Cisco AAA/Identity/Nac :: ACS 5.3 - Radius Attributes And Device Administration / Shell
Sep 18, 2012
Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following Attribute:Attribute = F5-LTM-User-RoleType = Unsigned Integer 32Value = 300.
My question is:How can I define the same as above using 'Device Administration/Shell Profiles' ?
There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under Custom Attributes tab there is only space for 2 fields and not 3 fields).
View 3 Replies
ADVERTISEMENT
Jul 20, 2010
I'm trying to configure ACS 5.1 as radius server for a catalyst switch but i can't make it work.I keep on getting the "11033 Selected Service type is not Network Access" error message.
Tacacs works fine but radius does not. Any sample device administration config to use with RADIUS?it seem the service type does not work with radius in this scenario ( radius + device admin).
View 10 Replies
View Related
Mar 17, 2012
I want to add Radius attribute to Rad ware devices , so I will have the option to grant "read only" permission to users. as I understand I need to add VSA for the "read only" permission, or configure specific "Service-Type value 255"
in the following picture you can see the required information from Rad ware:
View 1 Replies
View Related
May 16, 2012
I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS? The google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files. These are the values that I need added for OPNET. When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA): Vendor Code: 7119 VSA: 33.
View 2 Replies
View Related
Jul 5, 2012
I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
View 2 Replies
View Related
Mar 28, 2011
I am doing MAB (MAC authentication bypass) for IP phones and printers.
But these devices are authenticated with different identity stores (IP phones with AD, printer local host on ACS)
Is there any specific AV Radius attributes that i can use in the compound conditions selections which is specific for the IP Phones?
so when doing the Authentication, i could seperate each type (IP phones or Printers) with the appropriate database.
View 1 Replies
View Related
Aug 18, 2010
I'm trying to dynamically assign IP address for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS (note in "acsuserguide51") but Im not exacly sure what can and can't do with it. In "Authorization Profiles" in RADIUS Attributes tab I try to mannually add specific Attribute (Framed-IP-Address).
I have no problem (everything works just fine) with static address assignment in a way as below:
AD is already integrated with ACS and I've managed to download Directory attributes especially msRADIUSFramedIPAddress
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select" which should list all available attributes is empty)
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it
View 5 Replies
View Related
Jun 1, 2011
I am setting up Radius AAA for cat6K switch.For authentication its work and user can login to switch. But for the privilege level assignment, it does not work. After loging in, I always get privilege 1. I need your guide on how to configure on ACS 5.1, RADIUS Attribute.I follow the document to configure the cisco-av-pair for assign Privilege 15 and Privilege 5 , but it does not work.This attribute format was shown in document is to set Privilege 15, "shell:privlvl=15" it is correct way of configure it on ACS 5.1
View 5 Replies
View Related
Jan 9, 2012
I'm trying to find out the options for authenticating remote users via IMEI and MISDN values via ACS 5.3/I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way have ACS 5.3 to provide a DHCP server address for the connection ?
View 6 Replies
View Related
Apr 19, 2011
I've been working on trying to get RADUIS authentication working for devices connecting to our corporate mobile APN. Out APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2 but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value match with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?
View 1 Replies
View Related
Apr 19, 2011
I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.
I am not sure if Cisco ACS 5.2 support RADIUS protocol to do device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication and I have configured it and it works. If CISCO ACS 5.2 supports RADIUS auth for device authentication?
View 1 Replies
View Related
Jun 21, 2006
We have a 1231 AP and a Freeradius Server.Now we are using MAc authentication.The thing is that the AP sends two parameters to the RADIUS:
User-Name = "000ff855df2e"
User-Password = "000ff855df2e"
both are the MAC of the wireless client.I want that the AP send:
User-Name = "00-0f-f8-55-df-2e"
User-Password = "mykey"
Note that the MAC is dash separated and the password is forced to the key that I want.
