Cisco AAA/Identity/Nac :: ACS 5.2 TACACS+ And Two Factor Authentication?

May 1, 2013

I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA).  Is there a way to do it?
 
More info:
 
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.

View 5 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: Two Factor Authentication On ACS 4.x / 5.x

Mar 9, 2011

I would like to konw does Cisco ACS 4.x / 5.x natively support Two factor authenication, but not act as a Radius Proxy?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ASA5545 - Allow Tacacs Authentication

May 14, 2013

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
 
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
 
ERROR: Authentication Server not responding: No error.

View 20 Replies View Related

Cisco AAA/Identity/Nac :: Setting Up ACS 5.2 TACACS Authentication With JUNOS?

Aug 6, 2012

I have ACS 5.2 and JUNOS 10.6.x  I setup 2  classes eng-class and ops-class  with read/write and read-only permission here is my configuration on JUNOS
 
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx

[code]....
 
I have 2 separate Authorization policies for engineer and operator group.Result,

1.  engineering group is working fine.

2.  the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.

3.  Web authentication is not also working for bot group.

View 14 Replies View Related

Cisco AAA/Identity/Nac :: W2003 / ACS Tacacs Authentication Failed

Jun 27, 2012

we have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the  field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Juniper JWEB Authentication Via TACACS To ACS 5.1?

Dec 20, 2009

Having an issue with authenticating Juniper J Series and SRX devices with ACS 5.1 The devices can authenticate using TACACS to ACS 5.1 via the CLI (telnet / ssh connections) but cannot using the JWEB management page.Doing packet captures between the Juniper devices and the ACS 5.1 box shows the Authenticate phase passing, but it does not progress onto the Authorisation phase.  There is nothing of interest in the ACS Logs (Even with the debugging levels turned right up) The same Access service is in use for both the CLI and GUI (JWEB).Using ACS 4.1, both CLI and JWEB authentication works.[URL]I'm thinking the issue is with ACS 5.0 / 5.1 and it maybe not liking the response from the Juniper (even though it should be the same mechanism)

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACs connection works, and my user authentication is successful, but i can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
 
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
 
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
 
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....

View 24 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Failing To Authenticate Tacacs Authentication To ASA Firewall?

Jan 5, 2012

ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting

View 6 Replies View Related

Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've been configured my device 6506-9 with TACACS+ server authentication: [code]
 
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E

View 6 Replies View Related

Cisco AAA/Identity/Nac :: TACACS Authentication Working Via SSH But Not HTTP (ACS 5.1 / 3560)

Aug 26, 2010

My switches are able to successfully authenticate user access against ACS 5.1 via SSH with TACACS+, but I am not able to authenticate via HTTPS with TACACS+.  I don't even get a log in ACS when attempting to authenticate via HTTPS.
 
Here is my AAA config, followed by a debug:
 
aaa new-modelaaa authentication login ACCESS group tacacs+ localaaa authorization consoleaaa authorization config-commandsaaa authorization exec ACCESS group tacacs+ aaa authorization commands 1 Priv1 group tacacs+ none

[Code]......

View 8 Replies View Related

AAA/Identity/Nac :: ACS 5.4 - TACACS Authentication - Drop Straight Into Enable Mode?

Dec 5, 2012

I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently.  If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device.  Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device.  When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used.  On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE:  All servers failed to respond" when using locally configured credentials on the switch itself.  We are running ACS v4.2.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Catalyst 3750 - TACACS Authentication Stopped Working

Jul 25, 2011

We have a Catalyst 3750 switch that failed over to local login after the Tacacs authentication stopped working. I went through the configuration settings and everything appears to be identical to another switch in this same building.

View 4 Replies View Related

Cisco VPN :: Two Factor Authentication With ACS 5.1 And Vasco

Jan 2, 2012

How two factor authentication can be implemented using cisco acs 5.1 & vasco?

View 1 Replies View Related

Cisco :: ASA 5505 Two Factor Authentication With Certificates?

Jun 2, 2011

Has anyone tried to get two factor authentication working with the asa 5505. I have a CA setup and the enrollment emails are being sent out. But when I go to login to the enrollment site at [URL]. I get a page not found.

I would like to have one factor be a username and password and the second factor being a certificate on the device.

View 4 Replies View Related

Cisco VPN :: Two-factor Authentication Recommendations For ASA 5510

Dec 19, 2012

I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?

View 6 Replies View Related

Cisco Routers :: SA520 SSL VPN Two Factor Authentication?

Jul 30, 2012

Two factor setup with Symantec VIP? I just fined setting it up and VIP Service and SA520 seems to be synchronizing correctly but device doesnt direct VPN users for second authentication ?               

View 16 Replies View Related

Cisco Security :: VIP Two Factor Authentication With Either SA520 Or SA540?

May 2, 2012

I was very excited to read about the two factor authentication that Cisco and Verisign offer through the VIP and SA500 series routers.  I purchased an SA540 a month and a half ago.  I have been on the phone with support of both Cisco and Verisign ever since.  It appears no one actually knows how to make the product work.  Finally I was told that they have only tested it on an SA520.  So I bought an SA520; however, it doesn't work either. How to use the Verisign VIP two factor authentication with either an SA520 or SA540?  If so, what is the trick?  If not, how is Cisco advertising this product if it doesn't actually work?

View 3 Replies View Related

Cisco Firewall :: Setup SSL VPN With Two-factor Authentication On ASA5510 With Software Version 8.0(4)?

Dec 1, 2009

I am trying to set up SSL VPN with two-factor authentication on an ASA5510 with software version 8.0(4). I want to use LDAP for actual authentication and user mapping, but require a valid certificate signed by a particular local CA to connect.I have imported the CA's root certificate, signed an identity cert for the ASA box and imported, and assigned the cert ("trustpoint")  to the outside interface.Under the connection profile itself (for DefaultWEBVPNGroup), there is an option to select authentication method as AAA, certificate or both. AAA works as expected, authenticating against LDAP. If I select certificate or both, I get rejected with Certificate Validation Failure regardless of if I have a valid signed cert or not. This is what I see with "debug webvpn 100":
 
webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]webvpn_portal.c:ewaFormSubmit_webvpn_login[1964]ewaFormSubmit_webvpn_login: tgCookie = 0ewaFormSubmit_webvpn_login: cookie = c98f3940ewaFormSubmit_webvpn_login: tgCookieSet = 0ewaFormSubmit_webvpn_login: tgroup = NULLTunnel Group: DefaultWEBVPNGroup, Client Cert Auth Failed!Embedded CA Server not enabled. Logging out the user.webvpn_portal.c:ewaFormServe_webvpn_login[1904]webvpn_portal.c:http_webvpn_kill_cookie[682]
 
So, it seems the ASA is only trying to check the cert against a (nonexistent) ASA-based CA. How do I get it to check against an external CA cert?Under "Remote Access VPN -> Network (client) Access -> AnyConnect Connection Profiles", I have ticked "Allow Access" and "Enable DTLS". There is also an option "Require client certificate" which doesn't seem to do anything - whether or not I check it, I can connect and authenticate to the VPN with or without signed certs as long as the previous setting is "AAA".

Some highlights from the config:

crypto ca trustpoint ASDM_pfirewall01.company.tld enrollment terminal fqdn pfirewall01.company.tld subject-name CN=pfirewall01.company.is,O=Company,C=IS,L=Reykjavik keypair company crl configurecrypto ca trustpoint ASDM_TrustPoint0 revocation-check crl none enrollment terminal crl configure  no enforcenextupdate  no protocol ldap  no protocol scepcrypto ca trustpoint ASDM_pfirwall01.company.tld revocation-check crl enrollment terminal no client-types crl configurecrypto ca certificate chain ASDM_pfirewall01.company.tld certificate 02    30820598 30820480 a0030201 02020102 300d0609 2a864886 f70d0101 05050030     <snipped rest of cert>  quitcrypto ca certificate chain ASDM_TrustPoint0 certificate ca 00e2a6f08003ded6c9    3082054e 30820436 a0030201 02020900 e2a6f080 03ded6c9 300d0609 2a864886     <snipped rest of cert>  quitcrypto ca certificate chain

[code]....

View 9 Replies View Related

Cisco VPN :: Clinet Tacacs+ Authentication On ASA5510?

Mar 25, 2011

How to be able to locate a sample, working configuration of tacacs+ authentication on the ASA5510?

View 2 Replies View Related

Cisco :: CiscoWorks LMS 3.2 With TACACS Role Authentication?

Jan 4, 2011

I'm trying to get user authentication backed off to ACS 5.1, I've got it working but not the way I'd like.  This is using the TACACS settings not ACS mode.I've created a local user in CW and assigned it to the correct roles, then created a user in ACS with the same name and a different password and this works fine.My question is can I set the roles on the TACACS server using a shell profile/custom attributes.  All the documentation I can find is for ACS v4?

View 15 Replies View Related

Cisco Switching/Routing :: 6500 - Tacacs Authentication?

Feb 17, 2012

All ip's and any identifying numbers have been change to protect.
 
I have a 6500 series switch that for some reason will not authenticate to the tacacs server.  When you try, you get a password authentication failure.  However, it will let you use the configured username and secret to log in thru ssh.  And the enable secret to get into privileged mode.  Tacacs key is correct, btw.we will call the server vlan 300 and the admin vlan 400.the tacacs source interface is in vlan 400 and the tacacs server is in vlan 300.
 
I can ping the tacacs server via the switch, but when i use the source cmd with the ip address of the admin interface vlan, ping will not work.  I changed the tactics source interface to vlan 300 (the server vlan) and authentication with the tacacs server works fine.  ip routing is turned on.  There are entries for both the server vlan subnet and the ad-min vlan subnet in the routing table.  There are only standard access-lists, and none of them are blocking packets from getting to the tacacs server via the admin vlan. 

I could just leave the source interface on the int vlan for the servers, but I would like to find out why this isn't working.  I have 1 other 6500 switch on a different network that is configured exactly the same (except for ip's, keys, and vlans) and am not having any issues with that LAN.  I also have 6 other 3700 switches on the network that Im having an issue with, and none of them are having issues with authentication.

View 1 Replies View Related

Cisco :: ACS 5.2 / Configure Management-access Authentication To WCS Via Tacacs+?

Jul 12, 2012

I want to configure managment-access authentication to the WCS via tacacs+. The AAA Server is Cisco ACS 5.2.I made it and it works, but only with PAP Authentication Type. Chap doesn't work 4 me.The Access Service is configured with allowed protocols PAP and CHAP.The ACS Monitor just display an error with these steps:Received TACACS+ Authentication START  Request

View 1 Replies View Related

Cisco LAN :: 5.3.0.40.6 / Tacacs Appliances Crashing AD Authentication ACS Server Version?

Dec 27, 2012

We are using  Cisco ACS server Version : 5.3.0.40.6. Our tacacs appliances are crashing on AD authentication on a fairly regular basis.  I have been searching Cisco.com to see whether we are on the latest version or not  however I  couldn't find anything lattest than what we are currently using. Are we on the latest version?

View 1 Replies View Related

Cisco Wireless :: How To Configure ACS5.2 For TACACS Management Authentication Of WCS

Sep 12, 2011

Is there a decent guide on how to configure ACS5.2 for TACACS management authentication of WCS?

View 2 Replies View Related

Cisco Switching/Routing :: Configure Tacacs Authentication For Http In 2960

Oct 13, 2011

I am trying configure tacacs authentication for http in Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It ask the credentials (user and pass) but not authenticates.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think i've got everything set up to authenticate against AD for Tacacs+ device logins.  When i check the logs, i see:"24408 User authentication against Active Directory failed since  user has entered the wrong password".  This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
 
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating to ACS, and ACS is passing info back to the switch.  ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS For Network Access

Feb 27, 2011

I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Configure MS ACS 4.1.1.23 To Allow Linux TACACS

Sep 20, 2011

I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers.  The servers are capable of TACACS, are using port 49 and have the correct shared secret.  I believe I do not have the devices configured properly on the ACS side.  These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.

View 6 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved