Cisco VPN :: ASA With 4.2 - How To Authorize Clients On ACS

Oct 1, 2012

Client (with certificate) ------> ASA (with SSL VPN enabled) ----------> ACS server
 
The client authenticates on the ASA via certificate, and after successful authentication I want to authorize my clients on ACS with a DACL association per client. The ASA gets the username from the CN field in the certificate and sends it to ACS; ACS responds to the ASA with an authentication failure, password incorrect, and no DACL assignment happens. How can I define in ACS that it should be only an authorization process without any password, just the username from the certificate?




Cisco AAA/Identity/Nac :: ACS 5.1 How To Authorize Using Both MAB And AD Info

Sep 26, 2010

Nowadays, people have smartphones, typically iPhones and Android phones, and they all have WiFi. We already have a wireless net set up, with 802.1x security, where people connect using certificates and user information stored in AD. I would like to see the smartphones use the same SSID as the computers, using the owner's user info from AD. But I think user info from AD only is too weak (since I cannot use certificate enrollment on the phones), so I would like to add the smartphone's MAC address to the internal hosts database, too, so I have 2 layers of security: if the smartphone MAC exists in internal hosts, then authenticate it with AD information. When I try this, I only get the message that the user credentials do not exist in Internal users, and then it fails.


Cisco AAA/Identity/Nac :: ACS 5.2 Command Set - How To Authorize Empty Arguments

May 19, 2011

After switching from a very old ACS 3.2 to ACS 5.2 I'm wondering how to specify an empty argument in a command set.
 
Example:
 
I want to permit:
write 
but I don't want to permit:
write terminal
write erase
write network
write core
and so on.
 
If I specify command="write" and leave the argument field empty, every argument is allowed. This would also permit "write erase", which I don't want.
 
In ACS 3.2 I could specify command="write" and argument="^<cr>$". This does exactly what I want. The command write with an empty argument is allowed. If there is any argument, the command is denied.
 
In ACS 5.2 if I enter the same string in the argument field, the "<cr>" is filtered out and in the config is now only the string "^$" which is not working.
 
How do I specify an empty argument?
 
BTW: ACS View shows only [ CmdAV=write  ] in the logs...


Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

When the supplicant is missing, VLAN 500 is opened for the port and everything is OK, but when the supplicant has a wrong configuration something happens and the port is always authenticating (every 30s; VLAN 500 is not assigned to the port with the badly configured supplicant), and the logs show something like this:
 
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....


Cisco VPN :: ASA 5505 VPN Clients Can't Ping Router Or Other Clients On Network

Jun 18, 2012

I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
 
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
 
[code].....

What do I need to add to get the VPN client to be able to ping the router and clients?


Cisco VPN :: 5520 / 5510 - Can VPN Clients Communicate With Other Dynamic Clients

Nov 5, 2012

We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic addresses. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.

My testing shows packets just dying in the 5520.


Routers / Switches :: Dlink DIR 615 Router - Wireless Clients Can't See Ethernet Clients

Feb 1, 2011

I have 4 desktops on Cat5 to a Dlink DIR 615 router. All work fine. Any wireless clients, laptops or netbooks, see the desktop computers for a while and then somehow disconnect. All machines can see the Internet through the router at all times. The desktops disappear from the laptops/netbooks, but the wireless machines can be seen from the desktop computers; clicking on them gets an 'Access Denied' message after a wait. 3 desktops = XP, 1 = 98SE. All laptops/netbooks = XP.


Netgear WNDR4500 - Clients Not Showing Up In Clients List

Jul 6, 2012

I have a Netgear WNDR4500 running the stock firmware, acting as a router for my home. I also have 2 routers that are flashed with DD-WRT (Linksys WRT54G and Asus WL-520GU) running as client bridges. The Netgear is 192.168.1.1 and the other 2 client bridges are 192.168.1.2 and 192.168.10.3. The Netgear router is performing DHCP giving addresses from 192.168.10.100 to 192.168.10.254. I have numerous machines connected to the Netgear, wirelessly and wired, and numerous machines wired to each client bridge. All machines have IP addresses that are 192.168.10.100, 192.168.10.101, 192.168.10.102, etc... Everything is working fine, but I have one question: When I access the Netgear router, it shows the client bridges as clients, machines that are wired and wireless to the Netgear router are listed as clients, but the client list does not show any clients that are connected to the client bridges. I assumed that since the router is performing DHCP that all clients would show up.


