Cisco VPN :: ACS 5.3 / Assign Group Membership Attribute To DAP For Radius Logins Via SSL

May 14, 2012

Basically I want to query Radius for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that using attribute 4242 for DAP for group membership, but what is the Group syntax?


Cisco AAA/Identity/Nac :: ASA 5505 Does Some LDAP Attribute Mapping To Get Group Membership For DAP

Dec 21, 2012

I have a working ASA 5505 that is used for remote access.  It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP.  This is all working fine, however recently I enabled IPv6 to do some testing.  I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running, so the ASA has visibility of the internal IPv6 networks.  DNS client is enabled in the ASA and all the authentication servers are entered as hostnames.  The two RADIUS servers only have A records and the two LDAP servers (Windows DCs) have both A and AAAA records.  My plan was to begin testing IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).

When I initially enabled IPv6 everything continued to work as before, however I had to reboot the ASA today and after it all came back up authorisation stopped working.  I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers.  From the CLI I can ping the hostnames and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses.  When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
 
Prior to the reboot both the LDAP servers were showing their addresses (IPv4) correctly.  I can work around it by disabling IPv6 on the ASA, letting it look up the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6.  Strangely, deleting and re-adding the servers just with their IPv4 addresses also fails, but I haven't fully tested this.  I don't know, but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
 
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups but the LDAP client cannot use IPv6?  Just guessing at the moment as I haven't managed to get a LAN capture. [code]


Cisco Switches :: SG200-18 - Validating User-logins And 802.1x Via Radius (ACS)

Apr 30, 2012

In our environment we've got a Cisco ACS-Server providing Tacacs+ (mainly for access to routers/switches) and Radius (for 802.1x-validating end hosts) services.
 
Aside from our IOS-based switches we've got a SG200-18 acting as a workgroup switch.
 
I'd like to set up user authentication on the SG200 (i.e. authentication of users accessing the switch) as well as 802.1x validation of end hosts via our existing Cisco ACS 5.x.
 
Unfortunately the docs for the SG200 in the chapter "Configuring RADIUS Parameters" only mention "...For the RADIUS server to grant access to the web-based switch configuration utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15...." - no examples etc.
 
Since the WEB-based SG200-interface is absolutely new to me I'm looking for some hints/examples on how to set up the Cisco ACS Radius Server in order to interact with the SG200.


Cisco :: ACS 5.2 / NAC - Allocating Vlans To Host Ports Based Upon AD Group Membership

Jan 6, 2011

My customer requires the host port on an access switch to be allocated to a specific Vlan based upon the AD Group that the user is a member of.  I am planning to set up NAC in a Real Gateway OOB deployment, using an ACS 5.2.  I was initially thinking that the initial authentication server would be the ACS and then the AD, which, using group mappings within the AD, I could then use to assign the user to a specific ACS group and then pass a Radius attribute back to the NAC manager for processing?


Cisco AAA/Identity/Nac :: ASA-5510 / IPSec Client Authentication Based On AD Group Membership?

Aug 26, 2009

Looking to fine tune Cisco IPSec client RA-VPN authentication on our ASA-5510.  Currently using NT Domain authentication.  It's been working fine for quite a while but is too broad a brush.  It authenticates anyone who is in the domain.  We need to only authenticate folks who are in a specific AD remote access security group.  I'm testing LDAP but am getting the same results.  I can get it to authenticate based on overall domain membership but can't seem to figure out how to check group membership. 
 
We've updated to ASA 8.2(1) and ASDM 6.2(1).  It seems to have more LDAP functionality but I'm not an LDAP expert.  I've posted an image of the LDAP server dialog from the ASDM.  I originally tried putting the Group DN in the Base DN field but kept getting a "can't find user" error when testing.  I also tried adding the group info in the "LDAP parameters for group search" field at the bottom.  But it doesn't seem to be looking there.  Note that the current value is the Group Base DN only.  I also tried putting "memberOf=" in front of that.  Still no luck.  The values shown in the image work for simple domain membership.


Cisco VPN :: ASA 8.4.x - Sending A Client Attribute To Radius Server

Dec 11, 2011

I'm using an ASA version 8.4.2 and a Radius Server.
 
Is it possible to configure the ASA to send the name of the connection profile to the Radius Server?
 
By default, the radius server doesn't receive this information.


Cisco AAA/Identity/Nac :: ACS 3.3 / RADIUS Vendor-Specific Attribute?

Feb 21, 2005

I'm using Cisco ACS 3.3 for RADIUS. How do I make the Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.


Cisco VPN :: ASA 5540 - AnyConnect Profile As Radius Attribute

Nov 25, 2012

Is it possible to send the profile name as a Radius attribute during client authentication? I would like to match users, depending on profile name, to separate Identity Stores in my ACS. ASA 5540 8.4, AnyConnect 3.1.01065, ACS 5.1


Cisco AAA/Identity/Nac :: ACS 5.3 Suppress Radius Class / CACS Attribute

May 13, 2013

ACS 5.3 always sends the class=cacs:xyz attribute in an authentication response. How can I suppress that behaviour? The Cisco Email Security Appliance doesn't support multiple class attributes (defect 49096) and even treats guest users as administrators.


Cisco AAA/Identity/Nac :: ACS 5.3 / 11014 RADIUS Packet Contains Invalid Attribute(s)?

Mar 19, 2012

How can I determine what attribute is coming up as 'invalid'? Tried full debug and looked at all the logs - nothing.


Cisco Switching/Routing :: Radius-server Attribute 61 Extended On ASR1004

Nov 9, 2011

We faced a problem after upgrading the ASR from 12(2) 33 XNE2. I know that this is an old XE release, but our Radius denies authorization from the ASR with a newer XE version. Here is our radius attribute configuration:
 
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host x.x.x.x auth-port 1812 acct-port 1813 non-standard

[Code]....

How can I add to my configuration so that the ASR sends the necessary NAS-Port-Type - VPDN?

I couldn't find any info for radius-server attribute 61 extended.


Cisco AAA/Identity/Nac :: 3650 - Radius Return Attribute To Set Duplex Settings?

Feb 28, 2012

I am doing 802.1X for a user on a Cisco 3650 and wanted the Radius Server to return an attribute to set the duplex setting of the port, with the correct Radius Return Attribute.


Cisco :: How To Assign Group Roles Via ACS 5.3

Oct 10, 2012

I'm currently using a LMS 4.2.x System and an ACS 5.3 System.
 
I solved the problem of authenticating the LMS WebGUI login to the ACS Server. But I can't find any document which describes how I can assign the group roles via ACS.


Cisco AAA/Identity/Nac :: ACS 5.2 Assign VLAN Based On AD Group?

Apr 18, 2011

I'm trying to configure ACS 5.2 to assign the VLAN to a user dynamically based on the AD group that the user belongs to. I've gone into:
 
Users and Identity Stores -> External Identity Stores -> Active Directory -> Directory Groups tab
 
and selected the group name from the AD. If I understand correctly, I should now see this group under:
 
Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles -> Common Tasks -> VLAN ID/Name
 
However, it does not. Am I missing something?


Cisco :: LMS 4.0.1 Authenticate User On Group Base And Assign Different Privilege?

Sep 7, 2011

Having LMS 4.0.1, is it possible to authenticate users on a group basis and assign different privileges to different groups? The users' groups are available in the LDAP server. Do I have to use a TACACS/RADIUS server between the CiscoWorks LMS and the LDAP repository?


Cisco VPN :: ACS 5.X - How To Assign Connection Profile Without Using Group Drop-down List

Mar 8, 2013

I've configured 4 connection profiles (IT,HR,Admon,VIP) on the ASA and everything works well, but our boss wants to know if it's possible to assign the right connection profile without using the group drop-down list. What he wants is to use a unique connection profile (non-default) and, via radius attributes using ACS 5.X, to assign the right profile.


Cisco AAA/Identity/Nac :: Assign QoS Service Policy Via RADIUS To Catalyst 45k / 3750?

May 4, 2011

Is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 switchport?
 
