ACS 5.2 and Microsoft AD authentication to IOS

I am looking for documentaion on implimenting ACS and MS., active directory for authentication to IOS (switches and routers) devices.
I would like to authenticate with AD, then if not possible local ACS database.

Please check this link. I believe it covers just what you're asking about.
More details for setting up your TACACS server with MS AD are in the ACS User Guide here.

Similar Messages

VPN 3005 and Microsoft AD authentication

I would like to use Microsoft Active
Directory (AD) to authenticate
remote access users connecting to the
VPN3005 concentrator. Everything is
working fine but I want the VPN3k to use
microsoft ds (tcp port 445) instead of
netbios (tcp port 139) when it communicates with the AD server.
In the vpn 3005 I specified port 445
as the communication port between vpn3k
and the AD server but in my tcpdump,
i see this:
[Expert@cp]# tcpdump -i eth1 -n host 192.168.1.4
tcpdump: listening on eth1
14:41:54.664335 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: S 1464837366:1464837366(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 732419 0>
14:41:54.666758 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 2621223901 win 8192 <nop,nop,timestamp 732419 0>
14:41:54.669135 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 0:72(72) ack 1 win 8192 <nop,nop,timestamp 732419 0>NBT Packet
14:41:54.671835 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 72:240(168) ack 5 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.700474 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 240:371(131) ack 110 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.704467 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: P 371:414(43) ack 223 win 8192 <nop,nop,timestamp 732419 579729>NBT Packet
14:41:54.706526 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: F 414:414(0) ack 262 win 8192 <nop,nop,timestamp 732419 579729>
14:41:54.715653 192.168.1.4.1034 > 10.250.97.29.netbios-ssn: . ack 263 win 8192 <nop,nop,timestamp 732419 579729>
obviously, it is using port 139 instead
of port 445.
How can I fix this on the vpn3k? Thanks.

Hi Kevin, I've looked at this message to see any replies for a while and I don't know if you have already resolved this issue.. I used vpn3005 as well but use different method of authentication which is RADIUS from our Windows AD, I tend to believe this may be more of a PPTP client netbios setup and not the VPN , where? I don't know but clearly the tcpdump the client is initiating netbios session and even though vpn is setup for port 445 it still forwards netbios port... well just a thought .
Rgds
Jorge

WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

Hi All,
I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
Am I on the right path?
Anyone done this before or have any bright ideas?
Cheers,
John

With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
1. EAP authentication
2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
For the further description and configuraiton following URL may help you :
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
james

Hi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay

ACS 5.5 and Windows 2012 AD support

Hi All,
previously I had two AD domains based on 2008 and had machines in one domain and users in another domain
and the condition statement "Was machine authenticated=True" worked fine when doing EAP-TLS machine then user
authentication.
I have now upgraded the machine's domain to 2012 and machine authentication works fine and user authentication
also works, but when you put the two together, and enable "Was machine authenticated=True" the ACS errors
out when doing user authentication with the message "ACS unable to find previous successful machine authentication"
even though machine authentication was successful. I have tried with with ACS being a member of both 2008 and 2012 domains at each stage.
The clients are all windows 8.1
Has anyone encountered this scenario before ?
TIA

I would like to share a good troubleshooting guide for ACS 5.X and later, Please have a look:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html

Dacl on ACS 5.1 and Catalyst switch 3560

Dear all
I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
This authrization profile is used on access policy.
I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenicated successfuly but the dacl gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
Steps:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11025 The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
11003 Returned RADIUS Access-Reject
DACL:
deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
permit ip any any log
Thanks on advance,

Dear Tiago
I applied the command "radius-server vsa send". Now I can see the dacl is applied but I can't see it on the switch and even the authentication is succueeded ont the ACS logs but it give me unauthoized on the switchport. You can see the logs( started with the username acstest and the access-list is applied but it doesn't work and you can see theat it goes for mab after eap timed out). I hope you can help on this issue.
Dec 13,10 10:29:00.513 AM
00-23-AE-7A-58-A6
00-23-AE-7A-58-A6
Default Network Access
Lookup
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
22056 Subject not found in the applicable identity store(s).
Dec 13,10 10:28:29.186 AM
#ACSACL#-IP-Guest-4cfcc14d
Dot1x-3560-Switch
1.2.3.4
TESTACS
Dec 13,10 10:28:28.726 AM
acstest
00-23-AE-7A-58-A6
Default Network Access
PEAP (EAP-MSCHAPv2)
Dot1x-3560-Switch
1.2.3.4
FastEthernet0/5
TESTACS
Thanks,

