802.1x ACS 5.2 and AD

Similar Messages

• 802.1x, 350AP, 3550 Switch, and ACS 3.0

  Yikes!
  Whatta mess I got myself into! Im trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement Radius, 802.1x port authentication on a Cat 3550 switch, and mac address athuentication for wireless clients. The idea was:
  1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
  2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
  Confused? I am too, help!
  Thanks

  Nilesh, Thanks for the reply.
  But I do have a few further questions if you are willing:
  1. Getting the AP to use 802.1x and talk with the radius server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize the LEAP is just cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
  2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
  I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
  1. Access point is plugged into 3550 and uses 802.1x authentication with radius through the switch. Once the switchport is authorized, then the wireless clients can try to associate with AP. To do this the MAC address of the client , is sent to ACS for authorization and when authorized allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
  Whew.

• WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

  Hi All,
  I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
  I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
  I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
  I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
  Am I on the right path?
  Anyone done this before or have any bright ideas?
  Cheers,
  John

  With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
  1. EAP authentication
  2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
  For the further description and configuraiton following URL may help you :
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

• 802.1x Wireless - Enforce user AND machine authentication

  I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
  The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
  I'd rather not have to deploy user and machine certificates.
  All I want to do is allow access to the wireless network only if the device and the user are in AD.
  It's such a simple scenario that I must be missing something.
  Any suggestions are welcome. Thanks in advance for your comments.
  Lucas

  In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
  Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

• 802.1x Authentication on Wired and Wireless LAN

  I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
  But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
  Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

  Hello,
  Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
  Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:23: TPLUS: processing authentication start request id 444
  Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
  Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:23: T+: user: 
  Oct  6 13:52:23: T+: port:  tty515
  Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
  Oct  6 13:52:23: T+: msg:  Username:
  Oct  6 13:52:23: T+: data: 
  Oct  6 13:52:23: T+: End Packet
  Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
  Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
  Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:30: T+: User msg: <elided>
  Oct  6 13:52:30: T+: User data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
  Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
  Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Oct  6 13:52:30: T+: msg:  Password:
  Oct  6 13:52:30: T+: data: 
  Oct  6 13:52:30: T+: End Packet
  Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
  Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
  Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
  Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
  Oct  6 13:52:37: T+: User msg: <elided>
  Oct  6 13:52:37: T+: User data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
  Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
  Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
  Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
  Oct  6 13:52:37: T+: msg:  Error during authentication
  Oct  6 13:52:37: T+: data: 
  Oct  6 13:52:37: T+: End Packet
  Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:37: TPLUS: Received Authen status error
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
  Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
  Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
  Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
  Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
  Oct  6 13:52:49: TPLUS: processing authentication start request id 444
  Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
  Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
  Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
  Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
  Oct  6 13:52:49: T+: user: 
  Oct  6 13:52:49: T+: port:  tty515
  Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
  Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
  Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
  Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
  Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
  Oct  6 13:52:49: T+: data: 
  Oct  6 13:52:49: T+: End Packet
  Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
  Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
  The 1113 acs failed reports shows:
  External DB is not operational
  thanks,
  james

  Hi James,
  We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
  this error means the external server might not correctly configured on ACS external database section.
  Another point is to make sure we have remote agent installed on supported windows server.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
  Also provide the Auth logs from the server running remote agent, e.g.:-
  AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
  Attempting Windows authentication for user v-michal
  AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
  authentication FAILED (error 1783L)
  thanks,
  Vinay

• ACS 5.5 and Windows 2012 AD support

  Hi All,
  previously I had two AD domains based on 2008 and had machines in one domain and users in another domain
  and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user
  authentication.
  I have now upgraded the machine's domain to 2012 and  machine authentication works fine and user authentication
  also works, but when you put the two together, and enable "Was machine authenticated=True" the ACS errors
  out when doing user authentication with the message "ACS unable to find previous successful machine authentication"
  even though machine authentication was successful. I have tried with with ACS being a member of both 2008 and 2012 domains at each stage.
  The clients are all windows 8.1
  Has anyone encountered this scenario before ?
  TIA

  I would like to share a good troubleshooting guide for ACS 5.X and later, Please have a look:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

