Cisco ACS 5.3 - attributes Radius, and "Administration/Shell device profiles.

Similar Questions

• Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

  We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.  It works, but it works too well.

  We have a group called XXX we need to have access to the Cisco AnyConnect Client.  We have selected this group of our Active Directory and added to our ACS configuration.  We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

  We added XXX movies for the elements of the policy of access to the network-> authorization profiles.  We also have a profile of YYY.

  She continues to knock on our default Service rule that says allow all.

  We have also created a default network access rule. for this.

  I am at a loss.  I'm sure I missed a checkbox or something.

  Any help would be really appreciated.

  Dwane

  We use Protocol Management GANYMEDE ASA and Ray for VPN access?

  For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

  On the SAA, you must configure Ganymede and Ray both as a server group.

  For the administration, you can set Ganymede as an external authentication under orders aaa Server

  AAA-server protocol Ganymede GANYMEDE +.

  Console HTTP authentication AAA GANYMEDE

  Console Telnet AAA authentication RADIUS LOCAL

  authentication AAA ssh console LOCAL GANYMEDE

  Console to enable AAA authentication RADIUS LOCAL

  For VPN, you must set the authentication radius under the tunnel-group.

  I hope this helps.

  Kind regards

  Jousset

  The rate of useful messages-

• Cisco ACS 5.4 and VPN 3000

  Hello

  I'm trying to use CIsco ACS 5.4 for RADIUS authentication for VPN by using VPN concentrator 3000 users.

  I added the VPN 3000 on ACS and added GBA on VPN group with a shared secret authentication server. When I do a test on the authentication server using the local account that I created on ACS it happens as no response was received from the server so that I can see the RAIDUS AAuth in green.

  Any help would be much appreciated.

  Concerning

  AR

  Hey,.

  What is the report on GBA?

  "RAIDUS AAuth in green"

  If so, a pcap help between the two.

  Concerning

  Ed

• Cisco ACS 4.1 for external advertising for authentication

  Hello

  We have just configured Cisco ACS 4.1 solution engine and using a Windows 2003 domain controller as a remote agent.we use as Protocol Ganymede.

  Users that are created in ACS himself are able to connect to various network devices. but users in domain (active directory) can not connect. We get the access denied message. same time we get external DB is not operational message in ACS.

  Active directory server where agent that runs in CSWINAgentlog, we get the following error 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

  Could you please help us to isolate the problem.

  Thank you & best regards

  Make sure that the worm of acs and remote agent software is the same. And also execution of remote agent account must have special domain administrator rights, like the act as part of operating system and log in as a service.

  Kind regards

  ~ JG

• [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

  Hello

  I had a lot of Cisco AP related to Cisco WLC 2.

  On each WLC, I configured a primary and a secondary RADIUS server.

  RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

  ACS primary and secondary configurations are synchronized.

  There is no problem between primary rules WLC and Cisco ACS (primary and secondary).

  When secondary WLC asks primary Cisco ACS, I get this error "11036 the RADIUS Message Authenticator attribute is not valid.

  WLC secondary contacts automatically secondary Cisco ACS and it works fine.

  Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

  The two Cisco ACS are synchronized, so I should have the same error on them...

  Why primary ACS generates this error?

  Thanks for your help,

  Patrick

  Patrick: The shared secret mismatch could be on the side WLC, not on the side of the ACS.

  Make sure that the shared secret of the radius primary server is configured correctly on the secondary WLC.

  HTH

  Amjad

  Rating of useful answers is more useful to say "thank you".

• Can ACS adds more Juniper RADIUS attributes?

  Hello

  These attributes RADIUS Juniper taken in charge by Cisco default ACS4.0

  Juniper-Local-user name

  Juniper-allow-orders

  Juniper-deny-orders

  Is it possible to add more 2 attributes

  Juniper-help-Configuration

  Juniper-deny-Configuration

  Kind regards

  Audrey

  Hi Audrey,.

  4.0 the only way to add these attributes is to contact TAC and get the script directly from the developers.

  This problem has been resolved in ACS 4.1.23

  http://www.Cisco.com/cgi-bin/support/Bugtool/onebug.pl?BugID=CSCsi18979&submit=search

  If that answers your question, then please mark this thread as solved, so that others can benefit from.

  Kind regards

  Jagdeep

• RADIUS does not not on Cisco ACS SE v4.1 (1)

  Hello

  I have a CiscoSecure ACS version 4.1 (1) build 23.

  I can't configure the Cisco ACS for granular control of access router. I have a Netopia Router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the request to access the Cisco ACS SE RADIUS and a sniff on the side of the ACS shows the application of GBA, but I see no response from the ACS. RADIUS authentication to work with a Windows 2003 server.

  I configured an AAA client and a user of the ACS and use the default group. I use IETF RADIUS. Should what attributes I configure. In Windows, I use Service Type framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the newspapers. It shouldn't be so difficult, but for some reason I can't make it work.

  Thanks for any help.

  Jutta Kullmann

  Jutta,

  Good to know it works very well. Please mark this thread as solved so other can benefit from.

  Kind regards

  ~ JG

• Integration of Cisco ACS and Cisco NAC Manager - downloadable ACLs

  Hello

  I have Setup Cisco NAC in my environment. These are all works well. The users themselves will get authenticated via Cisco NAC Manager. The Cisco NAC Manager meets with Cisco ACS for the part of the user database. These are all works well. I would like to activate downloadable ACLs. I tried to use the CISCO-AV-PAIR method and creating a downloadable ACL entry in the shared components, but nothing works. It's either I'm doing wrong or this configuration of the mine does not support downloadable ACLs? Please advice kindly.

  Kind regards

  RAM

  + 6 012-2918870

  Hello

  It is not possible.

  You cannot push the ACL in the NAC manager.

  If you make the Radius of NAC authentication manager, you can do is create roles the NAC Manager, and on the roles you define traffic strategies.

  Using the Radius attributes you can then map users to roles.

  Please, take a look at this:

  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.

  HTH,

  Tiago

  --

  If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

• Configuration of the Cisco ACS Radius

  Hello

  I'm trying to set up authentication radius on cisco ACS but short question. When I set up my group of network devices in the configuration of the AAA Client as one of ray device groups, my authentications fail with authentication as a failure code"

  CS invalid password' but when I change my group of devices to "Unassigned", everything started working.

  On my AAA client, when authentication fail, I see

  Server RADIUS audit package fails:

  Please note that the AAA client is a non-cisco device.

  Any suggestions?

  It seems that you run ACS 4.x. You are facing this problem because the key is set on the excessive rides of the level (Group of devices network XYZ in your case) NDG key at the level of the AAA client.  Please make sure that you don't have different secret key on the client inside the NDG AAA and on the NDG himself.

  Not affected is working because it has no key defined in the NDG.

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738

  "Each device that is assigned to the network device group will use the shared key you enter here. The key that has been attributed to the device when it has been added to the system is ignored. If the Enter key is null, the key of the AAA client is used. »

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• Problem with Cisco ACS and different areas

  Hello

  We are conducting currently a problem with Cisco ACS that we put in place, and I'll try to describe:

  We have ACS related directory AD areas, where we have 2 domains and appropriate group mappings.

  Then we have our Cisco switches with the following configuration,

  AAA new-model

  AAA-authentication failure message ^ CCCC

  Failled to authenticate!

  Please IT networks Contact Group for more information.

  ^ C

  AAA authentication login default group Ganymede + local

  AAA authorization exec default group Ganymede + local

  AAA authorization network default group Ganymede + local

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  AAA - the id of the joint session

  But the problem is that with the users in a domain, we can authenticate, but not the other. Basically, the question is that when we check on the past of authentication, two authentications are passage and the display of 'Authentic OK', but on the side of the switch, there is a power failure.

  There may be something wrong with the ACS?

  Thank you

  Jorge

  Try increasing the timeout on IOS device using radius-server timeout 10.

  Do we not have journaling enabled on the ACS server remotely?

  -Philou

• Cisco ACS 3.1 and Logging of Nortel Passport CLI commands

  Good afternoon

  We try to log commands CLI Cisco ACS version 3.1 of Nortel Passport 8600. The version of the code that runs on the Passport does not support Ganymede +.

  Passports authenticate OK but don't sign any order information. I "think" the problem is maybe that the VSA Radius of Nortel for cli-commands-attribute, 195, is not collected by ACS.

  Does anyone know how I would go to get this added to the existing list of Radius (Nortel) VSA?

  Thank you very much

  Kind regards

  Flett.

  Foisy,

  You must add the attribute Nortel 193-195 to activate the posting of the order.

  Unfortunately you can't download on code 3.x, you will need to upgrade acs to the 4.x code.

  Kind regards

  ~ JG

  Note the useful messages

• Cisco ACS and the domain controller

  Hello

  We are currently using the Cisco ACS 3.2.3.11 solution engine and using a Windows domain as a remote agent controller.

  We now have the ACS to 4.1

  1. do I need to upgrade the remote agent on the domain controller as well?

  2. any computer on the network can be used as a Distribution Server?

  3. after an initial backup and upgrade then to 3.3.3.3 I make another backup before the upgrade to 4.1?

  You can use any PC in the network as a Distribution Server.

• Cisco ACS 5.1 and RSA Authentication Manager 6.1

  Hi all

  We recently had a Cisco Secure ACS 1120 and I improved the Unit 5.1 5.0 with all your support

  Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.

  I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

  I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

  Now, when I log into ACS and search for devices in the identity store sequences I am not able to get Sever Token RSA.

  Let me know what was wrong, where can I fix and also please tell me what is the communciaction between the RSA and ACS?

  Hoping that you guys help me as usual when I'm in a hurry...

  Sree

  Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?

  If you go to

  Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

• Can I use an ACS as RADIUS and GANYMEDE to the same ASA Server?

  I want to GANYMEDE to make the accounting of the SAA, meanwhile, the ASA need RADIUS for authentication ssl vpn. Is it possible to reach this object with only a CSA?

  Yes, you can use both. Allows you to add ASA as radius and Ganymede.

  ACS-->---> aaa-client network configuration

  (1) ASA---> 1.1.1.1---> authentic using Ganymede

  (2) ASA1---> 1.1.1.1---> optout by radius

  Don't forget the host name cannot be the same.

  Kind regards

  ~ JG

  Note the useful messages

• Cisco ACS 5.2 and IOS XR

  We deploy devices with IOS XR and I was wondering if anyone has experience their deployment with GANYMEDE authenticate on the Cisco ACS 5.x platform. If so, can you give some examples of how you have mapped the groups predefined by the user.

  Thank you

  Here's an example of how to do that crs to ensure share you the correct tasks under the profile of the shell.

  http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html

  http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html#con_1185183

  Thank you

  Tarik