In detail, we would like to assign this policy
 
policy-map SET_EF
 class class-default
  set dscp ef
 
to an interface. All traffic should be marked with a defined DSCP value.
 
This works fine when doing it statically with
 
interface FastEthernet2/1
 service-policy input SET_EF
 
but we would need to assign such a policy via Radius during the 802.1x Authentication. Different users should get different policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
 
We also found two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k [URL]
 
Unfortunately this seems to not work on Catalyst 45k and 37k.
 
In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
 
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so to my understanding the switch should understand these attributes (?)
 
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1     Name=disc-cause-ext                 Format=Enum
Type=2     Name=Acct-Status-Type               Format=Enum

[Code]......


Cisco AAA/Identity/Nac :: Add RADIUS Attributes Under Group Setup In ACS 4.2

Jul 5, 2012

I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes, IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?


Cisco VPN :: Automatic Tunnel Group Selection Through Radius On ASA 5.3?

Aug 20, 2012

I am trying to let the Cisco ASA automatically select a tunnel group for users after they input username and password. I am trying to do this without the user selecting a connection profile on the login page. Authentication is ASA<>ACS 5.3<>MS AD. How can I do this? The Radius attribute class=group_policy doesn't work.


Cisco VPN :: ASA 5510 - Group-Lock Not Working With Web VPN And RADIUS Authentication

May 16, 2013

I'm on an ASA 5510 running 8.2(5)41. I have clientless WebVPN configured to authenticate against an RSA RADIUS server, which has users assigned to RADIUS Class attribute 25 to match the group-lock values assigned to each ASA group-policy. This of course is to ensure users can only access the login page's drop-down VPN profiles they are assigned to by the RADIUS server. I have two other ASA 5510s (same code level) using the same RADIUS server with group-lock enabled but for IPSec remote access VPN's, and the group-lock feature works fine.

WebVPN, however, is authenticating any user to any VPN profile without regard to the RADIUS Class attribute 25 they are assigned. If I configure the VPN profiles to authenticate locally and assign group-lock to individual ASA user accounts, group-lock works. As soon as I point it back to the RADIUS server, group-lock does nothing. From the 'debug aaa' below for user 'corpvpnstp', you can see the RADIUS server sends back the attribute 25 values of "ou=stp.Client;" and "ou=stp.ClientDRC;" for this user. The ASA profile this user has attempted to connect to is "EMS-Admin", which should get denied by the ASA. Instead, the ASA successfully authenticates the user.


Cisco :: WLC 2106 - Take Group B And Point It To A Radius Server For Authentication

Dec 13, 2011

In the WLC there are two groups (say A and B).  How would I take group B and point it to a RADIUS server for authentication? The server is ping reachable.  I have searched  but did not see any definitive answer.


Cisco VPN :: 5510 - Separate RADIUS Profiles For SSLVPN Group

Sep 11, 2012

We are starting to deploy SSL VPN in our company and we recently purchased two ASA 5510 firewalls. I have already completed the initial configuration, but I do have some questions on how to have it configured properly.
 
1. Employees and clients will access the URL
2. They will select the appropriate group on where they should login.
3. Enter credentials, etc.
4. Username/Password authentication is via RADIUS. The usernames were all created in Cisco ACS 5.3.
 
My challenge is, we have several clients and all their usernames were created in ACS5.3. Meaning if the configuration is just being differentiated by group settings, clientA can select the profile of clientB and still get authenticated. If that happens, they will be able to access the resources of each other. Also in the future, we will be deploying 2-Factor authentication for some of our clients.


Cisco AAA/Identity/Nac :: 5510 Assigning A User Group Using RSA Secure ID RADIUS Server

Feb 3, 2007

We have several ASA 5510 firewalls which are being used as VPN gateways. RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used. Is it possible to assign user Group and other attributes (such as ACL) using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?


Cisco AAA/Identity/Nac :: Use Radius On ASA 5505 To Block Outgoing User Access By Username In Group

Jan 15, 2012

Can I use AAA Radius on an ASA 5505 to block outgoing user access by user name in a group?


Cisco Firewall :: Multiple Logins On ASA 5505?

May 24, 2011

I have an ASA 5505 that I log into and currently only need a password to log onto the device. How do I set it up so a username is required as well? Another user needs to access the device. How would I set that up so they have to use their own credentials?  I tried the username/password priv command and it does not work.


Remote Logins To Different User Accounts?

Jun 6, 2011

Each person would have their own Windows User Account name, with different privileges. I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router. This is a very small business and keeping costs under control is important.


Sharing :: Remote Logins To Different User Accounts?

Jun 6, 2011

How do I set up remote login that would allow 3 or 4 people to log in to the same computer? Each person would have their own Windows User Account name, with different privileges. I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router. This is a very small business and keeping costs under control is important.


Cisco :: WS-C2960-48FPS-L / 3750G - Creating Additional Logins

Dec 9, 2012

We have a setup of about 14 WS-C2960-48FPS-L all running from a 3750G stack. What I want to be able to do is create dedicated accounts so that local IT admins can tag ports via CNA without calling me every time something needs to change. How and where can I create these on CNA? Is it as simple as using the Users and Passwords options? What privilege level should I assign to these accounts so that it will give the least amount of privilege required to tag ports? I don't want them being able to change much else.


Cisco AAA/Identity/Nac :: 3750 AAA Authentication Banners And Banner Logins

Aug 10, 2009

I'm experiencing some problems with AAA authentication banners and banner logins. I'm trying to use spaces and empty lines, but when logging in, all the lines run after each other, no empty lines, no spaces. The problem appears on a 3750 with IOS version 12.2(5)SE2.


Cisco Switches :: VLAN Port Membership Via SNMP On SG300-28

Sep 4, 2011

Any snmpset commands to modify port vlan membership on SG300-28 switches? I checked [URL] however this information is apparently only valid for catalysts.
 
The latest firmware is installed and the provided MIB files are used.


Cisco Switches :: Linksys SRW248G4 And Multiple Membership In VLANs?

Jun 26, 2012

I can't figure out how to configure a port membership with multiple VLANs. My setup:

- VLAN10
- VLAN20
- port settings tab: port 24 in general mode
- ports to VLANs tab: untagged everywhere; when I set port 24 membership to VLAN10 I can't set port 24 membership in VLAN20, because when I do that port 24 membership in VLAN10 disappears, and vice versa
- but I can set port 24 membership to both VLANs in the VLANs to port tab, but I think it doesn't work because:
- when I connect hosts to ports 23 (port 23 is a member of VLAN10 only) and 24 (member of VLAN10 and VLAN20) there is no connectivity between them
- but connectivity is working when I set the same PVID for both ports 23 and 24 in the port settings tab; I can't set multiple PVIDs here.

So, is it possible to configure port membership for multiple VLANs on this Linksys? [URL]


Cisco Switches :: VLAN Membership Lost After Reboot SG300-20

Aug 31, 2012

I have two Cisco SG300-20 switches. Both of them are configured in L3 mode. They have several VLANs configured.
 
When I reboot my switches some VLAN membership settings are lost! I have already saved the settings over and over before rebooting, and even tried to save it to the backup memory and so on. Say for example I have changed ports 9 to 14 from VLAN 101 to VLAN 105. I save the configuration and reboot the switch. And then the changes are lost. This is a big problem, because servers and my iSCSI network lose connectivity. They already have the latest firmware. This issue was there three firmwares before.
 
This issue pops up when I have a power loss, or I need to reboot/shut down them manually. It may be off-topic, but I also have the feeling that the performance of the switches goes down during uptime. A reboot solves the performance issue. I don't have a performance benchmark, but I can notice it on the transfer rate between clients and servers.


Cisco :: 3700 Layer 3 Switch - Cannot Find VLAN Membership Command

Nov 8, 2012

I can't find the vlan-membership command on my 3700 layer 3 switch. I've searched Google on whether the command has been upgraded to a new syntax, to no avail. I'm using GNS3 and the IOS is c3725-adventerprisek9-mz.124-25d.bin
