Cisco AAA/Identity/Nac :: Configure ASA 8.4 To Communicate With AD Environment Using LDAP Secure?

Jul 30, 2012

I'm trying to configure an ASA to communicate with an AD environment that is only using LDAP Secure (LDAPS). I've configured authentication to ASA's with LDAP lots of times, though never with LDAPS.
 
Presumably there is a procedure to install a certificate in the same way as an RSA sig in VPN.

View 3 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: ACS 5.1 Configuring LDAP With Secure Authentication?

Mar 15, 2012

I am setting up an LDAP identity store over ldaps in ACS 5.1.  I specify that the connection uses secure authentication and provide the Root CA certificate.  When I hit "Test Bind to Server", I get this error message in a popup window: "Connection test bind Failed :server certificate not found"Is this saying that ACS can't find the CA certificate uploaded, or does it mean the actual certificate presented by my LDAPS server during the bind test? 

View 2 Replies View Related

Cisco AAA/Identity/Nac :: LDAP Or AD For External Database - Secure ACS 5.2

Sep 27, 2012

I am working on project with Secure ACS 5.2.  I am trying to determine the proper External Database to use.  LDAP or direct to AD?
 
Additionally, the Domain that I am connecting to has Multiple sub domains.  All of the users are currently in the Sub domains, but will be moving to root domain later.  How should I configure the connection, do I need to connec to each sub domain or can I just connect to the root?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: How To Configure Airespace In Secure ACS V5.3

Mar 10, 2013

Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with Cisco Airespace. It is only working on ACS4.1 but when we tried to move it to Cisco Secure ACS v5.3, it is not working.

View 7 Replies View Related

Cisco :: WLC 5508 Support Of Secure LDAP Using TLS?

Oct 23, 2011

I have seen that the current WLC software release, 7.0.116.0, does not support secure LDAP using TLS. Are there any plans to incorporate this feature? (I've read that it was supported in previous releases to version 4.2). Is it in the roadmap of the product?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Conditon
LDAP:Externalgroups groupname1
Result
Identitygroup1
 
I have the default group set to a identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group.This occurs when I log on as a groupname1 user, groupname2 user, or as user that is not a member of either of those groups. LDAP authentication works and the user is able to logon to the device.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 802.1x / ACS In The Active Directory Environment?

Nov 9, 2011

question 1. in the typical active directory environment and doing wireless/wired 802.1x authentication on endpoints, should ACS join as a domain computer? 
 
question 2. for the endpoint (domain computer) join the domain, in this case is the endpoint will trust the ACS ( also domain computer) ?
 
question 3. what if there's a GPO policy to install the rootCA certificate toward the endpoints. In this case,  ACS should issue the CSR and let the domain CA to signed as the identity certificate? Am i correct?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Integration With LDAP?

Jun 22, 2011

provide me  Step by Step procedure for integrating LDAP with ACS 5.2 .

View 1 Replies View Related

AAA/Identity/Nac :: ASA 8.3 LDAP Authentication For SSL VPN

May 16, 2011

I am having a problem getting an ASA running 8.3 to authenticate an SSL VPN directly against an LDAP on Windows Server 2003.  I have changed the read access on the Active Directory to allow Annonymous to read it.  I think I am missing something on the ASA config.  I have the Server Group specified with the address of the correct server but nothing else really configured. 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ISE 1.1.1 With Domino LDAP Integration?

Oct 23, 2012

know about Domino LDAP ? I would like to integrate this LDAP with Cisco ISE.I try to bind this LDAP but it does not show me anything in "Naming Context". So I cannot choose group to map into ISE.I test this on WLC. It is success to do but cannot make the same thing with Cisco ISE.Is this LDAP supports with Cisco ISE 1.1.1 ?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Use LDAP IS For One SSID And Use HOST IS For Another

Jul 31, 2012

I have 2 SSIDs on WLCs.I would like to have 1 SSID point to the acs radius using LDAP store and the 2nd SSID point to the acs radius using the host identity store for mac filtering.both scenarios are working, but not together.if I adjust the rule order I can get one SSID, but then the other fails. [code] It seems to me that there should be a simple process to make this happens. I thought if the rule is not matched it would move on to the next rule etc.I might be able to live with first checking ldap and if that fails move on to the local host db, but that seems ineficient. url...

View 3 Replies View Related

Cisco AAA/Identity/Nac :: How Can LDAP Client Connect To ACS 5.2

May 8, 2011

I have an CS-ACS appliance with 5.2.0.0.26.3 version. There is not any direct solution for connect ldap client to server. I have 3 servers that have only ldap and for authentication I can not use radius or Tacacs+. I need a solution for this problem. How can LDAP Client  connect to ACS when it has only ldap protocol?

View 1 Replies View Related

AAA/Identity/Nac :: ACS 5.2 Local Authentication With LDAP?

Sep 13, 2011

is it possible to validate the ACS Application Accounts against an external repository like LDAP? I have found that LDAP can be used only as Identity store to authenticate users on AAA clients and Network devices.

View 0 Replies View Related

AAA/Identity/Nac :: ASA 5510 - LDAP Authentication

Mar 2, 2011

I have a problem with LDAP authentication. i have an Cisco Asa5510 and windows 2008 R2 server. i create LDAP authentication.
 
aaa-server LDAPGROUP protocol ldapaaa-server LDAPGROUP (inside) host 10.0.1.30 server-port 389 ldap-base-dn dc=reseaux,dc=local ldap-naming-attribute sAMAccountName ldap-login-password ***** ldap-login-dn CN=user,OU=Utilisateurs,DC=reseau,DC=local server-type microsoft
 
but when i test, i have an error (user account work directly in server)
 
test aaa-server authentication LDAPGROUP host 10.0.1.30 username user password *****
INFO: Attempting Authentication test to IP address <10.0.1.30> (timeout: 12 seconds)ERROR: Authentication Rejected: Unspecified

View 11 Replies View Related

Servers :: Configure Linux Server With LDAP?

May 31, 2011

the linux server should be configured with LDAP, so that any user should not login into that machine by local user credentials but by his intranet credentials.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 EAP-TLS Binary Certificate Comparison Via LDAP

Feb 9, 2012

i have a wireless deplyoment with WLC 5508, ACS 5.2 and several AD connected by LDAP. It is required that users are authenticated by certificates additional the user should only get access to the wireless environment when the user is found in a certain security group in the Microsoft AD forrest. The certificate based authentication is working without any problems, except the lookup into the AD isn't working. Here are the Details of the "Evaluting Identity Policy"

Evaluating Identity Policy
15004  Matched rule
22037  Authentication Passed
22023  Proceed to attribute retrieval
24031  Sending request to primary LDAP server
24016  Looking up user in LDAP Server - Alex Dersch
24008  User not found in LDAP Server
22015  Identity sequence continues to the next IDStore
24209  Looking up Host in Internal Hosts IDStore - Alex Dersch
24217  The host is not found in the internal hosts identity store.
22016  Identity sequence completed iterating the IDStores
 
but the user can access the WLAN just without verifying the user in the AD.
i tried the to enable Binary Comparisation but then the Authentication is not working any more. I get the same Identity Policy result as above.
 
i configured the Binary Comparisation as below:
 
I though with the binary comparisation i'll be able to verify the existance and the status of an user in the Active Directory.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 LDAP Authentication With Apple Mac OS X Server?

Jan 24, 2012

Does Cisco Secure ACS 5.3 support LDAP authentication with Apple Mac OS X server? One  of our clients require an access control system. The major portion of  the network consists of Apple Mac OS X 10.7 (Lion) Server and clients.  They were using MAC-address based authentication along with LDAP through  Cisco Wireless LAN Controller. But now the number of users has exceeded  the maximum number of MAC addresses supported by WLC (2048). Hence we  suggested ACS appliance to overcome the limit. My doubt is whether ACS  5.3 appliance can communicate with the Mac server and perform LDAP  authentication.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: To Login 1841 By Using LDAP Account

Jan 14, 2010

I've set up a ACS 5.1 Server an want to use it with our LDAP System. Therefor, I'm trying to login to a Cisco 1841 by using my LDAP Account, but it dosent work. The ACS seems not to know that it should use LDAP, because I get,"22056 Subject not found in applicable identity stores"LDAP is configured as Identitiy Store, the bind test works successfully and I created a sequence, where LDAP is at first position. What goes wron?? (TATACS for loal ACS Users works)

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5520 - VPN Access Control Using LDAP

Mar 13, 2011

I am configuring an ASA 5520 for VPN access.  Authorization & Authentication use an LDAP server.  I have the tunneling configured successfully, and I can access internal resources.  What I want to do now is to restrict access to a specific AD Group membership.  In the absence of that group membership, a user should not be allowed access to the VPN.
 
My test VPN client software is Cisco Systems VPN Client Version 5.0.05.0290.  The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
 
The Software Version on the ASA is 8.3(1).
 
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. 
 
[URL]
 
The configuration (AAA LDAP, group policy, and tunnel group) is below.
 
aaa-server LDAP protocol ldapaaa-server LDAP (inside) host x.x.y.12      server-port 636      ldap-base-dn dc=domain,dc=com      ldap-scope subtree      ldap-naming-attribute sAMAccountName      ldap-login-password ********      ldap-login-dn

[Code].....

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 To Use Local Database When LDAP Fails

Mar 22, 2011

i'm trying to configure acs 5.2 to LDAP external idenity store, when LDAP failes ACS 5.2 should use internal indenity store. I configured A sequence to use LDAP 1st then Internal and i shut off the link to the LDAP but ACS will not use internal,  AAA Diagnostics keeps telling me that Cannot establish connection with LDAP server and will not use the internal store.

View 7 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Additional LDAP Attribute Retrieval

Aug 28, 2012

I'm authenticating users against Active Directory and want to also check additionals attributes from LDAP. In ACS 5.3. it was possible to set this up via External Identity Sequence, but in ISE I don't see this possibility. I can set sequence only for authentication, but not for additional attribute retrieval.
 
When I set a condition in a policy that an LDAP attribute must match with some value, the attribute is not retrieved and autorization ends on default Deny Access.

View 17 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 LDAP Group Search Error?

May 9, 2012

I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search.  The error I get is below
 
22037  Authentication Passed
22023  Proceed to attribute retrieval
24032  Sending request to secondary LDAP server
24016  Looking up user in LDAP Server - testuser
24004  User search finished successfully
24027  Groups search ended with an error
24034  Secondary server failover. Switching to primary server
24031  Sending request to primary LDAP server
24016  Looking up user in LDAP Server - testuser
24004  User search finished successfully
24027  Groups search ended with an error
22059  The advanced option that is configured for process failure is used.
22062  The 'Drop' advanced option is configured in case of a failed authentication request.
 
Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login. 

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 / PEAP (EAP-GTC) Machine Authentication With LDAP?

Aug 19, 2012

Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
 
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
 
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
 
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.

View 18 Replies View Related

Cisco AAA/Identity/Nac :: WLC 4402 - Authenticate With Novell LDAP Through ACS 5.2?

Aug 2, 2011

I'd like to configure wireless access from winXP to authenticate with our corporate Novell LDAP through ACS

Setup:
WinXP SP3 --> WLC 4402 --> ACS 5.2 --> Novell LDAP
 
1. Our Novell LDAP server uses secure LDAP (port 636) to authentication user.On ACS 5.2, when we configure this option we need to select Root CA. Should the Root CA in ACS must be the same as the LDAP server's? (the LDAP's certificate issuer)
 
2. What kind of authentication that this setup supports? Does it support PEAP/MSCHAPv2 as in Windows Zero Configuration or it only supports PEAP-GTC, EAP-FAST, EAP-TLS (which means I have to use Intel Proset/Wireless software to configure).

