Acs & 802.1x & external db (odbc)

Hello
I'm evaluating 802.1x authentication via EAP-TLS with an ACS server (4.0). The authentication has to be done with an external ODBC database (we cannot use the AD/Windows database for this project). The certs on the server and on the client are OK. The SQL Server returns OK. BUT: the authentication fails with "certificate name or binary comparison failed". In the auth.log file there are entries like:
AUTH 01/09/2007 14:40:05 I 1554 3440 pvAuthenticateUser: authenticate 'host/pcqj1c.sitest.net' against ODBCACS
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: FindUser start for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: Authentication OK for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:06 I 0897 3440 AuthenProcessResponse: process response for 'host/pcqj1c.sitest.net'
AUTH 01/09/2007 14:40:06 E 0361 3440 EAP: TLS: No match between name in certificate and user account
The CN in the client's cert is "pcqj1c.sitest.net"
Can anybody help?
regards
Roland
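A small parser for auth.log lines of the shape quoted above, added here as an example (not code from the post or from Cisco). It correlates lines per ACS worker thread and flags attempts where the external database returned "Authentication OK" but the EAP-TLS certificate-name comparison then failed, which is exactly the sequence shown in the post. The field layout (AUTH date time level code thread message), the meaning of the level letters (I = info, E = error) and the constructed "Authentication FAILED" lines for a second thread are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout: AUTH <date> <time> <level> <code> <thread> <message>
LINE_RE = re.compile(
    r"^AUTH (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) (?P<code>\d{4}) (?P<thread>\d+) (?P<msg>.*)$"
)
# The identity appears as "for user [name]" or as "authenticate 'name'" / "for 'name'".
IDENT_RE = re.compile(r"(?:for user \[(?P<b>[^\]]+)\]|(?:authenticate|for) '(?P<q>[^']+)')")

EXTDB_OK = "Authentication OK for user"
TLS_NAME_MISMATCH = "No match between name in certificate and user account"

# Constructed sample: the five lines from the post (thread 3440) plus a second,
# invented attempt on thread 3441 that fails in the external DB instead.
SAMPLE_LOG = """\
AUTH 01/09/2007 14:40:05 I 1554 3440 pvAuthenticateUser: authenticate 'host/pcqj1c.sitest.net' against ODBCACS
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: FindUser start for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: Authentication OK for user [host/pcqj1c.sitest.net]
AUTH 01/09/2007 14:40:06 I 0897 3440 AuthenProcessResponse: process response for 'host/pcqj1c.sitest.net'
AUTH 01/09/2007 14:40:06 E 0361 3440 EAP: TLS: No match between name in certificate and user account
AUTH 01/09/2007 14:40:07 I 1554 3441 pvAuthenticateUser: authenticate 'host/other.sitest.net' against ODBCACS
AUTH 01/09/2007 14:40:07 I 0376 3441 External DB [ODBCAuthDll.dll]: FindUser start for user [host/other.sitest.net]
AUTH 01/09/2007 14:40:07 E 0376 3441 External DB [ODBCAuthDll.dll]: Authentication FAILED for user [host/other.sitest.net]
""".splitlines()


def parse_line(line):
    """Return the fields of one auth.log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["thread"] = int(fields["thread"])
    return fields


def parse_log(lines):
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def identity_of(msg):
    """Return the user identity named in a message, or None (the TLS error line has none)."""
    m = IDENT_RE.search(msg)
    if not m:
        return None
    return m.group("b") or m.group("q")


def find_name_mismatches(lines):
    """Per thread, remember the identity and whether the external DB accepted it,
    then report every EAP-TLS name-mismatch error together with that context."""
    state = defaultdict(lambda: {"ident": None, "extdb_ok": False})
    findings = []
    for e in parse_log(lines):
        st = state[e["thread"]]
        ident = identity_of(e["msg"])
        if ident is not None and ident != st["ident"]:
            st["ident"], st["extdb_ok"] = ident, False  # a new attempt on this thread
        if EXTDB_OK in e["msg"]:
            st["extdb_ok"] = True
        if e["level"] == "E" and TLS_NAME_MISMATCH in e["msg"]:
            findings.append({"when": f"{e['date']} {e['time']}", "thread": e["thread"],
                             "identity": st["ident"], "external_db_ok": st["extdb_ok"]})
    return findings


if __name__ == "__main__":
    for f in find_name_mismatches(SAMPLE_LOG):
        print(f"{f['when']} thread {f['thread']}: {f['identity']} "
              f"(external DB OK: {f['external_db_ok']}) failed certificate-name comparison")
```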

I am in an installation with 802.1x.
I have installed a Cisco ACS and a Cisco 2950 switch and I am authorizing users via MS-CHAPv2 against the Cisco ACS.
ACS is validating users against a Microsoft Active Directory.
I have the following problem: when a user logs in, it takes between 45 and 90 seconds to log the user in and change the VLAN.
I have installed Windows XP Service Pack 2 and patches:
xp-kb817778-x86-esn
xp-kb826942-x86-esn
I have changed the switch software to the latest release.
How can I reduce this delay? Any idea?

Similar Messages

  • 802.1X ACS Self Signed External Windows DB

    Can I configure the ACS server with Self Signed and integrate it into a Windows database?
    The users will be authenticated with 802.1X configured on a WLAN on a WLC4400.

    Thanks Sthephen,
    I have configured this in the ACS:
    1. The ACS server is a member server, for example of LAB.
    2. In External User Database / Windows Database / Configure / In the configure domain list I select the domain called LAB.
    3. System Configuration / ACS Certificate Setup / Generate Self-Signed. I enter all required parameters and the certificate is created.
    4. The certificate is installed in the wireless client and the wireless profile is configured selecting the certificate. In the Windows profile of the wireless connection, I uncheck "Automatically use my Windows logon name and password"; this option is disabled to use the local database of the ACS.
    Is the only configuration necessary for the integration of the ACS server with the Windows domain that the server is a member of the Windows domain, that the domain is selected in the domain list in the ACS, and that the option "Automatically use my Windows logon name and password" is checked?

  • 802.1x, catalyst, ACS & active directory external DB!

    Hi,
    I'm working with 802.1x over a Catalyst switch, ACS 3.1 as RADIUS and external DB user authentication on MS Active Directory with LDAP.
    My questions are:
    1) Are the only EAP versions supported by the Catalyst EAP-MD5 and EAP-TLS (not PEAP and LEAP)?
    2) Is the only supported method to authenticate users from ACS to AD EAP-TLS? Is EAP-MD5 not supported over the LDAP access protocol?
    3) Can I import the users from Active Directory into the internal ACS database? (like an RDBMS...)
    thanks,
    Graz.


  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco AnyConnect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here the ACS server would send the authentication requests to the external RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added the AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).
    Here, how do I make the ASA recognize that it has to send the request to the ACS server? Normally when you use ACS as a RADIUS server you can add an AAA server in the ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make the ASA send the requests to the ACS server?
    Any help on this would be greatly appreciated.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said, nothing needs to be done on the ASA side if we are using an external user database for authentication.
    I'm a newbie to ACS and this is the first time I'm trying to perform a two-factor authentication in Cisco ACS using an external user database.
    By two-factor authentication I mean username + password serves as the first factor (validated by the RADIUS server), and username + security code (validated by the RADIUS server) serves as the second factor. So, during user authentication I enter only the username in the username field and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as the user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two-factor authentication.
    -> In external user databases, I have added an external RADIUS token server.
    -> In unknown user policy, I have added the external database that I configured in ACS to the selected databases list.
    -> Under network configuration, I have added the Cisco ASA as an AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, I launched the ACS webVPN using https://IP:2002; it asked me to enter username and password. So, I entered the username and in the password field I entered "password + security code". But the page throws an error saying "login failed...Try again". I can't find any logs on the external RADIUS server.
    Here is what i found in "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Filtering is not applied.
    Am I missing anything on the configuration side with respect to ACS?
    Thanks

  • ACS 4.1 External DB with Windows 2008 AD

    I have the following scenario:
    - ACS ver 4.1.1.23 on Windows 2003 Standard with SP2, Domain controller server
    - The main AD database is running on Windows 2008
    Does anybody know if I still need to upgrade from 4.1.X.Y to 4.2.X.Y to be able to authenticate users against a Windows 2008 AD database?
    Or do I only need the 4.2 upgrade when the ACS is installed on a Windows 2008 server?
    Thanks in advance.
    Oscar Perez

    If ACS is on a member server you need to upgrade it to 4.2 patch 9 to make ACS work with a 2008 DC.
    2008 DC support is included from 4.2 patch 4 but I recommend going for patch 9.
    Regards,
    ~JG
    Do rate helpful posts

  • Acs admin via external database?(MS AD)

    Is it possible, and if so, where would I go about doing it, to set ACS up so that it pulls from AD for ACS admins? For example, I create an AD group called ACSADMIN, and therefore everyone in that group has ACS admin rights.

    Hi Tuyen,
    The feature you're looking for has been introduced in ACS 5.4. You may go through the below listed link:
    Check Release notes of ACS 5.4 under System Administration Enhancements
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/release/notes/acs_54_rn.html#wp71092
    If you've ACS 5.4 running in your setup and you'd like to configure this feature, please refer the below listed link:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/admin_admin.html#wp1089044
    Summary of steps you need to perform:
    1. Define ACS as an AAA/TACACS+ client in ACS
    2. Login to the ACS CLI through SSH or console session and execute a command
       - aaa authentication tacacs+ server key
    3. Go to System Administration || Administrative Access Control || Identity || Select AD as an Identity source.
    4. Click on Authorization || create a new rule || select the username from AD that you want to login with || select the role that you want to assign to the user. You may first create a user with the super-admin role.
    5. Save the changes, logout and login again with the ad account.
    NOTE: If you're not comfortable with the above changes, you may open a TAC case.
    Hope it helps.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS 3.0 External dbase error

    Once in a while, we have to restore the config from backup. We get the message "An error has occurred while processing the External Database Configuration Page because of an internal error".
    What log file can tell me what happened when the error occurred?
    Johann folkestad

    I think I've corrected the problem. It's the strangest thing. I was interfacing with the admin pages using Firefox and apparently, even though I typed the same secret key, FF was encrypting the key wrong. I viewed the same page in IE and saw bizarre characters in the key field. Retyped it and the error went away.
    I had switched to using generic LDAP because I was seeing this same problem using Windows NT/2000. I switched back to Windows NT/2000 and am no longer seeing the problem there either. However, I am seeing
    Attempting authentication for Unknown User 'testuser'
    External DB [NTAuthenDLL.dll]: Starting authentication for user [testuser]
    ttempting NT/2000 authentication
    External DB [NTAuthenDLL.dll]: NT/2000 authentication SUCCESSFUL (by BDC-NS2)
    External DB [NTAuthenDLL.dll]: Obtaining RAS information for user testuser from BDC-NS2
    External DB [NTAuthenDLL.dll]: RasAdminUserGetInfo returned error 0x78
    External DB [NTAuthenDLL.dll]: Failed to get RAS information for user testuser from BDC-NS2
    Having some problems resolving this... anyone got a suggestion?

  • ACS 5.5 External User with Internal Attribute

    Hi Guys,
    I'm wondering, if I'm using LDAP for external authentication, can I use the internal identity attribute?
    For example:
    I create a user X, his password type is LDAP, but the identity group is "Group 1".
    Can I define the rule
    Identity Group in "Group 1" permit access?
    Or do I need to do group mapping first?
    Thanks,
    Regards,

    It is possible to define an internal user whose password is taken from an external store.
    In the internal user definition set "Password Type" to the LDAP database and then define the rest of the user definition, including identity groups, as desired.

  • 802.11N external antenna configuration

    Newbie question.
    I want to deploy a WAP with an outside antenna to improve my range. After a few hours googling and reading, can I ask some questions.
    It seems that I will need a 1250 WAP, which requires 3 antennas to work correctly.
    Trawling the Cisco antenna options, the only 2 that seem relevant are the AIR-ANT1728, which says it is inside/outside, and the more promising AIR-ANT2506 which is a mast mount option. Unfortunately, they do not offer an outside multiple antenna mounting kit.
    So if I have to fabricate something.... what sort of configuration do I use? I have checked out some of the hobbyist web sites and there are some "spectacular" designs ;-)
    Do I have to have all of the antennas in a row? Or does it not matter?
    Is the spacing between the antennas important? If so, what are the measurements?
    The antennas offered by Cisco have short "pigtails". So if mounting outside, I will have to use a cable extension. How do I waterproof the join? One of the installation guides "helpfully" mentions some coaxial sealant. Just looks like some sort of "silastic" to me.
    Your thoughts?
    TIA
    Peter

    New wall-mounted indoor/outdoor antennas are the following:
    Cisco Aironet 2.4-GHz MIMO 6-dBi Patch Antenna (AIR-ANT2460NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant2460np.pdf
    Cisco Aironet 5-GHz MIMO 6-dBi Patch Antenna (AIR-ANT5160NP-R)
    http://www.cisco.com/en/US/prod/collateral/wireless/ps7183/ps469/data_sheet_ant5160np.pdf
    What we've done is mount the AP and antenna units higher than the cable run. That way moisture won't go UP into the AP or antenna enclosures. You can also get weather enclosures to protect either the AP or antennas (or both separately).
    Please don't forget to rate useful posts.
    NOTE: When you are perusing these links, pay close attention to the horizontal and vertical azimuth. This will tell you what the signal pattern is like.

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, could someone post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments, and other technology sets that can be used for dynamic VLAN assignment EXCEPT the deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your RADIUS server: ACS, FreeRADIUS, Steel-Belted RADIUS etc. Then create a user with the name of the MAC address; in other words if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics of and I am just now testing a FreeRADIUS server so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.
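    The MAC-as-username convention and the VLAN reply attributes described in the answer above, worked through as an added example (not code from the post, from ACS or from FreeRADIUS). It goes a little beyond the answer by normalizing the several MAC spellings a switch or admin may use (Cisco dotted, colon, hyphen) before the lookup, and shows the Access-Accept a RADIUS server would return for a matching MAC. The attribute numbers and enumerations are from RFC 2865/2868; the in-memory store, the plaintext password comparison and the sample MACs are assumptions.

```python
import hmac
import re

# RFC 2868 tunnel attributes (attribute number, enumeration) used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_TYPE_VLAN = 64, 13
TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802 = 65, 6
TUNNEL_PRIVATE_GROUP_ID = 81
# RFC 2865 Service-Type and the Authenticate-Only value the answer recommends for the group.
SERVICE_TYPE, SERVICE_TYPE_AUTHENTICATE_ONLY = 6, 8


def normalize_mac(mac):
    """Accept 0012.0021.1122, 00:12:00:21:11:22, 00-12-00-21-11-22 or bare hex and
    return the 12 lowercase hex digits the answer says ACS expects as the user name."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_mab_store(assignments):
    """assignments maps MAC -> VLAN name. Each record mirrors what the admin creates on
    the server: user name == password == normalized MAC, and the group's VLAN."""
    store = {}
    for mac, vlan in assignments.items():
        name = normalize_mac(mac)
        store[name] = {"password": name, "vlan": vlan}
    return store


def vlan_reply_attributes(vlan_name):
    """Reply attributes for dynamic VLAN assignment: VLAN by name, as in the answer."""
    return {
        SERVICE_TYPE: SERVICE_TYPE_AUTHENTICATE_ONLY,
        TUNNEL_TYPE: TUNNEL_TYPE_VLAN,
        TUNNEL_MEDIUM_TYPE: TUNNEL_MEDIUM_IEEE_802,
        TUNNEL_PRIVATE_GROUP_ID: vlan_name,
    }


def authorize_mab(store, user_name, user_password):
    """Decide Access-Accept / Access-Reject for one MAB request (assumed already
    decrypted to a plaintext password). The user name is normalized so any MAC
    spelling finds the record; the password must match exactly what was stored,
    which is why the answer insists on lower case in both fields."""
    try:
        name = normalize_mac(user_name)
    except ValueError:
        return ("Access-Reject", {})
    rec = store.get(name)
    if rec is None or not hmac.compare_digest(rec["password"], user_password):
        return ("Access-Reject", {})
    return ("Access-Accept", vlan_reply_attributes(rec["vlan"]))


# Constructed sample matching the "Variables" in the question (MAC -> VLAN name).
SAMPLE_STORE = build_mab_store({"aaaa.bbbb.cccc": "Vlan10", "bbbb.cccc.dddd": "Vlan20"})

if __name__ == "__main__":
    for mac, pw in [("aa-aa-bb-bb-cc-cc", "aaaabbbbcccc"), ("aaaa.bbbb.cccc", "AAAA.BBBB.CCCC")]:
        print(mac, "->", authorize_mab(SAMPLE_STORE, mac, pw))
```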

  • Contractor information not generate in external database application.

    Hi all,
    I'm new in IDM, and now doing some Labs.
    When I was doing this Lab [http://codigoctm.files.wordpress.com/2012/09/lab-04-event-handler-development.pdf], I met a problem:
    After a user has been created, no contractor information was generated in the external database application.
    Can anybody tell me how to check this problem and fix it?
    Any suggestions are appreciated.
    Many thanks,
    Arvin

    Did you restart ACS services after adding the new ODBC database?

  • Certificate on acs

    Hello Folks
    WiFi users are authenticated via single sign-on on MS AD using ACS (802.1X).
    The question is: is it mandatory to generate a certificate in the ACS and then export it to the controller in order to let the authentication work?

    Hi Ibrahim,
    How are you?
    First, what 802.1X EAP are you using? What ACS rev are you on?
    I will assume PEAP.
    1) An ACS cert is required. You have 2 options for a certificate.
         a. You can do a self-generated certificate which is created on and by the ACS server. This cert lasts 12 months from the time you create it. Here is further reading on the ACS self cert.
         Personally, I'm not a fan of the self-signed ACS certificate. Because if you validate the cert on the client you will need to push this cert to each client. I will explain that later.
    Self-signed Certificate Setup (only if you do not use an external CA)
    Note: When you test in the lab with self-signed certificates, it results in a longer authentication time the first time a client authenticates with the Microsoft supplicant. All subsequent authentications are fine.
    Complete these steps:
    On the Cisco Secure ACS server, click System Configuration.
    Click ACS Certificate Setup.
    Click Generate Self-signed Certificate.
    Type something into the Certificate subject field preceded by cn=, for example, cn=ACS33.
    Type the full path and name of the certificate that you want to create, for example, c:\acscert\acs33.cer.
    Type the full path and name of the private key file that you want to create, for example, c:\acscert\acs33.pvk.
    Enter and confirm the private key password.
    Choose 1024 from the key length drop-down menu.
    Note: While Cisco Secure ACS can generate key sizes greater than 1024, the use of a key larger than 1024 does not work with PEAP. Authentication might appear to pass in ACS, but the client hangs while authentication is attempted.
    Check Install generated certificate.
    Click Submit.
         b. You can get a CA-signed certificate. If you are using 4.x ACS you can generate what is called a CSR, Certificate Signing Request. You then send the CSR to a CA and they generate a cert for you.
    Here is a link to read up on the CA certificate.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml#t14
    How and where to install the certs and how it works...
    1) The cert is installed on the ACS server and the client IF a) you are validating the cert on the client b) you are using an ACS self-signed cert
    So the ACS server has a cert installed on it. This cert is used to build a secure tunnel between the ACS server and the wireless client so that when the wireless client passes its credentials they cannot be seen, as they are passed in the tunnel created by the certificate (think HTTPS).
    When a wireless client connects, the WLC / WLAN is configured with 802.1X. So the WLC passes all the authentication traffic directly to the ACS. So the WLC DOESN'T NEED TO KNOW ABOUT THE CERT. This chatter is just between the ACS and the wireless client and the WLC acts as the middle man.
    So the wireless client connects. The ACS server sends the cert (the one you added) to the wireless client. The wireless client has 2 configurable options. 1) Validate the certificate 2) Not validate the certificate. If you validate the certificate then that cert needs to be on the client, because the client is going to look at the cert presented by the ACS server and see if it has it in its root store, thus validating it. Or you can not validate it. If you don't validate it, it is a BIG security boo boo.
    Make sense?

  • ACS 5.3 Stripping Radius User Prefix

    Hi,
    I have configured my ACS 5.3 to strip the prefix of the RADIUS username (Domain\weekwang) it receives and I also configured my ACS as the External RADIUS Server. However, this does not seem to work. The authentication protocol that I am using is PEAP MSCHAPv2.
    I have read in this forum that, because the RADIUS username and password are transmitted inside the TLS tunnel of PEAP MSCHAPv2, ACS is not able to do the stripping as it is not allowed to touch anything inside the TLS tunnel. Please advise if I have got the concept correctly.
    Rgds

    Hi Steven,
    this is unfortunately correct. Using yourself as a RADIUS proxy is a great workaround to strip things.
    However, by design if you use an external database (LDAP or proxy RADIUS server), the MSCHAPv2 encryption of the password makes it impossible to authenticate the user since the tunnel is terminated on the first ACS. It will work with PEAP-GTC but all MSCHAPv2 methods will fail.
    Nicolas

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux box, RSA SecurID 6.1 and Cisco ACS 3.2. I use TACACS+ authentication for logging into the Cisco router, such as telnet and SSH. In the ACS I use "external user databases" for authentication, which proxies the request from the ACS over to the RSA SecurID server. I installed RSA Agents with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
    Everything is working fine. In the "User Setup" I can see dynamic users test1, test2, ... testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
    The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into the "test1" user settings and select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
    Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, user test1 has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token.
    The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.

  • ACS/ASA authentication for vpn access vs. console management access

    I have an ACS 4.2 server and an ASA 5540. I have set up AnyConnect SSL VPN on the ASA and want to authenticate users using AAA TACACS+ authentication with the ACS and an external Windows AD database. I have done this successfully. I also want to use the ACS for authenticating SSH management sessions into the ASA. I have set up groups in AD and on the ACS called VPNUSERS and NETADMINS. The problem is, I want the VPN users to ONLY be able to authenticate for VPN but not have access to logging into the ASA CLI or ASDM. The NETADMINS should be able to do both. The question I have is how do I set up the VPNUSERS group in ACS to have access to connect to the ASA for VPN but not for the management console? It seems that if they can authenticate for VPN, they can also SSH to the firewall, which is what I want to prevent.

    Try using Network Access Restrictions (NAR), where you can restrict administrative access per device or on an NDG basis.
    By default, user accounts from an external database such as AD in ACS will get authenticated through telnet on a network device or an AAA client, which can be restricted by enabling NAR in ACS.
    In your case it should be VPNUSERS group in ACS.
    HTH
    Ahmed
