ACS 4.2 and 4096-bit certificates

Hello

Is it possible to use ACS and a CA server with a 4096-bit certificate?

So far, we have tested with self-signed 1024-bit certificates. Now I don't know whether we can install a 4096-bit certificate on ACS and whether it can handle 4096-bit client certificates.

Thanks in advance.

Regards

Dominic

Dominic,

You can use a 4096-bit certificate from ACS 4.2.0.124 patch 10 onwards.

Kind regards

~ JG

Please rate useful posts

Tags: Cisco Security
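The question above is really "what key sizes do my server and client certificates actually carry, and does the platform accept them". The following script is an added example (not code from this thread or from Cisco); it reads the RSA modulus size straight out of a DER-encoded SubjectPublicKeyInfo with the standard library only, and compares every key against a minimum so that certificates still on 1024-bit test keys stand out before they reach a RADIUS/EAP-TLS deployment. The sample keys are constructed inline (the modulus is shaped for the parser, not a real RSA key); in practice you would feed it the public key exported from each certificate, for example with `openssl x509 -in cert.pem -pubkey -noout`.

```python
"""Audit RSA key sizes in SubjectPublicKeyInfo structures (stdlib only).

Added example, not code from the ACS thread. Walks the DER encoding of an
X.509 SubjectPublicKeyInfo to read the RSA modulus and checks it against a
minimum. Sample keys are constructed below so the script runs offline.
"""
import base64

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER content octets
RSA_OID = bytes.fromhex("2A864886F70D010101")


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at `pos`."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = octet count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bits(spki_der):
    """Return the RSA modulus bit length, or None if the key is not RSA."""
    tag, seq_start, _ = _read_tlv(spki_der, 0)                # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_start, alg_end = _read_tlv(spki_der, seq_start)    # AlgorithmIdentifier
    _, oid_start, oid_end = _read_tlv(spki_der, alg_start)    # algorithm OID
    if spki_der[oid_start:oid_end] != RSA_OID:
        return None
    tag, bs_start, bs_end = _read_tlv(spki_der, alg_end)      # subjectPublicKey
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    rsa_key = spki_der[bs_start + 1:bs_end]    # skip the unused-bits octet
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, key_start, _ = _read_tlv(rsa_key, 0)
    _, mod_start, mod_end = _read_tlv(rsa_key, key_start)
    return int.from_bytes(rsa_key[mod_start:mod_end], "big").bit_length()


def pem_to_der(pem_text):
    """Strip the -----BEGIN/END PUBLIC KEY----- armour and base64-decode."""
    body = [ln for ln in pem_text.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der):
    """Inverse of pem_to_der, used here to build a sample PEM input."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "\n-----END PUBLIC KEY-----\n"


def check_key_sizes(keys, minimum_bits=2048):
    """Map label -> (bits, meets_minimum) for a dict of label -> SPKI DER."""
    report = {}
    for label, der in keys.items():
        bits = rsa_modulus_bits(der)
        report[label] = (bits, bits is not None and bits >= minimum_bits)
    return report


# --- constructed sample data (encoder used only to build test keys) --------

def _der(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_octets)]) + len_octets + value


def _der_int(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                 # keep the INTEGER positive
    return _der(0x02, raw)


def sample_rsa_spki(bits):
    """Constructed SPKI whose modulus has exactly `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 1
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))


if __name__ == "__main__":
    samples = {"self-signed-test": sample_rsa_spki(1024),
               "ca-issued": sample_rsa_spki(4096)}
    for label, (bits, ok) in check_key_sizes(samples).items():
        print(f"{label}: RSA-{bits} {'OK' if ok else 'below minimum'}")
```

The 2048-bit floor is the example's own policy setting, not something the thread states; 1024-bit RSA keys of the kind used for the self-signed test certificates above have been below accepted minimums for years, so a report of `(1024, False)` is the signal to re-issue before cutting over to the CA-signed 4096-bit certificate.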

Similar Questions

  • ACS 4.2 and 802.1X authentication with certificates

    Hi all

    I have generated a new certificate and installed it on my ACS 4.2; it is only the auto-generated certificate. Now the end user cannot authenticate automatically.

    If I manually install this certificate on the end user's computer, then the end user is able to authenticate.

    Is it possible to authenticate the end user automatically?

    Oh, I'm sorry...

    Here are the comments;

    1. You must uncheck "Validate server certificate" on the client side; this way, you don't need to install the certificate on the end users' computers.

    2. Uncheck the option 'Automatically use my Windows password and domain user name'; this way the user's Windows credentials will be saved and the client will connect whenever you log on to the Windows machine.

    HTH

    Rgds, jousset

    Please rate useful posts ~

  • Authentication between ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 uses to talk to Active Directory. Does it simply use MSCHAP, MSCHAPv2 or PAP? By default, it uses PAP to talk between the Cisco IOS and ACS 5.1.

    If you look at the default admin tab and click on allowed protocols, it mentions PAP.

    Should I use a secure transport between ACS and AD? If so, can anyone say which authentication mechanism?

    Thank you

    Any administrative session such as telnet, SSH and console always uses PAP as the authentication method.

    Although PAP communication can be captured and read in clear text, since we have TACACS+ in use, it always encrypts the whole packet with the shared secret defined on the IOS and ACS/TACACS+, so if you capture traffic between the RADIUS server and the device you won't be able to decipher it without the key.

    In case you have RADIUS, then use SSH (PuTTY) so that it can help you with secure communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, administration does not work with any authentication method other than PAP.

    HTH

    Regds,

    Jousset

    Please rate useful posts ~

  • Should I install the 64-bit and 32-bit Photoshop on my Vista 64-bit?

    Should I install the 64-bit and 32-bit Photoshop on my Vista 64-bit?

    Some plug-ins require the 32-bit version. If you just want to use it as it is, without plug-ins for devices, then the 64-bit version should be fine.

  • ACS 5.3 and Enterasys A2 switch support

    Hi experts,

    I use ACS 5.3. I need to do MAC authentication on an Enterasys switch with Cisco ACS 5.3. I get the following error:

    Error parsing or unknown event type: xxxxxxxxxxxxx ERROR RADIUS: RADIUS packet contains invalid attributes. Failed-Attempt: RADIUS request dropped

    How can I integrate the Enterasys A2 switch custom attributes with Cisco ACS 5.3?

    Thank you.

    I think what you need to do is define the vendor attributes for this device.

    This can be done as follows:

    Go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA

    You can define the new RADIUS vendor by pressing 'Create'. Vendor ID is the assigned ID. Attribute prefix allows you to assign a standard prefix to all the attributes of this vendor. All RADIUS attribute names must be unique across all vendors.

    Once you have defined the RADIUS vendor you can select it from the list and press 'Show Vendor Attributes'. You can now define the attributes of this vendor. This option is also available from the left navigation by choosing the vendor name.

    Note that deleting vendor attributes takes a bit of time (a few seconds), so don't be alarmed.

  • ACS 4.1 and 802.1X dynamic VLAN assignment

    Hi guys,

    A customer wants to implement dynamic VLAN assignment with 802.1X. The customer has the following equipment: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, several routers and Cisco switches.

    Now, the questions are: can we implement dynamic VLAN assignment without a NAC appliance? The customer also wants to distinguish between clients with current antivirus signatures and old signatures. Older clients are denied access to the anti-virus server and the signature update, and if everything is OK, they get access to the internal network.

    How could we implement this without new hardware or software?

    Any ideas? Thanks for help.

    René

    You can have a look at the NAC framework. If you only want to posture-validate wired clients then there are no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

    http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

    I suggest you prototype and see what you think; the good thing is that you can deploy on a per-switchport basis, so you can set it up on ACS without disturbing what is already there and apply it by configuring the switch.

  • ACS 4.1 and Windows AD authentication

    Hi all

    I want to install an ACS 1113 and will authenticate users through AD.

    Is it preferable to install the remote agent on a domain controller or on a member server? What are the pros and cons?

    Thank you

    Randall

    Randall,

    You can install it on the DC or on a member server. My suggestion would be to install it on a member server, so that the domain controller can use its resources for domain activities.

    Kind regards

    ~ JG

    Please rate useful posts

  • ACS privilege level and command sets

    Hi all

    I was in charge of implementing ACS 5.6 in order to allow members of specific MS domain security groups access to specific commands on our equipment. I have the domain joined and the groups added, and I have an access policy with a rule that works, so my domain test account can connect to the switch and perform only the commands in my command set.

    The problem is that when I assign a shell profile with privilege level 7 min/max to the rule and the user logs on with this level, they are unable to see the commands that I allowed in the command set. Is it possible to have ACS tell IOS to automatically change the visible commands to a specific privilege level when the user connects, even if they are not at that privilege level?

    Any help greatly appreciated,

    Chris Menuey

    Since you're using command authorization and restricting the user to some commands, why use privilege 7 and not 15?

    ~ Jousset

  • ACS 4.2 and Kaspersky antivirus

    Hi all

    I want to install Kaspersky Anti-Virus on ACS version 4.2 with Windows 2000.

    Is it applicable or not?

    Thanks in advance,

    Ayman Yehia

    Hi Ayman,

    As a general rule of thumb, there should be no limitation to installing Kaspersky on Windows 2000 with ACS 4.2.

    In the past, we have seen problems with some antiviruses, Norton for example, blocking the ACS services.

    Unfortunately, the AVs and their releases differ too much from one another to build a specific compatibility matrix.

    As said, nothing should prevent ACS 4.2 from working when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.

  • 802.1X with ACS and Windows AD

    Hello

    I'm trying to configure 802.1X with ACS 5.2 but I am going wrong as it is very different from ACS 4.2.

    I joined ACS to the domain and think that I set up the external identity store; however, when I try to authenticate a PC using PEAP (EAP-MSCHAPv2) authentication, I get failure reason 22056: subject not found in the identity store.

    Marco

    Hi Marco,

    I guess you missed a mapping configuration in the access policy section.

    Create an Access Service named AS-802.1X, select User Selected Service Type, and select Network Access. Select the Identity and Authorization policy structure. Select PEAP as the allowed protocol. Click Finish.

    You will see the new service; click on Identity.

    Select the identity source you have created, then save.

    Click Authorization.

    Select Permit Access as the default authorization rule and save.

    Create a Service Selection rule named 802.1X.

    Select the protocol RADIUS as a condition and, as a compound condition, select RADIUS-IETF:Service-Type match, then select the service that you created before.

    Then you can try again.

    Regards

    Alex

  • ACS 5.2 and Cisco ACE RBAC does not...

    Would be grateful for help here if it can be provided.

    I am configuring TACACS+ auth for a Cisco ACE through our ACS 5.2 server. I think that I set everything up correctly, but when I connect with my TACACS+ account it gives me only network monitor privileges.

    This is the ACE configuration I use:

    radius-server host 1.1.1.1 key XXXXXXXX
    radius-server host 2.2.2.2 key XXXXXXXX
    radius-server timeout 10
    radius-server deadtime 30
    !
    aaa group server tacacs+ ACS
      server 1.1.1.1
      server 2.2.2.2
      exit
    !
    aaa authentication login default group ACS local
    aaa authentication login console group ACS local
    aaa accounting default group ACS
    !

    This is the ACS configuration:

    When I connect to the ACE I see it authenticating and pulling the right group in the ACS log:

    Logged At / Status / Details / User Name / Device Name / Device Group / Service / Identity Store / Identity Group / Network Access Group

    Apr 30, 13 8:57:40.566 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load balance devices, Network Location: Cameron Enterprises: Oklahoma: Data Center - 1 | Device Access.TACACS | AD1 | All Groups: Administrator - Full | HAPP-CSACS

    Apr 30, 13 8:52:20.256 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load balance devices, Network Location: Cameron Enterprises: Oklahoma: Data Center - 1 | Device Access.TACACS | AD1 | All Groups: Administrator - Full | xxx movies

    Apr 30, 13 8:43:43.276 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load balance devices, Network Location: Cameron Enterprises: Oklahoma: Data Center - 1 | Device Access.TACACS | AD1 | All Groups: Administrator - Full | xxx movies

    But when I log in to the ACE and do a show users, I get:

    * xxxckxxx Dev_VC pts/2 Apr 30 09:57 (x.x.x.x) monitor-network-default domain

    I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

    Thank you.

    Well, it should effectively work at the same time.

    Could you please check the TACACS+ logs on ACS and verify that the correct shell profile (Admin shell profile) is selected.

    This can be checked under:

    Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authorization

    Also provide the output of

    show running-config domain

    Would appreciate if you can share the result here.

    Jatin kone

    - Rate useful posts -

  • ISE 1.2 and iPEP required certificates

    Hello

    For ISE version 1.1.x, there are a few constraints on the certificates used for iPEP and Admin:

    Both EKU attributes must be disabled, if the two EKU attributes are disabled in the Inline Posture certificate, or both EKU attributes must be enabled, if the server attribute is enabled in the Inline Posture certificate.

    EKU validation has been removed in version 1.2.

    "If you configure ISE for services like Inline Policy Enforcement Point (iPEP), the template used to generate the ISE server identity certificate must contain both client and server authentication attributes if you use ISE version 1.1.x or earlier. This allows the admin and inline nodes to mutually authenticate each other. The EKU validation for iPEP was removed in ISE version 1.2, which makes this requirement less relevant."

    Source:

    http://www.Cisco.com/en/us/products/ps11640/products_tech_note09186a0080bff108.shtml

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hello

    We have the following situation:

    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A

    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B.

    First of all, is there a problem having an ACS SE and an ACS work together for one domain? When we only had one domain and the two ACS SE were responsible for domain A, it worked.

    Now, after the changes, machine authentication with EAP-TLS no longer works. In the logs, it always says "external user DB is unknown" for a (machine) username like host/abc.domain.ch

    This is the normal output of the Remote Agent; it finds the host but then nothing happens:

    CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
    CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
    CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
    CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent

    So I did a test from the ASA to see if the host is the problem (until the changes were made it was not a problem):

    test aaa-server authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA converts the host/ entry to the correct Windows form with the $):

    CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
    CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent

    It is clear that the test failed because of the wrong 'machine password', but it is a different output than before. I saw that in ACS 4.1 you can change the prefix in send_break_action to nothing, but in 4.2 this is no longer possible.

    Could this be the problem, or does someone see another problem?

    Best regards

    Dominic

    Hello

    I encounter the same problem with my ACS. All the attempts fail for the default group. For the default group, the configuration is not available. Is this the reason behind all this?

  • ACS 5.1 and SSID filtering

    Hello

    We have ACS 5.1 and a WLC with software version 7. Does anyone know how we can configure SSID filtering on ACS 5.1? On ACS 4.2 we did it with a NAR filter and DNIS.

    Best regards

    STAS

    You can use "End Station Filters" to filter by DNIS.

    Policy Elements > ... > Session Conditions > Network Conditions > End Station Filters

    Then you can add a rule in the "Access Service" using the End Station filters above.

  • ACS 5.2 and AD

    Hello

    We have an ACS 4.1 engine and want to upgrade to 5.x.

    Does the new ACS 5.2 version allow a user to belong to several AD groups?

    Best regards

    Yes, ACS 5.x allows this.

    But be aware that this is not an 'upgrade'. ACS 5 is a new appliance and migration is not fully automatic; you really have to plan the whole thing.
