Cisco AAA/Identity/Nac :: How To Limit Config Actions With ACS 5.3

Mar 6, 2013

Seems to me that regardless of the command set, once you allow a user into Config mode all bets are off. I want to allow certain users only certain actions (like assigning ports to a different VLAN), but once in Config mode none of them matter, and the user has free rein.
 
1. Is it even possible to restrict which commands a user has under Config mode?

2. If so, is there a specific way within ACS 5.3 or on the router/switch itself that this needs to be defined?


Cisco :: LMS 3.2 / Ciscoworks RME Syslog Automation Actions

Nov 20, 2011

I set up RME several years ago on our Ciscoworks server running LMS 3.2 to notify us of any BGP flaps via email notification. I noticed the last couple of maintenance periods where we had to perform circuit work with our ISPs. We haven't received any emails... I verified those routers are configured to send notifications in the Device Selector and even checked the router logs.
 
004161: Nov 20 05:04:52 EST: %BGP-5-ADJCHANGE: neighbor X.X.X.X Down BGP Notification sent
004162: Nov 20 05:04:52 EST: %BGP-3-NOTIFICATION: sent to neighbor X.X.X.X 4/0 (hold time expired) 0 bytes
 
The syslog collector status appears to be normal.....


Cisco AAA/Identity/Nac :: Sample Config For TACACS+ On ASA 8.22

Mar 22, 2011

I am looking for a sample configuration for doing TACACS+ on ACS 5.2 with an ASA 8.2.2.


Cisco AAA/Identity/Nac :: Limit AD Authentication With ACS 5.3

Feb 23, 2012

I need to limit authentication with ACS 5.3 to some AD groups. For example, I need that only users of somedomain.com/users/test1 are authenticated via ACS --> ADS.


Cisco AAA/Identity/Nac :: Login Limit Through ACS 5.0?

Jun 1, 2013

A few days ago I deployed Cisco ACS 5.0 with Active Directory integration in my wireless infrastructure. My wireless users log in through the web authentication process. The authentication process is passed by AD and it's working fine. But I want to set up my ACS 5.0 so that a user cannot log in on multiple devices at the same time.


Cisco AAA/Identity/Nac :: Setup Tacacs Config Onto New NEXUS 5000

May 26, 2011

I'm trying to set up a TACACS config on my new Nexus 5000 series. Nevertheless, the authentication doesn't work. Actually, I followed the config guide but something is not working or missing. I have set up everything through VMware with ACS installed on a Windows server.


Cisco AAA/Identity/Nac :: ACS 5.4 - Active Sessions Over The Limit

Jan 1, 2013

I've looked at the forum posts and the document post, and I understand the explanations. My question is, under system administration>max user session global settings, would setting a timeout (say 1 hour) purge these sessions?
 
Under access policies, I am not enforcing max concurrent sessions per user, due to some of our devices using a generic log in. But if I understand the explanation, and my understanding might be wrong, then setting an expiry timeout should purge the accounting sessions, right?


Cisco AAA/Identity/Nac :: ACS 5.3 Limit AAA Authentication For Certain Users By Source IP

Jul 1, 2012

We have TACACS+ based AAA on our network equipment, authenticating against the internal user database on a network of ACS 5.3s. What I want is to limit certain AAA users (namely automated tools) to be only permitted to authenticate from a list of known IPs. I can do this for authorization, easily, that isn't a problem. The problem is to only accept authentication attempts coming from certain IPs and ignore the rest. My problem is, as it is currently, the automated tools are prone to a sort of a DoS attack - if I attempt logging in to any device using the tool's user account and a wrong password, I can get the account disabled in five tries.
 
I want to ignore all authentication attempts, unless they are coming from well-known source IPs. Ex: netmon user is the user for a tool running on server 10.20.30.40. If I try to log in from my own laptop with user netmon, it should fail, and the attempt ignored. Currently after five (or whatever is configured) failed attempts, the user will be disabled. Only attempts from 10.20.30.40 should be considered for user netmon. I can't use ACLs on the devices, as I want other users to be able to log in from other IPs.


Cisco AAA/Identity/Nac :: ACS 5.1 Active Sessions Are Over Limit Warning?

Jan 14, 2011

We are using ACS 5.1 and from time to time we are getting a warning saying that the active sessions are over the limit (250000). It is just a warning, so my assumption is that it's not a big deal, but how do we keep from getting the event, or prevent the event?


Cisco AAA/Identity/Nac :: ACS 5.3 - Active Sessions Are Over Limit Email Alert

Aug 19, 2012

I have recently enabled the SMTP alert function in ACS 5.3. It seems to work well for most of the alerts. One thing though, the active sessions are over limit warning that comes up every so often. I know it is not impacting operations and it is ACS's way of clearing out sessions that had no accounting stop, but how do I disable this alert from being sent by e-mail from ACS 5.3?


Cisco AAA/Identity/Nac :: ACS Memory Utilization Limit With CSACS 1121

Aug 21, 2012

We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10. The primary server manages 20000+ authentications per day. Its memory utilization increases every day. It is now at 83%. Is there a limit? What will happen when memory utilization reaches this limit? What can we do to purge memory utilization (reboot, service restart)?


Cisco Switching/Routing :: ASA 5505 Upload Config File Into Start-up Config

Apr 17, 2012

If I connect the laptop to a brand new out-of-the-box ASA 5505 through a console cable and I have a config file on this laptop from another ASA 5505, is there any way I can upload that config file into the startup-config of this new ASA 5505 through the console cable, without using TFTP or FTP?


Cisco WAN :: 2811 - Startup Config Is Not Copying To Running Config

Nov 15, 2009

I have a Cisco 2811 router and when I turn off the router the running config is lost. I have to do the following to get the router running off the start-up config settings.

router#copy startup-config running-config


Limit The Bandwidth Limit To The Guests?

Oct 28, 2012

I am planning to buy a router for my hotel and I would like to know, is it possible to limit the bandwidth limit to the guests? And the admin computer can utilize the maximum speed? Is it possible to create a login page paper when someone enters my wifi connection?


Cisco :: DMVPN With OSPF Area Router Limit And Per-area Limit?

Oct 31, 2012

Need to know the OSPF best design. I have a customer currently running their OSPF in only two areas. Area 0 is where the provider resides, and in area 1 reside 700 hundred over of routers, including the HQ router and remote branch routers connecting to metro-E 10Mbps networks. Does this design have any weakness? About 800 hundred routers reside in area 1; the HQ model is a Cisco 7200 router and the remote end is a Cisco 1841 router. Let's say they want a solution for 3G remote routers to connect back to the HQ using a leased line with a fixed IP, using DMVPN and OSPF communicating back to HQ. What should we be aware of when designing and implementing for OSPF best practice? They have 700 hundred over remote branches that need to terminate back to their HQ. I read that Cisco recommends an area should not be more than 50 routers and per-area no more than 28 areas.


Cisco VPN :: ASA 5510 - Twice NAT Config

Sep 11, 2011

I'm running into an interesting issue concerning a twice NAT config.
 
We have a remote site that needs to connect to a server cluster on our end. Using ASDM I have created a NAT rule that uses PAT to map our server addresses to a single IP (this is due to constraints placed on us by the remote site). This in and of itself shouldn't be a problem. The issue is that the VPN tunnel won't come up unless I also map an address to the remote site's server.
 
Example:
Appliance: ASA 5510
ASA Version: 8.4(2)
ASDM Version: 6.4(5)
 
Original Packet:
Source Interface: inside
Destination Interface: outside
Source Address: Server_Cluster
Destination Address: Remote_Server
Service: any
 
Translated Packet:
Source NAT Type: Dynamic PAT (Hide)
Source Address: Mapped_Server_Cluster_Address
Destination Address: Mapped_Remote_Server_Address
Service: -- Original --
 
Within the Translated Packet section, if I set Destination Address to the actual remote server address nothing happens when I attempt to bring up the tunnel.  However, if I map an address to the remote server, the tunnel begins to come up and then fails during phase two (as the mapped address doesn't match the addressing that has been defined in the remote end's connection profile).
 
Initially I thought the issue may be due to an IP addressing overlap since both sites are running similar numbers, but the default route statement on our ASA should contend with this issue. Also, each time I change the NAT rule, I change the connection profile to match those changes.
 
So, ultimately, what I wish to accomplish is to allow connectivity between my site and the remote site without having to map another address to their remote server.  How may I do this?


Cisco VPN :: 800 VPN Config To New ASA5505

Jul 8, 2012

I have 2 office buildings using Cisco 800 series routers with a L2L VPN between both. I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA. Specifically, I can't figure out how to set the pre-shared key. On the Cisco 800 it's: That doesn't seem to work on the ASA. Here is my current config on the Cisco 800. [code]


Cisco Firewall :: NAT Config Changes From 6.2 To 8.4?

Sep 14, 2011

I am converting one PIX config (in 6.2 format) to 8.4 format manually. I am stuck at the following statements.
 
---------------------------
global (outside) 1 192.168.21.100-192.168.21.150 netmask 255.255.255.0
global (outside) 1 192.168.21.44 netmask 255.255.255.255
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 101 permit ip host 10.130.101.2 10.132.102.0 255.255.255.0
-----------------------------
 
My understanding from the old config file was that any traffic coming from source 10.130.101.2 to destination 10.132.102.0 would NOT be translated and this shall remain the same in 8.4. How can I rewrite the NAT commands?


Cisco :: How To Turn Off Logging Esm Config

Feb 7, 2013

How do I turn off "logging esm config"? I tried conf t, no logging esm config, and that worked for the moment, but when the switch reboots, or I run reload, it comes back. What does that do anyway? This switch was giving an out of memory error and seemed to be flooded with messages, so I am trying to turn logging off/lower the log level.


Cisco :: VOIP QoS Config Not Matching?

