SSID on ACS 5 authentication

Similar Questions

• Cisco ACS wireless authentication

  Hello guys,.

  I'm testing wireless authentication and authorization with my users wireless via ACS 4.2. I have version 4.2 test on Windows 2003 for the test. I also WLC 5508 and 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.

  Windows 2003 is part of the field; and the GBA, if I go to the external database > Database Configuration > Windows database > configure

  From there, I chose my domain name, select "devices the EAP - TLS Machine authentication. I've also mapped the domain to the group I created in ACS.

  I also looking default RADIUS ports 1812 and 1813 the GBA.

  On my WLC 5508, I created a WLAN and define the RADIUS IP to the IP address of the ACS. However, I tried to join the wireless network. It keep the default.

  I installed the cert of the user on the laptop for EAP - TLS. If I changed the server RADIUS on the WLAN and pointed to AD/NPS that I, my portable test was able to join the network wireless through EAP - TLS.

  I'm a little confused on the ACS GANYMEDE +. GANYMEDE + is only used for the connection to network for managing devices or can be used for regular users for authentication and authorization?

  For example, a user wireless, which is part of the domain, need to join a corporate network without wire in his office. Can I use GANYMEDE + for it or it must be the RADIUS by ACS 4.2?

  Thank you

  Yes it's true, and it applies as well in Wired.

  On GBA, please add WLC as an AAA client with RADIUS (Cisco airespace)
  

  Configuration of WLC and ACS for the RADIUS settings.

  http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

  You can visit the listed link below to install the certificate on ACS 4.2

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/peap_tls.html

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• 2611XM Terminal Server + ACS + new authentication when selecting menu options

  Hello

  I managed to configure ACS authentication on my 2611xm router,

  After you connect to the router, I have an autocommand configuration to run a menu.

  My problem is when you select the option in the menu,

  You are then re invited to reauthenicated against the router before connecting to the line,

  can someone tell me how to prevent it.

  Thank you for your time and effort in advance, I have attached a config below.

  DDRAS01 #sh running-config

  Building configuration...

  Current configuration: 6854 bytes

  !

  ! Last modification of the configuration at 10:28:49 GMT Sunday, February 21, 2010 by

  !  NVRAM config update at 19:25:53 GMT Saturday, February 20, 2010 by

  !

  version 12.4

  horodateurs service debug datetime msec

  Log service timestamps datetime msec

  encryption password service

  Service linenumber

  sequence numbers service

  !

  hostname DDRAS01

  !

  boot-start-marker

  boot-end-marker

  !

  Security of authentication failure rate 3 log

  Passwords security min-length 6

  logging buffered 51200 informational

  record of the rate-limit all 10000

  recording console critical

  enable password 7

  !

  AAA new-model

  !

  !

  AAA authentication login default group Ganymede + local

  AAA authentication login if_needed local

  the AAA authentication enable default

  AAA of authentication ppp default local

  AAA authorization exec default group Ganymede + local authenticated by FIS

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  AAA - the id of the joint session

  clock timezone WAS 10

  summer time clock WAS recurring last Sun Oct 02:00 last Sun Mar 03:00

  no location network-clock-participate 1

  No network-clock-participate wic 0

  IP cef

  !

  !

  !

  !

  list of IP domains

  list of IP domains

  IP domain name

  the IP 2033 172.16.1.1 host dd-cr-01F

  ddsws01 host IP 172.16.1.1 2034

  ddsws04 host IP 172.16.1.1 2035

  ddce565 host IP 172.16.1.1 2040

  IP-name server

  IP-name server

  !

  !

  !

  password username d ' operators 15 7 privilege

  !

  !

  property intellectual ssh source interface FastEthernet0/0

  property intellectual ssh event logging

  property intellectual ssh version 2

  !

  !

  interface Loopback0

  IP 172.16.1.1 255.255.255.255

  !

  interface FastEthernet0/0

  IP 255.255.255.0

  Speed 100

  full-duplex

  !

  interface Serial0/0

  no ip address

  Shutdown

  !

  interface BRI0/0

  no ip address

  encapsulation hdlc

  Shutdown

  !

  interface FastEthernet0/1

  no ip address

  Shutdown

  automatic duplex

  automatic speed

  !

  IP forward-Protocol ND

  IP route 0.0.0.0 0.0.0.0

  !