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 Integration With LDAP For User Authentication

Dec 17, 2011

While configuring LDAP , I got struck in  “Step 3 - Directory Organization”. How to make this work? My aim is to make users authenticated from their windows domain usernames and passwords while they log in to AAA clients.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5520 VPN Users Are Authenticated Against MS-AD Through LDAP

Sep 1, 2011

I have 2 ASA 5520 (v. 8.21) in a active/standby fail over configuration.
 
VPN users are autenticated against the MS-AD through LDAP. For the most part this works well. Occasionally I'm having problems with new users in the AD. If I run a test I keep getting "User was not found". This can happen days after the account was created still. In some cases it never seems to work. The accounts I create exists on the same OU level as all the other accounts that are working.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: 5545 Ldap Mapping Is Not Working / It Allows All AD Users

Feb 28, 2013

I've configure Ldap authentication on ASA 5545 to allow only a certain user group. I mapped the the memberOf group but this seems not to be working as it allows all AD users. [code]

View 1 Replies View Related

Cisco AAA/Identity/Nac :: How To Setup ACS 4.2 As LDAP Server To Authenticate Devices

Sep 1, 2011

I have a ACS 4.2 under windows, I setuped it to authenticate routers by RADIUS and TACACS+  protocols. now I have some devices whitch know only LDAP protocol. How can setup ACS as a ldap server to authenticate those devices?>

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.2 - LDAP Authentication Works / Authorization Fails

Oct 24, 2011

I set up LDAP store pointing to a Windows domain and am testing authenticating users via an ASA.  In my LDAP config, its set for "Groups Objects refer to subjects" and I selected usernames in the drop down.  I also added a a Global Group to the Directory groups tab in the LDAP store that I created.
 
Under my Access Polices, I created a rule that meets two condititons - coming from the ASA, and then I was able to select the group from the drop down box for my ldap domain.  As a condition, it shows up as DomainName:External Groups.  I set the permission to Permit Access.
 
Originally, I was failing authentication and I was receiving Subject Not Found in Store.  I adjusted the Identity Sequence and now I receive a the following error:
 
15039:  Selected Authorization Profile is Deny Access.  So it must not be associating my account with the group with the Permit Access and using the Default Permissions.So it does match the correct Access Service, and Identity Store.

View 1 Replies View Related

Possible To Configure 2 VLANs To Communicate With Each Other On Same Switch?

Oct 27, 2012

How is it possible to configure 2 VLANs to communicate with each other on the same switch? I have managed to create 2 VLANS and they both work (and can access the internet), but they can't communicate with each other.VLAN1 has an IP range starting 10.4.160 and VLAN2 has an IP range starting 10.6.192.Is it VLAN routing that I'm looking for? My switch is Netgear GSM7328FS.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5505 Does Some LDAP Attribute Mapping To Get Group Membership For DAP

Dec 21, 2012

I have a working ASA 5505 that is used for remote access.  It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP.  This is all working fine however recently I enabled IPv6 to do some testing.  I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks.  DNS client is enabled in the ASA and all the authentication servers are entered as hostnames.  The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records.  My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).

When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working.  I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers.  From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses.  When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
 
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly.  I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6.  Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this.  I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
 
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6?  Just guessing at the moment as I haven't managed to get a LAN capture. [code]

View 1 Replies View Related

AAA/Identity/Nac :: ASA5510 - WEBVPN User Authenticated Through LDAP Failure?

Feb 28, 2013

I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
 
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started

[Code]......

View 0 Replies View Related

Netgear GSM7328FS - To Configure 2 Vlans To Communicate

Oct 27, 2012

How is it possible to configure 2 VLANs to communicate with each other on the same switch? I have managed to create 2 VLANS and they both work (and can access the internet), but they can't communicate with each other.VLAN1 has an IP range starting 10.4.160 and VLAN2 has an IP range starting 10.6.192.Is it VLAN routing that I'm looking for?

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved