the ACS 5.1 and cisco ACE module

Similar Questions

• HP J4853A and Cisco SFP Module 100BASE-FX

  Hi all!

  HP J4853A and Cisco SFP Module modules 100BASE-FX is not compatible?

  Thank you!

  Both are 100Base FX for at layer 1, they are interoperable.

  Higher tier features will not be handled on one platform or another.

• 5.2 of the ACS and Cisco ACE RBAC does not...

  Would be grateful for help here if it can be provided.

  I am configuring GANYMEDE auth for a Cisco ACE through our 5.2 ACS server. I think that I installed everything correctly but when I connect with my GANYMEDE account it gives me only monitor network privileges.

  This is the Configuration of ACE, I use:

  XXXXXXXX, host 1.1.1.1 key radius-server

  XXXXXXXX, host 2.2.2.2 key radius-server

  RADIUS-server timeout 10

  RADIUS-server deadtime 30

  !

  AAA group Ganymede Server + ACS

  Server 1.1.1.1

  2.2.2.2 Server

  output

  !

  AAA authentication login default group local ACS

  AAA authentication login console Group local ACS

  Default accounting AAA group ACS

  !

  This is the Configuration of the ACS:

  

  When I connect to the ACE I see authenticating and pulling the right group of the ACS journal:

  Connected to the ACS status details user peripheral name server device name group Service identity store identity network access group

  Apr 8:57:40.566 30.13 AM xxxckxxx

  AFA-ACE-internal

  Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

  AD1 all groups: administrator - full HAPP-CSACS

  Apr 8:52:20.256 30.13 AM xxxckxxx

  AFA-ACE-internal

  Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

  AD1 all groups: administrator - full xxx movies

  Apr 8:43:43.276 30.13 AM xxxckxxx

  AFA-ACE-internal

  Device Type: all device Types: load balance devices, network, location: Cameron Enterprises: Oklahoma: Data Center - 1 unit Access.TACACS

  AD1 all groups: administrator - full xxx movies

  But when I log in AS and do a show users that I get:

  * xxxckxxx Dev_VC pts/2 Apr 30 09:57 (x.x.x.x) monitor-network-default domain

  I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

  Thank you.

  Well, it should work effectively at the same time.

  Could you please check the GANYMEDE of ACS logs and check the newspaper correct PROFILE of SHELL (Shell Administrator profile-material) are selected.

  This can be checked by virtue:

  Monitoring & reports >

  Reports >

  Catalog >

  AAA Protocol > authorization Ganymede

  They provide an output of

  Field of Show running-config

  Would appreciate if you can share the result here.

  Jatin kone

  -Does the rate of useful messages-

• Authentication RADIUS and Cisco ACE load balancers?

  Is it necessary to have user accounts local on the load balancers Cisco ACE as well as the user accounts on GANYMEDE where authenticated?

  Thank you very much

  Florrie

  The username account should be there (I agree this is stupid), but the password is arbitrary because it is auth back to ACS. From what I remember, he had something to do with access to the contexts and ACS is not able to determine what context is which and for which user. If all goes well it is 'fixed' in DCC 5 and later version of the ACE.

• Clients vpn AnyConnect and cisco using the same certificate

  Can use the same certificate on the ASA client Anyconnect and cisco vpn ikev1-2?

  John.

  The certificate is to identify a user/machine rather than the Protocol, then Yes, generally 'yes' you can use the same certificate for SSL/IKEv1/IKEv2 connections.

  What you need to take care of, it's that said certificate is fulliling Elements of the Protocol, for example implmentations IKEv2 is 'necessary' particular KU are defined and client-server-auth/auth EKU are defined on the certificates.

  M.

• ACS 5.4 and Juniper J-Web

  Hello

  I have set up a box of the ACS 5.4 and will test the devices on it.

  Cisco and Juniper, both works well with GANYMEDE

  I can connect both the use of SSH or Telnet but my problem is the Juniper J-Web GUI

  I can't access the J-web no problem with the root account.