View 2 Replies
View Related
Dec 3, 2012
There is an ASR1006 Router in the network that serves as an Intelligent Service Gateway (ISG). Subscribers are layer 2 connected and subscriber sessions are initiated on a DHCP request. ISG is configured as a DHCP relay agent. Wi-Fi clients connect to the WLAN using Open SSID and are being redirected to a Web Portal where they enter their login info. This info is sent to RADIUS server which checks if the user is allowed to use Internet service. All the APs are connected o WLC using CAPWAP. The question is the following: there is a requirement to track from which AP a particular Wi-Fi clients is connected. In this case ISG needs somehow to obtain AP’s mac address and send it to the Radius server (probably using attribute 30 – Called-station-id). One possible way for ISG to obtain AP’s mac is via WLC. But the thing is that when WLC is configured as DHCP proxy and Option 82 is set, a wireless client does not obtain IP address via DHCP. In this particular case there two DHCP relay/proxy in the network path between client and DHCP server. Is there any other away for ISG to obtain AP’s mac address?
View 8 Replies
View Related
Mar 23, 2013
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
View 3 Replies
View Related
Nov 25, 2011
I am trying to solve this problem without success so far. I have fresh ACS 4.2.15 patch 5 ACS installation and I am tryng to deploy it to our environment. So I have configured one 2960S to be my test client and everything works fine. Problem is when I try to create fine grained policies using network device groups and shell authorization sets.
I have created shell authorization sets called ReadOnly and FullAccess. I have also created NDG called FloorSwitches and added my 2960. I have 2 user groups called FloorSwitchesReadOnly and FloorSwithcesFullAccess. Now, if I configure group FloorSwitchesFullAccess and assign Shell command authorization set per NDG and then log into the switch, all of my commands are refused as unauthorized.
One thing that I have noticed is that if I assign shell command authorization set to any device ( in user group settings ) it works fine. Or if I create association with DEFAULT NDG in user group it also works. So my conclusion is that ACS for some reason does not associate my switch with correct group but rather puts it to DEFAULT group for some reason.
View 2 Replies
View Related
May 30, 2012
Currently i deploy a ACS 5.3 at customer site. The issue i face currently is some command sets not able to deny. Example like below:
i want to deny the AD user with priviledge level 15 to change the enable secret password and delete the enable secret password.
the command i issue at below: Code...
View 1 Replies
View Related
Oct 18, 2011
How to link the command set to a shell profile in acs 5.2.
View 1 Replies
View Related
May 31, 2012
I am in the process of setting up ACS 5.2 for a network and have run into an issue when attempting to apply the following aaa commands to a network device:
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
Once the commands have been applied to the device configuration I get "command authorization failed" when attempting to do anything. Taking a quick look at the TACACS Authorization reports I see a failure reason of "13025 Command failed to match a Permit rule" and under the Selected Command Set "Deny All Commands" is listed. After doing a bit of searching, I noticed some articles online that indicate I should be able to specify the appropriate command set to the authorization profile under the Default Device Admin policy. However, when I open up a Device Administration Authorization Policy, nowhere in the window does it display command sets that I can select from.
View 4 Replies
View Related
Jul 17, 2011
I have just reimaged one of my ACS appliances as it was completely corrupted.Now I have done this I have connected it to the network via DHCP so I can patch it from v4.2 to the latest version.The machines is now on the same VLAN as my workstation. When I try to login I get the message
"This machine cannot be used for administration"
The box is a vanilla install with only the passwords set on the machine - my workstation has its local firewall turned off and is not using a proxy server. as I can't log into the gui I can't change any settings there?
View 5 Replies
View Related
Dec 19, 2011
I want to use LDAP accounts to administrate switches.It works fine when I use telnet. I just need to push RADIUS attribute Login-Service (ID 15) with Telnet value (ID 0) Now, I want to use SSH (for security reasons )RADIUS have to push RADIUS attribute Login-Service (ID 15) with SSH value (ID 50)(For example with Steel-belt RADIUS [URL] SSH value doesn't exist in RADIUS IETF dictionary for Login-Service attribute.I can't create SSH value because this dictionary is protected...
