TLS and PEAP on ACS

Hi all

I would like to ask a question here. In our production environment we use EAP-TLS for wired 802.1X (with ACS for authentication), but we are about to change to PEAP. Is it possible for these two to coexist on ACS until we completely remove TLS? Unfortunately, we do not have a test environment, and of course I would like to avoid a situation where users' PCs are not able to authenticate.

Thank you

Radim

Hi Radim,

In ACS you can enable TLS and PEAP at the same time. This will allow both TLS and PEAP machines to connect successfully.

I'm assuming that you are not changing your certificate provider.

Kind regards
~ JG

Please rate helpful posts.

Tags: Cisco Security

Similar Questions

  • PEAP configuration: ACS 5 vs ACS 4

    I am configuring PEAP on ACS 5 with Active Directory 2003. In ACS version 4, the ACS had to belong to the Windows domain and then the following steps had to be performed:

    1. Generate the certificate (using the template named Web Server as the base).
    2. For PEAP client authentication, ACS must obtain a CA certificate. The requested certificate is the one that was created using the Web Server template.
    3. Then you must install the certificate in the ACS software. Download the certificate in Base64 format.
    4. Then, in System Configuration > ACS Certificate Setup > Install ACS Certificate, install the certificate from the ACS local storage.
    5. Then, in ACS Certification Authority Setup, the *.cer is installed.
    6. And the ACS is ready.

    Now in ACS version 5... In Users and Identity Stores > External Identity Stores > Active Directory, I specified the domain name, the user and the password; if the connection is successful, the ACS becomes a "Member Server" in the Windows domain. My question is: do I have to install the certificate file with extension *.cer (step 5) in ACS version 5?

    Thanks and greetings

    If I understand the question, yes, you import the certificate. It is not downloaded just because ACS has joined the domain. The general concept is the same as in ACS 4.

    Nicolas

  • How do I sync logs between active and standby ACS SE

    Hello all

    I use two ACS SEs (active and standby).

    I would like to synchronize logs between the active and standby ACS SE,

    in other words, I would like the logs on the two of them to be the same.

    Can I configure ACS SE to do this?

    If the two ACS SEs can have the same recorded logs, how do I configure ACS SE?

    The ACS SE version is 4.1 Build 23 Patch 1.

    Your information would be appreciated.

    Best regards

    Hello

    On ACS SE you cannot send logs to another ACS.

    4.1 allows you to send syslogs and logs to Remote Agents.

    Kind regards

    Vivek

  • EAP-FAST and PEAP authentication configuration

    Hello all

    I'm fairly sure EAP works, since it works with LEAP.
    When I get to PEAP and EAP-FAST, I can't make it work.

    What am I missing? I don't know whether EAP-FAST and PEAP require certificates. Also, how do I configure the client side?
    Hope you guys can help me on this point, I'm stuck on this part xD

    First of all I would make sure that PEAP or FAST is configured correctly. Run debugs when testing and pay close attention to the logs on the WLC, or do whatever is necessary to troubleshoot.

    Good read on local EAP...
    http://www.Cisco.com/c/en/us/TD/docs/wireless/controller/7-4/configurati...

    To set up your client, I'll assume it is Windows 7 or newer?

    https://supportforums.Cisco.com/document/68096/PEAP-authentication-confi...

  • Does PEAP configuration in ACS affect my TACACS+ connections?

    So I've just set up PEAP (certs and EAP-TLS) on ACS 4.0. However, since then I can't connect to my routers any more. I see the authentication in the ACS logs, but the router always tells me authentication has failed. I have a local username and password, but that all of a sudden stopped working too. If I restart the ACS server I can connect to my routers while it's down. Once it comes back up, the authentication fails again... ideas?

    It is a known issue; the workaround is to disable the remote logging feature entirely.

    A bug has been filed for this matter:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCeg40355

    CSCeg40355 bug details

    Authentication failures when remote logging fails.

    Kind regards

    ~ JG

    Please rate helpful posts.

  • Shell and Enable on ACS 4.0

    I am puzzled about Shell and Enable and the corresponding configuration on the client.

    (1) If I check Shell under the user group in ACS, I configure:

    aaa authorization exec default group tacacs+ local

    aaa authorization commands 15 default group tacacs+ local

    (2) If I also check Enable on ACS, I configure: aaa authentication enable default group tacacs+ local

    Can I just use one of the two options, or use them together?

    Thank you!

    You can use them together:

    1. aaa authentication enable default group tacacs+ local --> use TACACS+; if TACACS+ fails or is inaccessible, use the local userid/pwd.

    You can use this alone, but if you do not set up authorization, make sure your user in TACACS+ has priv 15. PIX accepts either priv 15 or 2 only (priv 2 is the default if you create a userid in PIX without specifying a privilege level).

    But it is better to use TACACS+ for more/centralized control.

    2. aaa authorization exec default group tacacs+ local --> use TACACS+ to authorize what/which cmd to run; use local if TACACS+ failed.

    aaa authorization commands 15 default group tacacs+ local --> use TACACS+ to authorize which priv-level-15 cmds the user can run, and fall back to local authorization if TACACS+ has failed or is inaccessible.

    You can combine this with #1.

    HTH

    AK

  • Username and password for ACS?

    I installed ACS 4.0 on one of our servers. The problem I have is that when I open the browser to administer the server, I get several errors when I click on some links. I am unable to actually do anything on this server for some reason (maybe a Java problem).

    I thought it would make sense to open the administration tool from my laptop to see if I could manage it from here; however, I don't know what username/password I should enter (if applicable).

    Microsoft's (comes with IE) or Sun's JVM will work with ACS.

    There is no default logon for remote administration sessions. The only default connection is from the same IP address, and no credentials are required.

    To create an admin account use the pages under "Administration Control".

    Mounira

  • Can a primary and backup/replica ACS server be on different versions?

    Hello

    Two ACSs (for example: a 1120 appliance running version 5.x and a 1113 appliance running version 4.x): is a primary on version 5.x with a replica on version 4.x possible? If not, what are the requirements for implementing a primary and backup/replica between devices?

    Thank you

    James

    Hello

    No, you cannot set up replication between the two devices you mentioned.

    The only requirement is that the devices are on exactly the same version and patch build for replication to work.

    Thank you

    Waris Hussain.

  • VPN authentication and wireless through ACS 5.4

    Hello,

    I am in the process of migrating from ACS 4.1.1.23 to ACS 5.4. I have migrated our users and Network Device Groups and configured external identity stores such as AD and RSA. I want to authenticate our wireless users with AD and VPN users through RSA. I am unable to create the policies to get this up and working. I need help with the policy creation.
    As I am new to ACS 5.4, any help with the step-by-step configuration of the WLAN and VPN
    authentication will be appreciated.

    Thanks in advance.

    Regards,

    Anand

    This is possible by creating two Access Services: one that authenticates against AD and the other against RSA.

    Then you need to develop a Service Selection policy that results in one of these two services. One possibility is NAS-Port-Type from the RADIUS dictionary, which should be 'Wireless - IEEE 802.11'.

  • ACS 5.3 and wide-scale changes to network devices

    Hi, I need to find a way to modify a large number of network devices in ACS 5.3: updating name, type and location.

    Is import/export the best solution?

    Thank you

    Renato

    Hello Renato.

    Import/export is already a good option.

    Another option is Python shell scripts:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.3/SDK/cli_imp_exp.html

    Kind regards

    Federico

  • Cisco Secure ACS 5.1 and strong authentication ACS administrators?

    Hello

    Is it possible to authenticate administrators using an RSA SecurID token?

    There is no indication about this in the panel "System Administration > Administrators > Settings > Authentication".

    (I'm under Server Secure ACS 5.1.0.44)

    Thank you

    Christophe

    Hi Christophe,

    Unfortunately not.

    The only DB supported for Administrator accounts is the internal DB of ACS.

    I hope this helps.

    ARO
    Tiago

  • Cisco ISE certificate and PEAP

    Does anyone know where to load the CA certificate for PEAP if you use ISE as the RADIUS server?

    Hello George,

    Refer to:

    Adding a Certificate Authority Certificate

    http://www.Cisco.com/en/us/partner/docs/security/ISE/1.0.4/user_guide/ise10_man_cert.html#wp1053515

    Step 1: Choose Administration > System > Certificates.

    Step 2: In the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.

    The Certificate Authority Certificates page appears.

    Step 3: Click Add.

    I hope this helps.

    Kind regards.

  • Monitor a remote-site ASA and allow the ACS to authenticate

    Hi all

    I have a site-to-site VPN set up and it works fine, but I am struggling to get two things configured; I hope I can get help from you all.

    I need to monitor the remote ASA from my HQ. I use kulvik with SNMP, but I am afraid it would be a threat if I open SNMP on my outside interface.

    'access-list acl_outside extended permit snmp 20.x.x.x 19.x.x.x' - is this safe?

    my configuration:

    Remote

    10.8.0.0/20---ASA---Internet---ASA---10.0.0.0

    I was wondering if there is another way to get my remote ASA monitored.

    My next challenge is to add TACACS+ to the ASA configuration. My ACS is 10.6.1.186, which can be reached from the remote LAN (10.8.0.0/20), but not from the ASA because of policy. How can I get this to work?

    I searched for how to add the source interface in the TACACS+ config but couldn't find it.

    Thank you very much for the support

    See you soon...

    For the interface you want to use, can you please add the following command:

    management-access

    For example:

    management-access server-vlan

    or

    management-access data-vlan

    You can only configure one interface as the management interface.

  • Cisco ISE - EAP-PEAP and EAP-TLS

    Hello

    Does anyone have an example of an ISE policy where authentication requests from a WLC can be processed by both TLS and PEAP?

    I can't seem to get that working; however, I do manage to crash the ISE application with my config, which is not the idea.

    If PEAP, use this identity source; if TLS, use 'this certificate authentication profile'.

    THX

    You don't need to do it in the policy.

    You can create an Identity Source Sequence and have it contain a Certificate Authentication Profile and an identity store:

    Administration > Identity Management > Identity Source Sequences

    You can then select and define the Certificate Authentication Profile for certificate-based authentication and an authentication search list.

  • PEAP/EAP-TLS, PORTEGE with WinXP SP2 Tablet Edition problem

    We have: Cisco Aironet 350 with WPA-EAP; FreeRADIUS with EAP/TLS and PEAP; PORTEGE tablet PC with WinXP SP2 configuration.

    This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
    Can someone help me with this problem?

    Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary. (I hope)
    The preinstalled Windows operating system is a plain OEM version and generally all updates should be possible. However, if the MS guys told you to contact the laptop manufacturer, you can contact the authorized Toshiba maintainer in your country for details.

    But I researched a bit on the net and found this site useful:
    http://SearchNetworking.TechTarget.com/originalContent/0,289142,sid7_gci945257,00.html

    1. 802.1X relies on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
    a. Re-enter the same RADIUS secret in your wireless router and the RADIUS server.
    b. Configure your RADIUS server to accept RADIUS requests from your router's IP address.
    c. Use ping to check router-to-server reachability.
    d. Watch LAN packet counters to verify that RADIUS queries and answers are flowing.
    e. Use an analyzer like Ethereal to watch RADIUS success/failure messages.
    f. For XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".

    2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. This depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, select 'Smart Card or other Certificate' in your wireless network adapter's Properties / Authentication panel. If your RADIUS server requires PEAP, select "Protected EAP" on the adapter. If your RADIUS server requires EAP-TTLS, you will need a third-party wireless client such as AEGIS or Odyssey.
    Make sure that the specific EAP properties match between your adapter and the server, including the trusted root CA certificate, the server domain name (optional, but it must match when specified) and the client authentication method (EAP-MSCHAPv2, EAP-GTC). When you use PEAP, use the 'Configure' panel for MSCHAPv2 to prevent Windows from automatically re-using your logon credentials.
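    The NAS-Port-Type service selection suggested in the ACS 5.4 answer above and the RADIUS debugging tips in this post both come down to looking at the RADIUS packets on the wire. The following Python is an added example, not code from this thread, from Cisco or from FreeRADIUS: it builds a constructed PEAP-style Access-Request and Access-Accept pair under a made-up shared secret, then shows what a shared-secret mismatch (tip 1a) or a corrupted packet looks like when you verify the Message-Authenticator (RFC 3579, HMAC-MD5) and the Response Authenticator (RFC 2865, MD5 over the packet plus secret), which is exactly the failure an Ethereal capture (tip 1e) would show you. It also picks an access service from NAS-Port-Type the way the ACS 5.4 answer suggests. The secret, the outer identity, the fixed Request Authenticator bytes, the service names and the assumption that VPN requests from an ASA carry NAS-Port-Type Virtual (5) are all mine, not the page's.

```python
import hashlib
import hmac
import struct

# RADIUS codes, attribute types and NAS-Port-Type values (RFC 2865, RFC 3579)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE = 1, 61
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80
NAS_PORT_TYPE_VIRTUAL, NAS_PORT_TYPE_WIRELESS_80211 = 5, 19


def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); returns the RADIUS TLV blob."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def get_attr(attrs, wanted):
    return next((v for t, v in attrs if t == wanted), None)


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def _packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def _zero_message_authenticator(pkt):
    """Copy of pkt with the Message-Authenticator value zeroed, as the HMAC is computed."""
    out, found = bytearray(pkt), False
    for t, v in decode_attrs(pkt[20:]):   # validates the TLVs before we walk them
        pass
    i = 20
    while i < len(out):
        if out[i] == ATTR_MESSAGE_AUTHENTICATOR and out[i + 1] == 18:
            out[i + 2:i + 18] = bytes(16)
            found = True
        i += out[i + 1]
    return bytes(out), found


def build_access_request(secret, ident, request_auth, attrs):
    """NAS side: Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    pkt = _packet(ACCESS_REQUEST, ident, request_auth, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()


def build_access_response(secret, code, ident, request_auth, attrs):
    """Server side: the HMAC is computed over the packet carrying the *Request* Authenticator,
    then Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    pkt = _packet(code, ident, request_auth, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    pkt = pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def verify_access_request(secret, pkt):
    """True only if the NAS signed this request with the same shared secret."""
    zeroed, found = _zero_message_authenticator(pkt)
    received = get_attr(decode_attrs(pkt[20:]), ATTR_MESSAGE_AUTHENTICATOR)
    if pkt[0] != ACCESS_REQUEST or not found or received is None:
        return False
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def verify_access_response(secret, pkt, request_auth):
    """Checks the Response Authenticator, then the Message-Authenticator, against the
    Request Authenticator the NAS sent; a wrong secret or a modified byte fails."""
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return False
    zeroed, found = _zero_message_authenticator(pkt[:4] + request_auth + pkt[20:])
    received = get_attr(decode_attrs(pkt[20:]), ATTR_MESSAGE_AUTHENTICATOR)
    if not found or received is None:
        return False
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)


def select_service(attrs):
    """ACS 5.x-style service selection: branch on NAS-Port-Type.
    Assumption (mine): VPN requests from an ASA carry NAS-Port-Type Virtual (5)."""
    raw = get_attr(attrs, ATTR_NAS_PORT_TYPE)
    port_type = struct.unpack("!I", raw)[0] if raw and len(raw) == 4 else None
    if port_type == NAS_PORT_TYPE_WIRELESS_80211:
        return "Wireless-AD"   # access service backed by Active Directory
    if port_type == NAS_PORT_TYPE_VIRTUAL:
        return "VPN-RSA"       # access service backed by RSA SecurID
    return "Default"


def demo(secret=b"constructed-shared-secret", wrong_secret=b"constructed-typo"):
    """Constructed exchange: one outer-identity round trip of a PEAP session, then the
    checks a troubleshooter would run on a capture. Returns the results as a dict."""
    request_auth = bytes(range(16))            # constructed; a real NAS sends 16 random bytes
    identity = b"radim@example.test"           # constructed outer identity
    eap_identity = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    request = build_access_request(secret, 7, request_auth, [
        (ATTR_USER_NAME, identity),
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (ATTR_EAP_MESSAGE, eap_identity),
    ])
    accept = build_access_response(secret, ACCESS_ACCEPT, 7, request_auth,
                                   [(ATTR_EAP_MESSAGE, struct.pack("!BBH", 3, 1, 4))])
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])   # one bit flipped in transit
    code, _, _, attrs = parse_packet(request)
    return {
        "request_code": code,
        "service": select_service(attrs),
        "request_ok": verify_access_request(secret, request),
        "request_wrong_secret": verify_access_request(wrong_secret, request),
        "accept_code": parse_packet(accept)[0],
        "accept_ok": verify_access_response(secret, accept, request_auth),
        "accept_wrong_secret": verify_access_response(wrong_secret, accept, request_auth),
        "accept_tampered": verify_access_response(secret, tampered, request_auth),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    A mismatched shared secret never shows up as a clean error in a capture: the NAS simply discards an Access-Accept whose Response Authenticator does not verify, and the server silently drops a request whose Message-Authenticator fails, so the client sees timeouts and retries rather than a rejection. Running the two verify functions over a captured request/response pair with the secret you believe is configured tells you within seconds whether tip 1a applies.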
