ACS 5.1 AnyConnect Attributes

Hi,
Can someone explain to me the steps to configure the AnyConnect tunneling protocol of svc and so forth in ACS 5.1, please?
Also, I would highly appreciate it if there's a reference document available.
Thanks in advance.

Hi pemasirid,
The following are all the attributes that the ASA accepts for VPN connections, including AnyConnect:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_extserver.html#wp1605508
In terms of where to configure them in ACS, you would add them into the appropriate Authorization Profile that you are returning to your VPN clients. Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, and create one (or edit one you already have). Go to the tab called Radius Attributes and pick the dictionary type "Radius-Cisco VPN 3000/ASA/PIX 7.x", and those attributes from the link above should be there to choose and you can enter your values.
Then assign that Authorization Profile to your Access Policy rule that is being matched for your connections.
Thanks,
Nate

Similar Messages

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in Anyconnect. When we change the Windows local user privileges to Admin or create the Anyconnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Anyconnect VPN-Authentication multiple profiles via ACS

    Hi,
    I'm currently facing the issue, that I need to migrate a customer VPN-structure from VPN-client to the new Anyconnect.
    There is an ASA5515 and they have ACS with local users and AD-Integration.
    The problem: The old system used different profiles with PSK, so every external partner who had a VPN connection got its own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, which authenticate via AD or RSA. The guys who implemented this did it the easy way, meaning when a user connects, the whole user table is checked (AD, local, RSA). So if an external had the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
    I should now implement a new ASA with Anyconnect and also keep up the different profiles. But in this case the problem is: there is no PSK any more. So if a smart guy changes the group in his XML profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACLs, but the externals are.
    I'm looking for a guide on how to set up different policies on the ACS, which look up the user only in the one group, depending on the profile he connected with. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
    What do I need e.g. for 10 different profiles?
    - 10  groups on ACS?
    - 1 Access-Policy? (Network Access) -> with 10 different Authorization Policy rules? 
    - Anything else?
    Where do I define the policy to use in Anyconnect?
    Thanks in advance!
    BR

    I've done a similar deployment where all authentication/authorization and accounting was pointed from ASA to ACS.
    There are multiple layers to your question.
    First of all, you have ACS, hopefully 5.x, which gives you a nice policy-driven authentication and authorization schema.
    1st layer - set up group-alias and group-urls for specific users on the ASA.
    2nd layer - on ACS, decide where those connections should be authenticated/authorized against (go to AD, RSA, local DB). The ASA passes the tunnel group name in authentication calls to ACS.
    3rd layer - the group-lock feature ensures that a user can only have access to resources if they are in a specific group.

  • PAP for anyconnect 3.0 to ACS RSA

    Hi, how do I move the anyconnect authentication method from mschapv2 to pap?
    ASA uses mschapv2 when it talks with ACS 5.3, and ACS 5.3 doesn't want to authenticate with the external RSA Manager for MSCHAPv2.
    thanks
    renato

    MSCHAPv2 is configured on the ASA:
    tunnel-group VPNgr1 general-attributes
      password-management
    If password-management is removed, it uses PAP.

  • EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

    Hi Guys,
    Whilst I'm well aware of the limitations of the built-in Windows wireless 802.1x supplicant, is there a way, using the NAM client, to authenticate both a computer and a user simultaneously when used for authentication to wireless networks?
    As has been posted many times before on this forum, this isn't possible due to Windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication, based on the options it gives you with EAP-FAST and 'EAP Chaining'.
    Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE, but I need it to work on ACS (5.x).
    Thanks in advance.
    SteveH

    Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
    So, try rebooting ACS if you haven't already and see if that resolves the error.

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate AP & WLC; should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining an AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA clients would be defined as RADIUS or TACACS+ only.
    If you were using specific VSA attributes then you need to send those attributes back by configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • Configuring AAA network client on ACS v5.1 using the same atributes from AC

    Hello,
    Actually I'm new to using ACS v5.1 and I wanted to do the same AAA client configuration as was configured on my old ACS v3.3 server.
    My old ACS v3.3 AAA client types are WLC, LAP and Autonomous AP (using the RADIUS (Cisco Aironet) authentication protocol), PIX & a Router (using the TACACS+ (Cisco IOS) authentication protocol).
    I'm using PEAP_MS-CHAP v2 as the RADIUS authentication method.
    Can anyone guide me to accomplish this configuration, please?
    Best regards.
    Posted by WebUser Mourad Lafjer