  I can't seem to make it work, no matter what I try. Here is my shell of the GBA box

  

  And the following configuration of Juniper.  I tried to bind the local-user-name attribute to the remote and remoteadmin with no luck. Anyone got any ideas how I can fix this problem? Or if its even possible?

  version 9.6R1.13;

  System {}

  host name of Juniper-pare-fire;

  authentication-order [tacplus password];

  {root-authentication

  password encrypted "$1$ $1tRuy9o2 LwSPxNwe4XGNMOMIMo1pd1"; # SECRET - DATA

  }

  {tacplus-Server

  10.251.200.25 {}

  secret ' $9$ zaUL6/AtuOIRS5QF/CuEhws2 "; # SECRET - DATA

  Timeout 10;

  Single-connection;

  }

  }

  accounting {}

  events [connection change-journal interactive-commands];

  {destination}

  tacplus;

  }

  }

  {Login

  the user admin {}

  UID, 2001;

  root class;

  {authentication

  password encrypted "$1$ MNUZBLFW$ X2sJL/UTgRYcgBNV4RLe.0"; # SECRET - DATA

  }

  }

  user remote {}

  full name of the "remote user";

  UID 2025;

  operator class;

  }

  the user remoteadmin {}

  full name of "Remote Admin";

  UID 2026;

  root class;

  }

  }

  services {}

  SSH;

  Telnet;

  Web-management {}

  {https}

  System - certificate generated;

  interface fe-0/0/0.0;

  I worked on almost similar issues today and he confirmed that he is able to access J-WEB with the credentials of Ganymede. You can check the config here: https://supportforums.cisco.com/message/3953224#3953224

  Through your config it seems that you have not defined/created classes as he did:

  for example:

  {Login

  class CLASS Number {}

  permissions [view configuration];

  }

  class CLASS RW {}

  permissions in full;

  }

  user {JUNOS-RO

  UID 2000;

  Jatin kone
  -Does the rate of useful messages-

• Problem ACS 4.0 and Server RSA Token

  Hello

  We are having a problem trying to get 4.0 for Windows GBA authenticate users on a Server Token RSA wireless.

  Our Cisco 1200 AP series is configured for WPA2 and LEAP Authentication. He points to the ACS server for RADIUS authentication. Now, it works very well for users with a static password defined on the internal database of GBA. However, for obvious security reasons, we? d as the transmitted authentication to our server internal RSA.

  I installed RSA Agent on the same server as the ACS along (after adding the sdconf.rec file in the System32 folder). The RSA server was added to the ACS external database and a user configured to use the Token RSA server for password.

  When we try to authenticate, the ACS fails the attempt with reason? External DB passes invalid?. The same user can authenticate successfully during the use of the RSA test authentication tool that is installed on the ACS server under the RSA Agent software.

  After running some debugs a pix in front of the servers, I see traffic to and from the servers when you use the test tool (that works), but it looks like GBA doesn't? t even send traffic to the RSA server during authentication.

  Any help or advice appreciated.

  Thank you

  no no no no! Do not use EVER of RSA with WIFI + PAP.

  The token + pin can be sniffed and is good for 60 seconds... on the Wifi which is disastrous.

• The ACE IPS Cisco and Cisco ASA AIP - SSM (IPS)

  Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP - SSM (IPS) devices?

  Can we do without Cisco ASA AIP - SSM (IPS) of 'only' configuration/implementation Cisco ACE IPS.

  Cisco AVS/ACE emphasis on commissioning and to secure web-based applications. IP addresses do not focus on just the web applications and trying to get the multiple layers of the OSI stack. Consider the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

  Here is the response from Cisco itself:

  http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

  Q: how is Cisco AVS Firewall application differs from an intrusion prevention system (IPS)?

  A. IPSs are solid solutions of protection against targeted attacks of known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels to protect against targeted attacks Web sites or enterprise applications. These applications can be built custom internal applications or software vendor. Signatures and security patches are generally not available for these types of applications, and building these security levels in each application, it would be almost impossible.

  Q: how is Cisco AVS Firewall application differs by a network firewall?

  A. The Cisco AVS 3120 and Firewall network such as the Firewall of Cisco PIX® and Cisco ASA 5500 Series Adaptive Security appliances are complementary products. The application Cisco AVS Firewall secures Web applications; excellent network in the network security firewall. and the Cisco AVS provides defense in depth for Web applications.

  Firewall network apply policy networks, IP addresses and ports; they have a wide range of application for many different protocols layer features. The firewall can and will be deployed in many locations, including the edge, edge of the enterprise network, branch, etc. Cisco AVS imposed the policy on data HTTP as URL, headers and parameters. Cisco AVS is deployed in the data center in front of Web applications

  Concerning

  Farrukh

• Cisco ACS 5.1 and ASA SSL VPN change or notify the expired password

  Hello

  Now, my ACS and ASA related to RADIUS (MSCHAPv2). I've set up password life on GBA and password management on SAA. But Cisco ASA did prompt change or whatever it is to notify when the user tries to log on with Clientless SSL VPN. Could you advice me everything to change, or notify the expired password?

  

  PS.

  I check change password on the first login of th on ACS this confirmation of the ASA to change password dialog box. But I want change or warn when the expired password

  Thank you

  The default password is marked as disabled after expiry

  I think that there is an improvement for this in the 5.2.0.26.2 patch and above, which includes the following:

  CSCtk32168: Add an option to change the password when the password expires (T + and Radius)

  After you install this hotfix, you get an option to the user authentication settings is:

  -Disable the user account

  -Expire the password

  When the expiration period is exceeded

  If password is expired then user will be asked to change password next authentication

  Note this latest patch for 5.2 is 5.2.0.26.4. All patches are cumulative

• Cisco ACS 5.6 generating the CSR, the private key file and PK file

  Dear,

  I'll install the trusted certificate of 3rd party, they ask the file CSR, I know i need a key private in order to generate the CSR, actully I don't know where I can find the private key or the private key file.

  Hello OER.

  You don't have a private key to generate a CSR. The private key is actually created during the process of generation of CSR. The CA provider needs a signed certificate for the CSR for you. Once you get the signed certificate you will be 'link' with your CSR to the ACS.

  I hope this helps!

  Thank you for evaluating useful messages!

• Is there a problem with accounting and 4.1 of the ACS

  Good day to all,

  I just installed a new server with ACS 4.1.

  This new installation 4.1 ACS is approved, I will retire my old server that ACS 3.1.

  At this point, the only problem I have with ACS 4.1 is with the accounting.

  For example:

  I used a test-router with all the necessary config pointing to my old 3.1 ACS. Everything works fine (authentication and accounting). If I enter a command on the router test it's journal on GBA 3.1.

  Now, if I change the test-router to point to the new 4.1 ACS, the ACS 4.1 will authenticate the router test correctly, but won't save any command that I enter the router test. I did a shot between the test-router and 4.1 of the ACS and the router test sends accounting statement ACS 4.1.

  There are many different configuration of ACS 3.1 4.1, but as far as I can see the config on the two ACS is as similar as possible.

  Y at - there anyone out there who could do 4.1 ACS to process accounting properly?

  Any idea will help you.

  Thank you

  Frank

  Here is my config:

  AAA new-model

  AAA authentication login default group Ganymede + local

  connection of AAA No.-AUTH authentication no

  AAA authorization exec default group Ganymede + local

  AAA authorization commands start-stop Group 1 Ganymede +.

  AAA authorization commands start-stop group 15 Ganymede +.

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 1 by default start-stop Ganymede group.

  AAA accounting command 15 by default start-stop Ganymede group

  !

  192.168.100.16 host key radius-server *.

  (the above command is the only command I change to point the finger 3.1 ACS or ACS 4.1)

  RADIUS-server application made

  Please use the following link. It has 4.1 cumulative patch that contains the hotfix for bug.

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  Don't forget to download the readme text also.

  Rate me if it helps.

• 4.1 of the ACS and 802. 1 x dynamic assignment of VLANS

  Hi guys,.

  a customer wants to implement assignment of VLANs with 802 dynamics. 1 x. The customer has the following facilities, Cisco ACS 4.1 for Windows, Cisco ASA 5540, CSA 5.2 with CSA MC, several routers and Cisco switches.

  Now, the questations are, we can implement assignment of vlan dynamic without a unit of the ANC and the customer also wants to decide between customers with real antivirus signatures and the old signatures. Older clients are denied access to the anti-virus server and the update of the signature and if everything is ok, to have access to the internal network.

  How could implement us this without a new hardware or software?

  Any ideas? Thanks for help.

  René

  You can have a look on the frame of the NAC system. If you want only the posture validate cable customers then there no extra components to buy. If you want to go wireless, you will likely need to buy a Cisco client that supports wireless. You can get the configuration from here guide:

  http://www.Cisco.com/application/PDF/en/us/guest/NetSol/ns617/c649/cdccont_0900aecd8040bbd8.PDF

  I suggest you prototype and see what you think, the good thing is that you can deploy on a per switchport basis so you can make the installer on ACS without disturbing what is there already and apply it by configuring the switch.

• Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

  I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802. 1 x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

  1. integrated AD

  2 EAP - TLS

  3 certificates

  4 Microsoft CA

  5. the applicant is XP SP 3

  6 non-Cisco 802.1 x compatible switches (switches are not the question)

  I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

  Thanks in advance.

  Hello, Christopher.

  I'll try to give you some tips to achieve what you want.

  Additional info can be found in the user guide:

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  1. in the identity store / Active directory, check "enable machine authentication.

  2 import a certificate for ACS

  Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

  Select how you want to import the certificate, and then verify the Protocol EAP

  3. Add your switches as aaa clients

  Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

  4-go to access policies > Access Services and click on create a new access service.

  Select the selected Type of Service and network access in the list.

  Verify the identity, group mapping and authorization

  5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

  You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

  If all your switches RADIUS will make eap - tls, you can change the rule

  Rule-1

  Ray game

  Default network access

  While in the result, you choose your service of access created in step 3.

  6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

  7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

  8. check that the 'Allowed access' rule is selected in the authorization to access your service

  These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

  Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

  ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

• authentication between the ACS and AD

  Hello

  I would like to know what kind of authentication mechanism ACS 5.1 use to speak with Active Directory. Does simply use MSCHAP, MSCHAPv2 or PAP. By default, it uses PAP to talk between the Cisco IOS and the AEC on the 5.1.

  If you llook at the default admin tab and click on allowed protocols---> he mentions PAP.

  Should I use a safe means of transport between the ACS and AD. IDF, so anyone can say the authentication mechanism?

  Thank you

  Any meeting of directors like telnet, ssh and comfort they always use PAP as an authentication method.

  Although communication pap can be captured and read in this case in clear text. However, since we have Ganymede in use, he always encrypt the whole package with shared secret defined on the IOS and ACS/GANYMEDE so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

  In case you have Ray then using SSH (Putty) so that it can help you for a safe communication.

  ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

  However, the administration does not work on another method of authentication except PAP.

  HTH

  Regds,

  Jousset

  Note the useful posts ~

• No option to simulate the peripheral cRIO after installing Labview and RT/FPGA Modules of downloads (lack of driver support?)

  Hi guys -.

  Basically, I need to simulate a cRIO device without yet having equipment on-site, like this:

  How to simulate the FPGA hardware target using with LabVIEW Project Explorer

  Instead, I only get the options presented in the attachment "Add Target Options.jpg.  I guess it's because of missing drivers, which I assume is due to an error that I made during a recent new LV installation installation went like this: I downloaded (not diskettes) and installed the following (in this order, the latest versions all around):

  (1) LabView development system

  (2) real-time module

  (3) FPGA module

  (4) NEITHER-RIO (previous installation-by-installation)

  (5) DAQmx

  At the end of (1) and (2), I got the screen shown in the second attachment ("Drivers Installer Message.jpg"), but could not able to recognize the folder "device drivers OR" (I also downloaded), or one of its subfolders.

  According to me, I'm missing an obvious option to load the necessary drivers after installation, but can't seem to find reference to it in the forums.  Could someone give me a little help in the right direction?

  Thanks a lot and have a nice day.