Cisco AAA/Identity/Nac :: To Deploy 2x New Acs 5.x

Apr 25, 2012

The client is interested in deploying 2x new ACS 5.x and in setting up a split deployment between two ACS in two separate locations for load sharing and configuration replication. At the same time, the client wants the ability to make configuration changes on both ACS servers. According to the Cisco ACS 5.x deployment notes, all configurations must be made on a primary ACS server, and secondary servers will obtain their configuration from the primary server, which defeats the client's requirement of being able to make changes on both servers.
 
Question:
If I deploy two ACS servers in two different locations as independent servers, can I still replicate information between the two servers? I know that with ACS 4.2 I can do replication between two servers.


AAA/Identity/Nac :: 3355 - Deploy NAC For 500 To 600 Users Across WAN?

Jan 24, 2013

We want to deploy NAC for 500-600 users across WAN. We are planning for an L3-OOB-Real Gateway central deployment solution. We have two NAC Servers (3355) and two NAC Managers (3355) at HQ and 6 NAC Servers (3315) at the branch. We deployed NAC under VRF. How can we deploy NAC over WAN without a NAC Server? We need a step-by-step configuration under VRF.


Cisco WAN :: Deploy 881 3G Router - VPN Tunnel

Aug 10, 2011

I'm looking to deploy the Cisco 881 3G routers for a few mobile assets. The assets will use WIFI / WIMAX as their primary communications via the Ethernet interface and roll over to a 3G cellular connection when traveling outside of the WIFI / WIMAX coverage area. The WIFI / WIMAX network will solely be for the corporate network and will not require any VPN tunnels. When outside of the WIFI / WIMAX network, the asset will use the 3G cellular network via an IPSEC VPN tunnel.

My question - is it possible to fire up the VPN tunnel only when connectivity fails over to the 3G connection and not when utilizing the Ethernet interface?


Cisco :: WISM Upgrade From 6.0.199.4 To 7.0.98.0 Pre-Deploy Ap Images?

Jan 17, 2011

Is there a way to pre-deploy the new AP images? We have around 500 APs and my inspection window isn't long enough to upgrade via controller.


How To Deploy Large Wireless Network

Apr 11, 2013

deploying a large wireless network (about 14 access points) spread across 9 buildings that are in relatively close proximity to each other. I have included a picture with a rough scale (it's editable, so feel free to play around with it). Anyways, here is the basic idea. I do basic IT consulting for small businesses and some friends of mine work for an apartment complex in my local area. They came to me with this idea of deploying a wireless network on the campus to provide their tenants with "free" basic wireless internet. Basic meaning not intended to be a replacement for a private connection, but suitable for basic web browsing, school work (I live in a university town), and email. So I got to scratching my head and quickly realized that I need to do some learning and refresh my skills.


Juniper EX4200 - CA / CS Required To Deploy 802.1x?

Sep 26, 2012

Is a CA/CS required to deploy 802.1x? Google searches are confusing me with multiple answers. I'm currently trying to test without a CA/CS and I'm having no luck.

Lab
2008 R2 DC
2008 R2 NPS
Juniper EX4200
User Win 7 PC

This is for a wired connection


Cisco VPN :: ASA 5505 - AnyConnect Upgrade / Web Deploy And ActiveX

Jan 13, 2013

Attempting to upgrade from ASA 8.3.2, ASDM 6.3.4, AnyConnect 2.5.1 to ASA 8.4(4)1, ASDM 6.4(9) and AnyConnect 3.1.00495 using ASA 5505.

Client is Windows XP SP3 w/ IE7. Can log into the ASA web portal and starts to install via ActiveX. I get past the IE7 message bar to authorize installing the ActiveX control. I briefly see a message that says "ActiveX could not be launched" (I think. It is very fast) and then the install hangs w/ the message in the web connect dialog about the IE7 message bar. If I let the timer expire, the Java install also fails. If I download the installer via the web portal, and install AnyConnect via the downloaded installer, everything works fine.

Same problem w/ ASA 9.1.1, ASDM 7.1(1) and AnyConnect 3.1.02026. I have added the web page address to the trusted zone, and checked all the zones for permissions to install ActiveX controls, etc. Worked w/ the older/original software when I remove the kill bit for Microsoft KB2736233. Have not installed any custom AnyConnect profile to use transforms. I did see in the release notes some information on NO INSTALL ACTIVEX=0, but I think this applies to the per-install package only.


Can't Get Blasted Office Compatibility Pack To Deploy Via GPO

Jul 21, 2011

Need to deploy the MS Office compatibility pack via a GPO to a network I work on. I've extracted the exe and have the msi and cab files, which I've placed in a network share and given full control permissions to everyone (I did this after it not working a few times with modify); everyone has full control on the 2 files as well.

I've created a new GPO "software deploy". Under computer configuration, software, I've assigned a new package and typed the path in the following format \servershareo12.msi. I've moved a test PC into a test OU in AD, and back in group policy management I've linked the software deploy GPO to this test OU. I've run gpupdate /force on both ends. I've restarted the test box, nothing, repeatedly. I even edited the GPO to deploy the software under user and moved a test user into this test OU, same thing, nothing. I then went back to the config above using the computer config instead of user.


Cisco Switching/Routing :: How To Deploy 1 Gigabit In Catalyst 4500X

Apr 7, 2013

I'm currently configuring a 4500X with 16 ports. All SFPs are 1Gig, but when I input show ip int brief, it shows that the interfaces are on 10 Gig. Does the Catalyst 4500X already support the 1Gig SFP without inputting a command, or do I have to configure it to activate the 1Gig interface?


Cisco WAN :: 3550 - Deploy BGP With Two ISPs Exchanging Routes With Internet?

Mar 11, 2013

I need to deploy BGP with two ISPs, exchanging routes with the Internet. My company has a 3550 switch with the specification below:
 
Cisco WS-C3550-48 (PowerPC) processor (revision E0) with 65526K/8192K bytes of memory.
Processor board ID CHK0629V0F1
Last reset from warm-reset
Running Layer2/3 Switching Image
 Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1)
 
I would like a tip on whether that switch is going to support that implementation. For example, it has 64MB as shown above.


Cisco Switching/Routing :: Deploy OTV Using ASR 1001 Between 2 Data-centers?

Apr 9, 2013

deploy OTV using ASR 1001 between 2 data-centers? We want to acquire HSRP localization there, but at this moment I can only see lots of docs saying how to do this on N7K, not ASR. I saw it has FHRP filtering enabled by default when the OTV configuration is done, and I also see there is an access-list created by default called otv_filter_fhrp. I'm just wondering whether, besides this IP ACL, there should be a MAC ACL applied?


Cisco Wireless :: Antenna AIR-ANT24120 Works With LAP 1252 In Mesh Deploy?

Oct 2, 2011

I'd like to know if the antenna AIR-ANT24120 works with the LAP 1252 in a mesh deploy.


Cisco VPN :: 3020 - License Required To Deploy VPN Solutions For Remote Users?

Apr 9, 2012

Currently we have a CISCO 3020 VPN Concentrator to terminate LAN-to-LAN tunnels and have our mobile workers connect via the CISCO VPN client (300 users, employees and contractors). Since this device is coming to EOL this year, we purchased a CISCO 5520 (below are the current licenses on it).
 
The licensing seems rather complicated, therefore this is my question:
 
- What VPN solution do you recommend for our users and contractors? It is my understanding the CISCO VPN client does not work with ASA 5500 series devices.

- Is there a license needed to deploy VPN solutions for our remote users (employees/contractors)?


Cisco Wireless :: To Deploy Indoor Mesh Deployment In Area 1500 Series

Aug 10, 2011

We are looking to deploy an indoor mesh deployment in an area where radar might be an issue. I know that when using 1500 series APs you cannot choose UNII-1 channels even if they are deployed indoors. My question is whether you can use a UNII-1 backhaul with indoor APs (3600 series for example) in an indoor mesh deployment.


Deploy Existing Modem / Router With Some Extra Equipments To Build A Wifi Hotspot?

Dec 31, 2011

I have broadband connection on a wired DSL Modem. Now I want to create a wireless networking environment at my home so to work with my laptop and WLAN enabled phone. I do not like to buy a new Wireless router.

Is it possible to deploy my existing modem/router with some extra equipment to build a wifi hotspot?


Cisco Switching/Routing :: Catalyst 4500E Supervisor Engine 7-E / Possible To Deploy Simultaneously Both Type Of Ports

Aug 8, 2012

We've got a doubt about the uplink ports of this supervisor. I've read that you have to use the four ports in 10G mode or in 1G mode, but not use, for example, 1 port in 10G mode and 1 port in 1G mode.

But you can read in another sentence: "Beginning with Cisco IOS Release 12.2(25)SG, you could simultaneously deploy the dual 10-Gigabit Ethernet ports and the four Gigabit Ethernet SFP ports on the Catalyst 4503, Catalyst 4506, and Catalyst 4507R chassis." Is it possible to deploy both types of ports simultaneously?


Cisco Firewall :: To Deploy ASA5585 In Between User Vlans And Server Vlans

Jun 1, 2012

We have to deploy an ASA5585 between user VLANs and server VLANs. We have to find all the ports that need to be opened on the firewall. Are there any tools to do the same?


Cisco Firewall :: 1841 / How To Deploy IOS Firewall Feature

Feb 13, 2012

What is the best way to deploy the IOS firewall feature? I have a Cisco 1841 router running 12.4.


Cisco VPN :: Deploy A Site To Site VPN Using Two ASA5505?

Feb 6, 2012

We are going to deploy a site to site VPN using two ASA5505. The network I'm going to traverse has a max MTU of 1320. I determined this by experimenting with pings of different sizes. How should I configure MTU on my ASAs? I'm thinking of using these two commands but I don't know if there are any implications to this...
 
ip mtu outside 1320
ip mtu inside 1280


Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test the following 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: What is the difference between protected identity pattern and unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.) access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only, user only authentication).


Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Condition
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to an identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.


Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
 
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?


Cisco AAA/Identity/Nac :: ACS 5.3 Host Internal Identity Store / Per Group Modification

Jan 24, 2012

I'm currently looking for a solution to restrict modification of the host internal identity store (adding or deleting MAC hosts) per group. The default administrator roles do not include "per group restriction". Under the ACS I defined one group per department. My objective is to allow each department to access their ACS MAC database to add or delete MAC addresses as required.

How do I restrict the internal identity store per group? Do I need to create new roles, and how? I was not able to get an answer from the ACS ADMIN manual.


Cisco AAA/Identity/Nac :: ASA5550 / ACS 5.3 - 22056 Subject Not Found In Applicable Identity?

Dec 5, 2012

I have a new ACS 5.3 configured and an ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."

I checked the documentation and have already configured the Identity store sequences to redirect everything to the LDAP server. I also did the Bind test and it says that it is OK, but I still have the same problem.

I validated the Access Policies Menu, and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved.Click OK to return to the list page. " and I'm not able to modify the identity, neither in this new option I created, nor in the ones already created in the ACS.


Cisco AAA/Identity/Nac :: ACS 5.2 Error - 22056 Subject Not Found In Applicable Identity

Oct 6, 2012

I have two ACS v 5.2 (primary and secondary); some users are in the internal store and the others are in the AD. The local site topology is like this:
 
PC - AP - WLC - ACS - AD
 
Authentication method is PEAP(EAP-MSCHAPv2) and all users have the company certificate installed. The client users' OS is Windows 7. Users were working fine but some users report intranet disconnections. I see in the ACS log many "22056 Subject not found in the applicable identity store(s)." and "24415 User authentication against Active Directory failed since user's account is locked out" alarms. I believed it was because the user wasn't in the AD database, but sometimes the same user is authenticated successfully and other times I see the "22056...." or "24415...." alarms.

I switched the role of the primary ACS to work as secondary and we see the same alarms.


Cisco AAA/Identity/Nac :: ACS 5.2 Identity Groups - Restrict Device Access

Apr 14, 2011

I have ACS 5.2 running as a VM. I'm AD, then local authentication successfully for device access, but I want to define ACS user groups to restrict login. I don't see any way to do this. If I use AD groups, they don't show up as selection options on the policy screens, just the ACS locally defined groups.


Cisco AAA/Identity/Nac :: ACS 5.x Identity Store Sequence And Token Validation

Dec 3, 2012

We have an ACS 4.3.2 installed with users authenticating against an Active Directory database. The AD database not only authenticates the users but also assigns the group that is used to select the IP address pool. Now the requirements call for token authentication with SafeNet. This authentication uses the same username, but the password is composed of the original password + OTP. The problem is that the SafeNet server doesn't return the group membership. I've read about the Identity Store Sequence in ACS 5.x and I think I could use it in the following sequence:
- configure an Authentication Sequence using the SafeNet token server (this works with ACS 4.x)
- configure an Attribute Retrieval Sequence against the AD database. This would use the username only, no password, and would retrieve the group membership.


Cisco AAA/Identity/Nac :: ISE V1.1 ISE Authorization Rules Do Not Use Endpoint Identity Group

Dec 5, 2011

I'm looking for Cisco ISE v1.1 to use the following licensing feature. url... Endpoint is dynamically profiled by Cisco ISE and assigned dynamically or statically to an endpoint identity group. Cisco ISE authorization rules do not use this endpoint identity group.


Cisco AAA/Identity/Nac :: ACS 5.1.0.44 External Identity Stores Account To Be Locked Out

May 11, 2012

I am currently running Cisco ACS 5.1.0.44 and use Active Directory as the main authentication identity store to allow network administrators to have access to network devices in my organization. As per the established security policies in my organization, the ACS has to disable any account after 3 failed login attempts to any network device. I have gone through all the settings on the ACS but couldn't find where or how it is done.


Cisco AAA/Identity/Nac :: Authenticate VPN Users Via ACS 5.4 And AD Via External Identity Store

Feb 22, 2013

I have installed ACS 5.4 and we are looking to authenticate our Anyconnect users with ACS via Active Directory. I think I have the correct commands in our ASA ( we had ACS 4 and authenticated our anyconnect users ).
 
I also have configured ACS to use Active Directory  and installed the server side cert in ACS. I'm just uncertain how to program ACS to use the security group that I have setup in Active Directory.


Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how I'm configured for the test. I have a local user defined and I'm trying to log into the firewalls.

- Identity Definition : Screen shot of the main ACS definition for the rule I'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that, if it fails, I need to move on to rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).


Cisco AAA/Identity/Nac :: WLC-2500 / Profiling In Identity Services Engine 1.1?

Apr 18, 2012

How exactly does profiling work? How intelligent is the profiling engine, meaning: will it discover that one device has more than one different MAC and merge the entries in the database?

Example: This is in fact the same device; there is only one WLC-2500 in the network. If it can discover that, what needs to be configured on the ISE to do that?


Cisco AAA/Identity/Nac :: ACL 122 - Setup Identity Firewall On ASA Version 5.6 On DMZ Interface

Aug 27, 2012

I have set up an Identity Firewall on an ASA version 5.6 on a DMZ interface. I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]

where ashdew is a domain user and ACL 122 (only one line) is applied on the DMZ interface and NAT is properly configured. The ADAgent has been properly tested and the ASA can register to it. The ASA can connect to the AD DC controller and query the user database. I have placed a laptop with IP 172.17.h.x on the DMZ and can ping the DMZ interface.

The laptop cannot authenticate on the domain and the ASA does not seem to retrieve the user identity. Do I need to add extra rules in the access-list 122 to permit traffic to the DC? Can I check on the AD Agent if it can retrieve the user-to-IP mapping?








Copyrights 2005-15 www.BigResource.com, All rights reserved