Access Cisco ACS v5.3 via 2FA

Similar Messages

• Cannot access Cisco MIBs via SNMPGET

  Hello, I'm sure this is a simple fix and I'm too stupid to figure it out, but I'm having trouble accessing Cisco ACE specific OIDs via Net-SNMPs tools. If I run snmpwalk on the device, I get a nice list of standard SNMP OIDs such as SNMPv2-MIB, IF-MIB, IP-MIB, etc with values such as the device name, interface IP counters and all that stuff. But I don't see any Cisco specific OIDs in the list. I really want to be able to monitor the load across real servers and server farms and such on this ACE module.
  So, for example, I try running the following command and it says no such object:
  snmpget -m +CISCO-SLB-MIB -On -v 2c -c communityname ipaddress CISCO-SLB-MIB::slbServerFarms
  .1.3.6.1.4.1.9.9.161.1.2 = No Such Object available on this agent at this OID
  I read you should try adding an index to the OID as there may be multiple sub objects (and of course there are multiple server farms) but I get the same thing:
  snmpget -m +CISCO-SLB-MIB -On -v 2c -c communityname ipaddress CISCO-SLB-MIB::slbServerFarms.0
  .1.3.6.1.4.1.9.9.161.1.2.0 = No Such Object available on this agent at this OID
  Just to confirm a valid OID, I get this:
  snmpget -m +CISCO-SLB-MIB -On -v 2c -c communityname ipaddress SNMPv2-MIB::sysDescr.0
  .1.3.6.1.2.1.1.1.0 = STRING: Application Control Engine Service Module
  I also tried snmptable with CISCO-ENHANCED-SLB-MIB::cesServerFarmRserverTable and it just says "Was that a table?"
  So I think it must be a permission problem or some config that I have to tweak. Right now the only SNMP config is:
  snmp-server community communityname group Network-Monitor
  My device version info is:
  Software
    loader:    Version 12.2[120]
    system:    Version A2(1.4) [build 3.0(0)A2(1.4) adbuild_11:54:12-2009/03/05_/auto/adbu-rel2/rel_a2_1_4_throttle/REL_3_0_0_A2_1_4]
    system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1_4.bin
    installed license: ACE-SEC-LIC-K9 ACE-SSL-05K-K9
  Thank you for your help!

  This is an interesting thread, and probably something which is unclear to a lot of people.  Tables and their entries (think header rows) are inaccessible because they do not contain data directly.  Data is only contained in the cells within the table.  The cells in this case are the SNMP objects defined within each table entry (or row).  So, a table is inaccessible as a whole, but each of its data cells can be accessed.
  If you think of it like a spreadsheet, it may be a little more useful.  But let's try a visual.
  cesServerFarmRserverTable
  cesServerFarmRserverPort
  cesServerFarmRserverAdminWeight
  cesServerFarmRserverOperWeight
  80
  100
  100
  8080
  50
  10
  The header row in this table is called cesServerFarmRserverEntry.  It contains the column names for our data.  Each row has a unique number associated with it.  That is the cseServerFarmRserverPort.  In a typical spreadsheet program, this would be the column at the far left which you cannot edit.  It just enumerates the rows.  In this example, that column is named cesServerFarmRserverPort.  If I wanted to tell someone how to get the value of cesServerFarmRserverAdminWeight at a particular row, I would say, "go to row 80, and read the value from the cesServerFarmRserverAdminWeight column.  In this case, they would read 100.
  SNMP operates in the same fashion.  For one to get a specific value (i.e. perform an SNMP GET), one must know the specific column name and row number.  In the actual case of the cesServerFarmRserverTable, the row number is actually a combination of the slbEntity, slbServerFarmName, cesRserverName, and cesServerFarmRserverPort, but the concept is the same.  You can only do an SNMP GET on a precise address in a given table (i.e. on a cell).  To do a GET on cesServerFarmRserverTable directly would make no sense since an atomic value could not be returned.
  An SNMP Walk, on the other hand, allows you to start with the table itself, then walk through each cell in the table, printing out the value at that cell.
  A tool like snmptable essentially performs recursive GET-NEXT queries to walk through all of the rows, then print the value of each cell in a tabular format.

