Cisco VPN :: AES 256 Which DH Group?
Jan 7, 2012
I have been using AES 256 with DH group 2 and PFS group 2 for my site-to-site VPN tunnels. Now I am considering modifying the DH groups, both for P1 and PFS, to group 5, or keeping them at group 2. Is it a must to have DH group 5 with AES 256, or is having DH group 2 with AES 256 also common?
Jul 31, 2012
I am trying to map an LDAP group to an ASA group policy following this documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well, but I do run into problems. The mapping, as shown in the LDAP debug and ASA log, will actually happen, but it is overwritten by the "GPnoAccess" group policy configured locally in the tunnel group. From earlier work with RADIUS I would have expected the user-specific attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
May 1, 2012
How do I associate an AD group, which I have defined in Users and Identity Stores / External Identity Stores / Active Directory / Directory Attributes, with the relevant identity groups (Users and Identity Stores / Identity Groups)? Is there an example of this being done somewhere, as I am having problems understanding how to do this from the user guide. All I want to do is associate identity groups with AD groups.
May 23, 2011
We have two 4404s and WCS. The 4404s are almost maxed out. We have an additional 4404 which we would like to add to the group of 4404s.
Apr 26, 2011
I'm trying to set up a VPN connection to a router using group authorization with the ACS 5.2 but cannot make it work. I configured everything based on the procedure used for ACS 4.2. I created a user that corresponds to the group name, used the password cisco and used all the required Cisco AV pairs in an authorization profile. (Based on document: [URL])
While testing with ACS 4.2 this works fine; I can see that the ACS returns the group attributes correctly (here is a debug output):
Apr 9 16:16:59.256: RADIUS: Received from id 1645/22 192.168.1.212:1645, Access-Accept, len 203
Apr 9 16:16:59.256: RADIUS: authenticator 02 07 F5 E6 46 78 73 CA - 46 6D 47 90 FE 92 38 9A
Apr 9 16:16:59.256: RADIUS: Vendor, Cisco [26] 30 Apr 9
[Code].....
Aug 1, 2010
My remote VPN clients aren't able to do anything network-wise once they have connected to the VPN. The ASA keeps coming up with "no translation group found" in the log.
Result of the command: "show running"
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name office.propertyfinder.com
enable password ######## encrypted
names
dns-guard
!
interface GigabitEthernet0/0
 description Office Network Interface
 nameif Office-LAN
 security-level 100
 ip address 10.121.10.4 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/1
 description 4Mbps BTNet Internet Connection
 nameif Internet-Primary
 security-level 0
 ip address 213.121.253.33 255.255.255.248
 ospf cost 10
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description Office Wireless Interface
 nameif Office-Wireless
 security-level 10
 ip address 172.16.0.1 255.255.255.0
 ospf cost 10
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup Office-LAN
dns server-group DefaultDNS
 name-server 10.121.10.20
 name-server 10.121.10.21
 domain-name
[code]....
Sep 27, 2012
I have an issue with AP Groups. In my scenario, I have one Flex WLC 7510 using software version 7.0.220, and all APs are 1131s. I have some sites with H-REAP, where H-REAP is configured properly. The access points are set with an AP Group. The AP Group is configured properly too. Each AP Group was configured for one site and 2 SSIDs were configured in each AP Group. All sites have 2 different SSIDs. During some basic tests, in one site with 9 APs, I saw:
1. When the access points are registered on the WLC, all APs are working fine. All APs have their 2 SSIDs added on slot 0 (radio 0).
2. If I disable the link between the WLC and the access points, 7 access points delete the SSIDs of their AP Groups and replace them with 16 SSIDs (the SSIDs of the Default Group configured on the WLC).
Feb 1, 2012
With LMS 4.1 Reporting, in several areas it is possible when selecting devices to use the 'Group Selector' (e.g. Syslog Severity Level Summary Report). The Group Selector dynamically chooses devices in the selected Group at report runtime to get the latest devices. Not all reports in LMS 4.1 provide this Group Selector, e.g. Best Practices Deviations/Discrepancies. Is that a bug? As the DCR changes often (add/delete), we urgently need to dynamically perform reports on the latest DCR population.
