Cisco Prime 3.1 TACACS+ setup on ACS 5.6.0.22

Looking to use Secure ACS as the AAA server for our Cisco Prime 3.1 controller. Does anyone have instructions or whitepapers for reference?

Hello

Use the following doc to help you get started:

http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

Thank you

John

Tags: Cisco Security

Similar Questions

  • Prime and ACS View Server Integration

    Can someone point me in the right direction for a good doc on implementing Prime (1.3) with an ACS View (5.1) server?

    Guy: I was doing a little research on this topic and I just wanted to add that there is not much config that we have to do on the ACS.

    All you need is this command on the ACS CLI: "acs config-web-interface view enable".

    On Prime, we already enter the ACS View server IP and port information. In addition, integrate Prime with ACS using a super admin privileged account. The default acsadmin has super admin rights, so we can use it on the Prime side, or you can create a specific account on ACS and assign it super admin rights under System Administration > Administrators > Accounts > New Account.

    Once this is done, please try it from NCS and let me know how it goes.

    Jatin kone
    - Do rate helpful posts -

  • No TACACS+ Administration report after upgrading to ACS 4.1

    Hello

    I was running the ACS 4.0 demo version. Everything worked very well.

    After the upgrade, keeping the old configuration, I can't see logs in the TACACS+ Administration reports. I kept the router configuration and get the same thing, so I think the problem lies in the ACS software.

    I tested a few debugs, and it seems that the router sends the typed command to the ACS.

    Here is the config I'm using:

    aaa new-model
    tacacs-server host 192.168.X.X key XXXXXXXXXXX
    aaa authentication login telnet group tacacs+ enable
    aaa authentication login console enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection telnet start-stop group tacacs+
    ! (the record type of the connection accounting line is garbled in the original post; start-stop assumed)
    line con 0
     authorization exec NO-AUTH
     login authentication console
    line vty 0 4
     authorization exec AUTH
     login authentication telnet
    aaa authorization exec AUTH group tacacs+ none
    aaa authorization config-commands
    aaa authorization exec NO-AUTH none
    aaa authorization commands 0 default group tacacs+ none
    aaa authorization commands 1 default group tacacs+ none
    aaa authorization commands 15 default group tacacs+ none

    Hello

    It is a known issue; you must apply the ACS 4.1.1.23.5 hotfix to solve the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    The patch for Windows ACS is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    That should solve the problem

    Kind regards

    Jagdeep

    Note: If this answers your question, please mark this thread as solved so that others can benefit from it.

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have version 4.2 on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    Windows 2003 is part of the domain, and on ACS I go to External User Databases > Database Configuration > Windows Database > Configure.

    From there, I chose my domain name and selected the EAP-TLS machine authentication option. I've also mapped the domain to the group I created in ACS.

    I'm also using the default RADIUS ports 1812 and 1813 on ACS.

    On my WLC 5508, I created a WLAN and set the RADIUS IP to the IP address of the ACS. However, when I try to join the wireless network, it keeps failing.

    I installed the user cert on the laptop for EAP-TLS. If I change the RADIUS server on the WLAN and point it to my AD/NPS, my test laptop is able to join the wireless network through EAP-TLS.

    I'm a little confused about ACS TACACS+. Is TACACS+ only used for logins to network devices for management, or can it be used for regular users' authentication and authorization?

    For example, a wireless user who is part of the domain needs to join the corporate wireless network in his office. Can I use TACACS+ for that, or must it be RADIUS via ACS 4.2?

    Thank you

    Yes, that's right, and it applies to wired as well.

    On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).

    Configuring the WLC and ACS RADIUS settings:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the link below to install the certificate on ACS 4.2:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Do rate helpful posts *

  • Interaction of TACACS+ and RADIUS on ACS 2.6 for downloadable PIX ACLs

    We have ACS v2.6 running, controlling our remote access, routers and switches. We are now looking to add support for an internal PIX firewall and want to use ACS downloadable ACLs for the PIX (to control outbound traffic through the PIX for authenticated users).

    We have achieved this using the Cisco IOS/PIX RADIUS attribute [009\001] cisco-av-pair on ACS (and access list restrictions on user access).

    However, the problem we noticed is that any user who is valid in our CiscoSecure or SecurID database can authenticate and gain access through the firewall, even if they are not allowed to (and by default on the PIX, inside to outside is allowed unlimited full access).

    We then imposed network access restrictions on the CiscoSecure ACS for our PIX, to allow access only to the corresponding user groups, but it did not work with RADIUS, only TACACS+ (I guess that's because RADIUS does not support authorization).

    We must work with TACACS+ and have ACS pass the ACL number/ID down to the PIX for allowed users.

    Question: We want to use ACS downloadable ACLs for the PIX (for reasons of central support). Is this possible using TACACS+, and if yes, how do we configure CiscoSecure ACS for the example ACL below?

    access-list pix_int permit tcp any host 10.x.x.x eq 1022

    access-list pix_int permit tcp any host 10.x.x.x eq 1023

    Thank you

    Downloadable ACLs work only with RADIUS, as described here:

    http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

    You can continue to set the ACL on the PIX itself and simply pass the ACL number via TACACS (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you can't actually pass the entire ACL down via TACACS, sorry.
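    As an added illustration of the per-user ACL mechanism the answer describes (this is example code written for this page, not Cisco's or ACS's own code), the following Python turns ACL entries like the ones in the question into the ip:inacl#N=... cisco-av-pair strings, wraps each one in the RADIUS Vendor-Specific attribute (type 26, vendor-id 9, vendor-type 1) that ACS attribute [009\001] refers to, and decodes them back while rejecting inconsistent length fields. The host address 10.0.0.1 and the User-Name alice are constructed sample values; the wire layout follows RFC 2865 section 5.26.

```python
"""Encode/decode the RADIUS cisco-av-pair VSA that carries PIX per-user ACLs.

Example code written for this thread, not Cisco's or ACS's own code. Wire
layout follows RFC 2865 section 5.26 (Vendor-Specific attribute 26).
"""
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR = 1          # vendor-type of cisco-av-pair, i.e. ACS attribute [009\001]
MAX_AVPAIR_LEN = 255 - 8  # attr header (2) + vendor-id (4) + vendor header (2)


def per_user_acl_avpairs(acl_lines):
    """Turn ACL entries into the ip:inacl#N=<ace> strings ACS sends per user."""
    return [f"ip:inacl#{n}={line.strip()}" for n, line in enumerate(acl_lines, start=1)]


def encode_cisco_avpair(value):
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    data = value.encode("ascii")
    if len(data) > MAX_AVPAIR_LEN:
        raise ValueError("cisco-av-pair exceeds one RADIUS attribute; split the ACE")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    header = struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(vendor_part), CISCO_VENDOR_ID)
    return header + vendor_part


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return every cisco-av-pair string.

    Non-VSA attributes and VSAs from other vendors are skipped; truncated or
    inconsistent length fields raise instead of being read past the buffer.
    """
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("attribute length inconsistent with buffer")
        body = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            vtype, vlen = body[4], body[5]
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                if vlen < 2 or 4 + vlen > len(body):
                    raise ValueError("vendor length inconsistent with attribute")
                pairs.append(body[6:4 + vlen].decode("ascii"))
        i += alen
    return pairs


def user_name_attr(name):
    """Plain User-Name attribute (type 1); shows that the decoder skips non-VSAs."""
    data = name.encode("ascii")
    return struct.pack("!BB", 1, 2 + len(data)) + data


if __name__ == "__main__":
    # Constructed sample: the question's two ACEs with a concrete host address.
    acl = per_user_acl_avpairs([
        "permit tcp any host 10.0.0.1 eq 1022",
        "permit tcp any host 10.0.0.1 eq 1023",
    ])
    access_accept = user_name_attr("alice") + b"".join(encode_cisco_avpair(p) for p in acl)
    for pair in decode_cisco_avpairs(access_accept):
        print(pair)
```

    Each ACE travels in its own attribute because a RADIUS attribute is limited to 255 bytes, which is also why the encoder refuses over-long entries rather than silently truncating them.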

  • CiscoWorks LMS or Cisco Prime LAN Management? Help

    In my business, we are looking to add a network management solution:

    Some time ago, we installed CiscoWorks LMS 3.2, but we have decided to install another, more modern solution. Which solution would you recommend?

    Requirements:

    Management of 1,000 Cisco devices.

    Regularly perform mass configuration changes.

    Constant monitoring of the network infrastructure.

    Configuration backups.

    We have two options:

    - Update the current CiscoWorks to LMS 4.x

    - Buy the "Cisco Prime LAN Management" solution

    Which solution would you recommend?

    Thank you for your attention.

    Kind regards.

    Hi Jeffersson,

    The current product packaging is a bit confusing. Cisco is rebranding all of their management under the aegis of the Cisco Prime solutions. All Prime products have a common look and feel and take advantage of some architectural approaches. Going from LMS 3.2 to 4.x will put you in Cisco Prime territory.

    Among the Prime products are "Cisco Prime Infrastructure" (also known as PI; 1.2 is the current version) and "Cisco Prime LMS" (4.2.3 is current). Prime Infrastructure (1.0) began as the successor to Cisco's wireless management (NCS) product and has been adding features along the way to bring it up to parity with LMS functionality for wired infrastructure. It isn't quite there right now (current comparison here), so existing LMS customers are usually advised to stick with the latest version of LMS for now.

    Still with me? Good. The extra twist is that LMS 4.2 is "included" with PI 1.2 licenses; see the licensing guide link below. So, if you want LMS 4.x, you actually order PI 1.2 with "Lifecycle" licenses according to the number of devices you manage. (There are also "Compliance" and "Assurance" add-ons, each adding the new features of the respective licenses. Compliance is available from LMS 4.2 in the CAAM. Assurance is almost purely a PI 1.2 functionality.)

    So my recommendation would be to upgrade to PI 1.2 and to install and use LMS 4.2 (4.2.3, patched up to date with all the product packages). If you have a VMware setup, the flexible virtual appliance deployment option (OVA file) is the easier implementation.

    You may find the following two links useful to explain Cisco's point of view on this:

    LMS Functional Reference

    Prime Infrastructure Ordering and Licensing Guide

    Don't worry, not all of this will be on the test.

  • Cisco ACS patch

    I need to patch our ACS server from 4.2.0.124.6 to 4.2.0.124.17. My question is, do I need to apply the patch to our remote agents as well? Cisco documentation only indicates that both the ACS and the Remote Agents must be 4.2.0.

    I just want to confirm.

    Thank you!

    Hello

    Well, yes, the ACS and RA versions, including the patch, must be the same.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel your query is resolved. Rate the helpful posts.

  • New ACS server appliance information

    Hi all

    Please suggest how to install a new ACS 1113 box directly in the network, e.g. how to change the IP address of the box; does the ACS appliance hardware come with the ACS software loaded, or do I have to install it?

    I got 3 CDs with the box.

    Please help me

    Hi Sandeep,

    You must first connect the ACS SE NIC to the production switch. On boot, check whether it is pre-loaded with a recent/other image.

    The latest image is 4.2.0.124 for the 1113.

    Establishing a serial console connection:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/instalap.html#wp1065399

    Initial setup of the ACS:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/instalap.html#wp1024038

    Setting the IP address:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/cliap.html#wp1194461

    Complete command reference:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/cliap.html

    HTH

    JK

    - Please rate helpful posts -

  • ACS password policy

    My company wishes to replace the existing LDAP servers with Cisco ACS. A requirement of our VPN security policy is that the user must change their VPN account password before their first login. If the user tries to connect to the VPN without changing their password, they are denied access.

    Is there a rule in ACS which can achieve this?

    Hello Michael,

    Yes, there is a way to change the password. You will need to set 'password-management' under the tunnel group you have created for this connection, with the AAA server that will authenticate users. Please consider the following information:

    ACS can be configured to check users against an AD database. Password change and expiry are supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used.

    On an ASA, you can use the password management feature, as described in the next section, in order to force the ASA to use MSCHAPv2. ACS uses Common Internet File System (CIFS) Distributed Computing Environment/Remote Procedure Call (DCE/RPC) calls when it contacts the domain controller (DC) directory in order to change the password.

    The ASA may use both the RADIUS and TACACS+ protocols to contact ACS for an AD password change. The commands (the tunnel group name is a placeholder):

    ASA(config)# tunnel-group <tunnel-group-name> general-attributes

    ASA(config-tunnel-general)# password-management

    For more information about PAP and MSCHAP with RADIUS, see:

    http://www.Cisco.com/c/en/us/support/docs/network-management/remote-ACCE...

    Please rate this post and the previous one and mark it as correct; keep me posted if anything happens!

    Kind regards

    David Castro,

  • Adding a static route to the ACS

    How can I add a static route to my ACS SE appliance?

    I'm trying to get AAA working on a Cisco 871 that is at the remote end of a site-to-site VPN from the ASA to the 871. On the router, I use interface vlan1 as the source for TACACS.

    My ACS server is on my ASA management subnet, but the ACS route to the remote LAN is via its default gateway and the INSIDE interface of the ASA. I need the TACACS traffic from the ACS to return through the ASA management interface.

    Thanks in advance.

    John

    John,

    There is no way to set a static route on the ACS appliance. The only network settings you can set are the IP address/subnet, default gateway and DNS servers.

    Kind regards

    ~ JG

    Please mark it as resolved so others can benefit from it.

  • TACACS command accounting

    Hello

    We have set up accounting on our network devices. But the commands that users type do not appear in the TACACS+ accounting section. We use ACS 4.1 SE, and the commands pushed to the devices are given below.

    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    Help, please

    Command accounting logs are stored in the TACACS+ Administration logs. There is also a known issue on version 4.1.1, and we must apply the ACS 4.1.1.23.5 patch to fix the problem.

    The patch for the appliance is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

    The patch name: ACS SE 4.1.1.23.5 rollup

    The ACS hotfix for Windows is available at

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

    The patch name: ACS 4.1.1.23.5 rollup

    Kind regards

    ~ JG

    Rate the helpful posts

  • ACS v5.5 install problem

    I am installing ACS on a VM, following Cisco's VM installation documentation, but the installation fails when it tries to install ACS after the operating system has been installed successfully.

    See the screenshot for the errors.

    Has anyone come across this error before, and if so, how did you get around it?

    Thank you

    Jon

    Have you configured the virtual machine with all of the resources described in the ACS hardware installation guide?

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_control_system/5-6/installation/guide/csacs_book/csacs_vmware.html

    Thank you for rating helpful posts!

  • Re: TACACS configuration

    Hi all

    I'm trying to configure authentication for around 300 routers with Cisco TACACS AAA. I installed ACS 4.2 on a Windows Server 2003 and updated the following AAA commands on the router, the RADIUS-server host and the key on the trial router:

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ local
    aaa authentication login NO_AUTHEN none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec NO_AUTHOR none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 1 NO_AUTHOR none
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 NO_AUTHOR none
    aaa authorization network series none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    !
    aaa session-id common

    Then I created a user and set a secret key on the ACS server, and I added this router as an AAA client. The router no longer accepts the old login name and password, but it does not accept the username set on ACS either. Where am I making a mistake? Kindly help.

    Thank you.

    ANU,

    Are you getting the TACACS username-password prompt?

    If you get the username-password prompt and it isn't taking the TACACS credentials, could you please log in with the local username-password and run these debugs:

    debug tacacs
    debug aaa authentication
    term mon

    After this, attempt to log in again with the TACACS username-password and send me the output.

    Also check the Failed Attempts on ACS under Reports and Activity.

    HTH
    JK

    - Rate helpful posts -

  • Restrict router access to a SPECIFIC ACS group

    I want to control access to all of our Cisco routers and switches with TACACS+. I have a Cisco ACS appliance that can be used for centralized management of engineer accounts. The ACS server, however, is also used to store our business users' VPN accounts.

    Can I restrict access to routers and switches only to users in the engineers group on the ACS server?

    Hello

    If you use ACS 4.x, limiting access through Network Access Restrictions (NARs) could help you:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

    Let me know if this helps, or alternatively if you use ACS 5 (in which case the scenario is a little different).

    Kind regards

    Fede

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use both TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up the authentication on the switch once.

    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group radius
    radius-server host 2.2.2.2 key cisco
    tacacs-server host 2.2.2.2 key cisco

    On ACS, you must add the switch twice.

    ACS > Network Configuration > Add AAA Client

    Hostname: switch1

    IP: 3.3.3.3

    Authenticate Using: RADIUS (IETF)

    Add another switch:

    Hostname: switch2

    IP: 3.3.3.3

    Authenticate Using: TACACS+

    Kind regards

    ~ JG

    Rate the helpful posts
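    The AAA lines in this thread, in the "TACACS command accounting" thread and in the "TACACS configuration" thread are the kind of configuration a reviewer reads before blaming the ACS side. As an added example (written for this page, not a Cisco tool), the Python below parses those same `aaa ...` and `<proto>-server host` commands and reports what such a review looks for: method lists that fall back to `none` (fail open when the server cannot answer), server groups referenced without any host line, and privilege levels that have no command accounting at all. The sample config is constructed from the posts above (the trial-router config plus the dot1x lines from this thread, with no RADIUS host on purpose); the finding codes and check logic are this example's own conventions.

```python
"""Lint the AAA lines of a Cisco IOS configuration.

Example code written for this page, not a Cisco tool. Finding codes and the
check logic are this example's own conventions.
"""

# Constructed sample: trial-router config from the "TACACS configuration"
# thread plus the RADIUS/dot1x lines from the dot1x thread (no RADIUS host).
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.X.X key XXXXXXXXXXX
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication dot1x default group radius
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network default group radius
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
"""

SERVICES = ("authentication", "authorization", "accounting")
LIST_KINDS = {"login", "enable", "dot1x", "exec", "commands", "network", "connection"}
PROTOCOL_OF_GROUP = {"tacacs+": "tacacs", "radius": "radius"}  # built-in group names


def parse_aaa(config_text):
    """Return (method_lists, server_protocols).

    method_lists maps (service, kind, level, list_name) to its method tokens,
    e.g. ('authorization', 'commands', '15', 'default') ->
    ['group tacacs+', 'if-authenticated']; accounting lists keep the record
    type as their first token. server_protocols holds every protocol that has
    at least one '<proto>-server host' line.
    """
    method_lists, server_protocols = {}, set()
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) > 2 and tokens[0] in ("tacacs-server", "radius-server") and tokens[1] == "host":
            server_protocols.add(tokens[0].split("-")[0])
            continue
        if len(tokens) < 4 or tokens[0] != "aaa" or tokens[1] not in SERVICES:
            continue  # 'aaa new-model', 'aaa session-id common', line-mode commands
        service, kind = tokens[1], tokens[2]
        if kind not in LIST_KINDS:
            continue  # e.g. 'aaa authorization config-commands'
        level, idx = None, 3
        if kind == "commands":
            level, idx = tokens[3], 4
        if idx >= len(tokens):
            continue
        rest, methods, i = tokens[idx + 1:], [], 0
        while i < len(rest):  # join 'group <name>' into one method token
            if rest[i] == "group" and i + 1 < len(rest):
                methods.append("group " + rest[i + 1])
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        method_lists[(service, kind, level, tokens[idx])] = methods
    return method_lists, server_protocols


def lint_aaa(config_text):
    """Return a list of findings, each a dict with 'code', 'where' and 'detail'."""
    method_lists, server_protocols = parse_aaa(config_text)
    findings = []
    for (service, kind, level, name), methods in method_lists.items():
        where = f"aaa {service} {kind}" + (f" {level}" if level else "") + f" {name}"
        if service != "accounting" and "none" in methods:
            detail = ("the only method is 'none': no check is performed" if methods == ["none"]
                      else "'none' is the fallback: access is granted when earlier methods cannot answer")
            findings.append({"code": "FAIL_OPEN", "where": where, "detail": detail})
        for m in methods:
            proto = PROTOCOL_OF_GROUP.get(m[6:]) if m.startswith("group ") else None
            if proto and proto not in server_protocols:
                findings.append({"code": "NO_SERVER_HOST", "where": where,
                                 "detail": f"no '{proto}-server host' line backs {m}"})
    for level in ("1", "15"):  # command accounting the posters expected to see
        methods = method_lists.get(("accounting", "commands", level, "default"))
        if not methods or methods[0] == "none":
            findings.append({"code": "MISSING_COMMAND_ACCOUNTING",
                             "where": f"aaa accounting commands {level} default",
                             "detail": "commands typed at this privilege level are never sent to the AAA server"})
    return findings


if __name__ == "__main__":
    for f in lint_aaa(SAMPLE_CONFIG):
        print(f"{f['code']:27} {f['where']}: {f['detail']}")
```

    On the sample the linter flags the three `NO_AUTHEN`/`NO_AUTHOR` lists as fail-open (they only matter once bound to a line, but they are the classic way a console ends up with no authorization), the two `group radius` lists with no `radius-server host` behind them, and the absence of `aaa accounting commands 1 default`, which is exactly the kind of gap that shows up as "commands do not appear in the accounting logs". The `if-authenticated` fallback is deliberately not flagged: it only applies to a user who has already authenticated.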
