Secure ACS: Special RADIUS attributes for Enterasys E7

Hello

We were on a pretty old version of Cisco Secure ACS for AAA on our network devices.

Unfortunately, the server crashed and we needed to install and configure it on a new server.

TACACS+ for our Cisco devices works very well.

We have a couple of switches made by a vendor called Nexans, which support only RADIUS - it works fine also.

In addition, we still have a few Enterasys E7s, and with those RADIUS does not work at all.

Sniffing the packets, everything looks good.

With the old server it worked well.

Does anyone know if there are special configurations (attributes, for example) when you configure ACS for Enterasys RADIUS clients?

Thank you

Rolf

Try this

Set attribute [011] Filter-Id to 'Enterasys:version=1:mgmt=su:

Tags: Cisco Security

Similar Questions

  • WLC with ACS 5.1 (RADIUS) for management * AND * Network users

    Hello

    I have set up RADIUS authentication for network users AND management on my NM-WLC (currently running 5.2) against ACS 5.1

    My Question is:-

    For users to log in as Admin, I need to return "Service-Type = Administrative - User" in order to make it work.

    Because the ACS sees all requests from the same device (WLC) for Admin and network users, the way I am currently handling it is by creating a filter based on the user name.

    Thus, users that contain 'admin' in their ID use a Network Access authorization policy rule, which has an authorization profile associated with the RADIUS attributes.

    Normal users have a different 'Network Access authorization policy' rule, with a different profile.

    While this DOES WORK fine, I was still wondering if there is a better way to do it, rather than creating a rule based on the user name.

    I could use TACACS+ for the management, but I don't think that ACS allows the same AAA client (WLC) to use both protocols.

    Thank you

    I think this is a very common thing to do

    You may notice that ACS 5 comes preinstalled with a service selection policy that differentiates requests based on protocol and directs them to either the 'Default Network Access' or 'Default Device Admin' service out of the box

    If you want only RADIUS, you can either disable or delete the rule for TACACS+ requests, or not select TACACS+ in the device definitions

  • ACS 5.2 - Support for RADIUS attributes per user

    Hi all

    Does anyone know if it is possible to configure RADIUS attributes on a per-user basis in ACS 5.2?

    That was possible under ACS 4.x; however, I can't seem to find any reference to whether ACS 5.2 supports it.

    Thank you

    Leon

    You can do this by defining user attributes and then using attribute substitution.

    You can see an example of setting an internal user attribute to use as the value for the Framed-IP-Address field

    This is just an example and can also be applied to any RADIUS attribute for which a user attribute of the same type is set. Values can also be taken from an external identity store such as AD

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use Windows 2003 server for the candidate countries.
    and an Active Directory on a Windows 2003 server.  The AD server is fine, it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide
    when you use AD as an external database (e.g. setting up services to run with a domain administrator account, setting up a machine called "CISCO"
    on the domain, etc.).

    I've set the unknown user policy to use the Windows database, if the internal database does not contain the details of the user.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log

    02-24-2010, 05:07:03, authentic failed, eXXXX, Network Administrators (NDG), X.X.X.X, (default), internal error, (get the internal error error message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case.
    I followed all of the installation guides to the letter.  I need to get this up and running as soon as possible,
    so am eager to know if someone can help me with this one!

    Thanks and greetings

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit machine.  ACS would not work with Active Directory when installed on 64-bit machines before ACS 4.2.1.

    -Jesse

  • AD or LDAP for the external database - Secure ACS 5.2

    I'm working on a project with Secure ACS 5.2.  I'm trying to determine the appropriate external database to use.  LDAP or directly to AD?

    In addition, the domain I connect to has several subdomains.  All users are currently in the subdomains, but will move to the root domain later.  How do I set up the connection: do I have to connect to each subdomain, or can I connect just to the root?

    Thank you

    Hello

    If you are using PEAP (mschapv2) [password based authentication] your best bet is to tie ACS to AD, because PEAP-mschapv2 is a hash mechanism that is only supported when you bind to AD, it will not work if you use the ldap integration.

    Your best option is to connect ACS to the root domain, so it can use the transitive trust relationships to find the information in its subdomains.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Cisco Secure ACS vs IAS in Windows

    Hi all

    I need to deploy AAA for the following situations.

    (1) remote access via Cisco VPN Clients.

    (2) AAA for wireless windows PC in remote areas

    (3) AAA for Cisco switches and routers in remote areas

    (4) authentication with a windows domain

    Windows IAS would be virtually free, as we already have Windows 2003 domain controllers at each remote site. However, Cisco Secure ACS might also be an option. Does anyone have experience with these two?

    What are the positives/negatives of each? And the limits?

    Does anyone have any information on case study etc. in comparing the two?

    Your help is greatly appreciated.

    Kind regards

    Andy

    PS: There is a limitation in Windows 2003 Standard edition, which limits the number of RADIUS clients to 50. Although we have more than 50 potential clients in the company, no site has more than 50 altogether.