ACS 4.0 and RSA Token Server problem

Hi,
We are having a problem trying to get ACS 4.0 for Windows to authenticate wireless users on an RSA Token server.
Our Cisco 1200 series AP is configured for WPA2 and LEAP authentication. It points at the ACS server for RADIUS authentication. Now this works fine for users with a static password defined on the ACS internal database. However, for obvious security reasons, we?d like the authentication passed to our internal RSA server.
I have installed the RSA Agent on the same server as the ACS along (after adding the generated sdconf.rec file to the System32 folder). The RSA server has been added to the ACS external databases and a user configured to use the RSA Token server for password.
When we try to authenticate, the ACS fails the attempt with reason ?External DB password invalid?. The same user can successfully authenticate when using the RSA test authentication tool which is installed on the ACS server as part of the RSA Agent software.
After running some debugs on a PIX in front of the servers, I can see traffic to/from the servers when using the test tool (which works), however it looks like ACS doesn?t even send traffic to the RSA server when authenticating.
Any help or advice appreciated.
Thanks

Hi,
The token servers only support PAP. Please make sure that the request are going to the RSA in PAP.
Following link talks about the same.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs40/user/o.htm#wp824733
Regards,
~JG

Integration between WLC 5508 and Microsoft NPS 2008

Hi guys,
Any of you, have working guidance for WLC 5508 and Microsoft NPS 2008 integration?
I managed to configure Wireless 802.1x feature (PEAP) but it failed. I'm running software ver. 7.0.116.0.
Is there any bug related 802.1x on this software version?
thanks in advance.
BR
shendy

Hi Shendy,
I am not aware about any bug related to this. I think you better check all configuration and make sure it is fine.
Logs from NPS and WLC (and possibly from the supplicant) may guide you where the problem resides.
What does the NPS logs tell about the reason of the authentication failure?
What does the WLC logs say about the failure (check show msglog and show traplog).
- Make sure the Radius server added correctly with correct IP and correct shared secret on WLC.
- Make sure that the radius is configured correctly to allow PEAP-MSCHAPv2.
- Make sure WLC is added successfully to WLC with correct IP address and correct shared secret.
- Make sure the clients are correctly configured and the server's (NPS) certificate is trusted on the clients.
HTH
Amjad

ACS v5.2 and Citrix Repeater - Configuring shell (exec)

Hi
I am trying to get a Citrix Repeater 8540 authenticating with a v5.2 ACS. I can get the authentication via TACACS+ to work OK but I do not have access to some the configuration options in the GUI (like logging) - It is saying I do not have the proper rights.
Googling around I have found that on a version 4.x ACS all you need to do is tick shell (exec) and set privilege 15 to get it to work (see screen shot) but I am having trouble with a v5.2 ACS. I can assign privilege 15 in the shell profile and assign execed to attribute shell but it is still not working.
I have configured the following shell profile but I can still not access most of the menu options:
This is the error when trying to access Admin Config on the Citrix Repeater
Any ideas please

Have you created individual user accounts in the Central Manager that match the user ID on you ACs system? If the user does not have an account in the CM under Admin>AAA>Users then they will probalby get logged in to the CM but will have no privileges.