• Linksys WAP54G connecting to CISCO ACS via LEAP

  I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
  Connection scenario:-
  Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
  Pls advise if such setting is feasible.
  Tks

  This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
  As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
  If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
  One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
  Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
  Bruce Alexander, Cisco

• Unable to access cisco asa via https or asdm!! connection interrupted message appears on the browser

  Hey guys,
  I am unable to access cisco asa device using https and cannot lunch asdm, after recent power failure at our location. I have asdm installed on my machine and whenever i try to access the asdm, receive Error: unable to lunch device manager from X.X.X.X The following is log from java console
  Trying for ASDM version file; url = https://x.x.x.x/admin/
  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
  When i try to access it from the browser it show error message
  "The connection was interrupted"
  I am running CISCO ASA 8.3 (1)
  with asdm image as asdm 7.1.3
  JAVA version installed Java 7 update 71
  I have added the https:> to exception site list and set security level to medium,
  even ssh access is not working !!
  I would appreciate if anyone can help me out!!
  Thanks
  Fareed

  Hey lcaruso,
  thanks for information!!
  i was able to connection through console as suggested and regenerated the rsa key .. was able to connection through ssh, but the issue with the asdm or web access was not resolved. 
  I have tried few of the steps as suggested on 
  https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm#collect_captures
  capture output 
  ZHHFP-FIREWALL1(config)# sh cap capin
  139 packets captured
     1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
  443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
     2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
  084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
     3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
  443: . ack 590825878 win 65520
     4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
  443: P 2567327151:2567327332(181) ack 590825878 win 65520
     5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
  084: . ack 2567327332 win 8192
     6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
  084: FP 590825878:590825878(0) ack 2567327332 win 8192
     7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
  443: . ack 590825879 win 65520
     8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8
  443: F 2567327332:2567327332(0) ack 590825879 win 65520
     9: 18:50:17.657848 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58
  084: . ack 2567327333 win 8192
    10: 18:50:17.658108 802.1Q vlan#1 P0 192.168.160.113.58085 > 192.168.160.126.8
  443: S 1351758892:1351758892(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
  also i have downgraded the java to 1.6_45 but still not luck.
  error message i received on java console
  Trying for IDM. url=https://x.x.x.x/idm/idm.jnlp/
  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
  at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
  at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
  at com.cisco.launcher.w.a(Unknown Source)
  at com.cisco.launcher.s.for(Unknown Source)
  at com.cisco.launcher.s.new(Unknown Source)
  at com.cisco.launcher.s.access$000(Unknown Source)
  at com.cisco.launcher.s$2.a(Unknown Source)
  at com.cisco.launcher.g$2.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
  at sun.security.ssl.InputRecord.read(Unknown Source)
  ... 15 more
  Any help would be highly appreciated!!
  Thanks
  Fareed 

• Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin-top:0in;
  mso-para-margin-right:0in;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0in;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  Hi all
  I have set up a dial up connection between to PC's at remote site and center. It using ISDN 30B+D which is configured on Router 3845. Currently I have configured authentic connection with username and password using Cisco ACS. To enhance the security configuration I want to authenticate both the phone number which dialup with Cisco ACS. And currently I have not done this. Please help me solve this problem.
  Thanks so much
  Longn

  1) I deleted bridge-utils, netcfg
  2) I edited /etc/hostapd/hostapd.conf:
  interface=wlan0
  #bridge=br0
  edited /etc/dnsmasq.conf:
  interface=wlan0
  dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
  and edited /etc/rc.local:
  ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
  ifconfig wlan0 up
  3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
  Profit!

• ACE 4700 and Cisco ACS aaa authentication

  ACE version Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)
  Cisco ACS version 4.0.1
  I am trying to authenticate admin users with AAA authentication for ACE management.
  This is what I've done:
  ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
  warning: numeric key will not be encrypted
  ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
  ACE-lab/Admin(config-tacacs+)# server ?
  <A.B.C.D> TACACS+ server name
  ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
  can not find the TACACS+ server
  specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
  ACE-lab/Admin(config-tacacs+)#
  Why am I getting this error? I have full
  connectivity between the ACE and the ACS
  server. Furthermore, the ACS server
  works fine with other Cisco IOS devices.
  Please help. Thanks.

  Thanks. Now I have another problem. I CAN
  log into the ACE via tacacs+ account(s).
  However, I get error when I try going into
  configuration mode:
  ACE-lab login: ngx1
  Password:
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  ACE-lab/Admin# conf t
  ^
  % invalid command detected at '^' marker.
  ACE-lab/Admin#
  The ngx1 account can access other Cisco
  routers/switches just fine and can go into
  enable mode just fine. Only issue on the ACE.
  Any ideas? Thanks.

• Cisco acs 4.2 for bandwidth management

  hi sir ,
  I have a problem with my cisco acs 4.2. I have a cisco asa 5510 which is AAA client for my acs 4.2 . I want to limit bandwidth per user ,
  I have tested different radius attribute , but they didnt work ,
  How can i configure this feature ?
  best regards

  Jatin,
  Currently we're using TACACS+ for authentication.  We
  Here's a description of the requirement for 2 factor authentication:
  Id - NET0431
  Vulnerability
  Discussion
  AAA network security services provide the primary framework through which a network administrator can set up access control on
  network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a
  user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users
  may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be
  incapacitated with only a few commands.Default Finding
  Details
  AAA server does not redirect/call to a two-factor authentication server.
  NET Authentication Access
  Procedure: The implementation varies and a thorough review is necessary. Have the SA review and discuss their
  implementation. A typical AAA process includes the network system redirecting user access requests either directly to an
  ACE/Server or to a CiscoSecure ACS (TACACS+) server which redirects the 'authentication' request to the ACE/Server for
  strong authentication via user tokens (keyfobs). During the review have the SA point out the calls from the TACACS+ or Radius
  servers to the authentication server performing the two-factor requirement
  From my understanding ACS can meet this requirement, I just need some ideas or case studies to see how it how implemented.
  Stephanie

• Cisco ACS v4.2

  Hi,
  I have created admin user in a Cisco ACS v4.2 used as TACACS+ server. Now the admin user ic created under the "default" Network Access Profile. However I would like to add another Network Access Profile to this admin user whiel maintaining the existing Network Access Profile.
  Please tell me how to achieve this?

  Your understanding of the issue is correct. The certificate installed in ACS is being used by wireless/wi-fi authentication and secure-http access (if configured). In case it expires, only wireless authentication and secure http access will be down. The network devices will continue to authenticate via tacacs. I guess LDAP in your case is actually acting as a backend database so radius or tacacs sending the user request back to the external database.
  Now, even if certificate expires, you've always an option to generate slef singed certificate until to you get the new third party certificate from you CA. Self-signed Certificate Setup (only if you do not use an external CA)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
  Jatin Katyal
  - Do rate helpful posts -

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.

• How to hide line console parameters through Cisco ACS

  Hi,
  Can any one of you please help me in the following scenario ?
  I want to hide the line console, line aux and line vty configuration parameters of the cisco devices based on user level privillages through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line paramenters on the cisco devices for which he had privilege level 7 access.
  Can you please help me out how to achieve this?? Your help in this regard is highly appriciated.
  Thanks

  This thing is possible with local authorization on IOS device. With ACS this is not possible.
  In acs you can set what all commands a specific user can issue. That feature is called command authorization.
  For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.
  Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
  Note : Having priv 15 does not mean that user will able to issue all commands.
  We will set up command authorization on acs to have control on users.
  This is how your config should look,
  aaa authentication login default group tacacs+ local
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa authorization config-commands
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  Regards,
  ~JG
  Do rate helpful posts

