The ACS authentication

Similar Questions

• authentication between the ACS and AD

  Hello

  I would like to know what kind of authentication mechanism ACS 5.1 use to speak with Active Directory. Does simply use MSCHAP, MSCHAPv2 or PAP. By default, it uses PAP to talk between the Cisco IOS and the AEC on the 5.1.

  If you llook at the default admin tab and click on allowed protocols---> he mentions PAP.

  Should I use a safe means of transport between the ACS and AD. IDF, so anyone can say the authentication mechanism?

  Thank you

  Any meeting of directors like telnet, ssh and comfort they always use PAP as an authentication method.

  Although communication pap can be captured and read in this case in clear text. However, since we have Ganymede in use, he always encrypt the whole package with shared secret defined on the IOS and ACS/GANYMEDE so if you capture traffic between the radius and the device you won't be able to decipher it without the key.

  In case you have Ray then using SSH (Putty) so that it can help you for a safe communication.

  ACS and AD support PAP, CHAP, MSCHAPv1 and MSCHAPv2.

  However, the administration does not work on another method of authentication except PAP.

  HTH

  Regds,

  Jousset

  Note the useful posts ~

• the ACS 5.1 stopped authentication logs after restart!

  Hi all

  I recorded the configuration running on first startup and restarted the ACS 5.1. Since then he stopped authentication logs, if I can connect to network devices using Ganymede connection, but I get no logs of authentication Ganymede? Your prompt response will be appreciated

  Rgds

  HK

  Hello

  Can you please access the ACS CLI through SSH or Console and run "display the acs application state? Are all ACS services running or some hang on the State "Initializing" or "not tested"?

  If so, you might want to try a restart of services ACS with 'stop acs', then 'start acs '.

  If the reports are not displayed on the follow-up and reports it is generally considered a problem with ACS View services.

  I hope this helps.

  Kind regards.

• Is there a problem with accounting and 4.1 of the ACS

  Good day to all,

  I just installed a new server with ACS 4.1.

  This new installation 4.1 ACS is approved, I will retire my old server that ACS 3.1.

  At this point, the only problem I have with ACS 4.1 is with the accounting.

  For example:

  I used a test-router with all the necessary config pointing to my old 3.1 ACS. Everything works fine (authentication and accounting). If I enter a command on the router test it's journal on GBA 3.1.

  Now, if I change the test-router to point to the new 4.1 ACS, the ACS 4.1 will authenticate the router test correctly, but won't save any command that I enter the router test. I did a shot between the test-router and 4.1 of the ACS and the router test sends accounting statement ACS 4.1.

  There are many different configuration of ACS 3.1 4.1, but as far as I can see the config on the two ACS is as similar as possible.

  Y at - there anyone out there who could do 4.1 ACS to process accounting properly?

  Any idea will help you.

  Thank you

  Frank

  Here is my config:

  AAA new-model

  AAA authentication login default group Ganymede + local

  connection of AAA No.-AUTH authentication no

  AAA authorization exec default group Ganymede + local

  AAA authorization commands start-stop Group 1 Ganymede +.

  AAA authorization commands start-stop group 15 Ganymede +.

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 1 by default start-stop Ganymede group.

  AAA accounting command 15 by default start-stop Ganymede group

  !

  192.168.100.16 host key radius-server *.

  (the above command is the only command I change to point the finger 3.1 ACS or ACS 4.1)

  RADIUS-server application made

  Please use the following link. It has 4.1 cumulative patch that contains the hotfix for bug.

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  Don't forget to download the readme text also.

  Rate me if it helps.

• The AAA authentication configuration

  We have ACS server 3.1 to AAA for authentication for all routers and switches. I want each person to connect the router using its own id, password password and activate. If the ACS server is unavailable, I want to have different id, password and enable password for console and telnet access. What is the right way to do this? I also want to follow all orders entered on the router.

  That's what I have:

  AAA new-model

  AAA authentication login default group Ganymede + local

  enable AAA authentication login no_tacacs

  the AAA authentication enable default group Ganymede + line

  AAA authorization exec default group Ganymede + local

  AAA authorization commands 15 default group Ganymede + local

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 15 by default start-stop Ganymede group.

