Cisco ACS 5.4 and VPN 3000

Similar Questions

• Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

  We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.  It works, but it works too well.

  We have a group called XXX we need to have access to the Cisco AnyConnect Client.  We have selected this group of our Active Directory and added to our ACS configuration.  We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

  We added XXX movies for the elements of the policy of access to the network-> authorization profiles.  We also have a profile of YYY.

  She continues to knock on our default Service rule that says allow all.

  We have also created a default network access rule. for this.

  I am at a loss.  I'm sure I missed a checkbox or something.

  Any help would be really appreciated.

  Dwane

  We use Protocol Management GANYMEDE ASA and Ray for VPN access?

  For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

  On the SAA, you must configure Ganymede and Ray both as a server group.

  For the administration, you can set Ganymede as an external authentication under orders aaa Server

  AAA-server protocol Ganymede GANYMEDE +.

  Console HTTP authentication AAA GANYMEDE

  Console Telnet AAA authentication RADIUS LOCAL

  authentication AAA ssh console LOCAL GANYMEDE

  Console to enable AAA authentication RADIUS LOCAL

  For VPN, you must set the authentication radius under the tunnel-group.

  I hope this helps.

  Kind regards

  Jousset

  The rate of useful messages-

• Cisco ACS 5.1 and RSA Authentication Manager 6.1

  Hi all

  We recently had a Cisco Secure ACS 1120 and I improved the Unit 5.1 5.0 with all your support

  Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have config file of RSA ACE Server successfully downloaded and exported to 1120 ACS.

  I also added as NetOS Agent ACS in the RSA server during the process, I found a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

  I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

  Now, when I log into ACS and search for devices in the identity store sequences I am not able to get Sever Token RSA.

  Let me know what was wrong, where can I fix and also please tell me what is the communciaction between the RSA and ACS?

  Hoping that you guys help me as usual when I'm in a hurry...

  Sree

  Were you able to successfully create the RSA identity server. After selecting the sdconf.rec and you press on submit what happened? The RSA instance created OK?

  If you go to

  Users and identity stores > external identity stores > RSA SecurID Token servers, what do you see in the list?

• Cisco ACS 5.2 and IOS XR

  We deploy devices with IOS XR and I was wondering if anyone has experience their deployment with GANYMEDE authenticate on the Cisco ACS 5.x platform. If so, can you give some examples of how you have mapped the groups predefined by the user.

  Thank you

  Here's an example of how to do that crs to ensure share you the correct tasks under the profile of the shell.

  http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html

  http://www.Cisco.com/en/us/docs/routers/CRS/software/crs_r4.1/Security/Configuration/Guide/syssec_cg41crs_chapter1.html#con_1185183

  Thank you

  Tarik

• Cisco ACS 3.1 and Logging of Nortel Passport CLI commands

  Good afternoon

  We try to log commands CLI Cisco ACS version 3.1 of Nortel Passport 8600. The version of the code that runs on the Passport does not support Ganymede +.

  Passports authenticate OK but don't sign any order information. I "think" the problem is maybe that the VSA Radius of Nortel for cli-commands-attribute, 195, is not collected by ACS.

  Does anyone know how I would go to get this added to the existing list of Radius (Nortel) VSA?

  Thank you very much

  Kind regards

  Flett.

  Foisy,

  You must add the attribute Nortel 193-195 to activate the posting of the order.

  Unfortunately you can't download on code 3.x, you will need to upgrade acs to the 4.x code.

  Kind regards

  ~ JG

  Note the useful messages

• Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

  Hello

  Now, my ACS and ASA related to RADIUS (MSCHAPv2). I've set up password life on GBA and password management on SAA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advice me everything to change, or notify the expired password?

  

  PS.

  I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password

  Thank you

  The default password is marked as disabled after expiry

  I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

  CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

  After you install this hotfix, you get an option to the user authentication settings is:

  -Disable the user account

  -Expire the password

  When the expiration period is exceeded

  If password is expired then user will be asked to change password next authentication

  Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative

• Problems with VPN between Cisco PIX 6.3.3 and VPN 3000 Concentrator

  Hi guys,.

  I hope this is the right place and that someone has encountered this before I don't have much hair left to offset - I'm trying to set up a tunnel between our Pix 6.3.3 performer and a customer using a VPN3000.

  The customer wants us to be able to do checkups on a device without allowing anything to of our range of addresses network side private, just one public IP address.  We currently run a VPN to our recovery site to allow off-site replication, but the ACL on the other end of this VPN * does * allow the configuration that we had for our private network side, so traffic was not useful at that.  Here is a screenshot of what I tried:

  ethernet0 nameif outside security0
  nameif ethernet1 inside the security100
  nameif ethernet2 dmz1 security50

  name 172.16.1.48 Cust_DVR1

  permit 192.168.1.0 ip access list inside_outbound_nat0_acl 255.255.255.0 255.255.255.255 Cust_DVR1

  permit 192.168.1.0 ip access list outside_cryptomap_30 255.255.255.0 255.255.255.255 Cust_DVR1

  IP outside X.Y.Z.227 255.255.255.224
  IP address inside 192.168.1.1 255.255.255.0

  location of PDM Cust_DVR1 255.255.255.255 outside

  Global 1 X.Y.Z.230 (outside)
  Global (dmz1) 1 interface
  NAT (inside) 0-list of access inside_outbound_nat0_acl
  NAT (inside) 1 192.168.1.0 255.255.255.0 0 0

  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac

  outside_map 30 ipsec-isakmp crypto map

  outside_map 30 peer A.B.C.D crypto card game<--- (public="" ip="" of="" customer="">

  card crypto outside_map 30 match address centura_map_30

  card crypto outside_map 30 the transform-set ESP-3DES-MD5 value

  outside_map interface card crypto outside

  ISAKMP key * A.B.C.D netmask 255.255.255.255 No.-xauth No. config-mode

  part of pre authentication ISAKMP policy 30

  ISAKMP policy 30 3des encryption

  ISAKMP policy 30 md5 hash

  30 2 ISAKMP policy group

  ISAKMP duration strategy of life 30 86400

  My hope is that anything on the 192.168.1.0/24 would be able to get out of the external interface as our only our public IP addresses (i.e. X.Y.Z.230), but the traffic they see on the other end is coming from the 192.168.1.0 network.  I tried to remove the line inside_outbound_nat0_acl think she would use then the world but still do not have a bit of luck and the only difference I see on Kiwi Syslogd is that the src_proxy changes to 0.0.0.0 where is shows the IP address of my private side (for the purposes of the config above let's call it 192.168.1.135).

  THANKS MUCH FOR ANY HELP!

  -Mario

  Hello

  For example, you can NAT your internal via the tunnel network traffic when you go to this customer.

  In this way, they will see your unique internal network as an IP address.

  Let's say, rather than them seeing your internal 192.168.1.0/24, eelle will see your traffic like X.Y.Z.227

  Is this what you need?

  Federico.

• Authentication PEAP with Cisco ACS 5.3 and Lotus Notes DB

  Hello

  I want to authenticate clients wireless against the name of user/passwords stored in a lotus notes database.

  Network: PEAP SSID-> Accesspoint-> controller-> ACS 5.3 WLAN 4404-> Notes DB

  Is this possible?

  I can connect to the attributes and ldap groups and query. but when I try to authenticate a user, I always get an error "object not found in the identity store.

  Bind test succeeds (> 100 groups and > 100 subjects.)

  EAP MSCHAP v2 is not taken in charge with LDAP by ACS

  You can use EAP GTC

  You should a begging utility that supports PEAP (EAP-GTC)

  such as ADU, Intel Proset, CSSC Cisco AnyConnect,... you can google for a list of applicants

  Open the new thread for cause of Apple

  ------------------------------------------------------------------

  Be sure to note the correct answers and report this thread as answered

• Cisco ACS 4.0 and HTTPS

  New to ACS, is there a way to require (or even simply permit) https to access the administration web site?

  Thank you

  Tim

  Hello

  Yes there is:

  Administration control then the access policy. Check the box ' use HTTPS Transport for Admin Access.

  You need a good first server cert. The CERT management pages are Config system.

  Mounira

• How can I use Cisco ACS to save Shell commands

  Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router. I get the accounting logs and authentication but no newspaper that show orders issued by users - shell and it's the most important paper that I need. I read materails and download articles on the site of Cisco... but the thing is still does not give me the papers.

  I have these lines on my router:

  ...

  AAA authorization config-commands

  AAA authorization exec default group Ganymede +.

  AAA authorization commands 15 default authenticated if

  AAA authorization network default group Ganymede +.

  ...

  It's funny, when I turn on debugging of the authorization of the AAA on the router, it shows me every command being sent by the user on the debug log. But nothing shows under Administration TACAC + on the Cisco Secure ACS. What is responsible for this?

  *****************************************************

  I installed the trial version of the Cisco ACS 90 days and made all necessary settings and I have to say I like what I see already. I'm opening moves to recommend the product to purchase. Thank you guys, I got about the features of this ACS software through this forum, keep up the good work. I recommend the software for those who need to have adapted to the management reports Security Audit logs.

  If I understand what you're asking correctly, the answer is not in the authorization, that it is in accounting. I set up on my routers and send to ACS orders that level 15 privilege users enter on the router.

  orders accounting AAA 15 by default start-stop Ganymede group.

• RADIUS does not not on Cisco ACS SE v4.1 (1)

  Hello

  I have a CiscoSecure ACS version 4.1 (1) build 23.

  I can't configure the Cisco ACS for granular control of access router. I have a Netopia Router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the request to access the Cisco ACS SE RADIUS and a sniff on the side of the ACS shows the application of GBA, but I see no response from the ACS. RADIUS authentication to work with a Windows 2003 server.

  I configured an AAA client and a user of the ACS and use the default group. I use IETF RADIUS. Should what attributes I configure. In Windows, I use Service Type framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the newspapers. It shouldn't be so difficult, but for some reason I can't make it work.

  Thanks for any help.

  Jutta Kullmann

  Jutta,

  Good to know it works very well. Please mark this thread as solved so other can benefit from.

  Kind regards

  ~ JG

• Cisco ACS 5.2 with NX - OS (Nexus) devices user - questions

  Hey, I have a really strange problem with Cisco ACS 5.2 and Nexus NX - OS devices.

  I create an account on ACS, let's call him User1 and give privilege 15. With User1, I am able to access on all our IOS, IOS - XE, ASA and PIX devices with privilege 15.

  When I use the User1 account in our NEXUS devices, I do NOT receive the access privilege 15. As you probably know, the NEXUS devices have roles: predefined or custom roles. So I assumed I would get the role of "network-admin" (15 private read/write) User1 when you connect, but instead I got the role of 'vdc-operator' (private 1 read-only).

  Then I tried to twist User1 and give network-admin under profile Shell > Custom Attributes. I logged in the NEXUS and of course I was able to get a network-admin access. However, my access to ALL other devices (IOS, ASA, PIX, etc.) does NOT work! I am not even able to connect with my login and my password for these devices.

  Has anyone ever experience this problem? Help, please!

  Thank you

  neocec

  This is a common problem when you mix with RBAC and IOS devices authorization policies, the pair av that you created must be set 'optional' instead of 'compulsory', please make this change and you will be able to access all your devices.

  Thank you

  Tarik

• Cisco cisco ACS patch location site

  Hello

  I want to install cisco Acs 4.1 and I'm looking for the location on the Web site for patches can you please give the path?

  Thank you

  For ACS for windows:

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  For ACS SE:

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

  Kind regards

  Prem

• Cisco ACS 5.3 several AD domains

  Hello everyone

  I have a quick question about Cisco ACS 5.3 and multi domain authentication. How exactly is it treated?

  Can I join more than one field with the ACS server? Or do I still need to configure this two-way trust between forests AD relationship (even with GBA 5.3)?

  Thank you

  Markus

  Hello

  You can join only acs to a single domain. Here's a thread that will help you identify the confidence you will need to get this working.

  https://supportforums.Cisco.com/thread/2162234

  Thank you

  Tarik Admani

  Please evaluate the useful messages

  Sent by Cisco Support technique iPad App

• LAN-to-LAN tunnel between VPN 3000 and Cisco 1721

  Hello

  I have a current LAN-to-LAN tunnel configuration between VPN 3000 (3.6) and Cisco 1721 (12.2 (11) T).

  When I use the encryption = authentication and Des-56 = ESP\MD5\HMAC-128 for the IPSec Security Association, everything works fine.

  However, I would like to Turn off encryption for some time getting the speed improvements, so I changed

  Encryption = null esp (in 1721) and to "null" in VPN-3000.

  Now the tunnel is setup but I can spend only ICMP traffic. When I pass the traffic UDP\TCP the message below appears the Cisco 1721

  % C1700_EM-1-ERROR: error in packet-rx: pad size error, id 75, hen offset 0

  Has anyone seen this behavior?

  All those put in place an IPSec Tunnel with only the ESP authentication and NO encryption between VPN-3000 and Cisco 1721?

  Thanx------Naman

  Naman,

  Disable you the vpn Accelerator? "no accel crypto engine. Sure that you can't do with a null module vpn.

  Kurtis Durrett