Cisco AAA/Identity/Nac :: ACS 5.2 Add A User Into Several Groups?
Apr 5, 2011
We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
View 5 Replies
ADVERTISEMENT
Jul 7, 2011
We have ACS Engine 4.1 and want to upgrade it to 5.x.
Is the new version of ACS 5.2 allows a user to belong to several groups of AD ?
View 2 Replies
View Related
Dec 12, 2011
I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
View 3 Replies
View Related
Apr 14, 2011
I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies
View Related
Jan 23, 2012
I have seen some discussion in the forums regarding user defined groups being empty in LMS 4.0 but not 4.1. I am having this issue in 4.1. Under User Defined groups, I have created 2 logical groups named "Physical Location" and "Switches". These do not contain any actual devices, they are just containers for other groups. Under the Physical Location logical group I have created 2 other groups, Acuna and Hampton. Under the Switches group I have also created 2 groups, HDM and HHC. The criterion for the Physical Location group is based on the first 3 characters of the hostname:
Device.System.Name startswith "hdm"
The criterion for the Switches group is based on the value of a user defined field, Admin_responsibility:
Device.Admin_responsibility equals "HDM"
The Physical Location groups work - the Switches group does not. Both the HDM and the HHC group should contain several devices. The HDM group contains 2, the HHC contains none. If I edit the groups and click "next" until I get to step 3, Membership: Edit, the "objects matching criteria" list is fully populated - it contains the devices that it should contain. However, after I click "Finish" and go to Inventory => Add / Import / Manage Devices there is no change in group membership - the HDM group contains 2 devices and the HHC group contains none.
View 4 Replies
View Related
Jun 1, 2012
I'm setting up a new SF-300-08 with SNMP.I have defined Groups OK.But, when I go to Add User, the Group pulldown is grayed out and I can't add a user.
View 1 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Jul 21, 2011
I've run into an annoying issue with my ACS 5.2 install. I can no longer add directory groups in the AD settings, the ACS comes back with "The item you are trying to delete is referenced by other items.You must remove all references to this item before it can be deleted." but I am not deleting any group, just adding.
Could probably be cleared with removing the AD setup completely, which for obvious reasons is not something I want to do.
View 3 Replies
View Related
Aug 4, 2011
I have seen similar references to this issue, but no concrete solutions. My new ACS appears to join my domain with little or no issues, however, when I go to list the groups nothing is ever listed.Running ACS as a vm.I have set the ntp server on the ACS server to match my domain.I can ping all domain controllers/DNS servers.nslookup resolves hostnames of my domain controllers
***Update***
I verified that a computer account for my ACS is in fact being created, however, I am receiving some Kerberos errors on my DC with the FSMO roles:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 26
Date: 8/5/2011
Time: 3:07:46 PM
User: N/A
Computer: <MY DC>
Description:While processing an AS request for target service krbtgt, the account <ACS SERVER> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 17. The accounts available etypes were 23 -133 -128 3 1.
View 2 Replies
View Related
Jun 13, 2011
I have an ACS 5.1 and am trying to integrate with windows 2008 R1. The ACS has a valid AD account and indicates that its connected but when I try to list any directory groups my windows IE browser hangs?
View 2 Replies
View Related
Nov 4, 2012
I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
All the logins hit the Admin account, even though the id in AD is not in the that AD group. I have something screwed up.
View 6 Replies
View Related
Jan 2, 2011
Recently I've been working with the ACS 5.2 (Installed on VMWare). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I change the AD platform to Win Server 2008 Enterprise edition (x64).I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
So, when I used the Win server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD the ACS and the Server get Synchronized but when I want to add the groups for the Authentication purposes there is no one, absolutely nothing... so I cannot do any test.Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and at the end the platforms are compatibles.
View 13 Replies
View Related
May 13, 2012
I have been tasked with migrating from ACS 4 to ACS 5.3. I havent had any training and so i am finding it a bit different. Currently i have this issue -
I have a group in the ACS 4 for users accessing via wireless on the ACS - Code...
View 4 Replies
View Related
Jan 18, 2011
I'm trying to setup ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a users AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...
1) Network Devices and AAA Clients -> Define VPN
2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
Policy Elements:
Q1) Policy Elements - Do I need an authorization profile for each group:
Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
RADIUS-IETF attribute 25?RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?Other?
Access Policies:
Q1) Do I need to enable and use group mapping?
Q2) Do I need a Network Access Authorization Policy for each group?
View 8 Replies
View Related
Aug 21, 2011
I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access 5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.
On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.
On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.
I am not sure if some more configuration needs to be done on ASA and ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA, under each corresponding group policy, using vpn-group-policy command? Or I need to do something else on ACS?
Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?
View 8 Replies
View Related
Jan 14, 2013
I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?
View 1 Replies
View Related
Dec 20, 2012
We are running ACS 4.0 so understandably so we are looking to upgrading to a Cisco supportable version of ACS. The limitation of our current version of ACS does not support nested AD groups. The latest version of ACS (I think it is 5.4) will?
View 1 Replies
View Related
Jan 28, 2013
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
View 1 Replies
View Related
May 4, 2011
I'm working with a 1113 ACS device running the 4.2.0.124 software. I'm trying to get multiple network device groups to use an existing Remote Agent set up for authentication against our Windows domain. For instance, we want our infrastructure switches to authenticate agains the local Active Directory and our WLC to authenticate users agains the same Active Directory. When I try and set both network device groups to use the same remote agent, it fails and reports either the host name is already in use or the IP address overlaps with an existing remote agent.
The question is:
Can I have multiple network device groups use the same remote agent? Or do I have to install the remote agent software on separate Windows servers in order to have different types of devices authenticate against the Windows AD?
View 1 Replies
View Related
Jan 5, 2013
what is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.
View 2 Replies
View Related
Jul 26, 2011
We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies
View Related
Jun 12, 2011
I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies
View Related
Mar 29, 2013
i have cisco ACS 5.2 and want to create user account for technician, with only certain commands.
View 3 Replies
View Related
Mar 7, 2012
On the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies
View Related
Apr 28, 2011
My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope. We are migrating from ACS v4.2 to v5.2. I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal. The user role does not have privileges for show start-config or show running-config. Am I missing something or are these the only 2 roles available at the CLI? Can another rolle be added?
View 1 Replies
View Related
Nov 12, 2012
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies
View Related
Jun 25, 2012
on the acs 5.2 , how to delete specific log for user X, ?
View 3 Replies
View Related
Feb 18, 2013
So we have this problem that just started, I can replicate the issue as well, if a user makes a mistake on typing there password after 1 attempt ACS sends 3 to AD locking out the user.
In a putty or secureCRT session after 1 password failed attempt, I am unable to retry with that same session.
The issue seems to be that after 1 bad password attempt, from the client side I am unable to get another try.
View 1 Replies
View Related
Sep 12, 2012
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
View 4 Replies
View Related
Aug 26, 2012
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
5508 controller
7.2.110.0 code
6 buildings
6 interface groups
1 ssid
View 4 Replies
View Related
Sep 1, 2011
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
View 1 Replies
View Related
Oct 11, 2011
I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
View 5 Replies
View Related
May 8, 2012
we have created some administration accounts which should only have the possibility to work on the user database. the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.
View 4 Replies
View Related