ACS 4.2 Windows Radius Attributes for VPN-dial-in

Hello,
the situation:
A remote user establishes a VPN connection (AnyConnect) to an ASA 8.4; the ASA forwards authentication to ACS 4.2. ACS should assign an IP address from an address pool depending on group membership (LDAP).
The problem:
The user gets an IP config with a default gateway which is always the 3rd address of the IP pool (the IP pools are /28 ranges); the mask is OK (/32).
In the ASA log I can see a message:
%ASA-6-110002: Failed to locate egress interface for protocol from src interface:src IP/src port to dest IP/dest port
I've assigned the following attributes:
IP Assignment: Assigned from AAA server pool (the corresponding pool is selected)
IETF RADIUS Attributes:
006 Service-Type: Framed
007 Framed-Protocol: ppp
009 Framed-IP-Netmask: 255.255.255.255
(not sure about) 022 Framed-Route: 0.0.0.0
025 Class: <Group-Policy of ASA>
Does anyone of you know what I'm doing wrong?
On the ASA I can't find any settings.
Thanks for any advice

O'Brien Simon
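As an added example (not from the post and not Cisco ACS or ASA code), this Python script encodes the Access-Accept attributes the poster lists (Service-Type, Framed-Protocol, Framed-IP-Netmask, Class) into RFC 2865 wire format, parses them back, and checks the Response Authenticator that ties a RADIUS reply to its request, which is the check a NAS relies on before trusting an assigned address. The shared secret, identifier, Request Authenticator, pool address 10.99.0.5 and the group-policy name are constructed placeholders.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2  # RADIUS packet Code (RFC 2865)
# IETF attribute numbers named in the post; 8 carries the pool address itself.
INTEGER_ATTRS = {6: "Service-Type", 7: "Framed-Protocol"}
IPV4_ATTRS = {8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}
STRING_ATTRS = {22: "Framed-Route", 25: "Class"}

def encode_avp(attr_type: int, value) -> bytes:
    """Encode one attribute as Type(1) | Length(1) | Value (RFC 2865 section 5)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)          # 4-byte big-endian integer
    elif isinstance(value, ipaddress.IPv4Address):
        payload = value.packed                      # 4-byte address
    else:
        payload = value.encode() if isinstance(value, str) else bytes(value)
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, avps: list) -> bytes:
    """Assemble an Access-Accept whose Response Authenticator binds it to the request."""
    attrs = b"".join(avps)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A NAS should discard an Accept whose Response Authenticator does not check out."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_avps(packet: bytes) -> dict:
    """Walk the attribute list, decoding each type the way the thread uses it."""
    out, pos = {}, 20
    while pos < len(packet):
        hdr = packet[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 3 or pos + hdr[1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, length = hdr
        raw = packet[pos + 2:pos + length]
        if attr_type in INTEGER_ATTRS:
            out[INTEGER_ATTRS[attr_type]] = struct.unpack("!I", raw)[0]
        elif attr_type in IPV4_ATTRS:
            out[IPV4_ATTRS[attr_type]] = str(ipaddress.IPv4Address(raw))
        elif attr_type in STRING_ATTRS:
            out[STRING_ATTRS[attr_type]] = raw.decode()
        else:
            out[attr_type] = raw                    # unknown type: keep the raw bytes
        pos += length
    return out

# Constructed values: in real traffic the NAS chooses the identifier and Request Authenticator.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))

def accept_from_thread() -> bytes:
    """The attribute set from the post, plus a constructed pool address."""
    return build_access_accept(0x2A, REQUEST_AUTH, SECRET, [
        encode_avp(6, 2),                                     # Service-Type = Framed
        encode_avp(7, 1),                                     # Framed-Protocol = PPP
        encode_avp(8, ipaddress.IPv4Address("10.99.0.5")),    # constructed pool address
        encode_avp(9, ipaddress.IPv4Address("255.255.255.255")),
        encode_avp(25, "VPN-GroupPolicy"),                    # placeholder group-policy name
    ])
```

Flipping one byte of the Class value or feeding a different Request Authenticator makes verify_response return False, which is the behaviour to expect from the ASA when a reply does not match the request it sent.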
Did you manage to get a reply to your question about the timeout period for dynamic users in ACS 4.2? As this is what I was about to ask, but noticed your post.
Many thanks
florrieford

Similar Messages

  • Radius Attributes for WAP321 AP

    Hi
    Is there a list of the supported RADIUS attributes for WLAN user authentication? Currently I have the following freeradius entry in my users file:
    DEFAULT Ldap-Group == 'wlanusers', Huntgroup-Name == 'accesspoint'
            Service-Type := Login,
            Fall-Through := No
    But it doesn't work. Have I forgotten some attributes?
    thx for any help
    Matthias

    Hi,
    Can you please take a screenshot of your configuration and attach it so that it can be used to root-cause the issue.
    Regards,
    Phanikrishna

  • The window title attribute for the page layout region has not been set

    Hi, I am a newbie to OA Framework extensions. Could you please advise me how to get rid of the error below?
    "The window title attribute for the page layout region has not been set. This attribute value will be used for the browser window title and should be set according to the UI standards. A default window title will be displayed for all such pages that violate the standards. Action: Set the window title or title attribute for the page layout region. The title attribute is used as a secondary source for the window title if the window title is missing."
    My requirement is to extend a VO and I am almost done with that, but when I run the PG (HomePG.xml) file to ensure everything is fine, the target page is displayed with the above error. Just to let you know that I have already set the Title and Window Title attributes for the HomePG.xml region, i.e. PageLayoutRN.
    One more thing I would like to share is that I set the Window Title to 'Oracle Applications Home Page', but the target page name is displayed as 'Oracle Applications'.
    Any suggestions?
    Thanks.

    Hi all, I am now getting the error below when I click on a notification from the notification page (AdvancWorklistPG.xml), which should have taken me to the notification details page (NotifDetailsPG). Please note that I am running the page from JDeveloper.
    Exception details:
    oracle.apps.fnd.framework.OAException: oracle.jbo.SQLStmtException: JBO-27122: SQL error during statement preparation. Statement: SELECT NtfEO.NOTIFICATION_ID,
    NtfEO.RECIPIENT_ROLE,
    NtfEO.BEGIN_DATE AS BEGIN_DATE_F,
    NtfEO.DUE_DATE AS DUE_DATE_F,
    DECODE(NtfEO.MORE_INFO_ROLE, NULL, NtfEO.SUBJECT, FND_MESSAGE.GET_STRING('FND','FND_MORE_INFO_REQUESTED')||' '||NtfEO.SUBJECT) AS SUBJECT,
    NtfEO.PRIORITY AS PRIORITY_F,
    NtfEO.STATUS,
    NtfEO.END_DATE AS END_DATE_F,
    NtfEO.USER_COMMENT,
    NtfEO.MORE_INFO_ROLE,
    NtfEO.FROM_USER,
    NtfEO.FROM_ROLE,
    NtfEO.TO_USER
    FROM WF_NOTIFICATIONS NtfEO
    WHERE NtfEO.NOTIFICATION_ID = ?
    ## Detail 0 ##
    java.sql.SQLException: ORA-01008: not all variables bound

  • ACS 3.3 Send Radius Attribute 135 & 136

    Hi
    I need an ACS box to return IETF RADIUS attributes 135 & 136 to a NAS for the assignment of DNS servers to clients.
    The ACS 3.3 user guide lists these as supported IETF RADIUS Attributes however they don't seem to be available under Interface Configuration--> Radius IETF.
    Would anyone know how I can enable these?
    Thanks
    Leon

    Hi Leon,
    That is quite strange. You should have those attributes.
    As you mentioned you have an ACS SE, if you could console into it, issue the commands
    stop csadmin
    start csadmin
    Or rebooting the ACS SE will restart the CSAdmin server.
    If you are restarting services from System Configuration > Service Control, that won't restart the CSAdmin service.
    Give that a try.
    Regards,
    Prem

  • ACS 4.2 - add RADIUS Attributes

    Hello,
    I want to add a RADIUS attribute for Radware devices, so I will have the option to grant "read only" permission to users.
    As I understand it, I need to add a VSA for the "read only" permission, or configure a specific "Service-Type value 255".
    In the following picture you can see the required information from Radware:
    Thanks

    Does anyone know about that?
    Thanks

  • Secure-ACS: Special RADIUS-Attributes for Enterasys E7

    Hi,
    we were running a pretty old version of Cisco Secure ACS for AAA of our network devices.
    Unfortunately the server crashed and we had to install and set it up on a new server.
    Using TACACS+ for our Cisco devices works fine.
    We have a couple of switches made by a vendor called Nexans, which only support RADIUS; this works fine too.
    Furthermore we still have some Enterasys E7s, and with those RADIUS doesn't work at all.
    Sniffing the packets, everything looks good.
    With the old server it worked well.
    Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS clients?
    Thanks,
    Rolf

    We have this configuration and it works fine with our network, and it also correctly associates the policy which we have configured on the Enterasys in this way:
    Filter-Id ===>
    Enterasys:version=1:mgmt=su:policy=Administrator
    After we made the update to ACS 5, the "ASA" considers this Filter-Id as an access list, so it treats the field after the Filter-Id as the name of the ACL, and disconnects the VPN connection.
    Could someone help me to resolve that?

  • RADIUS dictionary for VPN 30XX Concentrator.

    Where can I find the RADIUS dictionary with the new VSA for a VPN Concentrator sw 4.1.7?
    Thanks.
    Andrea.

    Please refer to this document for procedure : http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007deec.html#41675

  • CS password invalid ACS 4.0 window Radius

    Hi,
    Need help with Cisco Secure ACS 4.0

    Hi,
    ACS 4.0 will not work on a Windows XP machine.
    Please have a look at the system requirement of the installation guide of ACS 4.0
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/installation/guide/windows/install.html#wp1041324
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • Add RADIUS attributes under "Group Setup" in ACS 4.2

    Hi Security Experts,
    I need to add RADIUS attributes for a custom vendor under "Group Setup" page in ACS 4.2. As of now, I see Cisco Aironet RADIUS Attributes,
    IETF RADIUS Attributes etc in "Group Setup" page. How can I make sure that the RADIUS attributes for a vendor also appear on that page?
    PS: I rate useful posts
    Thanks,
    Kashish

    Under "Interface" you can enable which RADIUS-Attributes you want to display. Probably there's just one checkmark missing for your vendor.
    The Options for RADIUS are described here:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

  • How to get ACS3.2 to assign different attributes for multiples NAS's

    We are running ACS 3.2 and have 3 different types of NAS for each group of users (two managed dial solutions and 1 home-grown VPN concentrator solution).
    The problem is that the two dialup NASs require different RADIUS attributes for IP address assignment: one NAS uses a named pool, the other NAS assigns the pool based on an IP entry in attribute 8 (Framed-IP-Address). Users mapped to one ACS group must be able to use both dial services.
    Is it possible to configure ACS so that one type of attribute is used for one NAS and another type of attribute for the other for users belonging to the same group?
    Thanks,
    Matt

    Hmm, I thought you might say that:(
    I've done a bit of jiggery pokery and will be doing some testing tomorrow.
    I'll post back to this forum to let you know how it goes.
    Matt

  • Can I use ISE IPN without posture for VPN with Base license only?

    I'm looking at ISE licensing, and both Base and Advanced licenses have VPN listed. I could not find any document that provides guideline for VPN implementation using ISE Base license only.
    1. Can I use ISE IPN (Inline Posture Node) functionality without posture assessment with ISE Base license only? (I know it has to be ISE hardware appliance, and I know that Posture assessment requires ISE Advanced license.)
    2. Do I have to use IPN for VPN deployment using ISE as the Radius server?
    3. If I do not have to use IPN for VPN, can I use ISE for Authentication and Authorization in the same way as I use ACS?
    Thanks,
    Val Rodionov

    Val,
    There is no need to consider IPN if you are not using posturing. You can use ISE much like ACS for RADIUS authentication of VPN users.
    If posturing is down the road and your hope is to have an architecture in place and license later, then I am sure that you can use the IPN with Base licensing; however, I would strongly recommend working with the PDI (for partners) for help and confirmation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • RADIUS Attribute 198

    Hi there,
    I am trying to get RADIUS attribute 198 from a dial-in router (AS5300, C2610) with IOS 12.3.
    With "debug radius" the following output appears:
    *Mar 1 01:06:02.679: RADIUS: Acct-Session-Id [44] 10 "00000009"
    *Mar 1 01:06:02.679: RADIUS: Framed-Protocol [7] 6 PPP [1]
    *Mar 1 01:06:02.679: RADIUS: Framed-IP-Address [8] 6 192.168.1.1
    *Mar 1 01:06:02.679: RADIUS: Vendor, Cisco [26] 35
    *Mar 1 01:06:02.679: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up"
    *Mar 1 01:06:02.679: RADIUS: Acct-Session-Time [46] 6 23
    *Mar 1 01:06:02.683: RADIUS: Acct-Input-Octets [42] 6 1377
    *Mar 1 01:06:02.683: RADIUS: Acct-Output-Octets [43] 6 106
    *Mar 1 01:06:02.683: RADIUS: Acct-Input-Packets [47] 6 14
    *Mar 1 01:06:02.683: RADIUS: Acct-Output-Packets [48] 6 7
    *Mar 1 01:06:02.683: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1]
    *Mar 1 01:06:02.683: RADIUS: Vendor, Cisco [26] 39
    *Mar 1 01:06:02.683: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term"
    *Mar 1 01:06:02.683: RADIUS: Authentic [45] 6 RADIUS [1]
    *Mar 1 01:06:02.687: RADIUS: User-Name [1] 6 "test"
    *Mar 1 01:06:02.687: RADIUS: Acct-Status-Type [40] 6 Stop [2]
    *Mar 1 01:06:02.687: RADIUS: Vendor, Cisco [26] 16
    *Mar 1 01:06:02.687: RADIUS: cisco-nas-port [2] 10 "BRI0/0:1"
    *Mar 1 01:06:02.687: RADIUS: NAS-Port [5] 6 30001
    *Mar 1 01:06:02.687: RADIUS: Vendor, Cisco [26] 26
    *Mar 1 01:06:02.687: RADIUS: Cisco AVpair [1] 20 "interface=BRI0/0:1"
    *Mar 1 01:06:02.687: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
    *Mar 1 01:06:02.691: RADIUS: Calling-Station-Id [31] 12 "3334277535"
    *Mar 1 01:06:02.691: RADIUS: Called-Station-Id [30] 8 "289981"
    *Mar 1 01:06:02.691: RADIUS: Service-Type [6] 6 Framed [2]
    *Mar 1 01:06:02.691: RADIUS: NAS-IP-Address [4] 6 192.168.255.104
    *Mar 1 01:06:02.691: RADIUS: Acct-Delay-Time [41] 6 0
    Where is the attribute 198?
    Thanks,
    Oliver

    Hello Martin,
    here is the information:
    Cisco:
    aaa new-model
    aaa group server radius hamlet
    server x.x.x.x auth-port 1812 acct-port 1813
    aaa group server radius dialin-user
    server x.x.x.x auth-port 1812 acct-port 1813
    aaa authentication login default group hamlet local
    aaa authentication sgbp default local
    aaa authentication ppp default group dialin-user
    aaa authorization exec default group hamlet
    aaa accounting network default start-stop group dialin-user
    aaa session-id common
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 xxxA1507
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication
    We are using FreeRadius 0.8.1.
    Regards,
    Oliver

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network, which provides an L2L tunnel to a remote site and remote VPN for remote-access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However, when I configure the ASA for the AAA group with the commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    then when I do a show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed into the L2L VPN tunnel
    (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 server and an ASA 5540. I have set up AnyConnect SSL VPN on the ASA and want to authenticate users using AAA TACACS+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have set up groups in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to log into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I set up the VPNUSERS group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for VPN, they can also SSH to the firewall, which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict administrative access on a per-device or per-NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be the VPNUSERS group in ACS.
    HTH
    Ahmed

  • RADIUS Authentication for PI 2.1 with Windows Server 2008 (Windows NPS)

    Hello Community,
    can someone please provide a step-by-step guide (or at least the VSA part) for RADIUS configuration on a Windows 2008 R2 server for Prime Infrastructure 2.1?
    We already tried several setups with guides for PI 1.4 without success. The NPS itself authenticates and grants access, but on PI the login always fails.
    Thank you in advance,
    Benjamin

    I'm having the same issue and have a few questions/comments.
    I can get root/admin access working via NPS/RADIUS by just telling NPS to send PI the NCS:role0=Root (or Admin) and NCS:virtual-domain0=ROOT-DOMAIN RADIUS attributes.
    But I also have some users who I just want to give read-only access. I cannot seem to get this to work. At first I configured NPS to send PI the NCS:role0=Monitor Lite and NCS:virtual-domain0=ROOT_DOMAIN attributes. A user could log in, but would immediately get a "You do not have access to the page Monitoring Dashboards" error. Not to mention almost nothing shows in the menu. So I tried adding all of the individual tasks related to the "Monitor Lite" role into the RADIUS policy:
    NCS:role0=Monitor Lite
    NCS:task0=Services Menu Access
    NCS:task1=Alarm Stat Panel Access
    NCS:task2=Automated Feedback
    NCS:task3=Monitor Menu Access
    NCS:task4=Theme Changer Access
    NCS:task5=Maps Read Only
    NCS:task6=Help Menu Access
    NCS:task7=License Check
    NCS:task8=Rogue Location
    NCS:task9=Reports Menu Access
    NCS:task10=Monitor Tags
    NCS:task11=Alarm Browser Access
    NCS:task12=Configure Menu Access
    NCS:task13=Search Access
    NCS:task14=Tools Menu Access
    NCS:task15=Administration Menu Access
    NCS:task16=Monitor Clients
    NCS:task17=Home Menu Access
    NCS:task18=Client Location
    NCS:task19=OnlineHelp
    NCS:task20=TAC Case Management Tool
    but I'm not having any luck. The NPS RADIUS logs always show success, but the read-only users always get the same error and almost nothing visible in the menus.
    Has anyone successfully configured radius with something other than Admin or Root privileges?
    Thanks!
