Cisco Wireless :: 4.2 No Authorization Information Found For Remote Authenticated User
Apr 18, 2013
I've just installed NCS. When trying to configure NCS for ACS Tacacs+ authentication, I receive the message below when trying to login to NCS. ACS records my login in the 'passed authentications' log. I am using ACS 4.2."No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server". I used the following link to configure ACS for NCS, url...
View 3 Replies
ADVERTISEMENT
Jan 22, 2012
802.1x is working properly, 802.1x port is up,but;when I do a remote desktop to machine that is 802.1x authenticated by an user(Wired), first, login to pc successfuly then(3 minutes) is switch port down..
Debug radius authentication
Debug aaa authentication
Does not appear in the log only message port is down
Equipment;
Cisco 2960, Cisco ACS 4.2 ,MS Active Directory Authentication
Client:windows xp, windows 7
Cisco 2960 Port Config
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
spanning-tree guard loop
View 1 Replies
View Related
Jun 30, 2011
ASA 5510 ASA 8.0 ASDM 6.1 I want some remote users to have split-tunnel connection, others not. I used Cisco Document ID 100936 "Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration...". I created a new Group Policy with split-tunnel enabled. I created a new Connection Profile and assigned to it the new Group Policy. When I authenticate at the AnyConnect client I get a dropdown of the 2 connecton profiles, to choose the one I want. Each of them works, enabling or disabling split-tunnel. But I want to assign a connection profile to the particular user, not give the user a choice. The problem is I'm using LDAP authentication. The Local Users I set up before LDAP are obsolete, assigning them a Group Policy does nothing. I really don't want to give up LDAP and force people back to another local password. But the LDAP authentication to Active Directory just says yes or no, it won't assign a connection profile. At the AnyConnect Connection Profiles page I have set a switch "Allow user to select connection profile, identified by its alias, on the login page. Otherwise, DefaultWebVPNGroup will be the connection profile". If I clear that switch every user will be assigned the same default profile, which does not work.
View 2 Replies
View Related
Oct 31, 2012
We've just replaced our Fortinet Firewalls with 5525's but are struggling to get a feature working that worked great on the Fortinet firewall.All our users use a proxy for internet access that's configured in IE but from time to time some users need to remove this proxy and go directly out to the internet, with the Fortinet devices we created a rule right at the bottom of the inside access out rule that had it authenticate users via TACACS which worked a treat and could be used from PC or laptop. We want to do a similar thing on the 5525 and I thought the Authenticated user would give me this access but I don't seem to be able to get it to work. I've got the AD side of it working fine the ASA can pull user and groups from AD but I'm struggling to get this working for a user.
View 3 Replies
View Related
Jul 13, 2012
I would like to authorize a friend in my house to access my wifi I was told to go to http://192.1.1 and enter the MAC address of my friend. However on the site I was unable to enter the information into the box - how can I authorize my friend to use my wifi?
View 1 Replies
View Related
Oct 8, 2012
I have a user authentication issue with our WLAN deployment. My issue relates to the guest access WLAN. First a brief descrition of our setup. We have a local WLC in the branch office (5508) with two SSIDs configured, CorpNet for the internal network and GuestNet of external guest access. We also have a WLC (5508) in the DMZ to provide the guest access. We are using Cisco ISE server to authenticate guest users via a web portal.
The authentication process works as it should. An external client gets an IP in the DMZ and is redirected to the web portal to authenticate their account. When they do they are able to access and browse the internet. No problems. My issue is that if we disable their account (ie suspend or delete it) in ISE it does not seem to terminate the users session and they can continue to have internet access. What I would like to happen is that when the account is disabled in ISE then the associated device's access to the internet is removed.
View 2 Replies
View Related
Feb 28, 2013
I'm trying to configure an ASA5510 with release 9.1(1) in order to authenticate VPN AnyConnect users through LDAP. In a first step the logs shiw me this kind of error:
[-2147483632] Session Start
[-2147483632] New request Session, context 0xadf415d4, reqType = Authentication
[-2147483632] Fiber started
[Code]......
View 0 Replies
View Related
Feb 12, 2012
Actually I have a lab with ACS 5.3 running with 802.1x, but when when the user is successfully authenticated, it's assigned and IP address from the DHCP server, is there a way to assign a static IP address depending of login username??
View 13 Replies
View Related
Oct 30, 2012
I recently installed an RE1000, which seemed to be working fine. Then, on 3 PC's with no wireless adapter installed we began being prompted for user name and password for the wireless router. Once I unplugged to extender the problem went away. I know what you're thinking: Maybe I just think there's no wireless adapter on these PC's. NO, I looked in device manager and the only network adapter installed is the ethernet adapter. These are all 4+ year old machines with no hardware changes made to them. Wireless adapters are not necessarily standard issue on old towers--even on new towers. The Acer I'm using right now was purchased new in November 2011 and did not come with a wireless adapter installed.