Aug 15, 2011

My config and all the shows I've run so far trying to figure this out, but the policy map isn't matching the traffic for some reason


Cisco WAN :: How To Set Config-register On 2960

Feb 6, 2007

I have tried the config-register command and it is not available. Here is part of the show ver command. I want to change the config-reg from 0xF to 0x2102. I have run into this before but don't remember how to correct it... I think I have to use the boot command but not sure. Here is the output of show ver:

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
 
ROM: Bootstrap program is C2960 boot loader

BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
  
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.bin"

cisco WS-C2960-24TT-L (PowerPC405) processor (revision A0) with 61440K/4088K bytes of memory.
last reset from power-on

4 Virtual Ethernet interfaces
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces

The password-recovery mechanism is enabled.

64K bytes of flash-simulated non-volatile configuration memory.
 
Model number                    : WS-C2960-24TT-L
 Switch   Ports  Model              SW Version              SW Image           
------   -----  -----              ----------              ----------         
*    1   26     WS-C2960-24TT-L    12.2(25)FX              C2960-LANBASE-M    
  
Configuration register is 0xF


Cisco WAN :: ASA 5510 Config For Failover

Aug 2, 2011

We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/MPLS circuit. Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. The ASA is supposed to be the last resort route. We have a failover VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration.) Everything had been working fine for the last 4 years.
 
Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLS circuit to headquarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.


Cisco :: Deploying Config Templates With LMS 4?

Jul 31, 2011

I tried to deploy configuration templates with Cisco LMS Template Center; due to the 10 Cool LMS Tricks to better manage your network I am able to do it now. I just don't know why, after deploying these templates, the configuration is not saved to the startup-config. Another problem I have is with the snmp-server location configuration. It seems my template does not support spaces in the textbox. Any way to put spaces in the snmp location?
 
<parameter name="snmp-location">
<description>SNMP Server Location</description>


Cisco :: LMS 4.2.1 Net-config Job CLI Output Empty

Jul 18, 2012

I have run a netconfig job in LMS 4.2.1 with these settings: [code] After running the job the "Device Details" of the job say "Successful Devices" for all three switches: "Deploy successful (Primary Login Succeeded   / Primary Enable Succeeded  )". For the devices switch-1 and switch-2 I get the desired output: [code]. Why is there no output although the job is successful?


Cisco WAN :: Failover Routers Config 857

Feb 20, 2011

I’m currently training to take my CCNA. So, for the reason I’m here: I have just been asked to take over the company network, and I need to know how I go about configuring some base level routers. I have 3 remote sites and 1 main site; all these routers are 857’s, with a VPN tunnel between them. This is running all OK and working fine, but my boss has decided to have a second ADSL line installed in the main site for failover. How do I go about configuring this, i.e. how do the VPNs terminate on the other router when the main one goes down?


Cisco :: PI 1.3 Config Multiple Interfaces?

Apr 1, 2013

If I have a PI 1.2 system that has multiple interfaces configured I can upgrade to PI 1.3 and both interfaces remain and I can see both under the admin webpage under appliance interfaces.  But if I do a fresh install of PI 1.3 I can only configure one interface.  The commands fail from the cli to configure anything but gigabitethernet 0.  Are multiple interfaces not supported in PI?


Cisco WAN :: Tweaking Config On 2911 ISR G2 With ZBF

Apr 14, 2012

I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input. Our main issue right now is that the router is having performance issues once we hit certain throughput thresholds.
 
Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP (I know, it's a bit redundant) traffic and do inspection on it, then pass all other traffic. From a company policy, we are not filtering ANY traffic of any kind going outbound. (I know this isn't best practice but that's another battle for another day.)
 
Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure but it's what we have), then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.
 
Could I, should I, why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection? If I was to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease on the 2911?
 
What are the security ramifications related to simply passing traffic instead of doing the inspection?


Cisco WAN :: 881 Router Config And Nat With Public IP

Jun 17, 2012

I have a task for a config I have not done before. I'm replacing an older 831 and PIX with a Cisco 881 router with the Firewall feature set. The router receives its public IP address dynamically and there is a static public IP range also assigned, with a couple of NAT statements on the PIX for a few public IPs. I'm OK with the core router config but the range is where I'm a little stuck. Current setup is as follows:
 
Internet ---------- Router( Public intf Dynamic IP----internal intf Range IP)Router-------------PIX (outside intf Range IP---------Inside intf private net)Pix-------
 
As per the above, the PIX had a public IP address from the range on the outside interface with a default route to the Router inside interface, which uses a public range address.
 
With my proposed config I've setup the outside interface as dynamic and just created my nat statements for the Range IP's.  I believe I'm correct that I do not need to actually have a Range IP address configured on the router?


Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test this 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only, user only authentication).


Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Condition
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to an identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group. This occurs when I log on as a groupname1 user, groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.


Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
 
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?


Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How to restrict the internal identity store per group? Do I need to create new roles? And how? I was not able to get an answer from the ACS ADMIN manual.


Cisco AAA/Identity/Nac :: ASA5550 / ACS 5.3 - 22056 Subject Not Found In Applicable Identity?

Dec 5, 2012

I have a new ACS 5.3 configured and an ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
 
I checked out the documentation and have already configured the Identity store sequences to redirect everything to the LDAP server. I also did the Bind test and it says that it is OK, but I still have the same problem.
 
I validated the Access Policies Menu, and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.







