Cisco AAA/Identity/Nac :: ACS 5.2 ASA 5510 Radius Connection
Jan 17, 2012
currently I'm evaluating an ACS 5.2.I need to authenticate the VPN-Users against LDAP, but have no direct connection from the ASA to the LDAP-Server. So the ASA should connect to the ACS to ask the LDAP-Identity-Store, OK.
My first Problem is: the ACS doesn't respond to the RADIUS-Requests of the ASA! ASA use's Port 1812, the Secret is ok, the ASA is as a Network Device in the ACS configured and I've created an internal Test-User on the ACS.the Firewall-Log shows the established connection (so I think, there is a Hand shake!? ), but the ASA says in Radius-Test: "EROR:Authentication-Server not responding".
View 3 Replies
ADVERTISEMENT
Jan 13, 2012
I've setup my ASA 5510 to use AAA to my Windows Server 2008 NAP. After many hours of troubleshooting I got my setup to work. The only thing I'm not satsified with at the moment is, that RADIUS is using PAP for communicating between ASA5510 and W2K8/NAP.I've tried ticking the box "Microsoft CHAPv2 Capable" box under Users/AAA => AAA Server Groups => Edit AAA Server.From EventViewer on W2K8/NAP I get Event ID 6278 and 6272., see attached filehow I change from the PAP to the CHAP protocol?
PS: ASA 5510 running ASA version 8.2(4) and ASDM version 6.3(5)
View 4 Replies
View Related
Aug 26, 2007
I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.
View 3 Replies
View Related
Feb 3, 2007
We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
View 11 Replies
View Related
Jun 28, 2012
I am attempting to configure Radius authentication accross a site-to-site VPN for my ASA 5510-01 for remote access.
ASA5510-1 currently has a live site to site to ASA5510-2.
ASA 5510-1 - 10.192.0.253
ASA 5510-2 - 172.16.102.1
DC - 172.16.102.10
ASA5510-01 can ping the DC and vica versa but is unable to authticate when i perform a test. ASA5510-01 can authenticate to a DC on it;s own LAN but not on the remote LAN that DC sits on.
I have double checked the 'Server Secret Key' and ports as well as various users which all work locallly. ASA5510-02 authenticates to DC with no problems.
View 3 Replies
View Related
Oct 30, 2011
I am currently useing ACS 5.2 and have no problem using Tacacs+ with AD access.
But with Radius it seems I can only get the Local identity store to work, need to do something special to get Radius to work with active directory with Cisco ACS?
View 10 Replies
View Related
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
View 0 Replies
View Related
Dec 3, 2011
I need to configure RADIUS VSA configuration for a my alvarion device. Following are the attributes that need to be configured.
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)
[code]....
I was able to configure the first 6 attributes, how can I add the Sub - TLV's ClassifiedID, Priority, VLAN-ID and Classifier Direction which come under Classifier. Don't see any option for that in ACS 5.x
View 1 Replies
View Related
Jan 31, 2012
We have 2 ACS 4.2.1 servers in Windows 2003 with SP2 installed. We have updated the first ACS to the latest patches for Windows. After that we started having problems. CSRadius either stops by itself or when some time passes we get the following error in Failed attempts "Unknown error". When we restart the ACS services by the GUI, it resumes until the next time it stops.Do you happen to know if we have any bugs related to Windows patches?
View 3 Replies
View Related
Mar 25, 2013
I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!My running config:
Building configuration...
Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
[code]......
As a result the vlan-switch data based does not change.
View 3 Replies
View Related
Mar 10, 2011
I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
View 1 Replies
View Related
Apr 10, 2012
I have the next config of radius authentication:
aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
ip radius source-interface Vlan31 vrf LEGACY
[Code] .....
View 3 Replies
View Related
Mar 17, 2012
I want to add Radius attribute to Rad ware devices , so I will have the option to grant "read only" permission to users. as I understand I need to add VSA for the "read only" permission, or configure specific "Service-Type value 255"
in the following picture you can see the required information from Rad ware:
View 1 Replies
View Related
Mar 28, 2013
I am using the Self RADIUS server in my Cisco ACS SE 4.2 appliance S. I have an AAA client C that interacts with S by means of the RADIUS protocol. This works fine, in that S correctly carries out authentication chores on username/password (PAP and CHAP) pairs received from C, sending back to C the corresponding Access-Accept packet when the authentication succeeds, or Access-Reject when it doesn't.
