ACS Authentication 16:01

We have an existing Cisco ACS 4.1 HA deployment doing wireless 802.1X user authentication against AD. We are looking to decommission a number of old DCs in the near future. Before retiring the DCs, I want to ensure no authentication requests are being sent to them. From the ACS interface, I can't determine which DC IP addresses / host names ACS points to. Under External User Databases -> Database Configuration -> Windows Database, I see no mention of the server IP address / host name. I went through the configuration guide but haven't seen any place where you enter that information either. Is it possible that the DC IP addresses are stored in a configuration file on the server itself? Are there any suggestions short of running a Wireshark capture to/from each of the domain controllers to see whether authentication requests come from the ACS servers? Any advice or suggestions would be appreciated.

From the ACS perspective, this is because choosing the domain controller is not under the control of ACS. ACS sends the user credentials to the Windows database by passing them to the Windows operating system of the computer running ACS for Windows, or of the Remote Agent of the Solution Engine. The Windows database then returns the success or failure of the authentication request to ACS.

You can refer to the link listed below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_ser....
2/user/guide/UsrDb.html#wp353547

If you run ACS on Windows you have the freedom to use the Windows LMHOSTS file.

The end goal is to ensure communication with specific domain controllers: on the member server running ACS, configure an LMHOSTS file to include entries for each domain controller that must authenticate for ACS. The format of an LMHOSTS file is very particular. Make sure you understand the configuration requirements of the LMHOSTS file. For more information, see:

- Microsoft.com: LMHOSTS file
- A sample LMHOSTS file is provided with the Windows operating system.
  The default location and name of the sample file is
  <SystemRoot>\system32\drivers\etc\lmhosts

For more information, please see the doc listed below:
http://www.Scribd.com/doc/50262863/345/using-the-Lmhosts-file

NOTE: In order to check which domain and DC ACS is trying to connect to, check auth.log with the logging level set to full.

I hope this helps.

Kind regards

Jatin kone

* Please rate helpful posts *
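An added illustration of the LMHOSTS syntax mentioned above (not from the thread or from Cisco); the addresses, names and domain are constructed placeholders:

```text
# %SystemRoot%\System32\drivers\etc\lmhosts  -- no file extension; the shipped
# sample is lmhosts.sam and must be copied/renamed before it is read.
# One entry per line: <IP address> <NetBIOS name> [keywords]
#   #PRE          preload the entry into the NetBIOS name cache
#   #DOM:<domain> mark the host as a domain controller for <domain>
# Keywords are case-sensitive; a line starting with # is otherwise a comment.
10.0.0.11    DC01    #PRE #DOM:EXAMPLE
10.0.0.12    DC02    #PRE #DOM:EXAMPLE
# After editing: "nbtstat -R" purges and reloads the cache from this file,
# "nbtstat -c" shows what was loaded, so you can confirm only the DCs you
# intend to keep are listed before the old ones are retired.
```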

Tags: Cisco Security

Similar Questions

  • Cisco Secure ACS 5.1 and strong authentication for ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication on this issue in the panel "System Administration > Administrators > Settings > Authentication".

    (I'm running Secure ACS Server 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • Cannot get any user authenticated - ACS SE 4.1

    Hi all

    I'm having a devil of a time getting a new 4.1 ACS SE configured in a new network. I have a 3560 that I'm trying first, but I can't authenticate. I have the user/group account set up, and the group matches my AAA statements, although I saw some errors about the group not having been configured. I even created two different groups and tried different names, but again, no luck. I'm just using the internal DB, nothing special. I read the administration guide, but it hasn't helped. When I turn on debugging, I don't see a lot of activity, only about the group being wrong, but I don't understand how that's possible. I'm short on time, so I would really appreciate the help. Thanks in advance!

    For EXEC authorization, the ACS/authorization server gives the user exec privileges, for example.

    Under Users/Group Settings look for the "Shell (exec)" checkbox and check it. This should let you in. If you also want a certain privilege level directly when you log in, then also check 'Privilege level' and type the value in the box, 0-15.

    I recommend referring to

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    if this is your first authorization configuration.

    Kind regards

    Prem

    Please rate if this helps!

  • ACS 5.4 & AD authentication

    I have AD authentication working, but something funny happens. Under the identity policy it is set to AD1, and I have our security group defined in the Active Directory directory groups, but anyone with an AD account is able to authenticate. Any ideas?

    What is your default policy (deny or permit)? If it is deny and other users still get access to the devices, then go to the TACACS+ Authentication report, click the magnifying glass and check which permit rule the request matches.

    Jatin kone
    - Please rate helpful posts -

  • ACS SE - Windows AD domains

    Can I use ACS network device groups to have one ACS device act as the authenticator for two Windows domains for 802.1X on a single switch?

    Hope the question makes sense, but to put a little more meat on the issue:

    I have a single ACS device that I'm trying to use for 802.1X authentication on a switch. The problem is that I want the VLAN assignment to be handled through the ACS server depending on the user's domain account, but we have two domains without a trust between them. The ACS remote agent cannot be installed on servers in different domains, and the two agents available are for resilience only, so that doesn't fit, unfortunately.

    That's why I ended up looking at multiple device groups.

    Does anyone have ideas as to whether this will work, or whether there is another way to make this work?

    Hello

    ACS cannot 'natively' authenticate against 2 different domains that do not have a defined relationship. If that is not possible, then you must build 2 ACS servers, one in each domain. Configure the 'primary' ACS to proxy queries to the 'secondary' server based on the supplied domain.

    This would require a second ACS server to be set up (you will probably pay an additional fee for the second ACS server). You would then need to configure a proxy distribution table. This would require the user to explicitly indicate the domain name with their user name.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Excluding Terminal Server lines from AAA authentication

    Hi all

    Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location modem - XXXXXX XXXXXX BT
     no banner motd
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a matter of disabling it on the line, or of using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another method list for authentication and amend your AAA configuration:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You could also configure a local username/password and map it to the method list here...

    Console and telnet would still use the configured default method list, or you can specify specific ones:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication login settings individually for each...

    Hope this helps... all the best

    REDA

  • 802.1X authentication issues

    I have configured dot1x port authentication on the switched network using a Cisco ACS SE, and on the computers (Windows XP/SP2) PEAP and EAP-MSCHAPv2. Everything works fine as long as the user has already cached his credentials on the PC, but if someone tries to log on to the PC as a new user, the authentication process fails; then I have to force-authorize the port for access to the network, and once I revert to automatic authentication and the user logs off and on again, the authentication process works again.

    What am I missing?

    Please help...

    What we see here is the known behaviour of dot1x authentication. To work around this problem, we need to configure machine authentication as well as user authentication. Here is the 802.1X process, which explains the behaviour we saw with the cached credentials.

    When machine authentication is enabled, authentication occurs in this order:

    When you start a computer,

    * Machine authentication - ACS authenticates the computer before user authentication. ACS checks the computer's credentials against the Windows user database. If you use Active Directory and the matching Active Directory computer account has the same credentials, the computer gets access to Windows domain services.

    * User domain authentication - if machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not get access to Windows domain services, and the user's credentials are authenticated using the cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of by the domain, the computer does not apply the domain policies, such as running the login scripts that the domain dictates.

    * You can also have only user authentication without machine authentication. It only causes the problem the first time a user who has not yet logged on once to AD logs on. So, with machine authentication, you have an AD network connection, and so the first-time user has no problem. In addition, without machine authentication, you need to make sure you have the user's credentials cached on the workstation. With machine authentication, AD and the machine generate their own username and password (which you don't know) = machinename, for dot1x authentication. So after startup the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL the user login will start.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Setting up a VPN group on ACS 5.5

    I'm trying to create a group in ACS 5.5 which allows users to connect. I created a network device group called ASA-VPN and put it in RADIUS and TACACS+. The ACS is linked to AD. I am lost on what to do next as far as ACS rules or attributes go. I have done this with ISE before, but not with ACS.

    Take a look at the following link as it describes a step-by-step process:

    https://supportforums.Cisco.com/document/139141/remote-access-VPN-authentication-ACS-5x-using-RADIUS-protocol

    Let us know if you still have any questions.

    Thank you for rating helpful posts!

  • ASA as a RADIUS client in ACS

    Hi all

    I added an ASA (version 8.0) as a RADIUS client to the ACS (version 4.2) server. When I do "test aaa-server authentication" on the ASA and run 'debug radius', I get this error message:

    test aaa-server authentication ACS host 10.1.2.25 username test password passwo$
    INFO: Attempting authentication test to IP address <10.1.2.25> (timeout: 12 seconds)
    radius mkreq: 0x6cb
    alloc_rip 0x29f79044
    new request 0x6cb --> 221 (0x29f79044)
    got user 'test'
    got password
    add_req 0x29f79044 session 0x6cb id 221
    RADIUS_REQUEST
    radius.c: rad_mkpkt

    RADIUS packet decode (authentication request)

    --------------------------------------
    Raw packet data (length = 62)...
    01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c  |  ...>.vw.M..PINo|
    05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65  |  .Z.h..test...(e
    a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b  |  .I..vF).>.?.....
    fb 02 05 06 00 00 00 28 3d 06 00 00 00 05        |  .......(=.....

    Parsed packet data...
    RADIUS: Code = 1 (0x01)
    RADIUS: Identifier = 221 (0xDD)
    RADIUS: Length = 62 (0x003E)
    RADIUS: Vector: 117677E44D021350494E6F7C055A8B68
    RADIUS: Type = 1 (0x01) User-Name
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (String) =
    74 65 73 74                                        |  test
    RADIUS: Type = 2 (0x02) User-Password
    RADIUS: Length = 18 (0x12)
    RADIUS: Value (String) =
    11 ca 28 65 a4 49 ee 8a 76 46 29 10 3e f9 3f 1f  |  ..(e.I..vF).>.?.
    RADIUS: Type = 4 (0x04) NAS-IP-Address
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (IP address) = 172.27.251.2 (0xAC1BFB02)
    RADIUS: Type = 5 (0x05) NAS-Port
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x28
    RADIUS: Type = 61 (0x3D) NAS-Port-Type
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x5
    send pkt 10.1.2.25/1645
    rip 0x29f79044 state 7 id 221
    rad_vrfy(): bad auth req
    rad_procpkt: radvrfy failed
    RADIUS_DELETE
    remove_req 0x29f79044 session 0x6cb id 221
    free_rip 0x29f79044
    RADIUS: send queue empty
    ERROR: Authentication Server not responding: AAA decode failure... server secret mismatch

    and I know the shared secret matches between the ASA and ACS. Any suggestions would be much appreciated.

    Thank you

    Alex

    Hi Alex,

    Is the ASA defined in any NDG on ACS?

    If so, please remove the shared secret from the NDG and run the test authentication once again.

    Let me know how it goes.

    Kind regards

    Anisha

    PS: Please mark this thread solved if you think that your query is answered.
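The debug above ends with rad_vrfy() rejecting the reply and the ASA reporting a server secret mismatch. This added Python example (not from the thread or from Cisco) reassembles the captured Access-Request from the decoded fields above and shows the RFC 2865 Response Authenticator check that passes with a matching shared secret and fails with a different one; the secrets and password used in demo() are constructed placeholders.

```python
"""RFC 2865 Access-Request construction and the NAS-side Response
Authenticator check that fails when the two shared secrets differ."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 2, 4, 5, 61

# The 62-byte Access-Request from the debug output above, reassembled from its
# decoded fields: header, Request Authenticator, then the five TLV attributes.
CAPTURED_REQUEST = bytes.fromhex(
    "01dd003e" "117677e44d021350494e6f7c055a8b68"
    "010674657374" "021211ca2865a449ee8a764629103ef93f1f"
    "0406ac1bfb02" "050600000028" "3d0600000005")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def attr(kind: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header; reject malformed lengths."""
    out, i = [], 20
    while i + 2 <= len(packet):
        kind, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((kind, packet[i + 2:i + length]))
        i += length
    if i != len(packet):
        raise ValueError("trailing bytes after last attribute")
    return out


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         authenticator=None) -> bytes:
    """Build a request like the ASA's; random authenticator unless supplied."""
    ra = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, ra))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_PORT_TYPE, struct.pack("!I", 5)))  # 5 = Virtual
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, request, attrs, secret) -> bytes:
    """What a server sends back; its own copy of the secret goes into the hash."""
    ident, ra = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, ra, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response, request, secret) -> bool:
    """The NAS-side check: recompute with our secret and compare in constant
    time. A well-formed reply built with a different secret fails here, so the
    NAS discards it and, after retries, reports the server as not responding."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def demo() -> tuple:
    """Same request answered by a server with the right secret and one with
    another secret (both constructed placeholders)."""
    nas_secret = b"nas-secret"
    req = build_access_request(221, nas_secret, b"test", b"passwo", "172.27.251.2", 40)
    good = build_response(ACCESS_ACCEPT, req, b"", nas_secret)
    bad = build_response(ACCESS_ACCEPT, req, b"", b"other-secret")
    return verify_response(good, req, nas_secret), verify_response(bad, req, nas_secret)
```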

  • ACS, WCS, PEAP, Machine Authentication

    We are building a new wireless network with a new ACS 5.2 appliance and new wireless LAN controllers with WCS. We want to create an encrypted/secure SSID that ONLY machines managed by us can use to access the LAN. We are looking for the best solution with a minimum of complexity. After several internal discussions, we are looking to use PEAP authentication (testing with a self-signed certificate), and then create an access policy on the ACS to validate that the machine is a member of Active Directory. Unfortunately I can't find a way to validate the machine's membership. I don't know if I'm missing something or if this is even possible. If anyone has any suggestions for making this happen, or a better way to handle this, I would appreciate the help.

    What you need is machine authentication. The machine first authenticates with its own credentials (AD computer account) and then the user authenticates too. This option is available in the Windows client.

    Then, you can also set the ACS to only allow a user to authenticate if the machine was authenticated before.

    You must enable machine authentication on the ACS server (Users and Identity Stores --> External Identity Stores --> Active Directory, check the box to enable machine authentication).

    Also - under Access Policies --> Access Services, Allowed Protocols tab, enable the option "Process Host Lookup".

    Create an access policy, enable PEAP-MSCHAPv2 / Process Host Lookup, and set the conditions using the identity group and Was Machine Authenticated, which looks like:

    (1) if Identity group is the computer group, then permit access

    (2) if Identity group is the user group and Was Machine Authenticated, then permit access

    (3) deny access by default

    More details in discussions like https://supportforums.cisco.com/thread/2014145

    I hope this helps.

    Nicolas

    ===

    Remember to rate responses that you find useful

  • Windows 7 slow login / delayed user authentication for wireless via ACS 5.8

    Just set up a new ACS 5.8 farm (only 2 servers) here, and I'm hoping someone can shed some light on the difficulties.

    The new ACS server is set up to correctly authenticate network device administration, and I am currently working on defining the profiles for our wireless user authentication and corporate laptops.

    Being new to this version of ACS (we will migrate manually from ACS 4), I followed an excellent example of this task described in a video on this site: http://www.labminutes.com/sec0044_ise_1_1_wireless_dot1x_machine_auth_peap

    I managed to get a Windows XP SP3 client to authenticate properly, first with machine authentication, then user authentication... and the domain logon process completes in a short time (< 1 min) and the user gets all their network drives via the domain login.

    However, I'm struggling to get our Windows 7 clients to authenticate properly. It seems that machine authentication does not work as expected (I can ping the test laptop from another machine on the network while the test machine is sitting at the login screen, and I see the host authentication recorded in the ACS RADIUS authentication logs). But when a domain user logs in with his credentials, the login process takes 4-5 minutes before a user authentication event is entered in the ACS RADIUS authentication log, after which the login process completes, except that the domain logon script does not run and the user does not receive the drive mappings.

    Can someone point me in the right direction here? I would be grateful for any input on this.

    Thanks in advance,

    John

    I had a similar problem with wireless 802.1X Win 7 clients unable to connect unless they had cached AD credentials. The machine would authenticate, but the user would take a long time if the Windows credentials had been cached.

    I was able to solve the problem by expanding the Airespace ACL used during user authentication to include all DCs in the environment.

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have the 4.2 trial version on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    Windows 2003 is part of the domain; and on the ACS, I go to External User Databases > Database Configuration > Windows Database > Configure.

    From there, I chose my domain name and selected "Enable EAP-TLS machine authentication". I've also mapped the domain to the group I created in ACS.

    I'm also using the default RADIUS ports 1812 and 1813 on the ACS.

    On my WLC 5508, I created a WLAN and set the RADIUS IP to the IP address of the ACS. However, when I tried to join the wireless network, it kept failing.

    I installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to my AD/NPS, my test laptop was able to join the wireless network through EAP-TLS.

    I'm a little confused about ACS TACACS+. Is TACACS+ only used for login to network devices for management, or can it be used for regular users for authentication and authorization?

    For example, a wireless user, who is part of the domain, needs to join the corporate wireless network in his office. Can I use TACACS+ for that, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes, it's true, and it applies to wired as well.

    On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuration of WLC and ACS for the RADIUS settings:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the link listed below to install the certificate on ACS 4.2:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Please rate helpful posts *

  • ACS authentication with PEAP / MSCHAPv2 - client rejecting server

    Hello

    Have a wireless network setup with Cisco 1131AG APs and a c6500 WiSM module (4404-WLC) for testing, authenticating with a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

    The laptops have the Cisco SSC client (together with the SSC Mgmt utility).

    A self-signed certificate was created on the ACS, and the root was exported and installed on the laptop.

    IF the CSSC 'Server validation' box is not selected, the authentication process works and I am able to connect to the network.

    IF the CSSC 'Server validation' box is checked, the authentication fails.

    The problem appears to be that the client refuses the server certificate:

    "Server certificate chain is not valid"

    On the ACS, in the 'failed' authentication logs, the following message is stated:

    "Authentication failed during SSL negotiation" (which obviously refers to the invalid certificate chain)

    Any ideas?

    When you create a self-signed certificate, is there a specific directory where the server certificate must be located? e.g. c:\cert\certificate.cer

    Also, must the certificate name match the host name of the ACS?

    i.e. "CN ="

    Any advice or pointers would be appreciated.

    Thank you

    The issue is that when you check the server validation box, you must make sure you have the certification authority in the trusted root certification authorities. For example, in Windows, there is a list of CA servers where you check server certificate validation, and you also check one of the root certification authorities on the list. If the root CA is not listed, then you must add it to the list and check it.

    You are right about the client rejecting the server cert... Authentication failed during SSL negotiation

    This doc will give you an overview:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

  • Cisco ACS 5.2 authentication and authorization processes

    I am designing a network and I have been asked a few questions that I don't know how to respond to, so I thought I'd put it in the forum to see if I can get help.

    First, thank you very much for reading this post, and thank you if you can add comments to help me out.

    Setup:

    Two ACS servers, one in each data center, with the switches in each DC using TACACS+ in hybrid mode and falling back to the other ACS in the failure scenario.

    ACS - version 5.2, planning to upgrade to 5.8 if it is stable.

    Desired result

    If a user fails AD authentication, then it should be rejected.

    If AD is down on one ACS, that ACS needs to check the other ACS, and if the other ACS has an AD connection, then it should forward the request to that other ACS...

    I'm sure this is not possible, but that was the main request... I argued against it, so now the new request:

    If AD fails, ACS should fall back to the local database. If the local database does not authenticate the user, then it should let the switch send the same request to the secondary ACS rather than reject the request.

    Lit.: the local database is reserved for the network admins, but maybe some contractors need to access switches and other devices, and they will have an entry in the listing, so if AD fails they can still authenticate against the DC2 AD via the DC2 ACS.

    I am thinking of setting up

    Authentication rule 1 - authenticate against AD,

    If authentication failed - Reject

    If user not found - Reject

    If process failed - Continue

    This should fall through to the default, which will be the internal database.

    If authentication failed - Reject

    If user not found - Drop

    If process failed - Drop

    This should give no answer to the switch, and then the switch should try the second RADIUS server in the list...

    Could someone please explain this flow to me... and whether my assumptions are correct...

    I would like to know if there is a good diagram that I can refer to, to see the whole process and use in my presentation...

    Thank you very much for reading and answering...

    Hello

    I'm not sure I get your question, but I will try to answer it the way I understood it.

    If you send a drop as a result, this means that ACS dropped the request, causing the AAA client to fail over to another AAA server.

    A thread on the community from a few years ago:

    (https://supportforums.cisco.com/discussion/11811801/aaa-servers#3931298)

    I hope that's what you are after.

  • ACS 5.2 - Adding custom attributes for Juniper Netscreen TACACS+ authentication

    Hello

    I'm trying to add custom attributes for Juniper Netscreen TACACS+ authentication to an ACS v5.2. The advice is to add them to the group as follows:

    service = netscreen { vsys = root privilege = read-write }

    I know how to add this on an ACS v4.x.

    However, I do not know how to apply this as custom attributes on an ACS v5.x.

    Can I add the vsys and privilege attributes separately or together? What should the attribute name be? NetScreen? Should it be mandatory?

    Advice please

    Making different groups and shell authorization profiles mapped to different profiles fixed my problem BTW.

    This is the configuration I did for Juniper. I'll try the netscreen (last photo) later today/tomorrow.
