Cisco AAA/Identity/Nac :: Can Use ACS 5.2 As Guest User Authentication Server?

Jun 5, 2012

Can use ACS 5.2 as Guest user authentication server?

View 3 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: 5508 - NGS Guest Server Authentication Error

Apr 29, 2011

I installed NGS 2.0.2 for wireless guest user management and authentication. I implement webauth via webauth page on wlc deployed.One Branch with a WLC5508 version 7.0 wireless anchor controller is working on the NGS.But now I integrate next branch with WLC4402 version 6.0.188 and the authentication of users at the new branch gets an error, wrong user/password.
 
I double checked configuration and user/password but I can't find any configuration error. Also stopping and starting of radius service and reboot of NGS still does not work. I tried to debug the radius via web interface and watched for the loggfile and there is still a reject.I also tried the freeradius command radiusd -X but I got an error when starting the radiusd -X.
 
1.) How can I figure out, if I will get the correct password from my WLC ? Are there any debug options to see more ? e.g. some cli commands, radiustest utilities or how to get the received password from the chap challenge of the debug ?
 
2.) I have appended a part from my radius loggfile. How can I find the detailed error in the radius log file? Is it correct that the password in the debug file is empty ? raiuds logg line "[radius-user-auth] expand: %{User-Password} -> "

View 3 Replies View Related

Linksys Wireless Router :: Guest / User Authentication E2000?

Jul 7, 2011

E2000 has the guest account feature.  Not sure if all guests shares the same login credentials.  I would like to have guests account use seperate logins.  Is this feature available?  Another thing, I read the manual and it is indicated that only up to 10 maximum guest acccounts is allowed.  I am looking for more than 10 - kinda like a hotspot software.
 
I've been looking everywhere.  I've seen hotspot system, ddwrt, chillspot, etc.  But it's complicated as firmware needed to be flashed.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Authentication MAB And Set Guest VLAN

Jul 13, 2011

is it possible to set the dot1x guest-vlan on a Catalyst Switch via ACS 5.2 dynamicly. I want to make MAB with known Devices (FAT-Clients, Notebooks,  Desktops, Printers) and unknown Devices.I will set the VLAN dynamicly with dot1x per ACS. For known FAT-Clients, Notebooks etc. it's running well.But for Printers it's more difficult because I have about 500 Printers in several IP-Segments on several Switches and I will not make to much Rules in ACS for Grouping, Mapping and Authority-Rules.My Idea is to set the Guest-VLAN on every Switch, read them with ACS and use this for my Printers.The Problem is that Guest-VLAN is set on more than 100 Switch and this guest-vlan is different on any Switch.Can I read the Geust-VLAN Value so that I can set this via ACS ?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Guest NAC Radius Authentication

Oct 31, 2010

For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...
 
Policy ElementsAuthorization & permissionsNetwork AccessAuthorization Profiles 
I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:
Dictionary Type: = RADIUS-IETFRadius Attribute: = Service-TypeAttribute Type: = EnumerationAttribute Value: = StaticValue = "Administrative"   
I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...
 
All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...
 
When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"...  Not sure what else to try to get this to work...
 
here is a like to the document i'm following: URL
 
Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order.

View 9 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Machine Authentication And AD User?

Sep 1, 2011

I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
 
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:

[code]....
 
Everything seem to fine until it gets to the last rule.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Local User Authentication

Nov 12, 2012

I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.

View 5 Replies View Related

AAA/Identity/Nac :: ACS 5.1 Domain User Authentication Restriction

Sep 26, 2011

We have configured ACS 5.1 for autenticating wireless users with active directory, which is working fine now.But we would like implement that single user should be authenticated through ACS . If any user try to access WLAN from multi system will be notified with multi login access restriction.Can we implement this policy in acs, if possible what are the exact configuration changes we have to implement.

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.1 Authentication From Cross Domain User

Dec 28, 2011

We have cross domain trust relationship established and I have added the user group in our ACS 5.1. we are using Active directory as an external Identity store. Also I have created a rule in the 'Access polices' to allow the user group. From the cross domain, I use abc@xxx.xyz as a user id, but I get this error message 13036 Selected Shell Profile is DenyAccess.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.3.124 / Machine And User Authentication / MAR / Timeout?

Apr 12, 2013

I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same  or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated  replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - How To Bind User Authentication And Machine

Jul 18, 2011

For our wireless, we enabled the machine authentication, but we want to bind the machine authentication and user authentication together which means they need to meet both requirements to access the wireless, how can we do this? Right now looks like as soon as the machine is authenticated, it can access the network, no user authentication needed.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure User Authentication Via TACACS On UCS 1.4 With ACS 5.2

Aug 18, 2011

how do i configure user authentication via TACACS on UCS 1.4 with ACS 5.2?  My TACACs connection works, and my user authentication is successful, but i can only get read-only rights.  I have tried several versions of "cisco-av-pair= role=admin" both as mandatory attributes named role and as cisco-av-pair=role , with "admin" as the value, and i still get read-only.
 
When i attempt to find any documentation, it only describes ACS 4.2, which is another problem i have with most documentation for new cisco products (i have this exact issue with my NAMs, nothing i do to change the attributes results in successfully logging into the NAM, and all config guides are written in 4.2 speak).
 
is there any possiblity cisco is going to release some documentation on how to convert 4.2 speak to 5.2 speak?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 User Authentication With Token And Password?

Jul 19, 2011

I am migrating from ACS 4.2 to 5.2. In 4.2 you could assign one user to auth via Internal Database and another user to auth via Radius Token Server. I cannot find how to do this with 5.2. There is a note in the doc that states 'Identity-related attributes are not available as conditions in a service selection policy'. Does this mean that you can only choose one auth method for all users? If it is possible to have multiple methods, how am I able to accomplish this?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Integration With LDAP For User Authentication

Dec 17, 2011

While configuring LDAP , I got struck in  “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS V5.2 / Can Configure User Authentication Logs To Be Viewed On WCS

Jul 18, 2011

I have some queries regarding on the report generation for on Cisco ACS v5.2.
 
1) Can we schedule to run a customized report on ACS and then email the report to the user?
 
2) Can we run a users authentication trend report based on the AD directory group rather than individual user.
 
3) Can we configure user authentication logs to be viewed on WCS.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: Using ACS 5.2 To Lock AD User Account If Too Many Authentication Attempts

Apr 18, 2011

I have setup ACS 5.2 in my lab and have it completely funcation with Downloadable ACLs, Dynamic VLANs and the identity store on the backend is Active Directory. I need it to lock a user account in AD if there are to many auth attempts. I have gone into AD and set a max login attempts to 3 but if I continue to fail authentication (on purpose) using radius auth, it never locks out my AD account? I am using the Anyconnect 3.0 with NAM as the supplicant installed on my workstation. I have also configured the switchport that I am connect to with the following commands. I tried the dot1x max-reauth-req 3 command and that didn't really do anything for me either. What am I missing here?
 
switchport mode access ip access-group 10 in authentication event fail action authorize vlan 40 authentication event no-response action authorize vlan 40 authentication host-mode multi-host authentication priority dot1x mab authentication port-control auto authentication timer reauthenticate 10 authentication timer inactivity 20 authentication violation protect mab dot1x pae authenticator dot1x timeout quiet-period 5 dot1x timeout tx-period 5 dot1x max-req 3 spanning-tree portfast

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Guest NAC Server AAA Administration With ACS 5.3

Nov 30, 2011

I'm having problems settting up a Guest NAC server to authenticate administrative users against a ACS 5.x server.   In the ACS RADIUS Authentication log,  I can see the user authentication is successful.In the AAA Diagnostics log, I can see the following warning:An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Authentication With One ACS 4.2 Server While Authorization With Another

Apr 5, 2011

1 ) : Is it possible to do authentication with one ACS server while authorization with another ACS? Use case is if the user authenticated to one ACS server and then switch loses the connectivity to this ACS. Now command authorization requests will go to another ACS server since switch is not able to communicate to the 1st ACS.
 
2): How can the local database sync be acheived in distributed ACS deployments?
 
3): Are the accounting records are sync between different ACS? In other words can accounting be centeralised with ACS4.2

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Upgrade To ACS 5.4 - Authentication Server And Log Collector

Jan 28, 2013

We got 2 Cisco ACS 5.2.0.26.10.Primary server as authentication server and log collector.Secondary server as authentication server. Replication is configured. url..."There are some exceptions to this usual setup, which you can handle as described below: If the ACS 5.3 primary server also functions as a log collector in your 5.3 deployment, you should promote any one of the secondary servers as primary server in the deployment. See Promoting a Secondary Server to Primary "
 
This exception matches with my case. I have to promote my secondary server as primary.I would have :Secondary server as authentication server and log collector.Primary server as authentication server. I think I have to deregister secondary from primary server..According to the guide, I have to upgrade the log collector server. "Step 1: Choose any secondary server to become a log collector:" I dont have another secondary server..

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 LDAP Authentication With Apple Mac OS X Server?

Jan 24, 2012

Does Cisco Secure ACS 5.3 support LDAP authentication with Apple Mac OS X server? One  of our clients require an access control system. The major portion of  the network consists of Apple Mac OS X 10.7 (Lion) Server and clients.  They were using MAC-address based authentication along with LDAP through  Cisco Wireless LAN Controller. But now the number of users has exceeded  the maximum number of MAC addresses supported by WLC (2048). Hence we  suggested ACS appliance to overcome the limit. My doubt is whether ACS  5.3 appliance can communicate with the Mac server and perform LDAP  authentication.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 3750 - IP HTTP Server (with No Authentication)

Dec 29, 2011

I have a customer who used to own a 3750 with a older version of IOS. The switch he had used a three year old version of IOS which allowed him to browse to the switch IP and manage it via HTTP without entering a password at all. Now that he has a replacement switch with a new ver of IOS (since the previous switch died). We slapped the config on from the old switch but no matter what we do (understanding that new http aaa authentication commands were added) we cant get this thing to let him in without prompting him for a password. I understand this was an insecure config to begin with so I shouldn't be advocating using it in the first place, but this is what the customer wants.Basically what I'm trying to figure out is are we banging our heads into the wall for nothing as the "ip http server" will not allow an authentication method of "none" anyway? None of the offical documentation I have read for the http aaa authentication cmds shows this as an example nor have I found any blog posts on how to do it ether. Perhaps Cisco removed this by design.

