ACS 5.2 - Support for RADIUS attributes per user

Hi all

Does anyone know if it is possible to configure RADIUS attributes on a per-user basis in ACS 5.2?

That was possible under ACS 4.x; however, I can't seem to find any reference to whether ACS 5.2 supports it.

Thank you

Leon

You can do this by setting user attributes and then using attribute substitution.

You can see an example of it that sets an internal user attribute to use as the value for the Framed-IP-Address field.

This is just an example and can also be applied to any RADIUS attribute by setting a user attribute of the same type. Values can also be taken from an external identity store such as AD.

Tags: Cisco Security

Similar Questions

  • Same host for RADIUS and TACACS+

    Hello

    Can I put a host (an ASA, for example) twice in the ACS server? One for TACACS+ to grant administrators exec access and the other for RADIUS to authenticate remote users.

    I don't want remote users to be able to get exec mode.

    Or how should I configure this?

    Yes, you can do it. Network configuration on ACS:

    Add

    ASA ---> 10.1.1.1 ---> Auth using TACACS+

    ASA1 ---> 10.1.1.1 ---> Auth using RADIUS

    The host name cannot be the same.

    Kind regards

    ~ JG

    Please rate useful messages

  • WLC with ACS 5.1 (RADIUS) for management *AND* network users

    Hello

    I have RADIUS authentication set up for network AND management users on my NM-WLC (running 5.2) against ACS 5.1.

    My question is:

    For admin users to log in, I need to return "Service-Type = Administrative-User" in order to make it work.

    Because ACS sees all requests from the same device (WLC) for admin and network users, the way I currently handle it is by creating a filter based on the user name.

    Thus, users that contain 'admin' in their ID use a network access authorization policy rule which has an authorization profile with the RADIUS attributes associated.

    Normal users have a different network access authorization policy rule, with a different profile.

    While this DOES WORK fine, I was still wondering if there is a better way to do it, rather than creating a rule based on the user name.

    I could use TACACS+ for the management, but I don't think that ACS allows the same AAA client (WLC) to use both protocols.

    Thank you

    I think this is a very common thing to do.

    You may notice that ACS 5 comes preinstalled with a service selection policy that differentiates requests based on protocol and directs them to the 'Default Network Access' or "Default Device Admin" service out of the box.

    If you only want RADIUS you can either disable or delete the rule for TACACS+ requests, or not select TACACS+ in the device definitions.

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,

    I need to add RADIUS attributes for a custom vendor under the 'Group Setup' page in ACS 4.2. Right now, I see Cisco Aironet RADIUS attributes, IETF RADIUS attributes etc. in the "Group Setup" page. How can I make the RADIUS attributes for a vendor also appear on this page?

    PS: Please rate useful messages

    Thank you

    Boudou

    Under "Interface", you can set which RADIUS attributes you want to view. It is probably just a missing checkbox for your vendor.

    The Options for RADIUS are described here:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

  • ACS 5.1 - authorization profile, RADIUS attributes

    Hello

    I am setting up RADIUS AAA for a Cat6K switch.

    Authentication works and the user can log in. But the assignment of a privilege level does not work.
    After logging in, I always get privilege 1.

    I need your guidance on how to set up the RADIUS attribute in ACS 5.1.

    I followed the document to configure the cisco-av-pair to assign privilege 15 and privilege 5, but it does not work.

    The attribute format shown in the document to define privilege 15 is "shell:priv-lvl=15".

    Please refer to my screenshot. Is it the right way to set it up on ACS 5.1?

    Created: June 12, 2011 05:56 by Damiano, Anisha A (ANDAMANI, 279917)

    Problem:
    =========
    Authorization does not work as expected

    Resolution:
    ============
    Add a Service-Type of NAS-Prompt

  • File formats supported for attributes of the BLOB

    Hi all

    I have an attribute of type BLOB. Can anybody tell me which file formats are supported for an attribute of type BLOB in Sites?

    I am trying to upload a .map format file. I'm able to upload it, but when I try to fetch the URL of the BLOB, it gives a content server error. It looks like the blob server does not support .map files. My logic works fine for other formats such as pdf, jpeg, css, js, etc.

    Is there any file where we configure all the formats we will support in blob?

    Hello

    Maybe the problem is that you do not have this extension in the MIME type table and you must add it.

    Hope it helps,

    Gerardo

  • IOS Easy VPN Server / Radius attributes

    Hello

    I made an Easy VPN server setup with a 2621XM router running 12.2(15)T5. VPN clients/users are authenticated against Cisco ACS 3.2 via RADIUS.

    It works fine, but there is a problem that I can't solve. Each user must get the same VPN IP address assigned whenever they authenticate.

    The ACS sends the right RADIUS attribute (Framed-IP-Address) back to the IOS router, but this address is not assigned to the client. The client always gets the next available IP address from the local pool on the router.

    How can I solve this problem?

    You will find the relevant parts of the configuration and a "deb radius" output below.

    Kind regards

    Christian

    AAA - password password:
    AAA authentication calls username username:
    aaa authentication login users group radius local
    aaa authorization network default group radius local
    crypto isakmp policy 1
     group 2
    !
    crypto isakmp policy 3
     hash md5
     authentication pre-share
     group 2
    crypto isakmp identity hostname
    !
    crypto isakmp client configuration group kh_vpn
     key mypreshared
     pool mypool
    !
    crypto ipsec transform-set shades esp-3des esp-sha-hmac
    !
    crypto dynamic-map mode 1
     set transform-set shades
    !
    crypto map mode client authentication list users
    crypto map mode isakmp authorization list default
    crypto map mode client configuration address respond
    crypto map mode 1 ipsec-isakmp dynamic mode
    !
    interface FastEthernet0/1
     ip address 192.168.100.41 255.255.255.248
     crypto map mode
    !
    ip local pool mypool 172.16.0.2 172.16.0.10
    !
    radius-server attribute 8 include-in-access-req
    radius-server host 192.168.100.13 auth-port 1645 acct-port 1646 key XXXXXXXXXXXXXXXX
    radius-server authorization permit missing Service-Type

    deb radius

    00:03:28: RADIUS: Pick NAS IP for u=0x83547CDC tableid=0 cfg_addr=0.0.0.0 best_addr=192.168.100.26
    00:03:28: RADIUS: ustruct sharecount=2
    00:03:28: RADIUS: radius_port_info() success=0 radius_nas_port=1
    00:03:28: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/4, len 73
    00:03:28: RADIUS:  authenticator 89 EA 97 56 12 B1 C5 C2 - C0 66 59 47 F7 88 96 68
    00:03:28: RADIUS:  NAS-IP-Address      [4]   6   192.168.100.26
    00:03:28: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
    00:03:28: RADIUS:  User-Name           [1]   10  "vpnuser1"
    00:03:28: RADIUS:  Calling-Station-Id  [31]  13  "10.1.14.150"
    00:03:28: RADIUS:  User-Password       [2]   18  *
    00:03:28: RADIUS: Received from id 21645/4 192.168.100.13:1645, Access-Accept, len 108
    00:03:28: RADIUS:  authenticator C1 7 29 56 50 89 35 B7 - 92 7B 1A 32 87 15 6 A4
    00:03:28: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    00:03:28: RADIUS:  Login-IP-Host       [14]  6   255.255.255.255
    00:03:28: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
    00:03:28: RADIUS:  Tunnel-Password     [69]  21  *
    00:03:28: RADIUS:  Framed-IP-Netmask   [9]   6   255.255.255.0
    00:03:28: RADIUS:  Framed-IP-Address   [8]   6   172.16.0.5
    00:03:28: RADIUS:  Class               [25]  37
    00:03:28: RADIUS:   43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30  [CISCOACS:0000010]
    00:03:28: RADIUS:   2F 33 63 30 61 38 36 34 31 61 76 70 75 73 6F 2F  [3/c0a8641a/vpnus]
    00:03:28: RADIUS:   65 72 31                                         [er1]
    00:03:28: RADIUS: saved authorization data for user 83547CDC at 83548430
    00:03:29: RADIUS: authenticating for author data
    00:03:29: RADIUS: Pick NAS IP for u=0x82A279FC tableid=0 cfg_addr=0.0.0.0 best_addr=192.168.100.26
    00:03:29: RADIUS: ustruct sharecount=3
    00:03:29: RADIUS: radius_port_info() success=0 radius_nas_port=1
    00:03:29: RADIUS(00000000): Send Access-Request to 192.168.100.13:1645 id 21645/5, len 77
    00:03:29: RADIUS:  authenticator 13 B2 A6 CE BF B5 DA 7E - 7B F0 F6 0B A2 35 60 E3
    00:03:29: RADIUS:  NAS-IP-Address      [4]   6   192.168.100.26
    00:03:29: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
    00:03:29: RADIUS:  User-Name           [1]   8   "kh_vpn"
    00:03:29: RADIUS:  Calling-Station-Id  [31]  13  "10.1.14.150"
    00:03:29: RADIUS:  User-Password       [2]   18  *
    00:03:29: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    00:03:29: RADIUS: Received from id 21645/5 192.168.100.13:1645, Access-Accept, len 94
    00:03:29: RADIUS:  authenticator C4 F5 2F C3 EE 56 DA C9 - 05 D6 F5 5D EF 74 23 AF
    00:03:29: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    00:03:29: RADIUS:  Login-IP-Host       [14]  6   255.255.255.255
    00:03:29: RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
    00:03:29: RADIUS:  Tunnel-Password     [69]  21  *
    00:03:29: RADIUS:  Class               [25]  35
    00:03:29: RADIUS:   43 49 53 43 4F 41 43 53 3A 30 30 30 30 30 31 30  [CISCOACS:0000010]
    00:03:29: RADIUS:   2F 34 63 30 61 38 36 34 31 61 2F 6B 5F 68 76 70  [4/c0a8641a/kh_vp]
    00:03:29: RADIUS:   6E                                               [n]
    00:03:29: RADIUS: saved authorization data for user 82A279FC at 82A27D3C

    Assignment of an IP address via a RADIUS server is currently not supported; even if your RADIUS server passes back an IP address, the router will ignore it and just assign an IP address from the local pool. In fact, the local pool is the only way to assign IP addresses currently.

    The only way to do what you want right now is to create different VPN groups, each referencing a local IP pool with one address in it. Then have each user connect to the appropriate group from their VPN client.

    Yes, messy, but just trying to provide a solution for you.

  • WAAS configuration for RADIUS and a Windows Server 2012 NPS server

    I am having trouble getting our WAAS devices to authenticate and log in via RADIUS.  Running NPS on Windows Server 2012.  Confirmed that my WAAS device can ping the IP address of the RADIUS server.  Using the Service-Type attribute of Administrative under network policies.  Looking in the event viewer, I get an error with event ID 15, "A malformed RADIUS message was received from client xxxx-WAAS-01. The data is the RADIUS message."

    Right now, I can only log in with the local default user name and password.  Here is some of the config for the WAAS, running version 6.2.1:

    radius-server key *
    radius-server host 10.194.10.13 auth-port 1645
    !
    authentication login local enable secondary
    authentication login radius enable primary
    authentication configuration local enable secondary
    authentication configuration radius enable primary
    authentication fail-over server-unreachable

    I confirmed that my shared key is entered correctly on the WAAS and the NPS.  I have Cisco switches/routers working fine on the same RADIUS server.

    Has anyone had any luck connecting their WAAS devices to RADIUS using Windows Server 2012 and NPS?  If so, please share any additional steps you have taken to get things to work.

    Hi Paul,

    Based on the RADIUS error you are probably experiencing defect CSCva14731. This was discovered with Cisco ACS, but can affect other RADIUS servers.

    To confirm, you can check for the corresponding error in the WAAS syslog:

    authenticate: % WAAS-UNKNOWN-3-899999: pam_radius_auth: talk_radius: RADIUS server did not respond (timeout 5 (sec))

    Also, this defect would not affect devices on WAAS 5.x software.

    The problem will be fixed in the upcoming 6.2.3 release.

  • ASA5500 radius attributes web vpn

    Hello

    I'm working on getting SSL VPN users authenticated via RADIUS. Whenever a user authenticates, I get the following attributes from the ASA:

    User-Name = "user"
    User-Password = "*"
    NAS-Port = 266403840
    Calling-Station-Id = "1.1.1.1"
    NAS-Port-Type = Virtual
    NAS-IP-Address = 2.2.2.2
    Cisco-AVPair = "ip:source-ip=1.1.1.1<30><149>"

    Pretty standard stuff, but the ASA documentation lists support for many other attributes. Why are they not passed in the authentication request? Is there something I need to do to enable these? Basically I have different tunnel groups with user names and the ASA does not give me information on which group or URL the user landed on, so I do not know how to authenticate these users. Realms are not an option for me.

    Is that really all that is sent? The RADIUS request should include the tunnel-group-name, like the following from a "debug radius" on an 8.4(5) ASA:

    Radius: Type = 146 (0x92) Tunnel-Group-Name
    Radius: Length = 8 (0x08)
    Radius: Value (String) =
    56 50 4e 2d 44 45                                  |  VPN-DE
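As an added example that is not from any of the posts above: a small Python encoder/decoder for the RADIUS attribute TLVs these threads turn on (Service-Type for the WLC admin and NAS-Prompt cases, Framed-IP-Address for the Easy VPN case, and the Cisco VSAs cisco-av-pair "shell:priv-lvl=15" and Tunnel-Group-Name 9/146 from this post), with length checks so a malformed attribute list is rejected rather than mis-parsed. The constant ASA_TUNNEL_GROUP_VSA is constructed from the debug bytes above; all other names are mine.

```python
import struct
import ipaddress

# RFC 2865 attribute types referenced in the threads above
SERVICE_TYPE, FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 6, 8, 26
SERVICE_TYPE_NAMES = {2: "Framed", 5: "Outbound", 6: "Administrative-User", 7: "NAS-Prompt"}
CISCO = 9                      # Vendor-Id for Cisco VSAs
CISCO_AVPAIR = 1               # VSA 9/1, e.g. "shell:priv-lvl=15"
CISCO_TUNNEL_GROUP_NAME = 146  # VSA 9/146, as in the ASA debug above
CISCO_NAMES = {CISCO_AVPAIR: "cisco-av-pair", CISCO_TUNNEL_GROUP_NAME: "Tunnel-Group-Name"}

def encode_attr(atype, value):
    """Type(1) Length(1, header included) Value; Length is one byte, so value <= 253."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_vsa(vendor, vtype, value):
    """Vendor-Specific (26): Vendor-Id(4) then a nested Vendor-Type/Vendor-Length/value TLV."""
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor, vtype, len(value) + 2) + value)

def decode_attrs(data):
    """Walk the TLV list, returning (type, value) or (26, vendor, vtype, value) tuples.
    A truncated or zero-length attribute raises instead of looping or over-reading."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("bad VSA length")
            out.append((atype, struct.unpack("!I", value[:4])[0], value[4], value[6:4 + value[5]]))
        else:
            out.append((atype, value))
        pos += alen
    return out

def describe(attrs):
    """Name the decoded attributes the way the debug output above does."""
    names = {}
    for a in attrs:
        if a[0] == SERVICE_TYPE:
            names["Service-Type"] = SERVICE_TYPE_NAMES.get(struct.unpack("!I", a[1])[0], "unknown")
        elif a[0] == FRAMED_IP_ADDRESS:
            names["Framed-IP-Address"] = str(ipaddress.IPv4Address(a[1]))
        elif a[0] == VENDOR_SPECIFIC and a[1] == CISCO and a[2] in CISCO_NAMES:
            names[CISCO_NAMES[a[2]]] = a[3].decode()
    return names

def build_accept_attrs(priv_lvl, framed_ip, tunnel_group):
    """Per-user attributes an Access-Accept would carry for the cases discussed above."""
    return b"".join([
        encode_attr(SERVICE_TYPE, struct.pack("!I", 6)),  # Administrative-User
        encode_attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        encode_vsa(CISCO, CISCO_AVPAIR, ("shell:priv-lvl=%d" % priv_lvl).encode()),
        encode_vsa(CISCO, CISCO_TUNNEL_GROUP_NAME, tunnel_group.encode()),
    ])
# Constructed from the ASA debug above: type 26, len 14, vendor 9, type 146, len 8, "VPN-DE"
ASA_TUNNEL_GROUP_VSA = bytes.fromhex("1a0e00000009920856504e2d4445")
```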

  • ACS 5.1 - AD and RADIUS attribute mapping

    Hello

    I am trying to dynamically assign IP addresses for VPN users from AD (without the IAS service). Is it possible?

    I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in 'acsuserguide51'), but I'm not exactly sure whether that has anything to do with it.

    In the "Authorization Profiles" RADIUS attributes tab I try to manually add a specific attribute (Framed-IP-Address).

    I have no problem (everything works fine) with assigning a static address in the way below:

    AD is already integrated with ACS and I managed to retrieve the particular directory attribute msRADIUSFramedIPAddress.

    When I change the attribute value type from 'static' to 'dynamic' I see I can select AD (but the "Select" which should list all of the available attributes is empty).

    Is it possible this way or is my concept wrong?

    I know I can do it directly (ASA <-> AD attribute mapping), but I want ACS to do it.

    Best regards and thanks for all help

    Przemek

    Your basic approach is correct. However, when you dynamically assign the IP address of type RADIUS attributes in an authorization profile you only get presented with those attributes from the identity store (in this case AD) which are also of type IP address. In your example, it is of the type "integer64".

  • WLAN 4402 for Radius Authentication

    Hi guys,

    Please help me with how I can set up my WLAN 4402 controller for RADIUS authentication; if you have links or procedures that you can share, it will be very much appreciated. :-)

    Thanks in advance.

    It depends on whether you are using Cisco ACS or Windows IAS. The controller configuration is the same but the RADIUS side is different.

    Also, what are you trying to configure: users, PEAP etc. through RADIUS?

    PEAP via ACS is here

    http://www.Cisco.com/en/us/partner/products/ps6366/products_configuration_example09186a00807917aa.shtml

    PEAP via IAS is here

    http://www.Cisco.com/en/us/partner/products/ps6366/products_configuration_example09186a0080921f67.shtml

    Hope that helps

  • OEDQ support for the AV tools

    Hello

    Please can someone let me know the supported AV tools for OEDQ, apart from Loqate and QAS.

    Thanks in advance.

    Regards

    Deborah

    External web service calls are usually made from EDQ by using a Script processor (where the script used depends on the web service interface). Note that the Script processor is limited to a single output, so normally, if multiple attributes are returned, they are returned in an array attribute and then split later. If you need to do something more advanced than this, you will need to write a new processor in EDQ - we can advise you on this if necessary.

    It is easier to illustrate the Script approach with an example.

    Here is an example of a call to a sample postal code search service from GeoNames.org. It is a Script processor that takes three inputs (postal code and country as string attributes, and a maxresults number attribute). It returns the results in an array.

    addLibrary("http");

    function GetValue(content, name) {
        // Return the text between <name> and </name>, or "" if the element is absent
        var value = "";
        var startPos = content.indexOf("<" + name + ">");
        if (startPos > -1) {
            var endPos = content.indexOf("</" + name + ">", startPos);
            value = content.substring(startPos + name.length + 2, endPos);
        }
        return value;
    }

    function GetCDATAValue(content, name) {
        // Strip a <![CDATA[ ... ]]> wrapper (9 and 3 characters) if the element has one
        var value = GetValue(content, name);
        if (value.indexOf("<![CDATA[") == 0)
            return value.substr(9, value.length - 12);
        else
            return value;
    }

    try {
        var result = new Array();
        // input1[0] = postal code, input1[1] = country code, input1[2] = maximum rows
        var url = "http://api.geonames.org/postalCodeSearch?postalcode=" + input1[0] + "&country=" + input1[1] + "&maxRows=" + input1[2] + "&username=demo";
        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open("GET", url, false);
        xmlHttp.send();
        var response = "" + xmlHttp.responseXML;
        // Each match comes back inside a <code> element
        var startPos = response.indexOf("<code>");
        while (startPos > -1) {
            var endPos = response.indexOf("</code>", startPos);
            var record = response.substring(startPos, endPos);
            var postalcode = GetValue(record, "postalcode");
            var name = GetValue(record, "name");
            var countryCode = GetValue(record, "countryCode");
            var lat = GetValue(record, "lat");
            var lng = GetValue(record, "lng");
            var adminCode1 = GetValue(record, "adminCode1");
            var adminName1 = GetValue(record, "adminName1");
            var adminCode2 = GetValue(record, "adminCode2");
            var adminName2 = GetValue(record, "adminName2");
            var adminCode3 = GetValue(record, "adminCode3");
            var adminName3 = GetValue(record, "adminName3");
            // One pipe-delimited string per match; split into separate attributes later
            result[result.length] = postalcode + "|" +
                name + "|" +
                countryCode + "|" +
                lat + "|" +
                lng + "|" +
                adminCode1 + "|" +
                adminName1 + "|" +
                adminCode2 + "|" +
                adminName2 + "|" +
                adminCode3 + "|" +
                adminName3;
            startPos = response.indexOf("<code>", endPos);
        }
    } catch (e) {
        result[result.length] = "Error: " + e.toString();
    }

    output1 = result;

  • Support for zoom

    Has anyone used MacKeeper and then Zoom support for online help with a Mac?  I have a MacBook (not Pro).

    Avoid MacKeeper. Your Mac runs the maintenance in the background for you.

    I don't know how MacKeeper and Zoom Support have anything to do with each other?

  • No support for npapi plugin?

    Hi, we use software that is based on Java for our clients to access our services. As I read in some news, support for NPAPI plugins will end in the 64-bit version of Firefox 41 (so Java will no longer be supported). Is this only the Windows 64-bit version, or are Linux and Mac also being targeted? We need this information so that we can tell our customers which browsers we still support.
    Thanks in advance

    Only the Firefox Win64 41.0+ version will initially have only the whitelisted 64-bit Flash Player for now.

    64-bit versions on Mac OS X and Linux may continue to use other 64-bit compatible plugins in addition to Flash Player.

    Firefox 42.0 is now the current target for the Win64 version, as 41.0 was previously. The Fx Win64 41.0b# builds on the beta channel will be affected by the whitelist.

  • Now that we are in July 2015, support for Windows XP is dead. Until when will Firefox support XP SP3? Is it until December 2015 like Google Chrome, or mid-2016?

    Support for Windows XP SP3

    Mozilla has not announced a date as to when support for WinXP SP3 will end.
