Cisco AAA/Identity/Nac :: ASA 5510 - Allow Only Authenticated Users To Enter Internet
Jan 3, 2012I have an ASA 5510 with IOS 8.4. I want that only authenticated active directory users can pass the firewall.
View 3 Replies
ADVERTISEMENT
Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP
Sep 1, 2011I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.
Cisco AAA/Identity/Nac :: 5510 / Failed To Privilege Mode When Authenticated By Radius Server
Aug 26, 2007I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.
View 3 Replies View RelatedCisco :: SNMP Web Authenticated Users Wlc 5508?
Apr 4, 2013I am using web authentication with my Wlc 5508 and I would like to check all users currently connected (ip, login used, MAC address, ...) with SNMP.
I am using an external web server and my client are authenticated with ldap.
I know I can receive these information with traps, but I would like to create a short program which will check all users when I click on a button.
Cisco :: WLC5508 Limit Number Of Users Authenticated With One Login
Feb 28, 2012Is it possible to configure WLC so that only one user can connect to wireless network at a time with one login? We have WLC5508 (7.2.103.0) web authentication with LDAP (Active Directory).
View 2 Replies View RelatedCisco AAA/Identity/Nac :: Using Active Directory Users To Manage ASA 5510?
Dec 28, 2012I know that our VPN users currently use Active Directory to authenticate their VPN sessions, so now I'm wondering if there is an easy way to configure my company's Cisco ASA 5510 to use either a Windows Server 2008 R2 Active Directory group (preferred method) or specific Active Directory users (less preferred) and authenticate them for management access (privilege level 15) using their Active Directory credentials. I do not want this to change the IP range used for ASDM/HTTPS/Telnet/SSH access (currently all local networks, no VPN), as those are settings that my company does not want changed.
View 5 Replies View RelatedCisco Switching/Routing :: Unable To Enter New Users In Nexus 5K
May 1, 2013Interestingly enough I've seen about 3-4 posts with the exact same problem and yet not a single one is ever answered.. The task is simple:
"username USER password 5 SOMEPASS role network-admin"
It consistently outputs: "String failed to match token pattern at '^' marker." - always the carat is at the first character in whatever password I input. I've ensured passwords I input meet the conditions of "password strength-check" and I have also disabled this feature and repeated with numerous passwords to no effect.
Cisco AAA/Identity/Nac :: ACS 1120 - How Many Devices (MAB) Can Be Authenticated
Jan 23, 2012I´m currently looking for a document that specify how many MAC addresses can be stored and authenticated via an ACS (1120)? I prefer to use the internal identity store over AD or LDAP for MAB authentication for 802.1X project. I would like to know what is the impact on the ACS? CPU/MEM? What is the impact on the user authentication? delay, timeout, etc.
View 7 Replies View RelatedCisco AAA/Identity/Nac :: ACS 4.0 Not Getting Authenticated With 2008 AD Server
Nov 8, 2011I have a cisco ACS 4.0 build 27 on windows 2003 server . My site was working fine when i was having a AD on 2003 server . Recently i have migrated my AD servers is 2008 .
After the migration the ACS is not authenticating the users . Now i have made a server with 2003 and made the site working . I need a solution to make it work using 2008 server is there any compatiblity issue between ACS 4.0 and 2008 server .
Cisco AAA/Identity/Nac :: WS-C4510R+E - Wired 802.1X With ISE / Some Computers Cannot Be Authenticated
Aug 28, 2012We have a customer which is using ISE with 802.1X in order to authenticate computers. All the computers have their own certificate and most of them can be authenticated fine! The issue is that some computers cannot be authenticated.The port configuration the authenticator (Cisco WS-C4510R+E IOS 151-1) are configured exactly the same: [code]
But for some reason some PC cannot be authenticated. A wireshark capture on the computer not working shows that the computer receives a EAP Request Identity and also send a Response Identity to the switch but then nothing happens more: So the process is stucked in the EAP-Response/identity. I attach a debug capture on the switch for one of the computer which cannot be authenticated.
Cisco AAA/Identity/Nac :: ACS 5.3 Assign Static IP Address Depending On Authenticated User
Feb 12, 2012Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies View RelatedAAA/Identity/Nac :: ASA5510 - WEBVPN User Authenticated Through LDAP Failure?
Feb 28, 2013I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
Cisco AAA/Identity/Nac :: 2960 - Remote Desktop To Machine 802.1x Authenticated By User (Wired
Jan 22, 2012802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
Debug radius authentication
Debug aaa authentication
Does not appear in the log only message port is down
Equipment;
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
Client:windows xp, windows 7
Cisco 2960 Port Config
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop
Cisco Firewall :: ASA 5510 / Can LDAP-authenticated Remote User Be Assigned A Connection
Jun 30, 2011ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: To Auto Enter Priv Exec Mode Upon Login On ASR1002
Jul 5, 2011how to straight away enter priv EXEC mode when authenticated for asr1002?? Using XR12000, it can be done but asr1002 have to input enable passwd...my username for asr1002 have privilege 15 and i want to enter priv EXEC mode straight away after login without asking the enable passwd.
View 4 Replies View RelatedCisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store
Feb 22, 2013I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
I also have configured ACS to use Active Directory and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.
Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall
Feb 26, 2013I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
HQ-ASA-01# show running-config
: Saved
:
[Code]......
Cisco AAA/Identity/Nac :: Importing Users From ACS 4.x To ACS 5.x
Jun 24, 2012Is it possible to export internal ACS users from an ACS 4.x Windows (On ESXi), solution to an ACS 5.x solution. All I want to be able to do is export usernames and passwords out of the 4.x solution and then import them into the 5.x solution. I thought maybe the CSUtil program be used ?
View 3 Replies View RelatedInternet Can Enter The Main Pages But Cannot Open Individual Sections
Mar 13, 2011if I can enter their main page, I cannot enter individual sections. I will get this "This webpage is not available" error.The thing is that, both forums have been running smoothly for others but not me.Few days ago, the situation wasn't so bad. But when I using my ISP Proxy Address I can only access one of the 2 forums only. Hence, to access the other one, I would have to disable my ISP Proxy Address,Now, I can't. Even if I use Google DNS, I also cannot access the forums at all,Is my network screwed up ? But if it was screwed up, how come I can access to other forums but not these 2 ?
View 1 Replies View RelatedAAA/Identity/Nac :: Authenticate LAN Users Via Cisco 2911
Feb 9, 2012We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
Cisco AAA/Identity/Nac :: ACS 5.0 - VPN Authentication And IP Pools For Users
Mar 19, 2012How to configure the ACS5.0 radius for remote access VPN authentication.
And how could I implement the IP Pools for the VPN users.
Cisco AAA/Identity/Nac :: How To Show Logged In Users In ACS 5.1
Sep 5, 2011After some time no using Cisco ACS5.1, I still don't know how I can see all logged in users. I can see logging and check why an log in goes wrong, but in ACS 3.2 I just clicked on Reports and Activity and I could choose to see logged in users, or failed attempts, etc.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 Authenticate Wireless Users With 802.1x
Jun 9, 2011I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.
Cisco AAA/Identity/Nac :: ACS V5.2 - Any Limitations On Import Users
Mar 21, 2012on ACSv5.2...are there any limitations on the number of users that can be imported via CSV file...i.e. will the ACS handle 250,000 internal users for example?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.3 - Create Dashboard For All Users?
Apr 28, 2013I'm at the point of setting up admin access for engineers needing to have insight into the operations and status of our ACS 5.3 systems. any way to create a Dashboard that can be applied to all admin user accounts? (perhaps a custom role?)I've been able to customize the dashboard for my own account to show what is most relevant, but am unable to figure out how to apply this layout and setup to all other users.
Basically, I have a number of folks that need to see this data, but that I can't exactly count on to setup their own dashboards to show the important details. If there were some way to build a tab/dashboard/portlet, etc (whatver it may be) and have it apply to all users, that would save me TONS of work so that I don't have to login to each person's account and set things up for them.For example, I want to have all users see a tab/dashboard that shows the applet "Live Authentications", but with the protocol already configured to display TACACS vs the default which is RADIUS.
Cisco AAA/Identity/Nac :: ACS V5.1.0.44 / WLC 5508 / Cannot Get Users To Authenticate
Sep 25, 2011Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 - Authenticate Only Specific AD Users
Jul 22, 2012Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.
View 9 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.x Admin Users Authentication Against AD
Apr 23, 2012Do you know if it's possible to use ACS 5.x in such manner that the admin users (so not the end users, but the administrator users of ACS) are authenticated against and external database, like Active Directory?
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 RSA Users Not Getting Level 15 Privilege?
Jun 13, 2011I have cisco ACS 5.2 and external identity source as RSA secure ID.Currently when the RSA user login to AAA Network devices, User id & passcode prompt coming after giving the credential its going to user exec mode.Then after "enable" command again asking for Passcode giving passcode then user able to logged in successfully.
I need RSA users to get direct privlege level15 (privlege mode) ? no need to ask enable password ?
I checked this for local ACS users it is working and loca users getting directly privelege mode access...
Cisco AAA/Identity/Nac :: ACS 5.3 With Mac Authentication To Users Wireless
Mar 14, 2013I'm working with a cisco wlc and acs 5.3 . I have two profile or ssid's and one of them is working with web authentication and the accounts exists in the local database of cisco acs.
I'll would like to know how can i should configure mac authentication on the cisco acs 5.3?
My purpose is authenticate users first by mac, and second by the account of local users in the cisco acs.
Cisco :: 5510 - VPN Users Needs Access To All L2L Segments
May 17, 2013Client has a Cisco ASA 5510 with 4 L2L VPN's all using 5505's
The L2L connect to the "outside" interface as do the VPN Users (I'm leary of this
The VPN Users need access to the "inside" networks and all L2L subnets.
The VPN User has its own subnet (192.168.168.0/24( seperate from the Local LANs (172.16.0.0/16)
When the Users VPN in they can get to all the subnets connected to the inside interface but none of the L2L subnets
I have verified that the UserVPN Subnet is in the crypto acls and in the route statements of all L2L 5505s
AAA/Identity/Nac :: ACS 4.2 Radius Authentication For SSL VPN Users
Dec 22, 2012Using Cisco ASA I want the ssl clientless vpn users to be authenticated through a local Radius-Server. but it does not work, and on asa while i want to see (Debug Radius) output, there is no debuging msgs displayed. When i try to test the user which i have created on the ACS-Server 4.2, the test gets successful. where i have made a mistake in my configuration ?
View 2 Replies View RelatedAAA/Identity/Nac :: 3355 - Deploy NAC For 500 To 600 Users Across WAN?
Jan 24, 2013We want to deploy NAC for 500-600 users across WAN. We are planning for L3-OOB-Real Gateway central deployment Solution.We are having two NAC Server (3355) two NAC manger (3355) at HQ and 6 NAC Server(3315) at branch. We deployed NAC under VRF.How we can deploy NAC over WAN without NAC Server, need step by step configuration under VRF.
View 1 Replies View Related