Cisco AAA/Identity/Nac :: Multiple Instance Of Custom Attributes ACS 5.x?

Nov 27, 2011

Is there a way to have multiple instances of user custom attributes and insert those as multiple instances of the A/V pair in the authorisation profile in ACS 5.2/5.3? Background: We have to migrate an ACS 4.2 to 5.3. In ACS 4.2 our client used the multiline attribute
 
Number
#Name
#Description
#Type of Value
#Inbound/Outbound

[code]....

to specify multiple routes to various networks in the RADIUS reply, specific for every single PPP username of routers dialing in. Using the internal user database, extended by a string attribute, and using that attribute as the source of a dynamic value in the access policy works basically. But as I have only ONE single-line instance of the attribute for every user, I can only return ONE framed-route. We have lots of cases where multiple routes have to be assigned to one router. I'd like to avoid defining a separate access profile for every remote RAS router for external PPP dial-in... [URL]


Cisco AAA/Identity/Nac :: ACS 5.3 - Custom Attributes And Wireless Groups?

May 13, 2012

I have been tasked with migrating from ACS 4 to ACS 5.3. I haven't had any training and so I am finding it a bit different. Currently I have this issue:
 
I have a group in the ACS 4 for users accessing via wireless on the ACS - Code...


Cisco AAA/Identity/Nac :: ACS 5.2 - Adding Custom Attributes For Juniper Netscreen TACACS+?

Aug 9, 2011

I am trying to add custom attributes for Juniper Netscreen TACACS+ authentication to a v5.2 ACS. The advice is to add it to the group as follows:
 
service = netscreen {
vsys = root
privilege = read-write
}

I know how to add this to a version v4.x ACS.

However, I do not know how to apply this to the custom attributes on a v5.x ACS. Do I add the vsys and privilege attributes separately or together? What should the attribute name be? netscreen? Should it be mandatory?


Cisco AAA/Identity/Nac :: 3395 - ISE Not Identifying AD Group Attributes When Using Multiple ISE

Oct 2, 2012

So we have multiple ISE servers with differing personas. I was having an issue with our new ISE setup not identifying AD group attributes when using them in authorization rules. We have two 3395 appliances running Admin and Monitoring/Troubleshooting personas and two 3395 appliances running as Policy Server personas. We are running v1.1.1.268 with the latest two patches. I was unable to pull Active Directory group attributes in any of my authorization rules. After resyncing all the boxes with the Primary Administration box I was able to do this. There are no bug listings for this occurrence, nor do we have Smartnet to call support for other reasons.


Cisco AAA/Identity/Nac :: 1120 - Registering ACS 5.2 Instance To Primary

May 29, 2013

When attempting to register an ACS instance to a primary (via System Administration -> Operations -> Local Operations -> Deployment Operations), I receive the following error as a popup in my browser:
 
"This System Failure occurred: /opt/CSCOacs/db/acs.crt (No such file or directory). Your changes have not been saved. Click OK to return to the list page."
 
I had 2 ACS 1120 appliances clustered, 1 suffered a hardware failure about a year ago so I replaced it with a VM. That one is now the primary. I'm now wanting to replace the secondary instance (the remaining 1120 appliance) with a VM as well. I removed the current appliance from the network, installed the VM using the same IP address, and attempted to register. It failed as per the above error. After trying this a number of times, I then decided to return the 1120 appliance to secondary status and attempted to register it with the same results as above.


Cisco AAA/Identity/Nac :: ACS 5.4 - Audit Logs Operated By Secondary Instance?

Mar 28, 2013

I'm using ACS 5.4p2 within a distributed system: one primary and one secondary instance. For now, the primary instance is acting as the Log Collector server and I can see all AAA audit logs.

When the primary instance fails I can authenticate successfully using the secondary instance. However, when the primary instance comes back, I'm not able to see any audit logs operated by the secondary.


Cisco AAA/Identity/Nac :: Maximum Number Of AAA Clients Supported By Single ACS5.3 Instance

Aug 7, 2012

What is the maximum number of AAA clients supported by a single ACS 5.3 instance?


Cisco AAA/Identity/Nac :: ACS 4.2 - Add RADIUS Attributes

Mar 17, 2012

I want to add a Radius attribute for Radware devices, so I will have the option to grant "read only" permission to users. As I understand it, I need to add a VSA for the "read only" permission, or configure a specific "Service-Type value 255".
 
In the following picture you can see the required information from Radware:


Cisco AAA/Identity/Nac :: Add OPNET Radius Attributes In ACS 4.2

May 16, 2012

I need to add OPNET Radius attributes in ACS 4.2. How should I add a new VSA in ACS? The Google search is pointing me to CSUtil.exe, and I cannot find this utility in the ACS install files. These are the values that I need added for OPNET. When configuring the RADIUS server to support the ACE Live Appliance, use the following Vendor Code and Vendor Specific Attribute (VSA): Vendor Code: 7119, VSA: 33.


