26 subnet 192.168.70.0 255.255.255.192
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
Questions / Integration Adapter Cisco Prime.There is an integration adapter for HP uCMDB to get CI information from Cisco Works (Prime whatever ….).We set up a user for CW according to “Open Database Schema Support in Cisco Prime LAN Management Solution 4.2” , page 1ff.According to this document we created a user lmsdatafeed. If we run this integration from HP uCMDB / DDM we can connect to rmeng database using jmx to port 43455, but we have not sufficient privileges to get all the needed information. We tried to connect with a user that has full rights (Admin User), but we cannot connect at all with this user. We use Cisco Prime LMS 4.2 and we want to have our network devices as Configuration Items (CI's) in our HP uCMDB Our question:Would it be save to give more privileges to the user lmsdatafeed ? And if yes: How can this be done ?Is it possible to give an admin user the rights to connect by jmx/jdbc ?Below I post the communication protocol of the adapter, connection is OK and the first select statement to, but them this user doesn't have enough privileges. The error messages are in german for some reason ... (means: "User has not sufficient privileges to selet from DM_Dev_State")
how to properly route multiple external IPs to internal ips assigned to several servers. Where I'm getting a bit lost is that I have two levels of routing - one from the outside into a comcast business class cable modem, which also creates its own internal network. Within that internal network, I have my RV180 router, which creates another separate internal network in which the servers live (don't want the servers to have access to other computers within the Comcast Modem's internal network). I want to map the external ips to servers within the RV180 second level network.
To diagram:
Comcast Cable Modem / RV180 Computer(s) / S1 S2
An internal IP is assigned to the RV180 router. Suppose it is 192.168.1.100.
The cable modem itself supports NAT as well. Do I use NAT twice (on both cable modem and RV180) to route the external IP to S1 and S2?
Or do I modify the routing table on the cable modem? Then use One to One NAT on the RV180 to map the external IPs directly to the internals?
I have an existing pair of PIX 515E that has two interfaces. One connected to the public internet via my ISP and one internal. I recently ran out of IP's and had the ISP route an additional block to public IP of my firewall. This isn't working for some reason and I'm trying to figure out why.
The "ip address outside XXX" command defines the outside address and I don't see any way to add a secondary sub net.
I tried just adding a rule to the firewall for one of the IP's in the new subnet, but I can't seem to get traffic to pass though the device.
if possible with the RV042.Primary External IP address uses port forwards for some ports, all okay.I would like to have other external ip addresses assigned to machines on my lan.Basic host multiple web servers, on different IP addresses, using port 80. [code]
From what i am reading, it looks like the RV042 can do this, but I am not real clear what my rules should look like.
I would think my high priority rule for each external IP address would be to deny all traffic first for each machine on the lan.Then create one entry with source 202.x.x.2 port 80 -> 192.168.168.2 ?
How should I set my rules to do this, and what settings should I have on the Nic of the second machine?
Due to special circumstances we have 2 ISP links on an ASA5510. I am trying to terminate some L2L VPN tunnels on one link and others on the second ISP Link, eg below:
LOCAL FIREWALL crypto map outside-map_isp1 20 match address VPN_ACL_Acrypto map outside-map_isp1 20 set peer 1.1.1.1crypto map outside-map_isp1 20 set transform-set TS-Generic crypto map outside-map_isp2 30 match address VPN_ACL_Bcrypto map outside-map_isp2 30 set peer 3.3.3.3crypto map outside-map_isp2 30 set transform-set TS-Generic crypto map outside-map-isp1 interface ISP_1crypto map outside-map-isp2 interface ISP_2 crypto isakmp enable ISP_1crypto isakmp enable ISP_2 route ISP_1 0.0.0.0 0.0.0.0 1.1.1.254route ISP_2 3.3.3.3 255.255.255.255 2.2.2.254
Establising the VPN tunnels in either direction when using ISP_1 works fine establishing in either direction from remote access users and multiple L2L tunnels (only showing one for example).
On ISP_2 1. Peer 3.3.3.3 device establishes a VPN tunnel, but the return traffic does NOT get back to devices on 3.3.3.3 tunnel. 2. The local firewall does NOT establish a VPN tunnel going to 3.3.3.3 It would seem to indicate that the problems lies with this multihomed firewall not directing the traffic correctly to either return down and establised VPN tunnel (point1) or to intiate a tunnel if none exists (point 2).
Reconfiguring the VPN tunnel peer for 3.3.3.3 to be on ISP_1 of the local firewall, all springs into life! There are sufficient license etc...
I'm planning to create a network of wifi access points all in different locations. Those locations all have different wifi routers and networks. I'm looking for a easy solution that let easily setup those networks to ask authentication credentials (in a browser page, once a user is inside the wifi and wants access the internet) by an external server possibly without overloading too much that server.
I am working on replacing our Checkpoint Firewalls with ASA's, and am running into the following NAT problem. On some of our Checkpoints, there are external NAT's that are mapped to multiple internal hosts based on ports.Is there any way to translate that to the ASA? I'm not sure the ASA will let you have multiple internal hosts mapped to one external IP using static NATs. The main issue, is these are alarm panels that receive data from external hosts (the traffic is initiated externally on the Internet) so I can't use dynamic PAT with this.
Our company has a Server in the office to which we all map network drives.This server is backed up to a Cloud Server (egnyte.com). Whenever I am working on a database on the mapped network drive, it freezes up after 5-10 minutes with the alert "Your network access was interrupted.To continue, close the database,and then open it again."
This problem does not occur with any other Office Products,only Access.It happens to all databases on the server and to all users.
It does not do this when the file is saved on my desktop or when I am working on it directly through the cloud server. When working on the cloud server, however, I went to Compact and Repair my database and a window came up saying the file location did not exist and my whole database disappeared. It was already saved in the file location, I was just compacting and repairing.
Is there some problem with using a local server that backs up to a cloud that makes it lose connectivity every few minutes? Why is this only happening with Access?
The users belong to Multiple AD domains. If we purchase WLC 2500 controller. Can I have one more WLANs authenticate to multiple radius or ad domains? I thought one WLAN/ ssid authenticate to single radius server.
I have looked through the forum and think that I have found the answer to my question but I just need confirmation of my thoughts. We are using a 5508 W LAN controller running software ver 7.2.110.0 and LAP 1142n AP's.
What I would like to do is to configure multiple guest W LAN for each of our regional offices. Each of these W LAN needs to be configured with a Web Authentication page relevant to the office location. My question is this, can I have a Web Authentication page for each location or just 2, the default internal page and 1 customized page?
My boss just asked me if there was a way for him to move from point A to Point B with his wireless laptop and NOT have to reauthenticate at point B if I install another access point there. Right now I have us setup on a Cisco WAP4410N Access Point that works well when he's within range of the antenna. The point B location is upstairs and while it's only about 50-70 feet away from the Point A access point the signal he's getting there is very weak so he wants me to install another AP there.
IOW he wants to authenticate once at point A and when he walks up to point B he wants the laptop to pickup the newer hotter signal when I put another AP point in.
