AAA authentication for networking devices using ACS 4.1 SE

Similar Messages

• I have multiple apple devices mainly used between me and my wife , my question is that can i have two sets of contacts backed up to icloud one for her devices and one for my devices using the same itunes account

  i have two sets of devices one ipad, iphone and mac which i use and one iphone ipad and mac which my wife uses
  now is it possible to have two sets of contacts and calendar synchronised for her devices and one for my devices using the same icloud account
  i dont want a separate itunes account as we use the same music books and apps to be automatically downloaded which is very convenient
  please guide

  You can set up different iCloud accounts on each device using different Apple IDs (to keep your mail, calendars, contacts, etc. separated), and still share the same iTunes account (in Settings>Store on your device).  There is no requirement that you use the same Apple ID for purchases and for iCloud.

• AAA Authentication for Traffic Passing through ASA

  I am setting up AAA authentication for traffic that will pass through my ASA. I am having difficulty enabling 'aaa authentication secure-http-client'. Without secure communications enabled access functions as expected. When I enable access, I get prompted for a username/password. The username/password is entered. Authentication passes (show uauth). The requested page (http://www.cisco.com) switches to https://x.x.x.x (a resolved IP address for the site). Eventually (5 seconds), I am asked to accept or deny a certificated. Interestingly, the certificate is for the ASA and not the requested site (http://www.cisco.com).
  Am I missing something?
  firewall# show run aaa
  aaa authentication http console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa authentication serial console TACACS+ LOCAL
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication match guestnetwork_access guestnetwork RADIUS
  aaa authentication secure-http-client
  firewall# show access-li guestnetwork_access
  access-list guestnetwork_access; 2 elements
  access-list guestnetwork_access line 1 extended deny udp 10.255.255.0 255.255.255.0 any eq domain (hitcnt=33)
  access-list guestnetwork_access line 2 extended permit ip 10.255.255.0 255.255.255.0 any (hitcnt=412)
  firewall# show run aaa-s
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (inside) host 192.168.250.14
  key xxxxx
  firewall# show run http
  http server enable

  your definition for the aaa-server is different to the aaa authentication server-group
  try
  aaa authentication http console RADIUS LOCAL
  aaa authentication telnet console RADIUS LOCAL

• Can't auth to Nortels networks devices using RADIUS with ACS 5.1

  Hi,
  I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
  After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
  I can't manage to login using RADIUS and i get the following message.
  "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
  But in my ACS View, I can see : "Authentication succeeded."
  I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
  I've got no problems with RADIUS Auth using other brand devices
  Is there any known issues with Nortels devices using Cisco ACS 5.1 with RADIUS  Authentication ?
  Regards.

  Are you sure that setting up a compound condition will help ?
  To me, the RADIUS Nortel VSA are used for Authorization,and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards ? no ?)
  Also, does setting this condition will change the Access-Accept packets sent by the ACS to the device ?
  Here is my steps in the ACS View
  11001  Received RADIUS  Access-Request
  11017  RADIUS created a new  session
  Evaluating Service Selection  Policy
  15004  Matched rule
  15012  Selected Access  Service - Default Network Access
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity  Store - Internal Users
  24210  Looking up User in  Internal Users IDStore - radius
  24212  Found User in Internal  Users IDStore
  22037  Authentication Passed
  Evaluating Group Mapping  Policy
  Evaluating Exception  Authorization Policy
  15042  No rule was matched
  Evaluating Authorization  Policy
  15006  Matched Default Rule
  15016  Selected Authorization  Profile - Permit Access
  11002  Returned RADIUS  Access-Accept
  So I think the ACS does its job

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Controlling Access to devices using ACS

  I am using ACS 3.2 and on the NAR section,I have used a wildcard (*) to define all the network devices on my network.All my users are in one group. However,I have just realised there is the need for me to create another group and put some users in that group so they only have access to some routers and switches and not all as define by the wildcard.
  How do I achieve this goal.?

  Under NAR select the Per Group Defined Network Access Restrictions.
  Select the AAA clients you want the group to access.
  Use the wildcard mask in the port and the address field.
  You can also group the devices which you want to give access under a seperate NDG and in the NAR give permission to only this NDG for the group. In this way you may need not add individual AAA clients
  HTH, rate if it does
  Narayan

• ASA enable authentication for AD user by ACS TACACS fails

  In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
  It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
  So, how to setup enable authorization for AD user?
  Or is there a way to drop a user directly into level 15 on ASA just like it on router?
  below is the debug info.(I'm sure the password is the one I set in ACS)
  LABASA1(config)# AAA API: In aaa_open
  AAA session opened: handle = 884
  AAA API: In aaa_process_async
  aaa_process_async: sending AAA_MSG_PROCESS
  AAA task: aaa_process_msg(d45bd5c8) received message type 0
  AAA FSM: In AAA_StartAAATransaction
  AAA FSM: In AAA_InitTransaction
  Initiating authentication to primary server (Svr Grp: TACACS)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server: 192.168.1.221
  AAA FSM: In AAA_SendMsg
  User: fostco\user1
  Resp:
  callback_aaa_task: status = -1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 884, pAcb = d5b193e0
  aaa_backend_callback: Error:
  Incorrect password.
  AAA task: aaa_process_msg(d45bd5c8) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back End response:
  Authentication Status: -1 (REJECT)
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
  AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
  None
  Auth Status = REJECT
  aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
  AAA API: In aaa_close
  AAA task: aaa_process_msg(d45bd5c8) received message type 3
  In aaai_close_session (884)