Here is the config: 
 
aaa new model
aaa authentication login default local
aaa authentication enable default none
aaa authentication login none none
 ip http server
ip http authentication aaa login-authentication none

[code]....

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've been configured my device 6506-9 with TACACS+ server authentication: [code]
 
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E

View 6 Replies View Related

AAA/Identity/Nac :: ACS 5.3 - Install RSA Authentication Manager Server Into Virtual Machine?

Jan 22, 2012

it was possible to install RSA Authentication Manager server into the ACS 5.3 Virtual Machine ?

View 0 Replies View Related

Cisco AAA/Identity/Nac :: 5510 Assigning A User Group Using RSA Secure ID RADIUS Server

Feb 3, 2007

We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?

View 11 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?

Sep 22, 2011

We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.

View 1 Replies View Related

Cisco :: Guest Authentication Using AP1200s

Aug 31, 2011

I am looking for a way, even something that might be EOS, that will allow autonomous AP1200s to force a user to enter a user name and password (or even just password) before allowing a user network access.  This is a hotel environment so even though the first client authenticates the process needs to be initiated again whenever a different laptop comes onto the network. 

View 14 Replies View Related

No Wifi Connection For Guest User

Oct 30, 2011

i am loaning my laptop to a friend to use while traveling and I have created a "guest user" account so he doesn't have to go through my home pages and personal files. Well, whenever this account is being used, there is no WiFi connection logo and so it cannot be connected to the internet via WiFi...

View 1 Replies View Related

Cisco :: 2100 Can Create A Guest User Directly On ISE

Oct 10, 2011

I have an instance of ISE and NCS with a WLC 2100 plus a couple of LWAPs. This is an evaluation POC lab to sell ISE and NCS to our management to make our life easier.The problem I have amoungst many is I can create a guest user directly on the ISE and the guest can login, the ISE monitor shows the guest authenticates but the clients webpage passes them back to the login page not onto the original client url. The web auth is pointed at the ISE/guestportal/portal.jsp page.If I point the web auth at the internal WLC page using a WLC local user account it works.If I set the guest access to pass through it works without issues getting dhcp and dns. On the ISE is there a policy needed to say if guests are web authenticated give them access? The need is for AD authenticated users to be able tocreate guest users. The AD authentication works for sponsorship and guest creation its just the guest access redirection I am having issues with.

View 1 Replies View Related

Cisco :: WLC 4400 - Create Guest User Accounts

Jun 13, 2011

(WLC 4400) which enables employees to browse to a custom made webpage, where they can create an account for company vistors to access the internet. It's important for the employees not use any login credentials, they arrive on a webpage where they specify the login & password which the vistor will enter to browse the internet. Is there any good link to documention about this topic?

View 3 Replies View Related

Cisco Wireless :: WLC 2504 - Guest User Life Time?

Sep 19, 2012

Cant we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30

View 5 Replies View Related

Cisco Wireless :: AES128 - Traffic From Guest User Encrypted?

Sep 12, 2011

The design is typical Cisco unified wireless solution. In such a implementation, is the traffic from the guest user who has successfully authenticated via WEB-AUTH encrypted? If so, what is the standard used, AES128 or TKIP?

View 6 Replies View Related

Cisco Wireless :: WCS Creates User Guest Access On WLC 5508

Feb 23, 2012

In my Wireless network, I have two appliances WLC 5508 running version 7.0.116.0.I have a WCS running version 7.0.172.0, deployed on a windows 2003 server.I've imported the two WLCs in my WCS in order to centralize the monitoring and the configuration tasks.Now I'm facing an issue when I want to create a guest user from the WCS, rather than creating this user access on each WLC. The creation of the user account is working good, the replication is done on the both WLCs, but on one of my WLC the guest user account is deleted after one hour(around).On the second WLC, the same user account remains during all its life time.In attachment a screen shot of the advanced parameter of the guest user.You can see that the user was created on the both WLC but is only active on one ... and unfortunately the wrong because the AP is associated with the other WLC.

View 2 Replies View Related

Cisco Wireless :: 5508 - Export Guest User Accounts To New WLC

Dec 19, 2012

I've got a WLC5508 (7.0.116.0) that is managed by WCS (7.0.172.0). I set up another WLC5508 with the same code and managed by the same WCS. Now I'd like to export all the 800 guest user accounts with the passwords from the old WLC and import them into the new WLC.

View 10 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved