RADIUS in ACS 5.2 Ports

Where can I find the ports assigned to RADIUS in ACS 5.2? I checked the port for TACACS+ settings under Configuration -> Global System Options -> TACACS+ Settings.

Thank you

Vikram

They are 1645/1646 and 1812/1813.

Looking to change those?

Tags: Cisco Security

Similar Questions

  • How to stop RADIUS/TACACS+ on ACS 5.2?

    Hi, is it possible to stop RADIUS/TACACS+ on ACS 5.2 from the GUI?

    From the command line, you can stop the ACS instance itself - but I don't think you can stop individual components. It simulates a failed ACS instance.

    I think it's:

    application stop acs

    or

    acs stop

    To start, it's the same thing with the start keyword.

  • Radius on ACS 5.2 accounting command

    order accounting for RADIUS supported ACS 5.2? status of implementation of radius of the provider supports this feature.

    Well, RADIUS accounting is supported on ACS, so if your AAA client sends command accounting, the records will appear on ACS without problem.

  • Dynamic ACL for external RADIUS accounts (ACS 5.3)

    We have a Cisco ACS 5.2 server that queries another RADIUS server for some AnyConnect VPN connections. We already use dynamic access lists for some users in the internal identity store. We would like to link a dynamic access list to users in the external database, based on the username passed back from the external RADIUS server. We run ACS 5.3.0.40. Is it possible to do?

    [If you are running 5.3 and using AD, I suggest installing the latest 5.3 patch]

    Ok. Suppose the attribute is in AD and is called DACL. Then proceed as follows:

    (1) Go to

    Users and Identity Stores > External Identity Stores > Active Directory

    and select the "Directory Attributes" tab.

    (2) Add the attribute named DACL and save changes.

    (3) Build the authorization profile which will return the DACL.

    Go to

    Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Create

    In the "Common Tasks" tab, select "Dynamic" for Downloadable ACL Name,

    then select "AD - AD1" and the attribute selected in step 2,

    and press Submit.

    You now have an authorization profile which will dynamically retrieve the AD attribute and use it as the name of the downloadable ACL.

    (4) In the authorization policy, select this authorization profile,

    for example:

    Access Policies > Access Services > Default Network Access > Authorization

    Should be good to go

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,

    I need to add RADIUS attributes for a custom vendor under the 'Group Setup' page in ACS 4.2. As of now, I see Cisco Aironet RADIUS attributes,

    IETF RADIUS attributes etc. on the "Group Setup" page. How can I ensure that the RADIUS attributes for a vendor also appear on this page?

    PS: I do rate useful posts

    Thank you

    Boudou

    Under "Interface Configuration", you can set which RADIUS attributes you want to view. It is probably just a missing check mark for your vendor.

    The Options for RADIUS are described here:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

  • Which ports are involved for the synchronization of the ACS - ACS DB?

    Hi all

    What ports are used when an ACS pushes its database to another ACS?

    With ACS v4.x port 2000.

  • Newbie question on access to the RADIUS server

    I've worked before on RADIUS servers running on Windows but not on Unix. I'm new to an environment without any documentation and I want to make sure I have access to the TACACS/ACS config.

    I go to my switch config and I see that the radius-server is '10.0.0.1'.

    Then I ssh into '10.0.0.1' and I see the below after "method".

    From the below, do you have an idea on how to access the configuration of the ACS in case I need to change any setting on it? I tried http://10.0.0.1 but it does not work.

    -bash-3.00$ ls
    bin features core net sbin TT_DB
    Start the etc. opt system usr lib
    export of CDROM lost + found tftpboot var platform
    dev House Dem proc tmp flight

    Try http://10.0.0.1:2002, as ACS listens on default port 2002.

    Pete

  • Cisco ACS wireless authentication

    Hello guys,

    I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have a 4.2 test version on Windows 2003 for the test. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

    Windows 2003 is part of the domain; and on ACS, I go to External User Databases > Database Configuration > Windows Database > Configure

    From there, I chose my domain name and selected "EAP-TLS Machine authentication". I've also mapped the domain to the group I created in ACS.

    I'm also looking at the default RADIUS ports 1812 and 1813 on ACS.

    On my WLC 5508, I created a WLAN and defined the RADIUS IP as the IP address of the ACS. However, when I tried to join the wireless network, it keeps failing.

    I installed the user cert on the laptop for EAP-TLS. If I change the RADIUS server on the WLAN and point it to my AD/NPS, my test laptop is able to join the wireless network through EAP-TLS.

    I'm a little confused about TACACS+ on ACS. Is TACACS+ only used for logging in to network devices to manage them, or can it be used for regular users for authentication and authorization?

    For example, a wireless user, who is part of the domain, needs to join the corporate wireless network in his office. Can I use TACACS+ for it, or must it be RADIUS with ACS 4.2?

    Thank you

    Yes, that's true, and it applies to wired as well.

    On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace)

    Configuration of WLC and ACS for the RADIUS settings.

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

    You can visit the listed link below to install the certificate on ACS 4.2

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

    ~ BR
    Jatin kone

    * Do rate useful posts *

  • ASA as a RADIUS client in ACS

    Hi all

    I added ASA (version 8.0) as a RADIUS client to the ACS (version 4.2) server. When I do "test aaa authentication" on the ASA and run 'debug radius', I got this error message:

    aaa authentication ACS host 10.1.2.25 test test passwo username $
    INFO: Attempt to <10.1.2.25>IP address authentication test (timeout: 12 seconds)
    Ray mkreq: 0x6cb
    alloc_rip 0x29f79044
    new application 0x6cb--> 221 (0x29f79044)
    obtained the user 'test '.
    has obtained the password
    add_req 0x29f79044 0x6cb 221 session id
    RADIUS_REQUEST
    RADIUS.c: rad_mkpkt

    RADIUS packet decode (authentication request)

    --------------------------------------
    Data of raw packets (length = 62)...
    01 dd 00 3F 11 76 77 02 13 50 49 6f 7 c 4F 4 d e4 |  ... > .vw. M... PINo |
    05 5 a 8 b 68 01 06 74 65 73 74 02 12 11 ca 28 65 |  . Z.h.. test... (e
    A4 49 ee 8 a 76 46 29 10 3rd f9 3f 04 06 ac 1B 1f |  . I have... FV). >. ? .....
    FB 02 05 06 00 00 00 28 06 00 00 00 05 3d |  ....... (=.....

    Packet analyzed data...
    RADIUS: Code = 1 (0x01)
    RADIUS: Identifier = 221 (0xDD)
    RADIUS: Length = 62 (0x003E)
    RADIUS: Vector: 117677E44D021350494E6F7C055A8B68
    RADIUS: Type = 1 (0x01) - user name
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (String) =
    74 65 73 74                                        |  test
    RADIUS: Type = 2 (0x02) username-password
    RADIUS: Length = 18 (0x12)
    RADIUS: Value (String) =
    11 ca 28 65 a4 49 ee 8 a 76 46 29 10 3rd f9 3f 1f |  .. (EI. FV). >. ?.
    RADIUS: Type = 4 NAS-IP-Address (0x04)
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (IP address) = 172.27.251.2 (0xAC1BFB02)
    RADIUS: Type = 5 (0x05) NAS-Port
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0 x 28
    RADIUS: Type = 61 (0x3D) NAS-Port-Type
    RADIUS: Length = 6 (0x06)
    RADIUS: Value (Hex) = 0x5
    Send 10.1.2.25/1645 pkt
    RIP 0x29f79044 id State 7 221
    rad_vrfy(): bad auth req
    rad_procpkt: radvrfy failed
    RADIUS_DELETE
    remove_req 0x29f79044 0x6cb 221 session id
    free_rip 0x29f79044
    RADIUS: send empty queue
    ERROR: Authentication server is unresponsive: failure of decoding AAA... secret server incompatibility

    and I know not secret shared is the match between the ASA and ACS. any suggestions would be much appreciated.

    Thank you

    Alex

    Hi Alex,

    Is the ASA defined in any NDG on ACS?

    If so, please remove the shared secret from the NDG and try the test authentication once again.

    Let me know how it goes.

    Kind regards

    Anisha

    PS: Please mark this thread solved if you think that your query is answered.
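An added example, not part of the original thread: the ASA output above reports a server secret mismatch, and this sketch shows the RFC 2865 mechanism by which a RADIUS client detects one, by recomputing the Response Authenticator with its own copy of the shared secret. The identifier and request authenticator are the ones shown in the debug above; the secrets, password and reply text are constructed.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
REPLY_MESSAGE = 18  # RFC 2865 attribute type

def encode_attrs(attrs):
    """Encode (type, value) pairs as TLVs; the length byte includes the 2-byte header."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """Server side of the same scheme, using the server's copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")

def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def verify_response(packet, ident, request_auth, secret):
    """Client-side check: recompute the authenticator with the local secret."""
    if len(packet) < 20:
        return False
    _code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if pkt_id != ident or not 20 <= length <= len(packet):
        return False
    packet = packet[:length]  # ignore padding after the declared length
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def simulate(nas_secret, server_secret):
    """Return (server recovered the password, NAS accepted the reply)."""
    ident = 221                                                        # from the debug above
    request_auth = bytes.fromhex("117677E44D021350494E6F7C055A8B68")  # from the debug above
    password = b"test-password"                                        # constructed
    hidden = hide_password(password, nas_secret, request_auth)
    password_ok = unhide_password(hidden, server_secret, request_auth) == password
    code = ACCESS_ACCEPT if password_ok else ACCESS_REJECT
    reply = build_response(code, ident, request_auth,
                           [(REPLY_MESSAGE, b"constructed reply")], server_secret)
    return password_ok, verify_response(reply, ident, request_auth, nas_secret)

if __name__ == "__main__":
    print("matching secrets  :", simulate(b"device-secret", b"device-secret"))
    print("NDG-level override:", simulate(b"device-secret", b"ndg-secret"))
```

With different secrets on the two sides, the server cannot recover the password and the client discards the reply, so a per-device secret that looks correct can still fail when a group-level secret is what the server actually uses.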

  • False RADIUS requests from Cisco ASA 5510 VPN client

    Hello world

    I use the Cisco VPN client 5.0.7 and Cisco ASA 5510 (7.4 and 8.4.2) VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) and AD.

    Each time the client connects, the ASA issues 2 RADIUS requests: the first, correct one, which is successfully authenticated by ACS, and immediately a second one that always fails. I couldn't find information related to this strange behavior. The "Double Authentication" feature (the most similar by name) is only available to AnyConnect clients, which we do not use. When I authenticate using a group password, there is only one RADIUS request.

    What is the source of such behavior?

    The negative impact is that my logs are filled with the spurious failed authentication attempts and users' failed-attempt counters in AD are incrementing.

    Debugging of ASA:

    -First request-

    RDS 2011-10-24 16:16:01 0232 14884 request code 172.16.8.1:1645 host = 1 id = 22, length = 145 on port 1025

    RDS 2011-10-24 16:16:01 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:01 I 2519 14884 [002] value username-password: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5

    RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:01 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:01 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:01 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:01 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 14884 0475 AuthorExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 14884 0507 AuthorExtensionPoint: requesting provider [Download Cisco ACL] [AuthorisationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: looking for ACL from [DnldACLs] to [user1]

    RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll-> AuthorisationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 2, id 22 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr - pool = vpnpool

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins - servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: IP: DNS-servers = 10.2.9.12 10.3.9.10 10.4.2.202

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2538 14884 [013] box-Compression value: 1

    RDS 2011-10-24 16:16:02 I 14884 2556 [008] value box-IP-Address: 255.255.255.254

    RDS 2011-10-24 16:16:02 I 2519 14884 [025] value class: CISCOACS:002cb2a9/ac100801/3222274048

    -The second request-

    RDS 2011-10-24 16:16:02 0232 14884 request code 172.16.8.1:1645 host = 1 id = 23, length = 145 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [001] value of username: User1

    RDS 2011-10-24 16:16:02 I 2519 14884 [002] value username-password: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1 48 96 b

    RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value:-1072693248

    RDS 2011-10-24 16:16:02 I 2538 14884 [006] Type of Service value: 2

    RDS 2011-10-24 16:16:02 I 2538 14884 [007] value Framed-Protocol: 1

    RDS 2011-10-24 16:16:02 I 2519 14884 [030] value Called-Station-Id: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2519 14884 [031] value of Calling-Station-Id: 10.4.14.14

    RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5

    RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14

    RDS 2011-10-24 16:16:02 I 14884 2556 [004] value of NAS-IP-Address: 172.16.8.1

    RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9

    RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source - ip = 10.4.14.14

    RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: run the configured scan extension points...

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: advertising [AuthenticationExtension] provider [Cisco EAP generic]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: Message-[generic EAP] lack of EAP, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: asking provider [Download Cisco ACL] [AuthenticationExtension]

    RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] asking not a download of ACL, ignorant...

    RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll-> AuthenticationExtension] returned [1 - ignored]

    RDS 2011-10-24 16:16:02 P 2237 14884 user: User1 - Windows user unknown or invalid password

    RDS 2011-10-24 16:16:02 3360 14884 sent response code 3, id 23 to 172.16.8.1 on port 1025

    RDS 2011-10-24 16:16:02 I 2519 14884 [018] value Reply-Message: rejected...

    RDS 2011-10-24 16:16:03 0232 14884 request code 10.2.47.200:1812 host = 1 id = 254, length = 227 on port 32769

    RDS 2011-10-24 16:16:03 2788 14884 (VSA unknown Vendor ID 14179)

    ACS debug:

    -First request-

    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user01] user authentication
    AUTH 24/10/2011 16:16:01 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user

    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: authentication Windows successfully (by DCCORPMSK04)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: information get RAS to the user user1 DCCORPMSK04

    -The second request-
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: from [user1] user authentication
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: retry authentication to the CORP domain
    AUTH 24/10/2011 16:16:02 I 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication attempt for the user1 user
    AUTH 24/10/2011 16:16:02 0365 13060 external DB [NTAuthenDLL.dll]: Windows authentication FAILED (Error 1326 L)

    The ASA config:

    crypto ikev1 enable outside
    crypto ikev1 enable inside
    crypto ikev1 ipsec-over-tcp port 10000
    lifetime 86400
    crypto ikev1 policy 65535
    authentication rsa-sig
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    !

    group-policy Cert_auth internal
    group-policy Cert_auth attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value aclVPN2
    address-pools value vpnpool
    client-access-rule none

    !

    tunnel-group DefaultRAGroup general-attributes
    address-pool (inside) vpnpool
    address-pool vpnpool
    authentication-server-group RADIUS01
    authorization-server-group RADIUS01
    authorization-server-group (inside) RADIUS01
    default-group-policy Cert_auth

    !

    aaa-server RADIUS01 protocol radius
    aaa-server RADIUS01 (inside) host 10.2.9.224
    key *****
    radius-common-pw *****
    aaa-server RADIUS01 (inside) host 10.4.2.223
    key *****

    Hello

    It is a 'classic' error and has nothing to do with double authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.

    If you remove this line:

    authorization-server-group RADIUS01

    you will see that it starts to work properly

    In short: when the ASA does RADIUS authorization, it sends a RADIUS Access-Request with the username as the password, that's why you see the second request fail all the time.

    This is because RADIUS authorization is intended to be used when authentication happens using certificates (only), so there is no password.

    Also note that within the RADIUS protocol, authentication and authorization are not separate things, both occur in a single step. So if the ASA does RADIUS authentication, it already gets the user attributes in the authentication step and it makes no sense to also do a separate authorization step (except in a few very rare scenarios where you have 2 RADIUS servers, one for authentication and another for authorization).

    HTH

    Herbert
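An added example, not part of the original thread: one way to separate the spurious rejects described above from real failures when reviewing logs, by pairing an accept with a reject for the same user from the same NAS inside a short window. The CSV records are a constructed format, not ACS's native log layout, and the 2-second window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records: timestamp, NAS IP, RADIUS id, user, result
SAMPLE = """\
2011-10-24 16:16:01,172.16.8.1,22,User1,accept
2011-10-24 16:16:02,172.16.8.1,23,user1,reject
2011-10-24 16:20:10,172.16.8.1,40,user2,reject
2011-10-24 16:25:30,172.16.8.1,51,user3,accept
2011-10-24 16:25:31,172.16.8.1,52,user3,reject
2011-10-24 16:40:00,10.2.47.200,254,user1,reject
"""

def parse(text):
    """Yield one dict per non-empty record; usernames are compared case-insensitively."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, nas, ident, user, result = [f.strip() for f in line.split(",")]
        yield {
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "nas": nas,
            "id": int(ident),
            "user": user.lower(),
            "result": result.lower(),
        }

def find_shadow_rejects(records, window=timedelta(seconds=2)):
    """Return (user, nas, accept_id, reject_id) for rejects that directly follow
    an accept for the same user from the same NAS within `window`."""
    last_accept = {}
    hits = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["nas"], rec["user"])
        if rec["result"] == "accept":
            last_accept[key] = rec
        elif rec["result"] == "reject":
            # Each accept can explain at most one following reject.
            prev = last_accept.pop(key, None)
            if prev is not None and rec["ts"] - prev["ts"] <= window:
                hits.append((rec["user"], rec["nas"], prev["id"], rec["id"]))
    return hits

if __name__ == "__main__":
    for user, nas, ok_id, bad_id in find_shadow_rejects(parse(SAMPLE)):
        print(f"{user} via {nas}: accept id {ok_id} followed by reject id {bad_id}")
```

Rejects with no preceding accept (user2, and user1 from the other NAS) are left alone, so genuine bad-password attempts still stand out.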

  • ACS 5.1 doesn't strip the username prefix\suffix in PEAP?

    Hello

    We got the ACS 5.1 VMware.

    We try to send only the user name to the proxy RADIUS after ACS strips the realm prefix\suffix.

    But ACS 5.1 could not strip the prefix\suffix in the PEAP authentication method.

    If we set the NAS authentication method to PAP_ASCII then ACS can strip the prefix\suffix @.

    (Conditions were matched and we could see the ACS did send requests to its proxy radius server extension.)
    Any idea?

    Hi Ed,

    The point is that while ACS can process and strip the domain name from the RADIUS User-Name, that is not what is used for the actual PEAP authentication on the external RADIUS server.

    The reason is that the credentials used for authentication are inside the PEAP TLS tunnel, thus ACS acting as a proxy is just transmitting this information and it doesn't have access to it.

    Consider that RADIUS proxy works even if you forward EAP methods that are not supported by ACS; in this case, ACS is not supposed to touch what's inside the RADIUS packet.

    I think that in your case the only solution is to configure the domain stripping on the external RADIUS server, which is the one that will be able to extract the credentials from the TLS tunnel and transform this info.

    Whether it is feasible or not depends on the features of the external RADIUS server, but I think that you cannot do much more on the ACS side using RADIUS.

    Examine how RADIUS proxy works and the fact that you cannot even use the external RADIUS the two ID because you can't do the field stripping and you cannot use MSCHAPv2 based auth protocols (though this would work with PAP or EAP - GTC), you are dealing with is the PEAP username on the external server or... you must instead use another way to access the announcement.

    This would open up different scenarios and maybe go away from this post

    I hope that's clear on what ACS does and why the domain is not stripped by ACS on the inner credentials.

    Thank you

    Fede

  • Cisco Secure ACS vs IAS in Windows

    Hi all

    I need deploy an AAA for the following situations.

    (1) remote access via Cisco VPN Clients.

    (2) AAA for wireless windows PC in remote areas

    (3) AAA for Cisco switches and routers in remote areas

    (4) authentication with a windows domain

    The Windows IAS would be virtually free, as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS might also be an option. Does anyone have experience with these two?

    What are the positives\negatives of each? and limits?

    Does anyone have any information on case study etc. in comparing the two?

    Your help is greatly appreciated.

    Kind regards

    Andy

    PS: There is a limitation in Windows 2003 Standard edition, which limits the number of RADIUS clients to 50. Although we have more than 50 potential clients in the company, no site has more than 50 altogether.

    MS IAS allows you to implement the solution using only the RADIUS protocol.

    ACS offers the feature to use RADIUS as well as TACACS+.

    Looking at the 4 solutions you want to implement, only the 3rd solution will be a little easier with TACACS+, but even then it is not something you cannot implement using RADIUS.

    On the limitation of Radius client, ACS offers a large database that you can use for customers, so limiting to 50 customers. In addition many many features, you'll love to integrate into your network as the NAP/NAC implementation, made it easier.

    So you need to check: if you have the budget, you can go with ACS; IAS on the other hand can work well for all the solutions (except the RADIUS client limitation; I'm sure that MS can provide a workaround solution).

    the following link can help you with information on sales of ACS:

    http://wwwIn-nmbu.Cisco.com/thevault/files/1027/5/ACS4.1-Sales-guide%20April%204%202007.htm

  • Cisco ACS 1113 appliance v4.1 - integration of RSA Securid v6.1

    The Windows version of Cisco ACS seems to have the ability to integrate with RSA SecurID, as it's listed in external databases. It can also support the SDI protocol if you install the agent on the Windows ACS platform. I need to use a Cisco ACS 1113, but RSA SecurID does not appear in the external databases section. Does this mean that I won't be able to use the SDI protocol, with only RADIUS available?

    And Yes you are right,

    With ACS, we need to configure using RADIUS, on ACS SE it won't work with SDI.

    Kind regards

    Prem

  • [Cisco AnyConnect] Certificate on RADIUS authentication

    Hello

    I use certificate authentication and LDAP authorization and it works fine.

    Now, I want to centralize authentication and authorization on the RADIUS server (Cisco ACS in my case).

    In the connection profile, we have 3 authentication methods:

    • AAA: I can choose RADIUS server group or LDAP--> the user is prompted to enter the username/password credentials
    • Certificate: I can't choose an AAA server group... --> the user will have to provide the certificate
    • Both: I choose the RADIUS or LDAP--> the user is prompted for username/password credentials and the user must provide the certificate

    If I choose the certificate authentication method, I can't delegate the authentication and authorization to the RADIUS server.

    Is there a solution to delegate the authentication of the certificate to the RADIUS server?

    I have different authorization rules for each VPN connection profile.

    Can the ASA send the VPN connection profile to the RADIUS server? (in a RADIUS attribute...)

    Thanks for your help,

    Patrick

    Patrick,

    The key point in deployments using WLC is that the supplicant on the client can talk EAP (including EAP-TLS), so the AAA server can authenticate the certificate.

    In the case of AnyConnect, or the old IPsec client, there is no way to send the full cert to the AAA server (not implemented/redundant from the point of view of the client, or not in the standard).

    IOS also gives you a possibility to make calls for authorization of PKI:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/sec_conn_pki/configuration/15-2mt/sec-cfg-auth-Rev-cert.html

    AFAIR there is no similar mechanism on the ASA.

    M.

  • ACS 3.2 (2) Build 5 replication problem

    Hi all

    There are two ACS servers: one sits inside an ASA 5510 at headquarters and the other is inside an ASA 5510 at the hot site.

    These ASA 5510s were deployed to replace two PIX 515Es, and the claim is that since the ASAs went in, replication has stopped working. Of course, it makes no sense to me because there is communication between the ACS servers and the firewall is not dropping anything whenever "replicate now" is issued.

    Unfortunately, I don't know much about ACS, so is there something I can look for to help troubleshoot it? The ACS logs say

    WARNING cannot replicate to '4' Server - server does not

    That doesn't help us much. Is there a way to get more detailed log info which could indicate the problem? Thank you.

    Hello

    ACS uses port TCP/2000 for replication. This port is also used by the Skinny protocol, so Skinny shares the port used by the ACS replication process.

    Replication from the primary ACS to the secondary fails: the primary reports that it cannot contact the secondary, and the secondary does not show any replication activity from the primary.

    A firewall between the two ACS servers is configured to inspect the Skinny protocol, which uses the same port (TCP/2000) as the ACS replication process.

    If you do not have a call manager behind your firewall, please disable skinny inspection if it is enabled.

    Under the global policy, take the skinny inspection out of the inspection_default class:

    no inspect skinny

    You need to do this on both sides.

    HTH

    JK

    Please rate useful posts
