Cisco AAA/Identity/Nac :: ACS 5.2 User Authentication With Token And Password?
Jul 19, 2011
I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via Internal Database and another user to auth via Radius Token Server. I cannot find how to do this with 5.2. There is a note in the doc that states 'Identity-related attributes are not available as conditions in a service selection policy'. Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?
View 1 Replies
ADVERTISEMENT
Nov 30, 2011
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
View 2 Replies
View Related
Dec 3, 2012
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies
View Related
Sep 1, 2011
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
View 1 Replies
View Related
Nov 12, 2012
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies
View Related
Sep 26, 2011
We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.
View 1 Replies
View Related
Dec 28, 2011
We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.
View 3 Replies
View Related
Jun 5, 2012
Can use ACS 5.2 as Guest user authentication server?
View 3 Replies
View Related
Apr 12, 2013
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
View 1 Replies
View Related
Jul 18, 2011
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
View 6 Replies
View Related
Aug 18, 2011
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
View 8 Replies
View Related
Dec 17, 2011
While configuring LDAP , I got struck in “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.
View 1 Replies
View Related
Sep 21, 2011
I`ll get straight to the point. I have at work a domain of computers. on one of the computers (I have admin rights) I want to share a folder that can be accessed by other computers that are not in the domain. By default accessing that share requires a user/pass. My question is: can I configure something on the computer (running windows 2008 server) to the shared folder so that other computers that are not from the domain will gain access to without user/pass requirement (like a normal share)?
View 3 Replies
View Related
Jul 18, 2011
I have some queries regarding on the report generation for on Cisco ACS v5.2.
1) Can we schedule to run a customized report on ACS and then email the report to the user?
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
3) Can we configure user authentication logs to be viewed on WCS.
View 6 Replies
View Related
Apr 18, 2011
I have setup ACS 5.2 in my lab and have it completely funcation with Downloadable ACLs, Dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are to many auth attempts. I have gone into AD and set a max login attempts to 3 but if I continue to fail authentication (on purpose) using radius auth, it never locks out my AD account? I am using the Anyconnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connect to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?
switchport mode access ip access-group 10 in authentication event fail action authorize vlan 40 authentication event no-response action authorize vlan 40 authentication host-mode multi-host authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 20 authentication violation protect mab dot1x pae authenticator dot1x timeout quiet-period 5 dot1x timeout tx-period 5 dot1x max-req 3 spanning-tree portfast
View 1 Replies
View Related
Oct 11, 2011
I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
View 5 Replies
View Related
Mar 7, 2012
On the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies
View Related
Aug 25, 2011
I have configured under Administration password policies about password lenght, items to be putted as number, letters and so on.on the second tab is the password expire for users and I configured to expire after 90 days.
I even tried creating a new user and changing a password from an existing user using Apache TOMCAT WAR,I have checked CLOCK of ACS appliance and setted up NTP on our internal NTP servers
even I create a new user or I change the password via Admin GUI or I change the user password via Apache TOMCAT WAR, I have the user being disabled in a few of minutes, half an hour.,As last, with CISCO AnyConnect is possible to warn the user about the password being expireing and if so, the change could be driven via AnyConnect or is absolutely needed a User Hand Task on the Apache TOMCAT portal I setted up with the ACS WAR application?
View 6 Replies
View Related
Sep 21, 2011
Is there a way to configure a webpage where end users would go to change their passwords? I would not like to use the network devices themselves with the "change password at next logon" option.
I believe ACS 4.2 has such solution. Does 5.2 have it too?
View 3 Replies
View Related
Sep 27, 2010
I am looking for a way how to set the password-rules for individually for for some users or identity-groups.I just can find the global settings,Background of the requirement: We want to use password-aging for most admin-users, for some we dont want that pw expires.
