ACS 5.3 confusion

Similar Messages

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• CopyRights problem with "expires at the fixed time" uat mode

  Dear all
  I found a problem with rights parameter
  When I use rights parameter in uat mode or umt mode
  it can't be work with this two modes($uat and $umt)
  and I found a document in adobe jp
  the document says "only uat mode works well with expire function"
  so I change the rgihts to uat
  but it still has problem and does not work
  this is part of my ASP VBS code
  startTime=DateDiff ("s","1-Jan-1970",Date())
  endTime=DateDiff ("s","1-Jan-1970",DateAdd("n" , 1 , Now()))
  strQueryParams = oGBLink.AppendToQuery("bookid", pSku, strQueryParams)
  strQueryParams = oGBLink.AppendToQuery("rights", "$uat#"&endTime&"#"&startTime&"$", strQueryParams)
  strQueryParams = oGBLink.AppendToQuery("price", CStr(pPrice), strQueryParams)
  ....and more
  is there any problem with my code??

  I don't see a problem with your code. You might put in a print statement and make sure that strQueryParams contains what you're expecting.
  When you're testing, are you using the same book more than once? If so, ACS can get confused about which voucher to use and use an old one.
  - either use a different book each time
  - or after each test, reset Acrobat or Reader on your test download machine. Adobe has a KB article:
  http://support.adobe.com/devsup/devsup.nsf/docs/53857.htm

• Confusing ACS 5.4 Alarm - no remote repository configured

  The following message from ACS 5.4.0.46 is confusing me:
  "Configure Remote Repository under Purge Configuration which is used to take a backup of data before purge."
  cause it is configured:
  and it also seems to work cause I got also messages that the purge is beginning and that it was successful.
  What is the problem here?

  I had the same problem, ACS 5.4 with latest patch 6 installed. I had to figure this out by myself and the solution was pretty simple.
  Make sure you configure incremental backup before 4 AM as database purge is run every night at 4 AM. I configured it at 3 AM. Well, after you configure this via GUI you need to login CLI and stop/start Job Manager process:
  # acs stop view-jobmanager
  # acs start view-jobmanager
  After that I got rid of those error messages and backups and database purges are working smoothly.
  Cheers,
  Kari

• Private key file from acs 3.3

  Hi All ,
             I have my SSL server certficate on my old acs 3.3.along with private key file , How i can export this private file with .pem extension from windows 2000 server , This private key file is not identified under certficate mmc console  , Because my acs application is being installed on a separate hardisk partion under D drive .
  file path : d:\Certificates\bh02cacsw02.pem
               how i can export this.pem from that particular folder , Thank you

  Hi,
  i see that you have mentioned the path d:\Certificates\bh02cacsw02.pem.
  The private key will have an extension of .pvk.
  are you aware of the location where private key is stored?? if yes, you can directly copy the private key and export.
  I am bit confused of you requirement.. do you want to export the cert with the private key??
  You can check the cert in the ACScertStore folder in MMC.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Calibri","sans-serif";}
  MMC > Click on File > Add/Remove Snap-in > Add > Certificates > Add > Computer Account > Local Computer > Finish > Close > OK.
  Hope this helps.
  Regards,
  Anisha
  P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• Replaced Expired Cert on ACS

  Hi,
  I replaced an ACS certificate that had been installed i then did the following:
  1. Created a certificate request.
  2. Issued the request to the enterprise CA.
  3. Copied the certificate to an ftp server.
  4. Installed the certificate on the ACS.
  5. Configured the CTL again.
  6. Restarted the ACS service.
  8. Enable EAP-TLS.
  The problem is when i try and enable EAP i get the message no ACS certificate installed.
  I searched on cisco and it said to disable the CSA and follow the same process which i have done to no avail.
  Any help appreciated.
  Thanks
  Kev

  I found this book in the version of the ACS:
  CSCef61785 Bug Details Bug #79 of 92 | < Previous | Next >
  ACS Appliance fails to recognize installed certificate Symptom
  ACS appliance does not recognize the installed certificate.
  Conditions
  Cisco Security Agent is running.
  1. Install a certificate. The web interface will report the certificate as installed and validated.
  2. Enable PEAP.
  3. An error appears: Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using ACS Certification Authority Setup page.
  Workaround
  Disable the Cisco Security Agent and repeat the installation procedure. Re-enable the Cisco Security Agent.
  Possibly worth upgrading?
  If so can some one help me with the upgrade stages as im finding them a bit confusing.
  Thanks
  Kev