I have been able to import a set of three VSAs into S. Each of those attributes is of string type. I then configured in S a single user U with password P so that, whenever a U/P pair received in S from C is authenticated by S, S should send back to C, in the Access-Accept packet, the three attributes with the following values: [code]
With this setup, when an authentication is successfully completed by S, C receives 53 bytes worth of data from S every time. I am attaching a typical example, already disassembled. I have disguised the actual vendor ID, for legal reasons, but the rest is exactly as it was when received in C.
According to the disassembly, what we got is an Access-Accept packet, as expected. Its length is 53 bytes - again as expected, for this is the only packet that C has received from S here. However, the packet is incomplete, for attribute #3 is missing its value field.
Looking into the whole packet in more detail, it can be seen that while the wire format for the first attribute, namely, Frame-IP-Address, is correctly constructed, the remaining are not. For example, the sequence of bytes corresponding to the attribute #1 reads 1a 09 00 00 xx xx 2c 61 62 63. I believe that this is incorrect; it should be 1a 0a 00 00 xx xx 2c 61 62 63, for the wire format for this attribute consists of 10, not 9, bytes. I tried a few variations on the values for the attributes, and the results are always substantially the same, in that the wire formats for these attributes are always incorrect.
This all probably implies I have done something wrong when importing the VSAs into S, and/or when configuring things on S. I am therefore attaching the csv files I used to import my VSAs into S; as before, names and vendor ID are disguised, but their lengths are exactly the same as in the undisguised file. I used two csv files: One to import the vendor ID, and the other to import the VSAs under that vendor ID. As for user U, in S's administration GUI I clicked on User Setup and selected user U, moved to the bottom of the screen, where the attributes for this particular vendor were present,introduced the values for each attribute mentioned above, and made sure that button in front of each attribute was ticked.
View 2 Replies
View Related
Apr 19, 2009
I am doing the initial configuration on our ASA 5510 to use our Radius server just as our 3005 VPN Concentrator did. I can do the test connection inside the ASA with no problems, and when I authenticate using the Anyconnect client, it appears to authenticate fine, but then dumps the connection with an error stating there is not enough memory in he ASA to allow this connection, the error message is as follows:
Error Message %ASA-4-722004: Group group User user-name IP IP_address Error responding
to SVC connect request.
Explanation There is not enough memory to perform the action.
Recommended Action Purchase more memory, upgrade the device, or reduce the load on the device.
Can this really be the case with no connections active, a single user attempting to authenticate through Radius and an out-of-the-box ASA 5510?
View 3 Replies
View Related
May 16, 2012
I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS? The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files. These are the values that I need added for OPNET. When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA): Vendor Code: 7119 VSA: 33.
View 2 Replies
View Related
Feb 27, 2012
When I upgraded my cisco 3750 ME from c3750me-i5k91-mz.122-46.SE to c3750me-i5k91-mz.122-58.SE2.bin all commands for radius disappeared? However, there are a lot of commands to ldap which was missing in the previous version. Seems as if the radius has disappeared and been replaced by ldap?
View 1 Replies
View Related
Feb 27, 2011
I am trying to configure ACS 5.1 to authenticate SSL VPNs on an ASA5500 and aslo to provide admin access to the ASA5500 both via radius.I want to authenticate the VPN against a SeureID appliance and the admin login against a different database (using internal for testing but will use LDAP in the end).I cant seem to get the ACS to distinguish between the two authentication types. If I create a rule that says match protocol radius I can point that at either database but if I try saying match radius and service type 5 it doesnt match the VPN and falls through to the default authentication service. I have also tried matching service type 6 for admin and that doesnt seem to work either.In the end what I want to acheive is to authenticate teh ASA5500 VPN against the SecureID appliance and then admin access to all devices on teh newtork (a mixture of Cisco, F5 and Juniper) to active directory via LDAP where if the user is a member of the "admin" group they get access.I was intending to use specific devices for the ASA5500s (there aretwo) and then creat a device group based on IP address range for everything else.
