Cisco Firewall :: ASA 5510 - Authenticate Users Of Specific LDAP Group

Apr 19, 2010

I'm actually require authentication for users who are coming from the PublicVLAN (the vlan associated with the wireless hotspot) to authenticate themself to the LDAP server via my firewall ASA 5510

View 12 Replies


ADVERTISEMENT

Cisco Wireless :: WLC 4404 Integration With LDAP To Authenticate Domain Users?

Feb 24, 2013

I have a WLC 4404 with LWAPs, the customer has a microsoft LDAP and all users are joined to the domain and he wants the users to be authenticated against their domain accounts and this should be done automatically so that when users login to windows they are also authenticated and joined the WLAN.so how we can do that with the simplest way, without Radius server using only the LDAP and wwithout envolving any certificates.also i need to know when i add LDAP server to the WLC, how can i know that this LDAP is properly inegrated with the WLC?

View 8 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Authenticate Only Specific AD Users

Jul 22, 2012

Is it possible for ACS 5.1 to only allow specific AD users to authenticate the switches and routers? Currently What I have configured is only for all AD users. I can't seem to find a way to be selective.

View 9 Replies View Related

Cisco VPN :: 5510 - Authenticate One User In Only 1 Group?

Oct 20, 2011

I have two tunnel groups using WEBVPN , I have local users at ASA 5510 version 7.2.

How can I authenticate one user in only one group?Now with local users I can loggin in both tunnel groups

View 1 Replies View Related

Cisco Firewall :: ASA Version 8.2 (2) / Authenticate With Microsoft LDAP?

Jul 25, 2012

I am running ASA ver. 8.2(2)  and all users are configured in the ASA. This ASA is uses as a VPN ASA and we are using it for remote access for external users. When a user is logged in, he gets all parameters that are need to continue working from outside, such as, IP, assigned to special group with special permissions and so on. All the parameters that are needed are configured under  user attribute. See example below: 
  
username username1 password xxxxxx == nt-encrypted
username username1 attributes
vpn-group-policy Basic
vpn-access-hours none
vpn-simultaneous-logins 1
vpn-idle-timeout 30

[code]....            

Is it possible to live the user attributes as is and to force the users to authenticate via LDAP servers only?

View 4 Replies View Related

Cisco Switching/Routing :: 2560 Create Dynamic VLAN For Specific Group Of Users

Feb 6, 2012

We have Cisco Cat4503 series L3 Switch and Cisco L2 2560 Series Switches, some of the users want to have a dynamic VLAN membership, and connecting with the network as mobile users,
 
can it possible and create dynamic VLAN for specific group of users.

View 6 Replies View Related

Cisco VPN :: Specific Tunnel-group With User On ASA 5510?

May 13, 2011

I would like to ask some question about VPN clinet and SSL VPN, on my ASA 5510 i have many tunnel-group it have around 5 tunnel-group and i have one SSL VPN,i also have user 20 user. let me show you that:
 
1- tunnel-group Staff-VPN remote-access
2- tunnel-group Manager-VPN remote-access
3- tunnel-group normalstaff-VPN remote-access
4- tunnel-group guest-VPN remote-access
5- tunnel-group other-VPN remote-access
and tunnel-group sslgroup type remote-access
 
and i have user around 20 user and i want to specific user to tunnel-groups like this
 
1- tunnel-group Staff-VPN remote-access
username AAA password AAA
username AAA01 password AA01
 
2- tunnel-group Manager-VPN remote-access
username BBB password BBB
username BBB01 password BBB01
 
3- tunnel-group normalstaff-VPN remote-access
username CCC password CCC
username CCC01 password CCC01
 
5- tunnel-group other-VPN remote-access
username DDD password DDD
username DDD01  password DDD01
 
So, How can i manag tunel-groups with user?

View 3 Replies View Related

Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?

Jul 31, 2012

I try to map LDAP Group to ASA Group policy following documentation:
 
[URL] 
 
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
 
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX

View 3 Replies View Related

Cisco Firewall :: Internet Access Through ASA 5540 For Specific Network Object Group

May 2, 2011

I have a 5540, and i am trying to allow access to internet for an specific network object group, who has inside a bunch of users, who needs direct internet access without any restrictions, i have tried with dynamic NAT, but that configuration ask for a specific IP o a Network range, and is not permitted to configure an  object group as a source
 
The group is located in LAN zone, so a permission from one zone to another zone is needed i think, but i can allow the internet acess to that group Is there another way to get that , different from NAT ?

