Wildcard AAA Client ACS4.1
Hi, I am trying to solve the following problem:
I use ACS for authentication and accounting of administrative access to network devices, and I would like to control which users have access to which devices. I have about 2500 network devices in my network, and instead of adding each one to the ACS database, I created a generic AAA client with the IP address *.*.*.*.
It has worked well so far (a very simple setup, I know), but now I want to add firewalls and other sensitive devices and restrict access using NARs. The idea was to create new AAA clients for each type of device and deny access to restricted groups with a NAR. The problem is that when you define the new AAA clients with specific IP addresses, a conflict with the generic AAA client is detected.
Is there another way to solve this problem, other than importing all network devices and creating NDGs? That is what I wanted to avoid.
Any help is greatly appreciated.
Thank you
Niels
Niels,
First of all, I would not recommend having this kind of setup. Anyone can plug in an AAA client and send many requests to ACS, causing a delay in the processing of legitimate requests. It's like opening the doors of ACS to everyone.
For your question, there is no way you can add separate IPs, since the wildcard covers the full range.
The best way is to import your AAA devices. You can use RDBMS synchronization to import everything at once.
Another easy way is to add networks like 10.5.*.* / 30.34.*.* / 30.35.*.*
Kind regards
~ JG
Please rate useful posts.
Tags: Cisco Security
Similar Questions
-
Internal DB ACS4.2 replication - does not replicate the AAA clients
I'm trying to set up a new ACS 4.2 server. ACS is installed, a replication partner is configured, etc. The master and the new slave both run ACS 4.2(0) Build 124. (The master shows 'Patch 12'; the slave shows no patch info.)
The replication settings on the new ACS server are identical to those on my current secondary ACS server, which receives replicated data correctly.
Problem: I manually replicate from the master ACS server to the new ACS server. The logs on both servers show a successful replication. Users, user groups, and network device groups (NDGs) all replicate correctly. However, there are zero devices in each of the NDGs.
Master is set to send, new slave set to receive:
User and group database
Network Configuration Device tables
Distribution table
Interface configuration
Interface security settings
Password validation settings
I also tried replicating the Network Access Profiles instead of the Network Configuration Device tables. Still no AAA clients in the NDGs.
I need my AAA clients replicated. Should I be replicating different or additional components? Am I missing some settings elsewhere in ACS?
Hello
Please apply patch 12 on the slave ACS as well.
Try the replication and let me know the results.
Also, under Network Configuration, do you see the NDG names, or just no AAA clients under each NDG?
Kind regards
Anisha
-
Bulk import of AAA Clients on ACS SE
Hi all, I know that there is a bulk AAA client import feature in ACS, using a CSV file and csutil.exe. Is there a way to do this on an ACS Solution Engine? Someone told me there is a way to do it via FTP; is that right? Thanks in advance, Michael
Not as far as I know, but rather than define each AAA client individually, why not set them up in groups using wildcards in the IP addresses, for example 192.168.10.*.
-
Hello
I am running CiscoSecure ACS v3.0 for Windows 2000/NT, version 3.0(1) build 40, in my environment. I have a problem when adding AAA clients to a network device group, because it gives an error saying that the device already exists.
I did a manual search for the device and it cannot be found. Is there any other way to remove this device by its IP address, which the system thinks already exists?
Diop
Hmm, did you enter the device IPs, ranges or DNS names?
Maybe an accidental overlap somewhere?
You can use regedit to inspect the network configuration DB. It lives under HKLM/SOFTWARE/Cisco/CiscoAAAv3.3/Hosts
If you spot the duplicate, you can simply delete the subkey and then restart all CS* services (including CSAdmin) from the Control Panel.
Mounira
-
ISE cannot find any AAA Client or network device
During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (Could not locate Network Device or AAA Client). The cause ISE gives me is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of using a loopback interface, I used a VLAN with a defined IP address. Could that be the cause of the problem?
Here is the config of the port I tested on:
interface GigabitEthernet1/0/9
 switchport access vlan 9
 switchport mode access
 switchport voice vlan 8
 ip access-group ACL-LEAVE in
 srr-queue bandwidth share 1 30 35 5
 queue-set 2
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 4
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout tx-period 10
 auto qos voip cisco-phone
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end
Regardless, the IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets come from interface "TenGigabitEthernet1/0/1". Double-check this and make sure they match.
If you have a loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, syslog, etc.).
Please rate useful posts!
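The conflict in the first thread (a *.*.*.* client overlapping every specific entry) and the 11007 failures in this thread are two sides of the same lookup: the AAA server matches the source IP of each request against its AAA-client table. The Python below is an added illustration of that behaviour, not ACS or ISE code; the client tables are constructed samples, the wildcard and range syntax follows the entries quoted in the threads, and address_count reflects the later thread's statement that ACS 5.x counts each address of a range as a licensed device.

```python
"""Model of how an AAA server matches a request's source IP against its
AAA-client table. Added illustration, not ACS or ISE code. Entries use the
ACS wildcard syntax from the threads ("10.5.*.*", "*.*.*.*"); an octet may
also be a range such as "1-20". All tables below are constructed samples."""
from itertools import combinations
from typing import Dict, List, Optional, Set, Tuple

OctetSets = Tuple[Set[int], Set[int], Set[int], Set[int]]


def parse_pattern(pattern: str) -> OctetSets:
    """Turn 'a.b.c.d' (octets may be '*' or 'lo-hi') into four sets of values."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad pattern: {pattern}")
    octets: List[Set[int]] = []
    for part in parts:
        if part == "*":
            octets.append(set(range(256)))
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 <= lo <= hi <= 255:
                raise ValueError(f"bad range: {part}")
            octets.append(set(range(lo, hi + 1)))
        else:
            value = int(part)
            if not 0 <= value <= 255:
                raise ValueError(f"bad octet: {part}")
            octets.append({value})
    return octets[0], octets[1], octets[2], octets[3]


def address_count(pattern: str) -> int:
    """Addresses covered by one entry; ACS 5.x counts each of them as a
    licensed device, which is why a /24 range shows up as hundreds of devices."""
    total = 1
    for octet in parse_pattern(pattern):
        total *= len(octet)
    return total


def patterns_overlap(a: str, b: str) -> bool:
    """Entries are Cartesian products of per-octet sets, so two entries share
    at least one address iff every octet position has a value in common."""
    return all(sa & sb for sa, sb in zip(parse_pattern(a), parse_pattern(b)))


def find_overlaps(clients: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of client names whose patterns overlap: the conflict ACS
    reports when a specific client is added next to a catch-all one."""
    return sorted(
        (n1, n2)
        for (n1, p1), (n2, p2) in combinations(sorted(clients.items()), 2)
        if patterns_overlap(p1, p2)
    )


def lookup_nas(clients: Dict[str, str], nas_ip: str) -> Optional[str]:
    """Client whose pattern covers the source IP of a request. None models
    ACS 13017 / ISE 11007: the packet came from an unknown network device,
    e.g. a switch sourcing RADIUS from an interface not defined on the server."""
    octets = [int(x) for x in nas_ip.split(".")]
    for name, pattern in clients.items():
        if all(o in allowed for o, allowed in zip(octets, parse_pattern(pattern))):
            return name
    return None


# Constructed tables. CATCH_ALL is the setup from the first thread: a *.*.*.*
# client accepts requests from any host, so every specific entry conflicts.
CATCH_ALL = {"generic": "*.*.*.*", "firewalls": "10.10.0.*"}
# SPLIT follows the reply's advice: one wildcard entry per address block.
SPLIT = {
    "campus": "10.5.*.*",
    "dc-a": "30.34.*.*",
    "dc-b": "30.35.*.*",
    "firewalls": "10.10.0.*",
}
```

find_overlaps(CATCH_ALL) reports the generic/firewalls pair, which is the conflict the first poster hit; find_overlaps(SPLIT) is empty, and lookup_nas(SPLIT, "192.0.2.1") returns None, which is the 11007 situation when a switch sources its RADIUS traffic from an address outside any defined entry.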
-
How to count the number of AAA clients
Hello
As we know, ACS 5.2 with a base license supports 500 network devices.
Sometimes there are a lot of AAA clients or network devices authenticating simultaneously. So my question is: how are the network devices allowed to authenticate on ACS 5.2 counted? Does this include only network devices, i.e. the AAA clients, or other devices as well?
Rgds,
Laowu5017
Hello
ACS 5.x counts the number of AAA clients that are configured on the ACS.
Please note that AAA clients and network devices are the same thing: they are switches, routers, WLCs, or any other device configured under
Network Resources > ... > Network Devices and AAA Clients. The AAA clients are not the AAA supplicants.
End-user PCs are the AAA supplicants, and for those there is no limit on the number.
HTH,
Tiago
--
If this helps you or answers your question, please mark it as 'answered' or rate it, so that other users can easily find it.
-
Deny AAA Clients to a specific group of users, ACS v4.1
Using 4.1, is there a 'simple' method to deny a user group the ability to connect to specific AAA clients? The customer has a group of phone people they want to allow to Telnet in and check all the voice routers, but not other routers. They have command sets and that is set up, but I wanted to see if there is a way to restrict this group to voice routers only.
Thanks in advance,
Dave
You can configure that using ACS NARs.
http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml
Kind regards
~ JG
Please rate useful posts.
-
TACACS+ packet from unknown network device or AAA Client
Hi all
I cannot log in using the credentials set on the ACS server; the log shows:
"Failure reason: 13017 Received TACACS+ packet from unknown Network Device or AAA Client."
I know there are a few changes to the TACACS+ configuration in the newer Catalyst IOS, so I consulted the guide, and this is the end of my config:
aaa group server tacacs+ TAC_PLUS
 server name AUTH
tacacs server AUTH
 address ipv4 10.10.21.251
 key xxxxxx
aaa authentication login TAC_PLUS group tacacs+ local
aaa authorization exec TAC_PLUS group tacacs+ none
aaa authorization commands 15 default if-authenticated
aaa accounting update periodic 1
aaa accounting exec TAC_PLUS start-stop group tacacs+
aaa accounting network TAC_PLUS start-stop group tacacs+
aaa accounting connection TAC_PLUS start-stop group tacacs+
My platform is:
- C6500 running IOS 12.2(33)SXJ1
- ACS 5.2.0.26
Need advice on this subject, thanks
Noel
Hello
Is the correct IOS IP address set under Network Devices and AAA Clients on the ACS? If yes, what IP address is shown in the ACS failure report that includes the error "TACACS+ packet from unknown Network Device or AAA Client"? Does ACS report the IP address as unknown even though it is already set correctly?
Kind regards.
-
LEAP authentication fails; what does this "debug aaa authentication" output mean?
I'm trying to authenticate from a laptop (LEAP client) and I do not succeed. Can you help me understand what the problem is?
Note: Please find attached the output of "debug aaa authentication" from the Cisco Aironet log and the respective 'ACS failed attempts'.
Please note that in ACS 3.3, under "Network Configuration" > "Devices" > AAA Client setup for AP1, I entered a value for the "key" field. However, I found this 'key' in my gateway configuration as shown in the attached file. Can you please confirm whether I should set up such a "key" and what the command is to do this on the access point?
Thank you very much!
Marlon
Marlon,
At the end of this command:
radius-server host 163.77.93.83 auth-port 1645 acct-port 1646
you can add "key 0" followed by the key you defined on the AAA server.
-
AAA for PIX 7.2(2)
Hello
I'm having a problem on my newly upgraded PIX 7.2(2). It seems that my authentication does not work. It keeps authenticating using my local username, not my ACS. Here is my config:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 172.x.x.x key
aaa authentication enable console LOCAL TACACS+
ACS config:
AAA client: IP added
AAA key: same as on the PIX
Please help me.
Thank you
Jong
The reason for the AAA authentication failure can be one of the following conditions:
(1) Authentication key mismatch
(2) User password mismatch
(3) Error in the configuration
Check whether the keys are configured correctly on the device, and also the usernames and passwords.
For more information, please visit the following url:
http://www.Cisco.com/en/us/docs/security/PIX/pix72/release/notes/pixrn722.html#wp201347
-
Problems reaching a remote AAA server
Hi all. I can ping and traceroute to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote server several times and then falls back to the local database. I noticed the logs show TCP FINs, which indicates that I actually reach the remote server but the server sends a TCP FIN, or that the server simply is not available, as indicated by the logs. Why would the server not be reachable if I can ping and traceroute to it?
I also checked with the NOC that the extranet firewall accepts my traffic to the AAA server. They pulled the logs showing that my traffic was accepted.
February 4, 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
February 4, 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
February 4, 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
February 4, 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
February 4, 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
February 4, 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
February 4, 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
February 4, 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
February 4, 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
February 4, 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
February 4, 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
February 4, 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
February 4, 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
February 4, 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
February 4, 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
February 4, 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
February 4, 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
February 4, 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
February 4, 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00
Here is my AAA config:
aaa-server MYGROUP protocol tacacs+
 max-failed-attempts 4
aaa-server MYGROUP (inside) host AAA_SERVER
 timeout 3
aaa authentication telnet console MYGROUP LOCAL
aaa authentication enable console MYGROUP LOCAL
aaa accounting command privilege 15 MYGROUP
I can ping AND traceroute to the AAA server:
ATLUSA01-FW01# ping AAA_SERVER
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ATLUSA01-FW01# traceroute AAA_SERVER
Type escape sequence to abort.
Tracing the route to 151.162.239.239
 1  17.2.2.3  0 ms  0 ms  0 ms
 2  17.2.2.4  0 ms  0 ms  0 ms   - extranet firewall
 3  10.4.7.1  0 ms  0 ms  0 ms
 4  10.4.7.13  0 ms  0 ms  0 ms
 5  10.4.7.193  0 ms  0 ms  0 ms
 6  AAA_SERVER (10.5.5.5)  0 ms  10 ms  10 ms
You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.
Ask him or her to do the following:
Much easier, and the most important thing, is to check the 'failed attempts' log and see whether there is any entry at all for your ASA.
If there is an entry, it should be self-explanatory, like "Unknown NAS" or "Key Mismatch". Being convinced of a good config and checking it are two different things.
I have seen weird things like typing a key into an AAA server via Remote Desktop where the keyboard settings were inconsistent (English/German), resulting in swapped 'Y' and 'Z' letters. Do not trust your config until you have checked it.
If there is no entry at all, then it could be a device on the way which allows ping/traceroute but drops tcp/49, or a device translating the address of the ASA (well, in this case you should see an "Unknown NAS" in the failed attempts).
Do you have the possibility to connect a device, such as a laptop, inside the network of the AAA server? If so, try Telnet to tcp/49 of the AAA server; you will see immediately whether tcp/49 is allowed (a blank screen immediately = connectivity, timeout = no connectivity).
That's all you can do on your side; unfortunately the ASA isn't a telnet client.
Rgds,
MiKa
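Two things in this thread lend themselves to a small tool: the ASA log sequence (113014 server not accessible, 113022 server marked FAILED, 409023 fallback to LOCAL) is worth detecting in a SIEM, because a lost TACACS+ server means logins are silently decided by the local database; and the tcp/49 "telnet test" from the reply can be scripted from a host that is allowed to reach the server. The Python below is an added example, not Cisco code. SAMPLE_LOG is constructed to mirror the message IDs quoted above; tacacs_port_open only checks that a TCP handshake completes on port 49 and does not speak TACACS+.

```python
"""Detect the 'AAA server unreachable -> LOCAL fallback' sequence in ASA
syslog, and probe tcp/49 the way the reply suggests doing from a laptop.
Added example, not Cisco code. SAMPLE_LOG is constructed to mirror the
message IDs quoted in the thread (113014, 113022, 409023, 113015)."""
import re
import socket
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
"""

# Severity, six-digit message id and the free-text body of an ASA syslog line.
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
# Both spellings of the username field seen in the messages above.
USER_RE = re.compile(r"(?:for user|user =) (\S+)")


def parse_asa_lines(text: str) -> List[Dict[str, str]]:
    """Pull severity, message id and body out of each ASA syslog line."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.append({"severity": m["sev"], "id": m["id"], "text": m["text"]})
    return events


def aaa_health_report(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise what the firewall itself can tell you: how many requests
    found the server unreachable, whether it was marked FAILED, and whether
    logins were decided by the LOCAL database instead of the AAA server."""
    ids = Counter(e["id"] for e in events)
    users = set()
    for e in events:
        m = USER_RE.search(e["text"])
        if m:
            users.add(m.group(1))
    return {
        "unreachable_count": ids["113014"],
        "server_marked_failed": ids["113022"] > 0,
        "local_fallback_used": ids["409023"] > 0,
        "local_rejects": ids["113015"],
        "users": sorted(users),
    }


def tacacs_port_open(host: str, port: int = 49, timeout: float = 3.0) -> bool:
    """The 'telnet host 49' test from the reply: a completed TCP handshake
    means the path allows tcp/49; a timeout or refusal means something on the
    path (or the server itself) blocks it. Reachability only, no TACACS+ spoken."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_local_listener() -> bool:
    """Offline self-check: open a listener on an ephemeral loopback port and
    probe it, so the probe can be exercised without a real AAA server."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        return tacacs_port_open("127.0.0.1", srv.getsockname()[1], timeout=2.0)


if __name__ == "__main__":
    print(aaa_health_report(parse_asa_lines(SAMPLE_LOG)))
    print("loopback probe:", probe_local_listener())
```

Feed the output of "show logging" (or the syslog collector's copy) into parse_asa_lines; a report with server_marked_failed and local_fallback_used both true is the condition worth alerting on, since from that moment every administrative login to the firewall is checked against local credentials only. For the reachability probe, run tacacs_port_open from a host behind the same firewall path as the ASA, as the reply suggests, rather than from the ASA itself.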
-
Hello
I'm setting up our ACS server to authenticate network access with TACACS+ and it works fine, but when I create the Network Devices and AAA Clients I would like to include the address range that these devices will be in (we have 200+ DMVPN devices). When I do this I get an error message whenever I open the ACS server telling me "Managed Device exceeded" under System Administration > Licensing > Base Server License. I was told by Cisco TAC that it is a cosmetic thing.
Will I be okay adding as many addresses as I need? I really don't want to have to go and add all the addresses for each network device individually, even if this would result in less than the 500-device limit.
Thank you
Hi Patrick,
There are two types of licenses, the Base license and the Large Deployment license. With the base license ACS will tell you that you can add 500 devices; however, for ACS 5.x each IP address is a device, so if you add a router with the range 192.168.1.0/24 to ACS it is the same as adding 255 devices. So if you add more than 500 devices you will get this "Managed Device exceeded" informational message, but it is only cosmetic and you need not worry about it.
The Large Deployment license has no device limit and it will remove the "information" message, but it is up to you to decide whether you need it or not.
Let me know if it helps.
-
Sync/copy AAA clients between two ACS 5.2
Hi all, we are moving network device (200+) authentication/authorization/management to a new ACS 5.2. Is there an easy way to copy/sync all AAA clients to another ACS 5.2 server's configuration? I don't need the configuration to be copied/synchronized to another ACS 5.2 server. Thanks in advance.
Go to the AAA clients menu and click "Export".
Then on the other ACS, click 'File Operations', 'Add', and you should be good to go...
-
Re: TACACS configuration
Hi all
I'm trying to configure authentication for around 300 routers via Cisco TACACS+ AAA. I installed ACS 4.2 on a Windows Server 2003 and, following that, updated the AAA commands, the TACACS+ server host and the key on a trial router:
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization network series none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
aaa session-id common
Then I created a user and set the shared secret key on the ACS server, and I added this router as an AAA client. The router no longer accepts the old login name and password, but it did not accept the username set up on ACS either. Where am I making a mistake? Kindly help.
Thank you.
Anu,
Are you getting the TACACS+ username/password prompt?
If you get the username/password prompt and it isn't taking the TACACS+ credentials, could you please log in with the local username/password and run these debugs:
debug tacacs
debug aaa authentication
terminal monitor
After this, attempt to log in again with the TACACS+ username/password and send me the output.
Also check the ACS failed attempts under Reports and Activity.
HTH
JK
Please rate useful posts.
-
How can I create network device groups in ACS 4.2
Hello
I want to create site-wise groups in ACS 4.2. Is this possible or not? Please send me the steps.
Secondly, I have nearly 5000 network devices in my network. Do I have to add all devices manually, or is there any method to import the devices in groups?
Please let us know.
With regard to network device groups, see the following link.
For importing AAA clients, you can use the CSUtil database utility;
check the section 'User and AAA Client Import'.
M.
Hope that helps; rate if it does.