View 4 Replies
View Related
May 24, 2011
I am trying to authenticate on Juniper NSM express using cisco ACS 5.2. The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.
View 4 Replies
View Related
Nov 18, 2012
I have CISCO ACS 5.1 radius for VPN on ASA and tried to configure an NDG on it for AIRONET 1260 too and worked fine with IEEE 802.1x CISCO EAP-FAST authentication As I had some trouble to let users to authenticate only on VPN if are VPN users and only on CISCO AIRONET if need only WIFI AIRONET I tried exception policies rules but something not working. VPN was ok but not WIFI access denied for rule policy access I decided to install CISCO ACS 4.x on Windows 2003 that is on ACS 5 DVD I created NDG as done on ACS 5 put a shared secret , put on AIRONET too as done for ACS 5 but I receive an error against ACS 4.x To troubleshout it I tried [URL] but not work ! I think to have done all fine owever on ACS 5 it worked in 5 minutes I searched log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this: [URL]Changed shared secret more times but ever not workign with ACS 4 I need to have user and password prompt on client trying to authentincate on AIRONET WIFI and I need ACS INTERNAL USER no active directory, no LDAP , no external user database?
View 1 Replies
View Related
Jan 9, 2012
I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
View 3 Replies
View Related
May 26, 2011
is command accounting for Radius supported on ACS 5.2 ? provided vendor's radius implementation supports this capability.
View 1 Replies
View Related
Nov 19, 2012
I am trying to move my ISDN dialup branches authentication/authorization from old ACS 4.1 to ISE appliance. Before it was through ACS 4.2 with TACACS protocol but now since we are moving to ISE we are moving them to ISE with radius.
Problem is that isdn client gets authenticated and authorized but calls get dropped and they dont able to communicate with HO. IP address is assigned by Head End router to all remote isdn dialing branches..
I have used default "PermitAccess" in authorization policy and authentication policy is also default. I dont understand where I am going wrong as authentication and authorization is sucessful.
aaa authentication ppp default group radius local
aaa authentication network default group radius
aaa accounting network default start-stop group radius
radius-server host 12.18.22.41
radius-server key *****
View 8 Replies
View Related
Aug 21, 2011
I need to configure the ACS 5.1 to meet the following requirement :-
1. ACS 5.1 will point to a RSA SecurID as the first authentication mechanism for the validation of user credential
2. In the event that RSA SecurID is not reachable, the ACS 5.1 shall point to its local user database.
I had no problem configuring for Point (1), but I am not able to let it failover to the local user database.
View 11 Replies
View Related
Jul 4, 2012
how to setup ACS 5.3 to authenticate wireless users over radius? I currently have the SSID pointing to a Microsoft IAS server and would like to move the authentication to be done via ACS.
View 1 Replies
View Related
May 18, 2011
getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC. Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
View 2 Replies
View Related
Apr 10, 2013
i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?
View 2 Replies
View Related
Jan 19, 2012
I have configured a Cisco 877 router to send RADIUS requests when a user logs in to the console (Line Console or Line VTY) using the following config:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I log the RADIUS packets I see that the Cisco router is sending the initial AccessRequest using PAP.
How can I configure the router to send it's inial AccessRequest packet using CHAP?
View 5 Replies
View Related
Apr 7, 2013
Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.
View 2 Replies
View Related
Aug 14, 2011
So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.
A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).
View 3 Replies
View Related
Oct 31, 2010
For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"... Not sure what else to try to get this to work...
here is a like to the document i'm following: URL
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.
View 9 Replies
View Related
May 17, 2011
I have a 5510 authenticating successfully with a RADIUS server. I'm using it for VPN authentication and it works great. I would also like to do this for administrator access to the ASA. When I turn it on though, any authentication for VPN access is also granted administrative access to the ASA. Obviously, I need to limit that to a select few users.
View 1 Replies
View Related
Dec 22, 2012
Using Cisco ASA I want the ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed. When i try to test the user which i have created on the ACS-Server 4.2, the test gets successful. where i have made a mistake in my configuration ?
View 2 Replies
View Related
