I am getting ready to install a new ACS 5.1 server to replace my current 4.1 acs box. I wanted to start off with a fresh install rather than upgrading all of my 4.1 data.
Can I have devices (ASA for VPN authentication, routers & switches for user authentication) use both for authentication while I get all the users configured in the new box?
I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users. But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity. how to do that, if the user is not found on first policy, continue to the next policy.
View 7 Replies View RelatedI need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command
2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"
3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.
I configured the 2504 with 2 SSIDs for staffs and guests.I also configured the Lobby admin with web auth. But if a guest wants to connect our wireless he/she has to enter the PSK key and then only they are able to connect with the user id and password given by Lobby admin. Can we avoid this key and let the guests connect straightaway with the web auth?I’m planning to configure 802.1x & Radius dual authentication for staffs SSID..
View 5 Replies View RelatedIn order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use? The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store. Is this even possible with TACACS?
View 1 Replies View RelatedMy customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the device's mac addresses and move the WLAN-clients to a specific VLAN.I added all devices with their mac addresses to the ACS internal identity store for hosts.According to the following message the client sends the user-login credentials (chegger) within the RADIUS-request instead of the clients mac address and of course it has to fail. After many configuration changes, I ended up always with the same result.
View 2 Replies View RelatedI have question on EAP-TLS with ACS 5.2. If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place? Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
I have a new ACS 5.3 installation which I have joined to our AD Domain and added the directory groups into. I have also added all our devices into ACS and their groups etc but I am still only able to authenticate on the our switches with an internal ACS account, when I try with an external AD account the log shows the following error "Subject not found in the applicable identity Store (s)"
View 1 Replies View RelatedIs it possible to have Dual NIC on ACS v5.2 such as teaming or any else??
I am thinking of connecting the two NIC on the CSACS-1121-K9 appliance to two switches on the same network, but wondering if it will be possible or not.
We got recently a Cisco Secure ACS 1120 and i upgraded the Appliance to 5.1 from 5.0 with all your support
Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1 . I Successfully Downloaded config file from RSA ACE Server and exported into ACS 1120.
I also Added ACS as a NetOS Agent in the RSA Server , during the process i found few warnings . The ACE Server is not able to Resolve the IP Address to NAme ( DOes it Necessary ?? ).
I havent created any secret Key file for communication between ACS and RSA and encryption i used is DES.
Now when I log into ACS and search for Devices in the Identity Store Sequences i am not able to Look for RSA Token Sever .
I have been trying to get our IPS (ASA-SSM-10 and 4260) to authenticate with Cisco Radius ACS 5.2 and they are not working. However, I was able to get them working with Microsoft Radius. Below is the logs from the IPS:
evStatus: eventId=1321566464942057375 vendor=Cisco originator: hostId: NACAIRVIDLAB1 appName: authentication appInstanceId: 350 time: 2011/11/23 17:50:38 2011/11/23 09:50:38 GMT-08:00 controlTransaction:
[Code].....
If laptop/desktop goes on sleep mode or keep connected with interface configured for 802.1X for more than 12 hours it does not work or not connect to Exchange server, Cisco ISE console, office communicator..for re authentication i need to restart PC/ Laptop or unplug and replug lan cable from it!but before restarting i am able to ping all DNS, DHCP, OCS, everything..[code]
View 6 Replies View RelatedI would like to konw does Cisco ACS 4.x / 5.x natively support Two factor authenication, but not act as a Radius Proxy?
View 1 Replies View RelatedI need to limit to some AD groups, authentication with ACS 5.3.For example, i need that only users os somedomain.com/users/test1 are authenticatet via ACS --> ADS.
View 1 Replies View RelatedI have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies View RelatedWe would like to enable ACS authentication to login to different routers (Cisco 881s) we got that are interconnecting with our WAN via VPN tunnels. We would like to avoid using public IP for the router to communicate and relay user/password info with the ACS server and rely on the server's private IP instead. The problem is that all the router's outside interfaces connect to the Internet using public IPs and when the router wants to communicate with the ACS server it will use its public-facing interface IP and that'll fail. We can ping the server obviously when we set the source to the internal LAN IP.
The question is is there a way to have the router communicate with ACS across the VPN tunnel using its private IP?
config being used and tested succesfully on local devices:
aaa new-model
tacacs-server host 10.x.x.x single-connection key xxxxxx
aaa authentication login tacacs-local group tacacs local
[Code].....
I have a dot1x client with client certificate working well with my ACS 5.2 and EAP-TLS. Now I would like to configure the Re-Auth periode on the ACS 5.2, I did the following:
1. Configure a Access Profile with Reauthentication Timer = static and 30 seconds (see attachment ACS1.png and ACS2.png)
2. Enabled authentication periodic and authentication timer reauthenticate server on switchport
interface GigabitEthernet1/0/x
description to dot1x clients
switchport access vlan 5
switchport mode access
authentication event fail action authorize vlan 998
[code]....
i am evaluating ACS 5.3 with an ASA5505, by using password management in the IPSec tunnel config i am able to authenticate the VPN clients using mschapv2, however, the SSH sessions are authenticated using PAP
I have looked for days and days for an answer without success, is this by design?
Cisco documents state that SSH can be authenticated via TACACS with PAP,CHAP or MSCHAPv1, however, It seems to be default to PAP
From Cisco Doc: TACACS+ Server Support # The security appliance supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1
I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
This is the confg in the port of the switch:
interface FastEthernet0/12 switchport mode access switchport access vlan 2 switchport voice vlan 10 authentication port-control auto authentication host-mode multi-domain authentication violation protect authentication event fail action authorize vlan 11 authentication event fail retry 2 action authorize vlan 11 authentication event no-response action authorize vlan 11 authentication periodic authentication timer reauthenticate 60 mab dot1x pae authenticator dot1x timeout tx-period 10 dot1x max-reauth-req 3 spanning-tree portfast end
Vlan 2: DATA
Vlan 10: VOICE
Vlan 11: GUEST
I configured ACS 5.3 and added AAA clients with TACACS+ server and shared secret key as cisco123. i did the below config on switch also. when i try to authenticate login with ACS it does not respond. Find the configuration and debug output.nd
In debug output it gives ruser and rem_addr is null. i did not understand why .
I am able to ping to ACS server and i used telnet 192.x.x.10 49 and it gives the proper output.
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 192.168.60.10 key cisco123
tacacs-server directed-request
ip tacacs source-interface Vlan172
I notice 8.4(4) now has public key authentication (just like IOS - yay!) and found a couple of issues: The CLI config guide [URL] states incorrect syntax for adding the public key to the ASAThere is an undocumented ASA limit on the public key size supported
View 4 Replies View RelatedI have several devices on the same subnet and with similar configuration. All of them were entered manually on the ACS server and are configured to authenticate using TACACS+. Some of the devices can authenticate ok, but other will timeout. I did a tcpdump on the firewall port and can see the device sending the SYN to the ACS server but the server sends no reply to the device.
View 3 Replies View RelatedI am using Cisco ACS 5.1. I would like to authenticate my ip phones with mab (Avaya phones) and the commputers with dot1x.Everything works fine except that the phones which are successfully authenticated with mab tries to authenticate again and again and again ... and this fills up the ACS logs. Every authentication is successfull and the phone does not hang up. But this fills up my logs and makes them unusefull.
