How 2 Configure ACS 4.2 to delegate authentication to the radius server
Hello
We need run the following scenario:
Cisco VPN client (or any connect, Cisco SSL VPN client)---> Cisco ASA 5520---> Cisco ACS 4.2---> CAT Authentication Server
The CAT authentication server is a Radius server. It can receive Radius authentication requests and respond. It is used for strong authentication TFA WBS similar to RSA OTP tokens.
The question is: how we set up the 4.2 ACS to delegate authentication request to another Radius server.
Thnx
Add the RSA server as an external database, configure the drop user profile or a group to authenticate on the new external database rather than ACS DB Local (or Windows DB).
Easy as pie!
Please rate if this is useful.
Tags: Cisco Security
Similar Questions
-
Setup
Cisco Catalyst 2960-S running 15.0.2 - SE8
Under Centos freeRadius 6.4 RADIUS server
Client (supplicant) running Windows 7
When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
Here is my config running. Any advice would be greatly appreciated.
#show running mySwitch-
mySwitch #show running-config
Building configuration...Current configuration: 2094 bytes
!
version 12.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
!
!
AAA new-model
!
!
AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
!
!
AAA - the id of the joint session
1 supply ws-c2960s-24ts-l switch
!
!
!
!
!
control-dot1x system-auth
pvst spanning-tree mode
spanning tree extend id-system
!
!
!
!
internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
Auto control of the port of authentication
dot1x EAP authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
IP 10.1.2.12 255.255.255.0
!
IP http server
IP http secure server
activate the IP sla response alerts
recording of debug trap
10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
Line con 0
line vty 0 4
password password
line vty 5 15
password password
!
endinterface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.
Regarding the configuration, it seems a bit out of the AAA. Try to remove the:
line "aaa dot1x group service radius authentication" and this by using instead:
"aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.
-
How to restrict Internet access by using the RADIUS server via switch Catalyst 3560
Dear all,
I need a configuration using any. I have a small network of 15 users a 3560, which is in turn connected to a router ISR 2811. Interface fastethernet 0/24 switch 3560 I intend to connect to a unix based server RADIUS. ISP is connected on the opposite side of the 2811 to the fa0/0 interface.
I want to make is that if someone among the 15 users tries to access the internet, they must be validated in the RADIUS server by their pre-configured user credentials. (I'm going to store 15 user credentials here). If someone else tries to connect (except those 15) he or she should be denied internet access.
The RADIUS server will be having a login page to type the name of user and password.
Please guide based on what commands I should inject into the 3560 or what specifically, I need to have to run this task.
Thanks in advance!
Samrat.
I only did this in a very long time, but you probably want to do is activate the web authentication.
-
How to account for the Radius Server cisco vpn client
Hello
I would like to realize vpn cisco customers
My config is:
AAA authentication login default local radius group
RADIUS AAA authentication login aaa_radius local group
RADIUS group AAA authorization exec default authenticated if
AAA authorization vpn LAN
failure to exec AAA accounting
action-type market / stop
RADIUS group
!
AAA accounting network aaa_radius
action-type market / stop
RADIUS groupRADIUS-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxx
No package of accounitng is sent to the server radius, only the packages autthetication
RADIUS server is freeradius
Thank you
Pet
Hello!
The sequence of commands you add to your configuration:
1. in the case of former card crypto
crypto-NAME of the customer accounting card card list aaa_radius
2. in the case of isakmp profiles
Profile of crypto isakmp PROFILE NAME
accounting aaa_radius
When the NAME of the map and the PROFILE NAME real names for you profile crypto map or isakmp respectively.
I hope this helps.
Best regards.
-
How to configure ACS 5.2 to manage the Junos 10.4R6.5 fwl via GANYMEDE.
Hi all
I have a camera ACS 5.2 newly installed, integrated with our announcement and his work with cisco product, routers switches and etc. Now I would like to include Juniper firewalls so to be authenticated via ACS 5.2 either via ssh and web access. Can someone share me how to initiate this, creating policies.
FYI: I have 14:00 groups regionaladm and regionalops, read/write and read-access, respectively.
Kind regards
Marlon
Marlon,
I stuck in a config below file I made for our ScreenOS Firewall work with Cisco ACS v5.2. This configuration may not work because yours is Junos, but it could bring closer you reach to understand. Also, if you have not been on the Juniper J-Net ask autour, give it a shot. (forums.juniper.net)
Good luck!
-Chris
Title: Example configuration - GSU of Juniper and Cisco ACS v5.x
Product: SSG320M juniper (Cisco ACS v5.x)
Version: 6.3.0r10.0 ScreenOS (Cisco ACS v5.2.0.26.8)
Network topology:
[Juniper SSG320M]-[Cisco 3560 Switch]-[Cisco ACS VM]
Description:
Goal - authenticate GSU administrators using GANYMEDE + instead of local connections
Description - This configuration for Cisco ACS v5.x, JTACS had only configuration v3.3.