  IP http server

  no ip http secure server

  Ganymede IP source interface FastEthernet0/0

  !

  radius of the IP source interface FastEthernet0/0

  exploitation forest installation local6

  logging

  SNMP-server RO community

  SNMP-server RW community

  SNMP server location

  contact Server SNMP d ' operators

  !

  title of menu ddras01 ^ C

  Server Terminal Server for Cisco

  Select number from the list below

  Use "ctrl + shift + 6" then 'x' to switch to the menu

  ^ C

  text of ddras01 to menu 1 connect to the DD-CR-01

  order of menu 1 ddras01 resume JJ-cr-01 / dd-cr-01 2033 telnet connection

  ddras01 text menu 2 connect to DDSWS01

  order of menu 2 ddras01 resume ddsws01 / ddsws01 2034 telnet connection

  text menu 3 ddras01 connect to DDSWS04

  order of menu 3 ddras01 resume ddsws04 / ddsws04 2035 telnet connection

  text menu 8 ddras01 connect to DDCE565

  order of menu 8 ddras01 resume ddce565 / ddce565 2040 telnet connection

  menu 9 ddras01 text output

  menu ddras01 command menu-exit 9

  ddras01 menu clear-screen

  menu ddras01-status line

  menu-ddras01 line mode

  radius-server host 10.2.0.50

  RADIUS-server application made

  radius-server key 7

  !

  control plan

  !

  privilege exec 15 level write terminal

  writing level 15 privileges exec

  Ping privileges exec level 1

  privilege exec 10 undebug ip icmp level

  privilege exec 10 undebug ip level

  level of privilege exec 10 undebug all

  privilege exec 10 undebug level

  terminal monitor exec level 10 privileges

  privilege exec 10 level terminals

  privilege exec 15 level show running-config

  See configuration at the privileged exec level 5

  show privileges exec level 5

  privilege exec 10 debug ip icmp level

  privilege exec level 10 debug ip

  privilege exec 10 level debug all

  debugging privileges exec level 10

  clear interface of privileges exec level 10

  clear counters at level 10 privilege exec

  level of privilege exec 10 clear

  !

  Line con 0

  password 7

  Synchronous recording

  line 33 64

  No exec-banner

  exec-timeout 0 0

  no activation-character

  No exec

  preferred transport telnet

  transport of entry all

  character of exhaust-27

  StopBits 1

  FlowControl hardware

  line to 0

  line vty 0 4

  password 7

  Synchronous recording

  ddras01 menu autocommand

  line vty 5 181

  password 7

  Synchronous recording

  ddras01 menu autocommand

  !

  NTP-period clock 17208487

  source NTP FastEthernet0/0

  NTP server

  end

  Hello

  You have aaa login default configured for authentication, with this you get invited

  When you try to access the line.

  Under line VTY 5 181 try adding:

  authentication of the connection /NOAUTH

  exec authorization /NOAUTH

  Add the lines of aaa:

  /NOAUTH AAA authentication login no

  /NOAUTH AAA authorization exec no

  This should stop the authentication to the lines.

  -Jesse

• ACS wireless authentication failed

  Greetings,

  We have recently migrated to IAS in Windows to Cisco ACS 5.2.0.26 for our wireless authentication and use PEAP-MSCHAPv2 hit AD. Everything seems to work fine except when a user account has a restriction on which machines they are allowed to connect to, date to which an ACS journal entry shows as follows.

  24441 account not allowed to log on by using the current workstation

  This was work properly when we were using the IAS server and I think ACS is not just pass the attributes required at this time. All know how what extra configuration may be needed in ACS to support this configuration?

  See you soon,.

  Rob

  Sounds like you have enabled computer authentication. In the case of ACS wireless can get the names of the authentication request machine. With this strategy/limitation defined in Active Directory to apply the restriction of user login then ACS will have to provide a name of host machine for each request that it send to Active Directory. As it has already set up it is not possible for the CSA to know the name of the actual machine of the authentication of the user, ACS sends a default name for the machine its own name with each request to AD. On the ad, we create a computer by name of ACS account and then allow all users to connect to this computer. This way ACS is allowed to authenticate all.

  If please see Add GBA as a computer account on the ad with the same host name and see if helps.

  Rgds,

  Jousset

  The rate of useful messages-

• Cisco ACS AD authentication

  Hello!

  IM currently deploying Cisco ACS 5.4 on our netwrok and I'm looking for in some additional measures to ensure authentication and authorization to the devices.

  I would like to ask if anyone has any advice on the following as I may have been embarrassed to do this way myself.

  OK the users that now are authenticated with an external identity store (Active Directory). I would like to know if theres a way also to authenticate these users or allow them to ACS so that when the IT Department adds a user who should not be in a group, but the group is authenticated to a set of devices, this user will be nto be able to access devices.

