Cisco AAA/Identity/Nac :: Wp1430161 Downloadable ACL Dependent On User Credentials?
May 7, 2012
I have been reading article url....wp1430161 and I am trying to get my head around the type of port authentication Methods & Modes I am going to require for a Proof of Concept using a Cisco ISE as the Authentication Server.
The switchport will have a single IP Phone in a Voice VLAN and then a Single host in a Data VLAN. Reading this article, I think I should be configuring "802.1x" authentication method using "Single Host" Mode.
However will that support a Downloadable ACL dependent on the user credentials? And will it allow a restricted ACL to be downloaded if authentication of the Machine or the User fails.? I dont really want to create & manage Guest & Remediation VLANs with thier respective ACLs on every switch in my enterprise, including our remote branch offices.
View 1 Replies
ADVERTISEMENT
Nov 30, 2011
I have ACS4 and i am planning to upgrade to ACS5.I would like to have such a rules:I have user1, one ASA device which is VPN concentrator for remote users.ASA have two different tunnel-groups: one which allow for logging via certificate (with mandatory pki authorization thru ACS) with disabled Xauth,and second tunnel-group with allow login thru typical Xauth with authorization thru ACS which users external database (RSA Tokens).So i have one user1 which can login thru VPN using RSA tokencode or certificate.For example: on phone user1 uses certificate, and on PC station the same user1 uses token password.For tunnel-group with pki authorization ASA checks username in ACS and in typical scenario login="CN from certificate" and password="CN from certificate". So we would need "two credentials" for the user - one for pki authorization, and second one external database (RSA token).Is such scenatio possible under ACS 5 ? where one user uses different credentials based on tunnel-group usage ?
View 2 Replies
View Related
Mar 6, 2011
I have configured 1841 router as VPN server. All VPN users are getting authenticated using radius in ACS 4.1 I need to apply per-user downloadable ACL.
I have configured ACS for the Downlodabale ACL. Even ACS report acivity shows that ACL is applied to the authenticated user, but the traffic is not blocked or passed accordingly.
View 2 Replies
View Related
Feb 20, 2012
How to upgrade from LMS 3.0 December 2007 update to LMS 3.1 or LMS 3.2. The problem is the large number of C2960S-24TS-L switches that my organization has and cannot managed them.. I tried to upgrade devices through Software Center but always Ciscoworks informs me with the following message."Error while downloading package information from [URL] for the selected products. See the log file for details". Also i can not run EOL/EOS inventory report. The message is " INVREP0102: Cisco.com user credentials are invalid. Enter correct credentials." I check my credentials and is right. The server has access to www through proxy without any restrictions. In the past I've already updated devices through the software center. Also in the past i ve run EOS/EOL inventory reports.The LMS 3.0 December 2007 has the following products LMS3.0.116 May 2008
CiscoWorks Common Services3.1.102 Jul 2009, 07:44:58 EEST2.Campus Manager5.0.511 Oct 2009, 07:36:10 EEST3.CiscoView6.1.702 Jul 2009, 07:45:05 EEST4.CiscoWorks Assistant1.0.102 Jul 2009, 07:45:05 EEST5.Device Fault Manager3.0.512 Jun 2010, 07:31:48 EEST6.Internetwork Performance Monitor4.0.102 Jul 2009, 07:45:11 EEST7.Integration Utility1.7.102 Jul 2009, 07:45:14 EEST8.LMS Portal1.0.102 Jul 2009, 07:45:16 EEST9.Resource Manager Essentials4.1.102 Jul 2009, 07:45:17 EEST
View 1 Replies
View Related
Feb 19, 2013
user can't login into domain with right credentials in active directory
View 6 Replies
View Related
Jun 20, 2011
I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
After setting up the WLC to use the ACS as a radius server, and successfully testing connection from the ACS to the AD, I get an error message " 12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" anytime a client tries to connect to the network.
This is surprising because I had already generated a certficate for the ACS from a CA and binded the CA signed certificate with the ACS, I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
View 1 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Oct 28, 2011
I have cisco catalyst 2960S switch. In this switch I have created the vlan 10 with member ports Gig 1/0/1, Gig 1/0/2 and Gig 1/0/3. What I want to configure is as follows.