• Ask the Expert: Cisco's 802.11ac Solutions - Deployment, Design, and Interop

  Ask your Questions on Cisco’s 802.11ac Solutions - Deployment, Design, and Interop with Cisco Experts: Richard Hamby and Shankar Ramanathan.
  Monday, March 30th, 2015 to Friday, April 10th, 2015
   Richard Hamby is a senior technical support engineer and Team Lead of the Cisco Technical Assistance Center in Richardson, Texas.  He is an expert in Indoor and Outdoor wireless for the full line of Cisco Unified and Converged Access Wireless products, as well as TAC Engineering Engagement Engineer liaison to project engineering teams for new Cisco wireless products.  Prior to his current role, Richard was a customer support engineer with the AAA Security TAC team supporting Cisco identity management solutions and been with Cisco since 2009.
  Shankar Ramanathan is a Customer Support Engineer at the Cisco Technical Center. He is a Technical Content Engineer and Subject Matter Expert for Cisco Enterprise Unified and Converged Access wireless mobility solution including Wireless LAN Controller  2500/5500/WISM2/7500/8500, Converged access 5760/3650/3850 switches,  Access Points Lightweight and Autonomous, VoWLAN (792x/9971) , Cisco Prime Infrastructure SNMP management, Cisco Mobility Services Engine(MSE/ CMX). Prior to joining Cisco in  November 2011, he worked as a wireless network engineer at Elan Technologies, responsible for RF wireless network planning, simulation, propagation path analysis, and optimization of Wi-Fi 802.11 mesh and WiMax (802.16 d/e) networks for various system  integration and automation projects. Shankar holds a master of science degree in electrical engineering specializing in communications and signal process from the State University of New York, Buffalo. Shankar has a CCIE in Wireless(#40548) and CCNA  certified (number 410004168640IMZF) and has over six years of industry experience.
  Find other  https://supportforums.cisco.com/expert-corner/events.
  **Ratings Encourage Participation! **
  Please be sure to rate the Answers to Questions

  A common question we are asked is 'why is my device not achieving 11ac data rates?'
  One of the most common answers relates to client compatibility/capability. To get the highest possible data rates of 11ac (assuming proper distance and RF health), the AP and the client device must both be capable supporting the requirements - 5GHZ, 80MHz Channel, short guard interval, 3 spatial streams. Each spatial stream has a max of 433.3Mb/s (at 80MHz, short GI).
  The majority of 11ac-capable wireless cards on the market do not support 3 spatial streams. Most adapters in wireless-capable devices are 1SS or 2SS.  For example, the Intel 7260 11ac adapter used in many devices is a 2SS adapter - therefore it's max possible data rate is 866.7.  Another common adapter in use is the 11ac Broadcom 3SS that Apple uses in the newer Macbooks.  These devices can achieve the 1.3GBs PHY data rate.
  This guidance is the same for 11n adapters as well.  To achieve max rate, your 11n AP and adapter must both support 40MHz channels, 3SS, short GI.
  Note: The 11n and 11ac standards both define support for 4SS.  4SS-capable devices are rare, so 3SS is essentially our reality.
  One of the most useful references for questions related to this topic is the AP Data Sheet for each AP.  Here's the AP3700 for example:
  http://www.cisco.com/c/en/us/products/collateral/wireless/3700-series-access-point/data_sheet_c78-729421.html
  Table 1 lists the expected data rate per MCS Index value by #SS at each channel width and GI. Indexes 0-7 are the same for 11n and 11ac (11n limited to 40MHz channels of course).  And MCS 8 & 9 are 11ac-only 256-QAM modulations. 

• Dacl on ACS 5.1 and Catalyst switch 3560

  Dear all
  I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
  This authrization profile is used on access policy.
  I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
  Steps:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
  11003  Returned RADIUS Access-Reject
  DACL:
  deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
  permit ip any any log
  Thanks on advance,

  Dear Tiago
  I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
  Dec 13,10 10:29:00.513 AM
  00-23-AE-7A-58-A6
  00-23-AE-7A-58-A6
  Default Network Access
  Lookup
  Dot1x-3560-Switch
  1.2.3.4
  FastEthernet0/5
  TESTACS
  22056 Subject not found in the applicable identity store(s).
  Dec 13,10 10:28:29.186 AM
  #ACSACL#-IP-Guest-4cfcc14d
  Dot1x-3560-Switch
  1.2.3.4
  TESTACS
  Dec 13,10 10:28:28.726 AM
  acstest
  00-23-AE-7A-58-A6
  Default Network Access
  PEAP (EAP-MSCHAPv2)
  Dot1x-3560-Switch
  1.2.3.4
  FastEthernet0/5
  TESTACS
  Thanks,

• ACS 4.0 and RSA Token Server problem

  Hi,
  We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
  Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
  I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
  When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
  After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
  Any help or advice appreciated.
  Thanks

  Hi,
  The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
  Following link talks about the same.
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
  Regards,
  ~JG

• ACS database users and passwords.

  Hi, i need to get all users and passwords from a acs 3.3 database unencrypted.
  How can i do it?
  Could you help me ?