ACS, Access Service and Authorization

I am running ACS 5.2 and I am trying to set up 3 new SSIDs, 2 of which are unsecured and 1 that is secured. I am trying to figure out the best way to authorize them based on which network they are coming from. All the authentication requests are coming from the same devices, the Wireless LAN Controllers, so NDG cannot be used as criteria. I have been looking at either creating 3 Access Services and using Service Selection Rules, or creating 1 Access Service and using Authorization to choose. Regardless, I cannot find an attribute to use that can determine which network they came from.
Does anyone have a suggestion for the best way to do this? I

Go to in Policy Elements -> Network Conditions -> End Station Filters, and create a CLI/DNIS rule that includes the name of the SSID, then use it as a condition in any rule you create for authentication. The SSID will be preceded by the MAC address, so enter *ssidname (ie, match anything before the SSID name, then match the SSID name). For example, if the SSID is called lab then you would enter *lab.
Then go to Access Policies -> Service Selection and create a service selection rule that has End Station Filter as the criteria.

IPad 802.1x and Microsoft RADIUS

Is anyone running iPad 2's in the enterprise using Microsoft RADIUS server? Now I understand that you can't use device certs because iPads cannot be joined to the domain, but I can use user certs. Now I read that iOS support PKCS#1 and #12, but I do not have this option on my CA for a cert request? Can someone share some tips on how they deployed these devices on the enterprise network? I could really use some help here. Thanks.

> [email protected] wrote:
>
> > You can do 802.1x authentication in Windows XP and 2000 with service
pack
> > 3 or above withou the Odyssey client. You can see this when you right
> > click on your network card, choos properties and you should see an
> > authentication tab if you have XP or 2000 with the right service
pack.
> > This is built into Windows and will use the users login name and
password
> > for authentication.
>
> Yes, I'm quite aware of that. I just didn't understand what you meant
by
> "override" in this context. The bottom line is that yes, you can use
OK. As long as I can use the Novell Client and Windows for
authentication. The testing that we are doing is using Direct XML on the
Novell Server and Remote Loader on an AD server with IAS. The user names
and groups are synchronized to AD. THe authentication with then happend
at the AD server with IAS.
> the Windows client to authenticate against 802.1x compliant RADIUS
> servers, and NO, Novell's is not 802.1x compliant, and never will be.
> It's *possible* (but not confirmed) that Novell may be providing
> detailed and supported steps to get freeRADIUS working for such tasks,
> though. That's all I can tell you as that's all I know.
>
> --
> Jim
> NSC SYsop

ACS Group mapping and restrictions

hi,
I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.
ACS Groups
Netadmin - need telnet/ssh/vpn/wireless
wireless - only wireless authentication
vpn - only vpn authenticaiton
I need to map the above ACS groups to one/or many AD groups and restric access as stated above.
Also please note that one user can be belongs to all three groups in ACS/AD.
thanks in advance.

In ACS user can only belong to one group. But in AD we can have one user a part of multiple group.
In this scenario, it is very important to understand how ACS group mapping works.
Lets say that you have three different groups on AD for NetworkAdmin, RouterAdmin, Wireless. Go to external user database ==Database Group Mappings==Windows NT/2000==select the domain to which you are authenticating==Add mapping.
Select the AD group NetworkAdmin and map it to ciscosecure group 1
select the AD group RouterAdmin and map it to ciscosecure group 2
select the AD group Wireless and map it to ciscosecure group 3
Group mappings work in the order in which they are defined, first configured mapping is looked upon first then second, third and so on. If a user is in AD group NetworkAdmin and that is mapped to ACS group 1 and it is first configured mapping it will be looked for FIRST (If a user exists in NetworkAdmin group it will always be mapped to ciscosecure group 1 and NO further Mappings for this user is checked and user is authenticated or rejected)
Scenario: if you have a user called cisco, in NetworkAdmin group, cisco1 in RouterAdmin group, and cisco2 in Wireless. They will always be dynamically mapped to ACS group 1, 2 and 3 respectively as per above mappings.
You can check the mappings on the passed authentications for users as to what group are they getting mapped to.
SCENARIO:
Now if you want a NetworkAdmin user to authenticate to NetworkAdmin devices and not wireless or RouterAdmin devices you would need to apply NARs to group 1 because NetworkAdmin users are connecting to that group. Which you will permit Access on group basis to a particular NetworkAdmin NDG or individual NetworkAdmin NAS device.
NOTE:
If you are applying NARs for Wireless or VPN devices.. you would need to configure both IP based AND CLI/DNIS based together because NARs were originally designed for cisco IOS for
routers and switches.
IMPORTANT: If a user successfully authenticates to AD database once, its username is cached on the ACS database (NOT password) the only way to remove the previously cached
username is to go to usersetup find that user and delete it manually.
ACS will not support the following configuration:
*An active directory user that is a member of 3 AD groups (group A, B and C) *Those 3 groups are mapped within ACS as follows Group1->A,Group2->B and Group3->C.
*The user is in all 3 groups however he will always be authenticated by group 1 because that is the first group he appears in, even if there is a NAR configured assigning specific AAA clients to the group.
However there if your mappings are in below order...
NT Groups ACS groups
A,B,C =============> Group 1
A =============> Group 2
B =============> Group 3
C =============> Group 4.
You can create a DIFFERENT rule for the users in A,B,C by configuring the NARs in group1.
This rule WILL apply for the use ONLY if he is present in ALL three groups (A,B and C).
You can create a rule for users in group A (Group 2)
You can create a rule for users in group B (Group 3)
You can create a rule for users in group C (Group 4)
Regards,
~JG
Do rate helpful posts

Question in ACS radius ports and how test connectivity between router

hi all
im asking here about default ports used in cisco acs for radius protocol
is it 1812 and 1813 ???
or there is another ports ??
Q2-
how to test connectivity between ACS "server aaa" and the router "client aaa " ??????
Q3-
can anyone give me simple config on router for radius protocol to connect acs based on radius protocol ?
regards

The default authentictaion port is 1812 and the default accounting port is 1813.
Here's an example config-
aaa new-model
aaa group server radius ACME-RADIUS
server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
aaa authentication login default local
aaa authentication login ACME-AAA group ACME-RADIUS local
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group ACME-RADIUS
line vty 0 4
login authentication ACME-AAA
You can test with-
test aaa group radius server 192.168.1.5 mmessier St@nleyCup
where mmessier is your username and the password is St@nleyCup

Cisco ACS 5.1 and MAC address identification/quarantining

A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment. For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port. If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access). What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
Please confirm, and as always, reference links/docs are appreciated.

Hi,
The goal you want to achieve is possible but not with MAB.
What you want can easily be done if you do machine authentication rather then MAB.
With machine authentication you can have something called Machine Access Restriction, which mean that both machine and user authentication has to be done, for the user to have access to the network.
In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successfull if the machine authentication was successfull.
For this to work you have to register the machines in the domain as well as the users.
Machines that do not exist on the domain, will fail machine authentication, and no user will be allowed to login in that machine.
To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, clic "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
Then, you create a new Rule and this Condition will be available:
On the client side you need to make sure that they do dot1x machines authentication.
This allows you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access network by logging in from a trusted machine.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

ACS 5.1 and 5.2 logs issue

Hi All,
I am having a lab set up with 2 ACS 5.1 and other with ACS 5.2. I am unable to see the logs for more than 2 days.The degault pathe is ... monitoring and reports > catalog AAA protocol > RADIUS Accounting. The problem is, if i need the logs for 7 days or more i can see only for last 2 days. Even on the CLI i tried to download, the format which i am getting is not readable and moreover i am able to see only for last 2 days. I raised a tac with cisco and their update to upgrade the s/w form 5.1 to 5.2.
Also the ACS which is having 5.1 is in production so i cant upgrade now . But i upgrade the other ACS from 5.1 to 5.2 and i ahve restored all the files from the production to lab ACS.
Now i am facing challenege in restoring the logs from 5.1 production to 5.2 lab setp.
Kindly help us to reslove the issue.
regards,
krishna

Hi Qobi,
In the RSA identity store properties you have the following option :
This Identity Store does not differentiate between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how such an authentication reject from the Identity Store should be interpreted by ACS for Identity Policy processing and reporting .
Treat Rejects as 'authentication failed'
Treat Rejects as 'user not found'
And also, under your access service policy, if you click on "identity" you will be able to select "continue if user not found". Screenshot attached.
Hope this helps.
Nicolas
===
Don't forget to rate answers that you find useful

ACS 5.2 and Microsoft AD authentication to IOS

Similar Messages

Maybe you are looking for