Cisco AAA/Identity/Nac :: SSH From ACS 5.2

May 18, 2011

When I try to SSH from ACS 5.2 CLI to my SFTP server I get :
 
Unable to negotiate a key exchange method.
 
On the SFTP server (Tectia) I have the encryption configured with aes256 and hmac-sha1.

View 2 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test such 802.1x wired environment:windows xp sp3 as supplicant windows NPS as radius server 2960 as authenticator latest anyconnect (3.1.01065) + nam and standalone profile editor.I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in nam profile editor)? As I understand documentation PEAP-MSCHAPv2 is a tunneled method and it uses un- protected identity pattern to protect user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc) access is rejected (Access-Reject in switch debugs). I have to use exacly the same pattern in unprotected identity pattern as in protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authenticaton mode (same in machine only, user only authentication).

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
 
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 at everytime the entered user's password expires?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution in order to restrict the modification of the host internal identity store (add or delete MAC host) per group. The default administrator roles does not include "per group restriction". Under the ACS I defined one group per department? My objective it to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How to restrict internal identity store per group?Do I need to create new roles? and how?I was not able to get an answer from the ACS ADMIN manual.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA5550 / ACS 5.3 - 22056 Subject Not Found In Applicable Identity?

Dec 5, 2012

I have a new ACS 5.3 configure and a ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
 
I checked out the documentation and have already configure the Identity store sequences to redirect everything to the LDAP server, I also did the Bind test and it says that is ok, but I still have the same problem.
 
I validated the Access Policies Menu, and tried to create a new Service Selection Rules, but whet I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity

Oct 6, 2012

I have two ACS v 5.2 (primary and secundary) and some users are in the internal stor and the others are in the AD.The local site topology is like this:
 
PC - AP - WLC - ACS - AD
 
Authentication method is PEAP(EAP-MSCHAPv2) and all user have the certificate company installed. The OS in the client users is Windows 7.Users was working fine but some users reports intranet disconnections. I see in the ACS log  many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms.I believed it was because user wasn´t in the AD data base, but some times the same user is authenticated successfull and other i see the "22056...." or "24415...." alarms.
 
I switched the role for ACS primary to works as secundary and we see the same alarms.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM.  I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don;t see any way to do this.  If I use AD groups, they don;t show up as selection options on the policy screens, just the ACS locallyy defined groups. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x Identity Store Sequence And Token Validation

Dec 3, 2012

We have a ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticate the users but also assigns the group that is used to select IP address pool.Now the requirements require to use token authentication with SafeNet. This authentication uses the same username but the password is composed of the original password + OTP.The problem is that the SafeNet server doesn't return the group membership.I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:! configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)I configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password and would retrieve the group membership.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE V1.1 ISE Authorization Rules Do Not Use Endpoint Identity Group

Dec 5, 2011

I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned  dynamically or statically to an endpoint identity group. Cisco ISE authorization  rules do not use this endpoint identity group.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1.0.44 External Identity Stores Account To Be Locked Out

May 11, 2012

I am currently running cisco ACS 5.1.0.44 and use active directory as the main authentication identity store to allow network administrators to have access to network devices in my organization .As per the established security policies in my organization , the ACS has to disable any account after 3 failed login attempts to any network devices .i have gone through all the settings oN the acs but couldn't find where or how it is done .

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
 
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how i'm configured for the test, i have a local user defined and I'm trying to log into the firewalls.
 
- Identity Definition : Screen shot of the main ACS definition for the rule i'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that if it fails i need it to move onto rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for managment uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to    be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).

View 4 Replies View Related

Cisco AAA/Identity/Nac :: WLC-2500 / Profiling In Identity Services Engine 1.1?

Apr 18, 2012

how profiling works exactly ?How intelligent is the profiling engine, meaning: Will it discover that one device has more than one different MACs and will merge the entries in the database ??
 
Example:This is in fact the same device, there is only one WLC-2500 in the network ....If it can discover that, what needs to be configured on the ISE to do that ?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface

Aug 27, 2012

I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
 
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
 
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Connect To Multiple Identity Stores

Aug 15, 2012

I understand that Cisco Secure ACS 5.3 supports the integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA.My question here is can Cisco Secure ACS 5.3 integrate with "multiple" WIndows AD, LDAP, RSA Server etc.? if yes, is there a Cisco document stating this? The keyword here is multipple.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - Multiple Identity Store For PEAP

Sep 25, 2011

I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
 
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Not Getting Single Result Selection Under Identity

May 19, 2013

After clicking on below path we are not getting option as should be reflected. Below is the snapshots for the issues.
 
Access Policies > Access Services > Default Device Admin > Identity

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS V5.3 Identity Selection For Authentication?

Jan 16, 2012

I configured before ACS v4.2 to authenticate network devices using internal users at first, and if the user is not found use AD list users.  But with v5.3 I have some problems doing this, on identity policies I use rule based result selection option, I configured 2 polices for Identity source, one for Internal Users and other policy for AD user, but it only works with the first policy, internal users or AD, but works only for the first policy identity.  how to do that, if the user is not found on first policy, continue to the next policy.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Identity Base Authentication

Jul 3, 2011

I need a specify users to allow access to particular devices and give privilege only for show command or show run. Here is how I tried to configured.
 
1. Configured two seperate Shell Profile and Command set with privilege level 4-5 and allowing only show run command

2. create seperate service selection rule with adding the require NDG and protocol TACACS and maching service "RestrictAccess"

3. In the RestrictAccess Service I have following configured; Identity: internal users, Group Mapping to a particular group where the user exists, authorization: matching the above created identity group, NDG, shell profile, command sets
 
All the steps are attached in the .doc file. However when I tried with the particular user he is able to access everything and he is not hitting the correct access rule.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.0.4 - Identity Sequence Refuses To Use AD After RSA

Jan 24, 2012

We are running ISE 1.0.4 with a requirement that on the surface is simple, but fails to execute properly no matter how I tweak it it.  It is:
 
VPN users either need to be within a certain AD group or They need to authenticate against RSA.
 
I set authentication to use an identitysequence with RSA listed first, then AD second.
I set authorization to check identity server (using network access:AuthenticationIdentityStore).
- If it’s RSA, pass it.
- If it’s Active directory, AND the condition with a check on that group membership.  Pass if both pass.
- Set the default authorization rule to deny access.
 
This should work.  Here’s where it breaks down.  It all stems from the fact that the same userIds exist in RSA and AD and that ISE steadfastly refuses to attempt the second identity server method listed in the sequence if RSA is listed first.

• If I list RSA first and the “authentication failed” policy is set to Reject:  For users not in RSA that I want to authenticate against AD, it rejects – it attempts against RSA but never hits AD (second server listed in the Identity sequence).  This is what is brokenThis works for users in RSA

• If I list the RSA server first and the “authentication failed” policy is set to continue Users not in RSA will pass authentication that shouldn’t because the network access: AuthenticationIdentityStore value will be pointing to the RSA server, regardless of whether they actually passed to that server or not.Effectively users can connect regardless of whether their password is right or notThis option sets it to proceed from authentication to authorization

• If I list AD first in the sequence Since the same ID exists in both AD and RSA, it’ll fail as bad password against AD.  It'll never attempt against RSA. 

Am I missing a simple fix for this?  I have a testbed in which I can simulate the issue but since I don’t have an RSA server handy, I’m using an identity sequence with AD and fallback to internal.  It works as I’d expect, falling back from AD to local if the user doesn't exist in AD.  If the user is in AD, it never tries local and shows the attempt as a bad password.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - How To Associate Identity Group With AD Group

May 1, 2012

how to associate an AD group - which i have defined in users and identity stores/external identity stores/Active Directory/Directory attributes to associate with the relevant identity groups - Users and identity stores/identity groups Is there an example of this being done somewhere as i am having problems understanding how to do this from the user guide.All i want to do is associate identity groups with ad groups.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: EAP-TLS On ACS 5.3?

Apr 13, 2013

I have a requirement to set up wireless connectivity from iOS devices using EAP-TLS via Cisco WLC using dot.1x, acting as the supplicant ant authenticating against ACS 5.3. I've used a mobile device manager to deliver certificates and wireless profile to the Mobile devices, and i've configured the WLC for dot.1x but I'm looking for a good Cisco step by step document for setting up the ACS 5.3.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Installing 5-2-0-26-4.tar.gpg On ACS 5.2?

May 26, 2011

Trying to upgrade a pair of ACS servers from 5.2.0.26 base to patch 4.  I have tried creating different repositiories that are SFTP, FTP, and Local.  The secondary unit(ROTACS2) upgraded fine with no problems the primary(ROTACS) will not, see below.

Cisco Application Deployment Engine OS Release: 1.2ADE-OS Build Version: 1.2.0.182ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.All rights reserved.Hostname: ROTACS
Version information of installed applications---------------------------------------------
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.2.0.26Internal Build ID : B.3075
ROTACS/mpartain#

[code]....

It appears that the GPG key is not vaild on this primary server.  The patches are in the repositories and I used the acsrepo repo to install on the ROTACS2 secondary server.I have looked through articles and the only mention is to not use TFTP, which I am not.  I have also tried to apply patches 1-3 with the same results.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 How To Restore From One V5.1 Box

Jul 5, 2010

I'm trying to do a restore from one v5.1 box to another.  The file is sent via ftp from the configured repository but when the file is sent I get an error saying failed to unpack.
 
My restore box is running an evaluation version at level 5.1.0.44.3

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Web-authentication Using ASA And ACS 5.1

Feb 2, 2012

In order to restrict access to websites on our internal network, would we be able to put an ASA in front of the web server and force users to authenticate through the ASA and, once authenticated, allow only port 80 or 443 traffic for that use?  The ASA would query the ACS 5.1 server for authentication/authorization using AD as the identity store.  Is this even possible with TACACS? 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: MAC OS-X And Authentication Via ACS 5.2?

Apr 1, 2012

My customer has a large installed base of MACs, all connected via controller-based (5508) WLAN. He wants to grant access to the network based on the device's mac addresses and move the WLAN-clients to a specific VLAN.I added all devices with their mac addresses to the ACS internal identity store for hosts.According to the following message the client sends the user-login credentials (chegger) within the RADIUS-request instead of the clients mac address and of course it has to fail.  After many configuration changes, I ended up always with the same result.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Best Way To Do Migration

May 19, 2013

I have an ACS 5.2 deployment and i want to upgrade it to 5.4 version.I have 2 server in my deplyement:
 
1/ Primary Server as Authentication server & log collector

2/ Secondary server as Authentication server.
 
What is the best way to do the migration? Normaly, i can proceed as follows:
 
1/ Deregidter each server from the deployement ==> Make both the servers standaone
2/ Upgrade the Secondary server.
3/ Upgrade the Primary server (without migrate the log server).
4/ Join Servers to the deployement.

View 11 Replies View Related

Cisco AAA/Identity/Nac :: Downgrade ACS 5 - How To Do

Jul 24, 2012

I want to downgrade an acs acs 5.3 to 5.2. I have looked through the documentation, but somehow I fail to find the exact commands for the downgrade.Previously I just used the recovery cd to reinstall the image, but  it must be possible to do a downgrade without loosing all the configuration.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Migration From ACS 4.0 To ACS 5.0?

Mar 22, 2011

what is the key point to note for migrating data from ACS 4.0 to ACS 5.0? how can I use Migration utility to migrate data from old version to new version??
 
I have ACS setup running with 1000 devices and more than 2000 users and 60 groups dont want to build new acs from scratch want to import data from old version?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 802.1x With ACS 5.2 And Windows AD

Aug 7, 2011

Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Not Logging Anything

Mar 15, 2012

I have an ACS 5.2 VM that went down during an ESX host issue.  Since it has no VMWare tools, it didn't migrate to another host very nicely.  When the box came up, I had to delete the Virtual nic and re-add it and then set up the IP info again to get the VM communicating on the network.Currently the ACS box is not logging anything.  There are no logs visable.  What can I do to check why there are no logs visable?  Authentication is working because wireless uses are still getting on the wireless network, but there are no logs that show passed or failed attempts.

View 4 Replies View Related

Cisco AAA/Identity/Nac :: ACS Migration From 4.1.1.23 To 5.2?

Jan 14, 2012

I need to upgrade my ACS for windows 4.1.1.23 to 5.2 as we have come across the windows 2008R2 AD problem. Now reading the migration document it says I need  to go to at least 4.1.1.24 first which will not be a problem, then I need a migation server, so that means I need another ACS server as the migration server. As I already have 2 ACS servers could I use one of them as the Migration server, ie take it out of production?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved