Certificate authentication for ACS 5.1 administrators?

Is it possible to authenticate ACS administrators (web interface) by client certificate in ACS 5.1?

This link is for 4.x, which is a different product from 5.x.

Currently, administrator authentication is by username and password only.

The certificate can be changed, but this only changes the certificate presented to the user when they log in to ACS.

-Jesse

Tags: Cisco Security

Similar Questions

  • RADIUS authentication failure with ACS 5.5, WLC 5508 and AD 2012

    Hello

    I need help on these errors.

    Here is my configuration: WLC 5508 7.6.130.0 -> ACS 5.5.0.46 -> AD 2012

    I have (2) errors in ACS 5.5

    12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificate chain

    22044 Identity policy result is configured for certificate-based authentication methods but received password-based

    Already installed the CA cert and the local cert in ACS as well as on the client PC.

    Please see screenshots

    OK, in this case:

    1. You will need to properly configure the Windows supplicant before this can work. You need to set the authentication type and the trusted certification authority. If the certification authority is not available in the list of certificates, you need to import it.

    2. If you do PEAP then your identity store should be Active Directory, not a certificate authentication profile. The certificate authentication profile is used for certificate-based (EAP-TLS) authentication.

    Thank you for rating useful posts!

  • Smart card authentication - user authentication certificate

    I am developing an authentication solution for BlackBerry based on cryptographic SIM cards. I managed to create a smart card reader driver and a smart card driver using the RIM Crypto API. Using these two, I am able to import a certificate stored on the SIM card and enable two-factor user authentication that checks the device password and the PIN against the certificate. I can also set up a TLS session using private keys and certificates stored on the card.

    However, when I try to activate the "Certificate authentication" option in the password options panel, I run into a problem. After selecting the certificate and clicking Save, the device asks me to enter the device password and the smart card PIN, which I do. Debugging tells me that the PIN is properly verified with the card. Subsequently, a 'Smart card access' popup appears with the information that the RIM 'Options' application is attempting to access the card, with the message "the private key will be used to initialize certificate authentication". When I enter the PIN and press OK, I get: 'Failed to initialize certificate authentication. Check that the certificate is not on the smart card used for two-factor authentication.'

    Can someone tell me why this is? Must the certificate be special in some way (content, key usage restriction etc.)? The certificate is obviously present on the card, as it is used for example as a client certificate for setting up TLS sessions. Also, what does this "initialization" of the certificate actually mean?

    Well, I'll answer myself, as I managed to solve this problem.

    After some debugging I realized that:

    • After the second PIN prompt appears, the method signRSA(net.rim.device.api.crypto.RSACryptoSystem, net.rim.device.api.crypto.CryptoTokenPrivateKeyData, byte[], byte[], int, int, java.lang.Object) in our RSACryptoToken extension is called
    • This method gets a context object (last parameter), which is a SmartCardSession
    • During the processing of the sign request (cf. RIM's smart card and smart card driver examples) one must not create another smart card session, but instead reuse the one provided by the framework.

    Trying to establish a new card session caused the request to block, because sessions are exclusive, i.e. only one can be open at a time.

  • Devices configured for authentication under ACS

    Hi friends,

    Would like to know how many devices can be configured for authentication under ACS version 5.6.0.22 (Cisco Secure Network Server 3415).

    I'm not able to find this information anywhere.

    Regards

    JN

    Hello

    It depends on the license that you install on the ACS 5.6.

    All ACS 5.6 deployments support 100,000 AAA clients, 10,000 network device groups, 300,000 users and 150,000 hosts. The ACS 5.6 log collector server can handle 2 million records per day and 750 messages per second under stress, sent by the various ACS nodes in the deployment to the log collector server.

    Please visit this link:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    With the Base license, a Cisco Secure ACS 5.6 appliance or virtual machine can support a deployment of up to 500 network access devices (NADs) such as routers and switches. These are not AAA (authentication, authorization and accounting) clients. The number of network devices is based on the number of unique IP addresses that are configured. The 500-device limit is not a limit for each individual device or instance, but a scale limit that applies to the set of Cisco Secure ACS instances (primary and secondary) that are configured for replication.

    The optional Large Deployment add-on license allows the deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment because it is shared by all instances.

    Please visit this link:

    http://www.Cisco.com/c/en/us/products/collateral/security/secure-access-...

    Kind regards

    Aditya

    Please rate useful posts.

  • Dot1x plus certificate authentication in ISE

    Hi all

    Can someone help me configure dot1x plus certificate authentication on the ISE box? We have the ISE 3315 with version 1.1.1 to configure certificate-based authentication. The idea behind it is that we want to restrict access for devices that do not belong to the company, i.e. employees' personal devices must be blocked if they try to connect to the corporate network.

    How can we configure dot1x plus certificate-based authentication on the Cisco ISE box?

    Can someone help me out to solve this kind of problem?

    Thank you

    Pranav

    Pranav,

    Here are the steps for enabling / verifying that machine authentication is enabled on the Win7 clients:

    http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/thread/5e1bbaa4-9dad-40DA-8e53-a7d67e17c20b/

    Also, here are the steps for configuring the cache timer for machine access restrictions in ISE:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_man_id_stores.html#wpxref37158

    Here is some information on how ISE applies machine access restrictions:

    http://www.Cisco.com/en/us/docs/security/ISE/1.1.1/user_guide/ise_authz_polprfls.html#wp1116684

    In your authorization policy for domain users, you need to add the condition "Was Machine Authenticated" with the value true.

    Tarik Admani
    * Please rate helpful posts *

  • ASA SSLVPN trustpoints and certificate authentication

    Hello

    I have an ASA with a few trustpoints set up. How can I allow only client certificates from one trustpoint in a tunnel-group? I've seen client-side settings such as connection profiles or certificate maps, but they do not restrict authentication to the right certificate.

    Could I send the client certificate to a RADIUS server, as with dot1x, and check it on the authentication server?

    Hi Marcel,

    First of all, you can use a certificate map on the ASA to bind a new SSL session to the desired connection profile.

    However, as you said, the ASA will validate any certificate issued by a CA for which you have the CA certificate in a trustpoint, provided the certificate is indeed valid and the optional CRL check passes.

    If for some reason you have a scenario where you want to deny SSLVPN access to users who have a valid certificate issued by a given CA, you can use the certificate map to bind these new SSL sessions to a "dead end" connection profile that has the maximum number of sessions set to 0:

    Example config:

    ! first set the group policy and profile to catch these sessions that should not have access:
    group-policy DeadEnd_GP internal
    group-policy DeadEnd_GP attributes
     vpn-simultaneous-logins 0
     vpn-tunnel-protocol ssl-client
    tunnel-group DeadEnd type remote-access
    tunnel-group DeadEnd general-attributes
     default-group-policy DeadEnd_GP
    tunnel-group DeadEnd webvpn-attributes
     authentication certificate
    ! Then, set the certificate map criteria, mapping certificates to a 'good' profile:
    crypto ca certificate map mycertmap 10
     issuer-name attr cn eq myIssuer
    crypto ca certificate map mycertmap 20
    ! This rule has no criteria, so it is a 'catch-all' rule.
    ! Finally, define the mapping in the global webvpn section:
    webvpn
     certificate-group-map mycertmap 10 myProfile1
     certificate-group-map mycertmap 20 DeadEnd

    --

    Note that:

    1. With a certificate map configured, your ASA will request client-side certificates for SSL connections. If you also have AAA-only authenticated profiles, that may be a problem - I'm not sure it will work 100% OK, I would need to test.

    2. If you use ASDM, you will find the certificate map definition in the menu

    Configuration > Remote Access VPN > Advanced > Certificate to AnyConnect and Clientless SSL VPN Connection Profile Maps

    ===

    Secondly, on the use of RADIUS - it is not possible to send the certificate itself to RADIUS (AFAIK), but you can use RADIUS authorization as an extra step after certificate validation.

    The ASA will first extract a username from the client certificate subject name - this is configurable, and can even be done with a Lua script.

    A RADIUS Access-Request is then sent for the extracted username - so you will probably need the user to exist on the RADIUS server.

    In ASDM, you will find this configuration under the connection profile, in the Advanced > Authorization subsection of the Edit Connection Profile dialog.

    You may be interested in looking at this guide, which explains a use case where this authorization was used to allow only certain users who had a certificate from a national public key infrastructure:

    http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00808e00ec.shtml

    In step 6, point L, the authorization is configured.

    It's a pretty old guide but still valid; you will see that it uses the LOCAL server for authorization, but apart from that it's the same principle.

    ===

    I hope this helps, please let us know.

    Cheers,

    Chris

  • ACS authentication with PEAP/MSCHAPv2 - client rejecting server

    Hello

    Have a wireless network setup with Cisco 1131AG APs and a c6500 WiSM module (4404-WLC) under test, authenticating against a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

    The laptops have the Cisco SSC client (together with the SSC Mgmt utility).

    A self-signed certificate was created on the ACS, and the root was exported and installed on the laptop.

    IF the CSSC 'Validate Server' box is not selected, the authentication process works and I am able to connect to the network.

    IF the CSSC 'Validate Server' box is checked, the authentication fails.

    The problem appears to be that the client refuses the server certificate:

    "Server certificate chain is not valid."

    On the ACS, in the 'failed' authentication logs, the following message is stated:

    "Authentication failed during SSL negotiation" (which obviously refers to the invalid chain)

    Any ideas?

    When you create a self-signed certificate, is there a specific directory where the server certificate must be located? e.g. c:\cert\certificate.cer

    Also, must the certificate name match the host name of the ACS?

    i.e." CN ="

    Any advice or pointers would be appreciated.

    Thank you

    The issue is that when you check the Validate Server box, you must make sure you have the certification authority in the Trusted Root Certification Authorities. For example, in Windows, there is a list of CA servers where you check server certificate validation and also tick the root certification authority in the list. If the root CA is not listed, then you must add it to the list and tick it.

    You are right about the client rejecting the server cert... Authentication failed during SSL negotiation

    This doc will give you an overview:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

  • ASA administrative access with AAA via ACS RADIUS

    We have an ASA 8.2 for which we'd like to configure AAA for SSH access, using RADIUS against an ACS 5.5.

    Can get users to authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC.

    Setup on the ASA:

    aaa-server rad-group1 protocol radius
    aaa-server rad-group1 (inside_pd) host rad-server-1
     key *
    aaa-server rad-group1 (inside_pd) host rad-server-2
     key *
    aaa authentication ssh console rad-group1 LOCAL
    aaa authentication telnet console rad-group1 LOCAL
    aaa authentication http console rad-group1 LOCAL
    aaa authorization exec authentication-server

    Have tried pushing various combinations of these attributes from the ACS:

    CVPN3000/ASA/PIX7.x-Privilege-Level = 15
    RADIUS-IETF Service-Type = Administrative (6)
    cisco-av-pair = "shell:priv-lvl=15"

    Hi Phil,

    You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to go to that privilege level without enable authentication, unless you go to 9.1(5) code.

  • Certificate authentication "don't ask again"

    I connect to a remote server running MS Server 2008 R2 from home using a Win7 laptop and Remote Desktop. During the connection process, I am presented with a certificate authentication failure message, to which I usually respond "do it anyway". Last night I clicked the 'Do not ask again' box and now I can't connect at all. I see an error message saying the server is not available or is turned off, etc.

    Anyone know how I can "reactivate" the original certificate failure message?

    Carol

    This issue is beyond the scope of this site and should be posted on Technet or MSDN

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Authentication certificate has expired or is not valid

    Getting this error when connecting to a PC with Remote Access, error: "Authentication certificate from the remote computer has expired or is not valid."

    Hi Chandan,

    You can ask your question here for better assistance:

    http://social.technet.Microsoft.com/forums/en-us/category/w7itpro

    This will be helpful.

  • ACS authentication through a VPN tunnel

    We want to enable ACS authentication for logging in to various routers (Cisco 881s) we have acquired, which communicate with our WAN via VPN tunnels. We want to avoid using the routers' public IPs to communicate and pass user/password information to the ACS server, and rely on the private IP instead. The problem is that the routers' external interfaces connect to the Internet using public IP addresses, and when the router wants to communicate with the ACS server it will use its public interface IP, which will fail. We can ping the server of course when we set the source to the internal LAN IP.

    The question is: is there any way to have the router contact ACS through the VPN tunnel using a private IP address?

    Config used and tested successfully on local equipment:

    aaa new-model
    radius-server host 10.x.x.x single-connection key xxxxxx
    aaa authentication login tacacs-local group tacacs+ local
    aaa authorization commands x tacacs-local group tacacs+ if-authenticated
    aaa authorization exec tacacs-local group tacacs+ if-authenticated
    ! privilege exec level x ... (the command name was garbled in the original post)
    line vty 0 4
     login authentication tacacs-local
     authorization commands x tacacs-local

    - Ping from the router (on the WAN, via the VPN connection) to ACS when using the router's public IP address as the source address:

    RT881#ping 10.x.x.x
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    - Ping from the router (on the WAN, via the VPN connection) to ACS when using the private LAN IP as the source address:

    RT881#ping 10.x.x.x source 10.x.x.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
    Packet sent with a source address of 10.x.x.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

    Looking forward to your responses and suggestions.

    Thanks, M.

    Hey Maher,

    You can use the command 'ip tacacs source-interface' or 'ip radius source-interface' for your scenario.

    I hope this helps!

    Kind regards

    Assia

  • Setting up RADIUS authentication on ACS 4.0.2

    Dear Experts,

    I have ACS 4.0.2 in my network, which I want to use for 802.1x RADIUS for clients using the PEAP-MSCHAPv2 authentication method.

    According to the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844,

    I have configured Network Configuration and populated the AAA client IP address range and the secret key.

    Question 1:

    Under the 'Authenticate Using' option, there are various flavors available for selection. For a non-Cisco AAA client, should I choose RADIUS (IETF)?

    Question 2:

    In the snapshot above, there is an option called Global Authentication Setup, where we can configure the EAP configuration. Under the PEAP subsection, there is an 'Allow EAP-MSCHAPv2' checkbox.

    After checking that, is a restart required on the ACS server? Would it cause disruption to existing services on ACS?

    Kindly help, as this is not mentioned in the documentation available to me.

    Kind regards

    Knockaert

    Hello

    Question 1:

    3rd-party devices should generally conform to the RADIUS standards. In this case selecting RADIUS (IETF) should be fine. If specific 3rd-party attributes (for example the VLAN ID) are required, then contact the 3rd-party device's support to confirm whether a RADIUS dictionary must be added to the RADIUS server in order to send vendor-specific attributes.

    NOTE: We can add RADIUS dictionaries to ACS in the case described above, but you will need the appropriate dictionary file, usually provided by the 3rd-party device's support.

    Question 2:

    To enable PEAP or any other EAP method on ACS 4.x, we need to use the Submit + Apply option. ACS services will be restarted (RADIUS and Auth services). It should take less than a minute in a common scenario for ACS to apply the changes. It is not a reboot of the server, but a restart of the services instead.

    I hope this helps.

    Kind regards.

  • AnyConnect: user-based certificate authentication filtering configuration

    Hello network colleagues.

    Recently I needed to configure AnyConnect SSL VPN with certificate authentication to meet the connect-on-demand requirements of Cisco Jabber.

    Everything is OK, but I need to filter users based on their personal certificate information. For example, currently everyone who has a personal certificate from our CA can access this VPN. I want to define the users by the e-mail in the certificate, and only these users are granted access.

    I used this configuration:

    webvpn
     enable outside
     anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
     certificate-group-map Cert-Filter 10 Company-Jabber
    crypto ca certificate map Cert-Filter 10
     subject-name attr ea eq [email protected]

    The problem is that I can still access the profile - if I change [email protected] to

    On the AnyConnect client I connect to the group-url of the connection profile Company-Jabber.

    Hi Alexandre

    There are several ways to approach this, and it depends somewhat on the rest of the config, for example whether you have other tunnel-groups etc.

    I guess the easiest way (if it does not interfere with the rest of your configuration) is to add something like this:

    crypto ca certificate map Cert-Filter 65535
     subject-name ne ""

    This would catch all users/certificates not matched by your previous rules.

    Under webvpn you map these users to another tunnel-group (connection profile):

    certificate-group-map Cert-Filter 65535 NoAccess

    And configure the NoAccess group so that access is denied (for example, by setting simultaneous logins to 0 in the corresponding group-policy).

    Other ways would be to use DAP (dynamic access policies) for pretty much the same thing as the certmap, or LDAP authorization (e.g. retrieve the username from the certificate, then perform an LDAP lookup to see if the user is allowed to use the VPN - in this scenario there is no need to list all the users on the ASA, but for example you need to create a new group on your LDAP server that contains all VPN users).

    Let me know if you want to go further into any of the above.

    Cheers

    Herbert
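The two answers above (Chris's DeadEnd map with an issuer-name rule plus an empty catch-all, and Herbert's Cert-Filter map with a subject e-mail rule plus a 'subject-name ne ""' catch-all) both rely on how the ASA walks a certificate map. The following model is an added example by the editor, not Cisco code; it assumes rules are evaluated in ascending sequence order, every criterion in a rule must match, the first match selects the tunnel-group, and string comparison is case-insensitive. The sample certificates and the e-mail address are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A certificate reduced to the two DNs a certificate map can inspect.
# Keys are lower-case RDN tags as the ASA names them ("cn", "ea" = e-mail).
Cert = Dict[str, Dict[str, str]]


@dataclass(frozen=True)
class Criterion:
    dn: str              # "subject-name" or "issuer-name"
    attr: Optional[str]  # RDN tag to test, or None to test the whole DN string
    op: str              # eq, ne, co (contains), nc (does not contain)
    value: str


@dataclass(frozen=True)
class Rule:
    map_name: str
    seq: int
    criteria: Tuple[Criterion, ...] = ()  # no criteria = matches every certificate


def dn_to_string(dn: Dict[str, str]) -> str:
    """Render a DN the way the whole-DN operators compare it (assumed form)."""
    return ", ".join(f"{tag.upper()}={val}" for tag, val in dn.items())


def criterion_matches(c: Criterion, cert: Cert) -> bool:
    dn = cert["subject"] if c.dn == "subject-name" else cert["issuer"]
    actual = dn.get(c.attr, "") if c.attr else dn_to_string(dn)
    a, v = actual.lower(), c.value.lower()   # assumed case-insensitive compare
    if c.op == "eq":
        return a == v
    if c.op == "ne":
        return a != v
    if c.op == "co":
        return v in a
    if c.op == "nc":
        return v not in a
    raise ValueError(f"unknown certificate map operator: {c.op}")


def select_tunnel_group(rules: List[Rule], group_map: Dict[Tuple[str, int], str],
                        cert: Cert, default: str = "DefaultWEBVPNGroup") -> str:
    """Lowest matching sequence number wins; group_map holds the
    'certificate-group-map <map> <seq> <tunnel-group>' lines."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if all(criterion_matches(c, cert) for c in rule.criteria):
            return group_map.get((rule.map_name, rule.seq), default)
    return default


# Chris's mycertmap: issuer CN myIssuer -> myProfile1, all others -> DeadEnd.
MYCERTMAP = [Rule("mycertmap", 10, (Criterion("issuer-name", "cn", "eq", "myIssuer"),)),
             Rule("mycertmap", 20)]
MYCERTMAP_GROUPS = {("mycertmap", 10): "myProfile1", ("mycertmap", 20): "DeadEnd"}

# Herbert's Cert-Filter: one listed e-mail -> Company-Jabber, any other subject -> NoAccess.
CERT_FILTER = [Rule("Cert-Filter", 10, (Criterion("subject-name", "ea", "eq", "alice@example.test"),)),
               Rule("Cert-Filter", 65535, (Criterion("subject-name", None, "ne", ""),))]
CERT_FILTER_GROUPS = {("Cert-Filter", 10): "Company-Jabber", ("Cert-Filter", 65535): "NoAccess"}

# Constructed sample certificates (not from the page).
ALICE: Cert = {"subject": {"cn": "alice", "ea": "alice@example.test"}, "issuer": {"cn": "myIssuer"}}
BOB: Cert = {"subject": {"cn": "bob", "ea": "bob@example.test"}, "issuer": {"cn": "OtherCA"}}


def demo() -> Tuple[str, str, str, str]:
    return (select_tunnel_group(MYCERTMAP, MYCERTMAP_GROUPS, ALICE),
            select_tunnel_group(MYCERTMAP, MYCERTMAP_GROUPS, BOB),
            select_tunnel_group(CERT_FILTER, CERT_FILTER_GROUPS, ALICE),
            select_tunnel_group(CERT_FILTER, CERT_FILTER_GROUPS, BOB))


if __name__ == "__main__":
    print(demo())
```

A certificate with an empty subject falls through the 'ne ""' catch-all and lands in the default group, which is why a real deployment still needs the default tunnel-group locked down as well.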

  • [ACS 5.2] Switch administration using SSH

    Hello

    I want to use LDAP accounts to manage the switches.

    It works fine when I use telnet.

    I just need to push the RADIUS Login-Service attribute (ID 15) with the value Telnet (ID 0).

    Now, I want to use SSH (for security reasons)

    RADIUS must push the Login-Service attribute (ID 15) with the value SSH (ID 50).

    (For example with Steel-Belted RADIUS: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=4174801&prodTypeId=12883&objectID=c02602225 )

    The SSH value does not exist in the IETF RADIUS dictionary for the Login-Service attribute.

    I can't create the SSH value because this dictionary is protected...

    Is there a solution?

    Thank you

    Patrick

    Hello Patrick,

    ACS 5.x will not allow changing/removing/adding attribute values in the IETF RADIUS dictionary, as it is standard and reserved.

    If you check the RADIUS RFC at http://www.ietf.org/rfc/rfc2865.txt under the description of Login-Service, the SSH service is not listed there:

    5.15.  Login-Service

       Value

          The Value field is four octets.

            0   Telnet
            1   Rlogin
            2   TCP Clear
            3   PortMaster (proprietary)
            4   LAT
            5   X25-PAD
            6   X25-T3POS
            8   TCP Clear Quiet (suppresses any NAS-generated connect string)

    ACS 5.x will not allow modifying these dictionaries, as IETF RADIUS follows the documented standards.

    The best approach at this point would be to contact the switch vendor to determine how to enable SSH on these devices.

    I hope this helps. Kind regards.
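Both the ASA administrative-access thread above (Service-Type = Administrative (6) and the cisco-av-pair "shell:priv-lvl=15") and this Login-Service thread come down to what the RADIUS server puts on the wire. The encoder/decoder below is an added example by the editor, not ACS or Cisco code; it follows the RFC 2865 attribute format (Type, Length including the header, Value; Vendor-Specific carries a 4-octet Vendor-Id, then Vendor-Type and Vendor-Length) and the Cisco vendor id 9 / vendor-type 1 for cisco-avpair, and keeps the IETF Login-Service value table from section 5.15 so that a value such as 50 shows up as undefined.

```python
import struct
from typing import List, Optional, Tuple, Union

SERVICE_TYPE = 6          # RFC 2865 5.6
LOGIN_SERVICE = 15        # RFC 2865 5.15
VENDOR_SPECIFIC = 26      # RFC 2865 5.26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1          # vendor-type of cisco-avpair inside a Cisco VSA
ADMINISTRATIVE_USER = 6   # Service-Type value granting full admin access

# RFC 2865 5.15: the only Login-Service values the IETF dictionary defines.
LOGIN_SERVICE_VALUES = {0: "Telnet", 1: "Rlogin", 2: "TCP Clear",
                        3: "PortMaster", 4: "LAT", 5: "X25-PAD",
                        6: "X25-T3POS", 8: "TCP Clear Quiet"}


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 octet), Length (1 octet, counts the header), Value."""
    if len(value) > 253:   # length is one octet, so 255 - 2 is the ceiling
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    return encode_attr(attr_type, struct.pack("!I", value))


def encode_cisco_avpair(text: str) -> bytes:
    """Vendor-Specific: Vendor-Id 9, then Vendor-Type 1, Vendor-Length, string."""
    data = text.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def decode_attrs(buf: bytes) -> List[Tuple[Union[int, str], Union[int, str, bytes]]]:
    """Walk the TLV list, refusing malformed lengths instead of reading past
    the end. Integer attributes decode to int, Cisco av-pairs to their text."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, length = buf[i], buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError(f"bad length {length} for attribute {t}")
        v = buf[i + 2:i + length]
        if t == VENDOR_SPECIFIC and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID:
            vtype, vlen = v[4], v[5]
            if vlen != len(v) - 4:
                raise ValueError("bad Cisco VSA vendor-length")
            name = "cisco-avpair" if vtype == CISCO_AVPAIR else f"cisco-vsa-{vtype}"
            out.append((name, v[6:].decode("ascii")))
        elif t in (SERVICE_TYPE, LOGIN_SERVICE) and len(v) == 4:
            out.append((t, struct.unpack("!I", v)[0]))
        else:
            out.append((t, v))
        i += length
    return out


def asa_admin_attrs() -> bytes:
    """The combination from the ASA thread: Service-Type = Administrative-User
    plus cisco-avpair "shell:priv-lvl=15"."""
    return encode_integer_attr(SERVICE_TYPE, ADMINISTRATIVE_USER) + \
        encode_cisco_avpair("shell:priv-lvl=15")


def login_service_name(value: int) -> Optional[str]:
    """None for values the IETF dictionary does not define, such as the 50
    that the Steel-Belted RADIUS note uses for SSH."""
    return LOGIN_SERVICE_VALUES.get(value)


if __name__ == "__main__":
    print(asa_admin_attrs().hex())
    print(decode_attrs(asa_admin_attrs()), login_service_name(50))
```

Note that the wire format happily carries Login-Service = 50; what blocks it is the protected dictionary on the ACS side, exactly as the answer describes.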

  • Windows 7 slow login / delayed wireless user authentication via ACS 5.8

    Just set up a new ACS 5.8 farm (only 2 servers) here, and I hope someone can shed light on the difficulties.

    The new ACS server is set up to correctly authenticate network device administration, and I am currently working on defining the profiles for our wireless user and corporate laptop authentication.

    Being new to this version of ACS (we will migrate manually from ACS 4), I followed an excellent example of this task described in a video on this site: http://www.labminutes.com/sec0044_ise_1_1_wireless_dot1x_machine_auth_peap

    I managed to have a Windows XP SP3 client authenticate properly, first with computer authentication, then user authentication... and the domain logon process takes place in a short time (< 1 min) and the user gets all their networked drives via the domain login.

    However, I'm fighting to get our Windows 7 clients to authenticate properly. It seems that the machine authentication does not work as expected (I can ping the test laptop from another machine on the network while the test machine is sitting at the login screen, and I see the host authentication recorded in the ACS RADIUS authentication logs). But when a domain user logs in with his credentials, the login process takes 4-5 minutes before a user authentication event is entered in the ACS RADIUS authentication log, after which the login process completes, except that the domain logon script does not run and the user does not receive the drive mappings.

    Can someone point me in the right direction here? I would be grateful for any input on this.

    Thanks in advance,

    John

    I had a similar problem with wireless 802.1x Win 7 clients unable to connect unless they had cached AD credentials. The machine would authenticate, but the user would take a long time if the Windows credentials had been cached.

    I could solve the problem by expanding the Airespace ACL used during user authentication to include all DCs in the environment.
