Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon LDAP:Externalgroups groupname1 Result Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
I'm trying to authorize managment access for HP ProCurve Manager via ACS RADIUS. But I get the failure: 15015 Could not find ID Store Machine is configured under Network Devices and AAA Clients, the sevice selection rule selects the correct access service, Access Service is Network Access, authorization profiles = permit access.
are the connections between the ACS and external identity stores encrypted?I know that when setting up LDAP identity store there is the option to specify SSL conection. Are the other connections encrypted by default, or is the data sent between the ACS and AD, for example, sent in the clear?
Using Sha1 for Cisco 7925g and sha256 for data. Two separate CA's, one EnTrust (SHA1) the other Local Wondows CA (SHA256); ISE can only use one at a time to process a particular protocol (ie..EAP-TLS, HTTP, etc...) As a result we have to have a separate PSN just for Wireless and Wired VoIP (which can only hold SHA1 RSA1024).
I'm trying to set a VPN connection to a router using group authorization with the ACS 5.2 but cannot make it work. I configured everything based on the procedure used for ACS 4.2. I created a user that corresponds to the group name, used the password cisco and used all the requiered Cisco AV pairs in an authorization profile. (Based on document: [URL]
While testing with ACS 4.2 this works fine, I can see that the ACS returns the group attibutes correctly (here is a debug output)
Apr 9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203Apr 9 16:16:59.256: RADIUS: authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9AApr 9 16:16:59.256: RADIUS: Vendor, Cisco [26] 30 Apr 9
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have a Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from a ACS user group.
We have ACS 4.2 and has been integrated with AD. Now, a new user group has been added in AD but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the sgent in ACS and also have restarted the ACS agent in AD. But still we rae not able to fetch the new AD group in ACS in group mapping.any way to fetch the new group in ACS from AD.
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
I'm sure it can be done just haven't been able to find it. I'm running ACS 4.2 and have 2 network groups, one is wireless where I have a WLC and the other is the default where vpn users authenticate with their tokens. Is there a way to have the Wireless network group authenticate using AD and the other group use RSA? I can't find the switch or switches I need.
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
we are facing a strange problem with a Cisco Small Business SG 200-08 Switch (firmware release 1.0.1.0). When configuring the switch to act as a RADIUS Client with 802.1x port security enabled, it sends the “Account Name” attribute to the radius server with max. 32 characters. The string comes in this format: host/dns Host Name and will be cut after 32 characters which will cause the NPS to say: “The specified domain does not exist.” and NPS is right. When I reduce the hostname so that host/dnsHostName <= 32 characters, authentication is working fine. And by the way, we also have a SG 200-26 in production and it can handle more than 32 characters which lead me to think of a bug in the firmware of the SG 200-08.
I have 2 SSIDs on WLCs.I would like to have 1 SSID point to the acs radius using LDAP store and the 2nd SSID point to the acs radius using the host identity store for mac filtering.both scenarios are working, but not together.if I adjust the rule order I can get one SSID, but then the other fails. [code] It seems to me that there should be a simple process to make this happens. I thought if the rule is not matched it would move on to the next rule etc.I might be able to live with first checking ldap and if that fails move on to the local host db, but that seems ineficient. url...
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
to grant not to show the certificate error adevertise to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly url for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown " The certificate already exists in the data base".How can I import the same certificate (with the same private key) in every PSN in a node group?
I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search. The error I get is below
22037 Authentication Passed 22023 Proceed to attribute retrieval 24032 Sending request to secondary LDAP server 24016 Looking up user in LDAP Server - testuser 24004 User search finished successfully 24027 Groups search ended with an error 24034 Secondary server failover. Switching to primary server 24031 Sending request to primary LDAP server 24016 Looking up user in LDAP Server - testuser 24004 User search finished successfully 24027 Groups search ended with an error 22059 The advanced option that is configured for process failure is used. 22062 The 'Drop' advanced option is configured in case of a failed authentication request.
Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login.
I am using ACS5.1 connected to WLC (v7.x) and frequently see host auth requests in the ACS logs. I am not interested in seeing host auth requests at all. Is there anyway just to ignore these.The issue is that these will always fail. If I enable the lock out facility within WLC and a host continually tries to auth the WLC will lock-out that mac address meaning that when the user is ready to connect with their own credentials they are unable to as the WLC is blocking that mac address from connecting to the wireless network.I tried disabling the 'process host lookup' option, but this apparently only changes the type of request to appear like a standard PAP auth request which again fails, filling up my RADIUS logs and stopping me from enabling the WLC lookout feature.So, as I say, I want to simply ignore host requests. I have no control over the end points so am unable to go and update config etc of these devices.
On ACS 4.2.0.124 version installed on Appliance 1113.We are getting error code as "Internal error" and also "Enabling Tacacs+ is not allowed for this Access Server" while client authentication.
i have configured my ACS 5.3 server to access AD for user authentication but i would as well like to use the internal store for some users.The problem is that when i test with an internal user account, i can see in the logs that it still tries to access the AD for this user and i receive a message in the logs. " 22056 subject not found in the applicable data store".i have already defined the identity sequence to first use the AD, then if user not found, use the internal database.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD - Shutting down the switch port when user is logged engage a new authentication a AD group are well updated. - Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.
This question might actually belong under tacacs server but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1)
I had a problem about authentication use AD group member. Below webiside is the way I config on ACS.
[URL]
I'm using ACS 5.1.0.44 and this version has a bug , ACS cannot read AD group. I have to add it manually . After I change the access policy from Internal user to AD1. I can use anyone AD ID to pass authenticaiton. I finished all config from the website had same result.
I checked the access polices -- default device admin -- authorization , the new rules I created had no hit count. How can I make sure that I make a right config ?
I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
it also gives me the same error if I try and change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMWARE install):
Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.228ADE-OS System Architecture: i386 Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: ACS1 Version information of installed applications--------------------------------------------- Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40Internal Build ID : B.839
I'm suspecting it a read/write issue with the database or a database corruption. I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
ACS1/admin# show application status acs ACS role: PRIMARY Process 'database' runningProcess 'management' runningProcess 'runtime' runningProcess 'view-database' runningProcess 'view-jobmanager' runningProcess 'view-alertmanager' runningProcess 'view-collector' runningProcess 'view-logprocessor' running
Trying to use the "File Operations" option to import hosts into ACS. I go through the wizard and click "Finish", the pop up goes blank and just hangs there. No errors are generated.
