Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
ADVERTISEMENT
Dec 21, 2012
I have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine however recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks. DNS client is enabled in the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records. My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly. I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this. I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
View 1 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Feb 22, 2013
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
View 6 Replies
View Related
Feb 28, 2013
I've configure Ldap authentication on ASA 5545 to allow only a certain user group. I mapped the the memberOf group but this seems not to be working as it allows all AD users. [code]
View 1 Replies
View Related
Apr 7, 2011
We have ACS 4.2 and has been integrated with AD. Now, a new user group has been added in AD but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the sgent in ACS and also have restarted the ACS agent in AD. But still we rae not able to fetch the new AD group in ACS in group mapping.any way to fetch the new group in ACS from AD.
View 1 Replies
View Related
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
View 7 Replies
View Related
Sep 12, 2012
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
View 4 Replies
View Related
Jul 31, 2012
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
View 3 Replies
View Related
Mar 14, 2012
are the connections between the ACS and external identity stores encrypted?I know that when setting up LDAP identity store there is the option to specify SSL conection. Are the other connections encrypted by default, or is the data sent between the ACS and AD, for example, sent in the clear?
View 3 Replies
View Related
May 9, 2012
I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search. The error I get is below
22037 Authentication Passed
22023 Proceed to attribute retrieval
24032 Sending request to secondary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
24034 Secondary server failover. Switching to primary server
24031 Sending request to primary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
22059 The advanced option that is configured for process failure is used.
22062 The 'Drop' advanced option is configured in case of a failed authentication request.
Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login.
View 3 Replies
View Related
Sep 27, 2012
I am working on project with Secure ACS 5.2. I am trying to determine the proper External Database to use. LDAP or direct to AD?
Additionally, the Domain that I am connecting to has Multiple sub domains. All of the users are currently in the Sub domains, but will be moving to root domain later. How should I configure the connection, do I need to connec to each sub domain or can I just connect to the root?
View 2 Replies
View Related
Jul 11, 2011
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
View 2 Replies
View Related
Dec 3, 2012
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies
View Related
Sep 25, 2011
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
View 1 Replies
View Related
May 1, 2012
how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.
View 3 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
May 11, 2012
I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .
View 3 Replies
View Related
Feb 12, 2012
I'm trying to authorize managment access for HP ProCurve Manager via ACS RADIUS. But I get the failure: 15015 Could not find ID Store Machine is configured under Network Devices and AAA Clients, the sevice selection rule selects the correct access service, Access Service is Network Access, authorization profiles = permit access.
View 2 Replies
View Related
Jun 4, 2013
Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).
View 5 Replies
View Related
Aug 18, 2010
I'm trying to dynamically assign IP address for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS (note in "acsuserguide51") but Im not exacly sure what can and can't do with it. In "Authorization Profiles" in RADIUS Attributes tab I try to mannually add specific Attribute (Framed-IP-Address).
I have no problem (everything works just fine) with static address assignment in a way as below:
AD is already integrated with ACS and I've managed to download Directory attributes especially msRADIUSFramedIPAddress
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select" which should list all available attributes is empty)
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it
View 5 Replies
View Related
May 2, 2011
how to map my command shells that I created to the access policies under Default Device Admin/Authorization. All I get an option for is Shell Profile but not commands. See attached doc.ACS 4.2 was easy.. I would just create a command set and apply to a group.
View 5 Replies
View Related
May 16, 2011
I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003. I have changed the read access on the Active Directory to allow Annonymous to read it. I think I am missing something on the ASA config. I have the Server Group specified with the address of the correct server but nothing else really configured.
View 1 Replies
View Related
Jun 22, 2011
provide me Step by Step procedure for integrating LDAP with ACS 5.2 .
View 1 Replies
View Related
Sep 13, 2011
is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.
View 0 Replies
View Related
Mar 2, 2011
I have a problem with LDAP authentication. i have an Cisco Asa5510 and windows 2008 R2 server. i create LDAP authentication.
aaa-server LDAPGROUP protocol ldapaaa-server LDAPGROUP (inside) host 10.0.1.30 server-port 389 ldap-base-dn dc=reseaux,dc=local ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local server-type microsoft
but when i test, i have an error (user account work directly in server)
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)ERROR: Authentication Rejected: Unspecified
View 11 Replies
View Related
Oct 23, 2012
know about Domino LDAP ? I would like to integrate this LDAP with Cisco ISE.I try to bind this LDAP but it does not show me anything in "Naming Context". So I cannot choose group to map into ISE.I test this on WLC. It is success to do but cannot make the same thing with Cisco ISE.Is this LDAP supports with Cisco ISE 1.1.1 ?
View 3 Replies
View Related
Jul 31, 2012
I have 2 SSIDs on WLCs.I would like to have 1 SSID point to the acs radius using LDAP store and the 2nd SSID point to the acs radius using the host identity store for mac filtering.both scenarios are working, but not together.if I adjust the rule order I can get one SSID, but then the other fails. [code] It seems to me that there should be a simple process to make this happens. I thought if the rule is not matched it would move on to the next rule etc.I might be able to live with first checking ldap and if that fails move on to the local host db, but that seems ineficient. url...
View 3 Replies
View Related
May 8, 2011
I have an CS-ACS appliance with 5.2.0.0.26.3 version. There is not any direct solution for connect ldap client to server. I have 3 servers that have only ldap and for authentication I can not use radius or Tacacs+. I need a solution for this problem. How can LDAP Client connect to ACS when it has only ldap protocol?
View 1 Replies
View Related
Feb 9, 2012
i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest. The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"
Evaluating Identity Policy
15004 Matched rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24031 Sending request to primary LDAP server
24016 Looking up user in LDAP Server - Alex Dersch
24008 User not found in LDAP Server
22015 Identity sequence continues to the next IDStore
24209 Looking up Host in Internal Hosts IDStore - Alex Dersch
24217 The host is not found in the internal hosts identity store.
22016 Identity sequence completed iterating the IDStores
but the user can access the WLAN just without verifying the user in the AD.
i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.
i configured the Binary Comparisation as below:
I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory.
View 1 Replies
View Related
Jan 24, 2012
Does Cisco Secure ACS 5.3 support LDAP authentication with Apple Mac OS X server? One of our clients require an access control system. The major portion of the network consists of Apple Mac OS X 10.7 (Lion) Server and clients. They were using MAC-address based authentication along with LDAP through Cisco Wireless LAN Controller. But now the number of users has exceeded the maximum number of MAC addresses supported by WLC (2048). Hence we suggested ACS appliance to overcome the limit. My doubt is whether ACS 5.3 appliance can communicate with the Mac server and perform LDAP authentication.
View 2 Replies
View Related
Jan 14, 2010
I've set up a ACS 5.1 Server an want to use it with our LDAP System. Therefor, I'm trying to login to a Cisco 1841 by using my LDAP Account, but it dosent work. The ACS seems not to know that it should use LDAP, because I get,"22056 Subject not found in applicable identity stores"LDAP is configured as Identitiy Store, the bind test works successfully and I created a sequence, where LDAP is at first position. What goes wron?? (TATACS for loal ACS Users works)
View 3 Replies
View Related
Mar 15, 2012
I am setting up an LDAP identity store over ldaps in ACS 5.1. I specify that the connection uses secure authentication and provide the Root CA certificate. When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test?
View 2 Replies
View Related
