Cisco AAA/Identity/Nac :: ACS 5.2 - Adding Custom Attributes For Juniper Netscreen TACACS+?

Aug 9, 2011

I am trying add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
 
ervice = netscreen {
vsys = root
privilege = read-write
} I know how to add this to a version v4.x ACS

However, I do not know how to apply this to the custom attribiutes to a v5.x ACS?do I add the vsys and privilege attribute seperately or together? What should be the attribute name? netscreen? Should it be mandatory?

View 4 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: Juniper Netscreen Integration In ACS 5.1 Tacacs

Oct 21, 2011

I wants to inegrate Juniper netscreen firewall in Tacacs Cisco Acs 5.1.As I go through Juniper KB which mentioned that I need to enable Netscreen Service in Cisco ACS 5.1. how to enable Netscreen service in Cisco Acs 5.1 and how I got Further to integrate Juniper Netscreen Device in Cisco cs 5.1

View 2 Replies View Related

AAA/Identity/Nac :: Juniper Netscreen Radius Authentication With ACS 5.1

Jun 3, 2011

Several of my older netscreen devices only support radius authentication and I'm having trouble migrating them from ACS 4.2 to ACS 5.1. When I try to authenticate, the authentication passes in ACS but it doesn't log you into the Netscreen (you see a auth failure in the Netscreen logs). I believe that the custom attributes are not being passed from ACS to the Netscreen. The custom attribute we are trying to pass is "NS-Admin-Privilege" with type integer and a value of 2. The netscreen is setup so that the user privledges are obtained from the ACS server.
 
Any setup where they are using Cisco radius authentication to authenticate Netscreen devices?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Custom Attributes And Wireless Groups?

May 13, 2012

I have been tasked with migrating from ACS 4 to ACS 5.3. I havent had any training and so i am finding it a bit different. Currently i have this issue -
 
I have a group in  the ACS 4 for users accessing via wireless on the ACS - Code...

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Multiple Instance Of Custom Attributes ACS 5.x?

Nov 27, 2011

is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
 
Number
#Name
#Description
#Type of Value
#Inbound/Outbound

[code]....

to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase.  There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Acs Is Not Receiving Tacacs Requests From Juniper SSG140

Dec 11, 2011

I have configured ACS 5.1 and using Tacacs. I have two juniper SSG140 FW's in different subnet. Tacacs authentication is working on one SSG140 FW, but not on the other one. Tacacs configuration on both FW's are exactly the same. Both FW's have been added in the ACS server with the same shared secret key same profile etc. I don't even see the authentication requests from the FW. ACS can ping both FW's and vice versa. [code]

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Tacacs Custom Attribute For Nexus 1000V

Jul 18, 2011

how to add tacacs custom attribute to ACS 4.2 for Nexus 1000V:shell:roles="network-admin admin-vdc"In the interface configuration I've added new service, service - shell, protocol - tacacs+.In the group settings I've enabled this attribute configuration. And it is not works. Default privilege level is assigned to any user with access allowed.

View 8 Replies View Related

Cisco Firewall :: ASA5510 - Adding New Custom Client To AD Agent?

Feb 1, 2012

we're currently evaluating how we can attach our web based business application to the AD Agent in order to perform Single Sign-On against it. Our users are connecting via VPN to an ASA 5510 which is configured to use our Active Directory for authentication. After access granted the users may access a web server with our business application and should be automatically logged-in there without having to re-type their credentials.

View 0 Replies View Related

Wnr834m / Adding Custom Service On Netgear Port-forwarding Will Not Work

Sep 16, 2011

I am trying to set up a custom service on my netgear configuration page. I have a netgear router model# Wnr834m. every time i click the "add custom service" button the page redirects to "system authentication failed" and logs me out. What can i do to set up the new port?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 - Add RADIUS Attributes

Mar 17, 2012

I want to add Radius attribute to Rad ware devices , so I will have the option to grant "read only" permission to users. as I understand I need to add VSA for the "read only" permission, or configure specific "Service-Type value 255"
   
in the following picture you can see the required information from Rad ware:

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Add OPNET Radius Attributes In ACS 4.2

May 16, 2012

I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS?  The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files.  These are the values that I need added for OPNET. When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA): Vendor Code: 7119 VSA: 33.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 / 5.3 Configuring Packeteer Attributes

Oct 9, 2012

We have found the following  issue configuring radius attributes for network access with packeteer appliances.with PAcketeer-AVPair  attribute , value --> access=touch Login fails and we see this
 
PacketShaper# radius login user password
"user" RADIUS Authentication Fail
Vendor-Specific: ccess=touch  <--- value is bad
 
PAcketeer is not receiving  vendor-specific value correctly, As workaround , we put other character  before value --    xacces=touch
 
PacketShaper# radius login user password
"user" RADIUS Authentication OK
Vendor-Specific: access=touch

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Add RADIUS Attributes Under Group Setup In ACS 4.2

Jul 5, 2012

I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Specific RADIUS Attributes For IP Phones

Mar 28, 2011

I am doing MAB (MAC authentication bypass) for IP phones and printers.
 
But these devices are authenticated with different identity stores (IP phones with AD, printer local host on ACS)
 
Is there any specific AV Radius attributes that i can use in the compound conditions selections which is specific for the IP Phones?
 
so when doing the Authentication, i could seperate each type (IP phones or Printers) with the appropriate database.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.1 - AD And RADIUS Attributes Mapping

Aug 18, 2010

I'm trying to dynamically assign  IP address for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS (note in "acsuserguide51") but Im not exacly sure what can and can't do with it. In "Authorization Profiles" in RADIUS Attributes tab I try to mannually add specific Attribute (Framed-IP-Address).
 
