ACS 4.0 Local firewall devices
All,
I just read a message titled "ACS 4.0 firewall" in which the poster talked about opening ports 2004 to 5000 to reach the ACS server that is behind the firewall. My question is whether this same range of ports applies if you try to access and authenticate to a device that is behind a firewall. When I try to access one of my devices located behind the firewall I can't authenticate via ACS, so I find myself using the local username and password. Can someone tell me what ports I need to open on the firewall to allow the authentication to get back to the ACS server? Thank you
Hello
TACACS+ authentication between network devices and the AAA server runs on TCP 49. The 2004-5000 port range applies only if you need to reach the ACS server itself (for management) from the outside / internet. In your case, if you want to access your devices behind the firewall from an external network, what you need is to map your internal devices to public IP addresses and open the port of the desired service, for example SSH (TCP 22), in the ACL on your firewall's outside interface to allow incoming access.
For your internal devices, you must have the appropriate AAA configuration pointing to ACS (e.g. TACACS+). In your ACS, define these devices as AAA clients with the appropriate IP address and shared secret key, using TACACS+.
Before testing SSH access from the internet/external network, test your SSH access locally. It must succeed in getting AAA to authenticate your SSH connection request.
I hope this helps.
Rgds,
AK
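The device-side configuration AK describes, as an added example that is not part of the original posts: an IOS device behind the firewall authenticating to ACS over TACACS+ with local fallback, plus the one firewall rule that AAA actually needs. The addresses (ACS 10.1.2.3, device 10.1.50.10), the interface names and the shared key are assumptions.

```cisco
! Added example (not from the original posts). Assumed: ACS at 10.1.2.3,
! device Loopback0 at 10.1.50.10, firewall interface names "inside"/"servers".
aaa new-model
tacacs-server host 10.1.2.3 single-connection
tacacs-server key SHARED-SECRET
! The source address must match the AAA client entry in ACS, otherwise ACS
! silently drops the request and the device falls back to the local user.
ip tacacs source-interface Loopback0
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
!
! Firewall rule (ASA syntax) between the device segment and the ACS segment.
! Only TCP/49 from the device to ACS is required for TACACS+ authentication;
! the 2004-5000 range is for the ACS admin GUI, not for device AAA.
! The ACL below covers AAA only; add the segment's other traffic before applying it.
access-list DEVICES-TO-ACS extended permit tcp host 10.1.50.10 host 10.1.2.3 eq 49
access-group DEVICES-TO-ACS in interface inside
!
! Verify from the device before opening SSH from outside (IOS exec command):
! test aaa group tacacs+ admin PASSWORD legacy
```

If the test command fails while the ACS logs show no attempt, the request never reached ACS (firewall or source address); if ACS logs a failed attempt, the problem is the key or the AAA client definition.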
Tags: Cisco Security
Similar Questions
-
ACS read only access to devices
We are using ACS ver 4.2 and are trying to set up users with limited access to our switches and routers. Here's what we did:
(1) created a user in ACS
(2) created a Shell Command Authorization Set "ReadOnly":
Unmatched commands - deny
Commands added:
show
exit
* This should limit the user to show commands and exit only (correct)?
(3) created a group "support" with the following TACACS+ settings:
Shell (exec) is checked
Privilege level is checked, with 15 as the assigned level
Assign a Shell Command Authorization Set for any network device - selected
ReadOnly - the current shell command authorization set
When the user connects to the router/switch, it seems that he has full access. He can enter enable and the configure terminal command. All we want him to be able to do is issue show commands.
Any help would be appreciated.
Please refer to this document
and compare the config. As you said, the ACS config looks OK; on the switch/router you must also have the following commands:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
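A complete device-side configuration that makes the ACS shell command set effective, as an added example and not the poster's or responder's own config. The ACS address and key are assumed. The point the thread turns on: ACS assigns privilege 15, and unless the router is told to authorize each command, privilege 15 simply means every command is allowed locally.

```cisco
! Added example (not from the original posts). Assumed: ACS at 10.1.2.3.
aaa new-model
tacacs-server host 10.1.2.3
tacacs-server key SHARED-SECRET
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
! Ask ACS before executing any command, at every privilege level in use.
! Without these lines the "ReadOnly" set in ACS is never consulted.
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Also authorize commands entered inside configuration mode.
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
!
! Check as the read-only user:
!   show running-config     -> permitted by the "show" entry in the set
!   configure terminal      -> "Command authorization failed"
```

Caveat: the trailing "local" method is a fallback for when ACS is unreachable; in that state the only restriction left is the user's privilege level, so a privilege-15 user regains full access until ACS is back.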
-
found wireless local access device has no fa internet access
Hello friends, please help. I have a Sony LED TV model KDL-32EX520, Wi-Fi ready. I bought a UWA-BR100 for Wi-Fi; it detects my Wi-Fi but it says:
found wireless device
local access failed
Internet access failed
Please help me!
Thank you for your post and welcome to the forums.
Please click on the link and follow the troubleshooting steps:
-
TACACS+ does not work on the firewall device
Hello
I am trying to add configuration on the command line for a Cisco 5585 firewall so that I can connect via TACACS+ and only fall back to the local password if necessary. The local password works OK but the TACACS+ account does not.
svrCiscoACS is my RADIUS server on the company network (10.1.2.3)
aaa-server acs2_3 protocol radius
 accounting-mode simultaneous
aaa-server acs2_3 (inside) host svrCiscoACS
 key PASS
aaa-server acs2 protocol radius
 accounting-mode simultaneous
aaa-server acs2 (inside) host svrCiscoACS
 key PASS
user-identity default-domain LOCAL
aaa authentication enable console LOCAL acs2_3
aaa authentication http console acs2_3
aaa authentication ssh console LOCAL acs2_3
aaa authentication serial console LOCAL acs2_3
I don't know what you've tried, but the ASA config for TACACS+ looks like the following:
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 10.1.2.3
 key YOUR-SHARED-KEY
!
aaa authentication ssh console TAC LOCAL
aaa authentication http console TAC LOCAL
-
Alternative to ip local pool with ACS 5
Hello
We have the problem with ACS 5.3 that local IP pools are no longer supported. Until now we had ACS 4.2, where the PPPoE configuration below worked (the pool was configured dynamically in the user or group attributes of ACS 4.2). Now we would like to use a local DHCP pool (pool INTERNET) for some of the PPPoE clients, but at the same time we have a few customers who should have a static IP address (managed via Framed-IP-Address).
Now we have the problem that the DHCP pool is not used for dynamic PPPoE clients. Can anyone help?
aaa authentication ppp ADSL group radius local
aaa authorization network ADSL group radius local if-authenticated
aaa accounting network ADSL start-stop group radius
aaa accounting system default start-stop group tacacs+
!
ip dhcp pool INTERNET                                   ! new
 import all
 network 192.168.1.0 255.255.255.0
 domain-name .ch
!
ip vrf ADSL-INTERNET
 rd 65500:101
 route-target export 65500:101
 route-target import 65500:101
!
interface Loopback3
 ip vrf forwarding ADSL-INTERNET
 ip address 10.10.10.10 255.255.255.255
!
interface Virtual-Template1
 description template for incoming PPPoE sessions
 mtu 1492
 ip unnumbered Loopback3
 no peer default ip address                             ! old
 ! peer default ip address dhcp-pool INTERNET           ! new
 keepalive 5
 ppp mtu adaptive
 ppp authentication chap ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
! ip local pool INTERNET 83.144.249.1 83.144.249.254 group ADSL   ! old
Thanks a lot and best regards
Dominic
Hi Dominic
As we have already tested together in the lab, the following RADIUS attribute works for you; with it you can keep using the "ip local pool" on the router:
Attribute: cisco-av-pair
Value: ip:addr-pool=TEST
Best regards
Heiko
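The router side of the arrangement Heiko describes, as an added example and not configuration from the original posts: the pool stays on the router, and ACS 5.x only names it through the cisco-av-pair attribute. The pool name TEST, the address range, the RADIUS server address and the key are assumptions.

```cisco
! Added example (not from the original posts). Assumed: ACS 5.x RADIUS at 10.1.2.3.
aaa new-model
aaa group server radius ADSL
 server 10.1.2.3 auth-port 1812 acct-port 1813
aaa authentication ppp ADSL group ADSL local
aaa authorization network ADSL group ADSL if-authenticated
radius-server host 10.1.2.3 key SHARED-SECRET
!
! The pool is defined locally; ACS no longer carries pool definitions.
ip local pool TEST 83.144.249.1 83.144.249.254
!
interface Virtual-Template1
 ip unnumbered Loopback3
 ppp authentication chap ADSL
 ppp authorization ADSL
!
! ACS 5.x authorization profile for the dynamic PPPoE clients (RADIUS attribute):
!   cisco-av-pair = "ip:addr-pool=TEST"
! Clients that need a fixed address get Framed-IP-Address = <their address>
! in their own profile; a per-user Framed-IP-Address is used instead of the pool
! for that session, so both kinds of customer can share the same template.
```

Check with "show ip local pool TEST" after a dynamic client connects: the address should appear as in use for that user, while the static client's session shows its Framed-IP-Address in "show users" or "show caller ip".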
-
ESX Server guests and Local USB devices
Is it possible with ESX Server 3.5 to connect to a guest operating system and load a USB device such as a card reader connected to your laptop remotely? If so, how?
Is there a driver that can be installed for smart card readers, biometric readers, etc.?
To summarize: how does ESX allow a remote user to plug in a USB device locally and have ESX assign it to the desired VMware instance?
Thank you and sorry to be so green!
Green is in fashion now Kyle - get with the program!
MNANCE152 - does this not sound viable, or do you think you will have to take another route? I'd be interested to hear what you come up with in the end, if you don't mind posting it here.
Good luck!
-
Is it possible to ping local IP addresses on different VLANs / subnets connected to the LAN ports, for example 192.168.0.5, from the web interface of the FVS336Gv2 when you're connected remotely? This would be very useful for troubleshooting the local LAN if for any reason a LAN device has become unreachable. I know that a WAN ping is possible through WAN ports 1 and 2.
I don't see the "Accepted Solution" button anywhere on this forum; where is it?
-
Very annoying local firewall alert detecting an unauthorized parent request
Firewall alert: "detected an unauthorized parent request". I block and remove it; the notice from our firewall protection says the Search Protocol Host exe application is the parent of a process that is communicating, and asks whether I want it to be an authorized parent. It keeps appearing several times every time I connect to the internet, even though I tick "do not show me this alert again".
Hello
First I suggest you disable any security program on your computer and check whether that solves the problem.
After checking, you must reactivate the security program on your computer.
Also turn off UAC and check if the problem persists.
1. open Control Panel.
2. under User Accounts and Family Safety, click "Add or remove user accounts".
3. click on one of the user accounts, for example, you can use the guest account.
4. in the user account, click the link "Go to the main User Accounts page".
5. under "Make changes to your user account", click on the link "change security settings".
6. under "Turn User Account Control (UAC) on or off to make your computer more secure", click to deselect "Use User Account Control (UAC) to help protect your computer". Click the OK button.
7. you will be asked to restart your computer. Do so when you're ready.
WARNING: User Account Control (UAC) can help prevent unauthorized changes to your computer. It works by asking for permission when a task requires administrative rights, such as installing software or changing settings that affect other users. We do not recommend disabling User Account Control. If you turn it off, you should reactivate it as soon as possible.
I suggest you try an online virus scan to remove any infections, as appropriate.
Follow the link below to start the free online scan:
http://OneCare.live.com/site/en-us/default.htm
The following thread discusses the removal of viruses and malware online:
http://social.answers.Microsoft.com/forums/en-us/vistasecurity/thread/ba80504b-61f1-4D71-960f-b561798b7b42
Thank you, and regards,
I. Suuresh Kumar - Microsoft Support.
Visit our Microsoft Answers Feedback Forum and let us know what you think.
-
I just realized... I can't save a PDF from Safari or from e-mail on my iPad...
I open it... but when I tap 'My Documents' and try to go back and rename the files... nothing happens...
the file I opened is not on my local device... I can't find it...
What's going on? Help me please...
thx a lot
Hello
This particular compatibility problem iOS 9 has been fixed in Adobe Reader for iOS version 15.1.0 (released August 11, 2015).
PDF documents opened from other applications (Mail, Safari) via the "Open In" function should now appear in the 'Local' and 'Recent' sections.
Please try it and let us know if you find other problems with iOS 9 beta.
Thank you very much for your help!
-
For days now, I have tried every trick in the book simply to upload a web page from DW CC. I get this error no matter what I do. I asked the server administrator to check. GoLive CS2 works perfectly with the same FTP server details. But I wanted to move to CC... It seems the problem and this error message are well known; there are lots of in-depth discussions. With so many variables and so many "simple" solutions, it seems a matter of luck whether it works or not, simply to upload your page.
There are two different issues:
- Dreamweaver cannot connect to your site by FTP, but FileZilla can.
- Pages uploaded by FileZilla are not displayed.
Assuming the files uploaded by FileZilla are in the correct root folder, the second issue is the result of your domain name not being properly propagated via the DNS servers. It could also have an impact on the first issue (Dreamweaver cannot connect because it can't find the correct server).
You should contact your hosting company and Network Solutions (where you registered the domain name) to ensure that the correct name servers have been set up for oyafilm.com. Until this issue is resolved, it is impossible to untangle why Dreamweaver cannot connect.
-
ACS 5.3 should consult the local database only if AD is inaccessible
Dear support team
We have ACS 5.x integrated with AD, and members are authenticated using an AD user name or a local user name configured on ACS.
Is it possible for ACS to check the local database only when AD is unreachable? The customer doesn't want the local ACS database to be used as long as AD is available. It's an accounting requirement of their department's system.
Thanks in advance for your time.
Ahad
You're right about everything except the last part: Device Admin 1 and 2 are "selection rules", so requests are mapped according to their conditions. If an authentication request matches the Device Admin 1 rule, ACS will stay with that service regardless of whether or not the DB is down; ACS will not fall back to Device Admin 2.
The only option to use a second database when the primary is down is an identity store sequence, but that option will also use the second database when the primary DB is unable to find the user.
Unfortunately, there is not an option at the moment to accomplish this objective with the specific detail you need.
Rate if this helps.
-
How can I put all of our MacBooks' iPhoto libraries into a single library on a local external device, to give all of us access and eliminate our cameras?
An iPhoto library is a single-user library. If you try to open it from different user accounts, you will have problems with file ownership.
For iPhoto libraries the workaround is to move the library to an external drive where the "Ignore ownership on this volume" flag is on. The procedure is explained in this document: iPhoto: sharing libraries among multiple users - Apple Support
-
Windows ACS 3.0 database to ACS 3.3.2.2 appliance
I have ACS 3.0 for Windows and bought 2 ACS appliances to replace the Windows ACS. Is it possible to load the Windows ACS 3.0 config onto the ACS 3.3.2.2 appliance?
Yes. Back up the ACS 3.0 configuration, copy the file to an FTP server and restore it on the appliance.
If the restore fails, you may need to upgrade to ACS 3.3 so that you can back up and restore.
-
unidentified network - local access only
Hi, so I have this old Sony Vaio, four years old. I used a wired internet connection for the past four years, until we moved house and got a wireless router. Our friend connected it for me and everything worked well, until I had to format the system. I tried the troubleshooting and looked through various forums, but nothing helps; like many, I don't know what to do. I reset the router and it works fine on my mom's netbook, but on the Vaio it says "unidentified network - local access only". Just to add, it runs Windows Vista Home Premium.
Hi Zuzanna Feliszek,
Method 1: You can follow the steps in the link below to recover from Winsock2 corruption:
How to determine and recover from Winsock2 corruption in Windows Server 2003, Windows XP and Windows Vista
http://support.Microsoft.com/kb/811259
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see the article in the Microsoft Knowledge Base:
How to back up and restore the registry in Windows
Method 2: You can follow the steps described in the article below, which deals with a similar issue: Network connectivity fails when you try to use Windows Vista behind a firewall device
http://support.Microsoft.com/kb/934430
Method 3: Download and install all available Windows Updates (Service Pack (SP) 1 and 2)
http://Windows.Microsoft.com/en-us/Windows-Vista/install-Windows-updates
-
ACS any Version with Windows Server 2008 R2 64-bit domain controller
Hi all
Is there any version of ACS is currently working with Windows Server 2008 R2 domain controllers?
Our server team recently upgraded the domain controllers to 2008 R2 and turned off the 2003 servers. This did not make our ACS 4.1.4 very happy.
I have now read several messages about problems with ACS and Server 2008 R2 and hope to find a solution (other than switching to LDAP, yuck).
Thank you
Pato
ACS currently cannot be installed on a server running Windows 2008 R2.
As an alternative, you can install ACS on a member server. ACS authentication uses the local machine net API, and authentication against a 2008 R2 domain will work. The Remote Agent can also be installed on a 2008 R2 server if you use appliances.
If you install ACS on a member server instead, here is how to configure the services to authenticate properly with the domain:
-Jesse