Cisco AAA/Identity/Nac :: ACS 5.3 / Authenticating Device Admin Users Against AD Specific Groups

Jan 28, 2013

I am using ACS 5.3. What I am about is setting user authentication against the existence of the user in a specific AD group, not just being a member in any AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.
 
How can I bind the authentication against a specific group in AD, not just using AD1 as the identity source?

View 1 Replies



Cisco AAA/Identity/Nac :: ASA5510 / VPN Client And Clientless Users Not Authenticating With AD?

Oct 16, 2012

Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510.  Users authenticate in AD.  I am not sure if the problem is on the server or the ASA.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - How To Only Allow Specific AD Groups To Login

Nov 4, 2012

I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own command sets.
 
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
 
My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
 
All the logins hit the Admin account, even though the ID in AD is not in that AD group. I have something screwed up.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Setup ACS 5.2 With An ASA V8.3.2 To Lock Users Into VPN Groups?

Jan 18, 2011

I'm trying to set up ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a user's AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...
 
1) Network Devices and AAA Clients -> Define VPN

2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
  
Policy Elements:
 
Q1) Policy Elements - Do I need an authorization profile for each group?

Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
 
RADIUS-IETF attribute 25?
RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?
Other?
 
Access Policies:
 
Q1) Do I need to enable and use group mapping?

Q2) Do I need a Network Access Authorization Policy for each group?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Admin Users Authentication Against AD

Apr 23, 2012

Do you know if it's possible to use ACS 5.x in such a manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against an external database, like Active Directory?

View 2 Replies View Related

AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?

Jan 14, 2013

I have multiple campuses and a Central Admin. I've created groups for all, except I need a few devices within Central to be available to the Campus Admins (i.e., a Cisco WCS system). How do I allow a device to be put into multiple NDG groups?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Authenticate Only Specific AD Users

Jul 22, 2012

Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently what I have configured is only for all AD users. I can't seem to find a way to be selective.

View 9 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.3 Authenticate Wireless Users / Admin Access To WLC / Switches

Mar 13, 2013

Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users, admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 still running and authenticating users. There are two Cisco WLCs version 7.2.111.3. Wireless users authenticating to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication using PEAP-MSCHAPv2 and admin access with PAP/ASCII.

Wireless users cannot authenticate to AD through ISE. The below is the error message "11051 RADIUS packet contains invalid state attribute" & "24444 Active Directory operation has failed because of an unspecified error in the ISE". Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]

Update:

1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but a different domain controller. This domain controller is running Windows Server 2008. This works and authentication is successful.

2) My colleague tested out in a lab environment of Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: 1113 - Multiple Network Device Groups Using One Windows Remote Agent?

May 4, 2011

I'm working with a 1113 ACS device running the 4.2.0.124 software. I'm trying to get multiple network device groups to use an existing Remote Agent set up for authentication against our Windows domain. For instance, we want our infrastructure switches to authenticate against the local Active Directory and our WLC to authenticate users against the same Active Directory. When I try to set both network device groups to use the same remote agent, it fails and reports either the host name is already in use or the IP address overlaps with an existing remote agent.
 
The question is:
 
Can I have multiple network device groups use the same remote agent?   Or do I have to install the remote agent software on separate Windows servers in order to have different types of devices authenticate against the Windows AD? 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?

Dec 1, 2011

My admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- is the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15). But still not the right privilege (Privilege Level: 1).

Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Using AD To Manage Network Device Admin Policy Creation

May 22, 2012

We managed to integrate our newly set up ACS 5.2 with our regional domain. Now I'm creating a Device Admin access policy for the Regional Network Admin group and the Regional Network Operators group, each having full and read access respectively.

I already have the default identity policy and authorization policy with command sets fullaccess and showonly for each group. Now I don't know how I can match the AD groups regionaladm and regionalops so that each user who falls under one of these groups will have the correct read/write access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Using Active Directory To Manage Network Device Admin

Jun 14, 2012

We've configured an ACS 5.1 and integrated it with Active Directory Win2K3. We created two groups in the AD for managing network devices, one for Administrators and the other for operators (read-only), so we configured a device admin policy and both groups work fine. But now we are facing a little problem: any user who exists in the AD can log in (user exec mode) to the network devices, and we want to restrict the login with the policy, but we just don't know how. Is there a way to get a user authenticated against an external group or internal ACS but at user level, just like you can do in ACS 4.X?

View 8 Replies View Related

Cisco :: Authenticating LMS 4.x Users Via TACACS+ On ACS 5.3.0

Jul 12, 2012

How to configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x set up and authenticating to Active Directory. Have changed the LMS 4.x Authentication Module to TACACS+. Have gotten past the user / password problem by configuring a local user in LMS 4.x. Now, am hitting the Default rule in ACS and Shell Profile is deny access.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 11213 NAC Clients Via ISE Authenticating

Apr 17, 2012

So if I do a static IP address it works fine, but if I turn off static, the machine authenticates fine, but is not assigned to the access VLAN, and it does not get an IP address. Now when I use static I notice in the ISE live authentication logs, 11213 No response received from Network Access Device, for the switch even though it's configured correctly.

View 5 Replies View Related

AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed

May 5, 2011

I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
 
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple of years.
 
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
 
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
 
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin

View 2 Replies View Related

Cisco AAA/Identity/Nac :: MC75 Motorola Handheld Not Authenticating With ACS

Jun 6, 2011

I have deployed a Cisco wireless environment at one of our sites. The problem is that we are rolling out new Motorola handhelds (MC75) that are not authenticating with the ACS. I have copied the same config as it was with the existing wireless that was installed. Funny thing is we have another set of Motorola handhelds (MC70); all use the same certificates and can authenticate without any issues. When I look at the ACS for logs I get the following error: EAP-TLS or PEAP authentication failed during SSL handshake.

View 6 Replies View Related

Sharing :: Changing Locations To Select Users Or Groups?

Jan 27, 2012

I have three computers in a Workgroup and I can transfer files through all the computers properly. However, I can't set up permissions for who can access these files. The three computers are Windows 7 64bit desktop, Windows 7 64bit laptop, Windows XP Professional 32bit desktop.

What I tried so far...
Right-click on folder I wanted to share
Click on Sharing Tab
Click on Advanced Sharing>Permissions>Add...>Locations

I only see the name of the local computer; I don't see the two other computers on the network. The window looks similar to this. How can I find the other computers in my network in the locations window?

View 10 Replies View Related

Cisco AAA/Identity/Nac :: Can't Add AD Groups In ACS 5.2

Jul 21, 2011

I've run into an annoying issue with my ACS 5.2 install. I can no longer add directory groups in the AD settings, the ACS comes back with "The item you  are trying to delete is referenced by other items.You must remove all references to this item before it can be deleted." but I am not deleting any group, just adding.
 
Could probably be cleared with removing the AD setup completely, which for obvious reasons is not something I want to do.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Add A User Into Several Groups?

Apr 5, 2011

We are running two ACS appliances but we cannot figure out how we can add a user into 2 different groups. Here's the context:

We have a company A which has devices; this company uses Group A.
Then we have a company B which has devices; this company uses Group B.
But the admin has to manage the devices for both companies A & B.
We don't want to mix devices from company A with company B.

Is there a way to add the user into both groups A & B?

View 5 Replies View Related

Cisco Firewall :: 5520 - URL Blocking To Be Applied To Specific Users

Feb 10, 2010

I have an ASA 5520 firewall. I want to block Yahoo Mail and Gmail using regex for particular users only.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Will Not Enumerate 2003 AD Groups?

Aug 4, 2011

I have seen similar references to this issue, but no concrete solutions. My new ACS appears to join my domain with little or no issues; however, when I go to list the groups nothing is ever listed.

Running ACS as a VM.
I have set the NTP server on the ACS server to match my domain.
I can ping all domain controllers/DNS servers.
nslookup resolves hostnames of my domain controllers.
 
***Update***
 
I verified that a computer account for my ACS is in fact being created, however, I am receiving some Kerberos errors on my DC with the FSMO roles:
 
Event Type:          Error
Event Source:          KDC
Event Category:          None
Event ID:          26
Date:                    8/5/2011
Time:                    3:07:46 PM
User:                    N/A
Computer: <MY DC>

Description:
While processing an AS request for target service krbtgt, the account <ACS SERVER> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 17. The accounts available etypes were 23  -133  -128  3  1.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Directory Groups 2008 R1

Jun 13, 2011

I have an ACS 5.1 and am trying to integrate with Windows 2008 R1. The ACS has a valid AD account and indicates that it's connected, but when I try to list any directory groups my Windows IE browser hangs?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
 
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I actually require authentication for users who are coming from the PublicVLAN (the VLAN associated with the wireless hotspot) to authenticate themselves to the LDAP server via my firewall ASA 5510.

View 12 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Sync With Windows 2008 AD But Cannot See Groups

Jan 2, 2011

Recently I've been working with the ACS 5.2 (installed on VMware). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I changed the AD platform to Win Server 2008 Enterprise edition (x64). I don't really have great experience with Win Server platforms and, from what I've seen, the Win Server 2003 services deployment is easier than the Win Server 2008 one is.
 
So, when I used the Win Server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD, the ACS and the server get synchronized, but when I want to add the groups for authentication purposes there is not one, absolutely nothing... so I cannot do any test. Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and in the end the platforms are compatible.

View 13 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Custom Attributes And Wireless Groups?

May 13, 2012

I have been tasked with migrating from ACS 4 to ACS 5.3. I haven't had any training and so I am finding it a bit different. Currently I have this issue -
 
I have a group in  the ACS 4 for users accessing via wireless on the ACS - Code...

View 4 Replies View Related

Cisco AAA/Identity/Nac :: New Version Of ACS 5.2 Allow User To Belong To Several Groups Of AD?

Jul 7, 2011

We have ACS Engine 4.1 and want to upgrade it to 5.x.
 
Does the new version of ACS 5.2 allow a user to belong to several groups of AD?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Setup RA VPN On ASA 8.4 With 2 Groups - VPNGp1 And VPNGp2?

Aug 21, 2011

I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and  VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access  5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.
 
On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.
 
On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.
 
I am not sure if some more configuration needs to be done on ASA and  ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA,  under each corresponding group policy, using vpn-group-policy command?  Or I need to do something else on ACS?
 
Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Can Latest Version Of ACS 4.0 Support Nested AD Groups

Dec 20, 2012

We are running ACS 4.0, so understandably we are looking at upgrading to a Cisco supportable version of ACS. The limitation of our current version of ACS does not support nested AD groups. The latest version of ACS (I think it is 5.4) will?

View 1 Replies View Related

Cisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users

Feb 6, 2012

We have a Cisco Cat4503 series L3 switch and Cisco L2 2560 series switches. Some of the users want to have dynamic VLAN membership, connecting to the network as mobile users.
 
Is it possible to create a dynamic VLAN for a specific group of users?

View 6 Replies View Related

Cisco :: LMS 4.1 No User Defined Groups Shown In Fault Notification Groups?

Dec 12, 2011

I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
   
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Can't Ssh Into ACS 5.2 By Using The Admin Account

Jun 5, 2011

We created the admin account during the setup and were able to log into the Web GUI, but we can't use this admin to access the CLI by using ssh; it always says permission denied.

View 3 Replies View Related