  !

  username admin password 7 xxxxxxxxxxxxxxxx

  !

  !

  Line con 0

  connection of authentication no_tacacs

  line to 0

  line vty 0 4

  password 7 xxxxxxxxxxxxxxxxxxxxxxxx

  !

  Yes, it's Joy on the right. Thank you, Renault

• Ensure the redundancy of the ACS

  Salvation;

  What happens if my ACS only breaks down? ACS is active on my access switches.

  What deployment scenario are we talking about here? For example, with 802.1 X deployments there a function (called inaccessible Authentication Bypass) that allows you to access a VLAN specific in the scenario where connectivity to the ACS server is compromised. Is that something can help you?

• In an another (trusted) domain bij Agent ACS ACS authentication

  Hello

  I had two areas. Domain A is the top level domain. B is the child domain of the domain A.

  The ACS Agents are installed on two domain controllers in domain A.

  Authentication of clients in domain A is ok.

  Authentication of clients in domain B is a problem.

  I created a universal group in the field. In this universal group, I put a global group of users from the domain b. authentication not ok.

  The ACS "Journal of authentication failed": SAIS: "external DB account Restriction".

  What is the problem here?

  Gr.

  Remco

  Check if users are not mapped to a group of people with disabilities. Do not map several windows for ACS group groups. The following link can help you

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/QG.html

• AAA GANYMEDE + accounting - CLI question by user not appear in the report of the ACS.

  Can I know why CLI cancelled by the user does not show on GANYMEDE ACS accounting report. The length of time is displayed, but I also wanted to connect what is the commands issued by the user.

  WHA is missing here?

  enable AAA authentication login VTY P1_ACS local group

  Group default AAA authorization exec local P1_ACS authenticated by FIS

  AAA authorization exec CONSOLE none

  AAA exec by default start-stop accounting P1_ACS group

  AAA commands 5 default start-stop accounting P1_ACS group

  AAA commands 15 arrhythmic default accounting P1_ACS group

  Accounting logs command is stroed in the newspapers of the administration of Ganymede.

  There is also a known issue on ver 4.1.1 and we must

  apply the ACS 4.1.1.23.5 patch to fix the problem.

  Patch for the unit is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-Soleng-3DES

  The patch name: ACS SE 4.1.1.23.5 rollup

  Acs hotfix for windows is available on

  http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-3DES

  The patch name: ACS 4.1.1.23.5 rollup

  CCIE Security

• Secure ACS Authentication and Authorization with SecurID

  I am able to authenticate connection attempts using an external database (RSA SecurID).  The problem is that everyone with a token is authorized to connect on any switch with priv15 or whatever I put (but no way to control who gets what access).  How can I allow users based on a certain type of belonging to a group?  The SecurID server is already integrated with LDAP, it only checks to see if the user exists in the database.

  I need to create two groups, or even only allow a single group and deny everyone, but anyone in the organization with a token is allowed to connect.  I can't find guides who do anything beyond authentication when you use a SecurID token.

  Thank you.

  Hello

  Have routers and switches, you given the command "authorization exec default group aaa GANYMEDE", it seems that you have only defined authentication on devices. When the control is in place, user access privileges may be governed by the ACS. In network administrator access by default policy (if you are using the default strategy for GANYMEDE), to set the authorization rule to verify membership in a user group and provide the appropriate profile of shell. Make the default rule to give DenyAccess shell profile to other users.

• Excluding the lines of Terminal Server in the AAA authentication

  Hi all

  Hope you can help, I'm trying to find a solution to exclude only the following line port by using the AAA authentication (ACS GANYMEDE +) on a map of Terminal Server on a Cisco 2600 router.  Does anyone know how to do this, or point me in the right direction to solve?

  I've included the output below:

  AAA authentication login default group Ganymede + local
  AAA authorization exec default group Ganymede + local
  AAA accounting exec default start-stop Ganymede group.
  AAA accounting network default start-stop Ganymede group.
  AAA accounting default connection group power Ganymede
  AAA accounting system default start-stop Ganymede group.
  AAA - the id of the joint session

  line 41
  session-timeout 20
  decoder location - XXXXXX XXXXXX BT
  No banner motd
  No exec-banner
  absolute-timeout 240
  Modem InOut
  No exec
  transport of entry all
  StopBits 1
  Speed 38400

  Is it a question of disabling the command line or using a defined group?

  Thanks a lot for your help.

  Jim.

  Hi Jim

  You may need to create another group for authentication to the and send your AAA configuration

  line to 0

  connection of authentication aux_auth

  AAA authentication login aux_auth line

  You can also configure a username local/pw and map it on the group to here...

  Console and telnet would still use the configured default group, or you can specify specific groups:

  Line con 0

  console login authentication

  line 4 vty0

  vty authentication login

  and specify the aaa authentication settings individually...

  I hope this helps... all the best

  REDA

• 5.6 ACS authentication problem

  We are in the process of upgrading our ACS 4.1 for a 5.6 ACS appliance.

  The unit is installed on the network, etc. correctly licensed.

  I joined the ACS server to the AD domain without problem. I created a few local and external (AD) users for testing.

  I created a network (switch catalyst) as a Ganymede client device + and specified single-connect.

  When I SSH into the switch, I can connect using my AD user name and password, but I can't go into enable mode. It says "authentication failure".

  My aaa settings are

  radius-server host 172.25.50.8
  RADIUS-server timeout 3
  RADIUS-server application made
  radius-server key

  Miss me something somewhere, I don't know where. If I try and download the bundle to support ACS, it says download, but does not say where (or how).

  any advice would be great. I'm new to this product.

  See the document: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/migration/guide/migration_guide/Migration_support.html#pgfId-1014889

• To access the AIP-SSM-10 through the ACS

  Hye,

  Please, I would like to know if you can access the AIP-SSM-10 using a Cisco ACS account.

  Thank you

  IPS module does not support authentication to the ACS server.

  Please find the only authentication method for IPS in the following document:

  http://www.Cisco.com/en/us/docs/security/IPS/7.0/Configuration/Guide/IDM/idm_sensor_management.html

  Hope that answers your question.

• Administrator rights to the ACS using Active Directory groups

  Good afternoon

  We must be able to use administrative accounts for our device ACS who reside in an Active Directory group, if possible.  If this is not possible, what other safer options would we be able to use (RADIUS authentication or authentication RSA 2)?

  Thanks in advance

  You can only use the locally stored accounts within the ACS.

• Issue of operability of the ACS as RADIUS with ASA 5.0?

  Hello

  I'm trying my VPN to get authenticated user with RADIUS (ACS 5.0). and VPN users database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. Infact, I get an error message (through debugging at the level of the SAA for aaa and isakmp) my RADIUS server is DOWN.

  Please let me know is there any compatibility issue with ACS 5.0 on it because everything was working fine on my version 4.2 of the ACS.

  Concerning

  Ritesh

  Ritesh,

  Yes, there is a lack of ACS 5.0 with vpn authentication.

  When you try to connect with the VPN client. you will not see any hits in the follow-up and the views.
  The ASDM logs: you'll see radius server is not accessible.
  Debugs you show RADIUS period.
  This will work with Ganymede.

  Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858

  http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858>; Used Ganymede + instead of RADIUS.

  If you want to use the RADIUS then you need to upgrade your version of acs to 5.1

  You can down load patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:

  Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

  Reference: update of the CSA since version 5.0 to 5.1:
  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

  HTH

  Kind regards

  JK

  The rate of useful messages-

• 4.2 of the ACS and EAP - TLS with AD and prefix problem

  Hello

  We have the following situation:

  -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

  -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

  First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

  Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

  This is the normal output of the Remote Agent, he finds the host but then nothing happens:

  CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
  CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
  CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
  CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

  So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

  AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

  CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
  CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

  It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

  This could be the problem, or if someone sees no other problem?

  Best regards

  Dominic

  Hello

  I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?