  I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
  I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

• How do I restrict access to 4 devices using ACS

  Currenlty in our ACS we have Group A configured to have access to all network devices-f with ull privilege level 15 access to all devies
  We are now trying to implement 4 new users, however we only want them
  to have access to 4 devices-routers (4 IP addresses)-and only have
  basic level 1 functions in the router
  Is this done under Network Access Filter or Network Access Group?
  Do I need to create a new group or can I somehow implent that into

  I'm using ACS v 4.2 on windows server-TACACS
  Under NAF I have configured the IP's of the server I want them to access under Selected Items
  Under NAR I have permitted calling point
  with the NAF and  *  *
  Under the Group Settings
  Network Access Restrictions (NAR)
    Shared Network Access Restrictions
  Only Allow network access when
  All selected NARs result in permi
  all selected NARs result in permit..with the NAR i just configured in the selected NAR list

• 2 Factor Authentication for Anyconnect VPN using ISE

  We are planning to implement dual factor authentication for Anyconnect VPN.
  The end users will be authenticated using domain name in machine certificates and username password with
  ISE used as radius server.
  We have the following approaches to achieve this :-
  1. Use primary and secondary authentication with user credentials as primary authentication
  and CN field of the certificate as secondary authentication.However this option prompts users for password for
  both the fields while we want the machine certificate to authenticate itself without a password.
  2. Second approach is to authenticate using user credentials and authorize the user to access the network if
  the machine certificate has a domain name in CN field which we are able to validate from the AD using
  Dynamic Access Policy.
  We are looking forward for discussions on the above approaches and are open to any other
  solution.

  Hi Umahar,
  Not sure I understood correct. You would like to authenticate the user using machine certificate for anyconnect and want to extract CN attribute the client's certificate and send it to the ISE server for further authenticate with AD. And also you don't want an additional password prompt to be produced to the user.
  If my understanding is correct. Then user would get a prompt for the password atleast because in the machine certificate there won't be password, but to authenticate with RADIUS/TACACS , we need both username and password. So how will the user gets authenticated without password.
  If you are looking a way to just see if the user is present under AD, not exactly and authentication then this might not be possible.

• Aaa authentication for https access

  I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
  Thanks in advance,
  Eric

  My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
  HTH
  Rick

• Error importing network device using CSV file

  While importing a CSV file of a single network device, I am getting this error:
  Value for attribute TrustSecDeviceID is Mandatory
  In the CSV template (downloaded from ISE web gui), I don't see a field TrustSecDeviceID. What is the error referring to?

  Kashish,
  This looks like a bug but I attached a template that you can use and i tested with my ise 1.1.1 patch 1 and it worked fine, just replace the fields that I entered and you should be good to go! Were you able to get the password reset successfully on the PSNs?
  Good luck!           
  Tarik Admani
  *Please rate helpful posts*

• Support for Network Devices

  Hi All,
   I am working on the network evaluation for a client environment and was looking for using Prime Infra as a solution for Network management. I see that following devices are not listed in the support matrix. Can someone help me to understand if this can be monitored and managed in cisco prime Infra 2 ?
  Cisco 2248
  cisco 4948
  cisco 4300
  cisco 3745
  cisco ASA FWSM
  Cisco WS-C4948
  Cisco C3550-48
  Cicso C3550-24
  Cisco C4006
  Cisco WS- CBS3020-HPQ
  Cisco WS-CBS3120X-S
  Cisco WSX 5302
  Skr...

  What version of ISE are you on? There isnt a maximum number of network devices listed anywhere but I am sure that exceeding 500 is no where near the threshold. What has worked for me in the past is adding one device manually and exporting that device using the csv method and use that csv to add the other devices ip address and copy and paste the same columns.
  It could be something as simple as missing a field where the UI isnt catching or an undocumented issue that are hitting.
  Thanks,
  Tarik Admani

• SSH to network devices using "name" or "IP" - What is the industry norm?

  Hi Everyone,
  Looking for anyone to provide feedback on the "Industry Norm" for accessing network devices, by DNS Name or IP? If anyone has any opinions or information about this I would certainly appreciate the information. I use name, which I have been told "is not the industry norm" so obviously I would like some level of validation on comment.
  Thanks!