I have no problem (everything works just fine) with static address assignment in a way as below:

AD is already integrated with ACS and I've managed to download Directory attributes especially msRADIUSFramedIPAddress
 
When I change "Attribute Value" from static to dynamic type I see  the option to select AD (but "Select" which should list all available attributes is empty)
 
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Authorization Profile / RADIUS Attributes

Jun 1, 2011

I am setting up Radius AAA for cat6K switch.For authentication its work and user can login to switch. But for the privilege level assignment, it does not work. After loging in, I always get privilege 1. I need your guide on how to configure on ACS 5.1,  RADIUS Attribute.I follow the document to configure the cisco-av-pair for assign Privilege 15 and Privilege 5 , but it does not work.This attribute format was shown in document is to set Privilege 15, "shell:privlvl=15" it is correct way of configure it on ACS 5.1

View 5 Replies View Related

Cisco AAA/Identity/Nac :: 3395 - ISE Not Identifying AD Group Attributes When Using Multiple ISE

Oct 2, 2012

So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running  v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Radius Attributes And Device Administration / Shell

Sep 18, 2012

Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following Attribute:Attribute = F5-LTM-User-RoleType = Unsigned Integer 32Value = 300.
 
My question is:How can I define the same as above using 'Device Administration/Shell Profiles' ?

There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under Custom Attributes tab there is only space for 2 fields and not 3 fields).

View 3 Replies View Related

Cisco AAA/Identity/Nac :: How To Setup ACS 5.4 And Juniper J-Web

May 29, 2013

I have set up an ACS 5.4 box and have some test devices connected to it.Cisco and Juniper, both working fine using TACACS I can connect to both using SSH or Telnet but my problem is the J-Web Juniper GUI I can access the J-web no problem with the root account. i can not seem to get it to work, no matter what I try. Here is my shell from the ACS box And the following Juniper configuration.  I have tried binding the local-user-name attribute to both the remote and remoteadmin with no luck.
 
version 9.6R1.13;
system {
host-name Juniper-Firewall;
authentication-order [ tacplus password ];
root-authentication {
encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA

[code].....

View 17 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Authentication Based On IMEI And MSISDN Attributes

Apr 19, 2011

I've been working on trying to get RADUIS authentication working for devices connecting to our corporate mobile APN.  Out APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request.  We have mobile SIM cards with an MSISDN value match with a physical device with an IMEI value.  The SIM cards cannot be used in other devices, only their matched device.  The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI
 
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Based On IMESI & MSISDN Attributes

Jan 9, 2012

I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3/I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise.  Also previously I could define IP pools on ACS 4 but can't seem to do that now.  Is there a way have ACS 5.3 to provide a DHCP server address for the connection ?

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Radius Juniper NSM?

May 24, 2011

I am trying to authenticate on Juniper NSM express using cisco ACS 5.2.  The request is arriving at the cisco ACS but i am getting the following error.RADIUS requests can only be processed by Access Services that are of type Network Access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Authorization With Juniper WXC-3400

May 5, 2013

In the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but having issues with authorization on the Juniper WXC-3400 devices. In ACS  4.1 we were passing TACACS+Shell (exec) Custom attributes Privilege level=15, which allowed a user to login with read/write privileges. In ACS 5.3  tried setting the Shell Profiles common task to 15 for both Default and Maximum (one at a time, and together), as well as setting the Custom Attributes for priv-lvl=15 (with and without Common Tasks set).
 
A capture shows Auth Status: 0x11  (ERROR).

View 15 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Radius Accounting From ASA And Juniper?

Apr 10, 2013

i changed from ACS 4 to ACS 5.2. Everything works fine but i have authentication failed in the Radius accouting reports every time when users connect through ASA or Juniper into our network. Juniper amd ASA only send accounting informations to ACS. The users are not configured on the ACS, authentication is done via external LDAP. So my question is why do o see authentication error on ACS because Juniper and ASA only send accounting packets ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure Custom Attribute ACS 5.1

May 30, 2011

I want to configure RBAC for ANM 4,2 using tacacs+ and ACS 5.1 [code]

When the admin user logs in, this policy element is triggerd, but the Role is not sent back.How to configure the Custom Attribute?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.1 Custom Smtp Port Number?

May 31, 2012

I have a ACS 5.1, My mailing server does not run on standard port number of smtp (25). Need to know if i can customize the port number suiting my mailing server requirement.

View 0 Replies View Related

Cisco VPN :: ASA 5520 / Error / Split Tunnel Attributes(51) Greater Than Max Allowed Split Attributes(50)

Jul 21, 2012

We have ASA 5520 acting as the VPN Server and Cisco 1941 router as EZVPN client. Since last few days client is not able to establish vpn connection. 1941 router is continuously generating the below log messages
 
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50)
 001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=vpn_user  Group=VPNGROUP Client_public_addr=<client public ip>  Server_public_addr=<server public ip>
 004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think i've got everything set up to authenticate against AD for Tacacs+ device logins.  When i check the logs, i see:"24408 User authentication against Active Directory failed since  user has entered the wrong password".  This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
 
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating to ACS, and ACS is passing info back to the switch.  ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS For Network Access

Feb 27, 2011

I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Configure MS ACS 4.1.1.23 To Allow Linux TACACS

Sep 20, 2011

I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers.  The servers are capable of TACACS, are using port 49 and have the correct shared secret.  I believe I do not have the devices configured properly on the ACS side.  These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.

View 6 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved