Cisco :: Authenticating LMS 4.x Users Via TACACS+ On ACS 5.3.0

Jul 12, 2012

How to configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x set up and authenticating to Active Directory. I have changed the LMS 4.x authentication module to TACACS+. I have gotten past the user/password problem by configuring a local user in LMS 4.x. Now I am hitting the default rule in ACS, and the shell profile is Deny Access.




Cisco AAA/Identity/Nac :: ASA5510 / VPN Client And Clientless Users Not Authenticating With AD?

Oct 16, 2012

Web clients are receiving "login failed" messages and VPN clients are getting "disconnected by host" messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.


Cisco AAA/Identity/Nac :: ACS 5.3 / Authenticating Device Admin Users Against AD Specific Groups

Jan 28, 2013

I am using ACS 5.3. What I am after is setting user authentication against the existence of the user in a specific AD group, not just being a member of any AD. What is happening now is that users get authenticated as long as they exist in the AD; luckily they fail on authorization, as it is bound to a specific AD group.

How can I bind the authentication against a specific group in AD, not just using AD1 as the identity source?


Cisco AAA/Identity/Nac :: 7000 Setup Switch To Be Able To Authenticate Users With Tacacs+

May 2, 2012

I have a Cisco Nexus 7000 switch and a Cisco ACS 5.2. I would like to set up the switch to be able to authenticate users with TACACS+ using RSA SecurID tokens when they try to log on to the switch.


Cisco AAA/Identity/Nac :: ACS 5.x TACACS / Radius Password Policy Profile For Different Users

Sep 4, 2012

I just came across a requirement to implement different password policies for different user groups.

I can see that System Configuration > User > Authentication Settings has only a global option to set the password complexity and the number of days for an active user, but I need this feature to be per user/group.


Cisco Wireless :: OEAP 600 Not Authenticating

Feb 18, 2013

We have a Cisco 5508 OfficeExtend in the DMZ running code 7.3.112. 1132 APs seem to register and authenticate fine, but the OEAP 600 series don't seem to authenticate. They seem to join the controller and download the SSID but just won't authenticate, not even registering on the AAA server.


Cisco :: Authenticating Windows 7 On AP1231?

Feb 23, 2011

We are starting to roll out a few Win7 devices. Even on our Guest WLAN, they are taking longer to authenticate on the AP1231 than WinXP. The APs are controlled by a WLC, which connects to NAC?


Linksys / Cisco Router Stuck In Authenticating?

Feb 3, 2013

Dell inspiron 1525 / Windows XP

Linksys/Cisco Router.

When trying to connect (wireless or wired), I can't get past the "authenticating" status. I have used this computer with the same router for 3 years. If there was ever a problem, I would unplug/replug the router. I am currently connected through my neighbor's unsecured network.


Cisco AAA/Identity/Nac :: 11213 NAC Clients Via ISE Authenticating

Apr 17, 2012

So if I set a static IP address it works fine, but if I turn off static, the machine authenticates fine but is not assigned to the access VLAN and does not get an IP address. Now, when I use static, I notice in the ISE live authentication logs "11213 No response received from Network Access Device" for the switch, even though it's configured correctly.


Cisco :: 1140 - Win XP Clients Not Authenticating Using PEAP

Apr 2, 2013

A customer has RADIUS running on a Win Server 2008 R2 machine, has autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method, the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to an MS hotfix under KB#885453, but it refers to "third-party RADIUS servers," not MS servers URL.


Cisco Wireless :: WAP4410n Authenticating To Active Directory?

Aug 22, 2011

I have a WAP4410n which I'd like to authenticate users against our corporate active directory. I would like to know how to achieve this - whether we require a dedicated RADIUS server, whether AD has a RADIUS engine which can be used, etc. Also, what would the pros / cons be of this setup versus using a WPA2 password?


Cisco AAA/Identity/Nac :: MC75 Motorola Handheld Not Authenticating With ACS

Jun 6, 2011

I have deployed a Cisco wireless environment at one of our sites. The problem is that the new Motorola handhelds (MC75) we are rolling out are not authenticating with the ACS. I have copied the same config as the existing wireless that was installed. The funny thing is we have another set of Motorola handhelds (MC70) that all use the same certificates and can authenticate without any issues. When I look at the ACS logs I get the following error: EAP-TLS or PEAP authentication failed during SSL handshake.


Dell :: Inspiron 6000 Non Stop Authenticating

Mar 15, 2012

My computer's inability to connect to the internet. It is a 2006 Dell Inspiron 6000 with a 1370 WLAN card. I just moved into a new house and was able to connect to my roommate's wireless connection with no problem. Then a couple of weeks ago we both lost our ability to connect. When we disconnected the router and modem and then reconnected, she was able to get on the internet again. I was unable to. A computer-savvy friend came over and through some finagling was able to get my connection going again. I might try cleaning my computer up and putting stuff onto an external hard drive. Since then I have tried some different stuff I have seen on the internet, such as ipconfig, to no avail; trying to repair the connections doesn't do anything.


AAA/Identity/Nac :: ACS 4.2 Authenticating 4710 ACE Appliance Failed

May 5, 2011

I've got a problem with Cisco ACS 4.2 authenticating a Cisco 4710 ACE appliance.

ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.

Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.

I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).

tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
  server xx.xx.xx.xx

aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin


Cisco :: AP1252 - Authenticating Client Computers Onto Wireless Network?

May 22, 2013

I am having problems authenticating client computers onto the wireless network using a Cisco AP1252 via radius
 
Setup:

I have a Cisco AP1252 wireless Access Point connected to a Cisco ASA5510 on subnet X.X.5.Z    The access point ip address is X.X.5.101

The ASA on another port is also connected to the wired network on a different subnet X.X.0.Z
 
On the wired network are two RADIUS servers, Ubuntu servers running FreeRADIUS, which are running fine and reliably authenticate wired users for SSH connections to the ASA and, importantly, to the AP1252 as well (the RADIUS servers' IP addresses are X.X.0.191 and X.X.0.192).

Problem:

When a wireless user tries to connect to the wireless network via the AP1252 after being disconnected from it for a while (or after waking from a long sleep), they are never authenticated. They just try over and over and never obtain an IP.

Interestingly, in such a case neither Ubuntu server shows any sign of receiving an authentication request from the AP. Both Ubuntu servers are running in debug mode so they show any activity; there is none.

Oddly:

If I try to authenticate a user wirelessly to the AP and leave it in the usual state of trying over and over (with no visible activity on the Ubuntu servers), BUT then go to a wired machine and attempt to authenticate an SSH connection to the AP1252 using a terminal command (ssh user1@X.X.5.101), THEN as soon as I hit enter on that request (and before I enter a password for the SSH connection) THE WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED (and the Ubuntu server shows the authentication activity for the wireless user).

I really do not understand this and cannot use this method to facilitate wireless user authentication.

What might be causing this behavior? It seems like the AP is sleeping and the wired SSH request wakes it up so that it sees the pending wireless user waiting and then acts on that, completing the wireless user authentication request.


Cisco Firewall :: Pix 6.3 DHCP Server - Authenticating To Active Directory On DMZ

Apr 28, 2011

I will set up a Dhcp server on the inside interface of my pix.  I would like to have the DHCP Server authenticate to the Active Directory Server that is located on the DMZ.
 
Inside --pix--dmz 
Inside interface
Win 2008 DHCP 
DMZ interface
Active Directory Server
 
What would be the issues that I could run into when I try to authenticate this server from the inside interface to the DMZ? I see that the dhcprelay option is available on the PIX 6.3; I'm guessing this is the only command that I need to use: dhcprelay enable dmz


Linksys Wireless Router :: WRT54GC Ver 2.0 Keeps Authenticating And Never Connects

Feb 18, 2012

I put a password on my WRT54GC ver 2.0. After that I couldn't access the internet. It keeps authenticating and never connects.


Cisco Wireless :: Clients Authenticating To 1231G Not Getting Assigned DHCP Addresses

Jun 24, 2007

Here at HQ we have a 4402 WLC. At our remote sites we have 1231G APs running in autonomous mode. I upgraded one of the APs (IOS 12.4(3g)JA) to run LWAPP. Per the release notes I've read, upgraded 1231s do not support REAP/HREAP mode; consequently, it's running in LOCAL mode.
 
The AP is managed by the WLC. I created a WLAN for the remote site and assigned it to the MGMT interface; the remote site subnet doesn't exist in HQ. The DHCP server for the remote site is presently at that site; AP and DHCP server reside at the same place.
 
Clients authenticate successfully to the remote site AP, however, they are not getting DHCP addresses assigned.  Does the DHCP server for the remote site have to reside in HQ since the AP is running in local mode? If so, where is that specified, on the MGMT interface config?


Cisco Wireless :: 1260 Root AP De-authenticating WGB Clients After 6 Minutes Of Inactivity

May 27, 2013

I have two 1260 access points: one is in root mode, one in WGB mode. Authentication is EAP-FAST. There are 5 devices connected via the WGB bridge to the rest of the network.

- If clients are sending some data, then the WGB AP announces this client MAC via IAPP to the root AP and the rest of the network sees them correctly.
- If clients are "passive", then after the WGB AP announces them to the root AP, they time out after 6 minutes on the root AP and obviously are not pingable from the rest of the network. The only way to restore connectivity is to ping that device from the WGB AP; then the WGB AP announces it via IAPP to the root AP, and then and only then do they become visible from the rest of the network.

My question is related to this 6 minute timeout on the root AP. Is it normal behaviour?


Cisco :: NCS TACACS Accounting Via ACS 5.4

Mar 4, 2013

If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made? I'm not getting anything in the TACACS accounting reports, and I don't see anywhere to configure TACACS accounting within the NCS GUI like I can on a WLC. I know that NCS has an internal audit trail, but if a user's account is both a local account on NCS and an account being authenticated through ACS, does the audit trail on NCS for that local user still contain the information about changes the user made? I ask because it looks like it does, but I want to make sure I'm not going mad. Here is my example:

Local account username: NCS_Admin2
AD account via TACACS username: NCS_Admin2

The audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.


Cisco AAA/Identity/Nac :: ACS 5.3 And TACACS + Authentication From VPN?

Mar 4, 2012

I have a Cisco ASA (8.2) set up with remote access for my users using the Cisco VPN client. The authentication is passed off to my ACS 5.3, which then checks with AD. What I've done so far is create an access policy rule where I define specifically the location and NDG where the ASA is, and then a DenyAllCommands command set. This should pass authentications just fine, but this also gives those users the ability to remote connect directly into the ASA and log in successfully. Even though there is a Deny Commands there, I still would prefer they get Access Denied as a message. If I do a Deny Access on the shell profile, then this stops the login authentication altogether.


Cisco AAA/Identity/Nac :: Cannot Authenticate AD For Tacacs ACS 5.0

May 24, 2011

I think I've got everything set up to authenticate against AD for TACACS+ device logins. When I check the logs, I see: "24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly; however, if I enter the password correctly for the same AD user, there is no log at all: no pass, no fail.

If I look at the TACACS debugs on the switch, I see the following:

May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERROR
May 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown

Obviously the switch is communicating with ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD, since it knows when I put in an incorrect password for the specific user.


Cisco VPN :: Client Tacacs+ Authentication On ASA5510?

Mar 25, 2011

Where can I locate a sample, working configuration of TACACS+ authentication on the ASA5510?


Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to log in on the NCS it fails; in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....


Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS For Network Access

Feb 27, 2011

I found that TACACS should be available for network access with ACS 5.2: (url). But when I try to create a rule to allow PPP authentication against the TACACS server, I get an error.


Cisco Wireless :: 5508 - Tacacs Not Working

Oct 24, 2011

TACACS is not working for 3 new 5508 WLCs; it's working fine for 6 old 4400 WLCs.

Before the 7.116 code upgrade I remember the 5508s were working on and off, and now they are not.

Same configs on the switch, WLC and ACS.

Debug on the WLC gives the below message when TACACS is attempted:
*aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus

Not sure why the statistics show zero? RADIUS is working for users.
 
(wlc03) >show tacacs auth statistics

Authentication Servers:
 
Server Index..................................... 1
Server Address................................... 10.3.121.21
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
 
[ Code].....


Cisco AAA/Identity/Nac :: To Configure MS ACS 4.1.1.23 To Allow Linux TACACS

Sep 20, 2011

I am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers. The servers are capable of TACACS, are using port 49 and have the correct shared secret. I believe I do not have the devices configured properly on the ACS side. These 2 servers currently use RADIUS, and we are getting bitten by the bug where the ACS application starts rejecting RADIUS authentication requests but still accepts TACACS requests.


Cisco :: CiscoWorks LMS 3.2 With TACACS Role Authentication?

Jan 4, 2011

I'm trying to get user authentication backed off to ACS 5.1. I've got it working, but not the way I'd like. This is using the TACACS settings, not ACS mode. I've created a local user in CW and assigned it to the correct roles, then created a user in ACS with the same name and a different password, and this works fine. My question is: can I set the roles on the TACACS server using a shell profile/custom attributes? All the documentation I can find is for ACS v4.


Cisco AAA/Identity/Nac :: ACS 5.x Tacacs Accounting Report

May 14, 2013

I am setting up reports for TACACS accounting on ACS 5.3. However, accounting only seems to work after entering enable mode on the switch. I would like to see all commands, even the enable command, when in privilege 1 mode.


Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS And JunOS Authorization?

Mar 4, 2012

I can get it to authenticate. I've read some posts on ACS 4.2 and authorization, but I don't find anything similar. I want to control down to what commands the authenticated user can run. I want the definition to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side, but if it can't be easily done, I'll change the JunOS side.


Cisco AAA/Identity/Nac :: ACS 5.3 / Tacacs Authorization Restrictions

Nov 14, 2012

ACS 5.3 is configured with two rules: one rule for standard level 15 access for the network engineers, and a second rule to allow some limited access to switches. The limited access account has enough command set access to change the VLAN on a switchport, so configure terminal, interface FAx/x and switchport access vlan x.
 
Switch configuration:     
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
 
Everything works well and the limited access users can only perform the commands i've setup.
 
Problem: The problem I've encountered is that when one of the network engineers makes a change that stops the device from being able to see the ACS server, it stops allowing any commands to be typed in the router/switch. Additionally, if you then connect to the device and log in with the local username and password, the device then waits for the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.

Question: Is there a way to set this up so the engineer logging in with full level 15 access doesn't have to have each command authorized by the ACS server, but still allow the limited access accounts to be able to make interface changes?


Cisco :: Sync Archive Failed LMS 3.2 Using TACACS

Mar 18, 2012

I am using LMS 3.2. In short, there are 2 types of router, 2800 series and 2900 series. These devices have already joined the TACACS server. When I try to sync archive I get:

- failed on 2900 series
- successful on 2800 series

I have done the same config (credentials, SNMP, protocol for sync archive) for those devices on CiscoWorks, so why do I get the error?


Cisco AAA/Identity/Nac :: Switches TACACS Or RADIUS With ACS 4.2

Aug 14, 2011

So far I have managed my switches with TACACS+; however, now I have to deploy 802.1X, which requires RADIUS only. For what I know, ACS (I'm using 4.2) allows defining a device using only TACACS or RADIUS, but not both. Am I right? Or is there a way to define an AAA client to communicate with the same ACS using both protocols?

Supposing I am right, I was then considering the following options:

- Configure all of the switches to use RADIUS for any service (authentication, authorization etc.). This simplifies the task, but I lose the TACACS+ services for the switches. Is this a big loss?

- Configure the L3 switches to use a second loopback, just for RADIUS services. This would allow me to still use TACACS+ but would require a new network just for the RADIUS service; furthermore, L2 switches don't support two IP addresses and would require a migration to RADIUS anyway.

A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever) at this moment.

The key point is this: reading around, I see Cisco documentation always recommending TACACS+ for management, but in this situation it is not possible. In general, every time the device has a network admission role (switch or access point), RADIUS seems to be the protocol of choice. Would moving to RADIUS have some major drawback, or is it only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: TCP vs UDP, encryption of the whole packet vs encryption of only the password.)

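The parenthetical at the end of the last post ("encryption of the whole packet vs encryption of only the password") is the one protocol-level security point on this page, so here is an added worked example, written for this page and not taken from any of the posts, from Cisco, or from ACS. It builds both wire formats with nothing but hashlib: the TACACS+ body obfuscation from RFC 8907 section 4.5 and the RADIUS User-Password hiding from RFC 2865 section 5.2, then shows which fields each one actually hides. It also decodes a TACACS+ authentication REPLY status byte, which is where the "received AUTHEN status = ERROR" and "ver=192" (0xc0, TACACS+ major version 0xc, minor 0) lines in the IOS debug quoted earlier on this page come from. The shared secrets, session ID, username, password, port and RADIUS authenticator are constructed values, not anything from the posts.

```python
"""Added example: TACACS+ body obfuscation (RFC 8907 s4.5) next to RADIUS
User-Password hiding (RFC 2865 s5.2). Both key an MD5 keystream with the
shared secret; only TACACS+ covers the whole packet body."""
import hashlib
import struct

# --- TACACS+ ---------------------------------------------------------------
TAC_PLUS_VERSION = 0xC0   # major 0xc, minor 0: shows up as "ver=192" in IOS debugs
TAC_PLUS_AUTHEN = 0x01    # header packet type: authentication
TAC_PLUS_AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no), each further block
    chained with the previous digest. Every byte depends on the shared secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    digest = hashlib.md5(prefix).digest()
    pad = digest
    while len(pad) < length:
        digest = hashlib.md5(prefix + digest).digest()
        pad += digest
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(user, password, port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    service=LOGIN(1), then four length-prefixed fields (user, port, rem_addr, data)."""
    fixed = struct.pack("!8B", 0x01, 1, 0x02, 0x01,
                        len(user), len(port), len(rem_addr), len(password))
    return fixed + user + port + rem_addr + password


def tacacs_authen_reply(status, server_msg=b"", data=b""):
    """Authentication REPLY body: status, flags, server_msg_len, data_len, payloads."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def tacacs_packet(ptype, seq_no, session_id, key, body):
    """12-byte header (flags=0, so TAC_PLUS_UNENCRYPTED_FLAG is clear) + obfuscated body."""
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, seq_no)


def tacacs_reply_status(packet, key):
    """De-obfuscate a REPLY with the shared secret and name its status byte."""
    _ver, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = tacacs_obfuscate(packet[12:12 + length], session_id, key, seq_no)
    return TAC_PLUS_AUTHEN_STATUS.get(body[0], "UNKNOWN(0x%02x)" % body[0])


# --- RADIUS ----------------------------------------------------------------
def radius_hide_password(password, secret, authenticator):
    """c1 = p1 XOR MD5(secret|authenticator), c_i = p_i XOR MD5(secret|c_{i-1});
    the password is NUL-padded to a multiple of 16 bytes first."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return out


def radius_reveal_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password (chains on the hidden chunk); strips padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_access_request(ident, user, password, secret, authenticator):
    """Access-Request: code 1, id, length, 16-byte Request Authenticator, then
    User-Name (type 1, sent in the clear) and User-Password (type 2, hidden)."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


if __name__ == "__main__":
    # Constructed values; none of these come from the posts on this page.
    user, password = b"netadmin", b"Sup3rS3cret!"
    tac = tacacs_packet(TAC_PLUS_AUTHEN, 1, 0x3421A0CC, b"tac-secret",
                        tacacs_authen_start(user, password))
    rad = radius_access_request(7, user, password, b"rad-secret", bytes(range(16)))
    print("TACACS+ packet exposes username:", user in tac)
    print("RADIUS packet exposes username: ", user in rad)
    err = tacacs_packet(TAC_PLUS_AUTHEN, 2, 0x3421A0CC, b"tac-secret",
                        tacacs_authen_reply(0x07, b"server error"))
    print("TACACS+ REPLY status:", tacacs_reply_status(err, b"tac-secret"))
```

Running it shows the difference the post is asking about: the RADIUS Access-Request still carries User-Name (and any other attribute) in the clear and hides only User-Password, while the TACACS+ body, including the username, port, remote address and the REPLY's server message, is covered by the keystream. Neither mechanism is authenticated encryption, and both keystreams are derived from a single MD5 of the shared secret, which is why RFC 8907 calls the TACACS+ scheme "obfuscation" rather than encryption and why the strength of the shared secret is what matters in both cases.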







Copyrights 2005-15 www.BigResource.com, All rights reserved