  • ASA and ACS 5 multiple VPN profiles for one user

    Hi there
    I have a question about ACS 5.3 and ASA VPN profile authorization. I am not sure if it is possible to allow one single user for a set of VPN profiles on ASA, let's make an example:
    ACS 5.3 group hierarchy:
    - VPN users global
    -- VPN users A
    -- VPN users B
    ASA VPN profiles:
    - VPN profile A
    - VPN profile B
    - VPN profile Z
    VPN authorizations:
    1. VPN users global should have access to VPN profiles A, B and Z (here we create an authorization profile with no class and no lock attributes, so the group is allowed for all VPN profiles)
    2. VPN users A should have access to VPN profile A (here we create an authorization profile with class and lock attributes for profile A)
    3. VPN users B should have access to VPN profiles B and Z (is this possible, and what does the authorization profile have to look like?)
    Thanks a lot in advance and best regards
    Dominic

    Hi Dominic,
    first of all, let's clarify that on the ASA you have tunnel-groups (named connection profiles in ASDM) and group-policies. These often, but not always, have a one-to-one mapping.
    The Tunnel-Group (TG) is either selected by the user (either from a drop-down list or by entering a specific group-url), or automatically selected by a certificate map (i.e. based on a certain field in the user cert, the user is mapped to one TG or another). The TG mainly specifies what kind of authentication is used.
    The Group-Policy (GP) by default is the one specified in the TG, but it can be overridden by e.g. Radius.
    So from the ASA's standpoint itself your possibilities are rather limited: the ASA will just apply whatever group-policy you push from Radius (in IETF attribute 25 aka "Class"), and in addition it will deny access to a user if the TG he selected does not match the value of the group-lock attribute. Group-lock can only contain one TG name, so you cannot do something like "allow both B and Z".
    In other words, you cannot achieve your goal if the Radius server has a "static" set of attributes per user.
    However, as of ASA 8.4.3 the ASA now sends 2 vendor-specific attributes in the Access-Request:
    vendor ID = 3076, attribute 146 is "Tunnel Group Name" (string).
    vendor ID = 3076, attribute 150 is "Client Type" (integer):
      0 = No Client specified
      1 = Cisco VPN Client (IKEv1)
      2 = AnyConnect Client SSL VPN
      3 = Clientless SSL VPN
      4 = Cut-Through-Proxy
      5 = L2TP/IPsec SSL VPN
      6 = AnyConnect Client IPsec VPN (IKEv2)
    So if you can configure the Radius server to "dynamically" permit/deny access based on the TG attribute I suppose you could achieve what you want.
    If/how ACS can do this, I personally don't know; I suggest you ask in the AAA forum if you need help with that part.
    hth
    Herbert

  • ISE + anyconnect 802.1x not getting IP

    Hello guys,
    I am currently testing ISE with the anyconnect.
    So the strange thing is that ISE tells me i am authenticated, authorized.
    And the switchport tells me the same...
    Switch#sh auth session int g0/7
                Interface:  GigabitEthernet0/7
              MAC Address:  5475.d063.fee8
               IP Address:  192.168.1.4
                User-Name:  contractor
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
              Vlan Policy:  4
                  ACS ACL:  xACSACLx-IP-PERMIT_ANY_ACL-5156419c
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0AC801020000000600490514
          Acct Session ID:  0x00000008
                   Handle:  0xA4000006
    But my client just stays in "Acquiring IP address" (never gets it) and then changes to "limited or no connectivity" due to the fact that it didn't get an IP.
    Everything works smoothly with the native Windows client.
    What can I be missing?
    Regards,
    Emilio

    Hello Emilio,
    try to stop the WIFI service in Windows services to give total priority to AnyConnect.
    Let us know the result.
    Regards.
    V.

  • ASA5510 - VPN AnyConnect - Two Part Authentication

    Currently, we have the AnyConnect client authenticating our users to our AD environment. All is working as desired. Now our Control Agency is requiring a two-step authentication for VPN access. Is it possible (and if so, how do you do it) to also configure the AnyConnect client login to send a PIN to the AD user's registered cell phone and then require that PIN to be input to complete the VPN login process?
    This is basically the sequence that I foresee:
    1. The AnyConnect client requests and then validates the User's AD credentials
    2. The ASA 5510 generates and sends a one-time 4 to 6 digit PIN to the AD user's cell phone.
    3. The AnyConnect client presents a dialog box awaiting the PIN to be entered.
    4. The user enters the PIN and completes the login once the ASA validates the PIN.

    Hi,
    You can use secondary authentication:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s1.html#wp1452151
    Do you have any external server/vendor for that PIN (one-time password) authentication?
    How should the user in step 3 know which PIN to type (if it's generated one-time)?
    With RSA one time password you could configure it as radius and use secondary authentication feature.
    You could also use ACS as a proxy between ASA and RSA.
    Michal

  • Using AnyConnect NAM for wireless and AD password changes

    Hi,
    I am having a problem with AD password changes and wireless profiles in AnyConnect. Once a user changes their password from their PC and then tries to connect to our WPA2 802.1x wireless it fails to authenticate and I cannot find a way to update the password that works. So we currently delete the wireless profile and create a new one. Is there a way that NAM could pull user/password from login or any other fix. We are also using ACS 4.1. AnyConnect version 3 to 3.0.5080.
    Thanks!

    In your anyconnect profile did you set the "use single sign on credentials"? Also did you try the repair option to see if it works after that (I am not suggesting a solution but for troubleshooting). Does logging on and off the machine help resolve the issue? Does this happen on all workstations?
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1166170
    Even though this is for user authentication this bug seems like a candidate:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx03814&from=summary
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • How to configure AnyConnect/ASA/Certificate/MS CA together

    Hello
    We are looking to apply mobile device management utilizing some third-party cloud solution. Mostly iPad users will connect to our internal network using AnyConnect through the ASA. A third-party MDM will be used to control and provision the iPads, and I need to provide a solution for AnyConnect VPN.
    Looking for some guidance, docs, examples, white papers that will provide info on how to configure the following:
    Users will connect to the ASA VPN using AnyConnect; a certificate issued by the internal Microsoft CA and unique to each user will be used to authenticate the user. ACS will communicate with Microsoft AD to check if the user is a valid AD user. Once authentication is done, the user will have access to the internal network.
    I am struggling to get all those pieces of the puzzle together so I can work on a solution.
    I would appreciate it if someone could give me some ideas on how this whole scenario will work.
    Thank you.

    Anyone from the experts out there? I am sure someone has done this before.

  • ASA 9.1 + ACS 5.4 SSL Web Portal Bookmarks according to AD Group.

    Hello.
    I have some issues with SSL VPN on an ASA 5515-X.
    I have the ASA (9.1) connected to the ACS (5.4) and have configured the anyconnect mobile client and the clientless SSL web portal. ACS also has a connection to Active Directory.
    So it's configured that AD users from a group, for example VPN_clients, can connect via the anyconnect client or without a client via the SSL web page. And it's working fine.
    My goal is to make different SSL portal bookmarks (in ASA terms, different Group Policies) according to the AD user group.
    For example: I have 3 groups in AD: VPN_admin, VPN_Finance, VPN_Logistic. I want users from these groups, after authentication at the SSL web portal, to see only their own bookmarks, available only for their group.
    As I understand it, after the authentication process ACS must tell the ASA which AD groups the user belongs to, and the ASA must choose the right group policy for the user, but I have no experience of how to do this.

    Hello Ivan,
    You are right, ACS can let the ASA know which group-policy it should assign, based on the RADIUS attribute 25.
    Steps on ACS:
    1- Define the AD groups:
    2- Define the authorization profile under the Policy Elements tab:
    3- Create the Authorization policy and access criteria:
    Then, on the ASA:
    1- Create a group-policy and name it "it".
    2- Through the ASDM, create and assign the bookmarks to this group-policy.
    3- Once a user authenticates, the ACS sends the attribute 25, which contains the string "ou=it".
    4- The ASA looks for the group-policy "it" and assigns it to the user's session.
    Let me know if you have any questions.
    HTH.
    Please rate any helpful posts.

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 Server and an ASA 5540. I have setup AnyConnect SSL VPN on the ASA and want to authenticate users using AAA tacacs+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have setup a group in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I setup the VPNUSER group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for vpn, they can also ssh the firewall which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict administrative access on a per-device or NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or an AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed

  • Porting ACS 4.2 rules to ISE

    I'm trying to move AAA services from an ACS 4.2 integrated to AD to an ISE3355 supporting remote access VPN on an ASA/AnyConnect and wireless (PEAP). The ISE3355 is AD integrated.
    With respect to Remote Access VPN using AAA on the ACS, I currently map various AD groups to ACS groups, and use the RADIUS IETF Class [025] attribute for the ACS group that associates an ACL name hardcoded in the ASA configuration to enforce the access policy.
    Is this a valid approach to porting policies from the ACS to the ISE?
    Or alternatively, must I define the ACLs on the ISE instead of using those already defined in the ASA configuration?
    I need to do a quick port, so any suggestions are appreciated.

    Thanks for your response Vattullu. My local Cisco account security-focused SE pointed me to this youtube video:
    http://www.youtube.com/watch?v=HcMf3q_lmYo
    This addressed the authorization issue exactly the way I needed it.
