ACS 4.0 and IBM TSCM

Hello

I am trying to load the NAC attributes for IBM Corporation (TSCM) from the FTP site (the NAC posture attributes), but they do not appear in the system under

System Configuration -> Logging -> CSV Failed Attempts configuration or CSV Passed Authentications configuration.

My server is an ACS 4.0 appliance. On ACS 3.3 my NAC attributes work fine.

[attr#0]
vendor-id=2
vendor-name=IBM Corporation
application-id=50
application-name=SCM
attribute-id=00020
attribute-name=Policy Version
attribute-profile=out
attribute-type=string

[attr#1]
vendor-id=2
vendor-name=IBM Corporation
application-id=50
application-name=SCM
attribute-id=00021
attribute-name=Number of Violations
attribute-profile=out
attribute-type=unsigned integer

[attr#2]
vendor-id=2
vendor-name=IBM Corporation
application-id=50
application-name=SCM
attribute-id=00010
attribute-name=Action
attribute-profile=out
attribute-type=string

I loaded the attribute list for Symantec on ACS 4.0 and it is OK, but the one for Tivoli Security Compliance Manager doesn't work.

Please help me if you have a solution!

Thank you!

Hello

Well, yes, you can't have a space in the vendor name. In my case, after loading the file I did not have the attribute on the ACS appliance, but I could see it in logging. After rebooting the ACS it's OK.

I am also deploying NAC with IBM TSCM; can you share your experience? Which version of the TSCM client should we use? I can't get version 5.1.0, but it looks like version 5.1.2 and above is not needed, only the latest patch update can be applied.

Thank you
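The attribute definitions in the question use the [attr#N] section format that ACS 4.x reads when importing vendor/application AVPs for posture validation. As an added example, not code from this thread or from Cisco, here is a Python validator that parses such a file, flags a vendor-name containing whitespace (the problem the reply identifies), checks that each section has the expected keys, a numeric attribute-id and no duplicate attribute-id per vendor/application, and offers a rewrite that strips the whitespace. The accepted sets for attribute-profile (in, out, in out) and attribute-type (string, unsigned integer, version) are assumptions drawn from the entries above, and the sample file embedded in the script is constructed.

```python
"""Validate an ACS 4.x vendor AVP import file ([attr#N] sections).

Added example; not code from the original thread or from Cisco.
The accepted value sets below are assumptions drawn from the entries
posted in the thread, not an authoritative list.
"""
import re
from typing import Dict, List, Optional

REQUIRED_KEYS = (
    "vendor-id", "vendor-name", "application-id", "application-name",
    "attribute-id", "attribute-name", "attribute-profile", "attribute-type",
)
PROFILES = {"in", "out", "in out"}                  # assumption
TYPES = {"string", "unsigned integer", "version"}   # assumption

SECTION_RE = re.compile(r"^\[attr#(\d+)\]$")


def parse_avp_file(text: str) -> List[Dict[str, str]]:
    """Parse the INI-like file into an ordered list of attribute dicts."""
    sections: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"_index": m.group(1)}
            sections.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        current[key.strip().lower()] = value.strip()
    return sections


def validate(sections: List[Dict[str, str]]) -> List[str]:
    """Return human-readable problems; an empty list means the file is clean."""
    problems: List[str] = []
    for sec in sections:
        tag = f"[attr#{sec['_index']}]"
        for key in REQUIRED_KEYS:
            if key not in sec:
                problems.append(f"{tag}: missing {key}")
        vendor = sec.get("vendor-name", "")
        if re.search(r"\s", vendor):   # the failure mode from the thread
            problems.append(f"{tag}: vendor-name {vendor!r} contains whitespace")
        if sec.get("attribute-profile", "").lower() not in PROFILES:
            problems.append(f"{tag}: attribute-profile {sec.get('attribute-profile')!r} "
                            f"not in {sorted(PROFILES)}")
        if sec.get("attribute-type", "").lower() not in TYPES:
            problems.append(f"{tag}: attribute-type {sec.get('attribute-type')!r} "
                            f"not in {sorted(TYPES)}")
        if not sec.get("attribute-id", "").isdigit():
            problems.append(f"{tag}: attribute-id must be numeric")
    # Duplicate attribute-id within the same vendor/application pair.
    seen: Dict[tuple, str] = {}
    for sec in sections:
        ident = (sec.get("vendor-id"), sec.get("application-id"), sec.get("attribute-id"))
        if ident in seen:
            problems.append(f"[attr#{sec['_index']}]: duplicate attribute-id {ident[2]} "
                            f"(also in [attr#{seen[ident]}])")
        seen.setdefault(ident, sec["_index"])
    return problems


def fix_vendor_name(text: str) -> str:
    """Rewrite vendor-name values with all whitespace removed; other lines untouched."""
    return re.sub(r"(?im)^(\s*vendor-name\s*=\s*)(.+)$",
                  lambda m: m.group(1) + re.sub(r"\s+", "", m.group(2)), text)


# Constructed sample reproducing the vendor-name problem from the thread.
SAMPLE = """\
[attr#0]
vendor-id=2
vendor-name=IBM Corporation
application-id=50
application-name=SCM
attribute-id=00020
attribute-name=Policy Version
attribute-profile=out
attribute-type=string
"""

if __name__ == "__main__":
    for p in validate(parse_avp_file(SAMPLE)):
        print("PROBLEM:", p)
    print("after fix:", validate(parse_avp_file(fix_vendor_name(SAMPLE))))
```

Run it against the real import file before feeding it to ACS; the fixed output changes only the vendor-name line, so the rest of the file can be diffed to confirm nothing else moved.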

Tags: Cisco Security

Similar Questions

  • WLC / ACS / AD - domain and non-domain laptops (802.1X / PEAP)

    Hi all

    I am implementing a solution based on a 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WiFi networks (SSIDs): one that can be used by domain users on domain laptops, the other that can be used by domain users on personal laptops. Domain laptops will have full connectivity, but personal laptops will be restricted.

    I created the two SSIDs using 802.1X via ACS / Remote Agent and can authenticate and connect OK.

    I thought I should have user auth and machine auth for domain laptops but just user auth for personal laptops.

    I have unauthenticated machines go to one ACS group or get blocked, but I need to allow them in if they are on the restricted SSID. I can't quite work out how to have two SSIDs authenticating against the same ACS / AD, one green and the other.

    I'm on the right track?

    Anyone done this before or have any bright ideas?

    Cheers,

    John

    With SSID-based WLAN access, users can be authenticated based on the SSID they use to connect to the WLAN. The Cisco Secure ACS server is used to authenticate users. Authentication happens in two stages on the Cisco Secure ACS:

    1. EAP authentication

    2. SSID authentication via Network Access Restrictions (NARs) on Cisco Secure ACS

    For the design and configuration, the following URL can help you:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

  • TACACS+ auth-proxy on ACS 5.0 and later supported?

    The NAS is a 2801 with IOS 15.1 and ACS 5.3. I want to deploy auth-proxy using the TACACS+ protocol, but it does not work. Using RADIUS is OK.

    I want to know: is TACACS+ auth-proxy supported on ACS 5.0 and later?

    Thank you!

    TACACS+ auth-proxy is only supported from ACS 5.3 patch 5. Upgrade your ACS 5.x or use RADIUS for authentication proxy.

  • ACS, access service and authorization

    I'm running ACS 5.2 and trying to set up 3 new SSIDs, 2 of which are unsecured and 1 which is secure. I'm trying to understand the best way to authorize them based on which network they come in on. All authentication requests come from the same devices, the wireless LAN controllers, so NDG cannot be used as a criterion. I was looking at either creating 3 access services and using selection rules, or creating 1 access service and using authorization to choose. However, I can't find an attribute to use for determining which network they came from.

    Anyone have a suggestion for the best way to do it? I have

    Go to Policy Elements -> Network Conditions -> End Station Filters and create a CLI/DNIS rule that includes the SSID name, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (i.e., match whatever comes before the SSID name, then match the SSID). For example, if the SSID is called lab, you enter *lab.

    Then go to Access Policies -> Service Selection Policy and create a service selection rule that uses the End Station Filter as a criterion.
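    Both replies above (the SSID-based NARs on ACS 4.x and the End Station Filter on ACS 5.2) key off the RADIUS Called-Station-Id, which a WLC populates as the AP MAC followed by a colon and the SSID. As an added example, not from this thread or from Cisco, the following Python code applies end-station-filter style wildcard patterns in order, the way service selection rules are evaluated, and shows why a pattern like *lab also matches an SSID such as corplab, while *:lab does not. The request values and service names are constructed.

```python
"""Match RADIUS Called-Station-Id values against ACS end-station-filter style
wildcard patterns to pick a service, as a service selection policy would.

Added example; not code from the original thread or from Cisco. The WLC
Called-Station-Id format assumed here is "<AP-MAC>:<SSID>", for example
"00-1a-2b-3c-4d-5e:lab". The sample requests are constructed.
"""
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# (pattern, service) evaluated in order; first match wins, like ACS rules.
Rule = Tuple[str, str]


def select_service(called_station_id: str, rules: List[Rule]) -> Optional[str]:
    """Return the service of the first rule whose pattern matches, else None."""
    for pattern, service in rules:
        if fnmatchcase(called_station_id, pattern):
            return service
    return None


def split_called_station_id(value: str) -> Tuple[str, str]:
    """Split "<MAC>:<SSID>" into (mac, ssid); the SSID may itself contain ':'."""
    mac, sep, ssid = value.partition(":")
    if not sep:
        raise ValueError(f"no SSID in Called-Station-Id {value!r}")
    return mac.lower(), ssid


# The loose pattern suggested in the thread ("*lab") also matches any SSID
# that merely ends in "lab"; anchoring on the separator avoids that.
LOOSE_RULES: List[Rule] = [("*lab", "Lab-Secure"), ("*guest", "Guest-Open")]
STRICT_RULES: List[Rule] = [("*:lab", "Lab-Secure"), ("*:guest", "Guest-Open")]

SAMPLE_REQUESTS = [  # constructed
    "00-1a-2b-3c-4d-5e:lab",
    "00-1a-2b-3c-4d-5e:guest",
    "00-1a-2b-3c-4d-5e:corplab",
]

if __name__ == "__main__":
    for csid in SAMPLE_REQUESTS:
        mac, ssid = split_called_station_id(csid)
        print(f"{ssid:8} loose -> {select_service(csid, LOOSE_RULES)!s:11} "
              f"strict -> {select_service(csid, STRICT_RULES)}")
```

    The strict form is what to use when two SSIDs share a suffix; the loose form from the reply is fine only when no other SSID on the controller ends in the same string.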

  • ACS 5.4 and Juniper J-Web

    Hello

    I have set up an ACS 5.4 box and am testing devices against it.

    Cisco and Juniper both work well with TACACS+.

    I can connect to both using SSH or Telnet, but my problem is the Juniper J-Web GUI.

    I can access J-Web with no problem using the root account.

    I can't seem to make it work no matter what I try. Here is the shell of my ACS box

    And the following Juniper configuration. I tried to bind the local-user-name attribute to remote and remoteadmin with no luck. Anyone got any ideas how I can fix this? Or if it's even possible?

    version 9.6R1.13;
    system {
        host-name Juniper-firewall;
        authentication-order [ tacplus password ];
        root-authentication {
            encrypted-password "$1$1tRuy9o2$LwSPxNwe4XGNMOMIMo1pd1"; ## SECRET-DATA
        }
        tacplus-server {
            10.251.200.25 {
                secret "$9$zaUL6/AtuOIRS5QF/CuEhws2"; ## SECRET-DATA
                timeout 10;
                single-connection;
            }
        }
        accounting {
            events [ login change-log interactive-commands ];
            destination {
                tacplus;
            }
        }
        login {
            user admin {
                uid 2001;
                class super-user;
                authentication {
                    encrypted-password "$1$MNUZBLFW$X2sJL/UTgRYcgBNV4RLe.0"; ## SECRET-DATA
                }
            }
            user remote {
                full-name "Remote User";
                uid 2025;
                class operator;
            }
            user remoteadmin {
                full-name "Remote Admin";
                uid 2026;
                class super-user;
            }
        }
        services {
            ssh;
            telnet;
            web-management {
                https {
                    system-generated-certificate;
                    interface fe-0/0/0.0;

    I worked on an almost identical issue today and he confirmed that he is able to access J-Web with TACACS+ credentials. You can check the config here: https://supportforums.cisco.com/message/3953224#3953224

    From your config it seems that you have not defined/created classes as he did:

    for example:

    login {
        class CLASS-RO {
            permissions [ view-configuration ];
        }
        class CLASS-RW {
            permissions all;
        }
        user JUNOS-RO {
            uid 2000;

    Jatin kone
    - Please rate helpful posts -

  • Problem with ACS 4.0 and RSA Token Server

    Hello

    We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users against an RSA Token Server.

    Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points to the ACS server for RADIUS authentication. Now, it works very well for users with a static password defined in the ACS internal database. However, for obvious security reasons, we'd like to pass authentication on to our internal RSA server.

    I installed the RSA Agent on the same server as the ACS (after adding the sdconf.rec file to the System32 folder). The RSA server was added to the ACS external databases and a user configured to use the RSA Token server for the password.

    When we try to authenticate, the ACS fails the attempt with reason "External DB password invalid". The same user can authenticate successfully when using the RSA test authentication tool that is installed on the ACS server with the RSA Agent software.

    After running some debugs on a PIX in front of the servers, I see traffic to and from the servers when using the test tool (which works), but it looks like ACS doesn't even send traffic to the RSA server during authentication.

    Any help or advice appreciated.

    Thank you

    No no no no! NEVER use RSA with WiFi + PAP.

    The token + PIN can be sniffed and is good for 60 seconds... on WiFi that is disastrous.

  • SSL connection between Windows 2012 R2 and IBM HTTP Server fails periodically.

    Hi, I have a problem recently. I found that my Windows Server 2012 R2 has sometimes failed to connect to IBM HTTP Server over SSL. Here is the information on the two servers:

    1. Windows 2012 R2

    - TLS 1.2 and TLS 1.0 already enabled

    - Already on the latest Windows updates and restarted

    - IIS 8.5

    2. IBM HTTP Server

    - Apache 2.2.31

    - using OpenSSL 1.0.2f

    - TLS 1.2 and TLS 1.0 enabled

    I also captured network traffic between the two servers. If the SSL connection was created successfully, the traffic looks like the following screen:

    If the SSL connection could not be created, the network traffic looked like the below:

    You will see that the SSL connection failed when the TLS protocol version was changed to TLSv1, and access denied was returned. The details of the access denied were like the below:

    As in the captured screen above, you will see that the Client Hello was TLSv1.2 but running on record layer TLSv1. This Client Hello was sent by the Windows 2012 R2 server. I don't know why the SSL connection was suddenly changed to TLSv1.

    I found that Microsoft released an update on January 12, 2016. This fix concerns SSL session resumption. The update ID was 3109853, but I have already applied this update on my server. I tried the SSL connection with another type of server; the SSL connection was stable and the problem I mentioned did not happen. Has anyone met this case and finally resolved it?

    Hello

    Please post your question in the TechNet Server Forums, as your question is beyond the scope of these Forums.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home?category=WindowsServer

    Cheers.
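    The capture described in the post shows a ClientHello with TLSv1.2 in the handshake but TLSv1.0 on the record layer. Those two fields are distinct: RFC 5246 (Appendix E.1) allows a client to send its ClientHello with record-layer version 0x0301 while offering 0x0303 as client_version, so the two differing is not by itself a downgrade. As an added example, not from the original post, here is a Python parser that pulls both versions and the offered cipher suites out of a raw ClientHello record, so a capture can be checked against something more precise than a dissector summary. The record it parses is constructed in the script; the builder exists only to produce that sample.

```python
"""Parse the version fields of a raw TLS ClientHello record.

Added example; not code from the original post. Per RFC 5246 Appendix E.1
a client may put TLS 1.0 (0x0301) in the record-layer version of its
ClientHello while offering TLS 1.2 (0x0303) as client_version.
The sample record below is constructed.
"""
import struct
from typing import Dict, List

VERSION_NAMES = {
    (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2",
}
HANDSHAKE = 22      # TLS record content type
CLIENT_HELLO = 1    # handshake message type


def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown({major}.{minor})")


def parse_client_hello(record: bytes) -> Dict[str, object]:
    """Return record-layer version, handshake client_version and cipher suites."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length does not match payload")
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO:
        raise ValueError(f"not a ClientHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length does not match payload")
    cv_major, cv_minor = hello[0], hello[1]
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": version_name(rec_major, rec_minor),
        "client_version": version_name(cv_major, cv_minor),
        "cipher_suites": suites,
    }


def build_client_hello(record_version: bytes, client_version: bytes,
                       suites: List[int]) -> bytes:
    """Build a minimal ClientHello record (no extensions) for the demo."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (client_version + b"\x00" * 32          # version, random
             + b"\x00"                              # empty session_id
             + struct.pack("!H", len(cs)) + cs      # cipher_suites
             + b"\x01\x00"                          # compression: null only
             + b"\x00\x00")                         # no extensions
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + record_version + struct.pack("!H", len(hs)) + hs


# Constructed: record layer says TLS 1.0, the ClientHello itself offers TLS 1.2.
SAMPLE = build_client_hello(b"\x03\x01", b"\x03\x03", [0xC02F, 0x009C, 0x002F])

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

    Feed it the bytes of the ClientHello record from a capture (for example the TCP payload exported from the analyzer); if client_version is TLSv1.2 the client did offer 1.2, and the real negotiated version is in the server's ServerHello, not in the record header of the ClientHello.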

  • PEAP authentication with Cisco ACS 5.3 and Lotus Notes DB

    Hello

    I want to authenticate wireless clients against the usernames/passwords stored in a Lotus Notes database.

    Network: PEAP SSID -> Access point -> WLAN controller 4404 -> ACS 5.3 -> Notes DB

    Is this possible?

    I can connect to the LDAP attributes and groups and query them, but when I try to authenticate a user, I always get an error "object not found in the identity store".

    Bind test succeeds (> 100 groups and > 100 subjects.)

    EAP-MSCHAPv2 is not supported with LDAP by ACS

    You can use EAP-GTC

    You need a supplicant that supports PEAP (EAP-GTC)

    such as ADU, Intel ProSet, CSSC, Cisco AnyConnect,... you can google for a list of supplicants

    Open a new thread for the Apple case

    ------------------------------------------------------------------

    Be sure to rate correct answers and mark this thread as answered

  • ACS - ASA authorization and accounting

    Hello

    I have a few questions about authorization and accounting on the ASA via an ACS server

    1. When I enable the command 'aaa authorization command' for SSH users' commands I get locked out on the console, then I have to configure the console and telnet to be authenticated via TACACS+ too. Is it possible to authorize SSH via TACACS+ while keeping the console and telnet authenticated locally, or even with no authentication?
    2. I enabled 'aaa accounting command TAC' on the ASA, but I noticed that ACS only records configuration-mode commands, 'privilege 15', not show commands or privilege 1. Is it possible to fix this?
    3. Does RADIUS support shell authorization?

    Thank you for your support

    1.] Unfortunately, it is currently not possible to exclude serial/console or ssh users from command authorization while having it apply to other access methods in the case of the ASA. Once you run this command, it applies to all methods such as ssh, telnet, http, enable and console. This can be easily achieved on IOS (routers and switches) by creating a method list.

    2.] When configuring the aaa accounting command, each command other than show commands entered by an administrator is recorded and sent to the accounting server(s). This is the default behavior on the ASA. IOS does send show commands to ACS/TACACS+.

    http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A1.html

    Kind regards

    Jousset

    - Please rate helpful posts -

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users using a VPN 3000 concentrator.

    I added the VPN 3000 on ACS and added ACS on the VPN group as an authentication server with a shared secret. When I do a test on the authentication server using the local account that I created on ACS, it comes back as no response received from the server, although I can see the RADIUS Auth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What is the report on ACS?

    "RADIUS Auth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • Domain trust with ACS 5.3 and AD

    Hello, I'm having this problem:

    I have 2 AD domains in 2 different forests (e.g. domain1.com and domain2.com) and they have been configured to trust each other (two-way).

    In the AD environment, it works fine.

    The problem is that ACS, which is integrated with domain1.com, can't see the groups of the other domain, domain2.com.

    If I search for them under Directory Groups they don't appear, and if I enter them manually in the Group Name (with the domain2.com/Users/GroupX syntax) and then add them with the Add button, I can add them and use them in the policies, but they don't work (I get an error and nothing is authenticated).

    I'm using ACS version 5.3.0.40.5 and Windows 2003 Server Enterprise Edition.

    I've read this post

    https://supportforums.Cisco.com/thread/2064843

    but I couldn't get it to work.

    If anyone knows how I can get this working I will really appreciate it.

    Thanks in advance.

    Kind regards.

    I would like to know if there is anything else I can help you with and how everything is going.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the appliance from 5.0 to 5.1 with all your support

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the RSA ACE Server config file and exported it to the ACS 1120.

    I also added ACS as a NetOS Agent in the RSA server; during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any secret key file for communication between ACS and RSA, and the encryption I used is FOR.

    Now, when I log into ACS and look for the devices in the identity store sequences, I am not able to get the RSA Token Server.

    Let me know what went wrong, where I can fix it, and also please tell me what the communication between the RSA and ACS is?

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing submit, what happened? Was the RSA instance created OK?

    If you go to

    Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

  • ACS 5.1 and AD integration

    I just installed ACS 5.1 as a virtual machine instance to provide TACACS+ AAA. So far, things are working properly with local authentication and now I want my users to authenticate via AD. Looking at the user guide at page 8-39, it looks like I need to create an AD identity store and join the ACS server to the domain. Is this correct? And is the AD username/password required a one-time thing to join the ACS server to the domain, or does a special account need to be established for the AD server?

    Thank you!

    Bob

    Yes, that's correct.

    Join the ACS to an AD domain
    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140906

    ACS 5.1 must be configured with a valid NTP server for time synchronization, preferably the one from which the domain controller gets its time. The other requirement is a valid DNS server that can resolve internal names.

    Both of them are configured in the CLI:
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003

    ip name-server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1729536

    ntp server
    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_app_a.html#wp1013780

    And yes, the admin username and password you use would be a one-time thing. It can be an existing admin account; just make sure the admin credentials you use for ACS to integrate with AD have privileges to add the computer to the domain.

    We would never recommend deleting the admin account after integrating ACS with AD.

    HTH

    JK

    - Please rate helpful posts -


  • MAB with ACS (internal store) and 802.1X with Active Directory (external store)

    Hello

    At the moment we're using ACS for MAB. Every MAC is stored as an internal host on ACS. I want to migrate to 802.1X.

    Users are in AD. During the migration I need MAB and 802.1X. Is it possible to use the internal and external databases at the same time in the

    same access policy?

    Regards

    Horst

    Hello Horst-

    Yes, you can do this by creating an identity store sequence and attaching both AD and the internal data store to it. Take a look at the link below:

    https://supportforums.Cisco.com/document/103901/ACS-5x-identity-store-sequence

    Thank you for rating helpful posts!

  • ACS 4.2 and Active Directory

    I'm setting up our new ACS 4.2 server. This is version 4.2 Build 124, running on a Windows 2003 server. I'm having some trouble with the enumeration of groups and may just be missing something. We have 7 different domains, and I can only list the groups of one of them. We do not run ACS on one of our domain controllers, but the server is a member of the domain. I even added a service account that is a domain administrator and the services run as that account, but I still cannot enumerate groups. Any help would be greatly appreciated.

    Hello

    I know that you have a domain administrator account running the ACS services. But I'd like you to go through the steps listed below again.

    ------------------------------------------

    - You should have a user on AD.
    - To make it difficult to hack, give it a very complicated, long password.
    - Make the user a member of the Domain Admins group.
    - Make the user a member of the Administrators group.
    - Make the user a member of the Enterprise Admins group.

    On the Windows 2000/2003 server running ACS:

    - Add the new user to the appropriate local group.
    - Open "Administrative Tools" in the Control Panel.
    - Open "Computer Management".
    - Open "Local Users and Groups" and then "Groups".
    - Double-click the "Administrators" group.
    - Click "Add".
    - Choose the domain in the "Look in" box.
    - Double-click the user created above to add it.
    - Click OK.

    - Give special rights to the new user on the ACS server.
    - Open "Administrative Tools" in the Control Panel.
    - Open "Local Security Policy".
    - Open "Local Policies".
    - Open "User Rights Assignment".
    - Double-click "Act as part of the operating system".
    - Click "Add".
    - Choose the domain in the "Look in" box.
    - Double-click the user created above to add it.
    - Click OK.
    - Double-click "Log on as a service".
    - Click "Add".
    - Choose the domain in the "Look in" box.
    - Double-click the user created above to add it.
    - Click OK.

    - Set the ACS services to run as the user created.
    - Open "Administrative Tools" in the Control Panel.
    - Open "Services".
    - Double-click the CSADMIN entry.
    - Click the "Log On" tab.
    - Click "This account", and then the "Browse" button.
    - Choose the domain, then double-click the user created previously.
    - Click "OK".
    - Repeat for the rest of the CS services.
    - Wait for Windows to apply the security policy changes, or restart the server.
    - If you restarted the server, skip the rest of these instructions.
    - Stop and then start the CSADMIN service.
    - Open the ACS GUI.
    - Click System Configuration.
    - Click Service Control.
    - Click "Restart".

    Note: If the domain security policy is set to override the settings for the "Act as part of the operating system" and "Log on as a service" rights, the user rights changes listed above will also need to be made there.

    If you are logging on to several domains, a full two-way trust must exist between the domains, the user (ACS account) must be created and given the high access in each domain to be queried, and the FULL domain name of each domain must be listed as a DNS suffix in the IP address properties of the server on which ACS is installed (restart the netlogon service after adding the FULL domain name).

    HTH

    JK

    - Please rate helpful posts -
