Cisco AAA/Identity/Nac :: ACS 5.3 Local User Authentication
Nov 12, 2012
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies
ADVERTISEMENT
Mar 14, 2011
How i can use both LDAP Authentication and local user database to authenticate the remote vpn clinet in asa 5505?
when i try to do the things either only one method is working both are not working at a time.
View 3 Replies
View Related
Sep 1, 2011
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
View 1 Replies
View Related
Sep 13, 2011
is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.
View 0 Replies
View Related
Jan 6, 2012
I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs. Now my customer wants ACS migration by creating new Group in AD, I also update ACS config. For the user from the old group, authentication is ok.For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
Seems like ACS is querying from old records (own cache or database). Already restared the ACS but still the same error.
Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.How can we check or make sure it?
View 3 Replies
View Related
Jun 7, 2011
how I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
View 1 Replies
View Related
Feb 9, 2010
I know the way to configure the ASA to fallback to LOCAL authentication, if the Radius server is not available.
Now we would like to authenticate the local users, if the user is not found in the AD. Is this possible and how can I configure this with the new policies? I tested it with "dropping" when the user is not found in the AD, but then the Radius server will be marked as "dead" and the other AD users can't login for a given period. Maybe we can configure the dead time to 0, but this is not as nice it could be.
View 4 Replies
View Related
Sep 26, 2011
We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.
View 1 Replies
View Related
Dec 28, 2011
We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.
View 3 Replies
View Related
Jun 5, 2012
Can use ACS 5.2 as Guest user authentication server?
View 3 Replies
View Related
Apr 12, 2013
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
View 1 Replies
View Related
Jul 18, 2011
For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.
View 6 Replies
View Related
Aug 18, 2011
how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2? My TACACs connection works, and my user authentication is successful, but i can only get read-only rights. I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?
View 8 Replies
View Related
Jul 19, 2011
I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via Internal Database and another user to auth via Radius Token Server. I cannot find how to do this with 5.2. There is a note in the doc that states 'Identity-related attributes are not available as conditions in a service selection policy'. Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?
View 1 Replies
View Related
Dec 17, 2011
While configuring LDAP , I got struck in “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.
View 1 Replies
View Related
Jul 18, 2011
I have some queries regarding on the report generation for on Cisco ACS v5.2.
1) Can we schedule to run a customized report on ACS and then email the report to the user?
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
3) Can we configure user authentication logs to be viewed on WCS.
View 6 Replies
View Related
Apr 18, 2011
I have setup ACS 5.2 in my lab and have it completely funcation with Downloadable ACLs, Dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are to many auth attempts. I have gone into AD and set a max login attempts to 3 but if I continue to fail authentication (on purpose) using radius auth, it never locks out my AD account? I am using the Anyconnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connect to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?
switchport mode access ip access-group 10 in authentication event fail action authorize vlan 40 authentication event no-response action authorize vlan 40 authentication host-mode multi-host authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 20 authentication violation protect mab dot1x pae authenticator dot1x timeout quiet-period 5 dot1x timeout tx-period 5 dot1x max-req 3 spanning-tree portfast
View 1 Replies
View Related
May 15, 2012
i am running NX-OS image n5000-uk9.5.1.3.N1.1.bin on the nexus 5020 platform.i have configured authorization with tacacs+ on ACS server version 5.2 with fall back to switch local database.a user test with priv 15 is craeted on ACS server, password test2 everything works fine, until i create the same username on the local database with privilege 0. ( it doesnt matter if the user in local database was created before user in ACS or after ) e.g.: username test password test1 role priv-0 (note passwords are different for users in both databases)
after i create the same user in local database with privilege 0,if i try to connect to the switch with this username test and password defined on ACS, i get only privilege 0 authorization, regardless, that ACS server is up and it should be primary way to authenticate and authorizate the user.
View 3 Replies
View Related
Apr 28, 2011
I am trying to configure an ASA 5505 running 8.3 to allow a priv 15 local user to be able to ssh into the device and be placed into priv 15 mode without having to execute the enable command and type the enable password.Right now when you log in as a priv 15 user you still have to execute the enable command and type the enable password to get to priv 15.
View 3 Replies
View Related
Oct 3, 2012
I'm a bit new to Cisco and i find this AAA a bit confusing..I've turend on AAA by:aaa new-model
Can I use this "default" list for WebVPN ? And what would be a different if i create new "sslvpn" list..Also when I'll be creating user for VPN remote access.. that user will also exist in local database and have access to router via SSH?Because the research I've done it doesn't seem you can group users in different "aaa groups" e.g. user admin belongs under "admin" aaa group which can do ssh to router, users for VPN can only do remote VPN access and not SSH and login into router.i saw ASA has some attribute for users called remote-user
•admin, in which users are allowed access to the configuration mode. This option also allows a user to connect via remote access.
