ACS 5.4 policy access

Hi gentlemen,

I tried to solve this for a long time, but I am out of ideas now. Here's the deal. I have a Cisco ACS 5.4 VM used for RADIUS network authentication with a Cisco WLC 7.0. I did the initial installation and all the rules, and everything worked perfectly until now. Now I am trying to add more access rules (identity/authorization); it looks OK in the graphical user interface and the configuration is saved even if I restart the device, but when I check the monitoring report, the new rules do not match. I will attach a screenshot for this.

In the identity policy there is a matching rule: users whose RADIUS-IETF User-Name attribute starts with "g_" (without the quotes) are identified against the local database, and "JV1\" users are identified using Active Directory (that is the old rule that worked); the default is deny access.

In authorization, users whose user name begins with "g_" get service policy X, and the 'JV1\' users get service policy Y.

New users added to the local database (beginning with "g_") are matched in the identity store, but in authorization they hit the default rule, which is deny access. The only condition of the authorization rule is membership in the identity group 'wireless users'.

I had this problem with ACS 5.2 in the past and I used to remove the rule and create it back again, but that doesn't seem to work for version 5.4.

Thanks & best regards,

Habib

I have encountered this problem as well on my ACS 5.4 and never found a bug that matched. I ended up installing the latest patch and have not had problems since.

Thank you

Tags: Cisco Security

Similar Questions

  • ACS 5.6 maximum sessions per user

    Hi all,

    I have a client that has installed ACS 5.6 joined to his AD. He wants to limit the maximum number of sessions per user, but these users are authenticated by AD. How can I limit the maximum sessions?

    I tried to do it in the ACS configuration, Access Policies > Max User Session Policy > Max Session User Settings, but this policy does not match. Where do I apply this policy, in the authorization policy? How can I do this?

    If you can leave me a link where it is explained, thank you very much.

    Kind regards.

    David.

    Hi David. In my opinion those settings apply to internal ACS groups. So in order to take advantage of them you need to map your AD groups to an internal ACS group and then apply the 'Max User Session Policy' to those. Here is a link with more information:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-3/user/guide/acsuserguide/access_policies.html#pgfId-1162308

    I hope this helps!

    Thank you for rating useful messages!

  • ACS 5.1 upgrade

    Is an upgrade of a CSACSE-1113-K9 appliance running 4.2.0.124 to 5.1 supported?

    I don't think that's going to happen unless a new hardware upgrade kit is created; look at this for a comparison of system memory:

    ACS 4.2:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5712/ps2086/data_sheet_c78-453387_ps5338_Products_Data_Sheet.html

    ACS 5.1:

    http://Cisco.com/en/us/prod/collateral/netmgtsw/ps5698/ps6767/ps9911/ps9915/data_sheet_c78-504202.html

    Also a new DVD would need to be developed, as ACS appliance versions are hardware specific. I suppose it is not impossible to use the same DVD, but I have not heard of any such plans.

    Now, keep in mind that the ACS 4.x to 5.x upgrade is considered a complete migration... a lot of differences in the way you manage your clients, users, policies...

    HTH.

  • ACS 4.2 install question - need help

    Hello

    Once ACS 4.2 is installed, the ACS HTML interface stays blank when accessed locally using the desktop icon or by typing http://127.0.0.1:2002, so I'm not able to configure the username and password.

    When I accessed ACS from another host via http://10.1.115.222:2002 (10.1.115.222 is the ACS server address), the "username" and "password" prompt appeared. But I was not able to log in, as I don't have a username and password configured.

    When I tried to access it locally via http://10.1.115.222:2002, IE still stays blank.

    Note: OS: Server 2003 in VMware ESX, IE 8.0, Java.

    Thanks in advance!

    Please go to ACS --> Admin --> Session Policy and uncheck --> Allow automatic local login

    Now try to connect.

    Kind regards

    ~ JG

    Please rate useful messages

  • SSID authentication on ACS 5

    Hello all

    I noticed that with a base ACS 5 configuration I can't differentiate between PEAP clients I want to authenticate against AD and PEAP clients I want to authenticate against a database created locally on ACS. All clients, no matter what SSID they connect on, are checked against AD, and if that does not match, the client is prompted for a username and password to be authenticated against the local identity store.

    Can someone point me to some documentation which describes how I can separate the two, so that clients on one SSID are checked against AD and clients on another are checked against the local identity store?

    Thank you very much

    Simon

    Simon,

    One of the attributes that the WLC sends in a RADIUS authentication request is the Called-Station-ID field. This field contains the BSSID and the ESSID (name of the WLAN) the client is attempting to access, which means you can do a comparison on this field as a condition of your access policy. The format is xx-xx-xx-xx-xx-xx:wlanName. We don't really care about the BSSID, but the WLAN name at the end of this string is very useful.

    Here's how you can use this attribute value to influence access policy decisions:

    1. Create a custom session condition (under Policy Elements) of type RADIUS IETF using Called-Station-ID (not Calling-Station-ID).

    2. Customize your access policy template so that your new custom session condition is available in your access policies.

    3. Change your access policy: a) check the custom session condition to enable it, b) choose the operator "ends with" and c) type the name of your WLAN (not case sensitive).

    Justin

  • ACS 5.2 NAC Guest Server sponsor RADIUS authentication

    For some reason, I can't get the "sponsors" portal to authenticate against the NAC Guest Server (2.0.2) using ACS 5.2 via RADIUS.

    I managed to find a way to get NAC Guest Server RADIUS authentication for 'Administrator' to work by adding the custom RADIUS IETF-6 value under...

    • Policy Elements
    • Authorization & Permissions
    • Network Access
    • Authorization Profiles

    I added a policy and, in the RADIUS Attributes tab, I manually entered an attribute that looks like the following:

    • Dictionary type: = RADIUS IETF
    • RADIUS attribute: = Service-Type
    • Attribute type: = Enumeration
    • Attribute value: = Static
    • Value = "Administrative".

    Then I created an access policy... I looked for a specific AD group - result = 'name of the custom policy above'...

    All this works fine... the NAC Guest Server docs say the RADIUS server must return a value of IETF-6...

    When it comes to the sponsor section, it does not tell you what value your RADIUS server must return... so just for a smile, instead of 'name of the custom policy above', I tried "Permit Access"... I tried the 'name of the custom policy above'... Don't know what else to try to get this working... Anyone have any ideas?

    This is similar to the document I'm following:

    http://www.Cisco.com/en/us/docs/security/NAC/guestserver/configuration_guide/20/nacguestsrvr.PDF

    Page 68 refers to the "Sponsor Authentication Configuration" for RADIUS... it just tells you to change the authentication order & add the RADIUS server...

    Use NAS Prompt (7) instead of Administrative (6) for sponsor users.

    -Jesse

  • ACS password policy

    My company wishes to replace the existing LDAP servers with Cisco ACS. A requirement of our VPN security policy is that the user must change his VPN account password before their first login. If the user tries to connect to the VPN without changing their password, then they are denied access.

    Is there a rule in ACS which can achieve this?

    Hello Michael,

    Yes, there is a way to change the password; you will need to set 'password-management' under the tunnel group you have created for this connection, with the AAA server that will authenticate users. Please consider the following information:

    ACS can be configured to check users against an AD database. Password change and expiry is supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used.

    On an ASA, you can use the password management feature, as described in the next section, in order to force the ASA to use MSCHAPv2. ACS uses Common Internet File System (CIFS) Distributed Computing Environment/Remote Procedure Call (DCE/RPC) calls when it contacts the domain controller (DC) directory in order to change the password.

    The ASA may use both the RADIUS and TACACS+ protocols to contact ACS for an AD password change; the commands:

    ASA(config)# tunnel-group general-attributes
    ASA(config-tunnel-general)# password-management

    For more information about PAP and MSCHAP with RADIUS, see:

    http://www.Cisco.com/c/en/us/support/docs/network-management/remote-ACCE...

    Please rate this post and the previous one and mark it as correct; keep me posted if anything happens!

    Kind regards

    David Castro,

  • 802.1X with ACS and Windows AD

    Hello

    I'm trying to configure 802.1X with ACS 5.2 but I am going wrong, as it's very different from ACS 4.2.

    I joined ACS to the domain and think that I set up the external identity store; however, when I try to authenticate a PC using PEAP (EAP-MSCHAPv2) authentication, I get failure reason 22056, subject not found in the applicable identity store.

    Marco

    Hi Marco,

    I guess you missed a mapping configuration in the access policy section.

    Create an Access Service named AS-802.1X, select User Selected Service Type, and select Network Access. Select Identity and Authorization as the policy structure. Select PEAP as the allowed protocol. Click Finish.

    You will see the new service; click on Identity.

    Select the identity source you have created, then save.

    Click Authorization.

    Select Permit Access for the default authorization rule and save.

    Create a Service Selection rule named 802.1X.

    Select the RADIUS protocol as a condition and, as a compound condition, select RADIUS-IETF:Service-Type match, then select the service that you created before.

    Then you can try again.

    Regards

    Alex

  • ACS 5.2 Access Services

    Can someone explain the differences between

    Default Device Admin

    and

    Default Network Access

    ACS 5.2 uses a policy model for processing requests. When requests are received, they are first processed by the rules defined in the Service Selection rules. They are evaluated on a first-match basis to decide which access service to use. Each access service contains within it an identity policy, group mapping (optional, for more advanced use cases) and an authorization policy. The identity policy is similarly a first-match policy, used to determine the identity store (such as the internal users store or Active Directory) to use to authenticate the user. [Note: the identity policy can be set to "single selection", in which case one identity store is used for all requests.] The authorization policy is used to determine the authorization results that must be returned to the user. In the case of a RADIUS request this returns a set of authorization profiles, which is a set of RADIUS attributes and their values. In the case of TACACS+ requests this may return a shell profile (a set of attributes) and/or the command sets that determine command authorization.

    At installation, default Service Selection rules are configured so that all RADIUS requests are handled by the Default Network Access service and all TACACS+ requests by Default Device Admin. In both, the identity and authorization policies are defined to authenticate against the internal database and permit access with no additional attributes returned. So at installation, all it takes to get requests processed is to define a matching user and network device, and processing should complete.

    These default definitions allow you to get started quickly and then change the settings to adapt the policies to the needs of the organization.

  • ACS 5.2 Cisco-AV-pair problem

    Hi all

    I have a problem with the cisco-av-pair string on Cisco ACS and an SSID.

    We have several SSIDs and several AD groups here. There was no problem with the old Cisco ACS 4.2. There I set up the string: cisco-av-pair ssid=myssid. Clients only have rights to this SSID. It works without problem.

    On the new ACS 5.2 I have a problem configuring this.

    My setup is a new identity policy.

    Compound condition:

    RADIUS-Cisco --> cisco-av-pair --> equals --> myssid

    But this string doesn't work.

    Do you have any ideas on this problem?

    My system:

    Cisco ACS 5.2 with all new patches

    New version of Cisco WLC

    Thank you

    Regards

    Andreas

    You could try a condition:

    Called-Station-ID ends with ":0FFEN".

  • IPsec VPN on Cisco ASA and ACS 5.1

    We have configured IPsec VPN authentication on a Cisco ASA with ACS 5.1:

    Here is the config on the Cisco ASA 5580:

    access-list acltest standard permit 10.10.30.0 255.255.255.0
    aaa-server Gserver protocol radius
    aaa-server Gserver (inside) host 10.1.8.10
     key cisco
    aaa-server Gserver (inside) host 10.1.8.11
     key cisco
    group-policy gpTest internal
    group-policy gpTest attributes
     vpn-tunnel-protocol ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value acltest
    tunnel-group test type remote-access
    tunnel-group test general-attributes
     address-pool pool
     default-group-policy gpTest
     authentication-server-group Gserver LOCAL
     authorization-server-group Gserver
     accounting-server-group Gserver
    tunnel-group test ipsec-attributes
     pre-shared-key cisco123

    On ACS we configured a user group, 'VPN users'; all VPN users are in this group. The ACS authorization policy is: if the user is in the 'VPN users' group, Permit Access.

    When we connect from a VPN client to the server, all users connect successfully. But when we look at the ACS log viewer, each successful user connection also gets the

    error:

    22040 Wrong password or invalid shared secret

    (please see the attached picture)

    The system still works, but I don't know why we get the error log.

    Thanks for any help you can provide!

    Duyen

    Hello Duyen,

    I think I've narrowed down the issue. When using RADIUS authentication for remote access VPN, we must keep in mind that authentication and authorization are included in the same packet.

    Based on your configuration, ACS is defined as a RADIUS server (aaa-server Gserver protocol radius) and the VPN tunnel gets authenticated and 'authorized' against this server group:

    authentication-server-group Gserver LOCAL
    authorization-server-group Gserver

    As noted above, the RADIUS request/response includes authentication and authorization in the same packet. This seems to be a misconfiguration issue, in that we should not set up 'authorization' in the tunnel group.

    Please remove the authorization under the tunnel group:

    no authorization-server-group Gserver

    Please test the connection again and check the ACS logs. At this point there should only be successful logs reported on the ACS side.

    'authorization-server-group' is for LDAP authorization when authenticating to an LDAP server, so as to retrieve the authorization attributes from the server. RADIUS doesn't need the command, as explained above.

    I hope this helps.

    Kind regards.

  • ACS v5.3 identity selection for authentication

    I previously configured ACS v4.2 to authenticate network devices using internal users first and, if the user is not found, the AD user list. But with v5.3 I have some problems doing so. The identity policy I use is the rule-based result selection option; I configured 2 policies for the identity source, one for internal users and another for AD users, but it only works with the first policy, internal users or AD: only the first identity policy works.

    Any idea how to do this, so that if the user is not found by the first policy, it continues to the next policy?

    Thank you

    Juan Carlos

    Juan Carlos,

    Under the identity store sequence settings, can you uncheck "If internal user/host not found or disabled then exit sequence and treat as 'User Not Found'"?

    Please try again with the AD user and share the results. Please also share a screenshot of the identity settings for the Device Administration access service.

    If the problem persists, share details of the ACS Monitoring and Reports error message as well.

    If this has been helpful, do not forget to rate.

    Kind regards.

  • ACS 4.0 and IBM TSCM

    Hello

    I'm trying to load the NAC attributes for IBM Corporation (TSCM) from the FTP (the NAC attribute definitions), but these do not appear in the system under

    Configuration -> Configuration -> CSV Failed Attempts Configuration or CSV Passed Authentications Configuration file.

    My server is an ACS 4.0 appliance. On ACS 3.3 my NAC attributes work well.

    [attr#0]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00020
    attribute-name=Policy Version
    attribute-profile=out
    attribute-type=string

    [attr#1]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00021
    attribute-name=Violation Count
    attribute-profile=out
    attribute-type=unsigned integer

    [attr#2]
    vendor-id=2
    vendor-name=IBM Corporation
    application-id=50
    application-name=SCM
    attribute-id=00010
    attribute-name=Action
    attribute-profile=out
    attribute-type=string

    I loaded the attribute list for Symantec on ACS 4.0 and it is OK, but for Tivoli Security Compliance Manager it doesn't work.

    Please help me if you have a solution!

    Thank you!

    Hello

    Well yes, you can't have a space in the vendor name. In my case, after loading the file I did not have the attribute on the ACS appliance, but could see it in logging. After a reboot of ACS it's OK.

    Also, can you share your experience deploying NAC with IBM TSCM? What version of the TSCM client should we use? I can't get version 5.1.0, but it looks like only version 5.1.2 and above can be patched with the latest update.

    Thank you

  • Doubt on remote-access VPN user AAA using ACS 5.3

    Hello

    I'm setting up VPN on an ASA 8.4 with 2 groups - VPNGp1 and VPNGp2. VPNGp1 users will access 1.2.3.0/24 and VPNGp2 users will have access to 5.6.7.0/24. User authentication will be done using RADIUS on ACS 5.3.

    On the ASA, I configured the VPN groups' IP pools, VPN ACLs, tunnel groups and a group policy for each group.

    On ACS, I created vpn-user1 and vpn-user2 for each of the 2 groups.

    I don't know if more configuration must be done on the ASA and ACS... Do I need to add the new users - vpn-user1 and vpn-user2 - on the ASA, under each corresponding group policy, using the vpn-group-policy command? Or do I need to do something else on ACS?

    Finally, how can I configure authorization and accounting for VPN users? Do I have to do this on ACS or on the ASA?

    Please advise.

    Thank you.

    Hello

    Authentication using RADIUS aims to centralize user accounts and policies so that you will not have to configure these on the ASA. You must create an authentication server group that points to your ACS, then you will have to reference this server group in your tunnel-group so that user authentication requests are forwarded to ACS for authentication. For accounting you will create an accounting server group and also assign it to your tunnel group configuration.

    On ACS, you will need to create a network device client that is the ASA, and the shared secret must be the same. You create a network authorization policy element that has the authorization settings, or you can choose Permit Access, which allows authentication to succeed without any special authorization.

    You can debug the session using 'debug crypto vpnclient 255' to view the authentication flow.

    Are you using SSL VPN (AnyConnect) for these sessions?

    Thank you

    Tarik Admani

  • ACS rules based on wireless SSID?

    As part of our BYOD policy, mobile phones are supposed to use only certificates for authentication, but they use MSCHAP and cached credentials to authenticate without a certificate. I think I can fix this in ACS by creating a rule that ALLOWS access if the user is using the X.509 cert and a rule that DENIES mobile access if MSCHAP is used.

    I think it depends on ACS being able to see users for a particular SSID, however. This is because we do not have another secure SSID, and if I implement the above rules it would affect all wireless users looking to auth.

    Does anyone know how to create ACS 5.2 policies for authentication on different SSIDs?

    Josh,

    You can add a compound condition using the RADIUS called-station-id attribute: use the operator "ends with" and then type in the SSID (case-sensitive), and combine that with the X.509 authentication method.

    Thank you

    Tarik Admani
    * Please rate useful messages *
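The Called-Station-ID condition described in Justin's steps ("SSID authentication on ACS 5") and in Tarik's reply ("ACS rules based on wireless SSID?") above, modelled as an added Python example (not code from the thread or from Cisco): it parses the WLC's "bssid:wlanName" value and walks a first-match rule table the way an ACS identity policy does. The rule names, identity store names and sample requests are constructed for illustration.

```python
import re

# Called-Station-ID as sent by a WLC: hyphenated BSSID, ':', WLAN (SSID) name
CALLED_STATION_ID_RE = re.compile(
    r"^(?P<bssid>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}):(?P<wlan>.+)$")


def parse_called_station_id(value):
    """Split 'xx-xx-xx-xx-xx-xx:wlanName' into (bssid, wlan_name).

    Returns (None, None) when the value is not in the WLC format, so a
    request from a non-WLC NAS cannot accidentally satisfy an SSID rule."""
    m = CALLED_STATION_ID_RE.match(value or "")
    if not m:
        return None, None
    return m.group("bssid").lower(), m.group("wlan")


def ends_with(attr_value, suffix, case_sensitive=False):
    """ACS-style 'ends with' operator. The two replies disagree on case
    sensitivity, so it is a parameter here; the default is case-insensitive."""
    if case_sensitive:
        return attr_value.endswith(suffix)
    return attr_value.lower().endswith(suffix.lower())


def csid_ends_with(attrs, suffix, case_sensitive=False):
    """Condition over a RADIUS attribute dict keyed by IETF attribute name."""
    return ends_with(attrs.get("Called-Station-ID", ""), suffix, case_sensitive)


def build_rules(corp_ssid, guest_ssid):
    """Identity-policy rule table: first match wins, last row is the default.

    The suffix keeps the ':' separator on purpose: 'ends with CORP' would also
    match a WLAN called MYCORP, while 'ends with :CORP' matches CORP only."""
    return [
        ("Corp-SSID-to-AD",
         lambda a: csid_ends_with(a, ":" + corp_ssid), "AD1"),
        ("Guest-SSID-to-Internal",
         lambda a: csid_ends_with(a, ":" + guest_ssid), "Internal Users"),
        ("Default", lambda a: True, "Deny Access"),
    ]


def select_identity_store(attrs, rules):
    """Walk the rules top-down; return (rule name, identity store) of the
    first rule whose condition holds, like ACS's first-match evaluation."""
    for name, condition, result in rules:
        if condition(attrs):
            return name, result
    raise RuntimeError("rule table has no default rule")


if __name__ == "__main__":
    rules = build_rules("CORP", "GUEST")
    # Constructed sample requests, not captured traffic.
    samples = [
        {"User-Name": "alice", "Called-Station-ID": "00-11-22-33-44-55:CORP"},
        {"User-Name": "g_bob", "Called-Station-ID": "00-11-22-33-44-55:guest"},
        {"User-Name": "eve", "Called-Station-ID": "00-11-22-33-44-55:MYCORP"},
        {"User-Name": "switch-admin"},  # no Called-Station-ID at all
    ]
    for req in samples:
        print(req["User-Name"], "->", select_identity_store(req, rules))
```

The last two samples land on the default rule, which is the behaviour to confirm in the ACS monitoring report before trusting an SSID-based rule.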
