Cisco AAA/Identity/Nac :: ACS 5.1 Using Local Users As Fall Back For AD
Aug 24, 2011
I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials.I want to do the following: for an account that exist on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.I heard about Identity Sequence in ACS. But I still don't see the right configuration,
View 2 Replies
ADVERTISEMENT
Nov 14, 2012
We have configured following commands on switch to fallback to local Vlan if both radius server (policy persona's) is found dead. For test purpose we shutdown both servers (policy persona's) but fallback didn't work. We have 3750 switch running image 12.2(55)SE6 having following configuration.We do not know whether we configured switch in proper way or do we need to modify it. [code]
View 5 Replies
View Related
Feb 8, 2012
After completing an AD upgrade to 2008r2 I've had my fill of roaming profiles. I want to change all users back so that their profile is on their pc. Of course ideally I'd like this to occur with the user affected as little as possible. Most users are still winxp but some win7 machines too.
View 18 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
May 23, 2012
when I ping another workstation on my local network I should get back it's local IP but instead I am getting an ip address that resolves to somewhere in Germany! In fact if I ping any bogus name, I mean anything, it returns this same address 62.116.181.25. If I shut down my cable modem then everything resolves correctly. And yes I have DNS relay enabled because it seems to be the only way to get the workstations to resolve external sites correctly.
View 2 Replies
View Related
Aug 17, 2011
I have ACS 5.1 configured to authenticate users based on Active Directory. I have configured wired 802.1x too, with machine authentication enabled on ACS.When I login with credentials that exist in AD, it works fine. Then I configured Windows Authentication to ask for credentials (popup window). But I experience network disconnection when I login with a local account even though I entered correct AD credentials.I want to do the following: for an account that exist on the machine being authenticated (non-AD account), ACS should check its local database and reply with authentication success if it finds it, so the user is granted network connectivity.I heard about Identity Sequence in ACS. But I still don't see the right configuration,
View 2 Replies
View Related
Jul 10, 2011
We are required to change passwords every so often at my job. I am trying to change the password for one of the local user accounts on a 5508 WLC running 7.0.98.218 - How can I accomplish this task? The option I get is to remove the users.
View 1 Replies
View Related
Jul 16, 2012
I am trying to configure a Cisco ASA 5505 so that users can authenticate via Radius or via a Local account using the Cisco AnyConnect client. In the AnyConnect Connection profile, the basic tab, it has Authentication Method. We have this going to an AAA server group with Use Local if Server Group fails option is checked.Each time, I see where the user has failed while attemtping to log in to the domain via the radius servers and thus bypasses the local user database all together.
View 3 Replies
View Related
Jan 25, 2012
Since the number of computers are expanding at my home, I want to reduce Wireless Connectivity and increase Ethernet connection between computers. I will be running a Server that supports 10 TB Storage.Will a Custom PC be better or should I use a NAS connected to a web server?
I currently use a Linksys WRT160n router that supports only 4 ethernet connections.Now I need at least 40 Ethernet connections. Will a Switch do? Also I will be running Asterisk to support Telephones.
My web server will not function globally. Only in LAN.And also, the web server will have a 250gb Wikipedia Dump that will deploy 10 times; and also a lot of video from KhanAcademy for knowledge base.I am looking for something powerful which will be quiet and have less downtime.I have checked out Newegg, eRacks, and many other websites. But I am confused with what to consider buying.
A Local Web Server or a custom built PC for 10tb hard drive suppoty.Router that can provide wired connection to about 40 users.A Terminal so I can monitor the bandwidth usage.
View 19 Replies
View Related
Jan 22, 2012
I haven't got time to test different configurations yet. Just want to quickly ask here about the fall-over route-map configuration. I saw lots of example using pip prefix-list to specify the next-hop for tracking. Is that the only way you can do it? Can you just use a standard ACL to specify that host like permit host 10.2.2.2? ip prefix-list will do like ip prefix-list seq 5 permit 10.2.2.2/32. And you apply the prefix-list to route-map then. ACL will work?
View 2 Replies
View Related
Apr 24, 2011
I am wondering if I can make our WAP4410 fall under two ip address ranges. I want to have a network for the office users and one for the guest users. We currently use a Safe@Office500WP Checkpoint router. It allows us to create multiple network ranges. We have the office users wireless under 192.168.0.1 ip range and the Guest Wireless is under the 192.168.200.1 range. Do I need two access points or can this be done with just the one?
View 7 Replies
View Related
May 29, 2012
Is it possible to assign IP addresses to remote site WIFI users from local DHCP server and forward all other traffic to 2504 WLC?
[WIFI Users] >--------<AP (DHCP server) >------ VPN ---------< WLC
View 1 Replies
View Related
Jun 24, 2012
Is it possible to export internal ACS users from an ACS 4.x Windows (On ESXi), solution to an ACS 5.x solution. All I want to be able to do is export usernames and passwords out of the 4.x solution and then import them into the 5.x solution. I thought maybe the CSUtil program be used ?
View 3 Replies
View Related
Feb 9, 2012
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
View 3 Replies
View Related
Mar 19, 2012
How to configure the ACS5.0 radius for remote access VPN authentication.
And how could I implement the IP Pools for the VPN users.
View 4 Replies
View Related
Sep 5, 2011
After some time no using Cisco ACS5.1, I still don't know how I can see all logged in users. I can see logging and check why an log in goes wrong, but in ACS 3.2 I just clicked on Reports and Activity and I could choose to see logged in users, or failed attempts, etc.
View 2 Replies
View Related
Jun 9, 2011
I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.
View 1 Replies
View Related
Mar 21, 2012
on ACSv5.2...are there any limitations on the number of users that can be imported via CSV file...i.e. will the ACS handle 250,000 internal users for example?
View 1 Replies
View Related
Apr 28, 2013
I'm at the point of setting up admin access for engineers needing to have insight into the operations and status of our ACS 5.3 systems. any way to create a Dashboard that can be applied to all admin user accounts? (perhaps a custom role?)I've been able to customize the dashboard for my own account to show what is most relevant, but am unable to figure out how to apply this layout and setup to all other users.
Basically, I have a number of folks that need to see this data, but that I can't exactly count on to setup their own dashboards to show the important details. If there were some way to build a tab/dashboard/portlet, etc (whatver it may be) and have it apply to all users, that would save me TONS of work so that I don't have to login to each person's account and set things up for them.For example, I want to have all users see a tab/dashboard that shows the applet "Live Authentications", but with the protocol already configured to display TACACS vs the default which is RADIUS.
View 3 Replies
View Related
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies
View Related
Jul 22, 2012
Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
View 9 Replies
View Related
Apr 23, 2012
Do you know if it's possible to use ACS 5.x in such manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against and external database, like Active Directory?
View 2 Replies
View Related
Jun 13, 2011
I have cisco ACS 5.2 and external identity source as RSA secure ID.Currently when the RSA user login to AAA Network devices, User id & passcode prompt coming after giving the credential its going to user exec mode.Then after "enable" command again asking for Passcode giving passcode then user able to logged in successfully.
I need RSA users to get direct privlege level15 (privlege mode) ? no need to ask enable password ?
I checked this for local ACS users it is working and loca users getting directly privelege mode access...
View 2 Replies
View Related
Mar 14, 2013
I'm working with a cisco wlc and acs 5.3 . I have two profile or ssid's and one of them is working with web authentication and the accounts exists in the local database of cisco acs.
I'll would like to know how can i should configure mac authentication on the cisco acs 5.3?
My purpose is authenticate users first by mac, and second by the account of local users in the cisco acs.
View 10 Replies
View Related
Dec 22, 2012
Using Cisco ASA I want the ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed. When i try to test the user which i have created on the ACS-Server 4.2, the test gets successful. where i have made a mistake in my configuration ?
View 2 Replies
View Related
Jan 24, 2013
We want to deploy NAC for 500-600 users across WAN. We are planning for L3-OOB-Real Gateway central deployment Solution.We are having two NAC Server (3355) two NAC manger (3355) at HQ and 6 NAC Server(3315) at branch. We deployed NAC under VRF.How we can deploy NAC over WAN without NAC Server, need step by step configuration under VRF.
View 1 Replies
View Related
May 13, 2013
its been a while since I configured a Cisco firewall (PIX 6.0, SDM) - I've now been thrown in the deep end with a pair of 5525-X's (Latest Software) and I need to achieve the belowWebsense integration (Got this working)AAA Authentication for various outbound traffic routes.I'm using ASDM as I'm more comfortable with the GUI than CLI (I'm the other way round with switches!!!), I have AD Agent configured but the ASA isn't doing anything based on User Name but I have a few other things to try. What I'm trying to achieve now is ignoring certain user names from being matched to IP Addresses as I believe that this may have something to do with it.We use Sophos AV and each PC requires a Service Account to run Sophos under. Each update that Sophos attempts is seen as a login and that is the user attached to the IP Address of the machine. Within Websense, it can be told to ignore certain users for purposes of filtering and reporting etc.. but I dont seem to be able to do this with the AD Agent.
View 3 Replies
View Related
Jul 1, 2012
we have TACACS+ based AAA on our network equipment, authenticating against internal user database on a network of ACS 5.3s.What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs.I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
I want to ignore all authentication attempts, unless they are coming from well known source IPs.Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Oly attempts from 10.20.30.40 should be considered for user netmon.I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.
View 4 Replies
View Related
Mar 16, 2011
I have a Cisco ACS 5.2 and have set it up as a RADIUS server. I was wondering if there is a way to add and update users automatically? We have a large number of users > 1000 that need to be added into the system and I don't want to do this manually. These users also update their passwords on a regular basis so I would need a script that would update the users automatically without any user intervention.
View 4 Replies
View Related
Jun 9, 2013
I've successfully integrated ACS 5.3 with Active Directory for 802.1x implementation. Now i want to cache Active Directory users in ACS so that the user request from ACS does not go to AD every time.
After a certain time period the ACS database gets sync with AD.
View 3 Replies
View Related
Apr 8, 2009
The ACS can authenticate people using local database , it can also authenticate a single user (using windows database) if you are fast after the service is restarted , however after a few secounds, it fails to authenticate any users , the error we are seeing on the logs appear as authentication failure type : internal error. Also on the log files, the authentication request from the user does not appear in the correct group, it is thrown into the default group.
View 7 Replies
View Related
Mar 6, 2011
I have configured 1841 router as VPN server. All VPN users are getting authenticated using radius in ACS 4.1 I need to apply per-user downloadable ACL.
I have configured ACS for the Downlodabale ACL. Even ACS report acivity shows that ACL is applied to the authenticated user, but the traffic is not blocked or passed accordingly.
View 2 Replies
View Related
Apr 11, 2013
I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not realy sure.
So here's what I tried.Linking identity group to external group and provide full command priviliges - enable still didn't work Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt hit enter on the blank promt then prompts for Old and new passwords but fails everytime with an Error in Authentication.
View 8 Replies
View Related
