ACS 5.1 administrator authentication via AD

Similar Messages

• AP Authentication via ACS.

  Hi All,
  Just a basic question regarding MAC based authenitcation of AP with ACS.
  The scenario is - If I have a ACS installed and I want all my Cisco 3502 APs to be authenticated on MAC basis via ACS. I know that AP mac is used as a username and password at ACS so that whenever we plugin the new AP in the network, it gets authenticated via ACS first and if the AP is authorised to be used in network then only it gets the IP address from DHCP.
  My question is - What will happen, if the AP is connected in local mode on a remote location and the WLC, ACS & DHCP are in Datacenter. The traffic coming from remote location will pass through the Remote-site router and during that pass, it will remove the source mac address of AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case.
  When working in a LAN I know its possible, but how will it work over the WAN.
  Pls. suggest ASAP.
  Thanks in Advance.
  Regards
  Harish

  Harish:
  As you may know that traffic between WLC and APs is encapsulated in CAPWAP tunnel.
  The information insdie the CAPWAP should tell the WLC what MAC address the AP uses.
  CAPWAP RFC metniones that you can do AP authorization by two ways:
  - with certificates
  - with PSK.
  The standards does no imply what the PSK should be, however, Cisco seems to use it to be the mac address of the AP when the ap authorization is enabled. RFC recommends to use mac address of AP as PSK.
  2.4.4.4.  PSK Usage
     When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
     contain the "PSK identity hint" field and the ClientKeyExchange
     message MUST contain the "PSK identity" field.  These fields are used
     to help the WTP select the appropriate PSK for use with the AC, and
     then indicate to the AC which key is being used.  When PSKs are
     provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
     the key MUST be specified.
     The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
     SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
     and identities be the ASCII HEX-formatted MAC addresses of the
     respective devices, since each pairwise combination of WTP and AC
     SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
     sufficient to perform authorization, as simply having knowledge of a
     PSK does not necessarily imply authorization.
     If a single PSK is being used for multiple devices on a CAPWAP
     network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
     longer be a MAC address, so appropriate hints and identities SHOULD
     be selected to identify the group of devices to which the PSK is
     provisioned
  you may spend more time reading the CAPWAP RFC if you are interested
  CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
  Hope this answers your concern.
  Amjad

• HTTP authentication via ACS TACACS+.

  Hi.
  I configure a router for tacacs+ access and the console and CLI work fine.
  HTTP access continually prompts for password and I can never gain access via web.
  I have tried the various cli combinations of IP HTTP AUTHENTICATION, but still does not seem to work with tacacs+.
  Debug authentication and authorization are ok (PASS)!
  Any suggestions??
  Thanks.
  Andrea.

  Hi Andrea,
  Make sure that you have privilege level 15, for your account, as telnet can work without it, but for http its a must.
  You can configure it for Group, under whihc you have your user account or per user basis too.
  Select group > Edit Settings > TACACS+ section
  Check "Shell" and "Privilege level" and in box in front of privilege level, put number "15".
  Also if you have configured enable authentication via TACACS+ ,amake sure under your user account you have selected "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, of select other as appropriate.
  Let me know if it helps :)
  I suppose you have "ip http authentiaction aaa" command configured.

• Cisco Prime Infrastructure 2.1 GUI authentication via RADIUS server (Cisco ISE 1.2 integrated with AD)

  Hi,
  I want to access Cisco PI 2.1 GUI using my AD credentials, so on PI I've enabled RADIUS AAA Mode and added RADIUS servers (two ISE nodes in our case). On ISE I added PI as RADIUS client and configured the same keys. Next, on ISE I created authorization profile PRIME_ADMIN_ACCESS with only attribute settings defined:
  My authentication and authorization rules relating that case are as on following screenshots:
  So when I open GUI of PI and enter my AD credentials to log in I have no success and I receive following message:
  Looking in ISE's Authentication section I can see following:
  Time difference between these two authentication/authorizations is just 25 msecs and clicking on each of them reveals following:
  So at first I can authenticate and authorize (authorization profile has necessary attributes defined for PI management access (NCS:role0=Root, NCS:virtual-domain0=ROOT-DOMAIN)) and after 25 msecs I am getting failure. So what could be cause of such things and how I can successfully log in to PI GUI authenticating via ISE using AD credentials?

  Hi,
  -- Please Go to Administration > Logging > set the Message level to TRACE > Click save
  -- Then try to add the ISE.
  -- Once it fails, collect the logs from Administration > Logging > 
  check the "ncs-0-0.log"  & search the file for "ERROR" & paste the results here. This will give us exact reason.
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• Using ACS for Cisco Prime authentication

  I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
  Any pointers?

  The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
  Administration > AAA > TACACS+ Servers > add tacacs server.
  Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
  The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
  "Configuring ACS 4.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
  https://supportforums.cisco.com/docs/DOC-17909
  In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
  Jatin Katyal
  - Do rate helpful posts -

• ISE Radius device administration authentication possible?