  A simpler explanation is as follows.

  E.t.c groups are ficitonal

  I have group in AD called "Engineers" that contains 2 users, user A and user B.

  Engineers have a shell on ACS profile that gives permissions/privileges superuser on the devices.

  However, Active Directory is managed by the it Department that could be social designed to add a C user in this group.

  What I need to know is a way to allow the user has and user B to access devices while maintaining the profile of the shell with the Group of ads "engineers."

  I am aware of the conditions is devoted to profiles/authorization rules. Is that mean I have to create both local users and assign their passwords as well?

  Im a bit confused as you can see it...

  Any help will be greatly appreciated!

  Thank you!

  Because user C would be added to the same group that already contains users A and B and the authorization rule is configured to grant access from root of users A and B belonging group engineering, then user C will also be granted this access.

  ACS has no way to know what the users are members of the engineering group, nor can it detect that the user C has been successfully added.

  If you want to use the credentials of the AD and at the same time maintain a canonical list of users for ACS check, you will need to create local GBA users, as you suggested above.

• WLC / ACS / AD - domain and laptops no - domain (802. 1 X / PEAP)

  Hi all

  I implement a solution based on 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is to have two WIFI (SSID), that can be used by users on laptops of the domain, the other can be used by the users in the domain on personal laptops. Field portable computers will have full connectivity, but personal laptops will be restricted.

  I created the two SSID using 802. 1 X by ACS / Remote Agent and can authenticate and connection OK.

  I thought I should have user auth and auth machine for laptops of area but just user auth for personal laptops.

  I have unauthenticated machines go to one group ACS or blocked, but I need to enable them in if they are on the SSID restricted. I can't quite understand how to have two SSID is authenticating with the same ACS / AD - one green and the other.

  I'm on the right track?

  Anyone done this before or have any bright ideas?

  See you soon,.

  John

  With the use of WLAN access based on the SSID, users can be authenticated based on the SSID they use to connect to the WLAN. The Cisco Secure ACS server is used to authenticate users. Authentication happens in two stages on the Cisco Secure ACS:

  1 authentication EAP

  2 resulting SSID authentication of network (NARS) on Cisco Secure ACS Access Restrictions

  For the new designation and configuraiton following URL can help you:

  http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

• Autonomous aPs with several SSID in a VLAN?

  Hello

  We use autonomous APs to Cisco in our spirit of place several THAT SSID configured with WPA - PSK.

  Now, we want to add a different SSID using WPA - EAP authentication.

  Since many of our branches have flat architecture VLAN with only one VLAN, we would like to have two SSIDS in the same VLAN, in a subnet.

  This is supported in the autonomous APs?

  Kind regards

  Sinan

  It is possible, if it is not a standard way of configuration.

  Here's a solution if you willing to give it a try. If you have a dish vlan, you can configure your AP connected as access vlan switchport & configure your SSID two like that. It should work (I tested with Open Auth & you can try to add security as well). You may not be able to broadcast two SSIDS, but it's something you have to make compromises if you wish.

  CONFIG SWITCH PORT *.

  interface GigabitEthernet1/0/11

  Description of the AAP-1142

  switchport access vlan 143

  switchport mode access

  spanning tree portfast

  CONFIG OF AP *.

  A1140 hostname

  !

  dot11 ssid ARH

  open authentication

  !

  dot11 ssid MNR

  open authentication

  Comments-mode

  !

  interface Dot11Radio1

  SSID ARH

  SSID MNR

  root of station-role

  Bridge-Group 1

  no downtime

  !

  interface GigabitEthernet0

  Bridge-Group 1

  !

  interface BVI1

  DHCP IP address

  !

  Once you do this you can associate the client with different SSID, but all get flat IP of the same vlan (143 in my example)

  A1140 #show dot11 associations

  802.11 client Stations on Dot11Radio1:

  SSID [ARH]:

  MAC address IP Device Name Parent State

  a088.b435.c2f0 192.168.143.63 ccx-customer A1140 self Assoc

  SSID [MNR]:

  MAC address IP Device Name Parent State

  04f7.e4ea.5b66 192.168.143.64 unknown - homes Assoc

  A1140 #sh worm

  Cisco IOS software, software of C1140 (C1140-K9W7-M), Version 12.4 (25 d) JA, RELEASE SOFTWARE (fc1)

  HTH

  Rasika

  Pls note all useful responses *.

• ACS 3.2 breaks down when the RDBMS isn't available.

  Someone knows a problem connecting equipment that auths to ACS 3.2 if their ACS (ODBC) login record is down?

