AAA / adding additional ACS server

Hello guys,

Please find the proposed AAA setup plan attached. We have used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a newer ACS apart from the existing two and need to point all the data centre devices to the new ACS server.

Is it possible to set up groups of multiple devices and a separate ACS server for the defined groups? If possible, please let me know the commands, and if not, please let me know the other ways.

I hope you can understand my needs and the current configuration. PFA.

Thanks in advance!

Best regards

Anurag.K

Hi Anurag,

You can add the new ACS/TACACS+ server and put this server at the top of the sequence.

tacacs-server host 10.16.2.10
tacacs-server host 10.16.2.8
tacacs-server host 10.16.2.9
tacacs-server key xxxxx

If you really want to create a separate group for the new ACS/TACACS+ server, then you need the configuration shown below.

aaa group server tacacs+ GROUP1
 server 10.16.2.8
 server 10.16.2.9
aaa group server tacacs+ GROUP2
 server 10.16.2.10
aaa authentication login default group GROUP1 group GROUP2 line

Let me know if you have any doubts.

~ BR
Jatin kone
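As an added illustration (not code from the original thread or from Cisco), the following Python model walks an `aaa authentication login` method list the way IOS does: server groups in configured order, the next server or method consulted only when the previous one does not answer, and an explicit reject ending the attempt. It covers the group ordering asked about in this thread and the local-fallback question that comes up again in the similar questions below. All class and function names, the hosts, users and passwords are constructed assumptions; `enable` and `line` are modelled as simple shared secrets.

```python
# Added illustration of how Cisco IOS walks an "aaa authentication login"
# method list across TACACS+ server groups. Not Cisco code; every host,
# user name and password below is constructed sample data.
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    host: str
    reachable: bool = True
    users: dict = field(default_factory=dict)   # constructed user database

    def authenticate(self, user, password):
        # No answer from the server is ERROR; a reachable server answers
        # PASS or FAIL (an explicit reject).
        if not self.reachable:
            return ERROR
        return PASS if self.users.get(user) == password else FAIL


@dataclass
class ServerGroup:
    name: str
    servers: list

    def authenticate(self, user, password):
        # Servers are tried in configured order; the next server is used
        # only when the previous one did not respond.
        for server in self.servers:
            result = server.authenticate(user, password)
            if result != ERROR:
                return result
        return ERROR


def parse_method_list(command):
    """'aaa authentication login NAME group G1 group G2 local' ->
    (NAME, ['group:G1', 'group:G2', 'local'])."""
    words = command.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("not an aaa authentication login command")
    name, rest = words[3], words[4:]
    methods = []
    while rest:
        keyword = rest.pop(0)
        if keyword == "group":
            if not rest:
                raise ValueError("'group' needs a group name")
            methods.append("group:" + rest.pop(0))
        elif keyword in ("local", "local-case", "enable", "line", "none"):
            methods.append(keyword)
        else:
            raise ValueError("unknown method " + keyword)
    return name, methods


def evaluate(methods, groups, local_users, secrets, user, password):
    """Return (result, method). IOS semantics: the next method is consulted
    only when the previous one returned ERROR; an explicit FAIL ends the
    attempt, so 'local' never rescues a password a reachable ACS rejected.
    (ERROR, None) means every method was unreachable and login is refused."""
    for method in methods:
        if method.startswith("group:"):
            result = groups[method[len("group:"):]].authenticate(user, password)
        elif method in ("local", "local-case"):
            result = PASS if local_users.get(user) == password else FAIL
        elif method in ("enable", "line"):
            result = PASS if secrets.get(method) == password else FAIL
        else:  # none
            result = PASS
        if result != ERROR:
            return result, method
    return ERROR, None


def has_fallback(methods):
    """True when the last method works without any AAA server."""
    return bool(methods) and not methods[-1].startswith("group:")


def demo(group1_up=True, group2_up=True, user="anurag", password="correct",
         command="aaa authentication login default group GROUP1 group GROUP2 local"):
    """Constructed setup mirroring the thread: GROUP1 holds the two existing
    ACS servers, GROUP2 the new one, local users are the last resort."""
    acs_users = {"anurag": "correct"}
    groups = {
        "GROUP1": ServerGroup("GROUP1", [
            TacacsServer("10.16.2.8", group1_up, acs_users),
            TacacsServer("10.16.2.9", group1_up, acs_users)]),
        "GROUP2": ServerGroup("GROUP2", [
            TacacsServer("10.16.2.10", group2_up, acs_users)]),
    }
    local_users = {"admin": "localsecret"}     # constructed local account
    secrets = {"enable": "enablesecret", "line": "linepw"}
    _, methods = parse_method_list(command)
    return evaluate(methods, groups, local_users, secrets, user, password)


if __name__ == "__main__":
    print(demo())                                      # ('PASS', 'group:GROUP1')
    print(demo(group1_up=False))                       # ('PASS', 'group:GROUP2')
    print(demo(password="wrong"))                      # ('FAIL', 'group:GROUP1')
    print(demo(False, False, "admin", "localsecret"))  # ('PASS', 'local')
```

The third demo case is the one that usually surprises people: when the first group is reachable and rejects the password, `local` is never tried, so a working local account only helps while every server in every group is unreachable. `has_fallback` is a quick check that a method list does not end in a server group, which would lock administrators out when all ACS servers are down.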


Tags: Cisco Security

Similar Questions

  • Enable AAA fails on the second ACS server

    I have 2 Windows 2003 ACS 4.2 servers, which authenticate with AD. I have configured TACACS+ authentication for both on my PIX 515 running version 7.24. TACACS+ authentication works fine on both. However, when I use 'aaa authentication enable console ProsperAdminAuth LOCAL', the enable password only works with the first ACS server. When the first server is unavailable, it fails on the second ACS server and the ACS reports the failed authentication as "ACS invalid password". It does not allow the LOCAL password. I checked all the passwords and there is no problem there. I know that much because TACACS+ auth works. Has anyone seen this issue elsewhere, or know what I might try?

    Thank you

    Vivek

    Hello

    The external database configuration is not replicated between ACS servers, so my guess here is that on your secondary ACS, if you go to External User Databases -> Unknown User Policy, you will find that under "Configure Enable Password Behavior" you are on "internal database" instead of "the database in which the user profile is held".

    -Jesse

  • ASA - added a public server and it is limited to this traffic

    I added an internal e-mail server to a brand new ASA5510 today. I used the GUI because it is a fairly simple installation. In any case, I added a mail server to allow port 25 inbound on a static NAT address dedicated to this server. But now this server cannot do anything on the internet: no browsing, no DNS lookups, etc. The server is also the internal DNS server. What am I probably missing?

    Hello

    It is not about the MAC address; it is about proxy ARP.

    • Addresses on the same network as the mapped interface.

    If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the ASA does not have to be the gateway for any additional networks. This solution is ideal if the outside network contains an adequate number of free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT. Dynamic PAT greatly extends the number of translations you can use with a small number of addresses, so even if the available addresses on the outside network are few, this method can be used. For PAT, you can even use the IP address of the mapped interface.

    Note: If you configure the mapped interface to be any interface, and you specify a mapped address on the same network as one of the mapped interfaces, then if an ARP request for that mapped address arrives on a different interface, you need to manually configure an ARP entry for that network on the ingress interface, specifying its MAC address (see the arp command). Typically, if you specify an interface for the mapped interface, then you use a unique network for the mapped addresses, so this situation would not occur.

    • Addresses on a unique network.

    If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The upstream router needs a static route for the mapped addresses that points to the ASA. Alternatively, for routed mode, you can configure a static route on the ASA for the mapped addresses and then redistribute the route using your routing protocol. For transparent mode, if the real host is directly connected, configure the static route on the upstream router to point to the ASA: specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.

    Mapped addresses and routing

    http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa91/configuration/firewall/asa_91_firewall_config/nat_overview.html

    HTH

    Sandy

  • SSH no longer works after the ACS server "locked up" and had to be reconfigured.

    Hello

    I have a VPN tunnel between an ASA5520, and a Cisco 891.

    I had the 891 configured with the following:

    aaa group server tacacs+ VTY
     ip tacacs source-interface Loopback0
    !
    aaa group server tacacs+ TACACS-ACS
     server 10.8.x.x
     server 10.16.y.x
    !
    aaa authentication login CONSOLE none
    aaa authentication login VTY group tacacs+ local
    aaa authorization exec VTY group tacacs+ local
    aaa authorization commands 0 VTY group tacacs+
    aaa authorization commands 15 VTY group tacacs+
    aaa accounting commands 15 VTY stop-only group tacacs+
    aaa accounting commands 15 CONSOLE stop-only group tacacs+
    !
    ip tacacs source-interface Loopback0
    !
    tacacs-server host 10.8.x.x key 7 yadayadayadayada
    tacacs-server host 10.16.y.x key 7 yadayadayadayada
    tacacs-server directed-request
    !
    line vty 0 4
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh
    line vty 5 15
     access-class 1 in
     authorization commands 15 VTY
     authorization exec VTY
     accounting commands 15 VTY
     login authentication VTY
     transport input ssh

    I can't access the device remotely. I'm sure it has to do with the ACS server, but I don't know where to look.

    Any help would be greatly appreciated.

    Hello

    When you say you cannot access the device remotely, are you not able to SSH to the device, or is there no reachability at all?

    Is SSH the problem while you do get a login prompt? Any error message? Also, have you checked whether ACS has any logs for the attempts?

    Regards

    Najaf

  • ACS server 4.2 design question - is role-based a limitation?

    Currently, I've implemented this ACS server as follows.

    An ACS group maps to an Active Directory group. For example, the ACS group router_access maps to the AD group called $f(gbr)raccess. If a user tries to connect to a router and has this group in their AD profile, they are accepted, and if not, rejected.

    If, for example, I want to revoke or allow access to some devices, I use NARs (for example, accept connections from switch and router devices).

    It works, but apparently this isn't the way I should be doing things.

    The best way is to have an AD group per device group.

    E.g. for access to routers, you must have the group $g(t)routers in your AD profile.

    To get access to switches, the group $g(t)switch must be in your AD profile.

    Now we hit the problem: the ACS will use the first group in your AD profile to apply pass/fail.

    So say John has the $g(t)routers and $g(t)switch groups in his AD profile. When he tries to connect to a switch, the ACS attempts to use $g(t)routers because it's the first ACS AD group in his profile. Subsequently it fails, which means that ACS will not look through several AD group policies.

    I hope this makes sense.

    Anyway, I can't get it to work because it keeps failing!

    Hi Will,

    This is a limitation of how ACS 4.x performs operations. It decides everything based on your local user group on ACS as opposed to your AD groups, so the group mapping comes first and everything else comes later.

    If you use RADIUS (this does not apply to TACACS+) you may be able to use the Network Access Profile feature to substitute some access. For example, if you can tell that the user is in the local group but the authentication comes from a certain type of device, you can send different attributes. However, in terms of blocking, it is always based on the local group you are a member of. It can do some additional LDAP group checking, but I don't know if that will solve your problem.

    ACS 5.x takes this to a new level: the entire platform is built like the network access profiles, so you can make rules as granular as you want. That is to say: if you are in a specific AD group (no need to map; we can retrieve external groups) and it is a router, then go down a permission set with a Pass. If it is a different AD group (or a different device type), then send a failure.

    Thank you

    Nate

  • local user name and password if the ACS server fails

    Hello

    I have every router and switch configured for login authentication via the ACS server. I used the 12 lines below and it works very well. Each engineer has their own account.

    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common

    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key whatever

    ----------------------------------------------

    I would like to add to this a local username and password so that if the ACS server is offline, engineers can still connect with a known default username and password.

    username MYUSERNAME privilege 15 secret mypassword

    line vty 0 4
     login local

    Q. How do I make ACS the first preference and have login use only the local username and password if the ACS server is down?

    Kind regards

    Kevin

    Right now you have the enable password as the fallback method:

    aaa authentication login default group tacacs+ enable

    Change 'enable' to 'local' and the local (to the router) database of usernames and passwords is used.

    The same works for enable authentication (the second "aaa authentication ..." line in the config you posted).

  • ACS server replication request

    Hi all

    I have two ACS servers, primary & secondary. A new secondary server is to be deployed in the network. My primary ACS server has 1000 AAA clients configured with 15000 user IDs configured in several group profiles. My question here is: when I run the database replication between primary and secondary, is the whole database replicated from my primary server to the secondary, i.e. all AAA clients and configuration etc., or will it only be the end users and group profiles, and does replication have database restrictions?

    In total: will the AAA clients & user IDs be in the backup of one database, or will they reside in different locations?

    Kindly clarify this for me, thanks.

    Hello

    The entire database will be overwritten when a restore of the database is done.

    ACS database replication allows you to copy various components of the ACS internal database to other ACSs. This can help you plan a failover AAA architecture and reduce the complexity of your configuration and maintenance tasks.

    The components that can be replicated are:

    • User and group database
    • Group database only
    • Network Configuration Device tables
    • Distribution table
    • Interface configuration
    • Interface security settings
    • Password validation settings
    • EAP-FAST master keys and policies
    • Network Access Profiles
    • Logging configuration (enable/disable settings)

    The following link will give you the details of database replication.

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as solved if you feel that your query is resolved. Rate helpful posts.

  • Configuring the ACS server on windows server

    Hello

    I have started preparing for my CCNA Security and tried to configure AAA using ACS 4.2 on Windows Server 2003.

    I configured the router to use AAA authentication from the ACS server following the CBT Nuggets lab.

    I checked reachability from the ACS server to the client router and vice versa, and also the configuration.

    The problem is that I'm not able to authenticate using the ACS server; the router uses local authentication and I have no idea why the router does not communicate with the ACS server.

    Help PLZ.

    My router's AAA configuration:

    ===============================================

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login exact group tacacs+ local
    aaa authorization exec default local

    tacacs-server host 192.168.1.25 single-connection key ciscoacs   --> (192.168.1.25 is the ACS server; the key configured on the ACS server is also ciscoacs)

    line vty 0 4
     login authentication exact

    ================================================

    I created a user on the ACS server, and I believe that when I try to telnet to the router I should use the username and password configured on the ACS server.

    When I try to use them, authentication fails. Also, if the router accepts the locally configured user details, then I think there was no communication between the router and the ACS server; otherwise TACACS+ would be used for authentication, and only if there is no communication between the router and the ACS server should it fall back to the local user.

    Please help me.

    Reports and Activity --> Passed Authentications

    Reports and Activity --> Failed Attempts

    Rating helpful answers is more useful than saying "thank you".

  • ACS server not available

    PIX 525 configured for TACACS+ authentication for telnet, SSH etc. access to the PIX. If the Cisco ACS server is not available, can I use the local user database as I do in the router world? I saw no reference to this.

    AAA fallback was introduced in PIX OS 6.3(4). This isn't something I've tried, but this excerpt from an earlier discussion may help you:

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dd60f3e/0#selected_message

    Cheers

  • HTTP on ACS server

    Hello

    I installed a Cisco ACS server. I am able to use "remote desktop" to the server and then HTTP to it from there; however, what can I do if I want to HTTP to the ACS application directly?

    Rgds

    Hello

    http://: 2002

    HTH

    PJD

  • PuTTY and password change issue ACS server

    When a new user is created with the checkbox 'Must change password at next logon' checked, ACS does not allow the user to change the password. The password prompt displays an access denied message. Could someone point me in the right direction to solve this problem?

    I created a new account on the Cisco ACS server and checked the box "user must change password at next logon". I then used SSH with PuTTY to test the newly created user account. When I SSH to the Cisco devices [switch or router], the password prompt appears and asks me to type the new password. Once I do this I get an access denied message.

    It worked fine with SecureCRT. But users do not have SecureCRT; they are supposed to use PuTTY. Users can log in to devices using PuTTY. The problem is when we try to change the password.

    ACS Version: ACS 4.0

    Thank you

    Nachi

    When a user connects over SSH to the system and uses an expired TACACS+ password, they are prompted to change their password. However, this password change does not work correctly.

    To resolve this problem, you must have SSH v2 with "keyboard-interactive" authentication set for SSH v2. Cisco bug ID CSCin91851 addresses this problem.

    Symptom:

    When the router is used as an SSH server and is authenticating with a normal SDI/RADIUS backend, authentication works. However, neither the new PIN mode nor the next token mode dialogue completes successfully.

    Conditions:

    The problem only occurs in new PIN mode or next token dialogue mode.
    Specific to SSHv2.

    Workaround:

    Use telnet for authentication, or define the vty lines to authenticate against a RADIUS
    (non-SDI) server instead.

    Further problem description:

    Not all SSH clients support the dialogue needed for the new PIN mode or next token mode to work.

  • Where does the ACS server get the DNS info for the IP pools?

    I'm changing the DNS servers that my VPN users are assigned from the IP pools on the ACS server. Where do the IP pools get the DNS server information? I changed the DNS IP addresses on the Windows server and rebooted. But VPN clients are still assigned the old DNS servers.

    ACS IP pools do not carry the DNS server information.

    It is either passed from the group setup on the VPN concentrator, or

    it is to be sent from the ACS user/group setup > RADIUS (VPN 3000) attributes > [026/3076/005] Primary DNS.

    I hope this helps.

    Regards

    Rohit

  • Adding additional disk space to Perc 6 / i server R710

    I currently have 3 x 250 GB disks installed as a RAID 5 (original configuration) on an R710 server with a PERC 6/i controller. I ordered 3 more disks (same drives) as we are running out of disk space. There is a C: and a D: drive set up. Can someone point me to instructions for adding these additional disks to the existing RAID (drive D) without data loss?

    Thank you

    Gary

    If you only have the one 'disk' listed in Disk Management, then you have only a single VD configured, which is good.

    You need to install OMSA to expand your VD. Then insert your new drives, make sure they show as Ready under Physical Disks, then go to Virtual Disks and select Reconfigure on your RAID 5. Adding two drives to your RAID 5 will add about 500GB (bit math makes it a little less) to your current Windows 'disk'. After the reconfigure, you will have something similar to the picture below. Then, assuming you are not running 2003, you right-click the D: drive and choose Extend to finish with the second picture:

  • Secure ACS 5.7 - adding a secondary server to the primary

    Hello.

    I recently set up two Secure ACS 5.7 primary servers. I want to make one of the primary servers a secondary server. When I try to register it to the primary, I get the following message:

    This failure has occurred: Save failed due to invalid certificate. Your changes have not been saved.

    Both servers have valid certificates. But other than extending the validity of the cert, no other changes have been made.

    Any ideas please?

    Thank you

    Daniel

    Hello Daniel,

    For the Trust Communication option to work, it is necessary to use certificates signed by a CA, either external or internal, and in addition you must import the respective issuer root/intermediate certificates under the "Users and Identity Stores > Certificate Authorities" section on both ACS servers.

    Alternatively, you can choose not to use the "Trust Communication" feature by going to "System Administration > Configuration > Global System Options > Trust Communication Settings" and unchecking the check box for the feature.

    Note: Please mark as answered as appropriate.

  • Adding additional drives to the content server

    I intend to order the TCS appliance model (TCS-C220-PROBUN-K9). But the requirement is to have more than 2 TB of hard drive in this server. The appliance model comes with 600 GB of hard drive capacity (2 x 600 GB in RAID 1). I would like to add 6 more 600 GB hard drives, as there are 6 free slots on the server. Is this possible? If so, may I know the part number for the hard drive? Thanks in advance.

    Although you may be able to do this, it is not a supported Cisco configuration.

    The way to make additional storage available for a Content Server is to store the data on external NAS.

    Refer to the "Setting Up External Media Storage" section of the Administration Guide.

    Wayne
    --
    Remember to rate responses and mark your question as answered as appropriate.