switch version: cat4500-ipbasek9-mz.122-53.SG3.bin
port config:
interface FastEthernet2/25 switchport access vlan 107 switchport mode access switchport voice vlan 502 switchport port-security maximum 3 switchport port-security switchport port-security aging time 1 switchport port-security aging type inactivity no logging event link-status load-interval 60 speed 100 duplex full qos vlan-based authentication event fail action authorize vlan 109 authentication event server dead action authorize vlan 101 authentication event server alive action reinitialize authentication host-mode multi-domain authentication open authentication order dot1x mab authentication priority dot1x mab authentication port-control auto authentication violation restrict mab no snmp trap link-status dot1x pae authenticator dot1x timeout quiet-period 30 dot1x timeout server-timeout 25 dot1x timeout tx-period 15 dot1x timeout supp-timeout 25 dot1x max-req 3 tx-queue 3 priority high no cdp enable spanning-tree portfast ip dhcp snooping limit rate 10end
I am in the process of migrating from ACS 4.1.1.23 to ACS 5.4.I have migrated our users and Network Device Groups and configured external Identity stores like AD and RSA.I want to authenticate our Wireless users with AD and VPN users through RSA.I am unable to create policies to get this UP and working.
View 9 Replies View RelatedCurrently I am running Cisco ACS 3.2 ,now wanted to upgrade with the latest version along with the Authentication using AD , process/Document to upgrade the same .
View 1 Replies View RelatedI have configured the cisco 2960 switch with AAA & the radius server is free radius. I am able to login into the switch when radius server is working.But when radius server is not reachable, in that particular condition the switch doesn't move to local authentication configured on the switch.
aaa new-modelaaa group server radius radiuss server 10.1.0.215 auth-port 1812 acct-port 1813!aaa authentication login default group radiuss enableaaa authentication login CONSOLE localaaa authentication enable default group radiusaaa authorization exec default group radius if-authenticated
radius-server host 10.1.0.215 auth-port 1812 acct-port 1813 key 7 071F285C422948514117171
radius-server retransmit 2
line con 0 exec-timeout 5 0 privilege level 15 password 7 14341B1B7D6F0417626173455E47060F login authentication CONSOLEline vty 0 4 access-class 91 in exec-timeout 5 0 password 7 106D004F2C3B7B7F757E6A64812812d transport input sshline vty 5 15 access-class 91 in exec-timeout 5 0 password 7 106D000A061845jsajtqwkd327E6A64 transport input ssh
I configured WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication and computers certificates are autoenrolled from Microsoft PKI.It works well!
Now I configured Windows 8 with same configuration.First authentication works but if I manually disconnect and reconnect, I got this error on ACS: 22047 Principal username attribute is missing in client certificate.In EAP packets, we could see that Windows 8 sent a TLS session ticket but session was not resumed correctly by ACS..On ACS configuration, we checked this option "Enable EAP-TLS Session Resume" with session timeout "7200".
I want to integrate my ACS 5.1 with AD, My request is to check for the machine authentication first. If the machine authentication passes the client username/password should be validated and client should be put in vlan X . If the machine authentication fails, the client username/password should be validated. If the authentication passes the client should be put in vlan Y.
View 3 Replies View RelatedI am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003. I have changed the read access on the Active Directory to allow Annonymous to read it. I think I am missing something on the ASA config. I have the Server Group specified with the address of the correct server but nothing else really configured.
View 1 Replies View RelatedI tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....
Firstly the ACS 4.2.1 for Windows database replication does any one have and documentation on the processes required?Secondly I have a single system installed which is providing TACACS authentication for management access to a Cisco 5508 WLC, the controller prompts with a login box on connection to the web interface. When you put in the username and password pair the box comes back as if the authentication has failed. On the ACS I was unable to see any failed authentications so enabled passed authentication reporting and can see the user passing the process. The WLC is running software version 6.0.199.4. On the ACS I have added the extra two options within the TACACS interface configuration and have a ‘role1=all’ against both the user and the group the user is part of so I am confused as to why the user is still denied access.
View 3 Replies View RelatedI want to set it up so that when you log into any of the ACS 5.2 servers you have to use your AD credentials to log in and define what access you have. Is this possible? If so, how can this be set up?
View 1 Replies View RelatedI'm sure it can be done just haven't been able to find it. I'm running ACS 4.2 and have 2 network groups, one is wireless where I have a WLC and the other is the default where vpn users authenticate with their tokens. Is there a way to have the Wireless network group authenticate using AD and the other group use RSA? I can't find the switch or switches I need.
View 1 Replies View Related