  Hi,
  does anybody know if Radius device administration authentication and authorization is possible with the actual ISE release? I know that TACACS will be available in future release.           
  Regards
  Joerg

  Yes it's possible according to "Ask the experts" forum :
  https://supportforums.cisco.com/thread/2172532
  "If you use RADIUS for device administration, ISE can be utilized using authorization policy elements that return Cisco av-pairs.  But personally, I think ACS is currently superior to ISE for this task."
  Anyway, I'm about to test "device admin" and "network access" simultaneously in the same switch with Radius and ISE.
  Please rate if it helps

• ACS + Wired dot1x machine authentication

  Hi,
  I am trying to setup wired machine based authentication. I have followed this guide
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
  However I simply get the same error all the time on ACS.
  Invalid message authenticator in EAP request
  Switch config;
  interface GigabitEthernet0/46
  switchport access vlan 20
  switchport mode access
  media-type rj45
  dot1x pae authenticator
  dot1x port-control auto
  dot1x reauthentication
  dot1x guest-vlan 20
  i am trying to setup group matching to perform vlan assignment however I am just entering under the unknown user policy at the min with no vlan assignment setup.
  Anyone shed any light on this, all I want to do is authenticate a machine via certificates issue a vlan id based on the machine name and AD group matching. No user authentication this can be done via the PDC.
  Purely using machine auth.
  Cheers
  Scott

  Hi Guys,
  The plot thickens, I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server however when using the new server 4.2 I get the external DB authentication failure??
  Thanks for your help.
  Scott

• NAC authentication via Windows AD

  Hi,
  we have a Nac enviroment with users that are defined on the ACS. Also the groups are defined on this machine.
  The problem is that we have to move all the users from the ACS to the domain controller, so all the users will become AD users.
  In which way we have to configure the NAC enviroment to permit the authentication via Active Directory instead of Radius that runs on the ACS?
  Thanks a lot!
  Leonardo

  You have to create a map rule if you have two or
  more Roles authenticating in the same LDAP Auth Server
  and not if you have two or more auth servers
  If the users authenticating today in Radius Server ACS is associated with a single Role XYZ, then you can configure the LDAP Server linking users to the same Role XYZ.
  You will have two providers for the same Role.

• ACS configuration for NAC authentication

  Hello,
  I've been trying to configure my ACS server to allow user authentication via the cisco NAM, but it does not seem to work anytime i try to log in with my configured username/password on the ACS server.
  I need someone to guide me through how to get this resolved.
  Regards,

  I am assuming you are having the NAM authenticate NAC Agent login requests against ACS.
  This can be done via RADIUS or LDAP.
  Check out the Cisco NAC Chalk Talks, particularly 'Configuring Authentication, Roles, and SSO'
  Chalk Talk Series
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

• Authentication via weblogic security realm

            My servlet needs to access a session bean. The action in the session bean requires
            that a user has been authorized, i.e. at some point the session been calls
            String name = d_ctx.getCallerPrincipal().getName()
            This name may not be null at this time.
            What I would like to have is that the user executing the URL gets authenticated
            by my server realm 'myrealm' and that the associated prinicpal gets passed to
            the session bean. Is this possible. If so, how can the user pass along the username
            and password as this query is executed programmatically?
            markus
            

  http://www.weblogic.com/docs51/classdocs/API_acl.html
  Michael Girdley
  BEA Systems Inc
  "gennot" <[email protected]> wrote in message
  news:[email protected]..
  Could you send me the complete URL of these example, please?
  Thanks
  Enrico
  Michael Girdley <[email protected]> wrote in message
  39b87078$[email protected]..
  The passing of the client's certificate should be automatic to WebLogic.We
  have an example of getting the client side certificate from inside of
  WebLogic in our documentation.
  This does not require for SSL to be used from the Web server to
  WebLogic.
  >>
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Bob Simonoff" <[email protected]> wrote in message
  news:[email protected]..
  I have read through the docs and haven't found anything that would
  address
  the following confusion:
  Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
  the back end application server (obviously). I have the need to use 2way
  SSL authentication. As I understand it the following applies:
  Client (browser) has a certificate as does the web server. Theyauthenticate
  each other.
  Now, the web server and weblogic need to communicate. WebLogic, in our
  environment does authentication via the security realm.
  What do I have to do to get the the web server (Apache or IPlanet) to
  communicate the client's certificate to WebLogic so the WebLogic canperform
  the authentication?
  Does the communication between the web server and WebLogic also need
  to
  be
  SSL?
  Thanks
  Bob Simonoff

• 802.1x wired authentication via PEAP, MD5

  Hi everyone,
  Thank you for taking the time for reading this, I am implementing a security solution and wanted to take th benefit of implementing 802.1x over wire. I have been searching a bit but no much info from start to finish on how to implementing this solution,
  i would really appreciate if someone could point me some where  to find  detailed instruction on how to do this, as so far i have been configuring in multiple way bit no result out of it. Still a orange port color on my switch, that means the first
  hop of security work but the next no.
  Thank you in advance to read this.

