ACS and APC UPS - radius authentication

Similar Messages

• APC (UPS) RADIUS authentication with ACS 5.X

  I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
  According to the APC dictionary file
  VENDOR APC 318
  # Attributes
  ATTRIBUTE APC-Service-Type 1 integer APC
  ATTRIBUTE APC-Outlets 2 string APC
  VALUE APC-Service-Type Admin 1
  VALUE APC-Service-Type Device 2
  VALUE APC-Service-Type ReadOnly 3
  # For devices with outlet users only
  VALUE APC-Service-Type Outlet 4
  I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
  The hit count on the ACS shows that it is getting authentication request from the APC appliance.
  Thanks in advance.

  Hi,
  I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
  ./G

• ACS 4.0.2 Radius Authentication Setup

  Dear Experts,
  I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.
  As per the documentation " EAP Authentication with RADIUS Server",  Doc ID: 44844
  I have configured Network Configuration and populated AAA client IP range and Secret Key.
  Question1:
  Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
  Question 2:
  In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.
  After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
  Kindly help as it is not mentioned in the documentation available with me.
  Regards,
  Karthik

  Hello,
  As per the ASCII and HEXA settings concern you might want to ignore those fields and leave them as they are by default.
  As per the "Bad request from NAS" and "Invalid message authenticator in EAP request" it is 99% of the times a Shared Secret Mismatch.
  Under the ACS Interface Configuration > Advanced Options > Is the Network Device Groups option enabled? If yes, please check the Shared Secret Key at the NDG level where the device was created. Remember the NDG Shared Secret takes precedence over the one configured on the AAA Client entry itself.
  Attaching an Example:
  AAA client with Shared Secret as "Cisco123":
  NDG Entry (which allocates AAA clients) with Shared Secret as "cisco"
  In order to check the NDG Shared Secret go to Network Configuration > Click the appropriate NDG > Scroll to the bottom and click on Edit Properties.:

• Cisco power supply and APC UPS question

  Good afternoon, I am running a 4507 with the Power Supples PWR-C45-2800ACV
  http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/product_data_sheet09186a00801f3dd9.html
  Can I plug this power supply into this UPS unit?
  http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=SMX3000RMLV2UNC&tab=models

  Jason:
  My guess is that 2800w power supply is looking for two legs of AC in to make the DC stable on the switch.   I've installed a lot of 45XXx over the years but I never have more than 100 ports of active POE on them as most buildings have lots of computers and printers and a few VOIP phones and access points.  
  Now, those power supplies are pretty fault tolerent and well built.  They can take (probably) swing voltage from 40-240V and 50-60Hz.    You can wire up the L6-30 into the TWLK cable and only have 20A of 120V on one leg from the output of your UPS.     You just have a single 30A hot, neutral and ground and a dead leg for hot into the power supply.   You use half the power supply.  
  The capacitors on the power supply will just have to absorb that and deal with it.   That's their job.  Short term batteries. 
  One thing you need to realize is that you don't have to have two full-capacity 2800w circuits for the switch.   The 2800 is a reference number and that's based on a lot of inneffiencies in the entire system.  
  You've got at max a 2800w load and either 1 or two power supplies will feed it.    Two power supplies will be slightly less efficient than one but you're not pulling 5600w.   
  If you could, answer the questions above on the number of POE devices you've got and we can work a solution to solve the power to the switch and to your nodes.  
  You've got a lot of expensive, quality gear and the best solution isn't always to double up and re-buy what you've got.  
  I am going to recommend a metered PDU so that you can watch the amperage as when you approach the limit of what your wires can haul, you need to pay attention to the national electric code.
  If you can PM me, do.
  -Luke

• SMB 300 switch - RADIUS authentication

  Did anybody have any luck configuring radius authentication with SMB 300 managed switches? I just deployed one and struggling with radius authentication with AD. Radius server works because there are 10 other Catalyst switches and routers working fine.
  Any pointers on how to setup radius authentication for administrative connection? I need it for http, telnet and ssh management session to the switch.
  Thanks in advance,
  Sam

  yes, PAP always use plain text and that doesn't provide any kind of security.  However, administrative session with radius doesn't support chap/mschap.we can't configure firewall/IOS devices for aministration session like telnet/ssh to authenticate users on mschapv2 authentication method.
  If you need secure communication then you may implement TACACS.
  TACACS+ and RADIUS use a shared secret key to provide encryption for communication between the client and the server. RADIUS encrypts the user's password when the client made a request to the server. This encryption prevents someone from sniffing the user's password using a packet analyzer. However other information such as username and services that is being performed can be analyzed. TACACS+ encrypts not just only the entire payload when communicating, but it also encrypts the user's password between the client and the server. This makes it more difficult to decipher information about the communication between the client and the server. TACACS+ uses MD5 hash function in its encryption and decryption algorithm.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ACS 5.3 Radius authentication with ASA and DACL

  Hi,
  I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
  Clients are connecting to an ASA 5510 with image asa843-K8.bin
  I followed the configuration example on the Cisco site, but I am having some problems
  First : AD identity is not triggered, I put a profile  :
  Status
  Name
  Conditions
  Results
  Hit Count
  NDG:Location
  Time And   Date
  AD1:memberOf
  Authorization   Profiles
  1
  TestVPNDACL
  -ANY-
  -ANY-
  equals Network Admin
  TEST DACL
  0
  But if I am getting no hits on it, Default Access is being used (Permit Access)
  So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
  I can see the DACL/ASA being authenticated in the ACS log but no success
  I am using my user which is member of the Network Admin Group.
  Am I missing something?
  Any help greatly appreciated!
  Wim

  Hello Stephen,
  As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
  ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
  As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
  In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
  In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
  I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
  Here is a snapshot of the section:

• Cisco ACS 4.2 and Radius authentication?

