ACS 5.2 custom attributes

Hello all

Generally speaking, I have a question about TACACS+ custom attributes. On ACS 4.2 the custom attribute is written for Cisco CRC, but on ACS 5.2 the attributes are different, so how do I configure ACS 5.2 custom attributes?

Thank you for helping!

TACACS+ custom attributes, ACS 4.x to 5.x

The format of TACACS+ custom attributes is slightly different between ACS 4.x and 5.x.

In ACS 4.2 there is just one field that holds a combination of attribute, requirement (mandatory or optional) and value.

Example in ACS 4.2:

The custom attribute field holds "access*touch".

In ACS 5.x this would be entered as:

Attribute - access

Requirement - optional

Value - touch

Another example:

The custom attribute field holds "access=touch".

Attribute - access

Requirement - mandatory

Value - touch

«* "means optional and compulsory means «=»

Jatin kone
-Do rate helpful posts-

Tags: Cisco Security

Similar Questions

  • [Cisco ACS 5.2] EAP-TLS authentication failure

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication, and computer certificates are automatically enrolled from a Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    The first authentication works, but if I manually disconnect and reconnect, I get this error on ACS: 22047 Principal username attribute is missing from the client certificate

    In the EAP packets we could see that Windows 8 sent a TLS session ticket, but the session ticket was not properly handled by ACS...

    In the ACS configuration we checked the option "Enable EAP-TLS Session Resume" with a session timeout of "7200".

    I found this bug:

    http://tools.cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem, but the reboot does not work in my case...

    It is fixed in 5.3(0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is included in 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must also be fixed in 5.4.

    Even if the same issue appeared with 5.4, it would have a different bug ID and be identified as an independent issue (with different causes, usually).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • ACS 4.0 and IBM TSCM

    Hello

    I am trying to load the NAC attributes for IBM Corporation (TSCM) from the FTP (the NAC management attributes), but these do not appear in System Configuration -> Logging -> CSV Failed Attempts configuration or CSV Passed Authentications configuration.

    My server is an ACS 4.0 appliance. On ACS 3.3 my NAC attributes work fine.

    [attr#0]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00020
    attribute-name=Policy Version
    attribute-profile=off
    attribute-type=string

    [attr#1]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00021
    attribute-name=Number of Violations
    attribute-profile=off
    attribute-type=unsigned integer

    [attr#2]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00010
    attribute-name=Action
    attribute-profile=out
    attribute-type=string

    I loaded the attribute list for Symantec on ACS 4.0 and it is OK, but for Tivoli Security Compliance Manager it doesn't work.

    Please help me if you have a solution!

    Thank you!

    Hello

    Well yes, you can't have a space in the vendor name. In my case, after loading the file I did not have the attribute on the ACS unit, but I could see it in logging. After rebooting the ACS it's OK.

    I am also deploying NAC with IBM TSCM; could you share your experience? What version of the TSCM client should we use? I can't get version 5.1.0, but it looks like only version 5.1.2 and above can be patched with the latest update.

    Thank you
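    As an added example (not from the thread), the following Python checks an ACS 4.x NAC attribute definition file of the shape posted above before it is loaded. It parses the [attr#N] sections and flags the condition the reply points at, a space in vendor-name, alongside a few structural checks. The key names are the ones in the file above; the required-key list, the allowed attribute types and profiles, and the sample file are assumptions constructed for this example, not the ACS specification.

```python
"""Checker for an ACS 4.x style NAC attribute file (added example).

Key names follow the file in the thread. REQUIRED_KEYS, ATTRIBUTE_TYPES and
ATTRIBUTE_PROFILES are assumptions for this example; 'string' and
'unsigned integer' are the two types that appear in the thread.
"""
import re
from typing import Dict, List

REQUIRED_KEYS = ("vendor-id", "vendor-name", "application-id", "application-name",
                 "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
ATTRIBUTE_TYPES = {"string", "unsigned integer", "ipaddr", "date", "version"}  # assumed
ATTRIBUTE_PROFILES = {"in", "out", "in out"}                                   # assumed


def parse_attr_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section name: {key: value}} for an INI-like [attr#N] file."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        m = re.fullmatch(r"\[(attr#\d+)\]", line)
        if m:
            current = m.group(1)
            if current in sections:
                raise ValueError(f"duplicate section [{current}]")
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {line!r}")
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_attr_file(text: str) -> List[str]:
    """Collect findings that would stop the file from loading cleanly."""
    findings: List[str] = []
    for name, kv in parse_attr_file(text).items():
        for key in REQUIRED_KEYS:
            if key not in kv:
                findings.append(f"{name}: missing {key}")
        vendor = kv.get("vendor-name", "")
        if " " in vendor:
            # The point raised in the reply above: no spaces in the vendor name.
            findings.append(f"{name}: vendor-name {vendor!r} contains a space")
        if kv.get("attribute-type", "").lower() not in ATTRIBUTE_TYPES:
            findings.append(f"{name}: unknown attribute-type {kv.get('attribute-type')!r}")
        if kv.get("attribute-profile", "").lower() not in ATTRIBUTE_PROFILES:
            findings.append(f"{name}: unknown attribute-profile {kv.get('attribute-profile')!r}")
        if not kv.get("attribute-id", "").isdigit():
            findings.append(f"{name}: attribute-id must be numeric")
    return findings


# Constructed sample: attr#0 keeps the spaced vendor name, attr#1 has it removed.
SAMPLE = """
[attr#0]
vendor-id=2
vendor-name=IBM Corporation
application-id=50
application-name=SCM
attribute-id=00020
attribute-name=Policy Version
attribute-profile=out
attribute-type=string

[attr#1]
vendor-id=2
vendor-name=IBMCorporation
application-id=50
application-name=SCM
attribute-id=00021
attribute-name=Number of Violations
attribute-profile=out
attribute-type=unsigned integer
"""

if __name__ == "__main__":
    for finding in check_attr_file(SAMPLE):
        print(finding)
```

    Running it on the constructed sample reports only the spaced vendor name in attr#0; the second section passes every check.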

  • Add new OPNET VSA ACS 4.2

    I need to add OPNET RADIUS attributes to ACS 4.2. How can I add a new vendor-specific attribute to ACS? A Google search points me to CSUtil.exe, and I cannot find this utility in the ACS installation files.

    These are the values I need to add for OPNET.

    When configuring the RADIUS server to handle the ACE Live device, use the following vendor code and vendor-specific attribute (VSA):

    Vendor code: 7119

    VSA: 33

    Thanks for your help.

    Faucher

    Well, you can use the RDBMS synchronization feature to add the new custom vendor to ACS with its custom attributes, which complement the standard IETF list.

    What you need to do is set up the accountactions.csv file with the actions needed to add the new custom vendor as well as its attributes.

    As a reference to how to implement the accountactions.csv file, please see the following link:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RDBMS.html#wp148322

    Walk through all of the above chapter.

    One last thing: you need to find the dictionary file for OPNET with their custom attributes.

    If you need help, just provide the dictionary file and I will make the file for you.

    ------------------------------------------------------------------

    Please make sure to rate correct answers.

  • ACE and AAA (TACACS+)

    Hello

    I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works very well... But now I can't log into my switches :-( I get an authorization failed message. Here is the debug aaa output from the switch:

    13:41:38.433 Jul 12 UTC: AAA: analyze name = tty2 BID type =-1 ATS = - 1

    13:41:38.441 Jul 12 UTC: AAA: name = tty2 flags = 0 x 11 type = 5 shelf = 0 = 0 = 0 = channel 2 = 0 port adapter slot

    13:41:38.441 Jul 12 UTC: AAA/MEMORY: create_user (0x16E1F28) user = ruser 'NULL' = 'NULL' ds0 = 0 port = 'tty2' rem_addr ='* '= ASCII service CONNECTION priv = authen_type = 1 initial_task_id = ' 0', vrf = (id = 0)

    13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port = 'tty2' list = "service = EXEC

    13:41:44.590 Jul 12 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user ='* '

    13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send service AV = shell

    13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd *.

    13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found the 'default' list

    13:41:44.590 Jul 12 UTC: tty2 AAA/AUTHOR/EXEC (945064986): method=tacacs+ (tacacs+)

    13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): user = *.

    13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): send service AV = shell

    13:41:44.590 Jul 12 UTC: AAA/AUTHOR/TAC +: (945064986): send AV cmd *.

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR (945064986): position of authorization = PASS_ADD

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: service treatment AV = shell

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV cmd *.

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV priv-lvl = 15

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: treatment AV shell: Admin = Admin

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin

    13:41:44.799 Jul 12 UTC: AAA/AUTHOR/EXEC: permission DENIED

    13:41:46.804 Jul 12 UTC: AAA/MEMORY: free_user (0x16E1F28) user ='* 'ruser = port 'NULL' = 'tty2' rem_addr =' * ' authen_type = AS

    Any idea what the problem is?

    Best regards, Dirk

    Hi Dirk,

    Is there any reason/specific requirement that you must configure the attribute shell:Admin=Admin?

    Aside from that, the device rejects it because it is not able to understand it, and in addition we made it a mandatory attribute.

    Try this:

    shell:Admin*Admin

    * -> optional attribute

    Kind regards

    Prem
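    The two TACACS+ points raised on this page, the "*" versus "=" separator in the ACS 4.x to 5.x answer at the top and the "received unknown mandatory AV ... permission DENIED" result in Dirk's debug output, follow from the same rule in RFC 8907: "=" marks a mandatory attribute and "*" an optional one, and a client that does not understand a mandatory attribute must fail the authorization while an unknown optional attribute is ignored. The following Python is an added example, not code from the thread or from ACS; it converts a 4.x single-field attribute into the three 5.x fields and simulates the device-side decision. The function names, the set of attributes the simulated device "knows", and the sample pairs are constructed for this example.

```python
"""TACACS+ attribute-value pair handling (added example).

Separator semantics per RFC 8907: '=' mandatory, '*' optional. Everything
else here (names, the known-attribute set used in the simulation) is an
assumption made for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

MANDATORY = "="
OPTIONAL = "*"


@dataclass(frozen=True)
class AVPair:
    attribute: str
    value: str
    mandatory: bool

    @property
    def requirement(self) -> str:
        # The field ACS 5.x shows beside Attribute and Value.
        return "mandatory" if self.mandatory else "optional"


def parse_av_pair(text: str) -> AVPair:
    """Split an ACS 4.x style single-field pair such as 'access*touch'.

    The first '=' or '*' is the separator.  The attribute name cannot contain
    either character, but the value may, so 'shell:Admin=Admin' parses as
    attribute 'shell:Admin' with value 'Admin'.
    """
    for i, ch in enumerate(text):
        if ch in (MANDATORY, OPTIONAL):
            if i == 0:
                raise ValueError(f"empty attribute name in {text!r}")
            return AVPair(text[:i], text[i + 1:], mandatory=(ch == MANDATORY))
    raise ValueError(f"no '=' or '*' separator in {text!r}")


def to_acs5_fields(text: str) -> Dict[str, str]:
    """Render a 4.x custom-attribute string as the three ACS 5.x fields."""
    p = parse_av_pair(text)
    return {"Attribute": p.attribute, "Requirement": p.requirement, "Value": p.value}


def authorize_exec(server_pairs: Iterable[str],
                   known_attributes: Iterable[str]) -> Tuple[str, List[AVPair]]:
    """Simulate the device side of an EXEC authorization reply.

    Returns (decision, applied): decision is 'PASS' or 'DENIED'; applied lists
    the pairs the device acts on.  An unknown mandatory pair denies, which is
    the 'received unknown mandatory AV ... DENIED' sequence in the debug above;
    an unknown optional pair is dropped silently.
    """
    known = set(known_attributes)
    applied: List[AVPair] = []
    for pair in (parse_av_pair(p) for p in server_pairs):
        if pair.attribute in known:
            applied.append(pair)
        elif pair.mandatory:
            return "DENIED", applied
    return "PASS", applied


if __name__ == "__main__":
    # Constructed: attributes an IOS EXEC authorization understands.
    ios_exec_known = {"priv-lvl", "autocmd", "idletime", "timeout"}
    print(to_acs5_fields("access*touch"))
    print(authorize_exec(["priv-lvl=15", "shell:Admin=Admin"], ios_exec_known)[0])
    print(authorize_exec(["priv-lvl=15", "shell:Admin*Admin"], ios_exec_known)[0])
```

    With the mandatory form the simulated device returns DENIED as in the debug; with the optional form suggested in the reply it returns PASS and applies only priv-lvl=15.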

  • ACS RADIUS lost: 11051 RADIUS packet contains invalid state attribute

    Hi all

    We have been facing a very strange problem for a few days now. Our ACS v5.2.0.26 began to drop wired and wireless connections with a "RADIUS request dropped" message. The detailed message is: "RADIUS request dropped: 11051 RADIUS packet contains invalid state attribute".

    This message is usually preceded by a "RADIUS request dropped: 24444 Active Directory operation failed because of an unspecified error in the ACS" error.

    Communication with Active Directory seems to be OK, since workstations receive a valid IP address when connected to a non-802.1X switch port (Cisco 4506).

    Any help greatly appreciated,

    Best regards and happy new year to all members,

    Laurent

    Hello Laurent,

    Please check the AD connectivity status between the ACS and AD on all of your ACS servers (secondary instances as appropriate).

    Users and Identity Stores > External Identity Stores > Active Directory

    Does the connectivity status show CONNECTED or DISCONNECTED on any of your ACS servers? If one of the servers shows DISCONNECTED, that could be the root cause of the problem.

    Hope that points you in the right direction.

    Kind regards.

  • Can ACS adds more Juniper RADIUS attributes?

    Hello

    These Juniper RADIUS attributes are supported by default in Cisco ACS 4.0:

    Juniper-Local-User-Name

    Juniper-Allow-Commands

    Juniper-Deny-Commands

    Is it possible to add 2 more attributes?

    Juniper-Allow-Configuration

    Juniper-Deny-Configuration

    Kind regards

    Audrey

    Hi Audrey,

    In 4.0 the only way to add these attributes is to contact TAC and get the script directly from the developers.

    This problem has been resolved in ACS 4.1.23

    http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCsi18979&submit=search

    If that answers your question, then please mark this thread as solved so that others can benefit from it.

    Kind regards

    Jagdeep

  • ACS 5.2 - Adding custom attributes for Juniper Netscreen TACACS+ authentication

    Hello

    I'm trying to add custom attributes for Juniper Netscreen TACACS+ authentication to an ACS v5.2. The advice is to add it to the group as follows:

    service = netscreen { vsys = root privilege = read-write }

    I know how to add this on an ACS v4.x.

    However, I do not know how to apply this to the custom attributes on an ACS v5.x.

    Can I add the vsys and privilege attribute separately or together? What should be the attribute name? NetScreen? Should it be mandatory?

    Advice please

    Making different groups and shell authorization profiles mapped to different profiles fixed my problem, BTW.

    This is the configuration I did for Juniper. I'll try the netscreen (last picture) later today/tomorrow.

  • Secure ACS: Special-attributes RADIUS for Enterasys E7

    Hello

    We were on a pretty old version of Cisco Secure ACS for AAA of our network devices.

    Unfortunately, the server crashed and I needed to install and configure it on a new server.

    TACACS+ for our Cisco devices works very well.

    We have a couple of switches made by a vendor called Nexans, which support only RADIUS - that works fine as well.

    In addition, we still have a few Enterasys E7, and with those RADIUS does not work at all.

    Sniffing packets, everything looks good.

    With the old server it worked well.

    Does anyone know if there are special configurations (attributes, for example) when configuring an ACS for Enterasys RADIUS clients?

    Thank you

    Rolf

    Try this:

    Attribute [011] Filter-Id = 'Enterasys:version=1:mgmt=su:'

  • Cannot create VSA attributes in ACS 5.1

    I upgraded to ACS 5.1 in order to use the RADIUS VSA feature that has been added. I am able to create the VSA vendor object, but I get an error during the creation of the actual attributes. The error states: "This failure has occurred: {0}. Your changes have not been saved. Click OK to return to the list page." Is anyone else getting this error?

    I went through a process of upgrading on my system and I am able to reproduce your problem.

    The problem occurs if you have the "Include attribute in the log" check box selected.

    As a workaround, continue without that box selected and you should be able to add the attribute.

    The impact of not selecting it is that the attribute will not appear in the Monitoring and Troubleshooting logs, but it will not affect what is sent in the RADIUS response(s).

    I am syncing up with the development team to see what can be done to solve this problem.

  • ACS 5.2 selection policy/access service attribute question

    Hello

    I use ACS 5.2.0.26 and have configured the Service Selection policy to authenticate PEAP wireless clients based on the domain suffix used by the clients. If I use the RADIUS-IETF attribute RADIUS:User-Name to do this, am I right in saying that this corresponds to the "roaming identity" as opposed to the user's actual login id?

    In the Access Services I can use the System attribute System:UserName, which corresponds to the client's real login id. My questions are:

    Does the RADIUS-IETF attribute User-Name correspond to the "roaming identity"?

    I can use the System attribute UserName in Access Services but not, it seems, in the Service Selection policy. Why is this?

    Thank you

    Andy

    Hello

    Does the RADIUS-IETF attribute User-Name correspond to the "roaming identity"?

    -> No. The roaming identity is specific to certain supplicants and does not always match the user name.

    If the roaming identity is cleared, %domain%\%username% is the default value.

    When 802.1X MS RADIUS is used as the authentication server, the server authenticates the device using the roaming identity user name from the Intel PROSet/Wireless software and ignores the MS-CHAP-V2 authentication protocol user name. This feature is the 802.1X identity supplied to the authenticator. Microsoft IAS RADIUS accepts only a valid user name (dotNet user) for EAP clients. When 802.1X MS RADIUS is used, enter a valid user name. For all other servers this is optional. Therefore it is recommended to use the desired domain (for example, [email protected] / * /) instead of a true identity.

    I can use the System attribute UserName in Access Services but not, it seems, in the Service Selection policy. Why is this?

    -> Because this attribute is not valid for the Service Selection policy. It was designed this way... we can't do anything about it.

    HTH,
    Tiago

    --

    If this helps you or answers your question, please mark it as "answered" or rate it, so that other users can easily find it.

  • Question about the attributes Active Directory and ACS 5.2

    To authenticate on our wireless, our ACS server checks that a node is a member of a specific computer group. When we disable the computer account, the ACS server continues to pass the authentication despite the account being disabled. This isn't the only thing that is checked; we also check for a valid certificate issued by our CA. Regardless, if the computer account is disabled I would like the ACS server to fail the authentication. Is it possible to map an attribute of the computer account to a RADIUS attribute? Or simply configure the ACS server to check a flag on the AD attribute?

    Specifically, here's what we see in the steps section for a machine whose account has been disabled:

    24475 User or host account is disabled; setting the IdentityAccessRestricted flag to true.

    I want it to see this "true" flag and fail authentication, but it does not work. Any suggestions?

    The IdentityAccessRestricted attribute referenced in the steps is an additional attribute that can be used in authorization conditions.

    It is set to true if the account is disabled, outside its access period, etc.

    This gives flexibility when AD attributes are retrieved for use in authorization conditions, and it allows access to be denied if the flag is set.

    To do this, add a new condition in the authorization policy:

    If (AD1->IdentityAccessRestricted) == TRUE then select the Deny Access authorization profile.

  • ACS 5.2 - Support for RADIUS attributes per user

    Hi all

    Does anyone know if it is possible to configure RADIUS attributes on a per-user basis in ACS 5.2?

    That was possible under ACS 4.x; however, I can't seem to find a reference to whether ACS 5.2 supports it.

    Thank you

    Leon

    You can do this by defining user attributes and then using attribute substitution.

    You can see an example of it that sets an internal user attribute to use as the value for the Framed-IP-Address field.

    This is just an example and can also be applied to any RADIUS attribute for which you define a user attribute of the same type. Values can also be taken from an external identity store such as AD.

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).

    The primary and secondary ACS configurations are synchronized.

    There is no problem between the primary WLC and the Cisco ACSs (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 The RADIUS Message-Authenticator attribute is invalid".

    The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.

    The Cisco ACS description for this error: "This can be caused by mismatched shared secrets."

    The two Cisco ACSs are synchronized, so I should have the same error on both...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: the shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".
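    Amjad's answer rests on how the check behind error 11036 works: per RFC 2869 section 5.14, Message-Authenticator (attribute 80) is an HMAC-MD5 over the whole RADIUS packet (Code, Identifier, Length, Request Authenticator and all attributes, with the attribute's own 16-byte value zeroed), keyed with the shared secret. The server recomputes it with the secret it has stored for the source NAS, so a secret that is wrong on one WLC fails only on the server that WLC is sending to, while the other ACS, with identical configuration, never sees the bad packets. The following Python is an added example (not code from the thread or from ACS) that builds an Access-Request with a correct Message-Authenticator and runs the server-side verification; the packet contents, NAS addresses, secrets and the client table are constructed for the example.

```python
"""RADIUS Message-Authenticator (RFC 2869 s5.14) build and verify (added example).

All secrets, addresses and packet contents below are constructed; the
result strings mimic the outcome the thread discusses, not ACS's exact text.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterator, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret: bytes, identifier: int, user: str,
                         nas_ip: bytes, request_authenticator: bytes) -> bytes:
    """Build an Access-Request whose Message-Authenticator is valid for `secret`."""
    attrs = _attr(ATTR_USER_NAME, user.encode()) + _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
    zeroed = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # HMAC input form
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed))
    header += request_authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def _split_attrs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC with the stored secret and compare."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, rebuilt = packet[:20], None, b""
    try:
        for attr_type, value in _split_attrs(packet[20:]):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if received is not None or len(value) != 16:
                    return False  # duplicate or wrong-sized attribute
                received = value
                rebuilt += _attr(attr_type, bytes(16))
            else:
                rebuilt += _attr(attr_type, value)
    except ValueError:
        return False
    if received is None:
        return False  # absent; treated as invalid for this example
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def check_request_from_client(packet: bytes, client_secrets: Dict[str, bytes],
                              source_ip: str) -> str:
    """Look up the secret for the sending NAS and report the outcome."""
    secret = client_secrets.get(source_ip)
    if secret is None:
        return "dropped: unknown NAS"
    if not verify_message_authenticator(packet, secret):
        return "11036 RADIUS Message-Authenticator attribute is invalid"
    return "accepted for processing"


def demo() -> Tuple[str, str]:
    # Constructed: the server knows both WLCs with the same secret, but the
    # secondary WLC (10.0.0.2) was configured with a different secret.
    server_clients = {"10.0.0.1": b"wlc-secret-1", "10.0.0.2": b"wlc-secret-1"}
    request_authenticator = os.urandom(16)  # random per request (RFC 2865)
    good = build_access_request(b"wlc-secret-1", 7, "alice", b"\x0a\x00\x00\x01", request_authenticator)
    bad = build_access_request(b"wlc-secret-2", 7, "alice", b"\x0a\x00\x00\x02", request_authenticator)
    return (check_request_from_client(good, server_clients, "10.0.0.1"),
            check_request_from_client(bad, server_clients, "10.0.0.2"))


if __name__ == "__main__":
    print(demo())
```

    The primary WLC's request verifies; the secondary WLC's request, signed with the wrong secret, is reported as 11036 even though the server configuration for both clients is identical.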

  • 802.1X with dACL - invalid attribute prefix: "ACS:"

    Dear all,

    I spent half a day trying to fix this problem without success; I hope you can help me.

    I configured a simple 802.1X solution on a test PC that must authenticate users through PEAP-MSCHAPv2 against my ACS internal user database.

    Version of the switch:

    Model number: WS-C3750V2-48PS-S

    Software: c3750-ipbasek9-mz.122-52.SE.bin

    ACS:

    C1121 with version 5.3.0.40

    The problem occurs when the ACS sends the following attribute within the RADIUS Access-Accept packet:

    Cisco-AV-pair=ACS:CiscoSecure-defined-ACL=#ACSACL#-IP-auth-4eb90704

    On the switch side, I see the following debug log:

    002558: Nov 8 14:31:35.586: %AUTHMGR-5-START: Starting 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

    002559: Nov 8 14:31:35.703: AAA/ATTR: invalid attribute prefix: "ACS:"

    002560: Nov 8 14:31:35.703: %DOT1X-5-FAIL: Authentication failed for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

    002561: Nov 8 14:31:35.703: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'dot1x' for client (0022.680b.da7b) on Interface Fa1/0/1 AuditSessionID AC1FFE4E0000003105BCDE19

    802.1X related switch config:

    GLOBAL:

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    radius-server host 172.31.254.140 auth-port 1645 acct-port 1646
    radius-server host 172.31.254.141 auth-port 1645 acct-port 1646
    radius-server key 7 123415ASFASFAS55512
    radius-server vsa send accounting
    radius-server vsa send authentication
    ip device tracking
    ip access-list extended DEFAULT-ALL
     permit ip any any

    SPECIFIC PORT:

    interface FastEthernet1/0/1
     description 802.1x template port
     switchport access vlan 244
     switchport mode access
     ip access-group DEFAULT-ALL in
     authentication event fail action next-method
     authentication open
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
    end

    On the ACS side the authentication ends successfully, but for some reason the switch cannot understand the attribute sent by the ACS.

    Why does the authentication result in "server dead"?

    I have attached the authorization profile, the downloadable ACLs and the detail of the RADIUS authentication for the request...

    Any idea?

    Thank you very much!

    Yes, I came across the same issue and it ended up being a bug with the 3750:

    CSCtj28883 dACL attribute parsing fails when "debug aaa author" is on

    The description is:

    DACL processing fails when the following debug settings are turned on:

    1. debug aaa attr

    2. debug aaa authorization

    The same works fine when they are turned off. Check the switch log.

    I believe this was resolved in 3750 build 12.2(55), as per the following note attached to the bug, since it proved not to be reproducible on later builds:

    The submitter has confirmed that the bug is not seen on the 55SE image.

    The issue is only seen in 53SE.

    You can also try switching debug off.
