ACS 4.2 and EAP-TLS with AD and prefix problem

Hello

We have the following situation:

- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A

- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B.

First of all, is there a problem with having an ACS SE and an ACS working together for one domain? Before, when we had only one domain and the two ACS SEs were responsible for domain A, it worked.

Now, after the changes, machine authentication with EAP-TLS no longer works. The logs always say "external user DB is unknown" for a username (machine) such as host/abc.domain.ch.

This is the normal output of the Remote Agent; it finds the host, but then nothing happens:

CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating domain cache
CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: User "host/abc.domain.ch" found [DOMAIN]
CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent

So I ran a test from the ASA to see whether the host is the problem (before the changes it was not a problem):

test aaa-server authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA converts the host/ entry into the correct Windows form with the $):

CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating domain cache
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: Retrying authentication to the domain
CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent

It is clear that the test failed because of the wrong password for the computer account, but it is a different output than before. I saw that in ACS 4.1 you can change the send_break_action prefix to nothing, but in 4.2 this is no longer possible.

Could this be the problem, or does someone see another problem?

Best regards

Dominic

Hello

I am encountering the same problem with my ACS. All the attempts fail for the default group. For the default group, the configuration is not available. Is this the reason behind all this?
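To make triage of such Remote Agent output repeatable, here is an added example (not from this thread and not Cisco code): a small Python parser that groups CSWinAgent lines by worker thread, records which RPC was requested, which user was looked up or authenticated and any Windows error code, plus a helper that performs the host/<fqdn> to <HOST>$ mapping the post describes the ASA doing. The sample lines are constructed from the excerpts above with the tokens put back in order; the field layout, the optional component prefix and the mapping rule are assumptions.

```python
"""Triage of Cisco ACS Remote Agent (CSWinAgent) log lines for machine authentication.

Added example, not part of the original thread. SAMPLE_LOG is constructed from the
excerpts in the post (same thread ids and messages, tokens in the usual field order).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_LOG = """\
CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating domain cache
CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: Loading domain cache
CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: No trusted domains found
CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: User "host/abc.domain.ch" found [DOMAIN]
CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent
CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: Retrying authentication to the domain
CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempt for user ABC$
CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326L)
CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent
"""

# Assumed field order: agent, date, time, message id, thread id, flags, [component:] message.
LINE_RE = re.compile(
    r"^CSWinAgent (?P<date>\S+) (?P<time>\S+) (?P<msgid>\d{4}) (?P<thread>\d+) "
    r"0x[0-9A-Fa-f]+ (?:(?P<component>\w+): )?(?P<message>.*)$"
)

# Win32 error 1326 is ERROR_LOGON_FAILURE (unknown user name or bad password).
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE"}


def machine_account_from_identity(identity: str) -> Optional[str]:
    """Map an EAP-TLS machine identity 'host/<fqdn>' to the SAM account name '<HOST>$'.

    Assumed rule (what the post says the ASA does with the host/ entry): take the short
    host name, upper-case it and append '$'. Returns None for user identities.
    """
    if not identity.lower().startswith("host/"):
        return None
    short_name = identity[len("host/"):].split(".", 1)[0]
    return short_name.upper() + "$"


def parse_lines(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per well-formed CSWinAgent line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def summarize(text: str) -> Dict[str, dict]:
    """Group records by worker thread: request type, users seen, users found, failure codes."""
    sessions = defaultdict(lambda: {"request": None, "users": [], "found": [], "failures": []})
    for rec in parse_lines(text):
        s = sessions[rec["thread"]]
        msg = rec["message"]
        m = re.match(r"(NT_\w+) received$", msg)
        if m:
            s["request"] = m.group(1)
        m = re.match(r'User "([^"]+)" found', msg)
        if m:
            s["found"].append(m.group(1))
        m = re.match(r"Windows authentication attempt for user (\S+)", msg)
        if m and m.group(1) not in s["users"]:
            s["users"].append(m.group(1))
        m = re.search(r"FAILED \(Error (\d+)L?\)", msg)
        if m:
            code = int(m.group(1))
            s["failures"].append((code, WIN32_ERRORS.get(code, "unknown")))
    return dict(sessions)


if __name__ == "__main__":
    for thread, s in summarize(SAMPLE_LOG).items():
        print(thread, s["request"], s["users"] or s["found"], s["failures"])
    print(machine_account_from_identity("host/abc.domain.ch"))
```

Run over the two excerpts, thread 3512 shows an identity lookup (NT_DSAuthoriseUser) that finds host/abc.domain.ch but records no authentication attempt at all, while thread 3728 shows two password attempts for ABC$ that fail with ERROR_LOGON_FAILURE; the summary makes that difference visible at a glance when the raw log is long.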

Tags: Cisco Security

Similar Questions

  • EAP-TLS authentication with ACS 5.2

    Hi all

    I have a question on EAP-TLS with ACS 5.2.

    If I want to implement EAP-TLS with a Microsoft CA, how will computer and user authentication be handled?

    I understand that the certificate is required on the client and on the server end, but is this certificate bound to the computer or to individual users?

    If it is bound to the user and I have a PC shared by a few users, does each user account have its own certificate?

    And does each individual user have to get the CA cert manually? Is there another method, as my environment has more than 3000 PCs?

    And also, if it is bound to the user, any user can get their CA cert with their AD username and password; if they bring in their own device and try to get the CA certificate, they will be able to install the cert properly on their device, right?

    I hope you guys can help with that. Thank you.

    Hope this will answer most of your questions:

    Client or user certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10

    Computer certificate

    http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15

    In the case of EAP-TLS, we have the computer and user certificates installed on the machines.

    Kind regards

    Jousset

    - Rate useful posts -

  • Authentication between ACS and AD

    Hello

    I would like to know what kind of authentication mechanism ACS 5.1 uses to talk to Active Directory. Does it simply use MSCHAP, MSCHAPv2 or PAP? By default, it uses PAP to talk between Cisco IOS and the ACS 5.1.

    If you look at the default admin tab and click on allowed protocols, it mentions PAP.

    Should I use a secure means of transport between the ACS and AD? So, can anyone tell me the authentication mechanism?

    Thank you

    Any admin session, such as telnet, SSH and console, always uses PAP as the authentication method.

    PAP communication can be captured and read in clear text in this case. However, since we use TACACS+, it always encrypts the whole packet with the shared secret defined on the IOS and the ACS/TACACS+ server, so if you capture traffic between the RADIUS server and the device you won't be able to decipher it without the key.

    In case you have RADIUS, then use SSH (PuTTY), which helps you get secure communication.

    ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

    However, administration does not work with any authentication method other than PAP.

    HTH

    Regards,

    Jousset

    Rate useful posts ~

  • AAA test command for EAP-TLS authentication of wireless users

    Hi all

    Can anyone suggest the test command to verify EAP-TLS authentication for Cisco WAP wireless?

    If it's an authentication hop, we can use the command below to test the connection:

    Testwap-01#test aaa group radius [email protected] /*/o4&yJ)NoL$%0 new-code
    Trying to authenticate with the radius server group
    User successfully authenticated

    But EAP-TLS does not come with a password. It insists on the user name only.

    We are targeting a remote location, so we want to test remotely before production.

    Could someone please help with this, if there is a test command or debug command to test this authentication?

    EAP-TLS requires a client certificate. How could you have a simple command that tests this without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy-to-deploy EAP method: it can go wrong on several levels.

    The test aaa command performs a PAP authentication, therefore it tests the basic RADIUS connectivity and the username and password.

    If it works, the only things that can break for EAP-TLS are the certificates, and the RADIUS server will be able to tell if something is wrong.

  • 802.1X with ACS and Windows AD

    Hello

    I'm trying to configure 802.1X with ACS 5.2, but I am getting it wrong, as it is very different from ACS 4.2.

    I joined the ACS to the domain and think that I set up the external identity store; however, when I try to authenticate a PC using PEAP (EAP-MSCHAPv2) authentication, I get failure reason 22056: Subject not found in the applicable identity store.

    Marco

    Hi Marco,

    I guess you missed a mapping configuration in the Section of access policy.

    Create an Access Service named AS-802.1X, select User Selected Service Type and select Network Access. Select Identity and Authorization as the policy structure. Select PEAP as the allowed protocol. Click Finish.

    You will see the new service; click on Identity.

    Select the identity source you have created, then save.

    Click Authorization.

    Select Permit Access as the default authorization rule and save.

    Create a Service Selection rule named 802.1X.

    Select Protocol RADIUS as a condition, and as a compound condition select RADIUS-IETF:Service-Type match Framed, then select the service that you created before.

    Then you can try again.

    Regards

    Alex

  • ACS 4.1 and 802.1X dynamic VLAN assignment

    Hi guys,

    A customer wants to implement dynamic VLAN assignment with 802.1X. The customer has the following equipment: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, and several Cisco routers and switches.

    Now, the questions are: can we implement dynamic VLAN assignment without a NAC appliance, and the customer also wants to distinguish between clients with current antivirus signatures and old signatures. Older clients are only to be allowed access to the antivirus server for the signature update and, if everything is OK, to get access to the internal network.

    How could we implement this without new hardware or software?

    Any ideas? Thanks for help.

    René

    You can have a look at the NAC Framework. If you only want to posture-validate wired clients, then there are no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

    http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

    I suggest you prototype it and see what you think; the good thing is that you can deploy on a per-switchport basis, so you can do the setup on ACS without disturbing what is there already and apply it by configuring the switch.

  • ACS 4.1 and Windows AD authentication

    Hi all

    I want to install an ACS 1113 and will authenticate users through AD.

    Is it preferable to install the remote agent on a domain controller or on a member server? What are the pros and cons?

    Thank you

    Randall

    Randall,

    You can install it on the DC or on a member server. My suggestion would be to install it on a member server, so that the domain controller can use its resources for domain activities.

    Kind regards

    ~ JG

    Rate useful posts

  • ACS privilege level and command sets

    Hi all

    I was put in charge of implementing ACS 5.6 in order to allow members of MS domain security groups specific command access to our equipment. I have the domain association and the groups added, and I have an access policy with a rule that works, so my domain test account can connect to the switch and perform only the commands in my command set.

    The problem is that when I assign a shell profile with privilege level 7 min/max to the rule and the user logs in with this level, they are unable to see the commands that I allowed in the command set. Is it possible to have the ACS tell IOS to automatically make the commands of a specific privilege level visible when the user connects, even if they are not at that privilege level?

    Any help greatly appreciated,

    Chris Menuey

    Since you're using command authorization and restricting the user to certain commands, why use privilege 7 and not 15?

    ~ Jousset

  • ACS 4.2 and Kaspersky antivirus

    Hi all

    I want to install Kaspersky Anti-Virus on ACS version 4.2 with Windows 2000.

    Is this applicable or not?

    Thanks in advance,

    Ayman Yehia

    Hi Ayman,

    As a general rule of thumb, there should be no limitation to installing Kaspersky on Windows 2000 with ACS 4.2.

    In the past, we have seen problems with some antiviruses, Norton for example, blocking the ACS services.

    Unfortunately, the AVs and their releases differ too much from each other to build a specific compatibility matrix.

    As said, nothing should prevent ACS 4.2 from working when Kaspersky is installed, as long as Kaspersky does not block specific ports/services.

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • ACS 5.3 and Enterasys A2 switch support

    Hi experts,

    I use ACS 5.3. I need to do MAC authentication on an Enterasys switch with Cisco ACS 5.3. I get the following error:

    Error parsing or unknown event type: xxxxxxxxxxxxx ERROR RADIUS: RADIUS packet contains invalid attributes. A failed request attempt: RADIUS dropped

    How can I integrate the custom attributes of the Enterasys A2 switch with Cisco ACS 5.3?

    Thank you.

    I think what you need to do is to define the vendor attributes for this device.

    This can be done as follows:

    Go to System Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA

    You can define the new RADIUS vendor by pressing 'Create'. Vendor ID is the assigned ID. Attribute prefix allows you to assign a standard prefix to all the attributes of this vendor. All RADIUS attribute names must be unique across all vendors.

    Once you have defined the RADIUS vendor, you can select it from the list and press 'Show Vendor Attributes'. You can now define the attributes of this vendor. This option is also available from the navigation on the left by choosing the vendor name.

    Note that removing vendor attributes takes a bit of time (a few seconds), so don't be alarmed.
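    To see concretely why a server without a vendor dictionary rejects such a request, here is an added example (not from this thread and not ACS code): a Python walk over the attribute section of a RADIUS packet that splits the RFC 2865 TLVs, decodes Vendor-Specific (type 26) attributes into Vendor-Id and vendor sub-attributes, and reports the Vendor-Ids that a local dictionary does not define. The dictionary and the packet are constructed; the Enterasys enterprise number 5624 is assumed from the public IANA registry and the vendor type 1 used for it is a placeholder, not a real dictionary entry.

```python
"""Report RADIUS Vendor-Specific attributes whose Vendor-Id has no local dictionary entry.

Added example, not from the thread or from Cisco ACS. KNOWN_VENDORS and
SAMPLE_ATTRIBUTES are constructed for the demonstration.
"""
import struct
from typing import Dict, List, Tuple

USER_NAME = 1          # RFC 2865 attribute types
VENDOR_SPECIFIC = 26

# Constructed local dictionary: 9 is Cisco's IANA enterprise number. The Enterasys
# enterprise number (5624, assumed from the IANA registry) is deliberately left out to
# mimic a server that has no Enterasys VSA definitions.
KNOWN_VENDORS: Dict[int, str] = {9: "Cisco"}
ENTERASYS_VENDOR_ID = 5624


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split RFC 2865 attribute TLVs; raise ValueError on a length that does not fit."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad length %d for attribute %d at offset %d" % (alen, atype, i))
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_vsa(value: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Split a Vendor-Specific value into (Vendor-Id, [(vendor type, data), ...])."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length %d" % vlen)
        subs.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def unknown_vendors(data: bytes, known: Dict[int, str] = KNOWN_VENDORS) -> List[int]:
    """Vendor-Ids carried as VSAs in the packet that the local dictionary does not define."""
    unknown = set()
    for atype, value in parse_attributes(data):
        if atype == VENDOR_SPECIFIC:
            vendor_id, _ = parse_vsa(value)
            if vendor_id not in known:
                unknown.add(vendor_id)
    return sorted(unknown)


def build_attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute TLV (the length byte counts the two header bytes)."""
    return bytes([atype, len(value) + 2]) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute carrying a single vendor sub-attribute."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    return build_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


# Constructed attribute section of a MAC-authentication request: User-Name set to the MAC,
# one Cisco VSA and one Enterasys VSA (vendor type 1 is a placeholder for both).
SAMPLE_ATTRIBUTES = (
    build_attr(USER_NAME, b"00-11-22-33-44-55")
    + build_vsa(9, 1, b"constructed-cisco-avpair")
    + build_vsa(ENTERASYS_VENDOR_ID, 1, b"constructed-enterasys-value")
)

if __name__ == "__main__":
    print("unknown vendors:", unknown_vendors(SAMPLE_ATTRIBUTES))
    with_enterasys = dict(KNOWN_VENDORS)
    with_enterasys[ENTERASYS_VENDOR_ID] = "Enterasys"
    print("after defining the vendor:", unknown_vendors(SAMPLE_ATTRIBUTES, with_enterasys))
```

    The first call reports 5624 as undefined, the second (with the vendor added to the dictionary, the equivalent of the RADIUS VSA step above) reports nothing; a malformed length byte raises instead of silently skipping, which is the safer behaviour for an authentication server.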

  • ACS 5.2 and Cisco ACE RBAC does not...

    Would be grateful for help here if it can be provided.

    I am configuring TACACS+ auth for a Cisco ACE through our ACS 5.2 server. I think I set everything up correctly, but when I connect with my TACACS+ account it gives me only network-monitor privileges.

    This is the ACE configuration I use:

    tacacs-server host 1.1.1.1 key XXXXXXXX
    tacacs-server host 2.2.2.2 key XXXXXXXX
    tacacs-server timeout 10
    tacacs-server deadtime 30
    !
    aaa group server tacacs+ ACS
      server 1.1.1.1
      server 2.2.2.2
      exit
    !
    aaa authentication login default group ACS local
    aaa authentication login console group ACS local
    aaa accounting default group ACS
    !

    This is the ACS configuration:

    When I connect to the ACE, I see it authenticating and pulling the right group in the ACS log:

    Logged at / Status / Details / User / Device name / Network device group / Service / Identity store / Identity group / Network access group

    Apr 30,13 8:57:40.566 AM  xxxckxxx  AFA-ACE-internal
        Device Type:All Device Types:Load Balance Devices, Network Location:Cameron Enterprises:Oklahoma:Data Center - 1  Device Access.TACACS
        AD1  All Groups:Administrator - Full  HAPP-CSACS

    Apr 30,13 8:52:20.256 AM  xxxckxxx  AFA-ACE-internal
        Device Type:All Device Types:Load Balance Devices, Network Location:Cameron Enterprises:Oklahoma:Data Center - 1  Device Access.TACACS
        AD1  All Groups:Administrator - Full  xxx movies

    Apr 30,13 8:43:43.276 AM  xxxckxxx  AFA-ACE-internal
        Device Type:All Device Types:Load Balance Devices, Network Location:Cameron Enterprises:Oklahoma:Data Center - 1  Device Access.TACACS
        AD1  All Groups:Administrator - Full  xxx movies

    But when I log in to the ACE and do a show users, I get:

    * xxxckxxx  Dev_VC  pts/2  Apr 30 09:57  (x.x.x.x)  Network-Monitor  default-domain

    I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

    Thank you.

    Well, it should work.

    Could you please check the TACACS+ logs of the ACS and verify in the log that the correct shell profile (the Administrator shell profile) is being selected.

    This can be checked under:

    Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authorization

    Also provide the output of

    show running-config domain

    Would appreciate if you can share the result here.

    Jatin kone

    - Rate useful posts -

  • Problem with EAP-TLS over wireless before Windows logon

    Let me begin with a list of equipment:

    5508 WLC

    3502i AP

    Cisco ACS 5.3

    Clients Windows 7

    The WLAN is set up with WPA2/AES with 802.1X for key management.

    The client is set up with WPA2/AES; the authentication method is Microsoft: Smart card or other certificate on the computer. The authentication mode is User or computer authentication. The client is configured to use a certificate on the computer. It only works if User or computer authentication is selected. If I use the Computer authentication option, it says that it cannot find a certificate to use for EAP.

    ACS is configured to allow only the EAP-TLS protocol.

    We have created a stand-alone CA server and distributed root CA certificates and client authentication certificates to all test systems.

    This whole process with EAP-TLS works very well if you are already logged on to the machine with cached credentials. Once I log off the Windows 7 client, I lose the connection to the WLAN. We want to stay connected to the WiFi network. PEAP/MSCHAPv2 works very well for staying connected to the WLAN, but we want to use EAP-TLS.

    Any ideas?

    Thanks in advance,

    Ryan

    Hi Ryan,

    You actually answered your own question :) The reason for the failure is that the computer account doesn't have a certificate, so when your user logs off, the computer account cannot connect to keep the session going, and so you are disconnected. Provide the computer account with a certificate and your problem will be solved.

    Richard

  • EAP-TLS with WLC 4404 (which Layer 2 option to choose)

    Hi all

    I want to set up a WLAN that uses EAP-TLS.

    WiFi PC <-----> LWAP <------> WLC <----> RADIUS server

    On the Layer 2 security tab on the WLC, which option should I use for the following:

    Layer 2 Security (I'm assuming WPA+WPA2, as that is what the laptops will use)

    Auth Key Mgmt?

    I'm a little confused by 802.1X appearing in two of these fields, one under Layer 2 security and one under Auth Key Mgmt.

    Thanks a lot indeed, guys,

    Ken

    You would choose Layer 2 security: WPA+WPA2.

    Then in the WPA+WPA2 parameters choose WPA2 policy with WPA2 encryption. Under Auth Key Mgmt select 802.1X.

    Now, if you need to use the WPA policy, then also choose TKIP for it.

    Then choose your RADIUS servers on your AAA Servers tab.

    That's all.

  • EAP-TLS with ISE

    I read the Cisco ISE for BYOD guide and am trying to create an authentication policy for the EAP-TLS protocol. When I create the new policy and add a new condition, and then go to Network Access, EapAuthentication is not an option. I also went to Policy Elements and created a new compound authentication condition, added to the library. When I try to add it to my authentication policy, it does not select it and says only the relevant conditions are selectable. Am I missing a step somewhere?

    Any help is greatly appreciated and thanks in advance!

    Hello

    If you want to use a different identity store for BYOD devices, all you have to do is change the default dot1x rule and add a condition above your default state/identity store.

    Add a certificate attribute value (SAN/Issuer, etc.), depending on what your differentiator is between BYOD devices and assets.

    Please see the attached screenshot.

  • BIOS beeps and graphics problem

    1. When I start my computer (h9-1350), I get 6 short beeps, the computer pauses for just half a minute, then continues to boot normally. I think it has something to do with the keyboard. I tried two different keyboards: the USB keyboard provided with the computer and the K750 solar keyboard from Logitech. Sometimes an error message also appears, which I did not copy, but the message said something about a keyboard.

    2. I can't get into the BIOS to do the steps the HP FAQ website provides for installing a replacement video card. As the computer does the 6 beeps and then boots normally, apparently it does not get to the setup screens to access the BIOS.

    The computer is an HP h9-1350 with Win8.

    H9-1350 HP / Intel i7 3770 / 12 GB
    Windows 8 / HP w2207 monitor / Radeon 6870
    Keurig ready for a coffee or Cup of hot tea

    Okay, I think we have a fix. I found the LEGACY setting (just above) and set it to Enable. I replaced the OEM video card with my Radeon 6870 and it booted right up without beeps. Thanks for the help.

    BTW, where can I find more information about this 'new' (for me at least) UEFI BIOS? I had no idea Win8 made this change.

    Thanks again.
