Cisco AAA/Identity/Nac :: How To Setup VPN On ACS 5.2
Jun 28, 2011I am working on getting ACS to authenticate VPN users. I have a wireless/TACACS policy in place and working.setup of the Authorization profile as well as the policy?
View 6 Replies
ADVERTISEMENT
Cisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface
Aug 27, 2012I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?
Cisco AAA/Identity/Nac :: How To Setup ACS 5.4 And Juniper J-Web
May 29, 2013I have set up an ACS 5.4 box and have some test devices connected to it.Cisco and Juniper, both working fine using TACACS I can connect to both using SSH or Telnet but my problem is the J-Web Juniper GUI I can access the J-web no problem with the root account. i can not seem to get it to work, no matter what I try. Here is my shell from the ACS box And the following Juniper configuration. I have tried binding the local-user-name attribute to both the remote and remoteadmin with no luck.
version 9.6R1.13;
system {
host-name Juniper-Firewall;
authentication-order [ tacplus password ];
root-authentication {
encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
[code].....
Cisco AAA/Identity/Nac :: Setup A Command Set In ACS 5.3?
Nov 26, 2012I'm trying to set up a command set in Cisco ACS 5.3, I can't get i to work no mather who I try What I'm trying to accomplish is that some users, say Bob can run every priv. level 1 command + show run, or just to specify which commands Bob will be able to run, whatever is easiest to set up.
In my switch I have the commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+ <--- tried diffrent apporaches whith priv level..
(and specied a tacacs server)
is the "default" under "aaa authorization commands 1x default group tacacs+" the name of the command set?
In the ACS I have specied a Authorization group and binded it to the command set, should the user have priv 15 for this to work or priv 1?(I have also specied a user and an identity group and specied ip ranges under "Network Devices and AAA Clients")
Cisco AAA/Identity/Nac :: ACS 4.0.2 Radius Authentication Setup
Jan 9, 2012I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.As per the documentation " EAP Authentication with RADIUS Server", Doc ID: 44844.I have configured Network Configuration and populated AAA client IP range and Secret Key.
Question1: Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
Question 2: In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
Cisco AAA/Identity/Nac :: How To Setup Sync Between Two New ACS Server V5.3
Dec 4, 2011I setup one acs v5.3 in one server in NYC and another acs v5.3 in SJC.I want to make the acs.nyc as primary and acs.sjc as the secondary, how do i setup it up?
View 1 Replies View RelatedCisco Firewall :: ASA 5512 - Best Way To Setup Identity NAT
May 2, 2013I'm porting our configuration from a Pix 515 firewall to an ASA 5512x. What's vexing me right now is with the deprecation of the "static" command, I can't quite figure out the best way to Identity NAT my inside sub nets (multiple) to the DMZ sub net
So on the pix I have my identiy NATs as an example:
static (inside,dmz) <IntSubA> <IntSubA> netmask 255.255.255.0
static (inside,dmz) <IntSubB> <IntSubB> netmask 255.255.255.0
static (inside,dmz) <IntSubC> <IntSubC> netmask 255.255.255.0
Cisco's migration guide seems to do them one object at a time, which I guess is straightforward enough to do:
object network SubA
subnet <IntSubA> 255.255.255.0
[code]...
I'm thinking that there must be an easier way (aka less lines) to implement this for all the sub nets I want to Identity NAT to the DMZ.
1) Can I do this creating objects using a sub net with a net mask of 255.255.0.0 - one object to cover multiple internal sub nets?
2) Can I do this using object groups and trim this down to: (assuming I have to commands right)
Object-group network Inside_Subs
network-object <IntSubA> 255.255.255.0
network-object <intSubB> 255.255.255.0
network-object <intsubC> 255.255.255.0
nat (inside,dmz) source static Inside_Subs Inside_Subs no-proxy-ARP route-enabled. What would be the best way to translate my Identity NATs?
Cisco AAA/Identity/Nac :: Setup ACS 5.1 For Dot1x-Port Authentication?