    MS IAS allows you to implement the solution using only the RADIUS protocol

    ACS offers the feature to use RADIUS as well as TACACS.

    Looking at the 4 solutions you want to implement, only the 3rd solution will be a little easier with TACACS, but even then it is not something you cannot implement using RADIUS.

    On the RADIUS client limitation, ACS offers a large database that you can use for clients, so limiting to 50 clients. In addition, there are many features you'll love to integrate into your network, such as NAP/NAC implementation, made easier.

    So you need to check if you have the budget; if so, you can go with ACS. IAS, on the other hand, can work well for all solutions (except the RADIUS client limitation; I'm sure that MS can provide a workaround).

    The following link can help you with information on ACS sales:

    http://wwwIn-nmbu.Cisco.com/thevault/files/1027/5/ACS4.1-Sales-guide%20April%204%202007.htm

  • Cisco Secure ACS Solution Engine ping

    1. I installed Cisco Secure ACS Solution Engine V3.3 and I can access it via HTTP port 2002, but I can't ping it from anywhere in the network, although the server can ping everything. Is this normal?

    2. If I can't ping it, how can I define the keepalive service to load balance 2 ACS engines using CSS?

    By the way, I forgot that the ACS 3.3 appliance has an integrated CSA. This agent is enabled by default. That explains why you can't ping it.

    To enable/disable it, go to "System Setup Configuration - device". Toggle the CSA enabled checkbox according to needs.

    http://www.Cisco.com/en/us/partner/products/sw/secursw/ps5338/products_user_guide_chapter09186a008023361d.html#wp859228

    Rgds,

    AK

  • Attribute RADIUS 198

    Hello

    I am trying to get RADIUS attribute 198 from the access router with IOS 12.3 (AS5300, C2610) remotely.

    With 'debug radius' the following output appears:

    * 01:06:02.679 Mar 1: RADIUS: Acct-Session-Id [44] 10 "00000009.

    * 01:06:02.679 Mar 1: RADIUS: Framed-Protocol [7] PPP 6

    [1]

    * 01:06:02.679 Mar 1: RADIUS: Framed-IP-Address [8] 6 192.168.1.1

    * 01:06:02.679 Mar 1: RADIUS: seller, Cisco [26] 35

    * Mar 1 01:06:02.679: RAY: Cisco-AVpair [1] 29 'connect-progress = L '.

    "A Up of his."

    * 01:06:02.679 Mar 1: RADIUS: Acct-Session-time [46] 23 6

    * 01:06:02.683 Mar 1: RADIUS: Acct-Input-bytes [42] 6 1377

    * 01:06:02.683 Mar 1: RADIUS: Acct-Output-byte 6 106 [43]

    * 01:06:02.683 Mar 1: RADIUS: Acct-Input-Packets [47] 6 14

    * 01:06:02.683 Mar 1: RADIUS: Acct-Output-Packets [48] 6 7

    * 01:06:02.683 Mar 1: RADIUS: Acct-Terminate-Cause [49] 6-user request

    [1]

    * 01:06:02.683 Mar 1: RADIUS: seller, Cisco [26] 39

    * Mar 1 01:06:02.683: RAY: Cisco-AVpair [1] 33 "disc-cause-ext = PPP.

    Receive the term. "

    * 01:06:02.683 Mar 1: RADIUS: authentic [45] RADIUS 6

    [1]

    * 01:06:02.687 Mar 1: RADIUS: username [1] 6 'test '.

    * 01:06:02.687 Mar 1: RADIUS: Acct-status-Type [40] stop 6

    [2]

    * 01:06:02.687 Mar 1: RADIUS: seller, Cisco [26] 16

    * Mar 1 01:06:02.687: RAY: cisco-nas-port [2] 10 "BRI0/0:1.

    * 01:06:02.687 Mar 1: RADIUS: NAS-Port [5] 6 30001

    * 01:06:02.687 Mar 1: RADIUS: seller, Cisco [26] 26

    * 01:06:02.687 Mar 1: RADIUS: Cisco-AVpair [1] 20 "interface = BRI0/0:1.

    "

    * 01:06:02.687 Mar 1: RADIUS: NAS-Port-Type [61] 6 ISDN

    [2]

    * 01:06:02.691 Mar 1: RADIUS: Calling-Station-Id [31] 12 '3334277535 '.

    * 01:06:02.691 Mar 1: RADIUS: Called-Station-Id [30] 8 '289981 '.

    * 01:06:02.691 Mar 1: RADIUS: Type of Service [6] 6 box

    [2]

    * 01:06:02.691 Mar 1: RADIUS: NAS-IP-Address [4] 6 192.168.255.104

    * 01:06:02.691 Mar 1: RADIUS: Acct-Delay-Time [41] 6 0

    Where is attribute 198?

    Thank you

    Oliver

    Hello Oliver,

    According to the "exclusive provider of additional RADIUS attributes" to

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1826/products_feature_guide09186a0080080efc.html

    In addition, there should be

    radius-server host x.x.x.x non-standard

    in the config to inform the router that other attributes will be used as well.