  I have not checked this bug yet but we have picked up our computer (postgresql) of ODBC logging, it was moved to another building. Throughout the weekend that the computer was down and I couldn't log into any of my ACS devices controlled (switches, AS5200). As soon as the computer was brought back online connections have started working again.

  I did not see this listed in the notes, but I may have missed. In any case I'm check if anyone else has experienced this problem and ask yourself how do I solve this problem (at least it was a bad surprise, luckly I hadn't started wireless auth to the GBA unit)

  Thank you

  Wes

  It is likely, although probably not documented anywhere.

  At the time current ACS works as follows:

  When ODBC is configured, ACS blocks authentication until the

  Log ODBC is done or has failed due to the delay. The failure of ODBC timeout

  occurs when the external database is unreachable. In this case, the

  authentication fails if this delay is longer than the

  timeout for the device.

  Workaround to activate authentication despite the failure of logging is to increase the radius-server on the device/NAS (for example time-out

  5 to 10 seconds). It can be done using the following CLI command:

  "radius-server timeout 10". You may need to increase it even more depending on how long the wait time is on your ODBC database.

  There is an enhancement request in to have the GBA behavior has changed, you can see here (http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb21974&Submit=Search). Because he considered a request for improvement, don't hold your breath waiting for that, playing with delays so that you don't get hit by it again.

• CS ACS Solution engine with external AD database

  I have a client who has set up a CS ACS Solution engine (device). They currently have VPN tunnels that terminate on the SAA and the ACS provide authentication via an external database to the AD. I did the installation or configuration of the device and I'm new to ACS. There is a group in an ad that was created to allow access to the VPN, and it works. I created a second group in AD and a test user. The user account will not correctly authenticate when establishing a VPN session. I checked the agent ACS logs on the controller of the AD is to show that the user performs the authentication correctly, and it seems that the agent is not transmitting this information to the ACS. Alternatively, the ACS is ignorant. The GBA, the generated error is "external DB account Restriction." I can't find anything specific to this topic. I checked that the announcement represent works and can log on to a workstation. I checked the properties of account for the test account. I think it's related to the membership of the group. I have a group in ACS named exactly the same as the ad group and of the test account is a member of this group. I don't know where to start any help would be appreciated.

  You must map this group

  User to external databases > database group mapping > Datbase of Windows... section

  A group of ACS, naming the group exactly the same as the Windows AD Group ACS establishes no relationship between them.

  I guess that your all other combinations in the group mapping are mapped to one ' "group, OR to a group that is disabled.

  Please ensure that the mapping of good group on ACS for the new group you created on AD.

  If you move in the right direction, problem seems to reside in group mapping

  Kind regards

  Prem

• Problem with the configuration of SRW 2016 to 802. 1 x with Cisco ACS 4.2

  Hi all

  I have infrastructure cisco catalyst cisco 2960, 3560 and 2 x 4.2 ACS and authentication of 802. 1 x is working very well.

  I tried to add Linksys SRW2016 in rail infrastructure, but I encountered a problem.

  I did the same configuration on ACS for all other switches and I configured SRW2016 according to maunal for .1x and log on to ACS in FAILURE ATTEMPTS I got following error:

  Message Type: bad NAS request

  Authentic-failure-Code: authenticator of invalid message in the request of the EAP

  I have receked configuration especially the Shared Secret, and that's OK.

  No idea what is the problem and how to solve?

  Best regards

  Goran,

  It is especially indicative of a bad shared secret. Can you confirm if the Linksys switch is in a NDG, and if so, you have keys defined for the NDG?

  Faisal

• ACS Cisco 1113 4.2 1113 configure auth. for Infoblox Appl.

  Hello

  I have a problem with Cisco ACS and an Infoblox appliance. We want to authenticate users, this connection on the Infoblox, through the Cisco ACS. After that the ACS should respond with authentication (RADIUS) passed and answer with an administrative groupname that the user belongs on the Infoblox. To do this, I have to import a VSA to have the option of the CSA to respond with this groupname. On the Infoblox, these groups are already done, and it must be the group that meets the CSA.

  Now I have imported the ASB and configured an AAA (infoblox) client to use the new RADIUS (VSA) to support the Infoblox. In the groupsetting, I lit the Infoblox-Group_info attribute and filled a specific groupname the authenticated user belongs. Now, here's the part where the news of group are returned, but the appliance Infoblox gives me a RADIUS error response message. As I see in the newspapers of the ACS user authentication part is fine. So there must be between the info ACS responds with, when the user connects.