- If any one of the port of this vlan 10 is turned down, then I want to shutdown entire van
- If Gi1/0/1 is turned down, then I want to shut down Gi1/0/2.
View 1 Replies
View Related
Jun 19, 2011
I'd like to set up a downloadable ACL from my ACS 5.2 server to be applied for users authenticating for just one of my SSIDs / WLANs.
I intend to use this primarily for mobile devices to allow them to go to any of my physical locations, connect to the same WLAN regardless of location and then get the same downloaded ACLs (filtered based off of destination port and address) applied in each case.
View 3 Replies
View Related
Jun 9, 2011
I'm am wanting to know how to configure Easy VPN server with downloadable ACLs on a cisco router 2811.
Indeed, I would like to set up a remote access vpn that uses radius for authentication of VPN clients. The radius server is connected to an Active Directory server that contains the log in / password. I would like to on the basis of the user who connects to the VPN, the ACL that define the services or servers to which this user can access is automatically applied on the router and define the rights of the users.
View 1 Replies
View Related
Nov 6, 2012
I tried to download the new firmware version (2.0.04) for Linksys x2000 hw version 1 Annex A: error 404 page not found.Same issue with 2 different machines on different internet connections.
View 3 Replies
View Related
Apr 5, 2011
We are running two ACS appliances but we cannot figure out how we can add a user into 2 differents groups.Here's the context :We have a company A which is having devices, this company uses Group A.then we have a company B which is having devices, this company uses Group B.But the admin has to manage the devices for both companies A & B.We don't want to mix devices from company A with company B.Is there a way to add the user into both groups A & B.
View 5 Replies
View Related
Jan 5, 2013
what is the maximum user IDs that I can create to the ACS server? The client have an ACS appliance with version 5.2.
View 2 Replies
View Related
Jul 26, 2011
We are using ACS 5.1 in our network. We have created users and grouped them as per the requirements. We want to restrict the user sessions in the network. A user should authenticate and able to access a network resource. But when he is active with that session, we need to block him from another successful authentication. We want to avoid multiple users using same user credentials for logging into the devices. whether this can be achieved by making configuration changes in ACS.
View 2 Replies
View Related
Jun 12, 2011
I have ACS 5.1.I have created the Identity Group 'Admin' and added 2 users in that, say User1 and User2.How do I permit only User1 to get authenticated when he logins in to the device?There is option to select 'UserName' while creating Service Access Policy , but I have observed that though I have mentioned only User1 in the rule, User2 is also getting permitted
View 1 Replies
View Related
Mar 29, 2013
i have cisco ACS 5.2 and want to create user account for technician, with only certain commands.
View 3 Replies
View Related
Mar 7, 2012
On the ACS ver5, there is a "User Change Password" feature. When i click the UCP WSDL, it gives me a page with WSDL language. how is it supposed to be installed? does it copy or install to any web server
View 1 Replies
View Related
Apr 28, 2011
My company's security group uses Tripwire to monitor for changes in start-config and running-config on network devices in PCI scope. We are migrating from ACS v4.2 to v5.2. I need to create the account for Tripwire on the ACS Appliance but did not want to assign the admin role which would give access to configure terminal. The user role does not have privileges for show start-config or show running-config. Am I missing something or are these the only 2 roles available at the CLI? Can another rolle be added?
View 1 Replies
View Related
Nov 12, 2012
I want to have a local user in ACS that is permitted to login to routers. I have TACACS with AD already working but cannot get a local user to work. I used to do this in ACS 4.x.I created a user in the internal identity store.I tried configuring a policy to allow this users TACACS authentication multiple ways to no avail. I cannot find a config example doc and cannot figure it out from the user guide as the documention is sorely lacking.
View 5 Replies
View Related
Jun 25, 2012
on the acs 5.2 , how to delete specific log for user X, ?
View 3 Replies
View Related
Feb 18, 2013
So we have this problem that just started, I can replicate the issue as well, if a user makes a mistake on typing there password after 1 attempt ACS sends 3 to AD locking out the user.
In a putty or secureCRT session after 1 password failed attempt, I am unable to retry with that same session.
The issue seems to be that after 1 bad password attempt, from the client side I am unable to get another try.
View 1 Replies
View Related
Sep 12, 2012
We are using ACS 4.2.1.15 with patch 8 on ACS 1113 SE box.
Our requirement is to assign ACS loal group to user on basis of windows Nt group. Which means I dont wants to create individual users in ACS rather when user will login, the auth request will be forwarded to AD(remote database). Depeneding on the remote database group the user should be mapped to local database.
For this I have configured "database group mapping" according to following cisco guide. [URL]
However when ever my AD users are authenticating they are getting the membership of default group as configured in "Default" profile. I am using TACACS+ protocol in my routers and switches for authentication.
whether "Group mapping by External user database" works with TACACS+ or only with RADIUS protocol. If it works with TACACS+ what else configuration need to be done so that my ACS can map users to proper groups instead of default group.
View 4 Replies
View Related
Sep 1, 2011
I am trying to setup up a rule to allow wireless access only to users in my AD when they use computers from my AD.I have Machine authentication working on it's own (computer boots up and connects to wireless - confrimed by ACS logs) I have User authentication working But when I try to creat the floowing rule:it does not work.
Access Policy
Access Service:
Default Network Access Identity Store:
AD1
Authorization Profiles:
DenyAccess
Exception Authorization Profiles:
Active Directory Domain:
[code]....
Everything seem to fine until it gets to the last rule.
View 1 Replies
View Related
Oct 11, 2011
I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory. Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired. Do you now how to configure ACS to permit password changing?
View 5 Replies
View Related
May 8, 2012
we have created some administration accounts which should only have the possibility to work on the user database. the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.
View 4 Replies
View Related
May 2, 2011
Migrating from 4.2 to 5.2 acs and have noticed there is no expiration date per internal user added. We expire users at different times due to their time on site. Is there something that has to be added to get back this basic feature we had before?
View 6 Replies
View Related
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
View 5 Replies
View Related
Jun 11, 2011
I am trying to create a user restriction to allow one user to access only two networks (10.192.3.0 and 10.192.5.0) I have range of networks but I want to permit only two networks for limited user and full access for the admins. I know this was possible with ACS 3.3 but I am not too sure if this is also applicable with ACS 5.2.
View 1 Replies
View Related
Jun 5, 2012
Can use ACS 5.2 as Guest user authentication server?
View 3 Replies
View Related
Apr 12, 2013
I am using ISE 1.1.3.124.My first question:I want to know the relation between the attribute "WasMachineAuthenticated" and the MAR (MAchine access restriction in advanced setting for AD).Is-it the same or not ?Once you time out, you need to do machine auth again. What is the timer ?Using the attribute "WasMachineAuthenticated", is-it the same timer that you configure in MAR ? In a distributed environnement, is the information about machine previously authenticated replicated to all policy node ?Because, if a swicth has 2 radius-server, we are not sure that it will point everytime to the same server.
View 1 Replies
View Related
Jun 7, 2011
how I can assign a static IP to a user in ACS 5.2. I am able to do it in ACS 4.2, but I don't see the same options under 5.2. General idea is that users authenticate from our VPN appliance via RADIUS, and upon authentication, their static IP is passed back to the VPN device. I can attach an arbitrary field to my local users by going to System Administration -> Configuration -> Dictionaries -> Identity -> Internal Users, but how do I get that IP address passed back when the user is authenticated via Radius?
View 1 Replies
View Related
Dec 12, 2011
I have an ACS 5.2 server integrated with Active directory . Now i need to create an internal user account to login to some radisu devices using internal user database .I have near about 600 users all are authenticating through AD .
View 3 Replies
View Related
Nov 29, 2011
I want to export the ACS local user's records.Then import to other ACS5.3 server.But the export file not the user's password record.I cannot import it well....
View 1 Replies
View Related