Cisco AAA/Identity/Nac :: ACS 5.2 / 5.3 Configuring Packeteer Attributes

Oct 9, 2012

We have found the following issue configuring RADIUS attributes for network access with Packeteer appliances. With the Packeteer-AVPair attribute, value --> access=touch, login fails and we see this:
 
PacketShaper# radius login user password
"user" RADIUS Authentication Fail
Vendor-Specific: ccess=touch  <--- value is bad
 
Packeteer is not receiving the vendor-specific value correctly. As a workaround, we put another character before the value -- xacces=touch
 
PacketShaper# radius login user password
"user" RADIUS Authentication OK
Vendor-Specific: access=touch


Cisco AAA/Identity/Nac :: Add RADIUS Attributes Under Group Setup In ACS 4.2

Jul 5, 2012

I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?


Cisco AAA/Identity/Nac :: ACS 5.1 - Specific RADIUS Attributes For IP Phones

Mar 28, 2011

I am doing MAB (MAC authentication bypass) for IP phones and printers.
 
But these devices are authenticated with different identity stores (IP phones with AD, printer local host on ACS)
 
Are there any specific AV Radius attributes that I can use in the compound condition selections which are specific to the IP phones?
 
So when doing the authentication, I could separate each type (IP phones or printers) with the appropriate database.


Cisco AAA/Identity/Nac :: ACS5.1 - AD And RADIUS Attributes Mapping

Aug 18, 2010

I'm trying to dynamically assign IP addresses for VPN users from AD (without the IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51") but I'm not exactly sure what I can and can't do with it. In "Authorization Profiles", in the RADIUS Attributes tab, I try to manually add a specific attribute (Framed-IP-Address).
 
I have no problem (everything works just fine) with static address assignment in a way as below:

AD is already integrated with ACS and I've managed to download directory attributes, especially msRADIUSFramedIPAddress.
 
When I change "Attribute Value" from static to dynamic type I see the option to select AD (but "Select", which should list all available attributes, is empty).
 
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it.


Cisco AAA/Identity/Nac :: ACS 5.1 Authorization Profile / RADIUS Attributes

Jun 1, 2011

I am setting up Radius AAA for a Cat6K switch. For authentication it works and the user can log in to the switch. But the privilege level assignment does not work. After logging in, I always get privilege 1. I need your guidance on how to configure the RADIUS attribute on ACS 5.1. I followed the document to configure the cisco-av-pair to assign Privilege 15 and Privilege 5, but it does not work. The attribute format shown in the document to set Privilege 15 is "shell:privlvl=15". Is this the correct way of configuring it on ACS 5.1?


Cisco AAA/Identity/Nac :: ACS 5.3 - Radius Attributes And Device Administration / Shell

Sep 18, 2012

Under 'Policy Elements/Authorization and Permissions/Network Access/Authorization profiles' I have defined a profile and the following attribute:

Attribute = F5-LTM-User-Role
Type = Unsigned Integer 32
Value = 300
 
My question is: How can I define the same as above using 'Device Administration/Shell Profiles'?

There is a Custom Attributes tab but I cannot figure out how to specify the 'Type' field. (Under the Custom Attributes tab there is only space for 2 fields and not 3 fields.)


Cisco AAA/Identity/Nac :: ACS 5.2 RADIUS Authentication Based On IMEI And MSISDN Attributes

Apr 19, 2011

I've been working on trying to get RADIUS authentication working for devices connecting to our corporate mobile APN. Our APN provider sends us Username & Password attributes which I can authenticate fine using ACS 5.2, but I'm having a problem using other attributes sent in the Access-Request. We have mobile SIM cards with an MSISDN value matched with a physical device with an IMEI value. The SIM cards cannot be used in other devices, only their matched device. The provider passes us the MSISDN attribute under RADIUS-IETF 31 and the IMEI under a VSA of 3GPP-IMEI.
 
What is the best way of being able to authenticate a user and match the MSISDN and IMEI associated to that user?


AAA/Identity/Nac :: ACS 5.3 RADIUS Authentication Based On IMEI & MSISDN Attributes

Jan 9, 2012

I'm trying to find out the options for authenticating remote users via IMEI and MSISDN values via ACS 5.3. I'm unfamiliar with the Radius attribute options here and what kind of request/response we can utilise. Also, previously I could define IP pools on ACS 4 but can't seem to do that now. Is there a way to have ACS 5.3 provide a DHCP server address for the connection?


Cisco Routers :: RV180 / Setup Custom Service That Contains Both Multiple Disjoint Ports?

Jul 11, 2012

I have an RV180 and I'm trying to set up a custom service that contains both multiple disjoint ports (some UDP, some TCP), as well as a TCP port range. This has led me to a couple of questions. 1) Is it even possible to have a single custom service with disjoint ports? Is it just going to be necessary to define multiple partial services for this? 2) Is it possible to forward a range of ports? It's clear how to define a service with a port range, but the port forwarding table interface only allows me to select one LAN-side port for any service. Is there a secret notation that I need to use here that will just forward to the same LAN-side port as the WAN-side port, effectively one-to-one NAT forwarding, but just for the selected service?


Cisco AAA/Identity/Nac :: How To Configure Custom Attribute ACS 5.1

May 30, 2011

I want to configure RBAC for ANM 4.2 using TACACS+ and ACS 5.1 [code]

When the admin user logs in, this policy element is triggered, but the Role is not sent back. How do I configure the Custom Attribute?


AAA/Identity/Nac :: ACS 5.1 Custom Smtp Port Number?

May 31, 2012

I have an ACS 5.1. My mail server does not run on the standard SMTP port number (25). I need to know if I can customize the port number to suit my mail server's requirement.


Cisco VPN :: ASA 5520 / Error / Split Tunnel Attributes(51) Greater Than Max Allowed Split Attributes(50)

Jul 21, 2012

We have an ASA 5520 acting as the VPN server and a Cisco 1941 router as EZVPN client. For the last few days the client has not been able to establish a VPN connection. The 1941 router is continuously generating the log messages below:
 
001569: Jul 22 12:19:05.883 ABC: %CRYPTO-4-EZVPN_SA_LIMIT: EZVPN(VPNGROUP) Split tunnel attributes(51) greater than max allowed split attributes(50)
 001574: Jul 22 12:19:07.835 ABC: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=vpn_user  Group=VPNGROUP Client_public_addr=<client public ip>  Server_public_addr=<server public ip>
 004943: Jul 22 11:32:42.247 ABC: %IP_VFR-4-FRAG_TABLE_OVERFLOW: Dialer1: the fragment table has reached its maximum threshold 16


Cisco AAA/Identity/Nac :: ACS 4.2 Tacacs Custom Attribute For Nexus 1000V

Jul 18, 2011

How do I add a TACACS custom attribute to ACS 4.2 for Nexus 1000V:

shell:roles="network-admin admin-vdc"

In the interface configuration I've added a new service: service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.


Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how I'm configured for the test; I have a local user defined and I'm trying to log into the firewalls.
 
- Identity Definition: Screen shot of the main ACS definition for the rule I'm testing that's not working.
- Identity Rule 1: The configuration of rule 1 that, if it fails, I need to move on to rule 2.
- Log Output: Screen shot for one of the failed attempts from the ACS View log server.
 
The reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand-held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into network devices to issue some commands (examples: Cisco Prime LMS and NCS, Infoblox NetMRI).


Cisco AAA/Identity/Nac :: ACS 5.3 Connect To Multiple Identity Stores

Aug 15, 2012

I understand that Cisco Secure ACS 5.3 supports integration with existing external identity repositories such as Windows Active Directory and LDAP servers. In fact, in my environment, my ACS 5.3 is now integrated with AD and RSA. My question here is: can Cisco Secure ACS 5.3 integrate with "multiple" Windows AD, LDAP, RSA servers etc.? If yes, is there a Cisco document stating this? The keyword here is multiple.


Cisco AAA/Identity/Nac :: ACS 5.2 - Multiple Identity Store For PEAP

Sep 25, 2011

I am trying to set up PEAP authentication for wireless users but I got stuck at the point where I have a single SSID and users are stored in different identity stores; some will be using Active Directory and some are locally created users on ACS. I created a separate service for wireless authentication and under that I am unable to create a rule to differentiate them by identity store. Any idea how to achieve this?
 
I tried creating identity selection based on role but it does not work, as for protocols like RADIUS PEAP/MS-CHAP, ACS does not look in another identity store once the user is not found in an identity store.


Cisco :: LMS 4.2 Sub-interface Not Available In Instance Selection

Apr 26, 2013

I have sub-interfaces created on the switch and they are in active (up/up) state, but these sub-interfaces are not available for selection in the instance window while creating the poller, and I am not able to monitor the traffic on these sub-interfaces in performance management.
 
LMS will not display the interfaces in the instance selection window if they are not active, but here the sub-interfaces are in active state and yet they are not available.


MySQL Server Instance Configuration Not Responding

Apr 30, 2012

I have done some searching, but I am unable to find a solution to this problem. I am wondering if there are any solutions that I was unable to find.


Cisco WAN :: Pair Of Nexus 5548 And 3750 Are Configured With MST Instance

Feb 8, 2012

I am having some issues with STP with the following topology. A pair of Nexus 5548 and 3750 are configured with MST instance 1. When I enable STP as MST on Dell switches, they do not recognise it and create a loop, but if we change to MST0 (only tried on one 3750 and two Dell switches in a triangle in the lab), it works fine. Do Dell switches only understand MST0? Can the Nexus 5548 support MST0 if we change from MST1, and what will the effect be?


Cisco Firewall :: 6500 - Passive FTP Through 2 FWSM Contexts Via VRF Instance

Mar 26, 2012

I'm having problems getting FTP to work through two FWSM virtual contexts which are connected via a vrf. All this is configured on a 6500 switch with the FWSM running 3.1(4)
 
CLIENT-----CONTEXT_1-------VRF------CONTEXT_2--------FTP_SERVER
 
At the moment we can make the control connection but when we issue commands the connection times out.
 
Looking at the logs we can see the initial connection made to the server on port 21 from the client, this is also seen on the second firewall context (nearest the FTP server). The data channel is then seen on the first context, made using high src & dst port numbers and initiated from the client, successfully passing the ACL/Inspection, then on the second context we see the connection being denied by the incoming ACL on the second contexts interface connected to the VRF instance.
 
The rules are identical on the contexts and have been made by copying and pasting the rule using CSM; we are using the predefined service group 'FTP-Group' which contains both tcp 20 & 21. FTP inspection is at default on both contexts.
 
We have tested with Win XP (capable of active FTP only) & Firefox 3.6.12, which is the connection we are seeing in the logs trying to do passive FTP.
 
Is this a problem with the contexts randomizing sequence numbers or TCP normalization? Or do we just have a problem with the inspection engine on one of the contexts? (I would have expected to see this on both contexts if it was a bug.)


Cisco AAA/Identity/Nac :: Multiple EAP Certificates In ACS 5.2?

Feb 10, 2011

I want to use multiple certs (enterprise certs and a Verisign cert) for authentication in wireless. Users that have their computer in the domain should use EAP-TLS, and PEAP (Verisign) is for users in the domain but on non-domain computers. I can only enable one certificate in System Administration -> Local Server Certificates -> Local Certificates to use EAP. I have installed both the enterprise and Verisign cert in the CA store under Users and Identity Stores and enabled the enterprise cert for EAP-TLS. The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the Verisign cert in local certificates, the enterprise cert gets EAP disabled and that authentication stops working and PEAP starts working.
 
Is ACS 5.2 only able to have one certificate enabled at a time for EAP?


Cisco AAA/Identity/Nac :: ACS 5.3 Multiple AD Domains

Aug 9, 2012

I do have a quick question about Cisco ACS 5.3 and multi domain authentication. How is it exactly handled?
 
Can I join more than one domain with the ACS server? Or do I still need to configure that bidirectional trust relationship between those AD forests (even with the ACS 5.3)?


Cisco Switching/Routing :: 4500 Max Spanning-tree Instance When Merging Networks

Feb 23, 2013

I have been tasked with migrating 24 access switches from their current distribution switches, a stack of 2x 3750s, to their new 4500 distribution switches, ideally with no downtime. My plan for this was to connect the 4500s to the 3750s and create replica VLANs on the 4500s, therefore spanning the L2 broadcast domain across both sets of switches.
 
Each one of the VLANs that had been created on the 4500s would have the STP bridge priority set to 4096 and 8192. When one of the uplinks from the access switches to the old 3750 stack is connected to the 4500s, as I understand it this should have an STP cost of 4 and move the old uplink into discarding, therefore passing traffic across the new link. This would then allow me to disconnect the old link and connect it to the second 4500 as the L2 traffic is spanned between all switches. Not ideal, but the only way I can see this working.
 
Once each of these switches has been moved, the SVIs and static routes will be moved from the 3750 stack to the 4500s. The problem I have is that I've run out of the available STP instances I can use; these 3750s all seem to be at 128 already, so as far as I know, if a loop was to be formed when the 128 allocation is hit, this would indeed cause a loop in the network. I have a total of 700 in-use VLANs to be spanned. I'm unaware how many instances of STP the 4500s can deal with, however I can bet it's not 700. 3000 logical interfaces I believe is the maximum I can see online with regards to how many STP instances the 4500s can use.


Cisco AAA/Identity/Nac :: ACS 4.2 - Delete Multiple Clients?

Jun 28, 2011

I've inherited some ACS appliances from another part of my organization.  I need to keep most of the settings but want to remove all the AAA clients; and preferably not one-by-one.  I don't see a way in the documentation and web searches have proven fruitless.

Copyrights 2005-15 www.BigResource.com, All rights reserved