Cisco AAA/Identity/Nac :: Configuring AAA On ASA 5520

Dec 15, 2012

We have an IAS (Internet Authentication Server) to authenticate all our network devices. This server is integrated with our local AD server so that we can use our domain credentials to login into the netwoerk devices. i have successfully configured all our L2 & L3 switches with IAS but facing issue with ASA 5520. Below is the config i have applied on ASA. When i am testing the authentication with IAS server, i am getting "Authentication Successful" message.
 
aaa-server AAA protocol radius
aaa-server AAA host 10.91.38.70
key *****

[Code]....

Also when i am trying to telnet the Firewall, i am directly getting password promt. I should first get the username promt wherein i can enter my domain username.

View 1 Replies


ADVERTISEMENT

AAA/Identity/Nac :: Configuring Authorization ASA 5520 - Level 15

Sep 10, 2012

I have an ASA 5520 8.2(5) with ACS 5.1, I made the configutation of Authentication and is working well, now how I can configure the authorization and get  into the privileged level 15 mode directly.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
 
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to    be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).

View 4 Replies View Related

Cisco Firewall :: Configuring New ASA 5520 With AIP Module?

May 14, 2011

I am configuring new ASA 5520 with AIP module for our network with HA (2 boxes), would be the best practice to configure in order to protect web servers and email server.

View 2 Replies View Related

Cisco Firewall :: Configuring QOS On ASA 5520 Release 8.0(2)?

Jun 20, 2011

I present wish to develop a policy and template for QOS on our ASA 5520 release 8.0(2) we presently have wish to do server hosting in our network for other organization,which the they will be able to access their servers they have both public and private addresses. we do have our one servers also already in production all behind the ASA And therefore we wish to apply qos on the servers to be hosted and we wish to do this on the ASA. how to go about this to apply qos on the ASA?

View 3 Replies View Related

Cisco Security :: Configuring SSL Certificate On ASA 5520

Jun 20, 2011

I have a SSL certificate from a third party that is showing under the Identity in ADSM, howerver the audit scan of the firewall shows that the SSL Certificate Signed with an unknown certification Authority. I have installed the Intermediate Primary and Secondary Certificate from the third party under the CA Certificate of the ADSM however when I verify the SSL certificate it still shows as self-signed. What other steps do I miss. I have attached some screenshots.

View 2 Replies View Related

Cisco VPN :: Configuring Split-tunneling On ASA 5520

May 28, 2012

I have some troubles configuring split-tunneling on ASA 5520.Number of remote users establish ipsec connection with ASA 5520 (in central office) using ubuntu vpnc-client.Split-tunneling is in use, to allow remote users to surf Internet using their ISP.The goal is to remove the possibility to ssh/telnet servers inside corporate LAN for remote users. [code]

There is nat enabled on interface, but there is special statement in nat0 ACL for 192.168.100.0 subnetwork access-list INSIDE_LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0.The problem is that remote users can easely ssh and telnet servers in INSIDE_LAN network. Whatever i put in INSIDE_LAN_in ACL, remote users still have full access to this network. Restrictions in REMOTE_split ACL don't work either.

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Configuring Dynamic NAT And PAT

Jan 13, 2013

To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps: 

Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
 
The Add Dynamic NAT Rule dialog box appears. However, when I click on Add I don't get the option to Add Dynamic Nat Rule. To see the options I get please see attachment.
 
The following is a capture of the show version:
 
ciscoasa# show ver Cisco Adaptive Security Appliance Software Version 8.4(2) <system> Device Manager Version 6.4(1) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "start up-config"
ciscoasa up 16 mins 57 secs Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB  
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
[code]...
 
This platform has an ASA 5520 VPN Plus license. Serial Number: 123456789AB
Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
Configuration register is 0x0
Configuration has not been modified since last system restart.

View 8 Replies View Related

Cisco Firewall :: Configuring Virtual MAC Addresses On ASA 5520?

Jul 21, 2012

I configure the virtual MAC address for a interface on ASA 5520, will enter the following command on the active unit:
 
failover mac address Inside 0012.3456.789a 0023.4567.89ab
 
The active MAC address is of the same as the Inside's burned-in MAC address of the active unit.Similarly, the standby MAC address is of the same as the Inside's burned-in MAC address of the standby unit.Do I get the effect of failover mac address command?

View 1 Replies View Related

Cisco Firewall :: Configuring Inbound Access On ASA 5520

Dec 18, 2011

I have successfully been able to allow outbound access from inbound hosts  on the appliance; however, I have only one outbound IP address and had to configure outbound access using static PAT.  What I need to do is to configure access to certain inbound hosts from outside.  What's wrong with my running config?  Below are the commands that I believe need to be changed from the configuration. [code]

View 14 Replies View Related

Cisco Firewall :: 5520 - Configuring ASA Management On Sub-interface

Jul 27, 2010

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.
 