•nas-prompt, in which users are allowed access to the EXEC mode.
•remote-access, in which users are allowed access to the network.
But i can't find this option in IOS on my 1900 Series ISR router.
View 1 Replies
View Related
Jun 6, 2011
I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authroization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.
View 6 Replies
View Related
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
View 1 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Apr 5, 2011
We are changing our old Pix 515e this weekend and for brand new ASA 5510.With this new installation, I would like to implement the Radius authentication for remote vpn user. Changing the firewall of the company has many impact and for the first phase the user will keep authenticating locally but I need that in phase 2, they will be authenticated via a radius server.Is there a way to configure both authentication for remote vpn user?
All user will be authenticated locally except the member of the IT Department who will be authenticated by the radius server for testing.I have remote vpn users around the world so I do not want these users to be blocked by the testing of the radius authentication. What I want is that users in group1 will be authenticated locally on the ASA and users in group2 will be authenticated by the radius. When testing will be done, all users will be transfer to the radius authentication gradually.
View 1 Replies
View Related
Jan 16, 2012
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies
View Related
Jul 3, 2011
I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
View 6 Replies
View Related
Nov 14, 2012
I want to limit a local user's access to some specific groups of devices. In Role Management Setup I can define which service they can access, but I want to restrict it to a specific device as well.
View 3 Replies
View Related
Jun 1, 2011
On our guest wireless, at times when a user shuts down their laptop and powers back up they are not asked to re-authenticate.The only security is a login and password then the user is tunneled to our 440 in our DMZ then out the internet pipe.My question is if the user shuts the laptop off then starts it back up shouldn't they be prompted for the user login and password?
View 2 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Mar 4, 2010
I have a WLC 2106 and 1242AG.it's a hotspot configuration.So in WLC, under controller tab, i have set my ap-manager ip, my management ip, my virtual ip (1.1.1.1) and my hotspot network range ip.I set also a DHCP range for the hotspot network.
In Wlans tab, i set my hotspot wlan, with no layer 2 security and for layer 3, i set none for layer 3 security and i use web policy authentication.I use local authentication and i created under security menu, under AAA tab, 3 local net users.
From pc number 1, i get ip from dhcp, and i have authentication web page, authentication is ok and i can surf on web.From pc number2, when user 1 from pc 1 is connected, i get ip from dhcp but i have not the authentication web page, i have not DNS resolution.when i try https:1.1.1.1/login.html, i have no answer.
And when user 1 is de-authenticated, the user 2 can surf on web.So only one user can surf at the same time. not good for a Hotspot.
View 12 Replies
View Related
Mar 14, 2012
A quick query regarding setting up a local user on a Cisco 2811. I have setup a few users as they need to have remote VPN access into our edge router, this works fine and I'm happy with it. The only thing is that when they come into the office they now have logins to get onto the router, they do not have the enable secret so they can't exactly do a lot (plus I've created them with privilege 0 which cuts a few extra CLI options) but I'd rather not allow them access at all if possible.If they weren't on DHCP then I could setup an access-list but this isn't really an option, I could also set me up statically and deny everyone else, but yet again I'd rather not.Is there anyway to restrict telnet/ssh access based on user alone? So when they put in their login it just boots them out. I could setup something like RADIUS (and therefore remove the local users completely) but I think it will be a bit over kill for the sake of a couple of users.
View 1 Replies
View Related
Sep 11, 2012
We are wanting to use local database users to authenticate our SSH connections to our 6500 cores.
We have added the usernames and password into the 6500 using
username anameduser password astrongpassword or username anameduser secret astrongpassword
We where expecting the commands to be the same as other iOS devices example C3750 we would add.
Line vty 0 4 login local
And this would allow us to use the local user database to authenticate our ssh sessions.
The login local commands are not availbe on the 6500s and we have not found any documentation on how to impliment a local database for this purpose except in a CatOS 6500.
View 1 Replies
View Related
Jan 22, 2013
I would like to be able to have a few "guest" users on the Wireless network for visitors. Is there any method to have a prompt for "Username / password"? I would like the user accounts to have different expiry periods if this is possible. My current config is attached. The SSID "test" appears on the network. The SSID "test111" does not appear.
View 1 Replies
View Related