View 3 Replies
View Related
Jan 17, 2012
I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.I would be grateful if i can get the step by step procedure to achieve this:The below is what iam trying to do:
1) Create an AAA server group.
2) Add the AAA server to this group (here its RADIUS).
3) create an LDAP-cisco ASA group mapping (for authorization)
3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).
4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).
View 5 Replies
View Related
Aug 23, 2012
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access only to company notebooks. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated in the domain and being unable to do certificate based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as authentication method, basically the same SSID but with a different name. As this naturally allows anyone to access the corporate network with a valid username/password I now wanted to add another step into the authentication process - the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database as well as the fact that it is cumbersome to maintain the MAC list on all the controllers I thought I can do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is succesful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access Identity: Internal Users -- (Single result selection) Authorization -- (Rule based result selection) -- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I won't get authenticated. The error I get, when I look into the logs is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
View 5 Replies
View Related
Jan 8, 2013
I am getting Authorisation requests failed log entries for a user however there aren't any successful authentication logs.
The user would never be able to authenticate as it no longer exists in ACS (it was the user for someone who left the company 3-4 month ago)
The other wierd thing is that the caller-id is 0.0.0.0 BTW the NAS is a Cisco ASA firewall running 8.0(3)
View 4 Replies
View Related
May 21, 2012
Is this a good price *NEW* for this unit...325.00
NEW SEALED* Cisco ASA5505-BUN-K9 Firewall 10-User
I assume 10-user means this device comes with a 10 user VPN license? Is there anything else I should be looking for when purchasing an ASA? Mainly looking to use my NetGear WNDR3700 as just a WiFi AP and not my edge device.
View 19 Replies
View Related
Sep 27, 2012
I have a question about Cisco ASA 5505 firewall.We need 3 interfaces on the firewall , "inbound", "outbound" and "DMZ" , to control traffic between these zones.
Can we do this with Cisco ASA 5505 50-user bundle , or do we need to purchase Cisco ASA 5505 Security Plus bundle to get the DMZ zone working.
View 4 Replies
View Related
Aug 19, 2012
We plan to use ACS 5.3 for remote vpn user authorization. We have found a document on to how to do this, but they use ASA 8.3.we would like to know if it is supported on ASA 8.2 or do we need to upgrade the ASA IOS.
View 2 Replies
View Related
Nov 3, 2011
I have a server computer running Windows Server 2008 R2 Standard operating system with 4 client computers connected to the network running Windows 7 Professional operating system. All worked great yesterday. This morning, one of the client computers encountered this error:
An error occurred while reconnecting F: to \SERVERData
Microsoft Windows Network: The user name could not be found.This connection has not been restored.No updates or changes have occured between yesterday and today and the three other client computers have no similar problems.Just this one client has the error.
View 6 Replies
View Related
Sep 29, 2011
I found a bug in Embedded Event Manager, on Catalyst 4500-E platform with supervisor V-10GE, on various IOS releases (in particular 12.2-50-SG IP BASE w/o crypto, 12.2-54-SG1 IP BASE w/o crypto, but also other releases included latest 15.0-2-SG1 ENTERPRISE SERVICES SSH).The problem is that when you set up a EEM applet that monitors syslog pattern matching, and you also configure remote host logging *with* the option "sequence-num-session", when the match occurs, the switch reboots with message:
Sw (sometimes prints a number instead)
VECTOR D00
and in some cases performs a second reboot with message:
VECTOR 0
DOUBLE FAULT
The reload reason message is:
System returned to ROM by abort at PC 0x0
The problem does *not* occur if remote logging has not the option "sequence-num-session". I verified this behavior on various configurations (included our production 130K long *and* factory defaults after erase startup-config).The configuration statements that cause reload are, for expample:
event manager applet prova
event syslog pattern %SYS-5-CONFIG_I
action 1.0 puts "configurazione modificata"
!
logging host 172.30.10.1 sequence-num-session
View 1 Replies
View Related
May 5, 2013
I have a client that wants to segment their wireless network behind their ASA. We currently have a normal setup, 5510, 2 interfaces, outside, inside. On the inside network there are Cisco Wireless APs that allow for internal access to the network. We want to move the APs to a new interface on the ASA and only allow traffic bettwen this new "Wireless" network and the internal network by using remote user VPN. So my question is, can you use remote user VPN from the new Wireless network to the inside network??
View 1 Replies
View Related
Jun 6, 2011
How do I setup remote login that would allow 3 or 4 people to login to the same computer.Each person would have their own Windows User Account name, with different privileges.I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.
View 11 Replies
View Related
Jun 6, 2011
Each person would have their own Windows User Account name, with differentprivileges.I don't know what software could do this.The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.This is a very small business and keeping costs under control is important
View 9 Replies
View Related
Oct 20, 2011
ip local pool VPNPOOL 192.168.200.1-192.168.200.100.
i can access servers with remote vpn which they located at dmz zone at asa(write nonat access-lsit) but i can not 192.168.193.0 subnet at asa.i configurated proxy server. my proxy server inside interface get ip address my dmz zone(172.16.10.254) and outside is ip adddress asa outside interface (10.0.0.254).the users (192.168.193.0/24) go internet from proxy server.
[code]....
View 4 Replies
View Related
Jun 21, 2011
It seemed that show vpn-sessiondb ra-ikev1-ipsec will not provide the client type of the remote vpn user as show vpn-sessiondb remote did before.
Is there a way to find it out on ASA running 8.3?
View 1 Replies
View Related
Aug 19, 2012
Someone hacked into my computer through my Netgear router. They took over as Administrator and setup a Atheros (sp) driver. They pretty much have total control over my computer. How can I rid myself of this hack and protect nyself in the future?
View 5 Replies
View Related
Apr 19, 2011
I want to share the My Documents folder from an XP machine with ONLY one user (the administrator) on a networked Win 7 machine. I have turned off simple sharing on the XP machine. I hate XP!! So complicated to do anything. Anyway, under security, I have tried share this folder, and not to share folder. I have gone into Advanced and messed around with permissions, taking out Everyone, using Admin only, using Network. At one point I ended up not being able to access My Documents on the local computer and had to jump through many hoops to change ownership and disable read only so that the user could use her own files!The problem is, under Advanced in the permissions area, I cannot see the users on the remote pc to choose which one should be allowed access. how to actually find a particular user on the Win 7 pc and give ONLY that user permission to read (not to change) the files in My Documents on the XP pc.
View 3 Replies
View Related
Jun 6, 2011
How do I setup remote login that would allow 3 or 4 people to login to the same computer. Each person would have their own Windows User Account name, with different privileges.I don't know what software could do this. The computer being connected to would be Windows 7, and there is no special network equipment besides a consumer router.his is a very small business and keeping costs under control is important.
View 6 Replies
View Related
Sep 15, 2011
At first I use ACS 4.2 to create static ip address user for remote access VPN,It's easy,just configuration it at user set>Client IP Address Assignment>Assign static IP address,but when I use ACS 5.2 I can't find it.I try to add IPv4 address attribute to user by read "ACS 5.2 user guide" ,it says this: [code] I do this,but it's not work.When I use EasyVPN client to connect ASA 5520,user could through authentication but will not get that static IP address which I configuration on Internal Users.so,what should I do,if anyboby knows how to use ACS 5.2 to create a static ip address user for remote access VPN.
View 2 Replies
View Related
May 5, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone, There is a document that describe a solution to this? What IP adressess should I use?
View 2 Replies
View Related
Oct 3, 2011
I have a 3845 router (12.4(13r)T10) with ZBF. On my LAN there is a user who need to access a remote IPSEC VPN server. He is able to get the tunnel but afterwards he cannot connect to any service in the remote LAN. As I'm using zbf I think that I should inspect traffic from my LAN zone to EXT zone
View 3 Replies
View Related
Apr 5, 2011
Our customer has an ASA5520 Security appliance, I have already config the remote vpn in asa , user can logon via internet by vpn client and can access internal network,customer hope us can make some configuration if the remote user logon asa by vpn and notify them someone login their vpn by email .
View 2 Replies
View Related
Jul 5, 2011
I need to configure our ASA5505 firewall for remote access to our network using EasyVPN software installed on a laptop. That laptop will be connected in the different places, using DSL or 3G toggle or Public Wi-Fi. For some people it's very easy, but I don't have any experience with firewalls.
View 9 Replies
View Related
Jun 16, 2012
how many remote user connect using Cisco VPN client on Cisco Firewall ASA5520-BUN-K9? Already i read VPN Client FAQ But their have no information about user limitation.
View 1 Replies
View Related
Jan 15, 2013
I am currently trying to decide on the best remote support software to purchase for a 50+ workstation business. I have experimented with Real VNC and TeamViewer, and whilst they are quite comparable I noticed that TeamViewer has a feature called "Seamless Windows" I will be providing remote support to local users, and several interstate branches - therefore the software that I decide on must accommodate a wide diversity of geographical locations.I was also looking at a product called GoverLAN, but it seems to me that GoverLAN only works on a single LAN and can't be used over a WAN in a similar way to both RealVNC & TeamViewer?
View 4 Replies
View Related
Aug 1, 2012
Running 7.0.220. There are several 'unknown' users every day reported in WCS. Investigating the connections on the WLC I find the clients are in a run state and passing traffic but there is no username listed on the client detail. (hence the unknown on WCS)
(mcm-189jsoc-wlc1) >show client detail 60:c5:47:07:b6:5a
Client MAC Address............................... 60:c5:47:07:b6:5a
Client Username ................................. N/A
AP MAC Address................................... 00:1e:13:42:16:a0
AP Name.......................................... mcm-208dorm-wap1
[code].....
Clients in this state are usually Apple products. From initial investigation it looks like the do authenticate with the ACS. r debugs to run, or fixes on the WLC? Perhaps there's a bug on this behavior?
View 11 Replies
View Related