• Implementing max user sessions settings for TACACS with ACS 5.3

  I'm a little confused about the configuration of max user sessions for device administration with TACACS.
  When I've changed the configutration of unlimited sessions for a value in Access Policies > Max User Session Policy > Max Session User Settings
  I think this value could limit the maximum number of sessions for each user, but instead this value limit in a global meaning all of my sessions.
  For example: I need to limit the session for my users in 2.
  user1 = Max 2 sessions
  user2 = Max 2 sessions
  user3 = Max 2 sessions
  Whe i Put the value of 2 in Max Session User Settings
  user1 + user2 + user3 = Max 2 sessions
  This is a limitation of ACS 5.3 or my configuration needs something aditional.

  Luis,
  Are you saying that when you authenticate with user1 and user 2 that user3 isnt able to get access?
  Do you have tacacs accounting enabled on the network access device?
  Also what do you have configured for the group settings? If there is a maximum group setting and all the users are a member of the same group then the lesser of the two will be enforced. So if the group max sessions is set to 1 then the all users in that group will have a max session of 1.
  Here is some reference material.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1162177
  Thanks,
  Tarik Admani

• ACS authentication against AD

  I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed meaning ACS is in and operational and I have it joined to my domain. I am now to the point of selecting my AD groups and Attributes within those groups. I know very little about AD so that may be part of my confusion.
  First off I gathere that I need to specify a specific group to get the actual user name / password authentication process to work? I loaded the windows Active Director Editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also thinkthat if my domain is 123.abc.corp that I need to use DC=123,DC=abc,DC=corp then pick the correct CN that I need?
  I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication so figure we need say a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group or are there any specific or recommended fields I need to have with this group?
  Secondly, we also want to use ACS for Dot1.x authentication on our Cisco switches but need VLAN information tied to the user. My question here is this something that we can add as a field to the user information or better to add it as a field in another group?
  I am looking for configuration examples but wanted to also make sure that I am following best practices so any assistance is appreciated.
  brent

  If you have single domain then you don't need to specify the domain name, just click on the 'select' button under directory groups to fetch/retrieve the AD groups and then add them.
  Use this page to select groups that can then be available for policy condition,
  Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
  For more information, you may visit the below listed URL
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999
  Once you are done, go to the access-policy >> on the right bottom corner, you would see a tab "customize" click on it and move the attribute AD1:ExternalGroups to thr right end side >> click ok >> create a new authorization policy and select the group you fetched in the directory groups under AD configuration.
  In order to do dynamic vlan assignment on ACS 5.1 you do the following:
  Policy elements >> Authorization  and permissions >> Network Access >> Authorization profile >> Create >> Give it a name like example "switch" >> Common tasks >> Click on VLAN ID name >> Select Static >> Give Vlan Number >> Click Submit >> Go to Access Policies >> Under default network access click on authorization >> Create >> Give the Rule a name like "vlan assignment for SWITCH" >> Click on Ad1:external groups >> Contains any >> Select -> choose the appropriate AD group >> Click ok >> Click select for authorization profiles >> Choose the profile that was previously create called "switch" >>   Click ok >> Now you assign the VLAN of "SWICTH" to the Group to the AD group >>  Click OK.
  HTH
  Regds,  Jatin
  Do rate helpful posts~

• Cisco WCS 7.x TACACS+ with ACS 5.2

  Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
  So I'm trying to get WCS to work with TACACS per this document:
  http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
  However, after having to enter EVERY SINGLE TASK, once you get down to:
  Creating Service Selection Rules for TACACS
  To create service selection rules for TACACS, perform the following steps:
  Step 1 Choose Access Policies > Access Services > Service Selection Rules.
  Step 2 Click Create.
  Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
  I'm alittle confused as to where it wants me to do click 'Create' at.  I of course did the 'hunt and peck' method and the only place I see where there is a 'create' buttong is under
  Access Policies >
  Access Services >
  Default Device Admin >
  Authorization
  but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

  Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2.  I've learned it's best to stick with the list so that you are not only familliar with that exact software, but that exact versions 'issues' as well.  No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...