  To get a list of the USers in the ACS database use the CSUTIL tool on Windows platform.
  go to bin directory under the ACS install folder and do
  CSUtil.exe -u
  this will generate a file "users.txt" in the same folder.
  But I dont think you can get the password in unencrypted form.

• ACS, Access Service and Authorization

  I am running ACS 5.2 and I am trying to set up 3 new SSIDs, 2 of which are unsecured and 1 that is secured.  I am trying to figure out the best way to authorize them based on which network they are coming from.  All the authentication requests are coming from the same devices, the Wireless LAN Controllers, so NDG cannot be used as criteria.  I have been looking at either creating 3 Access Services and using Service Selection Rules, or creating 1 Access Service and using Authorization to choose.  Regardless, I cannot find an attribute to use that can determine which network they came from.
  Does anyone have a suggestion for the best way to do this?  I

  Go to in Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (ie, match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.
  Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.

• ACS Group mapping and restrictions

  hi,
  I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
  ACS Groups
  Netadmin - need telnet/ssh/vpn/wireless
  wireless - only wireless authentication
  vpn - only vpn authenticaiton
  I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
  Also please note that one user can be belongs to all three groups in ACS/AD.
  thanks in advance.

  In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
  In this scenario, it is very important to understand how ACS group mapping works.
  Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
  Select the AD group NetworkAdmin and map it to ciscosecure group 1
  select the AD group RouterAdmin and map it to ciscosecure group 2
  select the AD group Wireless and map it to ciscosecure group 3
  Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
  Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
  You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
  SCENARIO:
  Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
  NOTE:
  If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
  routers and switches.
  IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
  username is to go to usersetup find that user and delete it manually.
  ACS will not support the following configuration:
  *An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
  *The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
  However there if your mappings are in below order...
  NT Groups ACS groups
  A,B,C =============> Group 1
  A =============> Group 2
  B =============> Group 3
  C =============> Group 4.
  You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
  This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
  You can create a rule for users in group A (Group 2)
  You can create a rule for users in group B (Group 3)
  You can create a rule for users in group C (Group 4)
  Regards,
  ~JG
  Do rate helpful posts

• Question in ACS radius ports and how test connectivity between router

  hi all
  im asking here about default ports used in cisco acs for radius protocol
  is it 1812 and 1813 ???
  or there is another ports ??
  Q2-
  how to test connectivity between ACS "server aaa"  and the router "client aaa " ??????
  Q3-
  can anyone give me simple config on router for radius protocol to connect acs based on radius protocol ?
  regards

  The default authentictaion port is 1812 and the default accounting port is 1813.
  Here's an example config-
  aaa new-model
  aaa group server radius ACME-RADIUS
  server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
  aaa authentication login default local
  aaa authentication login ACME-AAA group ACME-RADIUS local
  aaa accounting send stop-record authentication failure
  aaa accounting exec default start-stop group ACME-RADIUS
  line vty 0 4
  login authentication ACME-AAA
  You can test with-
  test aaa group radius server 192.168.1.5 mmessier St@nleyCup
  where mmessier is your username and the password is St@nleyCup

• Complex problem: 802.11n, Bluetooth, Iphone 4 and Magic pheripherals...

  Hi folks,
  My hardware:
  - Macbook Pro with Apple LED Cinema Display
  - Magic Mouse, Trackpad and Wireless Keyboard
  - Time Capsule as WiFi Router
  - Apple TV
  - Iphone 4
  - Airport Express as WiFi printer connection
  My problem:
  - As known, time machine backup causes lags on BT devices when WiFi is run in 802.11n (b/g compatible) and switching to 802.11n only (5GHz) solves the problem. I solved the problem with my WiFi printer (Samsung 4500W, 802.11b/g) by connecting it to my Airport Express.
  - The persisting problem is that my Iphone 4 only supports 802.11n (2,4GHz) and this frequency seems to still interfere with BT so at this point I have to live with the following: Using my Iphone as a remote in my Apple-powered network with lags on BT peripherals OR using BT peripherals in a 802.11n (5GHz) environment without using my Iphone 4 in the WiFi.
  Does anyone know a solution to this?
  And if the guys from Apple read this:
  - Please update my Iphone to 802.11n (5GHz)
  - Please remove the f...... mouse acceleration in Lion ;-)

  When connected to the wi-fi network, on your iPhone go to Settings > Wi-Fi. Select the right facing arrow in a blue circle icon to view the wi-fi network settings. Select Forget this Network at the top.
  Follow this by rejoining the network.
  If no change after this, on your iPhone go to Settings > General > Reset and select Reset Network Settings. This will erase all wi-fi network settings for all wi-fi networks you have connected your iPhone with and will require re-joining every wi-fi network you have access to including your own.