ACS 5.3 authorization with Juniper ROB-3400

I am in the process of migrating from ACS 4.1 to ACS 5.3. Authentication works fine, but there are problems with authorization on Juniper ROB-3400 devices. In ACS 4.1 we passed the custom TACACS+ Shell (exec) attribute privilege level = 15, which allows the user to open a session with read/write privileges. In ACS 5.3 I tried defining the shell profile common task Privilege level 15 for Default and Maximum (each and both together), and also defining the custom attribute priv-lvl = 15 (with or without the common tasks set).

A capture shows Auth status: 0x11 (ERROR).

Any ideas?

Thanks in advance!

I see...

If you look at the authorization request... the device is only sending Arg[0] value: service=shell and is not sending the "cmd=" arg. According to the TACACS+ draft, if the service is shell, the 'cmd' attribute must be sent in the authorization request.

http://tools.ietf.org/html/draft-grant-tacacs-02 

cmd

a shell (exec) command. This indicates the command name for a shell command to be executed. This attribute MUST be specified if service equals "shell". A NULL value indicates that the shell itself is being referred to.

Now you must be thinking why it works with ACS 4.x and simply not with ACS 5.x.

ACS 4.x does not check for the presence of cmd and processes "cmd=" and no cmd at all as the same thing; ACS 5.x is stricter.

I've seen this happen with various 3rd-party devices such as Bluecoat, store area and now Juniper.

You need to involve the Juniper support or development team to get a fix for this: the authorization request should contain cmd=.

Hope it will be useful.

Jatin kone

- Do rate helpful posts -
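As an added illustration (not code from the original thread, from Cisco or from Juniper), here is a small Python model of the TACACS+ authorization REQUEST body laid out in draft-grant-tacacs-02, together with the cmd-attribute check that the reply above says separates ACS 4.x (lenient) from ACS 5.x (strict). The field constants are taken from the draft; the sample user, port and address values and the `strict` flag are constructed for the example.

```python
import struct

# Field values from draft-grant-tacacs-02 (assumed here, not taken from the thread):
# authen_method TACACSPLUS, authen_type ASCII, authen_service LOGIN.
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def encode_authorization_body(user, port, rem_addr, args, priv_lvl=1):
    """Build the body of a TACACS+ authorization REQUEST (packet header not included).

    Layout per the draft: authen_method, priv_lvl, authen_type, authen_service,
    user_len, port_len, rem_addr_len, arg_cnt, one length byte per argument,
    then user, port, rem_addr and the argument strings themselves.
    """
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    if len(args_b) > 255 or any(len(a) > 255 for a in args_b):
        raise ValueError("arg_cnt and every arg length are single bytes")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user_b), len(port_b), len(rem_b), len(args_b))
    arg_lens = bytes(len(a) for a in args_b)
    return fixed + arg_lens + user_b + port_b + rem_b + b"".join(args_b)


def decode_authorization_body(body):
    """Parse an authorization REQUEST body; rejects truncated input and trailing bytes."""
    if len(body) < 8:
        raise ValueError("body shorter than the fixed 8-byte prefix")
    (authen_method, priv_lvl, authen_type, authen_service,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    off = 8
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument length table")
    off += arg_cnt

    def take(n):
        nonlocal off
        chunk = body[off:off + n]
        if len(chunk) != n:
            raise ValueError("truncated body")
        off += n
        return chunk.decode()

    user, port, rem_addr = take(user_len), take(port_len), take(rem_len)
    args = [take(n) for n in arg_lens]
    if off != len(body):
        raise ValueError("trailing bytes after the last argument")
    return {"authen_method": authen_method, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "authen_service": authen_service,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def parse_arg(arg):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) at the first separator."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError(f"argument without separator: {arg!r}")


def check_shell_authorization(args, strict=True):
    """Apply the draft's rule that service=shell requires a cmd attribute.

    strict=True mirrors the ACS 5.x behaviour described in the thread (request rejected);
    strict=False mirrors ACS 4.x, which treats a missing cmd like 'cmd=' (exec session).
    Returns (accepted, reason).
    """
    attrs = {name: value for name, value, _mandatory in map(parse_arg, args)}
    if attrs.get("service") != "shell":
        return True, "not a shell service request"
    if "cmd" in attrs:
        return True, f"cmd present (cmd={attrs['cmd']!r})"
    if strict:
        return False, "service=shell without cmd attribute (draft: cmd MUST be specified)"
    return True, "cmd missing, treated as cmd= (exec session)"


if __name__ == "__main__":
    # Constructed request: what the thread says the Juniper device sends (service=shell only).
    body = encode_authorization_body("admin", "tty0", "192.0.2.10", ["service=shell"], priv_lvl=15)
    request = decode_authorization_body(body)
    print(request["args"], check_shell_authorization(request["args"], strict=True))
    print(request["args"], check_shell_authorization(request["args"], strict=False))
```

The decoder is deliberately strict about lengths: an authorization body whose length table does not match its payload is rejected rather than silently truncated, which is the same posture an AAA server should take before acting on any attribute.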

Tags: Cisco Security

Similar Questions

  • Secure ACS Authentication and Authorization with SecurID

    I am able to authenticate connection attempts using an external database (RSA SecurID). The problem is that everyone with a token is authorized to connect to any switch with priv 15 or whatever I set (there is no way to control who gets what access). How can I allow users based on membership of a certain group? The SecurID server is already integrated with LDAP; it only checks whether the user exists in the database.

    I need to create two groups, or even only allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect. I can't find guides that do anything beyond authentication when you use a SecurID token.

    Thank you.

    Hello

    On the routers and switches, have you configured the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. When authorization is in place, user access privileges can be governed by the ACS. In the Default Device Admin access policy (if you are using the default TACACS+ service), set the authorization rule to check membership of a user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to all other users.

  • ACS 5.2 authorization assignment with nested groups in LDAP

    I have a Cisco Secure ACS 5.2 on a virtual machine. We use it for administrative access to our Cisco equipment via TACACS+. I use LDAP to authenticate against Active Directory. It currently works when a user is directly in the group that is assigned. I am changing the way we assign group permissions and have created nested groups.

    For example:

    - User1 is a member of Group1

    - Group1 is a member of Group2.

    I have mapped Group2 to have access to my devices. However, User1 does not get mapped to the right group and access is denied.

    When I go to the Monitoring and Reports TACACS+ authentication details, under Other Attributes where it shows the external groups the user is a member of, I don't see Group2, only Group1.

    However, when User1 is a member of Group2 directly, the user is able to log on.

    Does ACS 5.2 not support authorization using nested groups in this way?

    Mapping of nested groups is not supported with LDAP (because the user's memberOf attribute contains only the groups directly above the user, not nested ones). This is the default behaviour when we use nested groups with LDAP. You must add the subgroups to ACS along with their respective authorization rules.

    Kind regards

    Jousset

    - Do rate helpful posts -

  • Using Cisco ACS 5.2 (TACACS+) with non-Cisco devices

    Hi all

    I was hoping that someone could help me with what might be a silly question. I'm trying to implement a solution whereby an operator can manage all their non-Cisco network nodes via TACACS+. The nodes involved are:

    Juniper M10i running Junos 9.2, M120

    Juniper M320 running Junos 8.5

    Extreme BD8810 and BD8806 running XOS 12.4.1.17

    Extreme Alpine 3804 running Extremeware 7.8.3.5

    My question is, can I use Cisco ACS 5.2 (or 4.2) to authenticate these non-Cisco devices using TACACS+? Has anyone else done this, or do I have to use RADIUS? If someone has done this, are there interoperability problems between Cisco ACS and Junos or Extreme XOS? Thank you

    / John

    John,

    We have a very large deployment of Juniper (T-series, MX series, etc.). We use Cisco ACS and TACACS+ to manage these devices. The ACS configuration is fairly simple. You'll want to create users to log in and match them to classes on your JUNOS routers. Here is an example:

    set system login user engineering uid 2000
    set system login user engineering class engineering-class
    set system login user noc uid 2001
    set system login user noc class noc-class

    set system login class engineering-class idle-timeout 15
    set system login class engineering-class permissions all
    set system login class noc-class idle-timeout 15
    set system login class noc-class permissions view
    set system login class noc-class permissions view-configuration

    We use two classes, engineering and NOC. One is defined as read/write and the second as read-only. This is in turn mapped in ACS (in our case version 4.2) by user or group (preferred). First, you change the interface configuration and add a TACACS+ junos-exec service, leaving the Protocol field empty. Then you change the attributes of the user or group. I've attached screenshots of both on this subject.

    Hope this helps.

    Derek

  • ACS 5.1 integration with WLC

    Hello

    Can someone help me find a document for the ACS 5.1 appliance on TACACS+ integration (configuration) with my WLC, and also the RADIUS configuration for clients?

    All the wireless controller configuration guides show only ACS 4.x integration.

    Thanks in advance

    Hello

    There is unfortunately no official configuration example for this right now.
    However, you can view these screenshots I took from a lab example, showing how to set up the shell profile and pass it back through the authorization rule.

    Hope this helps,

    Fede

    --
    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • ACS 5.2 authorization policy

    Hello

    Is there a method to control access to different WLANs (PEAP) on the same ACS 5.2 and WLC?

    In other words, one group has access to the domain network only, the other group only has access to the internet,
    and maybe a third group has access to both networks.

    Currently, if I add a new authorization policy, the user will have access to both networks...

    Thank you in advance.

    Yes, this is possible: the SSID is transported in the Called-Station-Id, which is an AV pair sent in the Access-Request packet. Given the Called-Station-Id format, you can combine this with AD1:ExternalGroups and assign the result Permit Access or Deny Access depending on your implementation; you can build your authorization policy on a compound condition of "Called-Station-Id ends with <ssid>". Also, the SSID is case-sensitive when ACS makes its decision, so keep that in mind.

    If you look at the ACS authentication report, you can see the SSID I am referring to in the Called-Station-Id field of the log.

    Hope that helps

    Tarik Admani
    * Please rate helpful posts *

  • ACS - configure shell command authorization to work in configuration mode (conf t)

    Hello world

    I'm trying to set up a shell command authorization set in which commands (including conf t mode) are allowed, with the exception of administrative commands such as write, copy, admin, format etc.

    It worked for (most) commands in privileged mode (such as write and copy), but not for conf t mode commands. It is important to prevent users from performing the 'write' and 'copy run start' commands, for example.

    Here is the entry in the shell command authorization set (Partial_access):

    Unmatched commands: permit

    Command list:

    admin
    copy
    delete
    do
    format
    write

    (Relevant) group settings:

    [V] Shell (exec)

    [V] Privilege level 15

    Shell command authorization set

    Assign a Shell Command Authorization Set for any network device - Partial_access (group name)

    I use CiscoSecure ACS version 4.2(0)

    Thank you

    Lior

    Hi Lior,

    Please make sure you have configured the following command on the AAA client:

    aaa authorization config-commands

    Thanks for posting your AAA client configuration via "sh run | i aaa" and, if possible, your privilege configuration.

    HTH

  • ACS 5.6: Problem with deleting a file via cli

    Hello world

    I am trying to automate the removal of network devices from ACS 5.6.

    I have a delete.csv file with the list of devices I want to delete:

    name:String(64):Required
    Test0
    Test1

    When I connect to the ACS CLI and run the import command with that file I get this result:

    .../acsadmin(config-acs)# import-data add device tftp delete.csv delete_res.txt abort-on-error none
    Cannot start import.
    Header is incorrect. Download Import Template for required header record.

    But when I run the import from the web management interface, everything goes well:

    -------- Summary --------
    Total Number of Records Processed 2
    Number of Records Failed 0
    Number of Records processed successfully 2

    So please, can someone who knows tell me what I did wrong? Thank you

    To remove devices, try the following command:

    import-data delete device tftp delete.csv delete-res.txt abort-on-error no

    In addition, make sure that the file is plain text only. If you're still having problems, enable the following debugging:

    mgmt-log debug level debugging

    Then repeat the process, download a support bundle and look at the logs for clues.

  • ACS 5.7 - compatibility with the latest Internet browsers

    The most recent version of ACS is 5.7.0.15.1, published on 14/08/2015. However, it does not support the latest browsers except Internet Explorer 11. My organization requires the latest versions of Firefox and Chrome. However, Cisco does not list any version of Chrome, or any Firefox version newer than 37.x, as compatible. I was informed by several Cisco support technicians that using an unsupported browser can cause database corruption if the browser is used to make changes via the ACS web interface.

    Because Cisco support will blame unexplainable issues on the use of an unsupported browser, I'm forced to use a portable copy of Firefox running version 37.0.2 if I want support without my browser version being blamed. Using an unsupported browser could have security implications because it doesn't have the latest security patches.

    I would like to see Cisco officially support the latest versions of Chrome and Firefox. Together, these browsers are more widely used than Internet Explorer and display the ACS web interface better than Internet Explorer does.

    Browser support for the Mac is even murkier: Cisco officially supports Firefox 28.x, 29.x or 24.4 ESR. On a Mac, it would be useful to support the latest versions of Safari and Chrome along with the latest version of Firefox.

    Hi David,

    I suggest raising the issue with your account team so that it can be brought to the developers' attention. If there are similar requests from other customers, there might be a version supporting the latest browser versions, including Chrome and Safari.

    Kind regards

    Kanwal

    Note: Please rate if helpful.

  • ACS 4.1 compatible with WLC 6.0.196.0

    Hello

    I have to upgrade our WLC4404s from version 4.2.207.0 to 6.0.196.0 so that our new 1142N APs are supported. Can someone please tell me whether I am required to upgrade from Cisco Secure ACS version 4.1 to 4.2 (Windows) to stay compatible?

    The WLC 6.0.196.0 release notes state "this product has been tested with CiscoSecure ACS 4.2 and later and works with any RFC-compliant RADIUS server."

    Thank you

    Brodie

    An upgrade is not required for the current features to continue working. You only need to upgrade to 4.2 for its improvements. 4.1 conforms to the RFC.

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hello

    We have the following situation:

    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A

    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B.

    First of all, is there a problem having an ACS SE and an ACS working together for one domain, or not? When we only had the one domain and the two ACS SEs were responsible for domain A, it worked.

    Now, after the changes, machine authentication with EAP-TLS no longer works. In the logs it always says "external user DB is unknown" for a (machine) username such as host/abc.domain.ch

    This is the normal output of the Remote Agent; it finds the host but then nothing happens:

    CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 Client connecting from x.x.x.x:2443
    CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
    CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 16:32:14 0646 3512 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
    CSWinAgent 2009-11-30 16:32:14 0584 3512 0x0 RPC: NT_DSAuthoriseUser response sent

    So I did a test from the ASA to see if the host is the problem (until the changes were made it was not a problem):

    test aaa-server authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA converts the host/ entry into the correct Windows form with the $):

    CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 Client connecting from x.x.x.x:1509
    CSWinAgent 2009-11-30 15:39:23 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 0646 3728 0x0 NTLIB: none of the trusted domains found
    CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser response sent

    It is clear that the test failed because of the wrong computer password, but it is a different output than before. I saw that in ACS 4.1 you can change the send_break_action prefix to nothing, but in 4.2 this is no longer possible.

    Could this be the problem, or does someone see another problem?

    Best regards

    Dominic

    Hello

    I encounter the same problem with my ACS. All of the failed attempts are for the default group. For the default group the configuration is not available. Is this the reason behind all this?

  • ACS 4.1 supported with Windows Server 2012 domain controller

    I upgraded my domain controller / Active Directory from Windows Server 2003 to Windows Server 2012.

    In my environment I use Cisco ACS 4.1, which is integrated with Windows Server 2003 Active Directory.

    Will ACS 4.1 work perfectly with my new domain controller (Windows Server 2012), or do I need to upgrade my ACS too?

    Kind regards

    Junaid

    ACS 4.1 does not support Server 2012; you should upgrade.

  • ACS 5.2 synchronization with Windows 2008 AD but cannot see groups

    Hi friends,

    Recently I worked with ACS 5.2 (installed on VMware). At first I was using a Win Server 2003 Enterprise edition AD, and I had no problem with the AD and the CA authority. Because some of my customers use Win Server 2008, I changed the AD platform to Win Server 2008 Enterprise edition (x64).

    I don't really have great experience with Win Server platforms, and from what I've seen, deploying the services on Win Server 2003 is easier than on Win Server 2008.

    So, when I used the Win 2003 server, I could not only synchronize the ACS with AD but also use some groups created on the AD to perform network access authentication. When I try to do the same with the Win Server 2008 AD, the ACS and the server are synchronized, but when I want to add groups for authentication purposes there is nothing, absolutely nothing... so I can't do any test.

    Also, I searched for information on the compatibility between ACS 5.2 and Win Server 2008 platforms, and in the end the platforms are compatible.

    Any idea?

    Thanks in advance.

    Jose M Cortes

    Hi Jose,

    Thank you for letting me know, glad your problem is solved now.

    Feel free to ping back in case you need assistance with ACS in the future.

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Cannot use ACS 5.4 for TLS authentication with a certificate not in the chain

    Hi all

    I have installed ACS 5.4 and several wireless environments.

    EAP-TLS is used to authenticate users of our domain (with self-signed certificates)

    Then we use PEAP and need a real external cert... (signed by Terena)

    The problem is that I can only use a single certificate for EAP authentication on ACS, and I need them both to work.

    I see only 2 options:

    1. configure the TLS network to authenticate without going through the ACS cert in the chain (use the real one)

    2. set up somehow to use two certificates, one for each service.

    Please help, I'm desperate.

    Thank you!

    Naor

    You can't have several server/identity certificates on ACS for the EAP flavours. As a best practice, get the third-party certificate and check the box to associate the certificate with the EAP protocols that use SSL/TLS tunneling: EAP-TLS, PEAP and EAP-FAST.

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • ACS 5.2 PEAP with the authentication of the computer

    Can someone point me in the direction of a good guide for configuring PEAP with Machine authentication to connect to the domain?

    This is a clean install on a new installation of 5.2.

    We move from 4.X to 5.2 and I want to make sure I don't miss anything.

    Thanks in advance for any help.

    Infrastructure basics:

    • 440x & 5508
    • ACS 5.2 on VMware
    • AD is used as the external database for PEAP and Machine auth.

    This link might help. Let me know if that's what you're looking for. It is not the exact setup you use but should be a good guideline.

    http://wnbu-press.Cisco.com/files/2010/09/CUWN_PEAPv1.PDF

    Grace and peace,

    Robert Roulhac Jr E
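As an added example (not code from the threads above, from Cisco or from ACS itself), here is a Python model of the shell command authorization set and of the AAA-client behaviour discussed in the "ACS - configure shell command authorization to work in configuration mode (conf t)" question in the list above. The class, the attribute list the device is modelled as sending (service=shell, cmd=, cmd-arg=, cmd-arg=<cr>) and the `config_commands_authorized` flag are constructed for illustration; the Partial_access set is the one the poster listed.

```python
import re

# Constructed model of an ACS 4.2 "Shell Command Authorization Set" (example code, not ACS).
# `commands` maps a command name to its argument rules, e.g.
#   {"copy": {"args": [("deny", r"^run\S* start")], "permit_unmatched_args": True}}
# An empty rule, as in the poster's Partial_access set, denies every use of that command.
class ShellCommandAuthorizationSet:
    def __init__(self, unmatched_commands_permit, commands):
        self.unmatched_commands_permit = unmatched_commands_permit
        self.commands = {name.lower(): rule for name, rule in commands.items()}

    def authorize(self, cmd, cmd_args):
        """Decide one command; True means permit, False means deny."""
        rule = self.commands.get(cmd.lower())
        if rule is None:
            return self.unmatched_commands_permit      # "Unmatched commands: permit/deny"
        arg_line = " ".join(cmd_args)
        for action, pattern in rule.get("args", []):   # first matching argument rule wins
            if re.search(pattern, arg_line):
                return action == "permit"
        return rule.get("permit_unmatched_args", False)

    def authorize_request(self, args):
        """Decide from the TACACS+ attribute list as the device sends it."""
        attrs = [a.split("=", 1) for a in args if "=" in a]
        cmd = next(v for k, v in attrs if k == "cmd")
        cmd_args = [v for k, v in attrs if k == "cmd-arg" and v != "<cr>"]
        return self.authorize(cmd, cmd_args)


def tacacs_command_args(line):
    """Attribute list an IOS device sends for command authorization (assumed layout):
    service=shell, cmd=<first word>, one cmd-arg per further word, then cmd-arg=<cr>."""
    words = line.split()
    return (["service=shell", f"cmd={words[0]}"]
            + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"])


def nas_authorize(line, mode, command_set, config_commands_authorized=True):
    """Model of the AAA client side: exec-mode commands are always sent to the server;
    configuration-mode commands are sent only while `aaa authorization config-commands`
    is in effect (the setting the reply asks for). Otherwise they are permitted locally
    and the server never sees them, which is the gap the poster observed."""
    if mode == "config" and not config_commands_authorized:
        return True
    return command_set.authorize_request(tacacs_command_args(line))


# The poster's Partial_access set: unmatched commands permitted, listed commands denied.
PARTIAL_ACCESS = ShellCommandAuthorizationSet(
    unmatched_commands_permit=True,
    commands={c: {} for c in ("admin", "copy", "delete", "do", "format", "write")},
)

if __name__ == "__main__":
    for line, mode in [("show running-config", "exec"),
                       ("copy running-config startup-config", "exec"),
                       ("do write memory", "config")]:
        print(f"{mode:6} {line!r}: without config-commands ->",
              nas_authorize(line, mode, PARTIAL_ACCESS, config_commands_authorized=False),
              "| with ->", nas_authorize(line, mode, PARTIAL_ACCESS))
```

Listing `do` in the set matters because, once configuration-mode commands are authorized, `do write` and `do copy run start` arrive at the server with cmd=do, so a deny on `do` is what closes that path; the exec-mode `write` entry alone would not catch it.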