May 29, 2013
I am trying to issue the command "ssh key-exchange group dhgroup14" on several of my ASA firewalls. The key-exchange command is failing on 3 of 4 ASA firewalls. According to Cisco documentation, this command was introduced in 8.4. My ASAs are running versions 8.6.1.10, 9.1.1.8, 9.1.1.10 and 9.1.2. The command is available only with 9.1.2.
Example from one of my ASAs:
lbjinetfw# show version | in Version
Cisco Adaptive Security Appliance Software Version 8.6(1)10
Device Manager Version 7.1(2)
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
lbjinetfw# config t
lbjinetfw(config)# ssh
[code]....
Jan 24, 2012
I scheduled a periodic job (for example the compliance check job) on a weekly basis and I specified one user's device group for this job (for example the branch_routers group). All is working, but when new devices are added to this group (the branch_routers group), the scheduled job is not provided for these new devices. Is it the default behaviour? Can I change it?
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do, but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the RADIUS setting. I have an Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group, with * for port and address.
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do, I keep getting authenticated.
When I go to the passed authentications page I see my login, and the group name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from an ACS user group.
May 31, 2012
I am trying to implement PEAP authentication with ACS 5.3. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID to one group and the other SSID to the other group.
Feb 8, 2012
I have a Cisco RVS4000 and a Linksys BEFSX41. I can make a VPN connection when both are on static IP addresses. With the RVS on a static IP and the Linksys on an ISP-changing IP, the connection is not made.
Here is some log:
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Feb 9 20:48:17 - [VPN Log]: "xxxxx"[1] xxx.xxx.xxx.185 #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
[code]....
Oct 10, 2012
I'm currently using an LMS 4.2.x system and an ACS 5.3 system.
I solved the problem of authenticating the LMS web GUI login against the ACS server. But I cannot find any document which describes how I can assign the group roles via ACS.
Apr 7, 2011
We have ACS 4.2 and it has been integrated with AD. Now, a new user group has been added in AD but we are not able to see that new AD group in ACS to do the mapping. We have refreshed the agent in ACS and also have restarted the ACS agent in AD. But still we are not able to fetch the new AD group in ACS in group mapping. Is there any way to fetch the new group in ACS from AD?
Aug 3, 2011
I am a novice with LMS 4.0. I created 4 device groups in Group Management, I restarted my server and since this reboot I don't have any devices in my groups. I would like to use the archive synchronization but I can't see my devices in my groups.
Feb 18, 2011
Dell 3000 XL, OS, 149GB. I set up a home office to try to transfer files to my new one. Once I found out you can't do it, there was a group policy in place. How do I get rid of it? It's interfering with a lot of stuff, including my firewall. Had to buy another.
Mar 22, 2012
I have a question. I am testing a mobility group with failover for a redundant connection between 2 Cisco 5500 WLCs. On both controllers I got the mobility working, and both controllers have the same version and configuration. But when I unplug the main controller, the access points don't converge to the second one. They just keep on screaming that they can't find the main controller. Also, with this, does the second WLC need to have the same interface IP address, like management?
Jul 15, 2012
I am not able to apply an access-list to FastEthernet 0, as the ip access-group is not supported in interface mode but only in interface vlan mode. How can I stop traffic into the LAN network?
Apr 30, 2012
I am configuring a new ACS 5.3 system. Part of the rules is that I want to match the user's specific AD group membership, and match appropriately to an identity group. What I'm trying to do is say that if the user is a member of the AD group (G-CRP-SEC-ENG) then associate them with the identity group SEC-ENG. Then under the access service, authorization portion, I assign shell profiles and command sets based on identity group. It seems that the ACS server will not match the AD group for the user, and it will match the Default of the Group Mapping portion of the policy every time.
I tried several configuration choices, from: AD1:ExternalGroups contains any <string showing in AD>, AD1:memberOf <group>. Is there something special I need to do in the Group Mapping Policy to get it to match an Active Directory group and result in assigning the host to an identity group?
Jun 23, 2011
How many WLCs 5508 can you add to the mobility group?
Apr 25, 2011
I'm sure it can be done, I just haven't been able to find it. I'm running ACS 4.2 and have 2 network groups: one is wireless, where I have a WLC, and the other is the default, where VPN users authenticate with their tokens. Is there a way to have the wireless network group authenticate using AD and the other group use RSA? I can't find the switch or switches I need.
Feb 15, 2011
Options: a user may reside in Austin, TX, and I want the user to utilize the local proxy (i.e. texasproxy:8080). We currently only require the user to enter the RSA passcode and username to authenticate (RSA/AD usernames are identical). Is there a way to have the user authenticate via RSA and have the user's AD group membership (TX) assign the user the specific IE proxy settings? We are utilizing an ASA 5520 on 8.2, but we are willing to upgrade to a newer IOS or even consider AnyConnect to resolve this issue.
Jul 19, 2011
How can I add devices onto the customizable group1? I am trying to create a group of trunk ports and monitor just the up/down.
Feb 3, 2011
I am configuring Windows NT authentication on an ASA 5520 firewall for clientless web VPN. Is there a way I can specify to only authenticate users from a specific AD group, using Windows NT or another way?
Jul 24, 2011
I've configured RA VPN on an ASA5520 with OpenLDAP server authentication. It works fine for all the users existing in the LDAP database, but my requirement is that I want one particular group to be able to access the VPN and not all the users. I have checked most of the Cisco documents but all are leading to Microsoft's AD and LDAP attribute map creation. Is there any way to achieve the same thing with an OpenLDAP server and not with AD?
Feb 10, 2011
I have a Cisco ASA (8.2) with several group-policies set up. By default, I can hit the SSL page and have a selection of available group-policies for a user to log in to. I want to have different ACLs for each group, to go along with the subnet that each particular group hands out. Right now, as long as a user is authenticated through AAA, they can log in to any group they select, and therefore have more permissions than another group.
I know how to hide the list, but I need to be able to assign a specific group to a user based on an attribute in ACS.
I've set up ACS to use the "CVPN3000/ASA/PIX7.x-Tunnel-Group-Lock" attribute, in which I match the group-policy name in the ASA to the attribute on the user account in ACS. This doesn't seem to work, and it just throws the user into DfltGrpPlcy, which doesn't give the user anything. So it's either wide open, or it's broken.
I'm using RADIUS authentication and not TACACS, so it should retrieve the attributes, and according to the ACS, it grabs the attribute during the authentication process.
Mar 14, 2013
A bit of a Catch-22 here: I am trying to delete VPN group policies but receive the error message that the policy is in use by a particular connection profile. When I try to delete the connection profile I receive the message that it is in use by a VPN group policy.
What else is there to delete or do I have to use the CLI?
May 9, 2012
I have a VPN network (on an ASA 5520) with two VLANs (999 and 997) and two remote clients (User1 and User2). The VPN connection with both users is correctly connected, but I can't ping another computer on the same VPN network when the VPN network is connected. For example: when User1 is connected, it has the IP 172.16.1.230, but can't ping another connected PC (IP: 172.16.1.236). [code]
Aug 21, 2012
Is there a way to group APs to get different profiles? I need to have some that have the 2.4GHz turned down and some with the 2.4 and 5.0 GHz on.
Nov 28, 2011
I have two WLCs, model CT5508, version 7.0.116.0. They are working fine except for the RF grouping part. When I look at the RF Group members part in the configuration, I can see only one WLC (the one I'm connected to). If I connect to the second one, in the same part, I have just one controller (so the second one). I tried to restart the algorithm but no change. Each controller is configured with Group Mode set to auto, and their respective roles are auto-leader. I tried to change the RF group name on both WLCs, but it didn't fix the problem. When I look at the logs, there is one which appears quite often:
*emWeb: Nov 29 10:32:07.764: %LOG-6-Q_IND: dtl_arp.c:2581 ARP input q exceeds limit. Current val = 50 [...It occurred 38 times.!]
Aug 26, 2012
We have 4 x 4xxx WLCs set up in our core. I just created an AP group in one of the WLCs, and in theory I should see that AP group in the other 3 x WLCs.
For some reason, I do not see that AP group appear in the other 3 x WLCs. Very much appreciated if someone could point me to the right information or troubleshooting steps.
Apr 25, 2013
I have some problems getting ACLs working. The main purpose of these ACLs is to control what is going out from the VLAN to the internet. (For example, I want only my proxy to be able to access the web.) So, I use Cisco Packet Tracer and test new rules in the lab without any problem.
interface Vlan1
ip address x.x.x.x x.x.x.x
ip flow ingress
ip flow egress
ip nat inside
[Code]...
But it doesn't work on my Cisco 1811W, and I don't understand why, and I'm not sure I have sufficient knowledge to solve my problem on my own.