ACS 4.0 Local firewall devices

All,

I just read a message labeled "ACS 4.0 firewall" in which the poster talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is: does this same range of ports apply if you try to access and authenticate on a device that is behind a firewall? When I try to access one of my devices located behind the firewall I can't authenticate via the ACS, so I find myself using the local username and password. Can someone tell me which ports I need to open on the firewall to allow the authentication to return to the ACS server? Thank you

Hello

The TACACS+ authentication service between network devices and the AAA server runs on TCP 49. The 2004-5000 port range applies only if you need to access the ACS server itself (for management purposes) from the outside / internet. In your case, if you want to access your devices behind the firewall from an external network, what you need is to map your internal devices to public IPs and open the port of the desired service, for example SSH (tcp 22), in the ACL on your firewall's outside interface to allow incoming access.

For your internal devices, you must have the appropriate AAA configuration pointing to ACS (e.g. TACACS+). In your ACS, set these devices up as AAA clients with the appropriate IP address and secret key, using TACACS+.

Before testing SSH access from the internet/external network, test your SSH access locally. That must succeed, i.e. AAA must authenticate your SSH connection request.

http://www.Cisco.com/en/us/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html

I hope this helps.

Rgds,

AK
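As an added example (not part of AK's reply or of any Cisco document), here is what the two halves of that setup look like in configuration: a router behind the firewall whose AAA method lists point at ACS over TACACS+ with local fallback, and the firewall rule that permits only TCP/49 from that router to the ACS server. The addresses 192.0.2.10 (ACS) and 192.0.2.20 (router loopback), the server/group/object names, the interface nameif and both secrets are placeholders chosen for this example.

```text
! --- Router/switch behind the firewall (IOS) ---
! All names, addresses and keys below are placeholders, not values from the thread.
aaa new-model
!
tacacs server ACS-PRIMARY
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ACS-GROUP
 server name ACS-PRIMARY
!
! Source AAA traffic from a fixed address: this is the address the
! firewall rule and the AAA-client entry in ACS must both match.
ip tacacs source-interface Loopback0
!
! Try ACS first; fall back to the local user database only when no
! TACACS+ server answers (an explicit reject from ACS does not fall back).
aaa authentication login default group ACS-GROUP local
aaa authentication enable default group ACS-GROUP enable
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
username fallback-admin privilege 15 secret REPLACE-WITH-LOCAL-SECRET
!
line vty 0 4
 transport input ssh
 login authentication default

! --- Firewall between the device and ACS (ASA) ---
! Only the router's loopback may reach ACS, and only on TCP/49 ("tacacs").
! "devices" is a placeholder nameif for the interface facing the routers.
object network ACS-SERVER
 host 192.0.2.10
object network DEVICE-LOOPBACK
 host 192.0.2.20
access-list DEVICES-IN extended permit tcp object DEVICE-LOOPBACK object ACS-SERVER eq tacacs
access-list DEVICES-IN extended deny ip any any log
access-group DEVICES-IN in interface devices
```

The TCP/49 session is always initiated by the device toward ACS, so on a stateful firewall the replies are allowed by the connection state and no reverse rule is needed; the 2004-5000 range stays closed. A quick check from the router is `test aaa group ACS-GROUP <user> <password> legacy`: a "User rejected" answer means the path is open and ACS answered, while a timeout points at the firewall, the source interface, or a missing AAA-client entry in ACS.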

Tags: Cisco Security

Similar Questions

  • ACS read only access to devices

We are using ACS ver 4.2 and trying to set up users with limited access to our switches and routers.  Here's what we did:

(1) created a user in ACS

(2) created a Shell Command Authorization Set - ReadOnly

Unmatched commands - deny

Commands added:

show

exit

* This should limit the user to show and exit commands only (correct)?

(3) created a group - support - with the following TACACS+ parameters:

Shell (exec) is checked

Privilege level is checked, with 15 as the assigned level

Assign a Shell Command Authorization Set for any network device - selected

ReadOnly - selected as the shell command authorization set

When the user connects to the router/switch, it seems that he has full access.  He can enter the enable and configure terminal commands.  All we want him to be able to do is issue show commands.

    Any help would be appreciated.

    Please refer to this document

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

and compare the config. As you say, the ACS config looks OK; on the switch/router you must also configure the following commands:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

  • found wireless device, local access failed, no internet access

    Hello friends, please help. I have a Sony LED TV model KDL-32EX520 which is WiFi ready; I bought a UWA-BR100 for WiFi. It detects my WiFi but it says:

    found wireless device
    local access failed
    Internet access failed

    Pls help me pls!

    Thank you for your post and welcome to the forums.

    Please click on the link and follow the troubleshooting steps:

    https://us.en.KB.Sony.com/app/answers/detail/A_ID/32464

  • TACACS+ does not work on the firewall device

    Hello

I am trying to add config for a Cisco 5585 firewall on the command line so I can connect via TACACS+ and only fall back to the local password if necessary.  The local password works ok, but the TACACS+ account does not.

svrCiscoACS is my RADIUS server on the company network (10.1.2.3)

aaa-server acs2_3 protocol radius
 accounting-mode simultaneous
aaa-server acs2_3 (inside) host svrCiscoACS
 key PASS
aaa-server acs2 protocol radius
 accounting-mode simultaneous
aaa-server acs2 (inside) host svrCiscoACS
 key PASS

user-identity default-domain LOCAL

aaa authentication enable console LOCAL acs2_3
aaa authentication http console acs2_3
aaa authentication ssh console LOCAL acs2_3
aaa authentication serial console LOCAL acs2_3

I don't know what you've tried, but the ASA config for TACACS+ looks like the following:

aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 10.1.2.3
 key YOUR-SHARED-KEY
!
aaa authentication ssh console TAC LOCAL
aaa authentication http console TAC LOCAL

  • Alternative ACS 5 ip local pool

    Hello

We have the problem with ACS 5.3 that local IP pools are no longer supported. Until now we had ACS 4.2, where the PPPoE configuration below worked (the pool was configured dynamically in the user or group attributes of ACS 4.2). Now we would like to use a local DHCP pool (pool INTERNET) for some of the PPPoE clients, but at the same time we have a few customers who should have a static IP address (managed by an IP address box).

Now we have the problem that the DHCP pool is not used for dynamic PPPoE clients. Can anyone help?

aaa authentication ppp ADSL group radius local
aaa authorization network ADSL group radius if-authenticated local
aaa accounting network ADSL start-stop group radius
aaa accounting system default start-stop group tacacs+
!
! new
ip dhcp pool INTERNET
 import all
 network 192.168.1.0 255.255.255.0
 domain-name <domain>.ch
!
! (VRF name shown with a space in the post; a hyphen is assumed here)
ip vrf ADSL-INTERNET
 rd 65500:101
 route-target export 65500:101
 route-target import 65500:101
!
interface Loopback3
 ip vrf forwarding ADSL-INTERNET
 ip address 10.10.10.10 255.255.255.255
!
interface Virtual-Template1
 description Template for incoming PPPoE sessions
 mtu 1492
 ip unnumbered Loopback3
 ! old
 no peer default ip address
 ! new
 ! peer default ip address dhcp-pool INTERNET
 keepalive 5
 ppp mtu adaptive
 ppp authentication chap ADSL
 ppp authorization ADSL
 ppp accounting ADSL
!
! old
! ip local pool INTERNET 83.144.249.1 83.144.249.254 group ADSL

    Thanks a lot and best regards

    Dominic

    Hi Dominic

As we have already tested together in the lab, the following RADIUS attribute works for you, so you can still use the "ip local pool" on the router:

    Attribute: cisco-av-pair

Value: ip:addr-pool=TEST

    Best regards

    Heiko

  • ESX Server guests and Local USB devices

Is it possible with ESX Server 3.5 to connect to a guest operating system and load a USB device, such as a card reader connected to your laptop, remotely?  If so, how?

Is there a device that can be installed for smart card readers, biometric readers, etc.?

To summarize: how does ESX allow a remote user to plug in a USB device locally and have ESX assign it to the desired VMware instance?

    Thank you and sorry to be so green!

    Green is in fashion now Kyle - get with the program!

MNANCE152 - does this sound viable, or do you think you will have to take another route?  I'd be interested to hear what you come up with in the end, if you don't mind posting it here.

    Good luck!

  • Ping local IP devices

Is it possible to ping connected local IP addresses on different VLANs / subnets connected to the LAN ports, for example (192.168.0.5), from the web interface of the FVS336Gv2 when you're connected remotely? This would be very useful for troubleshooting the local LAN if for any reason a LAN peripheral has become unreachable. I know that the ping command is possible on the WAN side through WAN ports 1 and 2.

I don't see the "Accepted Solution" button anywhere on this forum; where is it?

  • Very annoying local firewall alert detecting an unauthorized parent request

    Firewall alert: detected an unauthorized parent request. I block and remove it. The notice from our firewall protection says: search protocol host exe application is the parent of a process that is communicating. Do you want it to be an authorized parent? It continues to appear several times, every time I connect to the internet, even though I tick the box not to show me this alert again.

    Hello

First I suggest you disable any security program on your computer and check if that solves the problem.

After checking, you must reactivate the security program on your computer.

    Also turn off UAC and check if the problem persists.

    1. open Control Panel.
    2. under the user account and family settings click on the "add user account / remove."
    3. click on one of the user accounts, for example, you can use the guest account.
    4. in the user account, click on the link "go to the main page of the user account.
    5. under "Make changes to your user account", click on the link "change security settings".
6. in the "Turn User Account Control (UAC) on or off to make your computer more secure" window, click to deselect "Use User Account Control (UAC) to help protect your computer". Click the OK button.
    7. you will be asked to restart your computer. Do when you're ready.

    WARNING
: User Account Control (UAC) can help prevent unauthorized changes to your computer. It works by asking for permission when a task requires administrative rights, such as installing software or changing settings that affect other users. We do not recommend disabling User Account Control. If you turn it off, you must reactivate it as soon as possible.
     
    I suggest you try a Virus scan online to remove all infections, as appropriate.
     
    Follow the link below to start the free online scan:
    http://OneCare.live.com/site/en-us/default.htm
     
    The following thread discusses the removal of viruses and malware online:
    http://social.answers.Microsoft.com/forums/en-us/vistasecurity/thread/ba80504b-61f1-4D71-960f-b561798b7b42

Thanks and regards,
I. Suresh Kumar - Microsoft Support.
Visit our Microsoft Answers Feedback Forum and let us know what you think.

  • How can I save a pdf file on my local mobile device without using iTunes? [iOS 9 Beta]

I just know... I can't save a PDF from Safari or from e-mail to my iPad...

I open it... But when I tap 'my documents' and try to go back and rename the files... nothing happens...

The file I opened is not on my local device... I cannot find it...

What is going on?  Help me pls...

    thx a lot

    Hello

    This particular compatibility problem iOS 9 has been fixed in Adobe Reader for iOS version 15.1.0 (released August 11, 2015).

    Open PDF documents from other applications (Mail, Safari) via the function "open in" should now appear in the sections 'Local' and 'Recent '.

    Please try it and let us know if you find other problems with iOS 9 beta.

    Thank you very much for your help!

  • An FTP error occurred - cannot connect to the host. Maximum number of users reached or not authorized to make the connection because of local firewall blocks FTP data

For days now, I have tried every trick in the book simply to upload a web page from DW CC. I get this error no matter what I do. I asked the server administrator to check. GoLive CS2 works perfectly with the same FTP server information. But I wanted to move to CC... It seems this problem and this error message are well known; there are lots of in-depth discussions. With so many variables and so many simple solutions, it seems a matter of luck whether it works or not, simply to upload your page.

    There are two different questions:

1. Dreamweaver cannot connect to your site by FTP, but FileZilla can.
2. Pages uploaded by FileZilla are not displayed.

Assuming that the files uploaded by FileZilla are in the correct root folder, the second issue is the result of your domain name not being properly propagated via the DNS servers. It could also have an impact on the first issue (Dreamweaver cannot connect because it can't find the correct server).

You should contact your hosting company and Network Solutions (where you registered the domain name) to ensure that the correct name servers have propagated for oyafilm.com. Until this issue is resolved, it is impossible to untangle why Dreamweaver cannot connect.

  • ACS 5.3 should consider a local database, if the ad is inaccessible

    Dear support team

We have ACS 5.x, integrated with AD, and users are authenticated using either an AD user name or a local user name configured on ACS.

Is it possible for ACS to check the local database only when AD is unreachable? The customer doesn't want the local ACS database to be used as long as AD is available. It's an accounting requirement of their department system.

    Thanks in advance for your time.

    Ahad

You're right about everything except the last part. Device Admin 1 and 2 are "selection rules", so they'll be matched according to their conditions; if the authentication request matches the rule for Device Admin 1 then ACS will stay with this service regardless of whether or not the DB is down. ACS will not fall back to Device Admin 2.

    The only option to use a second database where the primary is down is with identity store sequence, but this option will also use the second database if the primary DB is unable to find the user.

    Unfortunately, there is not an option at the moment to accomplish this objective with specific detail you need.

    Rate if this can help.

  • Two of us have MacBooks and iPhones and want to share a library on local hardware. We want to get the photos off our devices to save memory. Recommendations on how?

    How can I put all the libraries from the MacBooks and iPhotos into a single library on a local, external device to give us both access and clear our cameras?

    An iPhoto library is a single-user library. If you try to open it from different user accounts, you will have problems with file ownership.

    For iPhoto libraries the workaround is to move the library to an external drive where the "Ignore ownership on this volume" flag is on.  The procedure is explained in this document, see the link: iPhoto: sharing libraries among multiple users - Apple Support

    https://support.Apple.com/en-us/HT201517

  • ACS 3.0 for Windows database to ACS 3.3.2.2 appliance

    I have ACS 3.0 for Windows and bought 2 ACS appliances to replace ACS for Windows. Is it possible to load the ACS 3.0 for Windows config onto the ACS 3.3.2.2 appliance?

    Yes. Back up the ACS 3.0 configuration, copy the file to an FTP server and restore it on the appliance.

    If the restore fails, you may need to upgrade to ACS 3.3 before you can back up and restore.

  • unidentified network - local access only

Hi, so I have this old Sony Vaio from four years ago. I used a wired internet connection for the past four years, until we moved house and got a wireless router. Our friend connected it for me, and everything worked well, until I had to format the system. I tried the troubleshooting, looked through various forums, but nothing helps; like many, I don't know what to do. I reset the router and it works fine on my mom's netbook, but on the Vaio it says unidentified network - local access only. Just to add, it runs Windows Vista Home Premium.

    Hi Zuzanna Feliszek,

Method 1: You can follow the steps mentioned in the link below to recover from Winsock2 corruption

    How to determine and to recover from Winsock2 corruption in Windows Server 2003, Windows XP and Windows Vista
    http://support.Microsoft.com/kb/811259

    Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems can occur if you modify the registry incorrectly. Therefore, make sure that you proceed with caution. For added protection, back up the registry before you edit it. Then you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click on the number below to view the article in the Microsoft Knowledge Base.
    How to back up and restore the registry in Windows


    Method 2:
you can follow the steps described in the article below, which deals with a similar issue

    Network connectivity fails when you try to use Windows Vista behind a firewall device
    http://support.Microsoft.com/kb/934430


    Method 3:
    download and install all Windows Update available (Service pack (SP) 1 and 2)
    http://Windows.Microsoft.com/en-us/Windows-Vista/install-Windows-updates

  • ACS any Version with Windows Server 2008 R2 64-bit domain controller

    Hi all

    Is there any version of ACS is currently working with Windows Server 2008 R2 domain controllers?

Our server team recently upgraded the domain controllers to 2008 R2 and turned off the 2003 servers. This did not make our ACS 4.1.4 very happy.

I have now read several messages about problems with ACS and Server 2008 R2 and hope to find a solution (other than switching to LDAP, yuck).

    Thank you

    Pato

ACS currently cannot be installed on a server running Windows 2008 R2.

As an alternative, you can install ACS on a member server.  ACS uses the local machine net API for authentication, and authentication against a 2008 R2 domain will work.  The Remote Agent can also be installed on a 2008 R2 server if you use appliances.

If you install ACS on a member server instead, here is how to configure the services to authenticate properly with the domain:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/installation/guide/Windows/postin.html#wp1041304

    -Jesse
