dot1x with SecurID

Setup:

RSA ACE/Server with SecurID token

ACS 3.2(1) with the RSA ACE/Agent 5.6 component

Catalyst 4506 with IOS 12.2(25)EWA1

Client with Windows XP SP1 (with KB826942) connected by cable (not wireless)

I can do:

- Authentication on the Cat4506 console CLI via TACACS+ and ACS with SecurID

- Authentication of Windows XP Professional on a switchport via 802.1x, PEAP (Microsoft) and ACS with an account in the local ACS database

I can't:

- Authentication of Windows XP Professional on a switchport via 802.1x, PEAP (Microsoft) and ACS with SecurID

The error in failed_attempts.csv is "Auth external DB failed".

There is no communication between ACE/Agent and ACE/Server in this configuration.

Can 802.1x and PEAP work with SecurID authentication? If so, what is the problem?

Is there a way to trace the communication between ACS and ACE/Agent for further error descriptions?

Kai

OTP using Microsoft PEAP (EAP-MSChapV2) is not yet supported. To use OTP, you need to use the Cisco PEAP (EAP-GTC) supplicant and enable EAP-GTC on the ACS. You can also use a 3rd-party supplicant from Funk or Meetinghouse. To enable EAP-GTC on ACS go to 'System Configuration -> Global Authentication Configuration' and check 'Enable EAP-GTC'. See the table in the middle of the following FAQ for more information.

http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_qanda_item09186a0080124e7c.shtml

Tags: Cisco Security

Similar Questions

  • 802.1x (dot1x) with IP phone / workstation using multiple authentication domains (MDA)

    Scenario:

    Workstation (behind the phone)

    IP Phone 7911 with software 8.5(2)

    ACS 4.1 with AD on the same server

    Cisco switch WS-C3750E-24PD with c3750e-universalk9-mz.122-53.SE1.bin

    Guide used:

    http://www.Cisco.com/en/us/Tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml

    To accomplish:

    Authentication of the computer and the IP phone with 802.1x. The phone using EAP-MD5 and the workstation PEAP-MSCHAPv2.

    Tried and worked:

    Workstation using EAP-MD5 (with ACS username) and using PEAP (with AD username), and it was also placed in the correct VLAN according to the username.

    The ACS log, failed authentications:

    Message-Type - User-Name - Group-Name - Caller-ID - Network Access Profile Name - Authen-Failure-Code
    Authen failed - CP 7911G-SEP00254594D6BA - - 00-25-45-94-D6-BA - VOZ - (Default) - EAP type not configured

    Switch configuration:

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    radius-server host 10.32.250.250 auth-port 1645 acct-port 1646 key 7 095F4B07110445425B54
    !
    interface GigabitEthernet1/0/3
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 200
     authentication host-mode multi-domain
     authentication port-control auto
     authentication periodic
     mls qos trust device cisco-phone
     mls qos vlan-based
     dot1x EAP both
     dot1x timeout quiet-period 20
     dot1x timeout server-timeout 100
     dot1x timeout tx-period 100
     storm-control broadcast level 15.00
     storm-control multicast level 10.00
     spanning-tree portfast
     spanning-tree guard root

    Summary of the ACS configuration:

    Configured AAA

    2 groups - voice and data, each with their respective VLAN and the ACS configuration parameters (attribute/value (AV) pairs)

    Added the username and password for the IP phones

    Mapped AD to the Data group

    Created a certificate and installed it on the workstation

    Set up the Global Authentication Configuration, where I ticked the PEAP and EAP-MD5 boxes

    So, as I said, it only authenticates the workstation w/ IP phone. When I add the IP phone it does not authenticate either of them.

    Has anyone done this?

    Hello

    First of all, you can try a different software version for the phone (for example 8.4.2S). I have a similar problem with the 8.5 software and 7945/7965 phones. Second, you must configure the av-pair attribute on the ACS side for the correct placement of the phone in the voice VLAN.

    Regards

    Stanislav

  • Secure ACS Authentication and Authorization with SecurID

    I am able to authenticate connection attempts using an external database (RSA SecurID). The problem is that everyone with a token is authorized to connect to any switch with priv15 or whatever I put (with no way to control who gets what access). How can I allow users based on membership in a certain group? The SecurID server is already integrated with LDAP; it only checks whether the user exists in the database.

    I need to create two groups, or even only allow a single group and deny everyone else, but anyone in the organization with a token is allowed to connect. I can't find guides that do anything beyond authentication when you use a SecurID token.

    Thank you.

    Hello

    On the routers and switches, have you given the command "aaa authorization exec default group tacacs+"? It seems that you have only defined authentication on the devices. When authorization is in place, user access privileges can be governed by the ACS. In the default network administrator access policy (if you are using the default policy for TACACS+), set the authorization rule to verify membership in a user group and provide the appropriate shell profile. Make the default rule give the DenyAccess shell profile to all other users.

  • Dot1x / NAC without AD account

    Hello

    I've already implemented some dot1x networks with ACS 4.2 linked to an Active Directory server, but I've never implemented NAC.

    But now we have a customer with a Citrix environment and they have devices running Windows XP Embedded, but they are not integrated with Active Directory. Is there a possibility - other than MAC authentication - to check whether this machine is a company machine?

    If I understand correctly, NAC will not work if the basic 802.1x (authentication) does not work, right?

    Thank you in advance and best regards

    Dominic

    If you're referring to the Cisco NAC appliance, it is not compatible with 802.1x (except if you deploy the NAC device in-band, which is not recommended).

    Regarding authentication, it is mainly user authentication. So it would recognize whether the user is in Active Directory, not whether the machine is in Active Directory.

    Machine authentication is used only as an exception for access points, printers and IP phones, which cannot use user authentication.

  • Dot1x: not failing over to guest VLAN

    Hello

    I am deploying dot1x in the office and I am having a little difficulty getting dot1x with mab to fail over to the guest VLAN.

    A simple scenario: where an end-user device cannot provide authentication, I want the switch to automatically put the user in the guest VLAN. I did not enable periodic reauthentication, I lowered the maximum reauthentication attempts and configured max attempts, but the switch constantly tries to authenticate the device.

    Switch model: WS-C2960-24LT-L with 15.0(2)SE6.

    The switch configuration:

    aaa accounting dot1x default start-stop group radius
    aaa authentication dot1x default group radius
    dot1x system-auth-control

    Port configuration:

    interface FastEthernet0/15
     switchport access vlan 144
     switchport mode access
     authentication event fail action next-method
     authentication event server dead action authorize vlan 550
     authentication event no-response action authorize vlan 550
     authentication host-mode single-host
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     dot1x pae authenticator
     dot1x max-req 3
     dot1x max-reauth-req 1
     spanning-tree portfast
    !

    Any help will be greatly appreciated.

    UPDATE: see the comments below.

    Good job on solving your own problem, Oliver, and for taking the time to update everyone here! (+5 from me). If your problem is resolved you should mark the thread as answered ;)

  • How to generate CSR on switches for web auth with NGS

    Hello

    I am doing a dot1x solution with web auth on Cisco 3750 switches.

    Once the wired client is put in the web authentication state (after dot1x and mab) and goes to a website, it receives a certificate warning. This is because the switch uses a Cisco self-signed certificate.

    I want to use a Verisign certificate to resolve this error, but I can't find a way to generate a CSR on a switch. I only found a guide on how to request a certificate from a CA on the local network, but that is also not a solution, because the clients using web authentication won't trust the internal certification authority.

    Is it possible to fix this?

    Greetings

    Steven

    Hi Steven,

    The document below is really for IOS SSLVPN, but the certificate part should be the same:

    http://www.Cisco.com/en/us/prod/collateral/iosswrel/ps6537/ps6586/ps6657/white_paper_c07-372106_ps6657_Products_White_Paper.html

    Search for 'Appendix B': it goes into the creation of a trustpoint, then has a section for the self-signed certificate and another for generating a certificate request to send to an external certification authority.

    Once the trustpoint is created, the command to actually generate the CSR is "crypto pki enroll".

    This document goes into a bit more detail on the individual commands and what they do:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_cert_enroll_pki.html

    Also, you can use something external to the switch such as OpenSSL to generate the CSR and private key, then use it to request a certificate from your Verisign CA and import the cert/key pair into the IOS device.

    Thank you

    Nate
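    The off-box OpenSSL route Nate mentions, as an added example that is not from the original thread: it generates the key and CSR for the web-auth portal, checks the CSR before it goes to the CA, and bundles the returned certificate into a PKCS#12 for import into IOS. The portal hostname, working directory and subject fields are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): key + CSR for the switch's web-auth portal,
# generated off-box with OpenSSL. All names below are assumptions.
set -eu

WORKDIR="${WORKDIR:-./webauth-csr}"                  # assumption: scratch directory
# Assumption: the hostname clients are redirected to for web auth. It must match
# the name the switch presents, or browsers will still warn after the CA signs it.
PORTAL_FQDN="${PORTAL_FQDN:-webauth.example.com}"

gen_csr() {
    mkdir -p "$WORKDIR"
    # 2048-bit RSA key; -nodes leaves it unencrypted so it can be bundled into the
    # PKCS#12 later. The key never leaves this host except inside that bundle.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$PORTAL_FQDN.key" \
        -out "$WORKDIR/$PORTAL_FQDN.csr" \
        -subj "/C=XX/O=Example Org/CN=$PORTAL_FQDN" >/dev/null 2>&1
    chmod 600 "$WORKDIR/$PORTAL_FQDN.key"
}

csr_cn() {
    # Print the CN embedded in the CSR so it can be checked before submission
    # (handles both "CN = x" and "/CN=x" subject formats of different OpenSSL versions).
    openssl req -in "$WORKDIR/$PORTAL_FQDN.csr" -noout -subject | sed 's/.*CN *= *//'
}

verify_csr() {
    # The CSR is self-signed with the new key; a passing verify proves the CSR
    # and key belong together and the file was not altered in transit.
    openssl req -in "$WORKDIR/$PORTAL_FQDN.csr" -noout -verify >/dev/null 2>&1
}

bundle_pkcs12() {
    # After the CA returns the signed cert ($1) and its chain ($2), bundle
    # key + cert + chain into a password-protected ($3) PKCS#12, which IOS can
    # import with "crypto pki import <trustpoint> pkcs12 <url> <password>".
    openssl pkcs12 -export \
        -inkey "$WORKDIR/$PORTAL_FQDN.key" -in "$1" -certfile "$2" \
        -out "$WORKDIR/$PORTAL_FQDN.p12" -passout "pass:$3"
}
```

    Run gen_csr, then verify_csr and csr_cn before sending the .csr file to the CA; bundle_pkcs12 is for the step after the signed certificate comes back.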

  • Dot1x - difference between "mab" and "mab eap"

    Hi guys,

    can someone explain the difference between "mab" and "mab eap" for me?

    I'm doing dot1x with EAP-TLS with MAB as a backup method.

    The explanations that I found in the config guides are very poor.

    Thank you for your help.

    Mathias

    Hello Mathias.

    This is an old post but I stumbled across it while trying to find another post I answered before. In case you have not found an answer yet, please take a look at this thread where I think you'll find your answers.

    https://supportforums.Cisco.com/message/3768500#3768500

    Kind regards

    Thanks for the note!

  • 802.1x authentication issues

    I have configured dot1x port authentication on the switched network using a Cisco ACS SE, and on the computers (Windows XP/SP2) PEAP and EAP-MSCHAPv2. Everything works fine while the user has already loaded his credentials on the PC, but if someone tries to log on to the PC as a new user, the authentication process fails; then I have to force-authorize the port for access to the network, and once I revert to automatic authentication and the user logs off, the authentication process works again.

    What am I missing?

    Please help...

    What we see here is the known behavior of dot1x authentication. To work around this problem, we need to configure machine authentication as well as user authentication. Here is the 802.1x process, which explains the behavior we see with the cached credentials.

    When machine authentication is enabled, authentication occurs in this order:

    When you start a computer,

    * Machine authentication - ACS authenticates the computer before user authentication. ACS checks the computer's credentials against the Windows user database. If you use Active Directory and the corresponding Active Directory computer account has the same credentials, the computer gains access to Windows domain services.

    * User domain authentication - if machine authentication succeeded, the Windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user's credentials are authenticated using the cached credentials retained by the local operating system. When a user is authenticated by cached credentials instead of by the domain, the computer does not apply domain policies, such as running the login scripts the domain dictates.

    * You can also have only user authentication, without machine authentication. This only causes a problem for a first-time user who has not yet logged on to AD once. So, with machine authentication, you have an AD network connection, and so the first-time user has no problem. Also, without machine authentication, you need to make sure the user credentials are cached on the machine. With machine authentication, AD and the machine generate their own username and password (which you don't know) = machinename, for dot1x authentication. So after startup the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL to log in, the user authentication will start.

    Kind regards

    ~ JG

    Please rate useful posts

  • Several protocols on a single ASA for multifactor authentication?

    We currently use the AnyConnect client combined with RSA SecurID for multifactor authentication on Windows laptops.

    We plan to add some portable computers that do not support the AnyConnect software (for example Chromebooks).

    Chromebook supports VPN using L2TP/IPsec + pre-shared key or user certificate, plus the user ID and a static password. There is no user interface provided for the token type and SecurID PIN code, so SecurID is not supported.

    If the native VPN client connection were combined with something like Microsoft PhoneFactor / Azure Multifactor Authentication or Duo Security operating over RADIUS, it would do multifactor authentication via an automated phone call, SMS or a smartphone app, and the Chromebook end-user device has no need to 'support' this directly, since the authentication happens on the main server. All the user needs is the pre-shared key or certificate name, a username, a password and access to their phone. They connect with their username and password and then get an automated phone call or text they need to answer before authentication is allowed.

    Can RSA SecurID and Azure Multifactor Authentication both be supported at the same time, so that AnyConnect users use RSA and users without AnyConnect use Azure?

    You should be able to do it with different connection profiles, each with their own primary and secondary authentication method.

    A given (single) profile can use only one set of primary and secondary authentication methods.

    By the way, I used the Duo Security solution for remote access with a VPN client and thought it was very well done.

  • Confused: Local/Central switching

    I was wondering if someone could explain local/central switching a little more, when it comes to HREAP/FlexConnect modes for CAPWAP APs.

    So in our environment, we are running 7.5.102.0 code on all our WLCs. We have a WLC in two of our regions (United States and Europe). Each region provides internet services for the connected remote sites. So a site in Chicago goes back to our head office over MPLS for its internet services; likewise a site in Italy goes back to our head office in the United Kingdom for its internet service over MPLS. These remote sites have APs which are in FlexConnect mode back to the central WLC.

    My question... I understand that an AP in central switching mode tunnels traffic to the central controller, so there is no local switching. However, what does this mean? If the WAN link goes down, how does local switching help? The internet is still down, since the internet is advertised from the central location. Does this mean that a local server can be accessed over wireless, since we are in local switching mode? Same question for authentication; our servers are located at the central sites, with no AD servers at the remote sites. In local authentication mode, how would an AP log a user in if the MPLS link is down? Does it download some sort of directory cache for authentication?

    Thanks for your help!

    Yes, in local switching mode, wireless client traffic is switched locally at the branch (you must configure the VLANs on the branch switch) and clients can access branch resources while the WAN link is down. If the internet is served from your central site, then they won't get internet services while your WAN link is down.

    If you have configured local authentication, yes, the WLC passes credentials (if the WLC holds the user credentials, as with WPA2-PSK or WEP) to the AP, which it can use for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy for these services so that the branch APs can use them when the controller is not available.

    The design guide will help you understand this:

    http://www.Cisco.com/en/us/docs/solutions/enterprise/mobility/emob73dg/ch7_HREA.html#wp1103070

    Here are some of my notes on the different modes of operation of H-REAP/FlexConnect, which should help you as well:

    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/

    HTH

    Rasika

    * Please rate all useful responses *

  • Certificate error when you use AnyConnect with AD and SecurID auth on a few clients

    Hello

    We have an ASA5510 setup in place with AnyConnect Essentials, with both XP and Win7 clients connecting.

    This works as expected on most clients, but on 3 XP clients we get a strange error.

    They install the software and connect successfully the first time.

    On each attempt to connect after that, they get a message saying "VPN connection interrupted, the certificate is not found on the smart card or smart card does not exist".

    We don't use certificates for authentication at all (only LDAP and SecurID).

    Trying to connect with a known good username and password on one of these computers gives the same error.

    Connecting with one of the problem users on a known-working VPN setup/PC works every time.

    If we remove the AnyConnect client from a problem computer and then install it again, it works the first time (as before).

    Then all attempts after that give the same error.

    The connection profile and the settings for the affected users are identical to all the others that work.

    What could be the problem?

    Upgrading to 3.0.5075 solved my problem.

  • View 5.1 with RSA SecurID 7.1

    We are deploying VMware View 5.1 with RSA SecurID 7.1. We have RSA 7.1 and the RSA agent installed on the View server and the VDI VMs, and they challenge for the token value. The View Manager is configured to use RSA according to the doc.

    http://www.RSA.com/rsasecured/guides/imp_pdfs/RSA%20SecurID%20Ready%20Implementation%20Guide-view%20Manager%203.PDF

    We also use Cisco VXC 2111 zero clients (connected to the Cisco VoIP phone). The thin client connects and manages to authenticate with the passcode. However, the client then also asks for the password and then passes the user on to the desktop.

    I can't find info on how to prevent it asking for the password too. Any ideas?

    EDIT: I discovered that the Cisco VXC 2111 runs View Client 4.6. I wonder if this is the problem?

    I'll have to test it with a Wyse P20 and see if there is a difference.

    1. With RSA SecurID authentication, View prompts for the password once SecurID authentication is complete. The password is necessary in order to perform SSO to the virtual desktop. If View does not request the password, SSO is not possible and the user must sign on to each virtual desktop anyway. SecurID represents an additional authentication at the beginning of the sequence.

    2. You need not install the RSA Agent on the View Connection Server. View has all it needs to perform SecurID authentication against RSA Authentication Manager.

    3. That is a very old document you are referencing. It's for View 3.0. See here for the latest documentation for each version of View: http://KB.VMware.com/kb/2003455

    I hope this helps.

  • Dot1x authentication with IP phone and hub behind it

    Hi all

    I have a question about the following scenario:

    If I deploy ISE with x endpoint licenses, I have the following configuration:

    ISE - SW - Hub - IP phone - 4 connected devices

    I need to authenticate and profile all 4 devices connected to the hub, but at the same time I have no need to authenticate the IP phone using ISE, since this will consume an additional endpoint from the license count, and I need to overcome this scenario.

    From the configuration point of view, using "authentication host-mode multi-auth" will solve the problem for the devices connected to the hub, but how can I exclude the IP phone from the endpoint count from ISE's point of view?

    Thank you.

    Ahmad.

    That's right, but the only problem you will experience is the ability to put 'data' devices on different VLANs. So if a computer fails and must have guest access, it will be placed on the same VLAN as the first device that connected.

    Here are a few reference documents on this scenario.

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3750x_3560x/software/release/15.0_2_se/configuration/guide/sw8021x.html#wp1347331

    Thank you

    Tarik Admani
    * Please rate useful posts *

  • VMWare View with RSA SecurID integration

    Hi all.

    We are trying to make VMware View authenticate users through RSA SecurID according to the attached document. However, it is not clear where to put the node secret file that is generated on the RSA Authentication Manager server. It is exported in the form of a .rec file and is protected by a password, but the View server configuration has no fields to load the node secret file. Should I simply rename the .rec file to securid and put it in %SystemRoot%\System32\securid? But how does the View server then decrypt this file using the password?

    On the RSA server, I see in the logs:

    2010-03-12 08:05:49 U  viewservername.company.com
    12/03/2010 03:05:49 U  Node verification failed  rsa-ace-server.company.com

    The RSA doc says:

    "A mismatch between the node secret stored on the Authentication Manager and the one subsequently stored on an Agent Host may occur if you delete and re-create an Agent Host, or if you accidentally delete a node secret file. The mismatch prevents messages between the devices from being decrypted and causes the Agent Host to deny access to all users who attempt to log on. Node verification failed is recorded in the audit trail."

    Hello

    For me it looks like the attached image.

    MCP, VCP

  • dot1x system-auth-control on 62xx and all ports/traffic go down?

    Hello

    With three VLANs, and now introducing dot1x only on certain ports, I do:

    RD(config)# dot1x system-auth-control              ! enable
    RD(config)# aaa authentication dot1x default radius  ! point it at RADIUS
    RD(config)# interface ethernet 1/g1                  ! bind it to a port
    RD(config-if-1/g1)# dot1x port-control auto          ! configure dot1x port-control

    I assumed dot1x must be forced/enabled on a per-port/interface basis and before that is done there is no dot1x, but it seems that "dot1x system-auth-control" does not wait for anything and everything stops instantly.

    Is this the desired behavior?

    And if yes, then how do I introduce dot1x little by little, starting with an ethernet port that is configured as here:

    Port: 1/g1
    Flow control: Enabled
    VLAN Membership mode: Access Mode

    Operating parameters:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged
    Default Priority: 0
    GVRP status: Disabled
    Protected: Disabled

    Port 1/g1 is member in:
    VLAN   Name                                Egress rule   Type
    ----   ---------------------------------   -----------   --------
    1      Default                             Untagged      Default

    Static configuration:
    PVID: 1
    Ingress Filtering: Enabled
    Acceptable Frame Type: Untagged

    Port 1/g1 is statically configured to:
    VLAN   Name                                Egress rule
    ----   ---------------------------------   -----------

    Forbidden VLANs:
    VLAN   Name
    ----   ---------------------------------

    Thanks a lot!

    L.

    OK, you can implement the other dot1x controls without them having any effect on the switch until "dot1x system-auth-control" is given.

    I will certainly take a look at your other post.