View 2 Replies
View Related
Sep 22, 2012
I'm trying to configure a shell commnds set such that all commands (including under conf t mode) will be allowed, except for administrative commands, such as write, copy, admin, format etc.It's been working for (most) priviliged mode commands (such as write and copy) but has been unsuccessful for any command under conf t mode. It's important in order to prevent the users from performing 'do write' and 'do copy run start' commands, for example.Here's the input of the shell command authorization set (Partial_access):
Unmatched Commands: permit
Command list:
admin
copy
delete
do
[code]....
View 2 Replies
View Related
Jul 27, 2011
This question might actually belong under tacacs server but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1)
View 1 Replies
View Related
Nov 30, 2011
I'm having problems settting up a Guest NAC server to authenticate administrative users against a ACS 5.x server. In the ACS RADIUS Authentication log, I can see the user authentication is successful.In the AAA Diagnostics log, I can see the following warning:An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.
View 2 Replies
View Related
Jan 17, 2012
I have two Nexus 5520 running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The NEXUS console reports this error. (amongst many others)
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
View 3 Replies
View Related
Oct 9, 2012
We have found the following issue configuring radius attributes for network access with packeteer appliances.with PAcketeer-AVPair attribute , value --> access=touch Login fails and we see this
PacketShaper# radius login user password
"user" RADIUS Authentication Fail
Vendor-Specific: ccess=touch <--- value is bad
PAcketeer is not receiving vendor-specific value correctly, As workaround , we put other character before value -- xacces=touch
PacketShaper# radius login user password
"user" RADIUS Authentication OK
Vendor-Specific: access=touch
View 5 Replies
View Related
May 13, 2012
I have been tasked with migrating from ACS 4 to ACS 5.3. I havent had any training and so i am finding it a bit different. Currently i have this issue -
I have a group in the ACS 4 for users accessing via wireless on the ACS - Code...
View 4 Replies
View Related
Nov 27, 2011
is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V Pair in the authorisation profile in ACS 5.2/5.3 ?Background: We have to migrate a ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
Number
#Name
#Description
#Type of Value
#Inbound/Outbound
[code]....
to specify multiple routes to various networks in the RADIUS reply spcific for every single PPP username of routers dialing in.Using the internal user database, extended by a string attribute and using that attribute as source of a dynamic value in the access-policy works basically. But as I have only ONE single line instance of the attribute for every user, I can only return ONE framed-route.We have lots of cases where multiple routes have to be assigned to one router.I 'd like to avoid defining a seperate access profile for every remote RAS router for external PPP Dial-In...[URL]
View 1 Replies
View Related
Oct 2, 2012
So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.
View 3 Replies
View Related
Aug 9, 2011
I am trying add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
ervice = netscreen {
vsys = root
privilege = read-write
} I know how to add this to a version v4.x ACS
However, I do not know how to apply this to the custom attribiutes to a v5.x ACS?do I add the vsys and privilege attribute seperately or together? What should be the attribute name? netscreen? Should it be mandatory?
View 4 Replies
View Related
Jul 21, 2012
We have ASA 5520 acting as the VPN Server and Cisco 1941 router as EZVPN client. Since last few days client is not able to establish vpn connection. 1941 router is continuously generating the below log messages
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50)
001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User=vpn_user Group=VPNGROUP Client_public_addr=<client public ip> Server_public_addr=<server public ip>
004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16
View 3 Replies
View Related
Apr 14, 2011
I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies
View Related
Oct 30, 2011
I am currently useing ACS 5.2 and have no problem using Tacacs+ with AD access.
But with Radius it seems I can only get the Local identity store to work, need to do something special to get Radius to work with active directory with Cisco ACS?
View 10 Replies
View Related
Nov 22, 2011
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
View 0 Replies
View Related