    See also http://www.cisco.com/en/US/products/sw/iosswrel/ps1828/products_configuration_guide_chapter09186a00800ca5f2.html#xtocid182645

    for the command syntax in IOS 12.0

    I hope this helps!

    Regards, Martin

  • Secure ACS 5.7 - adding a secondary server to the primary

    Hello.

    I recently set up two Secure ACS 5.7 primary servers. I want to make one of the primary servers a secondary server. When I try to register it to the primary, I get the following message:

    This failure has occurred: save failed due to invalid certificate. Your changes have not been saved.

    Both servers have valid certificates. But other than extending the validity of the cert, no other changes have been made.

    Any ideas please?

    Thank you

    Daniel

    Hello Daniel,

    For the Trust Communication option to work, it is necessary to use certificates signed by a CA, either external or internal, and in addition you must import the respective issuer root/intermediate certificates under the "Users and Identity Stores > Certificate Authorities" section on both ACS servers.

    Alternatively, you can choose not to use the "Trust Communication" feature by going to "System Administration > Configuration > Global System Options > Trust Communication Settings" and unchecking the check box for the feature.

    Note: Please mark responded as appropriate.


  • Cisco Secure ACS 4.2 on VMware ESX 4.0.

    We must move from ESX 3.5 to ESX 4.0 a virtual machine running Cisco Secure ACS for Windows version 4.2.

    Is this solution compatible and supported by Cisco?

    Thank you.

    Andrea

    ACS Windows 4.2 is not supported by Cisco, when installed on VMWare ESX 4.0 in accordance with the following documentation:

    http://Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/device/guide/sdt42.html#wp37898

    Only ACS 5.1 is supported on ESX 4.0:

    http://www.Cisco.com/en/us/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_vmware.html

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication of this in the "System Administration > Administrators > Settings > Authentication" panel.

    (I'm under Server Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for Administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • Cisco Secure ACS 5.3 SNMP agent does not

    Hello

    I have problems with the SNMP agent on Cisco Secure ACS 5.3 (patch level 5) stopping; is there a quick way to restart the SNMP daemon via the command line?

    Robert,

    I understand where you are coming from; I encountered the following bug:

    CSCte39351

    The SNMP agent daemon process on the ACS appliance stops.

    and rebooting the box would bring it back up, and after about 3 days it would stop. I just want to see if it's the same bug that could be back in patch 5. The best thing to do at this stage is to plan a quick downtime and restart the box to see if the SNMP process starts again. If it does, then give it a week to see if the SNMP process goes down. If it does, then reference this bug and open a new TAC case to get it fixed. If not, then you should be in the clear.

    Thank you

    Tarik Admani

  • Cisco Secure ACS 4.2 Windows authentication of different domain

    Hello

    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and users in that domain belonging to a certain group are authenticated.

    Now, I have to change the configuration of the server and reassign it to another domain. There is no trust relationship between the two domains and I would like to know if users can still be authenticated against the previous domain.

    Hello

    First of all, take a backup (as a precaution, in order to restore the config if something goes wrong), then continue with the following:

    -Remove the configuration of the Windows domain (group mapping... etc) from the server before changing the domain.

    -Change the domain membership, and then restart.

    -follow the missions post-disiez for ACS (see this link): http://tiny.cc/zr6huw.

    -Configure the external database again on ACS (group mapping, unknown user policy... etc).

    You should note that if the new domain controller is Windows Server 2008 R2, it is not supported by ACS 4.x.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • When you use Firefox, a site jumped upward and said it is Firefox search virus. He said then I got dangerous viruses and need to download a security program. It's for real? The site is update32.escmce.ce.ms

    When you use Firefox, a site jumped upward and said it is Firefox search virus. He said then I got dangerous viruses and need to download a security program. It's for real? The site has been update32.escmce.ce.ms I googled this site and it does not exist. Now, I'm worried about security on my computer.

    Sounds very similar to what I had come last week. I did not now what the site was, but I noticed that the box seems to be analysis what were the Windows system files, it could not have been real. I do not download anything either, and I think that if you have not then you are probably safe. I am far from being an expert in the field and am sure that someone with more expertise will also. I learned that the best thing to do is vacuum history of cache, cookies and remove and close the browser. Don't try not even close the box that I have read. I don't know if I did or not. I think that there is some nasty things circulating right now try to deceive us in their installation on our Macs. I agree that it's a very scary experience. I was shaking when it first happened to me.

  • Can I have a special, separate trash for files deleted from my account?

    Original title: Special (additional) Recycle Bin.

    I have a folder on the PC of someone. Can I have a special, separate trash for files deleted from this folder of mine, so that if someone deletes the file from anywhere else that my folder the file transfers / moves to the normal trash. But if one of my files to my specific folder is deleted then this file transfers / moves in the special trash.

    Thank you!

    Awab!

    Hi fouchka,

    It is not possible to have more than one basket in Windows.

    If you have multiple user accounts on your computer, then also there only a basket.

    Hope the helps of information.