  Hi,
  According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
  Some articles and just for your reference:
  802.1X Authenticated Wired Access Overview
  https://technet.microsoft.com/en-us/library/hh831831.aspx
  802.1X Authenticated Wired Access Design Guide
  https://technet.microsoft.com/library/dd378864(WS.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

  Help!
  After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
  When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
  I have included a picture that describes my problem exactly:
  Does anyone have this problem? Can anyone help me?
  Thanks!

  The thing you and many others forget is that these forums are for those with problems. Those for whom the installs works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were an unique fault, this would mean a small fraction of the installed base.
  According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So lets go for one months sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
  So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, its still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit its not Apples finest hour, but its certainly not bad for the overwhelming majority.
  Perhaps you could apply to be an Apple tester, to help solve this issue ? Its better than standing on the sidelines complaining about everyone elses work for certain.
  Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

• Sshd authentication via pam_userdb

  Hello
  I would like to configure ssh to authenticate against a database file which I've created.
  This is what I have done so far:
  1. Generate the database file out of a text file:
  db_load -T -t hash -f logins.txt /etc/vpasswd.db
  I have modified /etc/pam.d/sshd to be the below:
  %PAM-1.0
  auth requisite pam_securetty.so #Disable remote root
  auth sufficient pam_unix.so
  auth sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
  auth required pam_nologin.so
  auth required pam_env.so
  account sufficient pam_unix.so
  account sufficient pam_userdb.so db=/etc/vpasswd crypt=hash use_first_pass
  account required pam_time.so
  password required pam_unix.so
  session required pam_unix_session.so
  session required pam_limits.so
  When I log is as a user specified in the database file the following logs are returned:
  Apr 1 00:29:47 dopey sshd[13778]: Failed none for invalid user testuser from 57.62.62.102 port 31794 ssh2
  Apr 1 00:29:52 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
  Apr 1 00:29:55 dopey sshd[13778]: Failed password for invalid user testuser from 57.62.62.102 port 31794 ssh2
  What I'd like to happen is if the user exists as a Linux account then let them in as normal, but if not then check the vpasswd.db database file.
  Can anyone point me in the right direction? Is it possible to configure this?
  Thanks
  - eskay
  Last edited by eskay (2009-04-01 03:18:55)

  It looks like RADIUS authentication via the PAM module does work. We compiled the pam_radius module using the -bundle option to the linker. That seems to have fixed it. The link line ends up being
  gcc -bundle pamradiusauth.o md5.o -lpam -o pamradiusauth.so
  We'll send these simple changes to the pam radius developers.
  What this has allowed us to do is use RADIUS authentication for logging in remotely via ssh. However, we have yet to figure out how to get the main login "window" for OS X to allow PAM to be used.
  Pete

• ACS 3.3, RSA Authentication Manager, Win2k3 AD

  What is the best practice for implementing cisco ACS 3.3, RSA, Win2k3 AD.
  We want to use these combo to authenticate our Remote access client. Our VPN/Firewall box is a ASA5540.
  Thx

  Hi
  You basically have 2 posibilities:
  Posibility 1:
  Use the ACS as the Central AAA Server and integrate all other Authentication-Servers with the ACS.
  The ACS Supports different Token Servers / AD / RADIUS Server directly.
  This is very smooth, you use the ACS to control all Authentication Request from your Network devices , TACACS+ or RADIUS.
  There is some limitations'thoug: ACS only supports One AD Domain and no Trusts ... this can be painful..
  Poisibility2:
  Use The ACS as a RADIUS proxy-Server.
  There are no "direct intagration" with the other Radius Servers - such as the ACE or the different ISA-Servers, but still alll client can use the ACS as their "AAA Radius Server".
  This requires separate configuration of all RADIUS servers, but it overcomes the limitation of the ACS Support of Microsoft TRUSTS.
  It is possible to use a mixture of both Cenarios, and you could use things like the domain-suffix (everything behind @ in [email protected]) to deside wich RADIUS server should do the Authentication.
  Hope This Helps
  Greetings
  Jarle

• I need help, How could I add Aliases to Local Administrator account via terminal commands???

  I need help, How could I add Aliases to Local Administrator account via terminal commands???
  I want to use commands to add alias for existing administrator account remotly by using ARD.
  Thanks.

  Hi,
  a Windows Domain Controller does not have any local user or groups. So you might add the user to the admin group at Domain level.
  B RGDS,
  Gregor
  Edited by: Gregor Gasper on Jan 9, 2009 1:44 PM