Cisco AAA/Identity/Nac :: Implementing Group NAR For ACS 4.2?
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have a Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from a ACS user group.
View 12 Replies
ADVERTISEMENT
May 1, 2012
how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.
View 3 Replies
View Related
Sep 30, 2012
After implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
View 5 Replies
View Related
Oct 13, 2011
We have customer with implementation ACS5.2 in Windows environment. Now they want to implement IP phones in the network.
View 0 Replies
View Related
Apr 15, 2012
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3.The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!).The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At:
April 16,2012 1:20:48.080 PM
RADIUS Status:
Authentication failed : 22056 Subject not found in the applicable identity store(s). NAS Failure:
Username:
002655886b3d MAC/IP Address:
00-26-55-88-6b-3d Network Device:
[code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this;MAC-address: 00-26-55-88-6B-3D
View 1 Replies
View Related
May 18, 2011
I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
I have a rule based result selection under group mapping. I have two rules in the format below.
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.
View 3 Replies
View Related
Jan 24, 2012
I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.
How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.
View 1 Replies
View Related
Dec 5, 2011
I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.
View 2 Replies
View Related
Apr 26, 2011
I'm trying to set a VPN connection to a router using group authorization with the ACS 5.2 but cannot make it work. I configured everything based on the procedure used for ACS 4.2. I created a user that corresponds to the group name, used the password cisco and used all the requiered Cisco AV pairs in an authorization profile. (Based on document: [URL]
While testing with ACS 4.2 this works fine, I can see that the ACS returns the group attibutes correctly (here is a debug output)
Apr 9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203Apr 9 16:16:59.256: RADIUS: authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9AApr 9 16:16:59.256: RADIUS: Vendor, Cisco [26] 30 Apr 9
[Code].....
View 4 Replies
View Related
Apr 7, 2011
We have ACS 4.2 and has been integrated with AD. Now, a new user group has been added in AD but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the sgent in ACS and also have restarted the ACS agent in AD. But still we rae not able to fetch the new AD group in ACS in group mapping.any way to fetch the new group in ACS from AD.
View 1 Replies
View Related
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the users specific AD group membership, and match appropriatly to an identity group.What i'm trying to do is say that if the user is a member of the AD Group (G-CRP-SEC-ENG) then associate them with the Identity Group SEC-ENG. The under the access service, authorization portion, i assign shell profiles and command sets based on Identity Group.It seems that the ACS server will not match the AD Group for the user, and it will match the Default of teh Group Mapping portion of the policy every time.
I tried several configuration choices from : AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>.Is there something special i need to do in the Group Mapping Policy to get it to match and active directory group and result in assigning the host to an Identity Group?
View 7 Replies
View Related
Apr 25, 2011
I'm sure it can be done just haven't been able to find it. I'm running ACS 4.2 and have 2 network groups, one is wireless where I have a WLC and the other is the default where vpn users authenticate with their tokens. Is there a way to have the Wireless network group authenticate using AD and the other group use RSA? I can't find the switch or switches I need.
View 1 Replies
View Related
Sep 12, 2012
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
View 4 Replies
View Related
Jul 5, 2012
I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
View 2 Replies
View Related
Mar 13, 2013
to grant not to show the certificate error adevertise to all clients connecting to guest services (because obviously they don't have the CA root certificate of our company), we have purchased a wildcard certificate from Verisign in order to work with all of our PSN Common Names and friendly url for sponsor and mydevices. But when I try to import it to more than one PSN the following error message is shown " The certificate already exists in the data base".How can I import the same certificate (with the same private key) in every PSN in a node group?
We have ISE 1.1.2
View 4 Replies
View Related
May 9, 2012
I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search. The error I get is below
22037 Authentication Passed
22023 Proceed to attribute retrieval
24032 Sending request to secondary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
24034 Secondary server failover. Switching to primary server
24031 Sending request to primary LDAP server
24016 Looking up user in LDAP Server - testuser
24004 User search finished successfully
24027 Groups search ended with an error
22059 The advanced option that is configured for process failure is used.
22062 The 'Drop' advanced option is configured in case of a failed authentication request.
Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login.