View 10 Replies
View Related
Apr 19, 2011
I have problem with Cisco ACS 4.0 "Windows" with core 4500 switch "cat4500-ENTSERVICESK9-M 12.2" the problem shows only on one device "x.x.x.x" the problem is " Authen failed-------badcred------External DB user invalid or bad password" i can see it in failed attempt. on the same side i can see in Passed Authentications for same record "Authen OK", i can login to the mentioned switch using my ACS credentials and not local database credentials
can debug this from ACS if not how can view the authentication records from core switch?
View 8 Replies
View Related
May 30, 2011
Our customer has the business needs to authenticate remote users against AD with empty password. I've seen ACS5.1 release note where mentioned about resolved issue: #CSCte72751 #ACS 5.1 drops authentication with empty password.
I tried to authenticate dial-in users through Tacacs and Radius against AD with empty password but without success. ACS points to wrong AD password. Is it possible to authneticate remote users with empty password?
View 3 Replies
View Related
Mar 28, 2012
My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?
View 1 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Apr 5, 2011
We are changing our old Pix 515e this weekend and for brand new ASA 5510.With this new installation, I would like to implement the Radius authentication for remote vpn user. Changing the firewall of the company has many impact and for the first phase the user will keep authenticating locally but I need that in phase 2, they will be authenticated via a radius server.Is there a way to configure both authentication for remote vpn user?
All user will be authenticated locally except the member of the IT Department who will be authenticated by the radius server for testing.I have remote vpn users around the world so I do not want these users to be blocked by the testing of the radius authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by the radius. When testing will be done, all users will be transfer to the radius authentication gradually.
View 1 Replies
View Related
Jan 16, 2012
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies
View Related
Jul 3, 2011
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
View 6 Replies
View Related
Jun 1, 2011
On our guest wireless, at times when a user shuts down their laptop and powers back up they are not asked to re-authenticate.The only security is a login and password then the user is tunneled to our 440 in our DMZ then out the internet pipe.My question is if the user shuts the laptop off then starts it back up shouldn't they be prompted for the user login and password?
View 2 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Mar 4, 2010
I have a WLC 2106 and 1242AG.it's a hotspot configuration.So in WLC, under controller tab, i have set my ap-manager ip, my management ip, my virtual ip (1.1.1.1) and my hotspot network range ip.I set also a DHCP range for the hotspot network.
In Wlans tab, i set my hotspot wlan, with no layer 2 security and for layer 3, i set none for layer 3 security and i use web policy authentication.I use local authentication and i created under security menu, under AAA tab, 3 local net users.
From pc number 1, i get ip from dhcp, and i have authentication web page, authentication is ok and i can surf on web.From pc number2, when user 1 from pc 1 is connected, i get ip from dhcp but i have not the authentication web page, i have not DNS resolution.when i try https:1.1.1.1/login.html, i have no answer.
And when user 1 is de-authenticated, the user 2 can surf on web.So only one user can surf at the same time. not good for a Hotspot.
View 12 Replies
View Related
Jan 22, 2013
I would like to be able to have a few "guest" users on the Wireless network for visitors. Is there any method to have a prompt for "Username / password"? I would like the user accounts to have different expiry periods if this is possible. My current config is attached. The SSID "test" appears on the network. The SSID "test111" does not appear.
View 1 Replies
View Related
Jun 26, 2011
I have a remote access VPN profile configured on an ASA 5540. This profile is almost identical to the same profiles configured on other ASA 5540. The profile is linked to Active Directory for authentication. For some reason, users are not being prompted for the domain name field when connecting to the firewall, on the other firewalls they get prompted for all three (user/pass/domain).
All the firewalls are running 8.0(4) 32. And the following is the configuration of the firewall that I am experiencing issues with:
ip local pool TESTVPN 10.244.124.1-10.244.127.254 mask 255.255.252.0
group-policy TESTCERT internal
group-policy TESTCERT attributes
banner value **** WARNING ****
banner value You are Now Successfully Connected (code)
View 1 Replies
View Related
Mar 14, 2011
How i can use both LDAP Authentication and local user database to authenticate the remote vpn clinet in asa 5505?
when i try to do the things either only one method is working both are not working at a time.
View 3 Replies
View Related
