Cisco AAA/Identity/Nac :: Device Access Based Upon NDG Using ACS 5.2?

Mar 15, 2012

I have 2 types of network, DC & Office. I have 3 types of users: NOC, Office & DC. Office network devices are in the Office NDG, DC network devices are in the DC NDG. Because of such config, Office network users can only access Office devices & DC network users can only access DC network devices.... Now I have NOC users, who want access to both Office & DC network devices. How can I achieve this?

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm using AD, then local, authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.

Cisco AAA/Identity/Nac :: ACS 5.3 - Certificate Based Network Access Using AD

Mar 23, 2012

How to implement certificate based 802.1x authentication network access using ACS5.3 & external identity store as AD.

Cisco AAA/Identity/Nac :: ACS (4.2) Read Only Device Access?

Sep 30, 2010

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers. Here is what we did:

1) Created a user in ACS

2) Created a Shell Command Authorization Set - ReadOnly
Unmatched Commands - Deny
Commands Added:
show
exit

* This should limit the user to the show and exit commands only (correct)?

3) Created a group - HelpDesk with the following TACACS+ Settings

Shell (exec) is checked
Privilege level is checked with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - shell command authorization set selected

When the user logs on to the router/switch it appears that he has full access. He can enter the enable command, config terminal command, etc. All we want him to be able to do is to issue the show command.

Cisco AAA/Identity/Nac :: ACS 5.2 Device And Network Access

Oct 15, 2012

I have a question regarding the Cisco Secure ACS 5.2 and network access vs device admin access. We have our switches, routers, and firewall configured to use TACACS+. We also have configured our Wireless LAN Controller to use RADIUS to allow 802.1X authentication to the wireless network. We are using Active Directory for the backend user database and have assigned the users to different groups in AD. We have a Network Admins group to access the network devices and a Wireless Users group to access the WLAN. The problem that we have is that everyone in the Wireless Users group can access the devices and run full commands on them. We want to limit the Wireless Users group from being able to do this. Is there a policy or config change that we will need to make for this?

Cisco AAA/Identity/Nac :: ACS 5.1 - How To Configure Rules To Allow 802.1x And Device Access

Aug 21, 2011

I am new to ACS 5.1. I need to configure the ACS to act as the 802.1x authentication server, as well as act as the RADIUS server for the authentication and authorization process when I access the switch.

I had created two rules (under the Access policy) to cater for the two scenarios, but it always gets "stuck" at the 1st rule. For e.g. Rule-1 is meant for the 802.1x, Rule-2 is meant for the AAA process. When I tested with 802.1x, it worked perfectly. But when I tested logging in to the switch, it always failed. Based on the log, Rule-1 is not able to fulfill my requirement (of course it can't). I thought the rule check process would proceed to Rule-2, but apparently it did not.

Cisco AAA/Identity/Nac :: ISE 1.1 Differentiate Guest Access Depending On Device

Sep 21, 2012

I'm running an ISE 1.1.1 and I need to authenticate guest users. The goal is to apply a different Authorization profile to the same guest user based on the device he uses to connect to the guest WLAN.

I.E.:
if guest user "user1" connects to the guest WLAN using a Windows laptop, then apply the "Guest" authorization profile
if guest user "user1" connects to the guest WLAN using an Apple iPad, then apply the "Mobile" authorization profile

I've tried to deploy the following 2 authorization policies:
1) if "Apple-Device" and "IdentityGroup:Name EQUALS Guest" then "Mobile"
2) if "Guest" then "Guest"

but the first rule never matches, and even if I use an iPad to access the guest network the "Guest" authorization profile is matched.

I've verified that the iPad is correctly recognized as an Apple-Device by changing, for test purposes, the rule table to:
1) if "Apple-Device" then "Mobile"
2) if "Guest" then "Guest"

Cisco :: 3502 / Restrict WLAN Clients Based On Device?

Oct 8, 2012

I have 2 SSIDs being broadcast out in my campus, one for computers, Macs etc. and the other for just cell phones. Is there a way we can restrict the cellphones from connecting to the SSID used by computers? I do not have an identity management system like ISE. My controllers are WiSM2 and I use 3502 APs.

