Cisco AAA/Identity/Nac :: New Version Of ACS 5.2 Allow User To Belong To Several Groups Of AD?
Jul 7, 2011We have ACS Engine 4.1 and want to upgrade it to 5.x.
Is the new version of ACS 5.2 allows a user to belong to several groups of AD ?
ADVERTISEMENT
Cisco AAA/Identity/Nac :: ACS 5.2 Add A User Into Several Groups?
Apr 5, 2011We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
View 5 Replies View RelatedCisco AAA/Identity/Nac :: Can Latest Version Of ACS 4.0 Support Nested AD Groups
Dec 20, 2012We are running ACS 4.0 so understandably so we are looking to upgrading to a Cisco supportable version of ACS. The limitation of our current version of ACS does not support nested AD groups. The latest version of ACS (I think it is 5.4) will?
View 1 Replies View RelatedCisco VPN :: 5505 - Can Single Local User Belong To 2 Group-policies
Jan 13, 2013I have a Cisco ASA 5505 that I've setup with an SSL VPN. This is for personal use, and I therefore don't have need for anything more than local authentication. [code]
I'd like to have one profile/policy where I only encrypt data going to my split-tunnel ACL, and I'd like to have one profile/policy where I encrypt all traffic.
The issue ive been fighting is - it doesn't seem like its possible to associate more than one group policy per user. If it IS possible - can you tell me how I associate both groups to my local account?
Cisco :: LMS 4.1 No User Defined Groups Shown In Fault Notification Groups?
Dec 12, 2011I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
Cisco AAA/Identity/Nac :: ACS1113 Version 4.2 Ssh Version 1 / Specify Only Version 2 Or Turn Off SSH?
Sep 14, 2009McAffee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?
View 9 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access
Apr 14, 2011I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this. If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups.
View 1 Replies View RelatedCisco :: LMS 4.1 User Defined Groups Empty?
Jan 23, 2012I have seen some discussion in the forums regarding user defined groups being empty in LMS 4.0 but not 4.1. I am having this issue in 4.1. Under User Defined groups, I have created 2 logical groups named "Physical Location" and "Switches". These do not contain any actual devices, they are just containers for other groups. Under the Physical Location logical group I have created 2 other groups, Acuna and Hampton. Under the Switches group I have also created 2 groups, HDM and HHC. The criterion for the Physical Location group is based on the first 3 characters of the hostname:
Device.System.Name startswith "hdm"
The criterion for the Switches group is based on the value of a user defined field, Admin_responsibility:
Device.Admin_responsibility equals "HDM"
The Physical Location groups work - the Switches group does not. Both the HDM and the HHC group should contain several devices. The HDM group contains 2, the HHC contains none. If I edit the groups and click "next" until I get to step 3, Membership: Edit, the "objects matching criteria" list is fully populated - it contains the devices that it should contain. However, after I click "Finish" and go to Inventory => Add / Import / Manage Devices there is no change in group membership - the HDM group contains 2 devices and the HHC group contains none.
Cisco Switches :: SF-300-08 SNMP Setup Doesn't Show Any Groups In Add User Pulldown
Jun 1, 2012I'm setting up a new SF-300-08 with SNMP.I have defined Groups OK.But, when I go to Add User, the Group pulldown is grayed out and I can't add a user.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.2 User Roles And Restricting User Access To Add Items?
Sep 22, 2011We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Can't Add AD Groups In ACS 5.2
Jul 21, 2011I've run into an annoying issue with my ACS 5.2 install. I can no longer add directory groups in the AD settings, the ACS comes back with "The item you are trying to delete is referenced by other items.You must remove all references to this item before it can be deleted." but I am not deleting any group, just adding.
Could probably be cleared with removing the AD setup completely, which for obvious reasons is not something I want to do.
Cisco AAA/Identity/Nac :: ACS 5.2 Will Not Enumerate 2003 AD Groups?
Aug 4, 2011I have seen similar references to this issue, but no concrete solutions. My new ACS appears to join my domain with little or no issues, however, when I go to list the groups nothing is ever listed.Running ACS as a vm.I have set the ntp server on the ACS server to match my domain.I can ping all domain controllers/DNS servers.nslookup resolves hostnames of my domain controllers
***Update***
I verified that a computer account for my ACS is in fact being created, however, I am receiving some Kerberos errors on my DC with the FSMO roles:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 26
Date: 8/5/2011
Time: 3:07:46 PM
User: N/A
Computer: <MY DC>
Description:While processing an AS request for target service krbtgt, the account <ACS SERVER> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 17. The accounts available etypes were 23 -133 -128 3 1.