Jan 24, 2010I want to setup the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:24435 Machine Groups retrieval from Active Directory succeeded
View 13 Replies View RelatedCisco AAA/Identity/Nac :: 5520 How To Setup Another Access Policy 5.3
Jan 30, 2012I am new to v5.3, and I am not good at VPN.I just have my consultant to configure this correctly just today. Currently, there is only one rule for the access policy (Single Result Selection). That rule is to use Active Directory as the source for the authentication. And by default will deny any other access which is not found in the rule.Now... I just got an order that I need to setup a new user who will need to access to our network by using Cisco IPSec VPN (the software one). But that user is not setup in our Active Directory, and we do not want him to access our domain anyway. He only needs to access non-domain resourse...such as airconditioning controller by IP. So I am thinking to setup his account by using "internal identtity". If I do this way, what do I need to do to setup another access policy? May you give me some steps with little more details? OR... if it is not the way I should do...what else can I do to achieve this goal? Also, he said he could provide his static IP trying to access from. I have a ASA 5520.
View 4 Replies View RelatedCisco AAA/Identity/Nac :: Add RADIUS Attributes Under Group Setup In ACS 4.2
Jul 5, 2012I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
View 2 Replies View RelatedCisco AAA/Identity/Nac :: Setup ACS 5.2 With An ASA V8.3.2 To Lock Users Into VPN Groups?
Jan 18, 2011I'm trying to setup ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a users AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...
1) Network Devices and AAA Clients -> Define VPN
2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
Policy Elements:
Q1) Policy Elements - Do I need an authorization profile for each group:
Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
RADIUS-IETF attribute 25?RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?Other?
Access Policies:
Q1) Do I need to enable and use group mapping?
Q2) Do I need a Network Access Authorization Policy for each group?
Cisco AAA/Identity/Nac :: Setup RA VPN On ASA 8.4 With 2 Groups - VPNGp1 And VPNGp2?
Aug 21, 2011I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access 5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.
On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.
On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.
I am not sure if some more configuration needs to be done on ASA and ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA, under each corresponding group policy, using vpn-group-policy command? Or I need to do something else on ACS?
Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?
Cisco AAA/Identity/Nac :: ACS 5.2 - Setup EAP-TLS Authentication For Wireless Access Points?
Jun 22, 2011I am trying to setup EAP-TLS authentication for my wireless access points, but I can't sign my ACS certificate with my enterprise CA certificate.If I generate a self-signed certificate on the ACS server, and try to sign it on my CA, I get an ASN tag error. It looks like that is because the ACS server is not in the certificate path of the CA server.If I generate a certificate on the CA and try to import it into ACS, I get a "unable to parse certificate" error. Is there a way to edit the Certificate Trust List in 5.2? It looks like that was possible with 4.2, but not with the latest version.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ISE 3315 Does Not Boot After Running Setup Command
May 24, 2013we have a new ISE 3315 installation going on, I powered on the Appliance and appliance booted sucessfully, I run the Setup command. however after Setup is completed and appliance got a reload, it is not booting at all , booting seems to be hang up as per the snapshot attached.however Appliance is pingable, . i carried the following tasks as part of troubleshooting.
2: suspecting that Setup was corrupted, i then re-initialzied / re-installed the ISE Completely, then i run the setup command and after self reload, exactly same behaviour.
3: I tried with both Secure CRT & Putty and results are same
Cisco AAA/Identity/Nac :: How To Setup ACS 4.2 As LDAP Server To Authenticate Devices
Sep 1, 2011I have a ACS 4.2 under windows, I setuped it to authenticate routers by RADIUS and TACACS+ protocols. now I have some devices whitch know only LDAP protocol. How can setup ACS as a ldap server to authenticate those devices?>
View 1 Replies View RelatedCisco AAA/Identity/Nac :: How To Setup Enable Mode Password On ASA 5510
Jan 24, 2013how do I setup an enable password for an ASA 5510? At the moment its setup to authenticate using RADIUS (which I'd like to keep doing) but I need to setup an enable mode password.
View 3 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 AD Connection Setup DNS Failing To Resolve Address
May 9, 2010I am trying to configure the ACS with AD in the identity store but am running into the following issue.I enter the AD Domain Name and username and password and hit the 'Test Connection' button and receive a DNS error stating that it 'Cannot resolve network address'.I have logged into the CLI and test to the domain name from there and it works fine.
View 5 Replies View RelatedCisco AAA/Identity/Nac :: Setup Tacacs Config Onto New NEXUS 5000
May 26, 2011I m trying to setup a Tacacs config onto my new NEXUS 5000 series.Nevertheless the authentication doesn't work.Actually I followed the config guide but something is not working or missing.I have setup everything through VMWARE with ACS installed on a Windows server.
View 20 Replies View RelatedCisco AAA/Identity/Nac :: Setup AAA For Anyconnect With Active Directory On Asdm 6.4
Aug 20, 2012Im sure this has been asked before but a quick search has not yielded any exact results so here goes
I have anyconnect up and working great on for vpn users using local authentication. Im going over the white papers and seeing a lot of options for NT domain, LDAP, tacacs+ etc
we would like remote vpn users to autherticate using their windows domain password, but Im not sure which would be the easiest and quickest option to configure, and I cant find a guide for asdm setup for this topic that doesnt cause more questions than answers . The white papers Im finding are confusing since I am a rookie at this topic.
what is the easiest/quickest way to setup windows domain authentication via asdm?
Cisco AAA/Identity/Nac :: 7000 Setup Switch To Be Able To Authenticate Users With Tacacs+
May 2, 2012I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: 3750 / Get RADIUS Setup For Authentication To Switches And Routers?
Sep 19, 2012We are setting up a new office and I am trying to get RADIUS setup for authentication to my switches and routers. Currently I am working on a 3750 running IOS 15 and getting hung on what I think on something small. I have attached my Microsoft NPS Network Policy. Below is my IOS config:
aaa group server radius corp-radius
server 10.15.10.20 auth-port 1812 acct-port 1813
!
aaa authentication login default group corp-radius local
aaa authentication login radius-localfallback group corp-radius enable
aaa authorization exec default group radius
[code]....
Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail
Dec 8, 2011accounting in ACS 5.3. When I setup accounting on WLC 440x / 5508 ACS takes them as an authentication request and fail.
Here are some logs what I see in acsview:
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2 MAC: a.b.c.d AUTHTYPE: Radius authentication failed
ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:
[code]...
Cisco Routers :: QuickVPN Setup On RV120W Without Changing Internal Setup
Nov 8, 2011Is there a way to set up Quick VPN on the RV120W without changing the internal subnet? I have just taken over responsibility for a network and I don't know all of the nooks and crannies yet, so I'd rather not change the internal sub net. I've tried setting up a user then changing the LAN settings afterward, but it automatically removed the VPN user when I did so.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected
Oct 28, 2012I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store
May 18, 2011I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?
Jul 11, 2011We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?
Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification
Jan 24, 2012I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
Cisco AAA/Identity/Nac :: ASA5550 / ACS 5.3 - 22056 Subject Not Found In Applicable Identity?
Dec 5, 2012I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
Cisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity
Oct 6, 2012I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
PC - AP - WLC - ACS - AD
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
I switched the role for ACS primary to works as secundary and we see the same alarms.
Cisco Routers :: SRP527W - Setup - Cannot Find Web Console To Setup
Jan 1, 2012I've just purchased a couple of SRP527W routers. I've been unable to even browse to the default 192.168.15.1 to start my configuration. My local network is 192.168.1.x. At risk of showing my stupidity, what am I doing wrong.
View 5 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access
Apr 14, 2011I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.x Identity Store Sequence And Token Validation
Dec 3, 2012We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ISE V1.1 ISE Authorization Rules Do Not Use Endpoint Identity Group
Dec 5, 2011I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies View Related