ACS v5.x is a VM based on Linux with a completely new user interface and structure.
Configuration:
Configure the Juniper (CLI)
1. Add configuration Cisco ACS and GANYMEDE +.
Set id CiscoACSv5 of auth-server 1
set the auth-CiscoACSv5 server ServerName 192.168.1.100
set server CiscoACSv5-type of admin account
set the server CiscoACSv5 auth type Ganymede
Define auth-server CiscoACSv5 Ganymede secret CiscoACSv5
define CiscoACSv5 Ganymede 49 auth-server port
Set the server auth admin CiscoACSv5
Set admin auth distance primary
Remote admin auth root set
define outer-get administrator privilegesConfigure the Cisco ACS (GUI) v5.x
1. navigate to elements of strategy > authorization and permissions > peripheral Administration > Shell profiles
Create the profile of Shell of Juniper.
Click the button [create] at the bottom of the page
Select the general tab
Name: Juniper
Description: Custom for Juniper SSG320M attributes
Select the custom attributesAdd the vsys attribute:
Attribute: vsys
Requirement: required
Value: root
Click on the [Add ^] button above the field for the attributeAdd the attribute of privilege :
Attribute: privilege
Requirement: required
Value: rootNote : you can also use "read-write", but then the local admin does not work correctly
Click on the [Add ^] button above the field for the attribute
Click the button [send] at the bottom of the page2. navigate to access policies > Access Services > default device Admin > authorization
Create the authorization policy of Juniper and filter by IP address.
Click [customize] at the bottom right of the page
In terms of customize, select IP address in the left window
Click the [>] button to add
Click the [OK] button to close the windowClick the button [create] at the bottom of the page to create a new rule
In general, the name of the new rule Juniper and make sure that this option is enabled
In Conditions, check the box next to IP address
Enter the ip address of the Juniper (192.168.1.100)
Under results, click the [Select] button next to the Shell profile field
Select "Juniper" and click the [OK] button
Under results, click the [Select] button under the command field sets (if used)
Select "allow all the" and make sure all other boxes are not CHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the policy of Juniper , and then move the policy to the top of the list
Click on the [Save] button at the bottom of the pageAudit:
Connect to the CLI of Juniper and GUI using an ACS internal user account and try to change something to check the level of privilege.
-
How to configure ACS 4 with 802. 1 X
Hay
How to set up my ACS server to support 802. 1 X with PEAP.in to authenticate the me (PC).
Thank you initially
You can skip the part of the certificate.
-
How to configure it for oneself when coming out of the hibernation
How can I configure my windows vista Home premium Service Pack 2 for oneself during the recovery from hibernation?
When I take my LAPTOP it gets full access to what I was doing when I put it to Hibernate so I would be locked after recovery try it :(
Hi, my question was not entirely answered by you, but the link that you made me wonder if maybe check the menu Options of food I could find what I was looking for, and I did... How
Via - CHANGE POWER ADVANCED SETTINGS that find you in the menu SELECT a POWER PLAN in POWER OPTIONS window in the CONTROL PANEL
Control the Options of Panel\Power, and then CHANGE the PARAMETERS of POWER DEVELOPED
Thank U Mr. Braun
Hello
Please see this article: http://windows.microsoft.com/en-US/windows-vista/How-do-I-change-the-password-requirement-when-my-computer-wakes-from-sleep
-
How to configure windows xp to invite before you move the files/folders
Please advise... is a real pain when you inadvertently move a folder...
Windows doesn't have this capability, sorry.
-
The purpose of running two separate is Windows Live Mail accounts to have total privacy on each, avoiding different users can see other accounts or e-mail folders. I don't want to mix the different user accounts when the opening of windows live mail, each user must be able to open his account separately.
ThxsWhile this was possible with Outlook and Outlook Express identities as this function is not available with Windows Live Mail as detailed here
Basically, it says to put in place of the separate accounts for each user to connect to Windows to isolate the e-mail accounts in each of the other opinions.
On the only other option is to use some use webmail ISP provides you instead of Live Mail.
-
How to call a report from Oracle 10g lies in the application server to the server of DB using PLSQL
Hi all
I have the following requirement
I have a 10g Oracle compiled report and giving PDF as output...
1. I want to call the same report server DB using PLSQL to generate reports in bulk.
2. the production of the above-mentioned reports should be in the path specific and with the specific name
Please help me on this
Kind regards
SH
What you want is called "Event Driven publication":
http://docs.Oracle.com/CD/E17904_01/bi.1111/b32121/pbr_evnt001.htm#RSPUB23700
-
Hello
Is there any solution to use ADOBE 7? I have the boxed version and wanted to install on the new mcomputer that software do activation requre. Activation is disabled for Adobe 7.
Yes, there is no server activation and you can install is no longer your CD. The current version is 11.