  I have attached the VSA and a *.pcap of wireshark to see what is happening.

  Can we advice to suggest any option that can make this thing work.

  With respect,

  Richard Gosen

  Hi Richard,

  Please find attached the accountsActions to remove it, and you can use your original accountsActions to readd the ASB.

  Hope that works.

• Number of certificate to ACS secondary

  Hello

  We distributed the deployment model ACS where primary ACS can do the role of configuration and secondary ACS made the oversight role.

  Our certtificate of root has been exceeded two days back and we have installed this kind of forgot to install on secondary ACS primary GBA.

  For this reason, our some wirless useers could not connect wireless with authentication with fail messages.

  So my question is, ACS primary and secondary are accepting the request of AAA and you answer that we use the deployment of didtributted model.

  Or can share any document from cisco that shows this?

  The WLC send the primary ACS server authentication and will only use the secondary image if there is no response from the primary. The WLC is not fail the primary unless the secondary does not respond or if you have active relief in which the WLC will check if the primary is in place.

  Sent by Cisco Support technique iPhone App

• Installation of Cisco ACS 5.4

  I am setting up Cisco ACS 5.4 for my org. The way I put it in place, ACS passes authentication to a RADIUS server. The problem is that it does for the user and the password to enable on each account. Is there a a way to configure ACS to review on-site in its stores of internal identity for the enable password but keep passing on the user part of RADIUS?

  Hi Jessica,.

  I went through your query and it seems that you would like to authentication of the connection to be checked with another external radius (radius proxy server) server and can be verified with the password to enable configured locally on GBA.

  I don't think that if this cannot be done with the Protocol radius with Ganymede, however we can use service attribute and that you can set in the identity > selection if the service corresponds to point of AD database connection or if the matches allow it to point to the internal database based on rules. I've attached a screenshot of the same thing for your reference. The source of identity could be anything configured databases.

  

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• ACS 5.4 with AD domains

  I read the release notes and the user guide for 5.4 ACS which mentions the ability to reach the nodes of GBA of the same deployment to different areas of the AD.  But each node can be attached to a single AD domain.  My question is this... in a failover situation that it buy me?

  Hypothetical:

  I have two sites, each with a CBS, and each has its own AD domain.  The ACSS is deployed in a primary/secondary relationship, devices to ACS use A of the Site A site as principal for authentication, devices to site B use of the ACS Site B as principal for authentication.

  Scenarios:

  1. The ACS Site A if Site A devices will attempt to join the Site B ACS for authentication.  But if they use different AD Site domains a user cannot authenticate and would be denied access.  Fix?
  2. If a Site B user trying to access a device to A Site, this device attempts to authenticate the user using the Site to ACS.  This will fail because the ACS Site A reference only the AD Site A domain?

  I'm missing what advantage I deploy the two SACRED if they cannot use or access the users on the two areas.  Maybe I'm not understanding something here.  Can someone shed light on this or point me to a document that could help?

  Thank you...

  I second you on that fact, it is not very well documented. In almost every deployment, the role of the secondary server (located on another site) is to provide a total where the failure of the primary ACS server redundancy.

  In your case, if you have both the ACS are attached to two different areas, as

  Site (ACS1-primary) - domain a.

  Site B (ACS2-secondary) - area B

  We have to make sure that domain A to trust domain B and vice versa because if the secondary server is configured for replication of the primary, which means that the authorization rules will be same on both GBA. Have full 2-way trust between the two domains would be you can extract the ACS 1 B domain groups and domain from DCC 2 groups.

  The ONLY advantage of this feature will come into play during authentication. If the users in the domain B showed up at ACS2 for authentication, group recovery time would be less if it's a direct field instead of across the field.

  The purpose of redundancy will fail where there is no possibility of 2-way trust. It is not right to these deployments.

  Hope it adds few specifics.

  ~ BR
  Jatin kone

  * Does the rate of useful messages *.

• ACS 4.2 - internal error

  Since yesterday, the newspaper has no authentication is showing Internal Error when people attempt to authenticate by using their AD credentials.  Until a few weeks ago, the ACS (windows 2003 SP2) server has been configured with two controllers/Server DNS - one was Win2003 and the other was Win2008.

  The controller Win2003 was demoted and replaced by a controller 2008-R2-, but this internal error problem appeared only yesterday.

  If I restart the ACS - normal authentication server using AD recover during a short period of time - but then the problem reappears.

  Any ideas?

  Hello

  The following link describes the migration of ACS 4.2 to 5.2 ACS.

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/migrate.html

  I hope this helps.

  P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.