• Cisco ACS 4.2 - Server Busy

  Hi!
  We're authenticating our Desktops and IP-Phones via 802.1x using two Radius-servers running Cisco ACS v4.2 on Win2k8.
  From time to time we run into the problem, that one of the servers 'get's too busy' and stops answering authentication requests. That results in many failed authentications with our VoIP-phones (Siemens OpenStage).
  What I don't understand is why the ACS acts that way...
  TAC says that all 42 or so threads are in use when the server says it's too busy.
  While the server is 'busy' the CPU runs at 1 - 2 % !! And there's loads of RAM left...
  This is an extract from the CSRadius-Log-File:
  RDS 06/09/2011 07:51:13 E 1495 2072 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.104.204.249 ignoredRDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 3712 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 5947 4916 0x0 Failed to update logged on list for IPPhone (UDB_SERVER_BUSY)RDS 06/09/2011 07:51:13 E 1495 5124 0x0 Server too busy - request from 10.100.204.22 ignoredRDS 06/09/2011 07:51:13 E 0958 1880 0x0 Error processing accounting request - no response sent to NASRDS 06/09/2011 07:51:13 E 6025 3560 0x0 Matching class attribute failed for user IPPhone, no further processing will be done assuming this is out-of-order packet due to UDPRDS 06/09/2011 07:51:13 E 1825 1532 0x0 Error UDB_SERVER_BUSY authenticating host/hostname.xxx.yyy - no response sent to NAS...RDS 06/09/2011 07:51:20 E 3089 2704 0x0 Error AS_NO_FREE_CONNECTIONS authenticating IPPhone - no response sent to NAS
  Did any of you encounter the same problem? Did you find a workaround or fix? Maybe there's a way to increase the number of authentication threads?
  Thanks alot!

  The key is to get all of the information needed. Normally when they say it takes too long for the client to answer that is not always the exact fault.
  You may seem to get that answer if the ACS is taking a long time to process the request and the switch or client has basically timed out its requests.
  The information needed is the following
  all of these items really need to be gathered at the same time
  switch debugs including
  debug radius
  debug aaa authen
  debug aaa accounting
  sniffer capture between the switch and the ACS
  logs from ACS with debugs enabled.
  If you are going to AD on the backend you may also want a sniffer capture between the ACS and the AD
  all of these together should tell you where the delay of failure lays and then at that time some changes can be suggested

• Rendering a Cisco ACS page is broken in Firefox 15

  Since updating to Firefox 15, a page inside my Cisco ACS appliance does not render: Access Policies > Access Services > Default Network Access > Authorization.
  The page has historically taken 15-20 seconds to fully load its contents, and the page now renders as if Firefox 15 got sick of waiting and just displayed what content it had. Is this a problem with rendering the page or perhaps did the value of a timer get changed in Firefox 15?
  The Cisco appliance is not public-facing, so I am happy to do a screen-sharing session with a Mozilla engineer if it would help troubleshoot. Thanks.

  Still broken in 16... Great, now I have to run a version that is 2 versions old.

• Cisco ACS for Unix authentication

  My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
  Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config,  Can I get the unix boxes to get authenticated against Radius?
  Any help will be appreciated.
  Manny

  Hi,
  Authentication of unix servers  via ACS over radius protocol can be achiveable,check out the below link client end configuration needs to be done for radius authentication
  Hope that helps out your query !!
  http://www.ibm.com/developerworks/library/l-radius/
  Regards
  Ganesh.H

• Cisco NAC, Cisco ACS, Microsoft NAP, Anti Virus

  Hi,
  I'm doing a research on the Cisco NAC (without the appliance) concept and I would like to ask the following:
  1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
  2. Forcing Windows PC to download OS patches according to company policy. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Microsoft NAP (Network Access Protection)? Is there a way to do this only with Windows Server (not using NAP)?
  3. Forcing Windows PCs to update Anti Virus software. Needed products are Cisco ACS, Cisco access devices, Cisco Trust Agent and Anti Virus server? Is this correct?
  Please, give me some advice.
  Thanks in advance,
  Mladen

  Thanks for the reply, but still I am a bit confiused (would you please try to answer the questions?):
  1. Securing network access - Needed products are Cisco ACS and Cisco access devices (2960, for example). The feature needed is NAC Layer 2 IEEE 802.1x. Is this correct?
  2. To force update of Windows patches, do I need a NAC appliance (I can only install CSACS)?
  3. To force AV updates, do I need a NAC appliance (I can only install CSACS)?
  I refer to
  "Implementing Network Admission Control Phase One Configuration and Deployment";
  "Network Admission Control Software Configuration Guide - Information About Network Admission Control".
  Thanks in advance,
  Mladen

• Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

  Hi All,
  I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
  For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
  Thanks!

  I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
  1. Create a End Station Filter, here configure the user's IP
  2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
  3. Define your rule with the required result