AAA ACS and Nexus

Similar Messages

• Aaa New format configuation on IOS and Nexus-OS based devices ?

  Dear all,
  I have been working on an assignment to get our TACACs servers  standardized and to change the old format  aaa configs to the new  standard before the old format gets deprecated.
  I have many multiple IOS based model devices such as 2350, 2821,  3650,   Firewalls, Nexus based 3048s 3064s  and 7010s
  However,   I have tried the new format on both the IOS based 2350s and also on  the Nexus based 3048s which has error on both cases
  our plan is to move to the new style of aaa configuration and at  least to have one standard format configuration for IOS based devices  and one other standard format for Nexus based devices.
  •Our tacacs appliances are crashing on AD authentication on a fairly  regular basis. And I was wondering as to where to get resource on  Cisco.com to see if we are on the latest version. Can you point me  resource where I can find the latest version so that I will be able to  compare it with what we have
  Also if you have a forum recommendation for me to get help on this and other related staff that will be a huge help.
  probably we might need to upgrade our IOS for example the below new  aaa config format didn’t work?  when I tried it on 2350 based on  flash:/c2350-lanlite-mz.122-46.EY/c2350-lanlite-mz.122-46 version any  suggestion here?
  I have attached the sample config I have been trying to use-- If you have a better configuration suggestion let me know? Thanks a million for the help!
  Abe
  With Regards,
  Abe

  Yes, the focus with ML is certainly on trying to get people who have iOS devices to switch to using Apple computers.
  For long-time devotees of OS X like us, there's not much in it. Snow Leopard was still a far more versatile and more widely compatible OS than either 10.7 or 10.8. If you're on 10.6.8. I would think twice about upgrading.
  However, I think if you're on 10.7 already, it's worth upgrading to 10.8, simply because ML seems to be more stable and more refined. They have fixed some of the annoying things in Lion (like you can now put Devices back to the top of the Finder sidebar, Resume is turned off by default, 'Save As' has been resurrected, Launchpad actually has a filter bar etc etc.). Some of the apps are better too - some nice new features in Preview for editing and Safari has an all-in-one address/search bar).
  More features are advertised explained here: http://www.apple.com/osx/whats-new/features.html

• ACS and AAA deny statements

  I have 1 Windows box running ACS and four 7505 routers configured with AAA commands. Authentication is working fine on the routers via the ACS server. Now I need to deny certain commands like "DEBUG" to certain users without taking off their administrative rights. How can I achieve this?

  Hi
  there are many ways to achieve this, but the *correct* and most scalable is to enable command authorisation on your devices.
  In ACS create some groups based on the permissions levels each group should have.
  In the groups enable the shell (exec) service.
  At this point you can either list the denied commands for certains groups right in the group edit page itself.
  Alternatively, you can created Device Command Sets in the share profiles UI. These are more flexible because inside a single group you cap map to different DCSs based on the device being managed (either by device ip or by network device group)
  Its all there in the ACS docs!
  Good luck.

• Cisco Secure ACS and Windows NLB

  Hi,
  I have two ACS servers and have been trying unsuccessfully to setup Windows NLB for them. I can successful setup the NLB but ACS won't respond on the clustered IP. Other services running on the clustered IP will respond so I believe the NLB is working correctly.
  Has anyone had any success with ACS and Microsoft NLB? I can?t find any documentation to suggest that they are incompatible but I think this may be the case.
  Thanks,
  Neil

  Neil,
  ACS is not tested with NLB but if cluster hosts are attempting to communicate with the ACS using their clustered IP then ACS should reply.
  Do you see any hits on acs ? If you sniff the acs interface, what is the source IP address ? Is it clustered ip or clustered host IP ??
  Also on acs --->Network configuration add aaa client with host IP and clustered ip . Now see if acs responds to NLB.
  Regards,
  ~JG

• ACS and Windows Domain / AD

  Hi All,
  In my environment there are two Windows Domain - Doamin A and B. ACS is configured on member server in domain B and hence Windows Authentication for users in Domain B is working fine. However I'm unable to see domain A in Configure Domain List on ACS server in Windows Domain configuration menu.
  Please note, there is one way trust between domain A and B with Domain A trusting Domain B.
  Is there a way I can use the same instance of ACS to authenticate the users in Domain A as well? If YES, can you please guide me with some pointers - thanks.
  I'm using ACS and Windows AD elements to authenticate users for SSL Web VPN on ASA 5540.
  Apprecaite quick help on this.
  -Satishcp

  Unfortunatley we are not using the Cisco Secure ACS Appliances, rather its ACS Ver 3.3 running on Windows 2000 Server (member server in Domain B).
  My guess Remote Agents for Windows / Solaris works with Appliances alone.