I need to use 4 interfaces four data traffic
 
1- Inside
2- Outside
3- dmz-1
4- dmz-2
 
The remaining will be the management interface only.How can I configure the Statefull failover and Management?
 
1- I used the management0/0 for The stateful failover.
 
2- I used gig 0 for outside
 
3- I used gig 1 for inside
 
4- I used gig 2 for dmz-1
 
5- I divided the gig 3 to two sub interfaces
a- gig0/3.1 for dmz-2
b- gig0/3.2 for Management and I defined it as a management-only

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Configuring 802.1x

Jan 17, 2012

Trying to configure 802.1x with ACS 5.3, have some general doubts about how to make it, this is what I got for the moment:
 
ACS 5.3 = 192.168.240.28
AD = 192.168.251.97
Switch = 192.168.240.171
 
IOS device config Already configured and running Device Administration using Tacacs, mising with Radius aaa commands:
 
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
!
aaa group server radius RADIUS_1x

[Code]......

View 15 Replies View Related

Cisco Firewall :: ASA 5520 Configuring Active Standby High Availability

Nov 1, 2011

I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s.I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5).I am trying to setup Active/Standby using the High Availability Wizard. I have interfaces on each device setup with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, enter the peer IP of 10.1.70.2 and I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: Configuring 802.1x With ACS 4.2 (RADIUS)?

Mar 25, 2013

I am trying to configure AAA authentication and authorization with Cisco 3725 (IOS 12.4(17)) for 802.1x and ACS 4.2 with VLAN assignment to my Windows XP client. (trying to assign VLAN 100 in my scenario).When user connects to the Router, it passes the authentication process (EAP-MD5). In my debug i see that Router recieves the Radius Attributes BUT does not apply anything!My running config:

Building configuration... 
Current configuration : 1736 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

[code]......
 
As a result the vlan-switch data based does not change.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 3750 - Configuring NPS AA

Jan 4, 2012

I am struggling with configuring NPS AA for our 3750 array ... authentication and authorization. I tried almost every config i could find online but the most i got out of it is a simple authentication. What i need is quite simple: we have several AD groups.

1- Admin
2- Read only with few privileges for ping, show, trace route and telnet
 
I need my switches to be able to recognize the groups and assign them the correct priv. But it doesn't seem to be happening. Any clean config for  the switch and for NPS ?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Configuring BlueCoat ProxyAV 510 With ACS V5.x

Oct 9, 2012

I am trying to configure the ACS v5.x server to accept RADIUS authentication/authorization for BlueCoat ProxyAV 510's. Unfortunately, I can't seem to find any useful documentation for this. I have created a BlueCoat VSA with an Attribute of 'Blue-Coat-Authorization' with a value of '2' (Admin Access) and Type of 'Unsigned Integer' but this does not seem to work. The ACS reports that authentication has succeeded but I cannot login to the BlueCoat device and have to rely on local access.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 / 5.3 Configuring Packeteer Attributes

Oct 9, 2012

We have found the following  issue configuring radius attributes for network access with packeteer appliances.with PAcketeer-AVPair  attribute , value --> access=touch Login fails and we see this
 
PacketShaper# radius login user password
"user" RADIUS Authentication Fail
Vendor-Specific: ccess=touch  <--- value is bad
 
PAcketeer is not receiving  vendor-specific value correctly, As workaround , we put other character  before value --    xacces=touch
 
PacketShaper# radius login user password
"user" RADIUS Authentication OK
Vendor-Specific: access=touch

View 5 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x - Configuring Multiple AD Domains For Authentication

Jan 7, 2013

Currently on ACS 5.2 and our MS Active Directory is migrating to a completely new domain. There will be a two way trust between them for the 24 month migration period. How best to configure ACS connect to both domains?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Configuring LDAP With Secure Authentication?

Mar 15, 2012

I am setting up an LDAP identity store over ldaps in ACS 5.1.  I specify that the connection uses secure authentication and provide the Root CA certificate.  When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test? 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Configuring ACS 5.x For Restricted Dev Admin Command Set?

Apr 25, 2013

this is the first time I am about to configure ACS 5.3 to authorize user group from doing some commands in the "configure mode" while permitting them some other commands. As example, I want to deny them from doing "reload" but give them access to configure "time-range", what happen is, they are denied access to "reload" on the exec mode, but once they went into "configure" mode, they would be able to "do reload"I mean to say, is it possible to manage the subsequent commands to "configure terminal" ?

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Configuring WLC 4402 TACACS+ Authentication Using ACS 5.0

Aug 22, 2009

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access. We can't get this work for some reasons.
 
Other Cisco routers and switches all worked fine with TACACS+ authentication. This is a TACACS debug output from the WLC;
 
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

[Code].....

View 24 Replies View Related

AAA/Identity/Nac :: Configuring AAA Network Client On ACS V5.1 Using Same Radius

Feb 6, 2012

I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old  ACS v3.3 server.

Example : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Configuring 802.1x Authentication On ACS 5.1.0.44 / Catalyst 2960S Switches?

