Cisco AAA/Identity/Nac :: ACS 5.2 - Multiple Identity Store For PEAP

Sep 25, 2011

I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
 
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.

View 1 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: 7925 ISE Cannot Run Multiple Signed CA In Store

Jun 4, 2013

Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
 
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Identity Store Sequence And Token Validation

Dec 3, 2012

We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
 
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
 
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to    be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Connect To Multiple Identity Stores

Aug 15, 2012

I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 15015 Could Not Find ID Store

Feb 12, 2012

I'm trying to authorize managment access for HP ProCurve Manager via ACS RADIUS. But I get the failure: 15015 Could not find ID Store Machine is configured under Network Devices and AAA Clients, the sevice selection rule selects the correct access service, Access Service is Network Access, authorization profiles = permit access.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: How Certificates Work When Using PEAP On ACS 5.2

Apr 23, 2013

how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
 
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 With Certificates And Wireless PEAP

Apr 3, 2012

I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
 
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
 
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
 
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 PEAP With Machine Authentication

Sep 11, 2011

Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Connection To External ID Store - Encrypted?

Mar 14, 2012

are the connections between the ACS and external identity stores encrypted?I know that when setting up LDAP identity store there is the option to specify SSL conection.  Are the other connections encrypted by default, or is the data sent between the ACS and AD, for example, sent in the clear?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 / PEAP (EAP-GTC) Machine Authentication With LDAP?

Aug 19, 2012

Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
 
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
 
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
 
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.

View 18 Replies View Related

Cisco AAA/Identity/Nac :: WLC To ACS 4400 V5 To AD - 12309 PEAP Handshake Failed

Feb 25, 2010

I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked.  I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab.  Haven’t heard back.

View 6 Replies View Related

AAA/Identity/Nac :: SSL Certificate Installation On Acs Appliance 1120 For PEAP Clients

Apr 18, 2011

I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication

1) Server Certificate

2) CA certificate
 
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.

View 10 Replies View Related

Cisco AAA/Identity/Nac :: 5508 ISE Integration With PEAP (Server Side Cert)

Oct 20, 2012

We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
 
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2(0) Build 124 / Failed To Initialize PEAP Or EAP-TLS Authentication Protocol

Oct 31, 2010

I replaced an ACS certificate that had been installed as follows:

1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)

2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".

3. Install the certificate on the ACS. Restart ACS service.

4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"

5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.

6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
 
OS: Win 2003 sp2Cisco ACS: Release 4.2(0) Build 124

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Testing Windows 8 Consumer Preview With ACS 5.2 PEAP Auth

Apr 29, 2012

We are deploying ACS 5.2 to replace our ACS 4.2 in production.  I have two wireless networks setup as WPA2-Enterprise.  One points at the ACS 4.2 and the other at the ACS 5.2.  Both use the same SSL certificate with the same CN.  Both authenticate Windows 7 clients.  However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2.  The error it gives is:
 
11051 Radius packet contains invalid state attribute
 
It also shows no authentication method (most of the time).
 
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be.  On those requests, I get error:
 
24444 Active Directory operation has failed because of an unspecified error in the ACS.
 
Both ACs 4.2 and ACS 5.2 are pointed at the same Windows AD source.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Multiple EAP Certificates In ACS 5.2?

Feb 10, 2011

I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.I can only enable one certificate in system adminstration->local server certificates-> local certificates to use EAP.I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates the enterprise cert get EAP disabled and that authentication stops working av PEAP starts working.
 
Is the ACS5.2 only able to have one certificate enabled at the time for EAP?

View 10 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Multiple AD Domains

Aug 9, 2012

I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
 
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 - Delete Multiple Clients?

Jun 28, 2011

I've inherited some ACS appliances from another part of my organization.  I need to keep most of the settings but want to remove all the AAA clients; and preferably not one-by-one.  I don't see a way in the documentation and web searches have proven fruitless.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Multiple AD Domain Authentication?

Feb 3, 2013

I have acs 4.2 for windows installed on a windows server 2003 box, because of a merger I need to now authenticate against 2 different domains, there is a bidirectional trust between the two domains and the dial-in permission has been set in ADUC but whenever I try to authenticate a user it says dial-in permissions needed in the acs failed authentication log.

View 5 Replies View Related

AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?

Jan 14, 2013

I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x - Configuring Multiple AD Domains For Authentication

Jan 7, 2013

Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Multiple Domain Prefix Searching?

May 23, 2011

We have an ACS 5.2 server connected to an AD domain controller which has several trusted domains.  (domain1, domain2, domain3)  We currently have to specify which domain each user belongs to (ie, domain1user) in order to connect.  We would like to only have to enter the user name without the prefix, (ie, user1) and have ACS automatically check each domain for a match.  Is this possible with ACS 5.2?  I seem to remember this was possible with ACS 4.2.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Can Operate Simultaneously Multiple External DB In ACS 4.2

Jan 24, 2012

Can operate simultaneously multiple external DB in ACS 4.2?Mutiful External DB server is AD and Token server

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Authentication Using Multiple External Databases

Feb 7, 2012

We currently use ACS 4.2 for authentication of corporate users who are accessing the network in 2 different ways:
 
1) VPN client (via ASA5510)

2) Wireless (EAP-PEAP)
 
For all users who currently access the network via either of the above 2 methods, the Password Authentication under User Account settings in ACS is set to query an RSA SecurID Token Server.
 
We would like to try achieve the following in ACS:
 
IF an access request comes from the ASA (VPN clients), THEN we would like the user's password authentication to be handled by the RSA SecurID Token Server as it currently is. IF an access request comes from the Wireless LAN controllers THEN we would like to use EAP-TLS authentication. (We are aware that we would obviously need to configure the WLC, clients, PKI infrastructure etc accordingly for eap-tls). 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Multiple Instance Of Custom Attributes ACS 5.x?

Nov 27, 2011

is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
 
Number
#Name
#Description
#Type of Value
#Inbound/Outbound

[code]....

to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - AD Integrate With Single Domain Name With Multiple ADs

Sep 3, 2011

We having ACS version 5.2 0.26 with Active/Standby. We need to integrate active directory with ACS. Domain name given by Server team was as xyzcompy.local. When I tried to resolve the same domain name I got five servers ip address against the same domain name. however we given the ip reachability to only for two servers. We we try to save we get error saying that "Can not resolve the network address".
 
So my questions are;

- does ACS should have ip reachaibility to all five servers

- does the username/password we entered in the ACS should have domain admin rights?.

- the given AD is configured with windows NTP [URL] but when we configured ACS as windows NTP it was taking  local server as active NTP..?
 
When we check the ACS logs, we saw the following error;

in acsLocalStore:
AdminName=acsadmin, DomainName=qatarconvention.local, ADOperationResult=unable to create secured connection against AD server, switching to non-secured connection. javax.naming.CommunicationException: simple bind failed: qnccad02.xxxxconvention.local:636 [Root exception is java.net.SocketException: Connection reset],
in ACSADAgent;
32484]: INFO  dns.findsrv FindSrvFromDns failed: res_query failed _ldap._tcp.xxxxconvention.local
Sep  4 12:43:20 acs01-cc4 adjoin[32484]: INFO  cli.adjoin Join to domain 'xxxxconvention.local', zone 'null' failed.
 
I attached some screen print which saw the error and output of nslookup for the domain name.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 3395 - ISE Not Identifying AD Group Attributes When Using Multiple ISE

Oct 2, 2012

So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running  v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Can ACS 5.2 Support Multiple Active Directory Domains For 802.1x

May 25, 2011

I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
 
I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved