Cisco ACS AD authentication

Hello!

I'm currently deploying Cisco ACS 5.4 on our network and I'm looking into some additional measures to ensure authentication and authorization to the devices.

I would like to ask if anyone has any advice on the following as I may have been embarrassed to do this way myself.

OK, the users are now authenticated with an external identity store (Active Directory). I would like to know if there's a way to also authenticate these users or allow them on ACS, so that when the IT Department adds a user who should not be in a group, but the group is authenticated to a set of devices, this user will not be able to access the devices.

A simpler explanation is as follows.

Groups etc. are fictional.

I have a group in AD called "Engineers" that contains 2 users, user A and user B.

Engineers have a shell profile on ACS that gives superuser permissions/privileges on the devices.

However, Active Directory is managed by the IT Department, which could be social engineered into adding a user C to this group.

What I need to know is a way to allow user A and user B to access devices while keeping the shell profile with the AD group "Engineers".

I am aware of the conditions in profiles/authorization rules. Does that mean I have to create both local users and assign their passwords as well?

I'm a bit confused, as you can see...

Any help will be greatly appreciated!

Thank you!

Because user C would be added to the same group that already contains users A and B, and the authorization rule is configured to grant root access to users A and B based on their membership of the engineering group, user C will also be granted this access.

ACS has no way to know which users are members of the engineering group, nor can it detect that user C has been successfully added.

If you want to use the AD credentials and at the same time maintain a canonical list of users for ACS to check, you will need to create local ACS users, as you suggested above.
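The difference between the two rule designs discussed in this thread, as an added Python sketch of the policy logic (it is not ACS configuration, an ACS API, or code from either poster). The user names, the `CORP` domain and the function names are assumptions, and a single AD domain is assumed.

```python
"""Policy logic only: AD group alone versus AD group plus a canonical user list."""

PRIVILEGED_GROUP = "engineers"            # fictional AD group from the thread
APPROVED = frozenset({"usera", "userb"})  # canonical list kept outside AD (assumed names)


def norm(name: str) -> str:
    """Reduce DOMAIN\\user, user@domain and mixed case to one comparable form.

    Assumes one AD domain: with several domains, keep the domain in the key.
    """
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]


def group_only(user: str, groups: set) -> str:
    """Rule as described in the question: AD group membership alone decides."""
    in_group = PRIVILEGED_GROUP in {g.lower() for g in groups}
    return "superuser-shell" if in_group else "deny"


def group_and_list(user: str, groups: set) -> str:
    """Second condition: the user must also be on the canonical list."""
    if group_only(user, groups) == "deny":
        return "deny"
    return "superuser-shell" if norm(user) in APPROVED else "deny"


def drift(group_members) -> list:
    """Members of the AD group that are not on the canonical list."""
    return sorted({norm(m) for m in group_members} - APPROVED)


# Constructed sample data: the group after user C has been added in AD.
MEMBERS = ["CORP\\UserA", "userb@corp.example", "CORP\\userc"]

if __name__ == "__main__":
    for m in MEMBERS:
        print(m, group_only(m, {"Engineers"}), group_and_list(m, {"Engineers"}))
    print("unapproved members:", drift(MEMBERS))
```

Running `drift` on a periodic export of the group membership gives a review list even where the authorization rule itself cannot be changed.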

Tags: Cisco Security

Similar Questions

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have a test version of 4.2 on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    The Windows 2003 server is part of the domain; and on the ACS, I go to External Database > Database Configuration > Windows Database > Configure.

    From there, I chose my domain name and selected "devices the EAP-TLS Machine authentication". I've also mapped the domain to the group I created in ACS.

    I'm also using the default RADIUS ports 1812 and 1813 on the ACS.

    On my WLC 5508, I created a WLAN and defined the RADIUS IP as the IP address of the ACS. However, when I tried to join the wireless network, it kept failing.

    I installed the user cert on the laptop for EAP-TLS. If I changed the RADIUS server on the WLAN and pointed it to my AD/NPS, my test laptop was able to join the wireless network through EAP-TLS.

    I'm a little confused about TACACS+ on the ACS. Is TACACS+ only used for logging in to network devices for management, or can it be used for regular users for authentication and authorization?

    For example, a wireless user, who is part of the domain, needs to join the corporate wireless network in his office. Can I use TACACS+ for it, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes, that's true, and it applies to wired as well.

    On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuration of WLC and ACS for the RADIUS settings:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the link listed below to install the certificate on ACS 4.2:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE Server and exported it to the 1120 ACS.

    I also added the ACS as a NetOS Agent in the RSA server; during the process, I got a few warnings. The ACE Server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any file of secret key for communication between FAC and RSA and I used encryption is FOR.

    Now, when I log into ACS and search in the identity store sequences, I am not able to find the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me what the communication between the RSA and ACS is.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After you selected the sdconf.rec and pressed Submit, what happened? Was the RSA instance created OK?

    If you go to Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

  • [Cisco ACS 5.2] EAP-TLS authentication failure

    What we are e

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication, and computer certificates are automatically enrolled from Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session, but the session ticket was not properly taken over by ACS...

    In the ACS configuration, we checked the option "Enable EAP-TLS Session Resume" with the session timeout "7200".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem but the reboot does not work in my case...

    It is fixed in 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must be fixed in 5.4.

    Even if the same issue appeared with 5.4, there would be a different bug ID and it would be identified as an independent issue (usually with different causes).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • [Cisco ACS] 11036 the RADIUS Message Authenticator attribute is invalid

    Hello

    I have a lot of Cisco APs connected to 2 Cisco WLCs.

    On each WLC, I configured a primary and a secondary RADIUS server.

    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)

    ACS primary and secondary configurations are synchronized.

    There is no problem between the primary WLC and Cisco ACS (primary and secondary).

    When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 the RADIUS Message Authenticator attribute is not valid".

    The secondary WLC then automatically contacts the secondary Cisco ACS and it works fine.

    Cisco ACS description for this error: "this can be reason of mismatched shared Secrets."

    The two Cisco ACS are synchronized, so I should have the same error on them...

    Why does the primary ACS generate this error?

    Thanks for your help,

    Patrick

    Patrick: The shared secret mismatch could be on the WLC side, not on the ACS side.

    Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Cisco ACS. Two-factor authentication.

    Hello.

    We intend to use the connection diagram: cisco asa + cisco acs 5.4 + rsa securid.
    We use two groups on Cisco ACS. Group "A" must use two-factor authentication, and group "B" doesn't.
    How to create this rule?

    Perform the rule base identity selection with dap-tunnel-group-name as a selector.

    The ASA will send the name of the tunnel group in the auth request.

    Attached example.

  • Cisco ACS 4.1 with external AD for authentication

    Hello

    We have just configured a Cisco ACS 4.1 solution engine, using a Windows 2003 domain controller as a remote agent. We use TACACS as the protocol.

    Users that are created in ACS itself are able to connect to various network devices, but users in the domain (Active Directory) cannot connect. We get the access denied message. At the same time we get an "external DB is not operational" message in ACS.

    On the Active Directory server where the agent runs, in CSWINAgentlog, we get the following error: 'NDLIB'... FOUND 0 TRUSTED DOMAIN.

    Could you please help us to isolate the problem.

    Thank you & best regards

    Make sure that the version of the ACS and the remote agent software is the same. Also, the account running the remote agent must have special domain administrator rights, like "act as part of the operating system" and "log on as a service".

    Kind regards

    ~ JG

  • Renew the certificate in Cisco ACS for PEAP authentication

    Hi, we installed on the wireless client laptops a certificate created by Cisco ACS to authenticate, but it's about to expire.

    How can I renew the certificate without affecting users?

    (1) Yes, we can generate a new cert but install it later.

    (2) Install the newly generated cert on the client.

    (3) Install the new cert in ACS.

    Good plan and will probably work.

    Kind regards

    ~ JG

    Do rate helpful posts

  • How can I use Cisco ACS to log shell commands

    Hi guys, pleeeease how can I configure Cisco ACS to do command authorization on my Cisco 3660 router? I get the accounting and authentication logs, but no log that shows the shell commands issued by users, and it's the most important log that I need. I read materials and downloaded articles from the Cisco site... but the thing still does not give me the logs.

    I have these lines on my router:

    ...

    aaa authorization config-commands

    aaa authorization exec default group tacacs+

    aaa authorization commands 15 default if-authenticated

    aaa authorization network default group tacacs+

    ...

    It's funny, when I turn on AAA authorization debugging on the router, it shows me every command being sent by the user in the debug log. But nothing shows under TACACS+ Administration on the Cisco Secure ACS. What is responsible for this?

    *****************************************************

    I installed the 90-day trial version of Cisco ACS and made all the necessary settings, and I have to say I like what I see already. I'm making moves to recommend the product for purchase. Thank you guys, I learned about the features of this ACS software through this forum; keep up the good work. I recommend the software for those who need management reports adapted to security audit logs.

    If I understand what you're asking correctly, the answer is not in authorization; it is in accounting. I set this up on my routers to send to ACS the commands that privilege level 15 users enter on the router:

    aaa accounting commands 15 default start-stop group tacacs+

  • Problem with Cisco ACS and different areas

    Hello

    We are currently facing a problem with the Cisco ACS that we put in place, and I'll try to describe it:

    We have ACS linked to the AD directory, where we have 2 domains and appropriate group mappings.

    Then we have our Cisco switches with the following configuration:

    aaa new-model

    aaa authentication fail-message ^CCCC

    Failled to authenticate!

    Please IT networks Contact Group for more information.

    ^C

    aaa authentication login default group tacacs+ local

    aaa authorization exec default group tacacs+ local

    aaa authorization network default group tacacs+ local

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    !

    aaa session-id common

    But the problem is that with the users in one domain we can authenticate, but not with the other. Basically, the issue is that when we check the passed authentications, both authentications are passing and displayed as 'Authentic OK', but on the switch side, there is a failure.

    Could there be something wrong with the ACS?

    Thank you

    Jorge

    Try increasing the timeout on IOS device using radius-server timeout 10.

    Do we not have remote logging enabled on the ACS server?

    -Philou

  • RADIUS does not work on Cisco ACS SE v4.1(1)

    Hello

    I have a CiscoSecure ACS version 4.1(1) build 23.

    I can't configure the Cisco ACS for granular control of router access. I have a Netopia router that is configured to use RADIUS to authenticate remotely for a telnet connection. The router sends the RADIUS access request to the Cisco ACS SE, and a sniff on the ACS side shows the request reaching the ACS, but I see no response from the ACS. RADIUS authentication works with a Windows 2003 server.

    I configured an AAA client and a user on the ACS and use the default group. I use IETF RADIUS. What attributes should I configure? In Windows, I use Service-Type Framed and Framed-Protocol PPP. This does not work with the Cisco ACS SE. Nothing shows up in the logs. It shouldn't be so difficult, but for some reason I can't make it work.

    Thanks for any help.

    Jutta Kullmann

    Jutta,

    Good to know it works very well. Please mark this thread as solved so others can benefit from it.

    Kind regards

    ~ JG

  • Cisco ACS 5.4 and VPN 3000

    Hello

    I'm trying to use Cisco ACS 5.4 for RADIUS authentication for VPN users on a VPN 3000 concentrator.

    I added the VPN 3000 on ACS and added the ACS on the VPN group as an authentication server with a shared secret. When I do a test on the authentication server using the local account that I created on ACS, it comes back as "no response was received from the server", while I can see the RADIUS Auth in green.

    Any help would be much appreciated.

    Regards

    AR

    Hey,

    What is the report on ACS?

    "RADIUS Auth in green"

    If so, a pcap between the two would help.

    Regards

    Ed

  • Problem configuring SRW2016 for 802.1x with Cisco ACS 4.2

    Hi all

    I have a Cisco Catalyst infrastructure (Cisco 2960, 3560) and 2 x ACS 4.2, and 802.1x authentication is working very well.

    I tried to add a Linksys SRW2016 to the infrastructure, but I encountered a problem.

    I did the same configuration on ACS as for all the other switches and I configured the SRW2016 according to the manual for .1x, and in the ACS log under FAILURE ATTEMPTS I got the following error:

    Message Type: bad NAS request

    Authentic-failure-Code: authenticator of invalid message in the request of the EAP

    I have rechecked the configuration, especially the Shared Secret, and that's OK.

    Any idea what the problem is and how to solve it?

    Best regards

    Goran,

    It is mostly indicative of a bad shared secret. Can you confirm whether the Linksys switch is in an NDG and, if so, whether you have keys defined for the NDG?

    Faisal

  • Cisco ACS 5.5

    Hello

    I just installed Cisco ACS 5.5.0.46.  We managed to get Juniper devices to authenticate using RADIUS.

    The problem is that the authentication logs are empty.

    I intend to patch the ACS with Update Rollup 4 tonight, hoping that it can fix the problem.

    Can someone advise?

    Regards

    Vijay

    Good to hear your issue was resolved. Also, thank you for taking the time to come back and post the solution to the problem! (+5 from me). Now, if your issue is resolved, please mark the thread as "answered" :)

  • [Cisco ACS] Memory usage limit

    Hello

    We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10

    The primary server handles 20000+ authentications per day.

    Its memory usage is growing every day.

    It's now 83%

    Is there a limit?

    What happens when memory use reaches this limit?

    What can we do to purge the memory usage? (reboot, restarting the service...)

    Thanks for your help

    Patrick

    Check the secondary log collector. This will help to balance the load between the two nodes and you will see the memory usage decrease.

    Thank you
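Two threads above (error 11036 between the secondary WLC and the primary ACS, and the SRW2016 802.1x failure) come down to the RADIUS Message-Authenticator check, so here is that check as an added Python example; it is not code from any of the posters or from Cisco. The secrets, user name and packet are constructed sample values, and the attribute layout follows RFC 2869.

```python
"""RADIUS Message-Authenticator (attribute 80, RFC 2869) on a constructed Access-Request."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
MESSAGE_AUTHENTICATOR = 80


def attr(type_: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([type_, len(value) + 2]) + value


def build_access_request(ident: int, req_auth: bytes, user: bytes, secret: bytes) -> bytes:
    """NAS side (WLC or switch): sign the whole packet with its copy of the secret."""
    attrs = attr(USER_NAME, user) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the attribute value is the last 16 octets here


def verify(packet: bytes, secret: bytes) -> bool:
    """Server side: zero the attribute value, recompute HMAC-MD5, compare."""
    pos = 20  # attributes start after the 20-octet header
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute
        if type_ == MESSAGE_AUTHENTICATOR and length == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += length
    return False  # attribute absent


# Constructed sample values, not taken from the threads.
SERVER_SECRET = b"secret-configured-on-acs"
REQUEST = build_access_request(7, bytes(range(16)), b"testuser", b"secret-typed-on-nas")

if __name__ == "__main__":
    print("server secret matches NAS:", verify(REQUEST, SERVER_SECRET))
    print("same secret on both sides:", verify(REQUEST, b"secret-typed-on-nas"))
```

Because the secret is looked up per AAA client, one NAS with a mistyped secret fails this check while every other client of the same server keeps working.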