• ACS and Windows Server

  I have installed ACS 5.2 on a machine and I am trying to integrate with that Windows Server 2003 ( Active Directory ) . On the ACS when i do test connection it shows me sucess but when i save the setting it gives me Time error . I kept the clock and timezone of Active Directory and ACS server as same but still it gives me error . I read on one of the blog that it is better to configure NTP on a router and then sync both the devices with same NTP .
  Is it necessary to configure NTP or manual config should also work ?

  I have ran into issues like what you are seeing without using NTP. I would suggest setting up NTP and having ACS and your servers sync to that.
  Sent from Cisco Technical Support iPhone App

• ACS and Windows 2000 user database communication port

  Could my Windows 2000 SP4 + ACS v3.23 can install any new Windows 2000 service pack ?
  I'm affraid to infect ACS Service.
  So, I want to install firewall on this server to block malicious traffic.
  However, my ACS used external user database Windows 2000 for authentication.
  Who can tell me What protocols or port list they are communication?
  I have to avoid these traffic on my firewall.

  Hi cheng
  I think you can install any servie pack without problem and the SP4 is the latest one for WIN2000 and you server already has this SP
  For your second question you need to specify many protocols according to your active directory config in this link you can find a list of this protocols and the best way is to make debug or logging or use a siniffer to know the exactly protocols flow between your ACS and AD server
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx
  Best Regards

• Can i configure a network with ACS and ISE?

  I have both acs and ise, how do i integrate these appliance to work togheter?
  Thanks

  ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services  Engine can work in tandem with Cisco NAC Manager to provide the same  profiling service as the NAC Profiler, which has reached end-of-sale  status.
  Existing Cisco Secure ACS customers using network  access can easily migrate to the Cisco Identity Services Engine platform  using migration part numbers and tools. However, existing Cisco Secure  ACS customers using TACACS functions will not be able to migrate to the  current version of ISE for network device identity management which is  often acceptable for customers who prefer to keep user and network  identity on separate systems.

• ACS and HA

  Hello,
  The purpose is to use a 802.1X authentication with ACS server, AD and high availibility.
  I have 2 sites with one AD with a 4 mega link bandwidth and one ACS for each site.
  I know that it is possible to use ACS active/passive mode with replication of database.
  but I also read that it's possible to use 2 groups on ACS and use HA,and my question is
  In my configuration with one AD and 2 ACS, can I use this functionality ?
  Is it possible to know the bandwidth between ACS in case of replication or active/active mode?
  Regards

  You can make it active / active too... Second Only one AD it is not at all problem. As sson as it need one IP or Name of AD server. Specify same name at both server. It will be replicate.
  Regards,
  Dharmesh Purohit

• ACS and CAR integration

  Hi,
  Is it possible to integrate ACS and CAR with DB-2 Database and if yes, are there any limitations or issues related to that? Does CAR or ACS loose any functionality in such integration?
  I am not looking for detailed process of the integration at this time, all I want to know is if it is supported and are there any issues.
  Thanks,
  Habib U Dashti

  Hi Habib,
  Yes, ACS can be integrated with DB-2, as ACS is ODBC compliant and so as DB-2, The other way round is that you can convert DB-2 database in flat file structure and import it into ACS database. Regarding limitations or issues i do not have any info.
  And CAR has its own database & does not support DB-2.
  Thanks.

• Skype not connecting Moto G and Nexus 4 in ANDROI...

  I have Moto G 2nd Gen and Nexus 4 device with latest Android 5.0.2. I donwloaded Skype on both devices yesterday and installed them. Then I opened two new skype accounts and tried making a call from one device to other. My wife was on the other device. Neither a normal call or a video call was going. Skype wasnt connecting at all. The phone from where I was making call was ringing but not the phone receiving call. Can somebody please help.
  Regards
  Ashok Kumar 

  Unfortunately the truth is prepaid support is not very well trained and was
  not much help
  My issue was solved ultimately not by prepaid support but upper level
  support in NJ (or NY, not sure).
  The problem was that my line was provisioned as having a 1X device (which I
  never had). So even though we tried switching the device to an iPhone and
  reprogramming it didn't matter. Any incoming MMS were simply discarded by
  the system and all I would get were the silent SMS messages that ping my
  phone to check the MMS server, but nothing was held to be retrieved.
  If you are on VZW (pre or post paid) and having this problem, ask support
  to check the "Mobile Type" and ensure its not set to 1X.
  On Feb 25, 2014 5:25 AM, "Verizon Wireless Customer Support" <

• Difference between ACS and ISE

  What is the big difference between the ACS and the ISE? We just purchased an ACS server to start locking down ports on our switches and use the Radius functions to better secure our wireless environment. It has been ordered but not yet arrived. I had a discussion with management today about preventing the IPads / IPhones / Smartphones / etc. of the world from accessing the network. If the user knows the credentials for getting their laptop onto the network then they can use these same credentials to get their IPad on the network. How do we detect and prevent is the current question.
  In discussing with others the ISE comes up. The questions now become what is the big difference between this and the ACS. Do they work together or independently since they both seem to have "radius on steroids". Can I configure the ACS to do the same functions? I figure this will have to be something on a MAC address level anyway. Oh and one other thing. My wireless infrastructure is not Cisco.
  Off to continue the research path ....
  Brent

  To put it simply I usually say ACS = RADIUS, ISE = NAC.
  ISE will do RADIUS functions as well as NAC functions. Eventually you'll probably see ACS go away and be simply replaced by ISE.
  ISE will do posturizing and profiling of a device to see if it truly meets requirements to be on a certain VLAN. For your example if you were to my credentials on my own smart device I would have access. ISE could profile this device to see if it truly is a corporate owned device or not. If it wasn't ISE can switch the network that the device connects to, say a guest network.
  ISE can also do captive web portals for wired/wireless guest access.
  I wouldn't rely on any type of MAC address authentication as I can easily spoof that.

• Lost connection between ACS and AD

  Hi
  I'm having a trouble with authentication to my WLAN. We are running a solution with LEAP and ACS 3.0 which gets it's users from our Active Directory. During the summer our ACS-servers seems to have lost the AD-connection and I'm no longer able to EAP-authenticate. All I get in the ACS is "Radius extension DLL rejected user".
  The AD and the ACS are on the same network but not on the same machine. I can log in if I add a local user in the ACS. I've also tried to empty my cached user database in the ACS but to no avail.
  One theory of mine is that it has something to do with a couple och hotfixes that Microsoft released in the middle of July.
  T.I.A
  /Tommy

  Hi
  Thanks for your replies. An update on the issue:
  I've gone through the issues in the suggestion made by cisco in the link:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_field_notice09186a00800b1583.shtml
  but to no avail.
  At first we could se an error in the eventlog stating that the user didn't have sufficient rights but it disapeared when we created an account and ran the ACS-services via it.
  After that we tried to set up a local user in the ACS and it works like a charm even then the AD-accounts can't connect.
  We also tried to remove the hotfixes released by Microsoft but still nothing.
  Right now it seems as if the AD authenticates the user correctly but then the ACS says no. Here's the eventlog and the corresponding ACS-log.
  NT
  AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Starting MSCHAP authentication for user [LINEDU\gustomedu]
  AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: Attempting NT/2000 authentication
  AUTH 08/19/2004 08:20:27 I 0266 1524 External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by METIS)
  AUTH 08/19/2004 08:20:27 E 0266 1524 External DB [NTAuthenDLL.dll]: LookupAccountSidA failed
  ACS
  08/19/2004 08:20:27 Authen failed LINEDU\gustomedu Default Group 000a8aa291a8 Radius extension DLL rejected user .. .. 37 148.136.120.30
  The status right now is that it is working as long as we restart the ACS-server once a day.
  Tommy

• Adapter-fex Supported VICs and Nexus Switches

  HI,
  I am thinking of using C220M4 in standalone mode. I have been reading about adapter-fex and I am wondering which Cisco VIC supports adapter-fex and which Nexus Switch will support adapter-fex.
  I am thinking of using a VIC1225 and Nexus 3000.
  Thanks.

  I believe that adaptor fex is supported only with Nexus 5k and N2k:
  Network Adapter Virtualization Design (Adapter-FEX) with Cisco Nexus 5500 Switches and Cisco Nexus 2232 Fabric Extenders
  http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/guide_c07-690080.html
  http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/data_sheet_c78-657397.html

• Cisco Nexus AAA authentication and console access

  We have nexus 7k with AAA authentication working now i have an issue i can't login using console port because my logins are rejected.Is there anyway we can login into console with local login details or we have to use ACS server (AAA) logins when connected to console (while ACS server is still reachable).
  My main question is i want to login using console port while ACS server is still reachable is it possible?

  Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
  HTH
  Rick