  I'd most definitely consider it the norm!
  I’ve worked in both pure tech companies and in tech teams in the banking industry and we’ve always had some form of name resolution for our devices. Normally using internal DNS but worse case scenario is a hosts file on the NMS.
  Trying to retain IP addresses for anything more than a handful of devices is just tiresome, especially if you are in a fault situation. I think most network teams out there with the support of some decent network management infrastructure or experience would consider it vital and take it for granted.
  Having said that, I’m a little pedantic when it comes to name resolution and have forward and reverse resolution for almost every numbered interface in our (not insubstantial) network, it makes traceroutes all the more powerful.

• Creation of a database engine for mobile devices using j2me

  am trying to develop a database engine for mobile devices.. it is to develop a miniature version of the DBMS that
  can be deployed on a mobile phone..I have to develop my own code for performing tasks such a s creating a table,
  inserting values into it, selecting from it etc..
  I limited my self to develop the software so that it can perform 3 functionalities of create, insert,select..
  I should be taking the details such as table name and its parameters from the user and then should be able to
  create a suitable data structure for it(i tried to develop a class)...
  Usage of RMS package helps me partially in this.. I did that and ll be doing that..
  I got stuck while developing the code for creation of a table.. I am facing problems in creating a dynamic data
  structure for a table and also to use such data structure else where in my project..
  I need help in developing an algorithm for this..
  I would be very grateful to u all if u help me out in developing the code for this project..

  I'm sorry for the amount of time it took me to get back. Derby is an open source database written entirely in Java. I do not know if it can support resource constrained devices like MIDP compliant, but may work okay with CLDC.
  But outside of Derby being a solution, let me give you a few ideas off the top of my head.
  Set up a database server in a separate thread. This server will really be your controller for RMS access.
  Since RMS is just a big sequential 'pipe' you will have to think of data as 'frames' - (starttable) (tableID) (tablename) (data) (tablename) (data).....(endtable).
  When you need to write additional data, just append it to the end of the RMS object.
  When you need to retrieve data, thing are more complex.
  1. Read in all data, looking for your particular tableID. This may be made much easier using RMS filters - (I'm not sure, I've never used them)
  2. Once start of table of interest is found, stick the data elements in either a java vector or array until you reach the table end identifier. I think vector will be a better choice - trust me. (I think its available in J2ME...)
  3. Package this into a do while loop until the element you are searching for is read. If you need to do some sorts on the data or something else that requires the all the data to be present then you need all the data for that particular table. One thing will always be clear. The first data you grab will always be some start table identifier and the last data you grab will be an end table identifier. We just don't know which table because of how we put stuff in the RMS resource.
  This provides you a few positives as well as negatives:
  Positive:
  1. Fast data writes, no need to search for a particular table before accessing it, nor do you need to search for an index in that table.
  2. When looking for data, data may* be found without searching through the entire table. This is accomplished with RMS filters or logic test within the RMS read loop.
  Negative:
  1. Slow when all data of a table is needed (i.e. compute sums or averages of entries). The entire RMS database must be read to ensure all the entries are searched. An example of how this is a problem is as follows: You have 5000 entries in you RMS database resource and you are looking to compute the average of a value in some table. When you first wrote the data to the table, it was done sequentially and no other data for that table exist. But we can't tell if that's the case, so we have to read through all 5000 entries to make sure we looked for every piece of data.
  Beacuse of this issue, this database structure, performance may be fine for 50K - 100K entries (depending on table element size), if the reading requirements don't force full data reads. Otherwise, 25K may be an upper limit.
  I hope this helps.
  Edited by: estarkey on Mar 17, 2009 9:15 PM
  Edited by: estarkey on Mar 17, 2009 10:01 PM

• Data desccription for Network devices

  Hi,
  We have a scenario where two IP's having a single host name. In SCOM the two IP addresses have been discovered under a single host name
  E.g
  abc.domain.com
  abc.domain.com
  When i click the properties i could see that these are two different IP's. We have created SNMP monitors for these devices and when they alert the alert descriptions looks confusing as they show the same host name for both the IP addresses. Tried to bing
  but could not find much help.
  http://blogs.technet.com/b/kevinholman/archive/2007/12/12/adding-custom-information-to-alert-descriptions-and-notifications.aspx 
  But these do not mention on how to pull out the IP addresses in alert description. We have currently used the below syntax but still get the host name rather than the IP.
  $Target/Property[Type="MicrosoftSystemCenterNetworkDeviceLibrary6172210!Microsoft.SystemCenter.NetworkDevice"]/IPAddress$  
  Please advise.
  Jesty Sam

  Hi!
  You could create an "override" for the alert name or alert description. More here:
  http://blogs.msdn.com/b/mariussutara/archive/2008/07/15/monitor-from-sealed-mp-generated-alert-and-i-do-not-like-its-description.aspx
  HTH,
  Patrick
  Please remember to click “Mark as Answer” on the post that helped you.
  Patrick Seidl (System Center and Private Cloud)
  Website: http://www.syliance.com
  Blog: http://www.systemcenterrocks.com