Posture Validation on ACS 5.3

Hello

Can someone tell me if it is possible to activate posture validation on ACS 5.3?

If so, could I have a link or an implementation procedure?

Best regards

Hello

ACS 5.3 does not do posture validation, as 4.2 did. That was known as the NAC Framework; there is also the Cisco dedicated appliance (Cisco Clean Access - cisco.com/go/nac) and a new device that uses RADIUS and is a hybrid of ACS 5 and NAC, called ISE (cisco.com/go/ise).

Thank you

Tarik Admani
* Please rate useful posts *.

Tags: Cisco Security

Similar Questions

  • ACS + NAC-L2-IP & 802.1x

    Hello! I am implementing NAC now. From the NAC Framework configuration guide I know I can use NAC-L2-IP for posture validation, but this model (technology) does not provide the identity of the user. So the question is: can we use NAC-L2-IP for posture validation and 802.1x for user authentication (using MS-CHAPv2) at the same time on a Catalyst 3560G with ACS 4.1?

    Thank you in advance!

    Yes, this can work. If you are migrating at some point to NAC with 802.1X as well, you will get two passes on the ports configured for both.

  • ACS 4.2 - one local user to be part of several local groups

    Hello

    I have a group of network engineers that require full administrator access in two local ACS groups: Network Admins and LMS Admins (new group created for the recent LMS CiscoWorks).

    I have two NDGs: Cores and LMSserver.

    Issue: if a user belongs to the Network Admins group, the user can connect to the LMS server but with limited features. If the user is moved to LMS Admins, he has full functions but loses level 15 access to the routers and switches, which are the AAA clients for Cores.

    I have tried many different settings and still can't find the right one. Is it feasible in ACS v4.2?

    Thank you in advance for your input.

    See you soon!

    With the current ACS version 4.2 the best option you can think of is the Network Access Profile.

    Network Access Profiles are a feature that could be very useful. They allow the classification of access requests based on the network location, the device group membership, the network protocol, or other RADIUS attributes sent by the appliance the user connects through. In addition, authentication, access control, posture validation and authorization policies can be mapped to the profiles.

    Network access profile

    http://www.Cisco.org.lv/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NAPs.html#wp1103807

    In ACS 5.x, the same user can belong to different groups at a given time.

    HTH

    JK

    Please rate useful posts.

  • Cisco ISE posture check for VPN

    Hello community,

    first of all thank you for taking the time to read my post. I have a deployment which requires the posture check feature of Cisco ISE for VPN machines. I know that, logically, once a machine is on the LAN Cisco ISE can detect it and apply posture checks on clients with the AnyConnect agent, but what about VPN machines? The VPN will terminate via a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Any pointers on this?

    Thank you!

    Cisco ASA Version 9.2.1 supports RADIUS Change of Authorization (CoA) (RFC 5176). This allows posturing of VPN users against Cisco ISE without the need for an IPN. Once a VPN user connects, the ASA redirects web traffic to the ISE, where the user is provisioned with a Network Admission Control (NAC) or Web Agent. The agent performs specific checks on the user's computer to determine its compliance against a set of configured posture rules, such as operating system (OS) patch, AntiVirus, registry, Application, or Service rules.

    The posture validation results are then sent to the ISE. If the machine is considered compliant, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After successful posture validation and CoA, the user is allowed to access internal resources.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-Appliance-ASA-software/117693-configure-ASA-00.html
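To show how the CoA exchange in this answer is authenticated, here is an added example (not from the thread, and not Cisco code) that builds and verifies RFC 5176 CoA-Request/ACK/NAK packets the way a dynamic authorization client (ISE) and a NAS (the ASA) bind them to the shared secret; the secret, identifier and session attributes are constructed values.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes: CoA-Request / CoA-ACK / CoA-NAK
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Standard RADIUS attributes used to identify the session to re-authorize
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:  # one-octet length counts the 2-byte header too
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Parse an attribute area back into (type, value) pairs."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[0], data[1]
        attrs.append((atype, data[2:alen]))
        data = data[alen:]
    return attrs

def build_coa_request(secret, identifier, attrs):
    """Sender side (ISE in the thread's scenario).
    Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def verify_coa_request(secret, packet):
    """NAS side (the ASA): recompute the authenticator, reject on mismatch."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def build_coa_response(secret, request, ack=True, attrs=()):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", COA_ACK if ack else COA_NAK, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body

def verify_coa_response(secret, request, response):
    """Sender side: the response is bound to the request's authenticator and ID."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```

A request whose attributes are altered in transit, or one signed with the wrong shared secret, fails `verify_coa_request`, which is why the ASA and ISE must share the same CoA secret for this flow to work.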

  • VPN to ASA with ISE and Posture

    Hello

    I'm putting up a new ISE installation. I want to install AnyConnect 4.1 and use ISE for authentication & posture validation. I'm OK with the authentication side of things.

    http://www.Cisco.com/c/en/us/support/docs/security/Adaptive-Security-app...

    Does this configuration apply to both AnyConnect 3.1 & 4.x?

    Any help would be appreciated.

    Thank you

    Hi Stuart,

    Yes - this configuration applies to both AC3 and AC4.

    The new feature of AC4 is the ability to get it directly from ISE:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    But the posture itself works in a similar way.

    Thank you

    Michal

  • Cisco NAC server and check active number? Would this work?

    Hi all

    A client came up with a question when we introduced Cisco NAC today. They wondered, let's say, a client with the Cisco NAC agent installed is connected to the network switch. It has all valid requirements and patch levels on his machine (posture validation check passes).

    However, even if the client passes on all the parameters, they want to know if, when the host name of the client (for most Windows laptops) does not exist in their asset database (this database is an asset number database in a similar format, or .csv), posture validation can be made to fail.

    Have you met a request like this before? Is there a function on the NAC server which checks a field against an external database, such as an asset database?

    See you soon.

    Dumlu,

    Currently, it is not possible. You can create checks that can verify values locally, but not against external data stores, so for this to map to your idea, NAC would have to know all the workstation names beforehand and then check against that. It is unwieldy and very, very difficult to scale.

    If it's something you and your client think would be a good addition (and it sounds like a good idea), please engage with your account team and ask them to request a feature for you.

    Thank you

    Faisal

  • NAC WSUS check problem

    Hi, after I deployed the WSUS check, the client connection takes a long search time, about 2-3 minutes.

    NAC server: 4.1.8

    Client: 4.1.8 & 4.5.1 SP2 WinXP

    Slow NAC posture validation can be one of the greater stumbling blocks for a successful NAC deployment. One of the main reasons for slow posture validation is the time it takes for the WSUS requirement check.

    Troubleshooting steps:

    Option 1: Use the latest version of Windows Update Agent

    Option 2: Defragment datastore.edb

    Option 3: Remove the corrupted database

  • MAR for ACS 4.2 VPN users

    Hello

    I use ACS 4.2 in my setup. We have VPN users in my company. Identity authentication of the VPN users currently happens via ACS and AD. I want users connecting to the VPN to have to use a company-provided laptop. That's why I want to implement MAR, which will verify the computer name in AD, and only if the computer name is in the AD computer group will the user ID and password be validated; based on this validation the user will be allowed to access network resources. Currently I do not have any server certificate and users can connect to the VPN from any computer (home computer), just using their login and password.

    All the documentation I came across describes 802.1x clients with certificate authentication through MAR.

    Please help me to achieve this requirement. I want, without any certificate, that when a user wants to connect to the VPN its system name is validated through ACS & the AD group, and only after that the username/password verification will occur.

    Please help me...

    Satya,

    You cannot apply MAR to a remote access scenario, since MAR in the ACS realm is for clients that are destined for switches using a supplicant and dot1x. In this case, using a VPN client and an ASA, you can deploy a DAP policy in which you can look for a specific registry key on the workstations that belong to your network.

    You can ask the same questions in the VPN forums, but this is the DAP deployment configuration guide:

    http://www.Cisco.com/en/us/products/ps6120/products_white_paper09186a00809fcf38.shtml

    Thank you

    Tarik

  • VPN concentrator - using several authentication servers

    Hello

    I have a question regarding the use of more than one authentication server to authenticate users connecting to a VPN concentrator.

    Is it possible to add several different servers (for example: SDI and RADIUS) to the authentication list and make sure that users authenticate to each of them to establish the VPN? It seems a user only needs to authenticate through one of them to establish a VPN. Can you make the user authenticate through multiple servers?

    Thank you

    Cam

    Cam

    I have no experience with this issue, so I have an opinion but no facts. I suppose that it is possible to separate the user authentication from the NAC/posture validation.

    Perhaps someone with experience with this or the necessary expertise for this can help us with some facts.

    HTH

    Rick

  • License of ACS

    Where can I get a license for ACS 5.8?

    Is an evaluation license available?

    Hi Bill,

    Visit this link:
    https://supportforums.Cisco.com/document/12509071/Cisco-secure-access-control-server-evaluation-license-key-ACS-evaluation#LICENSE_KEY_Installation_Instruction

    You can get a 90-day trial license provided you have a valid contract and the device SN.

    Regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • ACS RADIUS drop: 11051 RADIUS packet contains invalid state attribute

    Hi all

    We have been facing a very strange problem for a few days now. Our v5.2.0.26 ACS began to drop wired and wireless connections, with a "RADIUS request dropped" message. The detailed message is: "RADIUS request dropped: 11051 RADIUS packet contains invalid state attribute".

    This message is usually preceded by a "RADIUS request dropped: 24444 Active Directory operation failed because of an error that is not specified in the ACS" error.

    Communication with Active Directory seems to be OK, since workstations receive a valid IP address when connected to a non-802.1x switch (Cisco 4506) port.

    Any help greatly appreciated,

    Best regards and happy new year to all members,

    Laurent

    Hello Laurent,

    Please check the AD connectivity status between ACS and AD on all of your ACS servers (secondary instances as appropriate).

    Users and Identity Stores > External Identity Stores > Active Directory

    Does the connectivity status show CONNECTED or DISCONNECTED on any of your ACS servers? If one of the servers is showing as DISCONNECTED, that could be the root cause of the problem.

    Hope that points you in the right direction.

    Kind regards.

  • Interaction of TACACS+ and RADIUS on ACS 2.6 downloadable PIX ACLs

    We have ACS v2.6 running and controlling our access to remote access, routers and switches. We are now looking to add support for an internal PIX firewall and want to use ACS downloadable ACLs for the PIX (to control outbound traffic through the PIX for authenticated users).

    We have achieved this using the Cisco IOS/PIX RADIUS attribute

    [009\001] cisco-av-pair on ACS (and ACL access restrictions on user access).

    However, the problem we noticed is that any user that is valid in our CiscoSecure or SecurID database can authenticate and gain access through the firewall, even if they are not allowed to do this (and as it is by default on the PIX, from inside to outside is allowed unlimited full access).

    We then imposed network access restrictions on the CiscoSecure ACS for our PIX, to allow access only to the corresponding user groups, but it did not work with RADIUS, only TACACS+ (I guess that's because RADIUS does not support authorization).

    We must work with TACACS+ and have ACS pass down the ACL number/ID for the PIX for allowed users.

    Question: we want to use ACS downloadable ACLs for the PIX (for reasons of central support). Is this possible using TACACS+ and if yes, how do we configure CiscoSecure ACS for the ACL example below?

    access-list pix_int permit tcp any host 10.x.x.x eq 1022

    access-list pix_int permit tcp any host 10.x.x.x eq 1023

    Thank you

    Downloadable ACLs work only with RADIUS, as described here:

    http://www.Cisco.com/warp/public/110/atp52.html#new_per_user

    You can continue to set the ACL on the PIX itself and simply pass the ACL number via TACACS+ (as shown here: http://www.cisco.com/warp/public/110/atp52.html#access_list), but you cannot actually push the entire ACL down via TACACS+, sorry.

  • ACS 4.1 and 802.1x dynamic VLAN assignment

    Hi guys,

    a customer wants to implement dynamic VLAN assignment with 802.1x. The customer has the following equipment: Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, several Cisco routers and switches.

    Now, the questions are: can we implement dynamic VLAN assignment without a NAC appliance? The customer also wants to distinguish between clients with current antivirus signatures and old signatures. Older clients are only granted access to the anti-virus server for the signature update, and if everything is OK, they get access to the internal network.

    How could we implement this without new hardware or software?

    Any ideas? Thanks for help.

    René

    You can have a look at the NAC Framework. If you only want to posture validate wired clients, then there are no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration guide from here:

    http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

    I suggest you prototype it and see what you think. The good thing is that you can deploy on a per-switchport basis, so you can set it up on ACS without disturbing what is there already and apply it by configuring the switch.

  • ACS authentication with PEAP / MSCHAPv2 - client rejecting server

    Hello

    Have a wireless network setup with Cisco 1131AG access points and a c6500 WiSM module under test (4404-WLC) authenticating with a Cisco ACS appliance (1113) using PEAP and MSCHAPv2 authentication.

    The laptops have the Cisco SSC client (together with the SSC Mgmt utility).

    A self-signed certificate was created on the ACS and the root exported and installed on the laptop.

    IF the CSSC 'Server Validation' box is not selected, the authentication process works and I am able to connect to the network.

    IF CSSC 'Server Validation' is checked, the authentication fails.

    The problem, it appears, is that the client refuses the server certificate:

    "Server certificate chain is not valid."

    On the ACS, in the 'failed' authentication logs, the following message is stated:

    "Authentication failed during SSL negotiation" (which obviously refers to the invalid certificate chain)

    Any ideas?

    When you create a self-signed certificate, is there a specific directory where the server certificate must be located? e.g. c:\cert\certificate.cer

    Also, must the certificate name match the host name of the ACS?

    i.e. "CN ="

    Any advice or pointers would be appreciated.

    Thank you

    The thing is that when you check the Server Validation box, you must make sure you have the certification authority in the Trusted Root Certification Authorities. For example, in Windows there is a list of CA servers where you check server certificate validation and also one of the root certification authorities in the list. If the root CA is not listed, then you must add it to the list and check it.

    You are right on the client rejecting the server cert... Authentication failed during SSL negotiation

    This doc will give you an overview:

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

  • ACS database does not replicate after having changed the secondary IP of ACS

    Hello.. I'm having 2 ACS 3.1 servers: ACS01 (primary) & ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we do database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS supports only replication of the database to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level.

    (2) The primary server copies the database components, compressed and encrypted, to the secondary server. This transmission is done via a TCP connection, port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

    (3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server is displayed for selection as a secondary server in the list of AAA servers as replication partners, on the Cisco Secure database replication page.

    (4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) Replication to secondary servers takes place sequentially in the order listed in the replication list under replication partners, on the Cisco Secure database replication page.

    (6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects the components.

    (8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSA attributes, see the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Database Command-Line Utility.
