Cisco ACS 5.1 and RSA Authentication Manager 6.1

Hi all

We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the RSA ACE Server config file and exported it to the ACS 1120.

I also added the ACS as a Net OS agent on the RSA server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is that necessary?).

I have not created any secret key file for communication between ACS and RSA, and the encryption I used is FOR.

Now, when I log into ACS and look in the identity store sequences, I am not able to find the RSA Token Server.

Let me know what went wrong and where I can fix it, and please also tell me what the communication between the RSA and the ACS looks like.

Hoping you guys help me as usual when I'm in a hurry...

Sree

Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing Submit, what happened? Was the RSA instance created OK?

If you go to

Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

Tags: Cisco Security

Similar Questions

  • Cisco Secure ACS 5.1, Active Directory groups and RSA Authentication Manager 7.1 for profiles

    Hello

    I'm deploying an ACS connected to an RSA Authentication Manager (which is itself connected to an Active Directory domain).

    I created several groups in the Active Directory server, and I am trying to give users different access rights according to their groups.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETOP 'Auth for net operators' 0

    Rule 2 AD - AD1:ExternalGroups contains all dir. INTRA/groups/NETADM 'Auth net admin' 0

    Default: Deny

    In the identity policy, I have configured the RSA identity source so that users are authenticated by the RSA Authentication Manager.

    But access is still denied: RSA authentication is successful, but the Active Directory group membership does not work, even with the Unix attributes or primary group defined for the user.

    My question is: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group in an external source?

    Monitoring steps:

    Steps

    11001 Received RADIUS Access-Request

    11017 RADIUS created a new session

    Evaluating Service Selection Policy

    15004 Matched rule

    15012 Selected Access Service - NetOp/NetAdm

    Evaluating Identity Policy

    15004 Matched rule

    15013 Selected Identity Store - RSA server

    24500 Authenticating user against RSA SecurID server.

    24501 Session established with RSA SecurID server.

    24506 Operation code check successful.

    24505 User authentication succeeded.

    24553 User record has been cached

    24502 Session with RSA SecurID server closed

    22037 Authentication Passed

    22023 Proceed to attribute retrieval

    24628 User cache not enabled in the RADIUS token identity store configuration.

    22016 Identity sequence completed iterating the IDStores

    Evaluating Group Mapping Policy

    15006 Matched Default Rule

    Evaluating Exception Authorization Policy

    15042 No rule was matched

    Evaluating Authorization Policy

    15006 Matched Default Rule

    15016 Selected Authorization Profile - DenyAccess

    15039 Selected Authorization Profile is DenyAccess

    11003 Returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA selected in the Authentication and Attribute Retrieval Search List and AD in the Additional Attribute Retrieval Search List. Then select this sequence as the result of the identity policy for the service.
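    The step list in Christophe's post is the kind of thing that gets pasted into a ticket, and the useful question is always the same: did the request die at authentication, or did it pass authentication and then fall through to the default authorization rule because the attributes the rules test were never available? Below is an added example (not part of the thread, not Cisco code) that parses an ACS 5.x step list into sections and answers that question. The codes and texts are those shown in the post above; the sample log is a constructed copy of that sequence. Code 11002 (Returned RADIUS Access-Accept) does not appear in the post and is an assumption taken from the ACS 5.x report format.

```python
"""Triage an ACS 5.x authentication step list (added example, not from the thread
and not Cisco code).

The step codes and texts are the ones shown in the post above; SAMPLE_LOG is a
constructed copy of that sequence. 11002 (Returned RADIUS Access-Accept) does not
appear in the post and is taken from the ACS 5.x report format as an assumption.
"""
import re

STEP_RE = re.compile(r"^(\d{5})\s+(.*\S)$")

SELECTED_IDENTITY_STORE = "15013"
AUTHENTICATION_PASSED = "22037"
MATCHED_RULE = "15004"
MATCHED_DEFAULT_RULE = "15006"
SELECTED_AUTHZ_PROFILE = "15016"
ACCESS_ACCEPT = "11002"  # assumption, see docstring
ACCESS_REJECT = "11003"

SAMPLE_LOG = """\
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - NetOp/NetAdm
Evaluating Identity Policy
15004 Matched rule
15013 Selected Identity Store - RSA server
24500 Authenticating user against RSA SecurID server.
24505 User authentication succeeded.
22037 Authentication Passed
22023 Proceed to attribute retrieval
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
15006 Matched Default Rule
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
11003 Returned RADIUS Access-Reject
"""


def parse_steps(lines):
    """Yield (section, code, message); a line with no 5-digit code starts a new section."""
    section = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m:
            yield section, m.group(1), m.group(2)
        else:
            section = line
            yield section, None, line


def triage(lines):
    """Summarise where a request was decided and why, from the step codes alone."""
    summary = {"identity_store": None, "auth_passed": False,
               "authorization_rule": None, "authorization_profile": None,
               "radius_result": None, "diagnosis": None}
    for section, code, msg in parse_steps(lines):
        # Only rule hits inside the (non-exception) authorization policy count here.
        in_authz = (section is not None and section.endswith("Authorization Policy")
                    and "Exception" not in section)
        if code == SELECTED_IDENTITY_STORE:
            summary["identity_store"] = msg.split(" - ", 1)[-1]
        elif code == AUTHENTICATION_PASSED:
            summary["auth_passed"] = True
        elif code in (MATCHED_RULE, MATCHED_DEFAULT_RULE) and in_authz:
            summary["authorization_rule"] = ("default" if code == MATCHED_DEFAULT_RULE
                                             else "explicit")
        elif code == SELECTED_AUTHZ_PROFILE:
            summary["authorization_profile"] = msg.split(" - ", 1)[-1]
        elif code == ACCESS_ACCEPT:
            summary["radius_result"] = "Access-Accept"
        elif code == ACCESS_REJECT:
            summary["radius_result"] = "Access-Reject"

    if not summary["auth_passed"]:
        summary["diagnosis"] = "authentication failed: look at the identity store steps"
    elif (summary["authorization_rule"] == "default"
          and summary["radius_result"] == "Access-Reject"):
        summary["diagnosis"] = ("credentials accepted by %s but no authorization rule matched, "
                                "so the default profile %s was applied: the attributes the rules "
                                "test (here AD ExternalGroups) were not available to the policy"
                                % (summary["identity_store"], summary["authorization_profile"]))
    else:
        summary["diagnosis"] = "an explicit authorization rule decided the request"
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG.splitlines()).items():
        print("%-22s %s" % (key, value))
```

    Run against the sample, the output says authentication passed at the RSA store and the authorization policy fell to its default rule, which is exactly the pattern that points at the identity sequence rather than at RSA or at the rules themselves.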

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users on a VPN 3000 Concentrator.

    I added the VPN 3000 on ACS and added ACS as an authentication server on the VPN group with a shared secret. When I run a test on the authentication server using the local account that I created on ACS, it shows that no response was received from the server, yet I can see RADIUS Auth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What does the report on ACS say?

    "RAIDUS AAuth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • RSA Authentication Manager 7.1

    We had a problem with RSA Authentication Manager 7.1, and what RSA told me is this:

    The following VMware ESX 4.0 features are supported: cloning, physical-to-virtual conversion, virtual-to-physical conversion. Advanced VMware infrastructure features such as Snapshots, VMotion, DRS, HA, and Consolidated Backup are not supported. RSA recommends that customers use the features built into RSA Authentication Manager 7.1 for these types of services.

    It seems strange that VMotion, DRS and HA are not supported but cloning and P2V are. Has anyone had problems with RSA and VMware?

    Mike

    Hi Mike,

    In fact, there are other application vendors that do not officially support these features. Most of the time it is because they do not trust the suspend mechanism used when hot-moving a virtual machine from one host to another. They consider that they cannot guarantee data integrity in such situations.

    So you do not have much choice: either you follow the rules and stay supported, or you do not and keep your fingers crossed that you never have any issue.

    Hopefully, with more and more virtual servers in the world, many applications now come with no restrictions against VMotion and DRS.

    Regards

    Franck

  • [Cisco ACS 5.2] EAP-TLS authentication failure

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured for computer authentication, and computer certificates are auto-enrolled from the Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    The first authentication works, but if I manually disconnect and reconnect, I get this error on ACS: 22047 Principal username attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session ticket, but the session was not properly resumed by ACS...

    In the ACS configuration, we checked the option "Enable EAP-TLS Session Resume" with a session timeout of 7200.

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem, but the reboot does not work in my case...

    It is fixed in 5.3(0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is included in 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must be fixed in 5.4 as well.

    Even if the same issue appeared with 5.4, it would have a different bug ID and be identified as an independent issue (usually with different causes).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • [Cisco ACS] 11036 The RADIUS Message-Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between the primary WLC and Cisco ACS (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 The RADIUS Message-Authenticator attribute is invalid".

    The secondary WLC then automatically contacts the secondary Cisco ACS and that works fine.

    Cisco ACS description for this error: "This can be because of mismatched shared secrets."

    The two Cisco ACS are synchronized, so I should get the same error on both of them...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: the shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret for the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".
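    Amjad's point is worth seeing in code, because it explains why a synchronized ACS pair can disagree about the same WLC. Message-Authenticator (RADIUS attribute 80, RFC 3579) is an HMAC-MD5 over the whole request, keyed with the shared secret, computed with the attribute's own 16-byte value zeroed. Each ACS recomputes it with the secret it holds for that NAS, so if the secondary WLC was given a wrong secret for the primary ACS only, the primary ACS fails the check (step 11036) while the secondary ACS, whose secret the WLC typed correctly, passes. The following is an added example written for this page; it is not Cisco, WLC or ACS code, and the secrets, user name and NAS IP in it are constructed.

```python
"""Build and check the RADIUS Message-Authenticator attribute (type 80, RFC 3579).

This is an added example, not part of the original thread or of Cisco ACS
code. The shared secrets, NAS IP and user name below are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Request Authenticator


def attr(type_code, value):
    """Encode one attribute as Type, Length (header included), Value."""
    return struct.pack("!BB", type_code, len(value) + 2) + value


def build_access_request(identifier, secret, attributes, authenticator=None):
    """Return an Access-Request whose Message-Authenticator is valid for `secret`.

    The HMAC-MD5 is taken over the complete packet with the 16-byte
    Message-Authenticator value set to zeros, then written into that slot.
    """
    authenticator = authenticator or os.urandom(16)
    payload = b"".join(attributes)
    length = HEADER_LEN + len(payload) + 18
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator
    zeroed = header + payload + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + payload + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Recompute attribute 80 with the secret this server holds for the NAS.

    Returns False when the attribute is missing, the packet is malformed, or
    the HMAC does not match; the last case is what ACS reports as step 11036.
    """
    if len(packet) < HEADER_LEN:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    zeroed = bytearray(packet)
    received = None
    pos = HEADER_LEN
    while pos + 2 <= length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            return False  # truncated or overlapping attribute
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            if l != 18 or received is not None:
                return False  # wrong size or duplicated attribute
            received = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += l
    if received is None:
        return False
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


# Constructed values standing in for a WLC (the NAS) and the ACS it talks to.
NAS_SECRET_ON_ACS = b"acs-primary-shared-secret"
NAS_SECRET_ON_WLC = b"acs-primary-shared-secert"  # one transposition: a typo on the WLC


def demo():
    """Same request twice: built with the right secret and with the mistyped one,
    both checked by a server that holds NAS_SECRET_ON_ACS for this NAS."""
    attributes = [attr(ATTR_USER_NAME, b"ap-admin"),
                  attr(ATTR_NAS_IP_ADDRESS, bytes([10, 20, 0, 2]))]
    good = build_access_request(7, NAS_SECRET_ON_ACS, attributes)
    mistyped = build_access_request(7, NAS_SECRET_ON_WLC, attributes)
    return (verify_message_authenticator(good, NAS_SECRET_ON_ACS),
            verify_message_authenticator(mistyped, NAS_SECRET_ON_ACS))


if __name__ == "__main__":
    ok, bad = demo()
    print("matching secret verifies:", ok)
    print("mismatched secret verifies:", bad)
```

    Note that the check is per server, per NAS: the secret is not carried in the packet, so nothing about ACS replication can make two servers agree when the NAS sends each of them a request keyed with a different string. A pcap on the primary ACS will show attribute 80 present and well-formed; only the recomputation tells you it is wrong.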

  • Cisco ACS 5.2 and IOS XR

    We are deploying devices running IOS XR and I was wondering if anyone has experience deploying them with TACACS+ authentication on the Cisco ACS 5.x platform. If so, can you give some examples of how you have mapped the predefined user groups?

    Thank you

    Here's an example of how to do that on CRS, to make sure you assign the correct task groups under the shell profile.

    http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html

    http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html#con_1185183

    Thank you

    Tarik

  • Cisco ACS 3.1 and Logging of Nortel Passport CLI commands

    Good afternoon

    We are trying to log CLI commands from a Nortel Passport 8600 with Cisco ACS version 3.1. The version of the code running on the Passport does not support TACACS+.

    The Passports authenticate OK but do not log any command information. I "think" the problem may be that the Nortel RADIUS VSA for cli-commands-attribute, 195, is not collected by ACS.

    Does anyone know how I would go about getting this added to the existing list of Nortel RADIUS VSAs?

    Thank you very much

    Kind regards

    Flett.

    Foisy,

    You must add the Nortel attributes 193-195 to enable command logging.

    Unfortunately you can't load them on 3.x code; you will need to upgrade ACS to the 4.x code.

    Kind regards

    ~ JG

    Rate useful posts

  • PEAP authentication with Cisco ACS 5.3 and Lotus Notes DB

    Hello

    I want to authenticate wireless clients against the usernames/passwords stored in a Lotus Notes database.

    Network: PEAP SSID -> Access point -> WLAN controller 4404 -> ACS 5.3 -> Notes DB

    Is this possible?

    I can connect to the LDAP groups and attributes and query them, but when I try to authenticate a user I always get the error "object not found in the identity store".

    The bind test succeeds (>100 groups and >100 subjects).

    EAP-MSCHAPv2 is not supported with LDAP by ACS.

    You can use EAP-GTC.

    You need a supplicant that supports PEAP (EAP-GTC),

    such as ADU, Intel PROSet, CSSC, Cisco AnyConnect... you can google for a list of supplicants.

    Open a new thread for the Apple issue.

    ------------------------------------------------------------------

    Be sure to rate correct answers and mark this thread as answered

  • Cisco Secure ACS 5.1 and strong authentication for ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication about this in the "System Administration > Administrators > Settings > Authentication" panel.

    (I'm running Cisco Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for administrator accounts is the internal ACS DB.

    I hope this helps.

    ARO
    Tiago

  • Cisco ACS 5.1 and ASA SSL VPN: change or notify on expired password

    Hello

    My ACS and ASA are now connected via RADIUS (MSCHAPv2). I've set up password lifetime on ACS and password management on the ASA. But the Cisco ASA does not prompt for a change or notify anything when the user tries to log on with Clientless SSL VPN. Could you advise me what to change, or how to notify on an expired password?

    PS.

    I checked "change password on first login" on ACS, and that does make the ASA show the change password dialog box. But I want a change or a warning when the password has expired.

    Thank you

    By default the account is marked as disabled after expiry.

    I think there is an enhancement for this in the 5.2.0.26.2 patch and above, which includes the following:

    CSCtk32168: Add an option to change the password when the password expires (T+ and RADIUS)

    After you install this patch, you get an option in the user authentication settings:

    -Disable the user account

    -Expire the password

    when the expiration period is exceeded.

    If the password is expired, the user will be asked to change the password at the next authentication.

    Note the latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative.

  • VI Client and RSA authentication

    I have a firewall between all of my ESX hosts and vCenter, so only vCenter can communicate with any ESX host service console interface. Administrators can connect their VI Client to vCenter, but I want them to use two-factor authentication when connecting to vCenter through the VI Client. Is this possible?

    I don't want to rely on RSA auth when connecting to vCenter via RDP, as that would limit connections to 2 sessions.

    Hello

    SecurID for vCenter\Virtual Center is not available. Right now, I recommend putting the vCenter server and the ESX management consoles on a separate 'management LAN' and using a firewall that supports SecurID for RDP into the management LAN. To work around the RDP limit you mentioned, I would create XP workstations in the management LAN. If you use View, you could create a pool of admin machines residing in the management LAN, and you can use SecurID to get to them. View supports SecurID.

    Mike

    I work at RSA

  • Cisco ACS 4.2 maximum auth/authentication devices limit.

    Hi guys.

    Can someone tell me how many devices an ACS 4.2 can work with using TACACS+?

    Is there a limit? And if there is, what is it and where does Cisco publish it?

    I have spent a whole morning without success looking for the info.

    Ty in advance.

    Carlos.

    Hello

    I did a search for it and found that the ACS 4.2 solution can support up to 35000 devices. Here is the link where I got the information:

    http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5712/ps5338/qa_c67-453393.html

    A Cisco Secure ACS appliance server at least matches the performance and scalability of a Windows-based Cisco Secure ACS server. Cisco Secure ACS guidelines and performance analysis show that each ACS server can support anywhere from 20,000 to 80,000 users per server and can scale to support up to 35,000 devices, depending on configuration scenarios, the platform and its use.

    Internally, however, we have also seen that it is recommended to use 500 per NDG.

    I hope this helps.

    Thank you

    Waris Hussain.

  • Cisco ACS 4.0 and HTTPS

    New to ACS: is there a way to require (or even simply permit) HTTPS for access to the administration web site?

    Thank you

    Tim

    Hello

    Yes there is:

    Administration Control, then Access Policy. Check the box 'Use HTTPS Transport for Admin Access'.

    You need a good server cert first. The cert management pages are under System Configuration.

    Mounira

  • Using a Cisco VPN on iPad and incorporating RSA tokens

    Hello community of Cisco,

    I have what seems like a simple question. I have almost no networking experience, so hopefully someone here can answer it. I have this iPad project for my internship in which they want to create remote access to their network using a VPN and a soft/hard security token. It seems that they already use RSA hard tokens for their current home VPN connections. They use laptops at home but want to start using iPads as well. So my question is: can an iPad support a Cisco VPN using RSA hard token authentication? I just need a concrete answer for management and literally just give them somewhere to start. Thank you for taking the time to read my question and reply.

    Phil

    Phil,

    AnyConnect on iPhone/iPad/iPod should be able to handle hard token auth, but soft token integration could be problematic (the last time I heard, it was not supported at all).

    M.