Mar 22, 2012

configuring 802.1x authentication on ACS 5.1.0.44 & Catalyst 2960S switches.All the documents i have found seem to have incorrect screen shots or missing steps.I have found a doc external to Cisco [URL]however this just hangs when attempting to complete the task in figure G.The other docs are for configuring IBNS & assume that 802.1x is already configured.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 1121 - Configuring ACS To Strip Domain From Request And Sending It To AD

Jul 24, 2011

We are currently evaluating a ACS 1121 running 5.2, we are trying to configure this to Authenticate eap-peap requests.

Our users will be using credentials in a username@example.com format, if the server sees a request using username@anotherrealm.com then it would forward the request to a external proxy radius server, if the server saw a request for our domain it would strip off the @example.com part and authenticate against AD.
 
Im finding it hard locating documentation to tell the server if a request comes from a NAS using username@example.com then strip @example.com and authenticate username against AD.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Can Only Authenticate With Telnet On ASA 5520

Jul 12, 2011

On an ASA5520 v7.2 I can only seem to authenticate to the console when using telnet and not ssh. I can connect using both methods, but just have trouble authenticating with ssh. Here are relevent lines related to the issue:
 
username user1 password ***** encrypted privilege 15username user2 password ***** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet <my subnet> 255.255.255.0 Inside
ssh <my subnet> 255.255.255.0 Inside

View 2 Replies View Related

Cisco Firewall :: How To Configure Identity In ASA 5520

Nov 4, 2011

i have an ASA 5520 with ios 8.4 and asdm 6.4.
 
my configureation is below 
my asa interfaces 
inside ip
172.16.0.0/22

[Code]..... 
 
so now i want to configure my asa to give access to user based. what configurations should i use to do so.
 
i have attached the Edit Active Directory Server  dialuge box so what should i put there in the box's

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5520 How To Setup Another Access Policy 5.3

Jan 30, 2012

I am new to v5.3, and I am not good at VPN.I just have my consultant to configure this correctly just today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication. And by default will deny any other access which is not found in the rule.Now... I just got an order that I need to setup a new user who will need to access to our network by using Cisco IPSec VPN (the software one). But that user is not setup in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resourse...such as airconditioning controller by IP. So I am thinking to setup his account by using "internal identtity". If I do this way, what do I need to do to setup another access policy? May you give me some steps with little more details? OR... if it is not the way I should do...what else can I do to achieve this goal? Also, he said he could provide his static IP trying to access from. I have a ASA 5520.

View 4 Replies View Related

Cisco VPN :: Moving Identity Certificate From One ASA 5510 To 5520

Apr 18, 2012

I'm trying to export identity certificates from an ASA 5510 to 5520, I'm exporting in pkcs12 format and specifying a passphrase. When attempting to import to the 5520, I get "error import pkcs12 operation failed" from cli or asdm.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 - VPN Access Control Using LDAP

Mar 13, 2011

I am configuring an ASA 5520 for VPN access.  Authorization & Authentication use an LDAP server.  I have the tunneling configured successfully, and I can access internal resources.  What I want to do now is to restrict access to a specific AD Group membership.  In the absence of that group membership, a user should not be allowed access to the VPN.
 
My test VPN client software is Cisco Systems VPN Client Version 5.0.05.0290.  The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
 
The Software Version on the ASA is 8.3(1).
 
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. 
 
[URL]
 
The configuration (AAA LDAP, group policy, and tunnel group) is below.
 
aaa-server LDAP protocol ldapaaa-server LDAP (inside) host x.x.y.12      server-port 636      ldap-base-dn dc=domain,dc=com      ldap-scope subtree      ldap-naming-attribute sAMAccountName      ldap-login-password ********      ldap-login-dn

[Code].....

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 / Username Does Not Show In CLI And ACS Logs

Aug 3, 2011

Why my asa5520 brings out:

sh curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
 
while i am logging in with my username which is XXXX. And in my ACS accounting logs I cannot see which user did what.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP

Sep 1, 2011

I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
 
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 Failover Exec Authorization Failed

Mar 14, 2013

I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...
 
failover exec standby dir disk0:/
 
Fallback authorization. Username 'adminuser' not in LOCAL database Command authorization failed
 
I don't even see the authentication attempt going into ACS.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.2 Change Of Authorization With Avaya Switches (5520)?

Jan 27, 2013

I am configuring ise to do the posture assessment. I am having avaya as my LAN and Core switches. The idea is once the user is authenticated using 802.1x then it will be moved to qurantine vlan and after it is compliant with the company's policy then it will be moved to the actual vlan. I have configured the avaya switch to accept the radius assigned vlan and also configured the 802.1x dynamic-authorization. Currently, radius assigned qurantine vlan is working but once the nac agent scan and mark the PC status as Compliant then the CoA is not happening and User is not moved to the actual vlan.
 
I tested the same ise authorization policy of dynamically assigning VLANs on cisco switches and it worked perfectly, but the same is not happening on avaya switch.

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved