Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our AnyConnect users with ACS via Active Directory. I think I have the correct commands in our ASA (we had ACS 4 and authenticated our AnyConnect users).

I also have configured ACS to use Active Directory and installed the server-side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have set up in Active Directory.


Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on Active Directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format: cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Condition
LDAP:ExternalGroups groupname1
Result
Identitygroup1

I have the default group set to an identity group named "other". My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the "other" identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.


Cisco AAA/Identity/Nac :: ACS 5.3 - Connection To External ID Store - Encrypted?

Mar 14, 2012

Are the connections between the ACS and external identity stores encrypted? I know that when setting up an LDAP identity store there is the option to specify an SSL connection. Are the other connections encrypted by default, or is the data sent between the ACS and AD, for example, sent in the clear?


AAA/Identity/Nac :: Authenticate LAN Users Via Cisco 2911

Feb 9, 2012

We have remote users that dial in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our lab using a 2911, a switch, a RADIUS server and a web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test user PCs over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find any way to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.

In summary, what I want is for a user to access an internal web site over a LAN interface of a 2911, but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this? Is the answer to configure port-based authentication (802.1X) on the switch?


Cisco AAA/Identity/Nac :: ACS 5.1 Authenticate Wireless Users With 802.1x

Jun 9, 2011

I have an issue with an implementation. I had an ACS R5.1 that I'm using to authenticate the wireless users with 802.1x; that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that, for example, the phones are trying to authenticate using the 802.1x rules of the wireless connection, not using the MAB rules. [code]

You could also see a screen from the ACS in the attached file. In the picture you can see an IP Phone trying to authenticate using the wireless Access Service instead of using MAB.


Cisco AAA/Identity/Nac :: ACS V5.1.0.44 / WLC 5508 / Cannot Get Users To Authenticate

Sep 25, 2011

Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from the WLC filling our logs. Seems to be specific to this model of WLC, because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?


Cisco AAA/Identity/Nac :: ACS 5.1 - Authenticate Only Specific AD Users

Jul 22, 2012

Is it possible for ACS 5.1 to only allow specific AD users to authenticate to the switches and routers? Currently what I have configured allows all AD users. I can't seem to find a way to be selective.


AAA/Identity/Nac :: ACS 4.1 Failure To Authenticate Windows Users?

Feb 24, 2013

We are running Cisco Secure ACS for Windows version 4.1(1)b23p5 on a Windows 2000 member server. Starting from today, ACS fails to authenticate users. Using the same external user (andrea-meconi) I can verify successful and failed authentication. This is the AUTH.log for a generic RADIUS request...
 
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Starting authentication for user [andrea-meconi]
AUTH 25/02/2013 15:30:24 I 0396 3900 External DB [NTAuthenDLL.dll]: Attempting

[Code].....


Cisco AAA/Identity/Nac :: ACS 4.2 Failure To Authenticate Windows Users

Apr 8, 2009

The ACS can authenticate people using the local database; it can also authenticate a single user (using the Windows database) if you are fast after the service is restarted. However, after a few seconds it fails to authenticate any users. The error we are seeing in the logs appears as authentication failure type: internal error. Also in the log files, the authentication request from the user does not appear in the correct group; it is thrown into the default group.


Cisco AAA/Identity/Nac :: Configure Users On ACS 4 To Authenticate Password With RSA 6.1

Apr 16, 2013

I have ACS 4 integrated with RSA 6.1, where users of ACS can authenticate their passwords with the RSA server. I am migrating users to ACS 5, and I want to integrate with RSA.

I am configuring RSA as "RSA SecurID token servers". But how should I configure the users on ACS to authenticate the password with RSA?

Previously on ACS 4, on the user page, in the password field, I selected "authenticate with external DB". Also, any guide for the config on the RSA 6.1 side (with ACS 5)?


AAA/Identity/Nac :: Single Win2008R2 NPS Server To Authenticate Both VPN Users

Jul 17, 2012

I have successfully set up a Windows 2008 box as a RADIUS server and use it to authenticate VPN users against an AD database. I have also set up a similar policy that permits authentication for management purposes to all my networking devices (routers, switches and the ASA). Both policies work fine. Of course I don't want every VPN user to have administrative access to the ASA and every other device on my network. How can I discriminate between the 2 groups (VPN users and network administrators)?


AAA/Identity/Nac :: ACS5 Try To Authenticate User In External Database

Jan 16, 2012

Is it possible to create a rule on ACS5 which will:

1. Try to authenticate the user in external database1 (RADIUS)
2. When external database1 returns FAIL (because of a bad password), ACS5 should try to authenticate the user in another external database2 (RADIUS)


Cisco AAA/Identity/Nac :: 7000 Setup Switch To Be Able To Authenticate Users With Tacacs+

May 2, 2012

I have a Cisco Nexus 7000 switch and a Cisco ACS 5.2. I would like to set up the switch to be able to authenticate users with TACACS+ using RSA SecurID tokens when they try to log on to the switch.


Cisco AAA/Identity/Nac :: ISE 1.1.3 Authenticate Wireless Users / Admin Access To WLC / Switches

Mar 13, 2013

Deployed two Cisco ISE 1.1.3. ISE will be used to authenticate wireless users and admin access to WLC and switches. Backend database is Microsoft AD running on Windows Server 2012. Existing Cisco ACS 4.2 is still running and authenticating users. There are two Cisco WLCs, version 7.2.111.3. Wireless user authentication to AD through ACS 4.2 works. Admin access to WLC and switches to AD through ISE works. Wireless authentication uses PEAP-MSCHAPv2 and admin access uses PAP/ASCII.

Wireless users cannot authenticate to AD through ISE. The error messages are "11051 RADIUS packet contains invalid state attribute" and "24444 Active Directory operation has failed because of an unspecified error in the ISE". Conducted a detailed test of AD from ISE. The test was successful and the output seems all right except for the below: [code]

Update:

1) Built another Cisco ISE 1.1.3 server in another datacentre that uses the same domain but a different domain controller. This domain controller is running Windows Server 2008. This works and authentication is successful.

2) My colleague tested in a lab environment Cisco ISE 1.1.2 with Windows Server 2012. He got the same problem as described.


Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.

Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?


Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How to restrict the internal identity store per group? Do I need to create new roles, and how? I was not able to get an answer from the ACS ADMIN manual.


Cisco AAA/Identity/Nac :: ACS 5.x Identity Store Sequence And Token Validation

Dec 3, 2012

We have an ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticates the users but also assigns the group that is used to select the IP address pool. Now the requirements call for token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP. The problem is that the SafeNet server doesn't return the group membership. I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:
I configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x).
I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password, and would retrieve the group membership.


Cisco AAA/Identity/Nac :: ACS 5.2 - Multiple Identity Store For PEAP

Sep 25, 2011

I am trying to set up PEAP authentication for wireless users but I got stuck at the point where I have a single SSID and users are stored in different identity stores: some will be using their Active Directory accounts and some are locally created users on ACS. I created a separate service for wireless authentication and under that I am unable to create a rule to differentiate them by identity store. Any idea how to achieve this?

I tried creating identity selection based on role but it does not work, as for protocols like RADIUS PEAP/MS-CHAP, ACS does not look in another identity store once a user is not found in an identity store.


Cisco AAA/Identity/Nac :: ACS 5.1.0.44 External Identity Stores Account To Be Locked Out

May 11, 2012

I am currently running Cisco ACS 5.1.0.44 and use Active Directory as the main authentication identity store to allow network administrators to have access to network devices in my organization. As per the established security policies in my organization, the ACS has to disable any account after 3 failed login attempts to any network devices. I have gone through all the settings on the ACS but couldn't find where or how it is done.


Cisco AAA/Identity/Nac :: ACS 15015 Could Not Find ID Store

Feb 12, 2012

I'm trying to authorize management access for HP ProCurve Manager via ACS RADIUS. But I get the failure "15015 Could not find ID Store". The machine is configured under Network Devices and AAA Clients, the service selection rule selects the correct access service, the Access Service is Network Access, and the authorization profile is permit access.


Cisco AAA/Identity/Nac :: 7925 ISE Cannot Run Multiple Signed CA In Store

Jun 4, 2013

Using SHA1 for Cisco 7925g and SHA256 for data. Two separate CAs, one Entrust (SHA1), the other a local Windows CA (SHA256); ISE can only use one at a time to process a particular protocol (i.e. EAP-TLS, HTTP, etc.). As a result we have to have a separate PSN just for wireless and wired VoIP (which can only hold SHA1 RSA1024).


AAA/Identity/Nac :: 5508 - Re-authenticate By NAC

Aug 20, 2012

We deployed an L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. We have upgraded the wireless controller to a 5508; since then, when users log in to the first page and are certified, and they want to browse to the internet, NAC redirects the web page and asks for authentication again, even though the users' devices are shown as certified devices in the list.


Cisco AAA/Identity/Nac :: ACS 5.3 To Authenticate Macbooks

Aug 30, 2012

Having an issue with MacBook authentication. All MacBooks at this one site, on the same switch, going to the same RADIUS server, work except for one. Looking at the logs it appears the server and client never exchange certificates. Attached is the log for the failed MacBook authentication.


Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think I've got everything set up to authenticate against AD for TACACS+ device logins. When I check the logs, I see: "24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly; however, if I enter the password correctly for the same AD user, there is no log at all... no pass, no fail.

If I look at the TACACS debugs on the switch, I see the following:

May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERROR
May 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating with ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when I put in an incorrect password for the specific user.


Cisco AAA/Identity/Nac :: URL Not Changed After Successful Authenticate With ISE 1.1.1

Jul 30, 2012

I have set up Cisco Identity Services Engine (1.1.1) with a Wireless LAN Controller (7.2.110). Everything is complete except the URL redirect. My guest clients can join the Guest SSID and can also authenticate to ISE. But after they successfully authenticate with ISE, the URL in the browser doesn't change to the preconfigured one. It is still something like [URL]. The content in the browser does change to the configured URL, such as url... What can I do in this situation? Everything is working fine, but only the browser URL is not changed to the preconfigured one.


Cisco AAA/Identity/Nac :: Set Up ACS 5.3 Administrator Accounts To Authenticate?

Jun 3, 2012

Have set up a pair of ACS 5.3 servers and have set up device administration authentication to be passed through to an RSA server via RADIUS. All works great.
 
What we want to do is go a step further and set the system up so that ACS Administrators also have to authenticate to the ACS system by RSA via RADIUS (the same as the Device Authentication we've set up) for ACS administration tasks.
 
Looking at the options available in the ACS Administration setup (administrator accounts etc) there doesn't seem to be an option to authenticate via another method apart from a local administrator account on the ACS.
 
Is it possible to do this?


Cisco AAA/Identity/Nac :: 12520 Windows 7 Cannot Authenticate To ISE

Aug 21, 2012

I have seen a couple of people with Win7 who cannot authenticate to ISE: "12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate". I've thought of this: maybe get a 3rd party cert (GoDaddy) and have that installed in ISE. I know I do have to make a CSR (Certificate Signing Request) that matches cn=primary.ise.mydomain; would I also need a cert for the secondary?

If I use LEAP as the preferred protocol then it doesn't ask for a cert and users are authenticated successfully. I know they have to select "do not validate cert" and all that, but sometimes it doesn't pop up for them and they just can't get on. Again, maybe going with 3rd party certs will make it easier while benefiting from using PEAP?


Cisco AAA/Identity/Nac :: Can Only Authenticate With Telnet On ASA 5520

Jul 12, 2011

On an ASA5520 v7.2 I can only seem to authenticate to the console when using telnet and not ssh. I can connect using both methods, but just have trouble authenticating with ssh. Here are the relevant lines related to the issue:

username user1 password ***** encrypted privilege 15
username user2 password ***** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet <my subnet> 255.255.255.0 Inside
ssh <my subnet> 255.255.255.0 Inside


Cisco AAA/Identity/Nac :: Lexmark Printers Authenticate Against NPS But Not ACS 5.4

Dec 9, 2012

We are doing a new installation of a Cisco ACS 5.4 replacing a Microsoft NPS.
 
Recently I ran into issues with Lexmark wireless printers authenticating against the ACS 5.4.
 
While these printers work against the old Microsoft NPS we want to replace, I get "11500 Invalid or unexpected EAP payload received" on the ACS.
 
Windows/Android/iDevices authenticate against the same SSID using PEAP. I suspect we ran into:

CSCtq46211 Bug Details
Lexmark Printers work with ACS 4 but not ACS 5
Symptom: Lexmark printers used to work with ACS 4.2 but they produce "internal error" on ACS 5.1 or 5.2
Conditions: Not known exactly
Workaround:
1st Found-In: 5.2(0.26.3)
Fixed-In: 5.3(0.40.7)

Setting up a new VM with ACS 5.3, patching it to P7, reconfiguring and retesting all the stuff we implemented over several days is not an option.

The Cisco TAC refuses to open an SR because the product is under warranty only, and claims warranty only covers HARDWARE replacement... (and we ordered ACS as a VM...). Maybe I should burn the ISO image to a DVD and RMA it for repair.

Maybe Cisco could verify whether the fix for CSCtq46211 has been integrated into ACS Version 5.4.0.46-B.221 already or not?


Cisco AAA/Identity/Nac :: Cloned ACS 5.2 But Clone Does Not Authenticate

Jan 16, 2013

I'm having an issue with a cloned VM of our ACS. We are moving it to a different location. I was able to clone it and get it back on the network, but I can't authenticate to it from any of my switches. I do have an older version: 5.2.0.26


Cisco AAA/Identity/Nac :: ACS 5.3 - Use RSA Server And AD To Authenticate Network Devices

Nov 10, 2011

I am not sure what I am trying to do is possible, so I thought I would pose the question on here. In ACS 5.3, I would like to use an RSA server and AD to authenticate to my network devices. So when I log into a router or switch I would enter my AD username, be prompted for my RSA token, then when I enable be prompted for my AD password, or vice versa. How do I write an access policy to achieve this?


Cisco AAA/Identity/Nac :: Authenticate ACS 5.2 Administrators To Active Directory?

Mar 21, 2011

Rather than maintaining local accounts, is it possible to authenticate admins against AD? I'm talking about administrators of the ACS server itself, to be clear.


Cisco AAA/Identity/Nac :: WS-C2960G-48TC-L - 802.1x Fails To Authenticate

Nov 13, 2012

I have a user named "testuser" and am trying to authenticate from an XP computer, but it fails to authenticate. The ACS logs say that authentication failed; the user is in the local database, so why does it fail to authenticate?

I have this Cisco switch:

WS-C2960G-48TC-L   12.2(52)SE            C2960-LANBASEK9-M

*Mar  8 04:03:55.030: AAA/BIND(00000029): Bind i/f 
*Mar  8 04:03:55.173: %AUTHMGR-5-START: Starting 'dot1x' for client (782b.cbc9.a027) on Interface Gi0/2 AuditSessionID 0A6A00200000001924EBD428
*Mar  8 04:03:57.010: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed

[Code]....

Copyrights 2005-15 www.BigResource.com, All rights reserved