But there is an alternative. l http://helpx.adobe.com/x-productkb/Policy-Pricing/Creative-Suite-2-activation-end-Life.htm
-
How to configure vMotion and storage?
I'm trying to set up with vMotion HA. I can see how the virtual appliance can be moved to another physical server. How to configure storage, so that data are available on the new server?
Thank you.
You cannot share your local storage space. That is unless you use a third-party application that turns your local storage space in your storage SAN Lefthands VSA. Think of it like this, you have two servers ESX (ESX1 and ESX2) you have a virtual machine with the disk it's on ESX2. If ESX2 fails, off, etc. it is impossible for the drive be accessible. HA is still based on a shared storage access to the virtual computer files.
-
We currently have ADR installed 2.0.9 on WLS 10.3.6 running on Windows 2008R2 behind a F5 load balancer. When load balancing sends connections to the server, we have configured everything first, everything works fine. When load balancing sends connections to the server to scale, we get the ADR page with "this facility has not yet been configured. The defaults.xml and related directories were created automatically on the second server. We tried to change the debug.debugger and debug.printDebugToScreen entries in the second server defaults.xml, but nothing happened. What do we lack? How set us the second server?
The problem has been resolved. After looking at the directories and defaults.xml WLS created on the server to scale out, we thought that the configuration files were not created/copied from the original server. We ran the configuration of 'java-jar ords.war setup' on the second server, restarted the application of WLS and everything started working as expected.
-
How have use ACS supported wireless users and the VPN user?
I'm new to ACS and configure the following requirement:
(1) ACS to authenticate users wireless with window AD.
(2) once connected successfully to the radio, the user must use VPN for remote access with the ASA.
(3) the end-user will have only 1 common username but different password.
for example:
username: password: cisco: cisco wireless.
username: cisco password: 1234 for VPN.
ACS support can this, if yes how can we do? Do I need 2 sets of ACS?
Yes, acs should work properly according to your need.
ACS, we have a feature called NAP "network access profile" where we can define the condition based on ip source or attributes which allow to say if the request comes from wireless device acs will forward to AD and if the request is of the acs VPN will forward to this diff of database.
Basically, we need to use two acs database.
Kind regards
~ JG
Note the useful messages
-
How to use ACS 5.2 to create a static ip address user for remote access VPN
Hi all
I have the problem. Please help me.
Initially, I use ACS 4.2 to create the static ip address for VPN remote access user, it's easy, configuration simply to the user defined > address assignment IP Client > assign the static IP address, but when I use ACS 5.2 I don't ' t know how to do.
I'm trying to add the IPv4 address attribute to the user to read "how to use 5.2 ACS", it says this:
1Ajouter step to attribute a static IP address to the user attribute dictionary internal:
Step 2select System Administration > Configuration > dictionaries > identity > internal users.
Step 3click create.
Static IP attribute by step 4Ajouter.
5selectionnez users and identity of the stage stores > internal identity stores > users.
6Click step create.
Step 7Edit static IP attribute of the user.
I just did, but this isn't a job. When I use EasyVPN client to connect to ASA 5520, user could the success of authentication but will not get the static IP I set up on internal users, so the tunnel put in place failed. I'm trying to configure a pool of IP on ASA for ACS users get the IP and customer EasyVPN allows you to connect with ASA, everything is OK, the user authenticates successed.but when I kill IP pool coufigurations and use the "add a static IP address to the user 'configurations, EzVPN are omitted.
so, what should I do, if anyboby knows how to use ACS 5.2 to create a user for ip address static for remote access VPN, to say please.
Wait for you answer, no question right or not, please answer, thank you.
There are a few extra steps to ensure that the static address defined for the user is returned in the Access-Accept. See the instuctions in the two slides attached
Maybe you are looking for
-
Audio tinny in questions of fcp10.3
Hi everyone, I'm importing clips video mpeg4 of Dropbox, the audio sounds great they are studio quality registered. However, once imported into fcp, they sound "tinny." I saw somewhere a post by checking the guarded hunting ground, but when I go to
-
When I run firefox a little white box appears and I can't do anything?
I am running amd dual core windows 7 4 GB ram. When I run firefox everthing works ok, then a white box appears in the middle of the page. then it stops working. When I try to click on any key the only thing I get is a beep. my opening page is changed
-
How to connect a satellite with Qosmio G30-188 receiver?
Hello! How can I connect a satellite receiver to my Qosmio g30-188? I need to connect the AV signal (SCART) on the receiver to the laptop.can someone help me? Thanks in advance!
-
Try to download & install Java.
Try to download & install Java. Impossible to find on my computer error 404 I lost the color and a description on web sites. I think that woud Java helps, but it is absent. I've looked everywhere and tells me that it can not be found. I think that I
-
blue screen with 0xc00000f at 1 startup
After the image capturing process is complete and reboot, BSOD 0xc00000f.