View 5 Replies View Related

Cisco AAA/Identity/Nac :: WLC 4402 - Authenticate With Novell LDAP Through ACS 5.2?

Aug 2, 2011

I'd like to configure wireless access from winXP to authenticate with our corporate Novell LDAP through ACS

Setup:
WinXP SP3 --> WLC 4402 --> ACS 5.2 --> Novell LDAP
 
1. Our Novell LDAP server uses secure LDAP (port 636) to authentication user.On ACS 5.2, when we configure this option we need to select Root CA. Should the Root CA in ACS must be the same as the LDAP server's? (the LDAP's certificate issuer)
 
2. What kind of authentication that this setup supports? Does it support PEAP/MSCHAPv2 as in Windows Zero Configuration or it only supports PEAP-GTC, EAP-FAST, EAP-TLS (which means I have to use Intel Proset/Wireless software to configure).

View 2 Replies View Related

Cisco Firewall :: 5520 - URL Blocking To Be Applied To Specific Users

Feb 10, 2010

I am having ASA firewall 5520. I want to block yahoo mail, gmail using regex for particular users only.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: How To Setup ACS 4.2 As LDAP Server To Authenticate Devices

Sep 1, 2011

I have a ACS 4.2 under windows, I setuped it to authenticate routers by RADIUS and TACACS+  protocols. now I have some devices whitch know only LDAP protocol. How can setup ACS as a ldap server to authenticate those devices?>

View 1 Replies View Related

Cisco Firewall :: Unable To Authenticate With Common Setting With ASA 5510 Running 8.0

Nov 11, 2008

I have allways configured and run LDAP Server Groups authenticating to Active Directory Domain Controllers using LDAP, never an issue, until I hit a Domain Controller running on a Windows Server 2008. I have been unable to authenticate with the common setting with an ASA5510 running 8.0.1.

View 4 Replies View Related

Cisco Firewall :: ASA 5510 / Can LDAP-authenticated Remote User Be Assigned A Connection

Jun 30, 2011

ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not.  I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...".  I created a new Group Policy with split-tunnel enabled.  I created a new Connection Profile and assigned to it the new Group Policy.  When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want.  Each of them works, enabling or disabling split-tunnel.  But I want to assign a connection profile to the particular user, not give the user a choice.  The problem is I'm using LDAP authentication.  The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing.  I really don't want to give up LDAP and force people back to another local password.  But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile.  At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page.  Otherwise, DefaultWebVPNGroup will be the connection profile".  If I clear that switch every user will be assigned the same default profile, which does not work.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 LDAP Group Search Error?

May 9, 2012

I have a problem where occasionally a user will attempt to login and the LDAP search will find the user but then fail when it does the group search.  The error I get is below
 
22037  Authentication Passed
22023  Proceed to attribute retrieval
24032  Sending request to secondary LDAP server
24016  Looking up user in LDAP Server - testuser
24004  User search finished successfully
24027  Groups search ended with an error
24034  Secondary server failover. Switching to primary server
24031  Sending request to primary LDAP server
24016  Looking up user in LDAP Server - testuser
24004  User search finished successfully
24027  Groups search ended with an error
22059  The advanced option that is configured for process failure is used.
22062  The 'Drop' advanced option is configured in case of a failed authentication request.
 
Some users never get this error, others will get it once in a while and I have one user that gets it every time they try and login. 

View 3 Replies View Related

Cisco Firewall :: DNS Server Group On ASA 5510

Apr 5, 2011

I can not have "dns server-group" on my asa 5510, could you tell me how to get this command in my ASA 5510.

View 3 Replies View Related

Cisco :: LMS 4.0.1 Authenticate User On Group Base And Assign Different Privilege?

Sep 7, 2011

having LMS 4.0.1 is it possible to authenticate user on a group base and assign different privilege to different groups?. The user's group are available in the LDAP server.Do I have to use a TACACS/RADIUS server between the Ciscoworks LMS and the LDAP repository?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 - Users Unable To Access Internet Through Firewall

Feb 26, 2013

I have some problem with the ASA 5510 ver 7.0(6). My manager wants to keep this as backup. tried lots of things but still users not able to access internet nor can i ping anywhere.For example when i ping 4.2.2.2 i dont get any reply.The runing config is below for ur ref :
 
HQ-ASA-01# show  running-config
: Saved
:

[Code]......

View 9 Replies View Related

Cisco :: 1813 Can't Get Users To Authenticate To ACS

Feb 14, 2012

I am trying to connect using officeextend but couldn't . I have managed to connect the officeextend AP  to the DMZ WLC however i cant get the users to authenticte to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (i thought they wouldnt require as they are anchored back to the Internal WLC that the ACS server address
 
oon a side note, i have'nt created dhcp for hte officeedxtend users - will this cause an issue - (just deciding on to it on WLC or windows server)In-fact i cant even see myself authenticating on the ACS server

View 25 Replies View Related

Cisco AAA/Identity/Nac :: ASA 5505 Does Some LDAP Attribute Mapping To Get Group Membership For DAP

Dec 21, 2012

I have a working ASA 5505 that is used for remote access.  It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP.  This is all working fine however recently I enabled IPv6 to do some testing.  I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks.  DNS client is enabled in the ASA and all the authentication servers are entered as hostnames.  The two RADIUS servers only have A records and the two LDAP servers (Windows DC's) have both A and AAAA records.  My plan was to begin test IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).

When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working.  I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers.  From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses.  When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
 
Prior to the reboot both the LDAP servers were showing thier addresses (IPv4) correctly.  I can workaround it by disabling IPv6 on the ASA, letting it lookup the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6.  Strangely deleting and re-adding the servers just with their IPv4 addresses also fails but I haven't fully tested this.  I don't know but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
 
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6?  Just guessing at the moment as I haven't managed to get a LAN capture. [code]

View 1 Replies View Related

Cisco Firewall :: ASA 5510 8.4 / VPN Traffic For Specific Client?

Mar 16, 2013

I have ASA 5510 8.4 Firewall where more than 20 Site to Site VPN Clients are configured on it. how to see the traffic for one Specific Site to Site VPN.Actually this site to site vpn is always keep dropping for every minute. I'm sure its a problem at the other end.The remaining 19 VPNS are UP and working without any problem. How to see the traffic for specific vlan.More over we dont have any syslog server in our network. Is their any chance we can check the traffic on the firewall?

View 6 Replies View Related

Cisco Firewall :: ASA 5510 - ASDM Access From Specific IP

Jan 24, 2013

I do have one other question first.  What's the effect of the crypto key zeroize rsa command, and then crypto key generate rsa modulus 1024 while I'm SSH'd to the ASA?  Can I do it?  Or do i need to be consoled in or connected a different way?
 
ASA 5510:
ASA Version 8.4(1)
asdm image disk0:/asdm-641.bin
asdm history enable
http server enable
http 10.1.1.83 255.255.255.255 inside
http 10.1.1.82 255.255.255.255 inside

Shouldn't that right there be enough to access ASDM from either host .82 or .83?  Because I cannot.  But if I add http 0.0.0.0 0.0.0.0 inside, then I of course can.

View 2 Replies View Related

Cisco Firewall :: 5510 Connection Specific TCP Timeouts

Aug 28, 2012

I got a Problem on a customer which is using a Failover ASA 5510 pair with SSM-CSC-10-K9 modules.The clients have to connect to a webserver where they are doing some calculations.If they prepare everything and want to calculate everything what takes a couple of time the session is after about 3 minutes timedout.My first idea was to set session specific timeouts which are a bit longer then the normal but this setting did not work. I created a policy which did not work for me. How to set connection specific timeout's? [code]

View 3 Replies View Related

Cisco Firewall :: ASA 5510 Security For One Specific User

Jan 18, 2013

We have an ASA 5510 version 8.3 (2) that we accept VPN users via a radius server. Is there a way to lock down a specific user that connects to the ASA as a SSL client or IPSEC VPN user? If the specific user were to connect to the ASA, we would want the user to have minimal to not access to our system.

View 1 Replies View Related

Cisco Firewall :: 5510 No Translation Group Found Error

May 31, 2011

I have a 5510 with just a inside and outside interface, everything works on the lan inc internet access and exchange hosting to the net, but I have another exchange server on the wan and I can't get to that because I'm not natting inbound traffic and the default route sends traffic elsewhere.
 
If I put a nat any statement on the inside interface inbound it works, however all LAN internet traffic fails with a  No translation group found error.I've removed the static nat commands as they are all named anyway, but below is what I have before I do a nat any inside inbound command global (outside) 1 interfaceglobal (inside) 2 interfacenat (inside) 0 access-list inside_nat0_outboundnat (inside) 1 0.0.0.0 0.0.0.0.

View 3 Replies View Related

Cisco Firewall :: ASA 5510 - Multiple Pools / Group Authentication?

Apr 8, 2011

can i have on asa 5510 multiple pools and multiple group authentication for various departments along with restricted access if any

View 3 Replies View Related

Cisco Firewall :: Object Group Network Limit With Asa 5510

Oct 29, 2012

We have Cisco ASA 5510, I am about to add another 2 Objectgroup network  groups on the firewall to our already growing list. Under this Object-group Network xxxx , we are planning to add about about 500 network-object host xxx.xxx.xxx.xxx . This objectgroup will then be applied to an ACL. Just wanted to know if thats possible - meaning addnig 500 hosts? If it is whats the limit?
 
Also are there any other things to keep in mind before i go-ahead with this huge object group?

View 3 Replies View Related

Cisco Firewall :: 5510 - No Translation Group Found For UDP Src Inside

Jan 10, 2013

I have seen many of these errors lately.  We have just moved to a new office and I have basically only assigned a new IP to the outside interface.
 
[code]....

View 6 Replies View Related

AAA/Identity/Nac :: Authenticate LAN Users Via Cisco 2911

Feb 9, 2012

We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
 
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 Authenticate Wireless Users With 802.1x

Jun 9, 2011

I have an issue with an implementation, I had a ACS R5.1 that I'm using to authenticate the wireless users with 802.1x, that's OK and working fine. Now I want to use the same ACS to authenticate wired users using MAB (for IP phones, printers, servers, and other devices) and 802.1x (for corporate users). I already configured the authentication services (MAB and 802.1x) on ACS, but when I'm doing tests I can see that for example the phones are trying to authenticate using the 802.1x rules of wireless connection, not using the MAB rules. [code]
 
You could also see an screen from the ACS in the attached file. On the picture remark you could see a IP Phone trying to authenticate using the wireless Access Services insted of using MAB.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS V5.1.0.44 / WLC 5508 / Cannot Get Users To Authenticate

Sep 25, 2011

Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?

View 9 Replies View Related

Cisco :: 802.1x Guest Function To Authenticate Users Against AD Via ACS 4.2

Dec 7, 2010

We have a customer with ACS 4.2 Appliances who currently uses the Layer 3 web-redirect guest function to authenticate users against AD via ACS and LDAP to the AD, its a mixture of un-managed Windows, Mac & linux clients.
 
They want to move to an 802.1x solution.
 
Now MS-CHAPv2 is proably the obvoius choice (maybe it isnt considering Linux and MAC clients ... comments???). However the only option to integrate with AD is LDAP i.e remote agents or an upgrade to 5.x is out of the question.

View 9 Replies View Related

Cisco :: ACS 4.2 - Authenticate Wireless Users Via Windows

Mar 12, 2013

we are using ACS4.2 to authenticate wireless users  for ssid : copr-wireless. the acs authenticate users via windows database (acs is a member of the windows doamin) no local user defined in acs. there is a mapping between all windows users and a local group in acs (wireless_group) in wireless group i defined the vlan as 80 so that corp-wireless clients will be in vlan 80 and they can take an ip address from one DHCP server in the network. vlan 80 is in our core switch. the dhcp also.
 
now we added a guest anchor WC with ssid: guest-wireless. we need to auth guests also via ACS/Windows. guests are the same users as corp-wireless but corp for lan only and guest for internet only my prob is that ACS will map guests to vlan 80 because they are member of the domain, however guest users should not  have any vlan. it is like if they are in DMZ. they will take ip address from the anchor WC.

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved