Help on ACS

Hello

I have ACS 4.1 installed and am having difficulties integrating it with the following for authentication:

1. Cisco 4500 router

2. Cisco Aironet access point

All admins for the 4500 router should be authenticated via the ACS server, and in case the ACS server is down, they must be authenticated through the local database...

All passed or failed login attempts must be logged in ACS; all changes made on the device (config change / reboot) must be logged on ACS as well...

Can I get a link that shows the router config part and the ACS part...

Amin

Does it matter to you which interface is used for TACACS+? If so, configure this interface as the source.

When you configured the ACS server, you told it to expect the packets from the address in VLAN 1. If you do not want to change the configuration of the ACS, then configure VLAN 1 as the source address for TACACS+.

HTH

Rick
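As an added example (not a config from the original thread), here is the IOS AAA configuration for the Catalyst 4500 side of the question: admin logins go to ACS over TACACS+ sourced from VLAN 1 as Rick suggests, fall back to the local database only when ACS is unreachable, and logins, privileged commands and reloads are accounted to ACS. The ACS address, the shared secret and the local password are placeholders.

```cisco
! Added example, not the poster's config. <ACS-IP>, <SHARED-SECRET> and <LOCAL-PASSWORD> are placeholders.
aaa new-model
!
! TACACS+ server definition (ACS 4.1 listens on TCP/49)
tacacs-server host <ACS-IP> key <SHARED-SECRET>
! Source all TACACS+ traffic from the address ACS already has as the AAA client (VLAN 1)
ip tacacs source-interface Vlan1
!
! Local fallback account. Note: the "local" method is only tried when ACS cannot be
! reached at all; a login that ACS rejects is NOT retried against the local database.
username admin privilege 15 secret <LOCAL-PASSWORD>
enable secret <LOCAL-PASSWORD>
!
! Login and enable: ACS first, then the local database / enable secret
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Shell and per-command authorization, with local fallback when ACS is down.
! "config-commands" also sends configuration-mode commands to ACS for authorization.
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa authorization config-commands
!
! Accounting to ACS: sessions, every level-15 command (covers config changes)
! and system events such as a reload. Failed logins show up in the ACS
! "Failed Attempts" report without any extra configuration.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
```

Default method lists apply to all lines automatically; verify with "show tacacs" and "debug tacacs" that packets leave from the VLAN 1 address ACS expects.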

Tags: Cisco Security

Similar Questions

  • Help: ACS 5.4 two-factor authentication

    Dear all,

    We are presenting an ACS POC at one of our clients.

    We have done TACACS+ authentication with AD users with different privileges, and it works very well.

    And also, we implemented RSA SecurID authentication and it works fine.

    Our client needs two-factor authentication using RSA SecurID and the AD user ID/password (via TACACS+).

    Can someone help me with how to implement this scenario?

    It is very urgent; please help me with how to implement two-factor authentication using RSA SecurID and username and password.

    Thank you

    P.Ramkumar.

    Hi again,

    You should be able to find the information you need here:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1123587

    Useful section:

    Identity Stores with Two-Factor Authentication

    See you soon

    Chris

  • Lobby Ambassador profiles, ACS 5.3

    We have set up our WCS to do AAA through our ACS 5.3, which works very well. So logging in to the WCS for administration or as Lobby Ambassador (to create guest users etc.) is now handled by the ACS, EXCELLENT!

    I assigned a user the Lobby Ambassador role, passed by TACACS+ to the WCS; if users have their role configured as Lobby Ambassador they are limited in what they can do, as expected.

    What I want to know is: with normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of default values for all guest accounts created by this Lobby Ambassador account, which was good, so Lobby Ambassadors could not configure accounts for unlimited time and things like that.

    What I want to know now is: since I now do all the AAA on ACS, is there an attribute that I can pass to the WCS in the shell profile, along with roles etc., telling the WCS what the guest user defaults are on behalf of the Lobby Ambassador, so that we can continue to limit the default values of the guest accounts that Lobby Ambassador accounts create, as it used to be? We would really like different Lobby Ambassadors to be able to do different things as well, i.e. Lobby Ambassador X can create accounts for one region, Lobby Ambassador Y can create unlimited-time accounts where others cannot. We used to do this by assigning different guest user defaults to different Lobby Ambassador accounts on the WCS.

    Help appreciated

    Hello

    At the moment the only solution for your needs is to create local NCS/WCS accounts with exactly the same username as in your ACS, with any password. Authentication will be done via TACACS+ while the default values will be taken from the local user account. Please be aware that this mechanism is case sensitive.

    Regards

    Stefan

  • Trying to block "configure terminal" on ACS 5.3

    Hi friends!

    I'm trying to block users from using the command "configure terminal" using ACS 5.3, but so far it is not working properly.

    In the same command set, if I put any other command (such as reload, telnet) and choose deny, it works very well, but to prevent the user from entering configuration mode, I'm still not able to block it.

    I would really appreciate it if someone here could help me or has already been through this situation.

    Thank you!

    MOV

    On ACS, please use "Deny configure" and do not fill in the argument field. Remove the other similar command sets.

    On the IOS side, make sure you have

    aaa authorization config-commands

  • Force ACS v5 to join the domain with a certain domain controller

    Hello world

    I am trying to join an ACS v5.3 to the domain. My ACS in location A I can join without problem using my account. When I try to join the ACS in location B to the same domain with the same account, it does not work.

    I looked at the AD client debug logs and noticed that the ACS in location B goes to some domain controller. However, I would have expected the ACS to contact a different DC, located on the same site as the ACS... This does not happen.

    My question: how does ACS determine which DC to contact? Is it possible to force the ACS to join via a certain DC?

    Thanks for any help or ideas.

    IDA

    Hello

    Please check your Sites and Services in your DNS configuration to see if the right domain controllers are returned to the ACS when it attempts to join the domain. This function is essential and optimizes the links that ACS chooses to join the domain.

    The way this works is that ACS tries to resolve the DNS records for the global catalog servers and domain controllers via the DNS server configured in the initial installation script. Then DNS makes a decision based on the source IP address of the DNS request, decides that the ACS is in a specific site, and returns the domain controllers and global catalogs configured for that specific site.

    Let me know if this helps.

    Tarik Admani
    *Please rate useful posts*.

  • Replaced expired cert on ACS

    Hello

    I replaced an ACS certificate that had been installed; then I did the following:

    1. Created a certificate request.

    2. Issued the request to the company certification authority.

    3. Copied the certificate to an FTP server.

    4. Installed the certificate on ACS.

    5. Configured the CTL again.

    6. Restarted the ACS.

    8. Enabled EAP-TLS.

    The problem is that when I try to enable EAP I get the message that no ACS certificate is installed.

    I searched on Cisco and it said to turn off the CSA and follow the same process as I did, without success.

    Any help appreciated.

    Thank you

    KeV

    What is the current version?

  • Deny AAA clients to a specific group of users, ACS v4.1

    With ACS 4.1 is there a 'simple' method to simply deny a user group the ability to connect to specific AAA clients? The customer has a phone group they want to allow to Telnet in and check all the voice routers, but not other routers. They have command sets and that set up, but I wanted to see if there is a way to simply restrict this group to the voice routers only?

    Thanks in advance,

    Dave

    You can configure this using a NAR in ACS.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

    Kind regards

    ~ JG

    Please rate useful posts

  • ACL syntax error on PIX after upgrade, need urgent help!

    Hello everyone

    We have an installation including Cisco ACS, a VPN 3005 concentrator and a PIX 515E (7.2.4).

    We upgraded the PIX from version 7.0 to 7.2.4 and suddenly our downloadable access list has been getting refused when users authenticate against ACS.

    With RADIUS debugging on the PIX we found that this line in the downloadable access list gives the error and prevents users from getting the ACL:

    "deny ip any 192.168.0.0 0.0.255.255"

    The PIX refuses to process the auth request when it encounters this line.

    Very well, we said, and changed the ACL syntax to this: deny ip any 192.168.0.0 255.255.0.0

    The PIX then processes the ACL.

    We were happy for some time until the VPN users started complaining.

    It seems that the VPN 3005 cannot process the syntax we entered for the PIX!

    The VPN 3005 does not seem to be able to handle the ACL line "deny ip any 192.168.0.0 255.255.0.0".

    It can handle "deny ip any 192.168.0.0 0.0.255.255"!

    Which the PIX cannot handle...

    I am at a loss for what to do here...

    We have VPN users who cannot browse now because of these ACL problems.

    What can I do? Has anyone else encountered this?

    We have upgraded the VPN 3005 to the latest SW version.

    Really need help here guys!

    Thank you

    I don't think that Cisco has ever changed anything on the PIX. It has used subnet masks from day one as far as I KNOW, and the VPN Concentrator uses wildcard masks like IOS. You can use the acl-netmask-convert command on the ASA to solve this problem. In this way, you define a wildcard ACL on the ACS/AAA server, then use this command on the ASA so the same downloadable ACLs can be used for both devices (PIX, VPNC).

    http://www.Cisco.com/en/us/docs/security/ASA/asa81/command/ref/A2.html#wp1622944

    Please rate if useful.

    Regards

    Farrukh
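As an added example (not a config from the thread), the PIX/ASA-side setting Farrukh refers to, so that one downloadable ACL kept in wildcard-mask form on ACS can be served unchanged to both the VPN 3005 and the PIX. The server name, interface, ACS address and key are placeholders.

```cisco
! Added example, not the poster's config. <ACS-IP> and <SHARED-SECRET> are placeholders.
!
! Keep the downloadable ACL on ACS in wildcard form, the form the VPN 3005 accepts:
!   deny ip any 192.168.0.0 0.0.255.255
!   permit ip any any
!
! On the PIX/ASA, declare that masks in ACLs downloaded from this RADIUS server are
! wildcards; the appliance then converts them to its native subnet-mask form
! (0.0.255.255 -> 255.255.0.0) before applying the ACL, instead of rejecting the auth.
aaa-server ACS protocol radius
aaa-server ACS (inside) host <ACS-IP>
 key <SHARED-SECRET>
 acl-netmask-convert wildcard
!
! The default mode is auto-detect, which guesses per mask; since some masks are valid
! as either a netmask or a wildcard, forcing "wildcard" removes the guesswork.
```

After applying this, the same "debug radius" that exposed the rejected line should show the dACL being accepted, and "show access-list" lists the downloaded entries in netmask form.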

  • MAR for VPN users, ACS 4.2

    Hello

    I use ACS 4.2 in my setup. We have company VPN users. Authentication of the VPN users' identity currently happens via ACS and AD. I want users connecting to the VPN to have to use a company-provided laptop. That is why I want to implement MAR, which will verify the computer name in AD; only if the computer name is in the AD computer group will the user ID and password be validated, and based on this validation the user will be allowed to access network resources. Currently I do not have any server certificate and users can connect to the VPN from any computer (home computer), just using their login and password.

    All the documents I found describe 802.1x clients with certificate authentication through MAR.

    Please help me achieve this requirement. I want, without any certificate, that when a user wants to connect to the VPN, their system name is validated through ACS and the AD group, and only then will username/password verification occur.

    Please help me...

    Satya,

    You cannot apply MAR to a remote access scenario, since MAR in the ACS realm is for clients that connect to switches using a supplicant and dot1x. In this case, using a VPN client and an ASA, you can deploy a DAP policy in which you can look for a specific registry key on the workstations that belong to your network.

    You can ask the same question in the VPN forums, but here is the DAP deployment configuration guide:

    http://www.Cisco.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml

    Thank you

    Tarik

  • Downloadable ACL on ACS 5.2 using 802.1x authentication

    Hi all

    I configured ACS 5.2 for 802.1x authentication. It works well; clients are placed in their respective VLAN after a successful authentication.

    Now I want to assign downloadable ACLs to particular users. Can someone help me with the downloadable ACL configuration on ACS 5.2?

    Any feedback is much appreciated.

    Thanks in advance,

    Selva.

    Hi Selva,

    Based on what do you want to assign the DACL? Based on the username? Group?... etc.?

    This document will be useful for you:

    http://tiny.cc/ogrxvw

    Ignore the ASA part. Concentrate on the ACS config.

    The doc uses an ASA as the AAA client. The difference is that you use a switch, but the idea is the same.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • Running RADIUS &amp; TACACS+ simultaneously on ACS

    Hi all

    I currently have an ACS setup running TACACS+ that does the normal AAA things we need.

    I searched around online and cannot find out whether I can set up the ACS to run RADIUS and TACACS+ in parallel on the same box. I tried to add new clients and servers with the same IP address but using RADIUS instead of TACACS+, but ACS refused, saying the hosts already exist.

    The reason we want RADIUS is that we are testing 802.1x and need a RADIUS server to do so.

    Any help would be greatly appreciated

    Thanks again

    Oli

    Hi Oli,

    Are you using the same device name? If so, don't. You cannot use the same device name.

    Use a different device name with the same IP address and set it to RADIUS, and that should probably work.

    Kind regards

    Amjad

    Rating useful answers is more useful than saying "thank you".
