Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
we have acs 4.2 as our radius server, and 2 wlc 4404 with a wism2 for our wireless network. we have 2 SSID network, lets call them SSID A and B. A have a more restricted access to server than B.PEAP machine authentification is authorize on both network, to let our users laptop connect before the user login, this enable us to have our computer gpo deploy before the user logon, or have network access to authenticate a user to our directory if he had not logon previously on the laptop.
Users from group A can't logon to SSID B, they can only logon to SSID A, but we have some clever users from group A who have change they wireless setting to only send machine authentification (this can be done in the advance setting of a wireless network in windows 7) to connect to SSID B
We can't force the wireless config by GPO because we don't have an ad 2008 domain, we are still in 2003 soo we can't change the gpo for windows 7 wireless setting . I can't force user to require machine authentification and user authentification because we have a lot of ipad and iphone, and other mobile device that connect using only their user credentials.Is there a way I could configure this without having to disable machine authentification for SSID B?
I replaced an ACS certificate that had been installed as follows:
1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)
2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".
3. Install the certificate on the ACS. Restart ACS service.
4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"
5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.
6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003. I have changed the read access on the Active Directory to allow Annonymous to read it. I think I am missing something on the ASA config. I have the Server Group specified with the address of the correct server but nothing else really configured.
is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.
but when i test, i have an error (user account work directly in server)
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password ***** INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)ERROR: Authentication Rejected: Unspecified
Does Cisco Secure ACS 5.3 support LDAP authentication with Apple Mac OS X server? One of our clients require an access control system. The major portion of the network consists of Apple Mac OS X 10.7 (Lion) Server and clients. They were using MAC-address based authentication along with LDAP through Cisco Wireless LAN Controller. But now the number of users has exceeded the maximum number of MAC addresses supported by WLC (2048). Hence we suggested ACS appliance to overcome the limit. My doubt is whether ACS 5.3 appliance can communicate with the Mac server and perform LDAP authentication.
I am setting up an LDAP identity store over ldaps in ACS 5.1. I specify that the connection uses secure authentication and provide the Root CA certificate. When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test?
While configuring LDAP , I got struck in “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.
I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA. In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down. I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain. As a condition, it shows up as DomainName:External Groups. I set the permission to Permit Access.
Originally, I was failing authentication and I was receiving Subject Not Found in Store. I adjusted the Identity Sequence and now I receive a the following error:
15039: Selected Authorization Profile is Deny Access. So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Is there a way to authenticate a windows computer in ACS 5.2 for 802.1x only with a certificate.The Computer is from a different active directory than the one that is configured in ACS.I tried importing the cert into "external indentity Stores" > "certificate authorities", then setup the computer to use smart card or certificate, then selected the certificate from the other AD.when i look at the ACS log, here is the message i can see: 22044 Identity policy result is configured for certificate based authentication methods but received password based
we have a customer with a wifi deployment aruba 3600 controller based. Corporate SSID authentication is EAP-TLS double machine and user authentication through ACS 4.2 against AD and Microsoft AC PKI infraestructure based; it was working ok. After migrating from ACS 4.2 to 5.2, both authentication (machine and user) are reported as succeed by ACS but aruba controller does not recognize machine authentication. It seems that controller sees two authentication users and not an machine followed by and user one. We have revised configuration in detail and it seems correct. We begin thinking it could be a bug .
A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query PC, handing this off to ACS, that bit I'm ok with. The ACS needs to query the CA server to authenticate the PC, its this process I'm not sure about.
Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
I am using ACS 5.3. I have succesfully configured Machine Authentication for a Windows 7 laptop using EAP-TLS. The ACS is configured with an Active Directory external identity store where the Windows 7 laptop is configured as part of the domain. I'm pretty sure that the ACS was using the AD to authenticate the laptop's name because at first the authentications were failing because I had the Certificate Authentication Profile configured to look at an attribute in the client certificate that was empty. When I fixed that, the authentication suceeded.