• ACS 5.4 with DACL over wireless and wired network

  Hi my name is Ivan, I have a question
  I have a deployment in my network wired at this way:
  Profile 1: corporate's users are working with 802.1X to authenticate computers and users with eap peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to the Active Directory.
  Profile 2: Telephonies IP authenticate with MAB. All the Mac Address are registered in to the ACS locally.
  Profile 3: user guest authenticate with portal web from Cisco Wireless Lan Controller over the wired network, and the account exist in to the WLC Lobby Ambassador
  A my deployment in the wireless network is in this way:
  Flex Connect with central authentication and local switching to connect 15 sites over the wan network.
  SSID 1: users corporate working with 802.1X to authenticate users with peap mschap v2 and Mac Filtering configuring in the Cisco WLC. My ACS 5.4 is integrate to Active Directory.
  SSID 2: users guest working with portal web from Cisco Wireless Lan Controller over the wireless network, and the account exist in to the WLC Lobby Ambassador.
  I would like to configure in the Cisco ACS 5.4 Downloadable Access List (DACL) to use in my network wired and wireless.
  How can I do it to my scenary?
  Please could you help me?
  Regards
  Ivan.

  Hello. To avoid confusion, let's divide the WLC based upon the operating system.
  There are WLCs who run AirOS. That includes WLC 4400, but also includes WLC 5500.
  There are WLCs who run IOS-XE. That includes the new Catalyst 3850-X and WLC 5700. (also I think can run AirOS too).
  IOS-XE fully support DACL. On the other hand AirOS support DACL partially.
  From ACS point of view, when you configure DACL for IOS you configure not only the name of the access-list, but also the access-list entries. That way the IOS devices don't need to have the ACLs pre-configured. This is great because  you only need to create and update the access-list entries from only one place (which is ACS) and deploy easily to hundreds of switches.
  On the other hand, when ACS configures DACL for AirOS it can only specify the name of the access-list. The AirOS device needs to configure the access-list with a name exactly as configured on the ACS. Sadly, each AirOS device also needs to configure all acess-list entries.
  It seems you want to configure DACL along with other attributes. If you explain me a little more your requirement I can show you what to configure.
  Best regards

• ACS 5.4 multiple network interfaces support

  In ACS 5.4 release note, it says:
  Multiple network interface connector support
  ACS  5.4 supports up to four network interfaces: Ethernet 0, Ethernet 1,  Ethernet 2, and Ethernet 3. ACS management functions use only the  Ethernet 0 interface, but AAA protocols use all configured network  interfaces. You must connect the ACS nodes in the distributed deployment  only to the Ethernet 0 interface. Therefore, the syslog messages are  sent and received at the log collector's Ethernet 0 interface. Data  forwarding from one interface to another interface is prohibited to  prevent potential security issues. The external identity stores are  supported only on the Ethernet 0 interface. In ACS 5.4, multiple network  interface connectors are also supported for proxies.
  But in the CSACS 1121 Series Appliance Rear View section, it still says on Ethernet 0 is usable. All other  interfaces are blocked.
  I am confused. Can anyone clarify for me if we can use multiple network interface in ACS 5.4? What about management interface?
  Thanks!

  We configured 2 interfaces in past within testing enviornment and it worked. ACS 5.4 supports multiple network interfaces on the UCS platform, on a virtual machine and on the legacy ACS 5.x IBM/CAM hardware. The ACS management functions use the interface eth0 only and the AAA protocols use all available network interfaces.
  Jatin Katyal
  - Do rate helpful posts -

• WLC 5508 + AP 3502i + ACS setup help

  Hello,
  I have a Cisco 5508 WLAN controller, three Cisco 3502i Access Points, and one Cisco ACS 5.2. I need to set up a simple wireless authentication system where a user is asked to enter in a username and password in a web portal before being allowed access on the wireless LAN.  The usernames and passwords are available in a CSV file and would need to be inputted into ACS.
  I have read several Cisco guides including the WLC configuration guide but I am still confused.  If someone can please give me some direction on how I could set this up, I would really appreciate it.
  Thanks a bunch.

