AAA authenticate to ACS Server

Similar Messages

• AAA / Adding additional ACS server

  Hello Guys,
  Need to setup AAA proposed plan as attached.We have been using current setup since very long for both our office devices and data centre devices.Now we wanna to add one more ACS apart from the existing two and need to point out all the data centre devices to this new ACS server.
  Is it possible to configure multiple groups for multiple devices and seperate ACS server's for defined groups ? If possible please let me know the commands and if not, please let me know the alternate ways.
  Hope you could understand my requirements and current setup. PFA..
  Many Thanks in advance !!
  Best Regards,
  Anurag.K

  Hi Anurag,
  You can add the new ACS/tacacs server and have that server in top of the sequence.
  tacacs server host 10.16.2.10
  tacacs server host 10.16.2.8
  tacacs server host 10.16.2.9
  tacacs server key xxxxx
  If you really want to create a seperate group for the new ACS/tacacs server then you need to have below listed configuration.
  aaa group server tacacs+ GROUP1
  server 10.16.2.8
  server 10.16.2.9
  aaa group server tacacs+ GROUP2
  server 10.16.2.10
  aaa authentication login default group GROUP1 GROUP2 line
  Let me knoiw if you have any doubts.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Backup ACS server not used by switch.

  I am experiencing a strange issue: During a primary ACS failure, our switches are not resorting to the backup ACS for login authentication, except for enable mode. This means we can only use the emergency local login, but once logged in we cannot enable due to the switch attempting to authenticate that to the backup ACS.
  Once I created the local user in the backup ACS I was able to log in, and after I removed then re-addded the primary server as a TACACS host it worked as expected - using the backup only. I can't help but think there is some minor command I am missing so that the switches will recognize the failure of the primary ACS.
  What am I missing that a failure of an ACS server does not cause the switches to use other configured servers?

  Richard,
  I have reviewed the information, however, the debugs are not clear enough as the only outputs displayed other than Accounting logs are the following lines:
  012697: Jan  3 22:37:16.866 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
  012698: Jan  3 22:37:24.743 GMT: AAA/AUTHEN/LOGIN (0000094B): Pick method list 'default'
  There are known issues with IOS devices not triggering the fallback/failover to the secondary ACS/TACACS+ server when the primary returns an "ERROR" response. "ERROR" refers to a process failure on the server side dropping the request and would not be the same as User Invalid or Bad Password responses which are failures referring to the Authentication information and not the process itself.
  Would it be possible for you to collect a capture on the Secondary ACS switchport while the primary is down in order to determine if the IOS device is reaching the secondary server at all?
  Known issue:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd48175
  Symptoms
  AAA does not failover to the backup tacacs server defined when it receives ERROR
  from the primary server .
  Conditions
  Occurs when tacacs is configured for authentication, and backup servers are
  configured. When the primary server returns error due to csauth not running on
  the primary server, in that case  authentication request does not fail over to
  secondary server.
  Frequency:
  Not a common scenario.
  Workaround:
  None
  NOTES
  1) If you have an ACS for Windows (3.x or 4.x) then you can install Wireshark on the Windows Server and collect the capture.
  2) If you have an ACS Appliance (3.x or 4.x) or an ACS 5.x you might need to configure a SPAN session on the switch.
  After collecting the capture you can use Wireshark > Edit > Preferences > Protocols > TACACS+  > TACACS+ Encryption Key > type the shared secret value. This will  allow you to review the unencrypted packets.
  You can filter the capture as well using ip.addr==x.x.x.x where x.x.x.x is the IOS device IP address.
  Feel free to share the capture with me as well along with the shared secret key. I would gladly review the information.
  NOTE: If the capture shows no traffic going to the secondary unit a useful test would be to configure the "Secondary" server as the primary on the IOS and verify if it works that way.
  NOTE: If possible, a capture on the primary server switchport while it is down might be useful in order to verify how is the IOS determining that the primary server is down as I do not see it trying to contact the primary either... We should see atleast timeouts when contacting the primary ACS.
  Regards.

• Two ACS Server failover

  hi all,
  we have a asa firewall,and we want to authentication login user by ACS server ,
  in order to eliminate single failure,we build two ACS server and make one as backup,we also use two protocol tacacs+ and RADIUS.
  I just want to know how long will take,if the active ACS server failed and the login is authenticated by standby ACS.
  I have no idea about any "keyword" to search,so please kindly help me,or could you provide a Doc , I will learn it by myself.
  think you very much.

  Generally in failover scenarios we create AAA server group on ASA. The security appliance contacts the first server in the group. If that server is unavailable, the security appliance contacts the next server in the group, if configured. If all servers in the group are unavailable, the security appliance tries the local database if you configured it as a fallback method (management authentication and authorization only). If you do not have a fallback method, the security appliance continues to try the AAA servers.
  To create a server group and add AAA servers to it, follow these steps:
  Step 1 For each AAA server group you need to create, follow these steps:
  a.] Identify the server group name and the protocol. To do so, enter the following command:
  hostname(config)# aaa-server server_group protocol radius
  For example, to use RADIUS to authenticate network access and TACACS+ to authenticate CLI access, you need to create at least two server groups, one for RADIUS servers and one for TACACS+ servers.
  You can have up to 15 single-mode server groups or 4 multi-mode server groups. Each server group can have up to 16 servers in single mode or up to 4 servers in multi-mode.
  When you enter a aaa-server protocol command, you enter group mode.
  b.] If you want to specify the maximum number of requests sent to a AAA server in the group before trying the next server, enter the following command:
  hostname(config-aaa-server-group)# max-failed-attempts number
  The number can be between 1 and 5. The default is 3.
  Also, the default timed out for a server is 5 seconds so if the first server in the group is not responding the ASA will take 5 seconds * 3 attempts = 15 seconds before it tries second server in the group.
  If all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried that could be LOCAL database as well. The server group remains marked as unresponsive for a period of 10 minutes (by default) so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the following step.
  If you do not have a fallback method, the security appliance continues to retry the servers in the group.
  c.]  If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:
  hostname(config-aaa-server-group)# # reactivation-mode {depletion [deadtime minutes] | timed}
  Where the depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
  The deadtime minutes argument specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent re-enabling of all servers. The default is 10 minutes.
  The timed keyword reactivates failed servers after 30 seconds of down time.
  Hope this helps.
  Regards,
  Jatin
  Do rate helpful posts-

• ACS server authentication

  Hello, it is possible that an ACS server authenticates with TACACS some clients and RADIUS other clients?
  Thank you.
  Regards

  Yes it is possible,
  You should configure AAA clients accordingly in ACS for Radius/Tacacs.
  ~Rohit

• How do I create a default account with an ACS Server

  Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
  When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
  This really concerns me from a security perspective.

  Hmm, ACS should not (by default) accept traffic from any old device.
  Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
  Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
  Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
  Also check the Passed Authenications report as this included the ACS network config device name in the Access-Device column.

• CSM 4.0.1 is removing ACS Server password and then cannot add a new

  Hi,
  We just wanted to use CSM 4.0.1 to change ACS Server keyword on a FWSM 3.2(5) but in the transcript I see how he removes the key and then the next statement is to add a 127.0.0.1 ACS Server that I have never defined and that failes because the connection is lost.
  Can CSM be used to change the ACS keyword and not loose the connection before changing it? The product allows such a change and does not stop albeit it should now that this is unsuccessful.
  Here is the transcript!
  Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
  Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
  ! COMMENT: Device reported error here and stopped accepting further commands
  ! COMMENT: BULK END
  Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
  Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
  Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
  I think there are multiple problems, first it removes the key but does not add one and then it wants to add 127.0.0.1 to it and does not use an interface?

  I would say that it it the interface problem but not that it had no interface but it had another interface.
  The whole interface story is somewhat stupefying for me.
  What I wanted to do is to use a single AAA Server definition for all my contexts on a FWSM, due to multiple imports in the beginning I ended up having 40 or so in the objects.
  Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interface with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
  This verification of the AAA Server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection setup, so I could make changes. Because we have not used the local use for more than 3 years and had 3 weeks to search it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last thursday.

• Upgrading an ACS Server from 5.0 to 5.1

  I'wont to upgade my ACS server 5.0.0.21 to 5.1 . I wont to use Active Directory .  it's seem that  in my curent version AD is not supported !
  I try to do it by CLI
  what CLi command I use and what patch ?
  Thanks !

  in the monitoring and report I have this
  AAA Protocol > TACACS+ Authentication
  Authentication Status :
  Pass or Fail
  Date :
  December 09, 2009
  Dec 9,09 11:52:20.200 AM
  13029 Requested privilege level too high
  admin.ad
  switch
  Device Type:All Device Types, Location:All Locations
  Default Device Admin
  AD1
  Thanks !

• EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

  We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
  experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
  We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
  Thanks..

  Here are some configs you can try:
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  save config

• WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

  I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
  thanks !!!

  WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
  Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
  WPA and WPA2 are actually are of 2 types respectively.
  WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
  WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
  Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
  EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
  LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
  There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
  The following document might clarify your doubts.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

• Not able to install or generate acs server certificate

  Hi,
  I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID and without any authentication and it was not able to connect successfully.
  But now i want to try enable WPA2 enterprise ( Actually , after checking with the test set up , i am going to implement in live set-up where i have to configure WPA2 enterprise so that i would like to go for testing wpa2 enterprise not wpa2 personal ).
  I have ACS server 3.0 trial version and installed on windows server 2000 and
  on AP 1131 i have configured radius server commands
  ( aaa- new model  and radius server host ... ip address ... key ..... shared secret ... password .. ).
  I am confused with certificate which is required to install on acs server but i am not able to generate the certificate or not able to get the certificate from anywhere in acs server option.
  how to generate acs server certificate in trial version 3.0 and after generating how to install in acs server and what about client ... will it be same certificate which i need to install in cllient PC's and if yes how to add in client pc's and if not , where will i get cllient certificate ,..
  if i buy ACS software which i will be installed windows platform , i will get two certificate ,,,,,,,,, what about acs trial version software .... will i be able to get certificate .......
  i am trying to refer so many documents but it could not help me ..
  Your help will be appreciative.
  Looking for proper information.

  Hi,
  Thanks for your response ....
  obivously , This ACS 3.0 is end of supprt but when i tried to install the acs 4.0 or later , I am not getting an error saying " basic platform should be installed first , that is ACS 3.0 ".
  That is the reason i have gone for this edition .
  Should i go for upgrading the acs 3.0 to 4.1 or later version ?
  if so , will it be possible on trail version ?
  please give me your suggestion.

• Change network address of acs server

  Put in a new backup ACS server and the senior guy put in temp host address. Now
  need to change the temp host address to its permanent address but need a little clarification. Do you just change it in the Windows srvr 2003 tcp/ip stack or do you need to change it also inside the CSACS app?? Can't find it in the manuals easily.

  Yes you'll need to change ACS config. Just locate the AAA Server entry for the server (in Network Config) and set the ip address to the new value.
  Or you can always just enter the server name instead in case the address changes again.
  tip: in network config you can enter DNS names instead of ip addresses for devices & aaa servers.

• ACS Server certificate export

  Hello,
  We are in the process of renewing a certificate for our ACS server (v3.2). Is there a way to export the certificate currently in use?
  We don't want to lose it if we install a certificate that does not work. We are also exploring using a self-signed certificate, but we're not sure if that will meet our needs.
  Thanks!

  Thanks for the info...unfortunately, we tried doing the self-signed certificate, but clients couldn't connect to our wireless network (we use that to authenticate wireless users). We then tried to do a restore from a backup taken earlier this morning and it's still trying to restore - as if something is hung and won't shut down.
  This is ACS 3.2 running on a Windows 2003 server.

• ACS server replication Query

  Hi All ,
              I have two ACS server primary & secondary server . New secondary server to be deployed into network . My primary ACS server has got 1000 AAA clients configured with 15000 user id configured in multiple group profile . My question over here is when i do database replication between primary and secondary ,whether entire databse will be replicated from my primary server to secondary server like all AAA clients and end user , group profile , interface configuation etc , else it will replication has got restriction for database .
  Totally : AAA clients & User ID will be on one database backup   or it will reside on differnt location
  kindly clarify me over here ,Thank you .

  Hi,
  The entire Database will get over written in case of database restore.
  You use ACS Database Replication to copy various  components of the ACS internal database to other ACSs. This method can  help you plan a failover AAA architecture, and reduce the complexity of  your configuration and maintenance tasks.
  The components that can be replicated are:
  User and group database
  Group database only
  Network Configuration Device  tables
  Distribution table
  Interface configuration
  Interface security settings
  Password validation settings
  EAP-FAST master keys and policies
  Network Access Profiles
  Logging Configuration  (Enable/Disable Settings)
  The following link will give you details of the database replication.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAdv.html#wp756304
  Hope this helps.
  Regards,
  Anisha
  P.S.: Please mark this thread as resolved if you feel your query is resolved. do rate helpful posts.