Following is the detail from one of my controllers:
 
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.2.110.0
Bootloader Version............................... 1.0.16
Field Recovery Image Version..................... 7.0.43.32
Firmware Version................................. FPGA 1.6, Env 0.0, USB console 2.2
Build Type....................................... DATA + WPS

Cisco :: 2504 LDAP Setting Up To Accept Authentication Based On Device

Aug 19, 2012

How can I setup the WLC to accept authentication based on the device itself and not a user?

Cisco AAA/Identity/Nac :: ACS 5.3 Group Mapping Based On (G-CRP-SEC-ENG)

Apr 30, 2012

I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and map appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on Identity Group. It seems that the ACS server will not match the AD Group for the user, and it will match the Default of the Group Mapping portion of the policy every time.

I tried several configuration choices: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>. Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an Identity Group?

Cisco AAA/Identity/Nac :: ACS 5.2 AAA Role Based In Nexus 5.1

Feb 7, 2011

I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that the NX-OS doesn't seem to be operating as expected.

Cisco AAA/Identity/Nac :: ACS 4.2 Certificate Based Authentication And Windows 7

Jan 9, 2012

We use a combination of Cisco ACS and Cisco Catalyst 3560 switches for network authentication and authorization. Clients (Windows XP) have a certificate installed which will grant access to the network and put them in the correct VLAN. So far, so good. Some users are testing with Windows 7 in the same set-up as above and run into strange behaviour. The problem is that after a random timer the machine gets de-authenticated and nothing besides a reboot works to get the computer authenticated again (from a Windows point of view). It looks like this only happens to users who are using a certificate to authenticate; Windows 7 MAC bypass users have no such problems. If it occurs, the following logging appears in ACS: [code] We are using ACS 4.2(0) Build 124 and 3560-48PS switches with IOS 12.2(55).

Cisco AAA/Identity/Nac :: ACS 5.3 Authorization Of User Based On MAC Address

Aug 23, 2012

A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and are unable to do certificate-based authentication.

As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as the authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password, I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database, as well as the fact that it is cumbersome to maintain the MAC list on all the controllers, I thought I could do it over our ACS system.

I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, to decide if access is granted or not.
 
For this I created the following policy:
 
Service Selection Policy -- (Rule based result selection)

-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access

-- Default | Result: DenyAccess
 
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
 
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
 
Is it not possible to use one identity store as "attribute database" for the other identity store?

Cisco AAA/Identity/Nac :: ACS 5.2 Assign VLAN Based On AD Group?

Apr 18, 2011

I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
 
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
 
and selected the group name from the AD. If I understand correctly, I should now see this group under:
 
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
 
However, it does not. Am I missing something?

Cisco AAA/Identity/Nac :: ACS 4.2 - IP Pool Allocation Based On NAS Port IP Address

Jul 7, 2010

Using ACS 4.2, I can't find a way to bind an incoming NAS port to a specific IP Pool:

When a user connects, the auth request comes from 2 possible NAS ports randomly (this cannot change). Which NAS makes the request determines the IP range required, so I need 2 IP Pools. There is no way to say 'if the request comes from NAS1 give an IP from Pool1 and if the request comes from NAS2 give an IP from Pool2'.

I have gone around and around with NAFs and NARs, but cannot do this. I can create 2 ACS groups with the specific NAS and specific IP pool within, but then I cannot have a single username bound to both groups.
 
I moved the auth to an AD group in the hope that I could bind that single AD group to the 2 ACS groups; and so have a single username, but no joy.

AAA/Identity/Nac :: 3750 Using AV-Pairs To Add A Description To Port Based

May 9, 2013

I recently saw a Cisco demo of ISE with a customer and the Cisco SE was setting the port description to the logged-in username (dot1x). I can't find any docs on doing this. I did find some old ACS docs that mention using an AV pair and sending aaa:suplicant-name in the result, but that isn't working. I'm trying this on a 3750 and using ISE.

Cisco AAA/Identity/Nac :: WLC 7.4 / ISE Authentication Via Active Directory Based On SSID And AD Group?

Apr 15, 2013

I am deploying ISE with WLC 7.4. I have two SSIDs running in my network: 1. Corporate & 2. Services. I have a domain set up, let's say "AD.com", with 4 groups: 1. Corporate, 2. Services, 3. Employees, 4. Contractors. Here is an example of the scenario that I want:
 
AD.com Group : Corporate's User : 1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5

[code]....
 
