ACS 5.0 self of authentication

Is it possible to log in to ACS 5.2 using the users created on the same ACS (created under Users and Identity Stores) or in an external database integrated with ACS, rather than using the system administrator users created on the ACS?

Thanks in advance.

Jenny,

With ACS 5.4, you can use AD (Active Directory) users for admin access to the ACS graphical interface.

Note If useful

Tags: Cisco Security

Similar Questions

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.

    I also added ACS as a Net OS Agent in the RSA server; during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

    Now, when I log into ACS and search in the identity store sequences, I am not able to get the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me what the communication between the RSA and ACS is.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?

    If you go to

    Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

  • How 2 Configure ACS 4.2 to delegate authentication to the radius server

    Hello

    We need to run the following scenario:

    Cisco VPN client (or any connect, Cisco SSL VPN client)---> Cisco ASA 5520---> Cisco ACS 4.2---> CAT Authentication Server

    The CAT authentication server is a Radius server. It can receive Radius authentication requests and respond. It is used for strong authentication TFA WBS similar to RSA OTP tokens.

    The question is: how we set up the 4.2 ACS to delegate authentication request to another Radius server.

    Thnx

    Add the RSA server as an external database, configure the drop user profile or a group to authenticate on the new external database rather than ACS DB Local (or Windows DB).

    Easy as pie!

    Please rate if this is useful.

  • ACS 5.1 13030 TACACS+ authentication error question

    Hi all

    I am trying to set up a new TACACS+ server and am trying to update the configurations of all our network devices to point to the new server. Everything is looking fine up to now, but on the ACS monitoring tool, two of our switches are constantly spamming the '13030 request authentication TACACS+ lack a username' error. The network admin group has no problem authenticating with these two switches, and they confirm that it is not them trying to connect. Does anyone know if the ACS monitor will show any source IP addresses of these requests?

    If you click on the detail in your authentication error message, you should be able to find the 'Remote-address' field, which should tell you the remote IP address.

    If you haven't seen an IP in the address 'remote' field, you may need to check the console port / switch to see if something is connected to, what could cause the problem.

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication on this issue in the panel "System Administration > Administrators > Settings > Authentication".

    (I'm under Server Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • [Cisco ACS 5.2] EAP - TLS authentication failure

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

    In the ACS configuration, we checked the option "Enable EAP-TLS Session Resume" with the session timeout "7200".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem but the reboot does not work in my case...

    It is fixed in 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must be fixed in 5.4.

    Even if the same issue appeared with 5.4, there would be a different bug ID and it would be identified as an independent issue (with different causes, usually).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between primary rules WLC and Cisco ACS (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid".

    WLC secondary contacts automatically secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

    The two Cisco ACS are synchronized, so I should have the same error on them...

    Why primary ACS generates this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the side WLC, not on the side of the ACS.

    Make sure that the shared secret of the radius primary server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • ACS SE and Self sign Cert

    How can I get the certificate generated automatically from the ACS SE? Is FTP the only option? I already have the TEC installed on the ACS but I need to get a copy of it.

    You need FTP. To get it, there is no other choice.

    Kind regards

    ~ JG

    Note the useful messages

  • Limit of Cisco ACS 4.2 Max Auth/authentication devices.

    Hi guys.

    Can someone tell me how many devices an ACS 4.2 can work with using TACACS+?

    Is there a limit? And if there is, what is it and where does Cisco publish it?

    Has spent a whole morning and without success, reaching for the info.

    Ty in advance.

    Carlos.

    Hello

    I did a search for it and after that I found that the ACS 4.2 solution can support up to 35000 devices. Here is the link where I got the information:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5712/ps5338/qa_c67-453393.html

    A Cisco Secure ACS appliance server at least follows the same performance of the scalability of a server based on Windows Cisco Secure ACS. Cisco Secure ACS guidelines and performance analysis show that each ACS server can support anywhere from 20 000 to 80 000 users per server and can evolve to support up to 35 000 devices, according to configuration scenarios, the platform and its use

    In-house, however, we have also seen that it is recommended to use 500 per NDG.

    I hope this helps.

    Thank you

    Waris Hussain.

  • Authentication Radius 4.2 ACS and RADIUS Accounting

    Is it possible to configure ACS 4.2 to authenticate users of a wireless network (with autonomous APs) through RADIUS while I use the same ACS to provide command accounting for the access points via TACACS+? This issue came up because when I configure the APs as 'AAA Clients' under 'Network Configuration' of the ACS server (necessary config for authentication of APs and end users), the authentication method used is RADIUS (Cisco Aironet), and it prevents the generation of TACACS+ command accounting reports under "Reports and Activity > TACACS+ Administration".

    Any idea on how to solve this problem?

    Thank you

    Antonio

    Hello

    You need to add a different hostname for the AP, i.e., RPOS and APt, where you can use the same IP but use RADIUS for one and TACACS+ for the other.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • ACS for device authentication

    Hello

    I'm looking to install a NAC appliance in our office and currently have an ACS server that handles wireless authentication.

    I would like to know if the CSA is able to authenticate users on a local network with 802.1 x and detection device (such as MAC address and ID)?

    If I can do it how you define on a CBS?

    Thanks in advance

    Paul

    As mentioned, the ACS can authenticate what you ask. But you must enter all the MAC addresses then.

    The ISE profiling engine did this in real time depending on the behavior of devices.

  • ACS 5.0 - WLC could not authenticate

    Hi Forumers

    My scenario is

    1 using the microsoft AD running on window 2008, use ad server to perform authentication of identity

    2. I let successfully the ACS 5.0 device link and join the domain created on the AD server.

    3. I have also set up on WLC 2100 series with the right key on pre-shared, server IP RADIUS (which is my ACS appliance IP)

    Problem statement:

    1. try to access the network Journal ACS showing the error log 'Unknow CA, a no authentication'. (I know I'm missing to place certificate for EAP protocol somehow...)

    Question:

    1. To solve this problem, can I generate a self-signed certificate on ACS, then let the WLC import the ACS self-signed certificate?

    (so the EAPoW challenge can happen as ACS and WLC trust each other; in my view, ACS simply uses the AD user database, so in this case ACS is the authentication server, WLC is the authenticator and my AP / user is the supplicant, am I right?)

    can I not like it? Appreciate all feedback and response!

    2. If we are not my thought, can you please suggest me a solution (my requirement, it is not using any third party trusted agent certificate)

    Thank you

    Noel

    Hi Noel,

    If I can update your list, the components must be the following:

    -ACS = authentication server

    -WLC = authenticator

    -wireless client = client

    Use of certificates for EAP authentication between client wireless and ACS (devices performing the EAP authentication): the WLC check all ACS certificate.

    You can certainly create a self-signed certificate on ACS for PEAP for example working.

    On the client, you must then either not validate the server certificate or import the ACS self-signed certificate as a root CA certificate, so that the client trusts the self-signed certificate when ACS sends it during the setup of the PEAP TLS tunnel.

    One final note, for WLC working with ACS 5.0, please make sure you are on the patch
    5.0.0.21.6 or later

    http://www.Cisco.com/cgi-bin/tablebuild.pl/acs5_patches

    in order to avoid the known bug CSCsy17858

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy17858

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Is there a problem with accounting and 4.1 of the ACS

    Good day to all,

    I just installed a new server with ACS 4.1.

    This new installation 4.1 ACS is approved, I will retire my old server that ACS 3.1.

    At this point, the only problem I have with ACS 4.1 is with the accounting.

    For example:

    I used a test router with all the necessary config pointing to my old ACS 3.1. Everything works fine (authentication and accounting). If I enter a command on the test router, it is logged on ACS 3.1.

    Now, if I change the test router to point to the new ACS 4.1, the ACS 4.1 will authenticate the test router correctly, but won't log any command that I enter on the test router. I took a capture between the test router and the ACS 4.1, and the test router does send accounting records to ACS 4.1.

    There are many different configuration of ACS 3.1 4.1, but as far as I can see the config on the two ACS is as similar as possible.

    Is there anyone out there who could get ACS 4.1 to process accounting properly?

    Any idea will help.

    Thank you

    Frank

    Here is my config:

    AAA new-model

    AAA authentication login default group Ganymede + local

    connection of AAA No.-AUTH authentication no

    AAA authorization exec default group Ganymede + local

    AAA authorization commands start-stop Group 1 Ganymede +.

    AAA authorization commands start-stop group 15 Ganymede +.

    AAA accounting exec default start-stop Ganymede group.

    orders accounting AAA 1 by default start-stop Ganymede group.

    AAA accounting command 15 by default start-stop Ganymede group

    !

    192.168.100.16 host key radius-server *.

    (the above command is the only command I change to point to ACS 3.1 or ACS 4.1)

    RADIUS-server application made

    Please use the following link. It has 4.1 cumulative patch that contains the hotfix for bug.

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    Don't forget to download the readme text also.

    Rate me if it helps.

  • Several methods to access authenticated by RADIUS box

    I am trying to configure a number of different access methods all to be authenticated by the same ACS server. Basically, I want to be able to authenticate users on the level of exec of switches on the management UI http for some Aironet 350, on the network through the Aironet 350 or the network through some 1721 connection in a 3745.

    I want to be able to control access to each of these methods through AD groups which are then mapped to groups within the ACS.

    I have authentication on a test switch working well, so I know that the ACS to AD process works correctly.

    Thank you

    Hello

    Seems good... you can pass the same Test switch and to implement in the production network.

  • Secure ACS unit and Remote Agents

    Hello

    We are testing a Secure ACS 3.2 device and authentication against AD via remote agents. When two or more remote agents are registered with the device in the network menu, is the device smart enough to try the second remote agent machine if it can't talk to the first? We tested this failover by stopping the remote agent service on the first domain controller where it had been installed. However, failover does not occur. We want to know if this failover is supposed to work, and if so what we need to do to make it work.

    Yoshi Nagase

    Hello

    I implement a solution similar to yours... 2 ACS unit with 2 Remote Agent...

    I set the remote agents on the Network Configuration and the external user DB - database of Windows - Windows Remote selection of the Agent.

    In this menu the value primary and secondary Remote Agent

    HTH

    Omar