View 3 Replies
View Related
Apr 18, 2011
I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
and selected the group name from the AD. If I understand correctly, I should now see this group under:
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
However, it does not. Am I missing something?
View 2 Replies
View Related
Mar 23, 2013
In my ACS 5.4 I want to have same useranme to use two shell profiles. Here is the requirement.One shell profile with privelege 15 for IOS device admin and other one with different privelege for WCS admin.As there can't have two shell profiles on the same authroization profile, I created two different profiles, and match with the ACS local group name. However whenever user tries to access it always hits the 1st profiles.
View 3 Replies
View Related
Oct 2, 2012
So we have multiple ISE Servers with differing personals. I was having an issue with our new ISE setup not identifying AD Group Attributes when using them in Authorization rules. We have 2- 3395 appliances running Admin and Monitoring/Troubleshooting Personas and 2- 3395 appliances running as Policy server personas. We are running v1.1.1.268 with the latest two patches. I was unable to pull Active Directory Group Attributes in any of my Authorization rules. After Resyncing all the boxes with the Primary Administration box I was able to do this. There is no bug listings for this occurrence nor do we have Smartnet to call support for other reasons.
View 3 Replies
View Related
Jul 27, 2011
This question might actually belong under tacacs server but it's only happening with the ACE. I've configured tacacs on the 4710 and configured the tacacs server per the documentation. If I enter the shell:<context>*Admin default-domain under the group settings when I login with my tacacs ID my role is set to Network-Monitor. If I set the shell in my specific tacacs ID I'm assigned the correct role as Admin. We're running ACS ver 4.1 and the ACE is A4(1.1)
View 1 Replies
View Related
Nov 25, 2012
I had a problem about authentication use AD group member. Below webiside is the way I config on ACS.
[URL]
I'm using ACS 5.1.0.44 and this version has a bug , ACS cannot read AD group. I have to add it manually . After I change the access policy from Internal user to AD1. I can use anyone AD ID to pass authenticaiton. I finished all config from the website had same result.
I checked the access polices -- default device admin -- authorization , the new rules I created had no hit count. How can I make sure that I make a right config ?
View 2 Replies
View Related
Jun 13, 2012
I am trying to move a device from the Default location to a sub group and get the following message when I try (either with IE or Firefox)
This System Failure occurred: Index : 0, Size: 0. Your changes have not been saved. Click OK to return to the list page.
it also gives me the same error if I try and change the Device type from default to a sub group. I'm sure I could do this previously. The ACS build is (VMWARE install):
Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.228ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: ACS1
Version information of installed applications---------------------------------------------
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40Internal Build ID : B.839
I'm suspecting it a read/write issue with the database or a database corruption. I have stopped and started the application acs via the console and show application status acs has the following to say about itself.
ACS1/admin# show application status acs
ACS role: PRIMARY
Process 'database' runningProcess 'management' runningProcess 'runtime' runningProcess 'view-database' runningProcess 'view-jobmanager' runningProcess 'view-alertmanager' runningProcess 'view-collector' runningProcess 'view-logprocessor' running
View 3 Replies
View Related
Mar 6, 2012
We are migrating our ACS 5.1 to ISE 1.0.4.
- On ACS we were doing 802.1x Authentification over an Activedirectory, assigning Vlan according to computer/user group. In some case the user vlan could be different from the computer vlan (ex admin account connecting to a user account). This works great with ACS.I tested the same function with ISE and the behaviour is a bit different :
- When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
- When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
It seems that the AD group attributes are not well updated :
- AD logs show the second authentication doesn't engage a new group parsing from AD
- Shutting down the switch port when user is logged engage a new authentication a AD group are well updated.
- Bug toolkit reference the same bug but for WLC CSCto83897 so I suspect it's present in other case.
View 0 Replies
View Related
Apr 15, 2013
I am deploying ISE with WLC 7.4. I have two SSID(s) running in my network 1. Corporate & 2. Services. I have a domain setup lets say "AD.com" with 4 groups 1. Corporate, 2. Services, 3. Employees, 4. Contractors.Here is an example of the scenario that I want:
AD.com Group : Corporate's User : 1. C_USER1
2. C_USER2
3. C_USER3
4. C_USER4
5. C_USER5
[code]....
Now what I want to do is have 802.1x authentication on my Corporate SSID that will check in AD.com, ONLY AND in ONLY corporate group for authentication. That is only C_USER1 to C_USER5 are allowed to connect to it. Users from any other AD group shouldnt be authenticated on this SSID.The same for the services group & SSID.
View 2 Replies
View Related
Apr 28, 2012
installing the Cisco NAC agent through the Active Directory Group Policy. (Windows 2008 R2)Currently Cisco NAC CAS servers has been installed, configured and the switches are added. But the ports are not active. Currently users are not passing through the NAC. When the ports are active and the users trying to access the network, the browser will ask the users to install the Cisco NAC Agent.I need t by pass this by installing the Cisco NAC agent through the active directory Group Policy. How to install the Cisco NAC agent (4.9.1) to all the users in the Network (Windows XP / 7 )through Active Directory so that the users will not know that the Cisco NAC agent has been installed in their computers. By this way the users need not install the Cisco NAC agent through the Web browser and will just login their user name and password and get into the network.
View 1 Replies
View Related
Dec 21, 2012
I have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine however recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks. DNS client is enabled in the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records. My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly. I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this. I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
View 1 Replies
View Related
Mar 28, 2012
My question is on ASA and ACS5.2 users.Have my ASA SSL VPN and IPSEC VPN, the my ACS5.2 many users, for example, wireless user.I would now like to establish an independent user group, only the VPN user name and password, while both the ASA VPN can only allow users in this independent group of ACS5.2 VPN login, how to configure?
View 1 Replies
View Related
Feb 3, 2007
We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?
View 11 Replies
View Related
Aug 26, 2009
Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510. Currently using NT Domain authentication. It's been working fine for quite a while but is too broad a brush. It authenticates anyone who is in the domain. We need to only authenticate folks who are in a specific AD remote access security group. I'm testing LDAP but am getting the same results. I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership.
We've updated to ASA 8.2(1) and ASDM 6.2(1). It seems to have more LDAP functionality but I'm not an LDAP expert. I've posted an image of the LDAP server dialog from the ASDM. I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing. I also tried adding the group info in the "LDAP parameters for group search" field at the bottom. But it doesn't seem to be looking there. Note that the current value is the Group Base DN only. I also tried putting "memberOf=" in front of that. Still no luck. The values shown in the image work for simple domain membership.
View 3 Replies
View Related
Jan 15, 2012
Can I use AAA Radius on a ASA 5505 to block outgoing user access by user name in a group?
View 2 Replies
View Related
Jul 31, 2012
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
View 3 Replies
View Related
Jun 5, 2012
The desktop team has asked me to set up multicast in our network with building PC's as they will be deploying a few hundred of them starting in two weeks. We currently do not have multicast set up, and the only experience I have with it was during my certification studies, so I have a lot to catch up on quick. They will be sending the build traffic from a single server. The network environment is simple: a 3750 stack as the router/distribution layer and mainly 3550's as access. The PC's that they will be imaging will be on one VLAN that is already designated for PXE builds. This VLAN is across multiple switches. Is it possible to just enable the multicast features on a single VLAN? I have been reading around but not finding much other that very in-depth Cisco papers.
View 5 Replies
View Related
Mar 15, 2012
We have backup and other traffic over our vpn which is affecting our ip phone service between two sites. Our consultant suggested implementing QOS over the VPN to give the phone traffic priority. Is this possible with the rvs4000. Is there any good source saying how to do it. Is the setup of the QOS on this router similar to another router where this has been discussed.
View 1 Replies
View Related