I started doing some failure testing so I disconnected the Domain Controller from the network. Sure enough, the ACS shows the Active Directory external store is in the Disconnected State.I then went to my Windows 7 laptop and disconnected the wireless connection and connected it again, expecting it to fail because the AD is down. But it succeeded! My Win 7 laptop is accessing the network wirelessly through a Lightweight AP and 5508 WLC. The WLAN Session Timeout was set for 30 minutes. So even with the AD disconnected, every 30 minutes, the ACS log showed a successful EAP-TLS authentication. I then changed the WLAN Session Timeout to 2 hours 10 minutes. Same thing, every 2 hours 10 minutes, a succesfull EAP-TLS authentication. I really don't know how the authentications are succeeding when the AD is not even connected. Is there a cache in the ACS?
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
- I have a cisco unified network (ACS 5.1, Cisco controller, LWAP) and have configured ACS to integrate with AD.
- I am using this network for Laptops and wireless IP phones access.
- I have only one Service Selection rule for both Laptops and wireless IP phones. All the conditions attributes are set to ANY except Protocol = Radius
- I select a simple Identity Policy and I use a sequence where IP phones users are authenticated using ACS local user and the Laptops users are authenticated using AD
- Laptop users are authenticated using PEAP and IP phones users using EAP-Fast
Everything is working fine BUT I need to make 2 changes and eventhough I spent many hours hours on forums and reading articles and trying things myself I can't get the changes to work.
The first change is to use 2 Service Selection Rules one for the IP phones and one for the Laptops. After adding another service selection rules that I put at the top, I tried many combinations to try and get the IP phones to use it but whatever I did (used different combinations of conditions), the IP phones always select the 2nd rule, which is the original one. The question is "what conditions to put in a service selection rule to make wireless IP phones use the rule).
The second change is that I want to add machine authentication so only Laptops that are in AD can access the network. AGain I tried various settings but can't get this to work.
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
I have a Cisco Small bussiness RV120w and I setup the radius server , WPA2 Enterprise with a windows 2008 NPS radius server . The big problem is that the authentication fails .This is the error that I see in event viewer / server roles / Network policy and access services: reason-code 49 "The connection attempt did not match any connection request policy".The radius key is matching between the server and the client . The radius server is reachable and I don't find any routing issues .Does anybody tested this router with this type of wireless security?
I have a WPA2/AES network with PEAP MsChapv2 authentication. I have 2 ACS servers for authentication. The problem I have is dropped clients. Both ACS servers are setup identical. The database replcation has been preformed.A series of 10 clients connects wirelessly and they are all successful. ACS server 1 is the primary and ACS server 2 is the backup. We verified that the 10 users authenticated to the primary ACS. My time out to reauth is 30 minutes on the WiSM. 10 minutes into the test we took down the Primary server. This should have had no impact on the clients. 5 minutes later the clients lost thier authentication and were dropped from the network. They were able to reconnect by shutting down thier wireless client and reconnecting. The authentications were seen on the Backup ACS server.on a test of falling back to the primary the same thing happened again to the clients.
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon LDAP:Externalgroups groupname1 Result Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
i am facing an issue while trying to configure LDAP integration on Cisco ASA firewall. The requirement is allow the remote access VPN to specific group defined on AD. When i checked the debug logs " debug ldap 255" , it shows that the authenication is sucessfull with the LDAP server , but the ldap attribute is not getting mapped and because of this reason , the tunnel-group default group policy of "NOACCESS" is getting applied ( vpn simultanous set to zero) that results zero connection.
I confirmed this by changing the value of NOACCESS from zero to one and found that the VPN is getting connected
The name of user account is testvendor that belongs to the group of Test-vendor.
The configuration and debug output is shown below.
SHOW RUN ldap attribute-map ABC-VENDOR map-name memberOf Group-Policy
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
I have cisco ASA 5505 with security plus, i configured remote VPN with ASA for LDAP authentication which works as i want. Now i have a requierment that some users needs to get access via remote VPN but they are not part OUR SERVER Active directory, Is that a possibility that users have an access of remote VPN while not creating an account in AD and perfrom local authentication via firewall for them?