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND ONLY in the Corporate group for authentication. That is, only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldn't be authenticated on this SSID. The same for the Services group & SSID.

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Authentication Based On IMEI And MSISDN Attributes

Apr 19, 2011

I've been working on trying to get RADIUS authentication working for devices connecting to our corporate mobile APN. Our APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2, but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value matched with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI.
 
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?

AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Based On IMEI & MSISDN Attributes

Jan 9, 2012

I'm trying to find out the options for authenticating remote users via IMEI and MSISDN values via ACS 5.3. I'm unfamiliar with the RADIUS attribute options here and what kind of request/response we can utilise. Also, previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way to have ACS 5.3 provide a DHCP server address for the connection?

Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.

Cisco AAA/Identity/Nac :: Configure IEEE 802.1x Port-based Authentication On Switches / Preferable 2960 Series

Aug 14, 2011

I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.

Cisco AAA/Identity/Nac :: Device Restrictions In ACS 5.3?

Mar 13, 2013

In our scenario, Easy VPN users are being authenticated by ACS 5.3 successfully. We have created a separate user group for these users. The issue is, these users are also able to access our routers using their username/password. I want to restrict this particular group so that it's not able to access any device.

Cisco AAA/Identity/Nac :: ACS 5.3 Time And Telnet Device Name?

Sep 12, 2012

This is a great place for ACS discussions; I need two more inputs from the experts.

acsserver
Thu Sep 13 14:35:28 UTC 2012
pughaz
15
[ CmdAV=ip tacacs source-interface FastEthernet 0/1 ]
Device Type:All Device Types:ROUTERS, Location:All Locations:NON DC DEVICES

On the above message:

1. Need to change the time from UTC to IST.

2. The Device column is not showing the exact device name; I telnetted in and changed the config, and it is showing the device group name only. How do I get the exact device name I telnet to on this message?

Cisco AAA/Identity/Nac :: Integration ACS 5.2 With Other Device (sandvine)

Sep 18, 2012

I have an ACS version 5.2 (TACACS) where I need to integrate equipment from Sandvine. I am currently looking for information, and there is very little on managing the integration of ACS with these Sandvine devices.

I have some information from the provider Sandvine, with a guide that for this case only states:

TACACS+ server
On a TACACS+ server, each user entry must allow the service "Sandvine". Within this
service, the following attribute-value pairs can exist:
• An attribute named "Sandvine-Group" of type string.

[Code]......

Cisco Firewall :: 5520 Identity Based Firewall Doesn't Work Using Citrix Published

Jul 26, 2012

We are using the newest release of AD Agent (1.0.0.32.1, build 598). The ASA 5520 firewalls have software release 8.4(3)8 installed. When somebody tries to connect through the Identity based firewalls from a Citrix published desktop environment (PDI) the connection is not possible. Checking the ip-of-user mapping on the firewalls (show user-identity ip-of-user USERNAME) mostly doesn't show the mapping of the USERNAME and the PDI the user is logged in to. The user-of-ip mapping of the PDI's IP address mostly shows other users, which are then used to authenticate the access through the firewalls.

What is interesting is that on the AD Agent, using "adacfg.exe cache list | find /i "USERNAME"", I can't see the PDI's IP address either because it is mapped to another user. Is the Citrix Published Desktop environment supported to connect through Identity based Firewalls? How do AD Agent, Domain Controllers and Firewalls work together? On the firewalls with "show user-identity ad-agent" we see the following:

-Authentication Port: udp/1645
-Accounting Port: udp/1646
-ASA Listening Port: udp/3799

Why does Cisco use 1645 and 1646 and not 1812 and 1813? What purpose is the Listening Port used for? We tried the AD Agent modes full-download and on-demand with the same effect.

Cisco AAA/Identity/Nac :: ACS 5.1 Device Admin Privilege Assignment?

Dec 1, 2011

My admin user is still being assigned privilege level 1, as shown in the AAA Protocol > TACACS+ Authentication Details report. The report seems to show that the user is getting the right shell profile (Selected Shell Profile: Net-Admin -- the one I set up for this user's group with both Default Privilege and Maximum Privilege set to Static 15), but still not the right privilege (Privilege Level: 1). Also, I found this document via Google: [URL] The router configuration examples all show this "aaa authorization exec tacacs+|radius local" command, which my device does not have. So I am wondering if I am not reading the ACS report right, or whether the device actually was assigned the correct privilege but that does not work without the "aaa authorization exec" command in the configuration?

Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Network Device Authentication

Apr 19, 2011

I am trying to integrate Cisco ACS 5.2 in a network to do device authentication of switches for administrators.

I am not sure if Cisco ACS 5.2 supports the RADIUS protocol for device authentication. In the configuration of the Cisco ACS 5.2 I can only see TACACS authentication for device authentication; I have configured it and it works. Does Cisco ACS 5.2 support RADIUS auth for device authentication?

AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?

Jan 14, 2013

I have multiple campuses and a Central Admin... I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins (i.e. a Cisco WCS system). How do I allow a device to be put into multiple NDG groups?

Cisco VPN :: Web Based 3270 Access Through SSL VPN?

Jun 23, 2011

We are testing the use of a web-based tn3270 emulator through our ASA5510 SSL VPN appliance. We have it configured to use clientless SSL VPN. Access to the 3270 session works internally; however, when we connect through the SSL session, the session does not load. Each application that we are testing uses ActiveX components that are downloaded to each connecting client. Are there settings that need to be addressed to allow for the downloading of ActiveX components? Also, one of the 3270 applications uses Java instead of ActiveX and this app is having the same problem. Working with web-based tn3270 emulators functioning over ASA SSL VPNs?

Cisco AAA/Identity/Nac :: 1142 How CDP Device Sensor Probe Works With ISE

Jan 24, 2013

How does the CDP device sensor probe work with ISE? What I am trying to do is to identify different Cisco Wireless Access Point models (i.e. LAP 1142) with ISE. Since the APs do speak CDP (I can see the AP devices on the switch), this should be possible with the CDP device sensor on the switch, shouldn't it? I have done the following so far: configured the switch to talk to ISE via RADIUS accounting: [code] Should this config make the switch send CDP information about connected devices to the ISE (via RADIUS accounting)? How do the device sensors work?

Cisco AAA/Identity/Nac :: ACS 5.1 Radius Device Administration Error 11033

Jul 20, 2010

I'm trying to configure ACS 5.1 as a RADIUS server for a Catalyst switch but I can't make it work. I keep on getting the "11033 Selected Service type is not Network Access" error message.

TACACS works fine but RADIUS does not. Any sample device administration config to use with RADIUS? It seems the service type does not work with RADIUS in this scenario (RADIUS + device admin).

Cisco AAA/Identity/Nac :: 3315 ISE Integration With Mobile Device Management

Jul 19, 2012

We are conducting a Proof Of Concept (PoC) on Secure Bring Your Own Device (BYOD) using Cisco ISE and gonna test all the scenarios like Wired, Wireless and VPN user access.

Our setup has an ISE VM acting as Admin, Monitor and Profiling device, a NAC 3315 physical appliance as Inline Posture device, a Wireless LAN controller, an access point and Microsoft Active Directory as the identity source. We have plans to integrate Mobile Device Management (MDM) and a Citrix VDI setup also.

As of now we have tested the Wired scenario authentication and authorization for guest users and gonna carry out the profiling and posture.

- Can MDM be integrated with ISE?
- How can MDM be integrated with Cisco ISE? Is there a configuration or guide that shows this?
- What is the demarcation between MDM and ISE (i.e. what is the role of ISE and of MDM on mobile devices)?
- If MDM is available, then when the control of ISE ends, does MDM do the management or will ISE manage the devices?
- Will MDM do client provisioning, or should ISE?
- Does MDM send or update patches on mobile devices?

Cisco AAA/Identity/Nac :: ACS 5.3 Error When Changing Device Group Or Location

Jun 13, 2012

I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox):

This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.

It also gives me the same error if I try to change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMware install):

Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.228
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: ACS1
Version information of installed applications
---------------------------------------------
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.3.0.40
Internal Build ID : B.839

I suspect it's a read/write issue with the database or a database corruption. I have stopped and started the application acs via the console, and show application status acs has the following to say about itself:

ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database'                  running
Process 'management'                running
Process 'runtime'                   running
Process 'view-database'             running
Process 'view-jobmanager'           running
Process 'view-alertmanager'         running
Process 'view-collector'            running
Process 'view-logprocessor'         running

Copyrights 2005-15 www.BigResource.com, All rights reserved