Cisco VPN :: ASA5510 Can't Ping VPN Clients But Clients Can Ping

Feb 29, 2012

I have a strange issue on my ASA 5510 (8.4). I can't ping or connect to the VPN clients, but the VPN clients can ping/connect to any inside resources. I have checked all the NAT exemption entries.


Cisco VPN :: 881 - VPN Clients Can Connect But Cannot See Anything Else

Jan 5, 2012

Once a client connects to my VPN (VPN Client 5) they cannot see anything other than the outside interface. If I ping anything on the LAN, for example, I get a reply from the outside interface. I cannot see any WAN either (even by IP). My LAN clients can see the clients within the VPN pool. I would like all traffic to flow through the VPN. I have tried split tunneling to verify whether the internet would work and the local LAN would stay connected. It does work, but I was still unable to access anything on the remote network. I am not sure if I am missing a NAT command or something simple.
 
The current setup is as follows: an 881 router with Windows 2008 RADIUS authentication. The client is authenticating and receiving an IP address from the local IP pool. Please see below for the running config.
 
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap


Cisco WAN :: 921 Router With Actually No Clients Working

Mar 28, 2012

I have a Cisco 2921 router with actually no clients working on it, but the CPU temperature is 76 degrees Celsius. Is this normal? I think this is too hot. My room is air-conditioned to 21 degrees Celsius. What can I do?


Cisco WAN :: Multiple PPPoE Clients On 881

Mar 2, 2011

Is it possible to set up a PPPoE client on a VLAN interface, or on a switch interface associated to a VLAN? For example, on an 881 Ethernet router, could I configure a PPPoE client on any of the LAN interfaces in addition to the PPPoE client configured on the WAN interface?


Cisco Wireless :: WAP 321 No Clients Can Connect

May 10, 2013

I just purchased a WAP 321 and followed the setup wizard. It's powered by a PoE switch. The issue I have is that no clients can connect to it. I updated the firmware. I reset to factory and tried setting it up manually; still no one can connect. I don't understand what I'm doing wrong here, unless it's a bad unit. I will have about 10 to 15 clients connecting to it. It's the only AP in the building.


Cisco Wireless :: 881-W Wi-Fi Clients Not Getting DHCP?

Mar 8, 2009

I'm monkeying around with an 881-W. Clients can associate and authenticate to SSID 'test', but they cannot get a DHCP address. Clients plugged into f 0 - 3 get DHCP addresses just fine.
 
I've looked at a lot of different guides, ran debugs etc. When wifi clients make DHCP requests the server never gets them. So there must be some IRB thing going on.


Cisco AAA/Identity/Nac :: ACS 5.2 Timed Out For AAA Clients

Aug 16, 2011

I have 2 ACS 5.2 (VMware) in my network configured as primary and secondary. When my AAA clients are configured for the primary ACS, authentication works fine. But the clients configured with the secondary fail authentication. My replication status of the secondary box is showing UPDATED.


Cisco :: How Many Clients Support AIR-AP1242AG-A-K9

Nov 1, 2012

I have a question for you: how many clients are recommended to be hooked on a Cisco AIR-AP1242AG-A-K9 simultaneously?


Cisco Wireless :: WLC 2504 - Some Clients Gets IP As Zero

Aug 29, 2012

I've a problem with a WLC 2504. Some clients like phones and thin clients get an IP of 0.0.0.0. Software version is 7.0.235.0. A test with a laptop seems to be OK. Some printers also got 0.0.0.0. Around 30% are not OK. I also had the log: Impersonation of AP with Base Radio MAC 00:yy:yy:yy:yy:yy using source address of 00:xx:xx:xx:xx:xx has been detected by the AP with MAC Address: 00:yy:yy:yy:yy:yy on its 802.11b/g radio whose slot ID is 0. The problem is, I cannot go to the 7.2 version because I have 2 x AP 1231 and 2 x 1242 APs. 1231 APs are no longer supported in the 7.2 version.


Cisco VPN :: ASA 5505 Cannot Connect Clients

Jun 3, 2012

I configured the VPN on the ASA, but I cannot get a client to connect to the ASA.
 
: Saved
:
ASA Version 7.2(2)
!
hostname
domain-name
enable password
names
ddns update method
ddns both
!
!
interface Vlan1
nameif inside
security-level 100
ddns update hostname
ddns update dhcp client update dns
ip address 192.168.1.1

[Code].....


Cisco Wireless :: How To Tell Which Clients Are Associated With WAP4410

Dec 21, 2010

Can you get a list of associated clients from a WAP4410N? How can you tell who's connected?


Cisco :: Clients Will Not Connect To 1231G AP?

Sep 6, 2011

I bought 3 of the Aironet 1231g access points and cannot get any clients to connect to them. I have tried everything from an iPhone, Droid2, and Win 7 and XP laptops with built-in wireless G cards. All say that they cannot connect to the wireless network. I have two set up currently, one on VLAN 1 that I have configured the way I want with WPA2 Enterprise. The other one is just one I set up while playing around.


Cisco VPN :: 892 And PPTP Clients Connection

Mar 6, 2011

We have a Cisco 891 with the configuration below. I've got several computers on my LAN that need to connect to an external Windows server with PPTP. The Windows server is not mine, but it works. The clients are using the Windows connection manager. We can connect to the Windows PPTP server for hours sometimes. But sometimes we can just connect for about 3-4-5 minutes, and it auto-disconnects. Is there something wrong in my configuration? I heard the Cisco router is messing with the keepalive or the connection state. It seems to happen when I have more than 5-6 clients connected at the same time on the same server. I got these messages: Link to VPN failed. OR ERROR 619 OR ERROR 651. Before, I had an RV042 and it worked like a charm. We were 10 on the VPN server and it was working. I don't see why it's not working now.

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Quantis891
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.1.1.201 10.1.1.254
!
[Code] .....


Cisco VPN :: Certificates For IPSEC Vpn Clients In ASA 8.0?

Mar 10, 2008

I have configured an MS CA and I set up the VPN client and ASA 7.0 to make a tunnel with certificates. The same configuration does not work with ASA 8.0. I get this error:
 
CRYPTO_PKI: Checking to see if an identical cert is
already in the database... 
CRYPTO_PKI: looking for cert in handle=d4bb2888, digest=
b8 e5 74 97 f3 bf 25 1c 2e e5 21 3e d1 93 d6 15    |  ..t...%...!>....
 CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND
CRYPTO_PKI: Cert not found in database.

[code]....
 
Why the key usage is invalid? What certificate template must be used in MS CA in order to get a regular key usage?


Cisco VPN :: Redirect On ASA 5520 For SSL VPN Clients

Dec 26, 2011

You have a Cisco ASA 5520 where clients connect using Cisco Anyconnect SSL VPN, say the URL is connect.whatever.org. You would like for when a user enters either [URL] or just connect.whatever.org into their web browser that it automatically puts the required url...


Cisco :: WLC5505 7.2.103 No Clients Able To Connect

Jul 3, 2012

Basically, yesterday while hanging some 3602's going to a different controller, I started getting task reports of wireless phones not working. However, due to the area of complaint I mistakenly assumed it was due to me causing havoc in the area with AP replacements. Then the issues started to spread, with carts and COWs and other various devices not able to connect, until it started affecting me. I was not able to connect to any SSID at all, which is kind of nerve-wracking when you're talking ICU/NICU areas in a hospital. Once I got to a wired device, my first thought was to move the APs to a different controller to at least try and get things back up and then work on the controller to see what was going on. However, in trying to get the APs to move, most of them wouldn't. In hindsight, I wish I had just shut off the etherchannel port on the 6500 that this WLC is on and forced the APs to move that way, but with people standing over me I ended up just rebooting the controller. Of course, once it came back up the APs reattached to it and everything was working fine. I went ahead and moved the APs off of it to another controller for now, but am searching for answers. About to start digging into bug reports, but am concerned with this line of code causing the issue and worried about moving to 7.2.110.


Cisco AAA/Identity/Nac :: ACS 5.3 Mac Filtering For WLC Clients?

Jul 30, 2012

Any up-to-date reference for setting up ACS v5.3 for MAC filtering via the built-in RADIUS with wireless LAN controllers?
 
All I seem to find is this old document, which uses the user database.
 
The ACS 5.3 has a host store, which seems like the logical place to set up MAC address information.
 
[URL]


Cisco VPN :: 1760 - Cannot Ping Clients

Oct 21, 2011

I have a Cisco 1760 configured as an Easy VPN server. Using the Cisco VPN client I can connect to the VPN server. The problem is that there is no ping between clients. When I connect several clients to the VPN server there is no ping between the clients. But when I log in to the router I can ping the clients and make SSH remote logins into the clients. It seems that there is no access between the clients and they cannot communicate at all.
 
The Cisco router is placed in a DMZ zone. Remote clients can connect to the router.

Here is the configuration of the VPN server:
 
[code]
!
version 12.4
service timestamps debug datetime msec

[Code]....


Cisco WAN :: 887 Clients Can't Connect To Internet

Dec 13, 2011

Purchased an 887 for my home office. ADSL ATM0 and Dialer get an address from my ISP; I have tried to configure NAT but none of my clients can browse the internet. I can't ping outside the network, but I can ping clients internally as my clients are connected via a switch, which is plugged in before the 887. I can get access to the router via the command line and CP Express, and Config Pro seems to work.
  
Building configuration...
Current configuration : 8900 bytes
!
! Last configuration change at 12:47:16 NewYork Wed Dec 14 2011 by elrooko

[Code].....


Cisco VPN :: 5510 - Getting ASA (NEM) VPN Remote Clients (v8.4.5)?

Mar 30, 2013

I've some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). At the HQ I've an ASA5510 (v8.4.5) with multiple NEMs connected to it. The group policy used on the HQ is configured for split tunneling. Now here's the problem:
 
The remote ASA (NEM) easily constructs a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts brings me into trouble: there is no traffic flowing through the tunnel at all!
 
When using the command "show crypto ipsec sa | i caps|ident|spi" I can see all of the tunneled subnets. The subnets that work perfectly give me the correct "local and remote ident" output. The subnets with problems give me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the outside interface (of the remote NEM). How is this possible?
 
Here is the crypto ipsec sa output:
 
Result of the command: "show crypto ipsec sa | i caps|ident|spi"
 
local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM)
remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ)
#pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712
#pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
current outbound spi: A4FA947A

[code]....


Cisco VPN :: 2921 - Clients All Have Same MAC Address?

Apr 21, 2011

We are deploying softphones for remote employees in our company. We currently are using Cisco 2921's with VPN enabled.
 
All of the clients who connect with the Cisco VPN x86 client are getting 00:00:00:00:00:00 for their MAC addresses, and all of the Cisco VPN x64-bit clients are getting the same MAC address, although it is different from the x86 clients'.
 
This is causing the softphones not to work, as they all need to be sending independent MAC addresses.


Cisco :: ASA VPN Clients Creating Static Routes?

Nov 15, 2011

In my live VPN concentrator at work, my 5520 is showing a static route for each VPN client that is connected to my SSL vpn right now. This kind of confused me because wouldn't only one route to the address pools subnet be needed for my vpn users?


Cisco :: Setting Up DHCP For VPN Clients On ASA 5510?

Jun 30, 2011

I'm trying to understand my options for assigning addresses to VPN clients on an ASA 5510. Under the ASDM, I have a field for DHCP servers, radio buttons: none, dhcp link, dhcp subnet, and field: client address pools. Cisco's VPN examples demonstrate setting up a client address pool, which I did, but the VPN client isn't assigned a gateway in the process so it can't connect to anything; I really don't understand the point of this. I'd like to create a DHCP pool on the ASA for VPN clients as this seems to be the standard configuration. However, I don't know where in the ASDM to configure this and how it's applied. The only DHCP options I found involved creating a DHCP server on an interface, which I don't want to do since VPN users aren't on a physical interface, right?


Cisco WAN :: WLC 3750 With 41 APs Web With Layer 2 - Clients Get Deauthenticated

Jan 30, 2012

I have a WLC 3750 with 41 APs. We use Web Authentication with the combination of a layer 2 security feature (WPA/WPA2 with PSK). With this combination some clients have the problem that they get deauthenticated and have to authenticate again while being in an active session. For testing I disabled the layer 2 security feature i.e. I set it to "none" but I left the Web Authentication enabled. With these settings none of the clients has any more problems with getting deauthenticated. They stay online for the entire session.


Cisco :: WLC 550 Associated Clients Falls Below Max Limit Number

Feb 20, 2013

I have 25 1141 APs located in a ten-floor building and connected to a WLC 5508 ver 7.4.100.0. After the upgrade from WLC 7.0.116.0 a few clients started to complain that they are affected by periodic disconnection from the wireless network. It happens twice an hour. In the WLC log I noticed some errors on almost every AP: AP with MAC: c4:0a:yy:yy:zz:xx(AP1) radio 0: Associated Clients falls below max limit number:200. Failure Cause:Clear Maximum Client Limit Reached in WLAN. What does it exactly mean? I have no limit per WLAN (it is set to 0), but in WLC 7.4 I must put some limit for the number of clients per AP, and the max is 200. It is not possible that I have 200 users connected to one AP, as on 10 floors there are maybe 150 users. The number of all connected clients right now is 120.