Cisco AAA/Identity/Nac :: ACS 5.1 Directory Groups 2008 R1
Jun 13, 2011I have an ACS 5.1 and am trying to integrate with windows 2008 R1. The ACS has a valid AD account and indicates that its connected but when I try to list any directory groups my windows IE browser hangs?
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.3 - How To Only Allow Specific AD Groups To Login
Nov 4, 2012I've configured three specific AD groups, Admin, Storage, and HelpDesk, with their own commands sets.
This seems to be working fine, but everyone can log into everything, but they can't do anything except exit.
My goal is to not allow anyone to login that is not part of the three AD groups I have specified with the respective command sets.
All the logins hit the Admin account, even though the id in AD is not in the that AD group. I have something screwed up.
Cisco AAA/Identity/Nac :: ACS 5.2 Sync With Windows 2008 AD But Cannot See Groups
Jan 2, 2011Recently I've been working with the ACS 5.2 (Installed on VMWare). At the beginning I was using a Win Server 2003 Enterprise edition AD, and there was no problem with the AD and the CA Authority. Because some of my customers use Win Server 2008 I change the AD platform to Win Server 2008 Enterprise edition (x64).I don't really have a great experience with Win Server Platforms and, for what I've seen, the Win Server 2003 Services deployment is easier than the Win Server 2008 is.
So, when I used the Win server 2003 I could not only synchronize the ACS with the AD but also use some groups created on the AD to perform the Network Access Authentication. When I try to do the same with the Win Server 2008 AD the ACS and the Server get Synchronized but when I want to add the groups for the Authentication purposes there is no one, absolutely nothing... so I cannot do any test.Also I looked for information about the compatibility between the ACS 5.2 and the Win Server 2008 platforms and at the end the platforms are compatibles.
Cisco AAA/Identity/Nac :: ACS 5.3 - Custom Attributes And Wireless Groups?
May 13, 2012I have been tasked with migrating from ACS 4 to ACS 5.3. I havent had any training and so i am finding it a bit different. Currently i have this issue -
I have a group in the ACS 4 for users accessing via wireless on the ACS - Code...
Cisco AAA/Identity/Nac :: Setup ACS 5.2 With An ASA V8.3.2 To Lock Users Into VPN Groups?
Jan 18, 2011I'm trying to setup ACS 5.2 with an ASA v8.3.2 to lock users into VPN groups based on a users AD group. I've tried various combinations but the group lock isn't working. I've done steps 1 & 2 ...
1) Network Devices and AAA Clients -> Define VPN
2) Users and Identity Stores -> Setup AD and Directory Groups, test connection
Policy Elements:
Q1) Policy Elements - Do I need an authorization profile for each group:
Q2) What RADIUS attributes should I use to match my ASA tunnel-groups?
RADIUS-IETF attribute 25?RADIUS-Cisco VPN 3000/ASA/PIX 7.x 85 (Tunnel-Group-Lock)?Other?
Access Policies:
Q1) Do I need to enable and use group mapping?
Q2) Do I need a Network Access Authorization Policy for each group?
Cisco AAA/Identity/Nac :: Setup RA VPN On ASA 8.4 With 2 Groups - VPNGp1 And VPNGp2?
Aug 21, 2011I am trying to set up RA VPN on ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will access 5.6.7.0/24. User authentication will happen using ACS 5.3 Radius.
On ASA, I have configured the IP pools, VPN ACLs, VPN groups, group policies for each group, and tunnel groups.
On ACS, I have created vpn-user1 and vpn-user2 for each of 2 groups.
I am not sure if some more configuration needs to be done on ASA and ACS... Do I need to add new users - vpn-user1 and vpn-user2 - on ASA, under each corresponding group policy, using vpn-group-policy command? Or I need to do something else on ACS?
Lastly, how can I configure authorization and accounting for the VPN users? Do I need to do this on ACS or on ASA?
AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?
Jan 14, 2013I have multiple campuses and a Central Admin...I've created Groups for all, except I need a few devices within Central to be available to the Campus Admins... (ie..a Cisco WCS System) How do I allow a device to be put into multiple NDG groups?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface
Aug 27, 2012I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?
Cisco AAA/Identity/Nac :: ACS 5.3 / Authenticating Device Admin Users Against AD Specific Groups
Jan 28, 2013I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
Cisco AAA/Identity/Nac :: 1113 - Multiple Network Device Groups Using One Windows Remote Agent?
May 4, 2011I'm working with a 1113 ACS device running the 4.2.0.124 software. I'm trying to get multiple network device groups to use an existing Remote Agent set up for authentication against our Windows domain. For instance, we want our infrastructure switches to authenticate agains the local Active Directory and our WLC to authenticate users agains the same Active Directory. When I try and set both network device groups to use the same remote agent, it fails and reports either the host name is already in use or the IP address overlaps with an existing remote agent.
The question is:
Can I have multiple network device groups use the same remote agent? Or do I have to install the remote agent software on separate Windows servers in order to have different types of devices authenticate against the Windows AD?
Cisco Wireless :: Restriction SSID Per User With ACS 5.x Version
Sep 15, 2011I would like to ask some question on WLAN technology, which I using WiSM version 2. And i get requirement that user must be restrict with SSID, so, i found that it can do it on ACS version 4.x via NAR for SSID-based authentication feature. Then, is it possible to do restriction on ACS Version 5.x?
View 4 Replies View RelatedCisco AAA/Identity/Nac :: 802.1X Switch IOS Version
Jul 12, 2012I' have realy big layer two access network made of etherogenius Cisco switch with different IOS version and train.My customer bought ISE (ADVANCED AND BASE LICENSE).As far I read on DS it is seem that if you have Minimum IOS release 12.2(52) SE you are able to perform COA, reading DS with more attention I notice that cisco raccomend IOS versione 12.2(55)SE3 why ? does it means COA does not work with 12.2(52)SE,I need a minimum IOS release to perform 802.1x on my wired network ?
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Upgrade ACS From 4.1.1.23 To Version 4.2.1.15
Sep 18, 2011I have installed ACS Windows 2003 R2 Services Pack 2.
I am upgrading of version 4.1.1.23 to version 4.2.1.15. Recommended by Cisco.
Before of update everthing works fine.
After of upgrade, this does not authenticate user, sends the next message "External user not found", "Authentication session invalidated" and "internal error".
The mapping is ready. annex image.
Cisco AAA/Identity/Nac :: ACS1120 Does Support ACS Version 5.2.0.x
Aug 27, 2011I have ACS 1120 appilance does it support ACS version 5.2.0.x and corresponding patches.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: Configuration Between ACS 4.2 And ISE Latest Version
Jan 26, 2013We are a Small company with 400-Users and currently we are using ACS 4.2 at our company.we want to upgrade and use Cisco ISE Appliance instead.
I want to know is there any major changes in configuration between ACS 4.2 and the ISE Latest Verizon.?
Is there any Hardware (Switch or Cisco AP ) compatibility issues with using Cisco ISE. (we are currently using Cisco Cat 3550 and Cisco Aironet 2600 APs with the existing ACS4.2) What ISE Series & what Soft version are the latest so i can order ?
Cisco AAA/Identity/Nac :: 7600 Router - NX-OS ACS 4.2 Version
Sep 9, 2012We have ACS 4.2 for our existing IOS routers mainly 7600.We have just integrated Nexus switches.
What is the appropriate ACS version/appliance that will support both the existing IOS routers and new NX-OS switches?
Cisco AAA/Identity/Nac :: ACS 5.2 Maximum User ID
Jan 5, 2013what is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS Version 5.2.0.26 / Failed MAB Authentication Logs
Jan 8, 2013Having an issue where a user will plug a PC into a switch. The switch does a MAB authenticaiton and the MAC is not located in the ACS server. It logs the failed attempt, but when the PC is removed from the switch, the failed attempts keep getting logged until the port is bounced. Any way to keep the attemps from happening after the PC is removed? If not, any way to make it stop without bouncing the port?
running ACS version 5.2.0.26
switch port config:
interface GigabitEthernet1/0/2
sw access vlan 2 sw mode access
authentication control-direction in
authenticaion host-mode multi-auth
authentication port-control auto
mab
spanning-tree portfast
AAA/Identity/Nac :: SUP720 ISE Supported Switch IOS Version
Apr 18, 2012The table referenced in the new 1.1 ISE guide show 12.2(33)SXI6 is the minimum version for support. Does this mean this version or above? Does ISE is tested in newer SXJ streams? We have a massive rollout of SUP720s to do and need to know the most stable version to load in preparation for ISE.
View 1 Replies View RelatedCisco AAA/Identity/Nac :: Restricting User Sessions In ACS 5.1?
Jul 26, 2011We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies View RelatedCisco AAA/Identity/Nac :: ACS 5.1 How To Deny Access To User
Jun 12, 2011I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies View Related
