ACS 5.3 Configuring 802.1x

I'm trying to configure 802.1x with ACS 5.3 and have some general doubts about how to do it. This is what I have for the moment:
ACS 5.3 = 192.168.240.28
AD = 192.168.251.97
Switch = 192.168.240.171
IOS device config
Already configured and running Device Administration using TACACS, mixing with RADIUS aaa commands:
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
aaa group server radius RADIUS_1x
server 192.168.240.28 auth-port 1812 acct-port 1813
aaa authentication login default group TACACS_PLUS
aaa authentication login no_tacacs enable local
aaa authentication enable default group RADIUS_1x
aaa authentication dot1x default group RADIUS_1x
aaa authorization config-commands
aaa authorization exec no_tacacs local
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group RADIUS_1x
aaa authorization auth-proxy default group RADIUS_1x
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS_1x
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting network default start-stop group TACACS_PLUS
aaa accounting connection default start-stop group TACACS_PLUS
aaa accounting system default start-stop group RADIUS_1x
tacacs-server host 192.168.240.28 port 49 key 7 104D0617040717180F05
tacacs-server directed-request
radius-server attribute 8 include-in-access-req
radius-server host 192.168.240.28 auth-port 1812 acct-port 1813
radius-server timeout 20
radius-server key 7 094F410718151201080D
radius-server vsa send authentication
dot1x system-auth-control
errdisable detect cause security-violation shutdown vlan
errdisable recovery cause security-violation
interface GigabitEthernet0/24
switchport mode access
switchport voice vlan 7
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x timeout quiet-period 15
spanning-tree portfast
spanning-tree bpduguard enable
ACS 5.3 Configuration until now
I have a document on how to configure this on ACS 4.2, but I have some problems trying to configure on ACS 5.3.
I'll appreciate a lot any ideas that could help me on this.
Regards,
Juan Carlos

OK Carlos, I made it simple: just AD as the condition and an authorization profile. I tested with a compliant client and am still receiving a timeout, and Network Access Authorization is still at 0. Here is the debug:
001250: Jan 19 18:40:58.028 GDL: AAA/BIND(0000002F): Bind i/f 
001251: Jan 19 18:40:58.237 GDL: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a2a2.a028) on Interface Gi0/24 AuditSessionID C0A8F0AB0000001101B6C743
001252: Jan 19 18:41:00.007 GDL: %LINK-3-UPDOWN: Interface GigabitEthernet0/24, changed state to up
001253: Jan 19 18:41:01.014 GDL: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/24, changed state to up
001254: Jan 19 18:41:08.547 GDL: AAA/AUTHEN/8021X (0000002F): Pick method list 'default'
001255: Jan 19 18:41:08.547 GDL: RADIUS/ENCODE(0000002F):Orig. component type = Dot1X
001256: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IP: 0.0.0.0
001257: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IPv6: ::
001258: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE(0000002F): acct_session_id: 37
001259: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): sending
001260: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE: Best Local IP-Address 192.168.240.171 for Radius-Server 192.168.240.28
001261: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Send Access-Request to 192.168.240.28:1812 id 1645/27, len 246
001262: Jan 19 18:41:08.555 GDL: RADIUS:  authenticator 27 15 50 22 ED AB FC 34 - F1 24 56 87 30 6F 7D F9
001263: Jan 19 18:41:08.555 GDL: RADIUS:  User-Name           [1]   18  "juancarlos.arias"
001264: Jan 19 18:41:08.555 GDL: RADIUS:  Service-Type        [6]   6   Framed                    [2]
001265: Jan 19 18:41:08.555 GDL: RADIUS:  Vendor, Cisco       [26]  27 
001266: Jan 19 18:41:08.555 GDL: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
001267: Jan 19 18:41:08.555 GDL: RADIUS:  Framed-MTU          [12]  6   1500                     
001268: Jan 19 18:41:08.555 GDL: RADIUS:  Called-Station-Id   [30]  19  "00-1C-0E-08-69-98"
001269: Jan 19 18:41:08.555 GDL: RADIUS:  Calling-Station-Id  [31]  19  "F0-4D-A2-A2-A0-28"
001270: Jan 19 18:41:08.555 GDL: RADIUS:  EAP-Message         [79]  23 
001271: Jan 19 18:41:08.555 GDL: RADIUS:   02 01 00 15 01 6A 75 61 6E 63 61 72 6C 6F 73 2E 61 72 69 61 73  [ juancarlos.arias]
001272: Jan 19 18:41:08.555 GDL: RADIUS:  Message-Authenticato[80]  18 
001273: Jan 19 18:41:08.555 GDL: RADIUS:   E5 92 90 F9 39 F2 EA A9 E4 B2 C9 02 12 9D EA B0                 [ 9]
001274: Jan 19 18:41:08.555 GDL: RADIUS:  EAP-Key-Name        [102] 2   *
001275: Jan 19 18:41:08.555 GDL: RADIUS:  Vendor, Cisco       [26]  49 
001276: Jan 19 18:41:08.555 GDL: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8F0AB0000001101B6C743"
001277: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
001278: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port            [5]   6   50024                    
001279: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/24"
001280: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-IP-Address      [4]   6   192.168.240.171          
001281: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Sending a IPv4 Radius Packet
001282: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Started 20 sec timeout
001283: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Request timed out
001284: Jan 19 18:41:26.507 GDL: RADIUS: Retransmit to (192.168.240.28:1812,1813) for id 1645/27
001285: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Started 20 sec timeout
Complete Report:
aaa group server tacacs+ TACACS_PLUS
server 192.168.240.28
aaa group server radius RADIUS_1x
server 192.168.240.28 auth-port 1812 acct-port 1813
aaa authentication login default group TACACS_PLUS
aaa authentication login no_tacacs enable local
aaa authentication enable default group RADIUS_1x
aaa authentication dot1x default group RADIUS_1x
aaa authorization config-commands
aaa authorization exec no_tacacs local
aaa authorization commands 15 TACACS_PLUS group tacacs+
aaa authorization network default group RADIUS_1x
aaa authorization auth-proxy default group RADIUS_1x
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting dot1x default start-stop group RADIUS_1x
aaa accounting exec default start-stop group TACACS_PLUS
aaa accounting network default start-stop group TACACS_PLUS
aaa accounting connection default start-stop group TACACS_PLUS
aaa accounting system default start-stop group RADIUS_1x
dot1x system-auth-control
interface GigabitEthernet0/24
switchport mode access
switchport voice vlan 7
authentication port-control auto
authentication violation protect
dot1x pae authenticator
dot1x timeout quiet-period 15
spanning-tree portfast
spanning-tree bpduguard enable
tacacs-server host 192.168.240.28 key 7 104D0617040717180F05
tacacs-server directed-request
radius-server attribute 8 include-in-access-req
radius-server host 192.168.240.28 auth-port 1812 acct-port 1813 key 7 15110402053A2E372B32
radius-server timeout 20
radius-server key 7 0110090A5A1B031C224D
radius-server vsa send authentication
The compliant client should have access to VLAN 60.
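The debug above ends in "Request timed out" and a retransmit rather than an Access-Reject. That is exactly what RFC 2865 and RFC 3579 prescribe when a RADIUS server either has no AAA-client entry for the NAS or computes a different Message-Authenticator because its shared secret differs: the request is silently discarded, and the switch only ever sees a timeout. The Python script below is an added example (not from the original post or from Cisco) that rebuilds the 246-byte Access-Request id 1645/27 from the debug attribute by attribute, fills in the Message-Authenticator with a constructed switch secret, and then checks it with the same secret and with a different, constructed ACS secret; both secrets are placeholders, not the type-7 keys in the configuration.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types that appear in the debug (RFC 2865, 2869, 3579).
ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE, FRAMED_MTU, VENDOR_SPECIFIC = 1, 4, 5, 6, 12, 26
CALLED_STATION_ID, CALLING_STATION_ID, NAS_PORT_TYPE, EAP_MESSAGE = 30, 31, 61, 79
MESSAGE_AUTHENTICATOR, NAS_PORT_ID, EAP_KEY_NAME, CISCO_VENDOR_ID, CISCO_AVPAIR = 80, 87, 102, 9, 1

def avp(attr_type, value):
    """Encode one RADIUS type-length-value attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value

def cisco_avpair(text):
    """Vendor-Specific (26) carrying a Cisco (vendor 9) AVpair sub-attribute."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, text.encode()))

def eap_identity_response(eap_id, identity):
    """EAP Response (code 2), Type 1 Identity, as carried inside EAP-Message."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity.encode()

def attributes(pkt):
    """Return [(type, value_offset, value)] for each attribute; reject malformed lengths."""
    length = struct.unpack("!BBH", pkt[:4])[2]
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        out.append((attr_type, pos + 2, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return out

def build_access_request(secret, ident, authenticator, attrs):
    """Assemble an Access-Request; the zeroed Message-Authenticator placeholder in attrs is
    replaced by HMAC-MD5(secret, packet with placeholder zeroed), per RFC 3579 section 3.2."""
    body = b"".join(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body
    for attr_type, off, value in attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR and value == bytes(16):
            return pkt[:off] + hmac.new(secret, pkt, hashlib.md5).digest() + pkt[off + 16:]
    raise ValueError("no zeroed Message-Authenticator placeholder")

def verify_message_authenticator(secret, pkt):
    """True iff the Message-Authenticator matches this secret. A server with a different secret (or
    no AAA-client entry for this NAS) silently drops the request: the switch sees only a timeout."""
    for attr_type, off, value in attributes(pkt):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False  # an Access-Request carrying EAP-Message must include it (RFC 3579)

# Same attributes, order and values as Access-Request id 1645/27 in the debug above.
DEBUG_ATTRS = [
    avp(USER_NAME, b"juancarlos.arias"),
    avp(SERVICE_TYPE, struct.pack("!I", 2)),  # Framed
    cisco_avpair("service-type=Framed"),
    avp(FRAMED_MTU, struct.pack("!I", 1500)),
    avp(CALLED_STATION_ID, b"00-1C-0E-08-69-98"),
    avp(CALLING_STATION_ID, b"F0-4D-A2-A2-A0-28"),
    avp(EAP_MESSAGE, eap_identity_response(1, "juancarlos.arias")),
    avp(MESSAGE_AUTHENTICATOR, bytes(16)),  # placeholder, filled by the builder
    avp(EAP_KEY_NAME, b""),
    cisco_avpair("audit-session-id=C0A8F0AB0000001101B6C743"),
    avp(NAS_PORT_TYPE, struct.pack("!I", 15)),  # Ethernet
    avp(NAS_PORT, struct.pack("!I", 50024)),
    avp(NAS_PORT_ID, b"GigabitEthernet0/24"),
    avp(NAS_IP_ADDRESS, bytes([192, 168, 240, 171])),
]
REQUEST_AUTHENTICATOR = bytes.fromhex("27155022EDABFC34F1245687306F7DF9")  # from the debug

def demo(nas_secret=b"constructed-switch-secret", acs_secret=b"constructed-acs-secret"):
    """Build the request with the switch's secret, then check it the way a server would."""
    pkt = build_access_request(nas_secret, 27, REQUEST_AUTHENTICATOR, DEBUG_ATTRS)
    return {
        "length": len(pkt),  # 246, matching 'Send Access-Request ... len 246'
        "same_secret_ok": verify_message_authenticator(nas_secret, pkt),
        "mismatched_secret_ok": verify_message_authenticator(acs_secret, pkt),
    }
```

Because a mismatch is indistinguishable from an unreachable server on the NAS side, the ACS-side check is the Failed Attempts / RADIUS authentication log: a request that never appears there was dropped before policy evaluation, which is consistent with the Network Access Authorization counter staying at 0.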

Similar Messages

  • Juniper SSG and Cisco ACS v5.x Configuration

    I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma.  I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
    Configure the Juniper (CLI)
      1. Add the Cisco ACS and TACACS+ configuration
         set auth-server CiscoACSv5 id 1
         set auth-server CiscoACSv5 server-name 192.168.1.100
         set auth-server CiscoACSv5 account-type admin
         set auth-server CiscoACSv5 type tacacs
         set auth-server CiscoACSv5 tacacs secret CiscoACSv5
         set auth-server CiscoACSv5 tacacs port 49
         set admin auth server CiscoACSv5
         set admin auth remote primary
         set admin auth remote root
         set admin privilege get-external
    Configure the Cisco ACS v5.x (GUI)
      1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
            Create the Juniper Shell Profile.
            Click the [Create] button at the bottom of the page
                    Select the General tab
                            Name:    Juniper
                            Description:  Custom Attributes for Juniper SSG320M
                    Select the Custom Attributes tab
                        Add the vsys attribute:
                            Attribute:                vsys
                            Requirement:       Mandatory
                            Value:                    root
                            Click the [Add^] button above the Attribute field
                        Add the privilege attribute:
                            Attribute:                privilege
                            Requirement:       Mandatory
                            Value:                    root
                                    Note: you can also use 'read-write' but then local admin doesn't work correctly
                            Click the [Add^] button above the Attribute field
                    Click the [Submit] button at the bottom of the page
    2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
            Create the Juniper Authorization Policy and filter by Device IP Address.
            Click the [Customize] button at the bottom Right of the page
                    Under Customize Conditions, select Device IP Address from the left window
                            Click the [>] button to add it
                    Click the [OK] button to close the window
                    Click the [Create] button at the bottom of the page to create a new rule
                            Under General, name the new rule Juniper, and ensure it is Enabled
                            Under Conditions, check the box next to Device IP Address
                                    Enter the ip address of the Juniper (192.168.1.100)
                            Under Results, click the [Select] button next to the Shell Profile field
                                    Select 'Juniper' and click the [OK] button
                            Under Results, click the [Select] button below the Command Sets (if used) field
                                    Select 'Permit All' and ensure all other boxes are UNCHECKED
                            Click the [OK] button to close the window
                    Click the [OK] button at the bottom of the page to close the window
                    Check the box next to the Juniper policy, then move the policy to the top of the list
                    Click the [Save Changes] button at the bottom of the page
    3.  Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.

    Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
    You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server.

  • ACS SE 4.2, 802.1x and certificates for machine authentication

    I'm trying to figure out how to put this lot together, but don't know enough about ACS when used with an external CA.
    What I want to get working is:
    A PC with a machine cert gets connected to a switch running 802.1x. The switch uses EAP with .1x to query the PC, handing this off to ACS; that bit I'm OK with. The ACS needs to query the CA server to authenticate the PC; it's this process I'm not sure about.
    Reading the documentation I think that I need to configure LDAP between the ACS and the CA, which is running on 64-bit 2008 server. But, ACS SE remote agent is 32 bit only.
    Is this correct, if so how do I get ACS SE to communicate with a 64-bit 2008 CA server?

    Hi Bernhard,
    That answers my questions, having never worked with AD, CA and LDAP etc I didn’t realise that you could assign attributes at a user (machine in my case) level, although it makes perfect sense when you indicated that, as LDAP is a method of supporting user accounts right?
    I suppose in that case I'll be able to assign an attribute through LDAP, which ACS will use to map that account/machine to a specific VLAN. The attribute value will be used to represent the VLAN mapping.
    What component in ACS do I use to match against attributes? I don’t see anything in the NAP, NAF or RAC sections about this.
    As an alternative, your reply prompted me to look at the ACS User Group mapping section, it describes mapping a windows group to an ACS group, which may also be a solution, although not as flexible as being able to match on an LDAP attribute associated with the machine accounts.
    Reading through this it seems this is an area where the SE and Windows based ACS platforms differ, I'm using SE.
    Andy

  • ACS authorization plugins + configuration

    Hi,
    there have been rumors that there is a plugin providing an API that allows you to authenticate user with a given name/password
    combination. I.e. the users do not necessarily need an Adobe account.
    The rumor also says that this is somewhat related to Barnes & Noble's nook device...
    All I found so far is
    http://www.adobe.com/devnet/digitalpublishing/articles/barnes_noble_faq.html
    Can someone tell me where to find more detailed information. In particular how to download, install and configure that plugin
    (if it exists). The interface to be implemented is called "PassHashInfo", but cannot be found anywhere in the ACS' WAR or JAR
    files.
    Quote 1:
    5.1   PasshashInfo Interface
    The PasshashInfo Interface provides the mechanism for providing the encryption key for the document
    encryption key during fulfillment when using Passhash based protection. The interface itself is a single  function:
    byte[] getPasshash(String transactionID, byte[] userID, byte[] distributorID) throws PasshashException;
    The transactionID and distributorID are specified in the fulfillmentToken. The userID comes from the
    fulfillmentRequest, which also contains the fulfillment token. Given these three pieces of information, it is  the responsibility of the ACS4 operator to determine the appropriate username and password to be used,
    and to generate the encryption key. It is the joint responsibility of the Distributor and the ACS4 operator
    to communicate the username and password to be used to access the content, prior to initiating the
    fulfillment.
    It is expected that the ACS4 operator will work with the distributor to retrieve the passhash to be used
    from the distributor. The exact mechanism to be used for this is outside the scope of ACS4.
    Quote 2:
    9    Password-Based Document Protection
    New in ACS 4.1 is the ability to use password-based encryption for protecting the document encryption
    key, instead of the current Public key-based encryption tied to a specific Adobe DRM user. Since the
    content is not tied to a particular Adobe DRM user, there is no activation required and therefore no limits
    on the number of devices the content can be used on. Because of the lack of activation requirements,
    neither returning contents (loans), nor consumable permissions are supported when using password-based
    document protections.
    This password-based encryption is different from the password security offered in the Acrobat file format,
    in that it requires a username and password, it is compatible with ACS, and the resulting files cannot be
    viewed with Adobe Acrobat or Adobe Reader.
    Password-based document protection is also referred to as ''Passhash''. To issue content using Passhash
    protection, you must create a DistributionRight for that content with usePasshash set to true, and supply
    the encryption key to be used to the fulfillment service using the passhashInfo interface. To set up the
    DistributionRights correctly, you can either use the adminConsole or directly call the
    ManageDistributionRights admin API to set usePasshash to true for the DistributionRight. To configure
    the fulfillment service to look for your custom class that implements the passhashInfo interface, in your
    fulfillment configuration file, you will need to set the value of the
    com.adobe.adept.fulfillment.passhashInterface
    setting to be the name of your class. You will also need to
    place your .jar file into a location that is in the library path for Tomcat. The Tomcat Libraries directory is
    usually the most convenient for this. For more information on the passhashInfo interface, refer to the
    Technical Reference.
    Cheers
      Markus

    Hi Vinod,
    I noticed that you are creating several posts for the same things...
    Please follow up on https://supportforums.cisco.com/thread/2053653 where I posted an answer for you.
    HTH.
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Anyone successfully configured 802.1x Cisco LEAP wifi connection?

    Till now I've tried a couple of profile settings via the iPhone configuration web utility, but I still haven't managed to get onto our office wifi. Right account name and password, right protocol, but I didn't find the CKIP encryption option or a domain name type-in field. Could anyone help me? Thanks in advance!
    office wifi security: Cisco 802.1x/LEAP/CKIP

    Same problem here. Sometimes it says I'm connected with a 192.168.x.x address, and I can't get to the web, but other times it doesn't even pretend to connect, and has an IP address of 169.x.x.x.
    Our normal internal company IP addresses are 10.125.x.x.
    WEP encryption, CKIP.
    Corporate laptop connects just fine with the same settings (as far as I can tell anyway), the only odd thing is that we use the intel proset utility to enable cisco extensions to the LEAP section of the security. Don't know if the iPhone supports that or not?

  • Configuring 802.11v - BSS Transition Management on Cisco WLC 5508

    Hi,
    I am new to the configuration of the WLC, and I am trying to enable 802.11v sub feature called BSS Transition Management.
    I am using WLC software version 8.0.115.0, but I can't find this feature in either the GUI or the CLI. I did, however, manage to find other 802.11v sub-features like BSS Max Idle and DMS.
    Has anyone configured this feature?
    How is it done?
    Thanks,
    Udi Atar

    Yeah I want to tag all the VLAN's for sure.  Here is my switch config:
    Building configuration...
    Current configuration : 140 bytes
    interface Port-channel11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    end
    3560-153#show runn int gi0/33
    Building configuration...
    Current configuration : 171 bytes
    interface GigabitEthernet0/33
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    channel-group 11 mode on
    end
    3560-153#show runn int gi0/34
    Building configuration...
    Current configuration : 171 bytes
    interface GigabitEthernet0/34
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    channel-group 11 mode on
    end

  • Re-Auth Interval Configuration 802.1x

    How to configure Re-Auth Intervals on Cisco 6500 Switch - Cisco IOS Software, s3223_rp Software (s3223_rp-IPBASEK9-M), Version 12.2(33)SXI6, RELEASE SOFTWARE (fc4)
    Posted by WebUser Varun Thorvey from Cisco Support Community App

    Hi Amjad
    Very good point on this, thanks a lot. In this case, I did not even think about the client firmware side; I thought that it should be the WLC or the client settings, but not the driver. We will give it a shot next week; maybe this will help us solve the problem.
    It is normal to have the client in 802.1x_REQD if it is not yet authenticated, and that is the expected state to be in in your situation until the client fully authenticates.
    Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP identity Response, but that the client takes such a long time to answer is not normal ;-)
    - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
    WZC.
    - what is the result when testing with user auth only?
    The same, it takes such a long time.
    - what is the result when testing with machine auth only?
    Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
    Regards and have a nice weekend
    Dominic

  • Cisco ACS 1121 server configuration

    Hi,
    Can anyone tell me how to configure LAN teaming in Cisco ACS 1121? My requirement is to have a virtual IP in the server with two physical IPs on the 2 available interfaces in the server.
    Regards,
    Haja Shajahan.M

    Currently Gig 0 is supported. Gig 1 is blocked. Check this link ((Blocked) Gigabit Ethernet 1).
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_hw_ins.html#wp1119105
    Paps

  • ThinkPad + AC -- can't configure 802.1x

    Though I was able to configure WXP-Pro AC for a 802.1x profile, AC for Win 7 / 64 ThinkPad W700 does NOT allow me to do so (though I can for 802.11 b/g).
    After I have selected WIRELESS SECURITY TYPE of USE 802.1X OR OTHER SECURITY and press the PROPERTIES button, I receive the popup:
    ERROR: WIRELESS PROFILE NOT AVAILABLE
    FYI, WXP AC does NOT allow for the export of the 802.1x profile (but does allow 802.11 b/g profiles).
    I have uninstalled and reinstalled the AC package, making sure that profiles were also removed. No difference.
    I did all of that w/oi the range of the 802.1x access point.
    This is extremely frustrating.
    /Pete

    I think I found a bypass:  create a non-802.1x profile e.g., 802.11 b/g;  then edit that profile to make it into an 802.1x.
    /Pete

  • Use Profile Manager to configure 802.1x authentication to Active Directory

    I have an OS X Lion Server running profile manager, and I want to authenticate Macs against Active Directory. My test machine is running Lion as well.
    If I configure the profile for WPA/WPA2 Enterprise security type and PEAP protocol with a generic user name and password with explicit access on the RADIUS server, the machine can get on the 802.1x network.
    If I configure the profile to "Use as a Login Window configuration", the machine can get on the 802.1x network after entering the user name and password of an authorized RADIUS user.
    Here's my problem:
    I want to enable authentication for machines that are members of the Active Directory domain, but when I use the "Use Directory Authentication" option to authenticate with the target machine's directory credentials, the machine does not connect to my 802.1x network.
    Any thoughts?
    Thanks!!!!

    I'm trying to do the same thing, but I'm using Mountain Lion Profile Manager.  If I can't get this to work I'm going to try SCEP and certificate authentication.

  • Need ACS 4.2 configuration help

    Hi team,
    We are using ACS 4.2 for network device authentication. Now we need to create one user who is only able to shut and no shut the router interface. May I know how I can assign only three commands (conf t, interface, shut) to one user?

    I forgot to add the screenshots, here they are:
    Then you apply this in the User configuration:

  • About Secure ACS Database Replication configure

    hi
         I have installed the ACS and the ACS database has replicated completely.
    But when I made some changes, the primary ACS generated a *.csv file.
    This file can be replicated to the secondary ACS.
         THANKS

    Can you please clarify your issue? The post is not clear.
    Regards

  • Configuring 802.11 wireless security in WRT110

    I wish to implement 802.11 wireless security settings in my router WRT110. I am unable to see how it can be done. Any suggestions?
    Thanks
    Shrikant

    Gain access to your admin pages in the router and select the wireless tab.
    Then go here.

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible please??
    Many thanks

    Yes, ACS can support multiple AD domains, but you will have to configure one as your AD domain and the other as an LDAP database, and this will work since you are planning to use EAP-TLS.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so that if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1x authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
    Has anyone here set up 802.1x with AD integration via ACS 4.0? Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail in our experience for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate - check that the system a/c has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - Is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
    Hope that helps
    Andy