  Thanks for the article Scott.  I followed the article and I was able to set up the WCS to allow Web users to browse the Internet.  But the Web Auth -> Web login did not work for me.  When I go to the Internet and type in www.google.com I am sent to the Google Website directly rather than being authenticated by the system with a Web Login page.  I followed all the steps outlined in the article, which is setting up WLANs with Layer 3 Web Policy Authentication and creating a user assigned to the WLAN group but nothing worked.  Can you direct me towards the right direction as to what I am missing?
  Thanks!

• 802.1x, 350AP, 3550 Switch, and ACS 3.0

  Yikes!
  Whatta mess I got myself into! Im trying to implement a couple of security features (at the same time) due to higher corporate directives. I am trying to implement Radius, 802.1x port authentication on a Cat 3550 switch, and mac address athuentication for wireless clients. The idea was:
  1. The 3550 has port based authentication on it and should authenticate access points as well as any workstations that will/may connect to it.
  2. The wireless clients will be MAC authenticated via the access point passing requests to the radius server.
  Confused? I am too, help!
  Thanks

  Nilesh, Thanks for the reply.
  But I do have a few further questions if you are willing:
  1. Getting the AP to use 802.1x and talk with the radius server seems to be the big problem. I have not been able to find clear enough instructions on how to set the AP to do 802.1x through the switch. I do realize the LEAP is just cisco's implementation of 802.1x but we are trying to use non-proprietary protocols.
  2. We already have the clients MAC addresses in the AP's but want to get away from this (network mgt issues) by using the ACS server.
  I guess what makes this confusing for me is the chain of events and if they are possible to do. Here are the steps as I see them, please advise if this is not possible to do.
  1. Access point is plugged into 3550 and uses 802.1x authentication with radius through the switch. Once the switchport is authorized, then the wireless clients can try to associate with AP. To do this the MAC address of the client , is sent to ACS for authorization and when authorized allowed to communicate. Then the wireless client retrieves an IP address through DHCP.
  Whew.

• Cisco Secure ACS 3.3(1) - 4.0(1) upgrade problems

  Hi all!
  I'm having problems upgrading my primary ACS from version 3.3 -> 4.0
  I always get the following error message while it's doing the upgrade:
  "The CiscoSecure ACS folder appears to be locked by another application: C:\Program Files\CiscoSecure ACS v3.3
  Please close any applications...blabla.."
  The thing is, I upgraded my backup ACS first and that upgrade worked like a charm.
  In both cases, both for the primary and backup I do a remote takeover with Dameware, copied the ACS 4 folder to the hard drive of the server and do the upgrade from that folder.
  As I said, the backup server upgrade worked without a hitch.
  This is what I've tried:
  1. I've verified that NO application is using the ACS 3.3 folder and no explorer window is open on that folder or subfolders.
  I verified this by using a small program called Filemon.exe from Sysinternals. According to that program nothing was accessing said folder.
  I also verified it again by actually renaming the ACS 3.3 folder after I shut down all the ACS services. I could not rename the folder if the services were started.
  2. I've tried to stop the ACS services first and then do the setup, got the same error.
  3. I disabled the antivirus software, got the same error.
  I'm basically at my wits end now...
  I have two options though:
  1. Un-install ACS 3.3, do a clean install of ACS 4.0 and import the all data from the backup ACS.
  Wouldn't that bring up the primary ACS with the backup ACS config? So I'm guessing I would need to go over it afterwards and do changes where appropriate ?
  2. Do a backup of the ACS 3.3 with csutil -b
  Uninstall ACS 3.3, do a clean install of ACS 4.0 and import all the data with csutil -r
  Would that work? I've seen conflicting information here in this forum, some say it works, other say it doesn't.
  I'm pretty much confused why this worked so well on the backup ACS but fails on the primary ACS.
  Any help would be greatly appreciated!
  Thanks!
  Ivar Thorolfsson

  Hi,
  The folder lock message is often seen if the logs in the ACS directory are too big.
  Move the Logs from the following Directories :-
  CSAdmin\Logs
  CSAuth\Logs
  CSDBSync\Logs
  CSLog\Logs
  CSMon\Logs
  CSRadius\Logs
  CSTacacs\Logs
  Logs
  Then try to upgrade.
  Regards,
  Vivek