  Hi,
  I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

  To access network devices for administrative purpose, we have only three methods available :
  [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
  [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
  and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
  [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
  Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
  And the most secure way to administer a  device is to use SSH.
  Rgds, Jatin
  Do rate helpful post~

• ACS Express radius authentication AD authorization

  I work at a University and for some reason we have multiple systems for authentication and authorization.  That being said I am trying to use radius to do authentication and AD for authorization for VPNs.  I have the radius authentication working against our radius server.  I have my ACS express setup to join the AD domain and everything looks good there.  I setup the AD server as a radius object in AAA server groups on my ASA.  Then I add the server below in the servers in selected groups window.  I put all the info in there and when I hit test I click authorization and put in the username that I know is in the domain group I have associated with this on the ACS.  The test fails and with authorization failed with invalid password.  When I look at the logs on the ACS I see
  01/06/2011 20:14:26 acsxp/server Warning Server 0 AD Agent Plain Text Authentication Failed for user: username@domain
  01/06/2011 20:14:26 acsxp/server Warning Server 0 Authentication for user username failed for reason = 0
  01/06/2011 20:14:26 acsxp/server Error Protocol 0 Request from 172.20.5.2: User username rejected . by RemoteServer: AD (InvalidPassword). 
  Username and domain are correct I just edited them for posting.  It seems like it is trying to authenticate rather than authorize.  All I want it to do is say yes the user is in this group or no the user is not in this group?  You can't even fill in the password when testing authorization?  Maybe I have something setup wrong on the ACS side but when I look at AD under users and identity stores, it says it is joined to the domain.  When I do AD domain diagnostics under troubleshooting everything looks good.  I have the ASA I am testing from defined as a device and in the ASA device group.  Under access services in Radius access services I have one service that I setup that connects to the AD and it found the group so I know it is connecting.  Any idea what I am doing wrong or where to look?
  Any help would be GREATLY appreciated!
  Thanks
  Joe

  Hi Joe,
  We could take a deeper look at what is happening through some logs and debugs:
  1. On ACS Express, under
  Reports & Troubleshooting > Troubleshooting > Server Logs
  please set the Express Server Trace Level to 5 and the Web Server Trace Level to 4.
  Also, for the Log Level under OS Logging, please set its value to "Debug".
  If previous old logs are not essential to you, you may also wanna delete all the log files first, so that we capture logs for the last day only.
  2. On the ASA, please enable the following debugs
  debug aaa authentication
  debug aaa authorization
  debug radius
  3. Then please first recreate a successful authentication attempt, and then recreate the authorization test issue with the same user account for which you tested the successful authentication.
  4. After the issue is recreated, please attach the debugs from the ASA and following files from the ACS Server Logs:
  acsxp_adagent.log
  acsxp_agent_server.log
  acsxp_mcd.log
  acsxp_server.log
  acsxp_server_trace.log
  Regards,
  Fede
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Radius Authentication in ACS 5.2 with AD

  Friend,
  I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
  This is the confg in the port of the switch:
  interface FastEthernet0/12
  switchport mode access
  switchport access vlan 2
  switchport voice vlan 10
  authentication port-control auto
  authentication host-mode multi-domain
  authentication violation protect
  authentication event fail action authorize vlan 11
  authentication event fail retry 2 action authorize vlan 11
  authentication event no-response action authorize vlan 11
  authentication periodic
  authentication timer reauthenticate 60
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  dot1x max-reauth-req 3
  spanning-tree portfast
  end
  Vlan 2: DATA
  Vlan 10: VOICE
  Vlan 11: GUEST
  thank...
  Marco

  Hi Marco,
  When you type in the wrong password do you see the login fail on the device you entered it? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permited eventhough the authentication failed.
  It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you beleive should have failed to see what ACS is doing with the request.
  Steve.

• 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

  I wondered if anyone can help or shed any light on the following problem.
  I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
  The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
  The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
  Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
  I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
  One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

  Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
  1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
  2. My config is as below:
  aaa new-model
  aaa authentication dot1x default group radius
  aaa authenication login default group radius
  dot1x system-auth-control
  interface f0/1
  switchport mode access
  dot1x port-control auto
  end
  I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
  3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
  I even tried using local authenication with 802.1x, this did not work
  4. If I have a certificate, will this automatically give me access to the 802.1x port?
  5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
  Am I missing anything?
  Any advise will be greatly appreciated
  Chris

• User authentication in Cisco ACS by adding external RADIUS database

  Hi,
  I would like to configure the below setup:
  End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
  Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
  ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
  Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
  Any help on this would be really grateful to me.
  Thanks and Regards,
  Rahul.

  Thanks Ajay,
  As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
  Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
  By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
  -> In external user databases, i have added a external RADIUS token server.
  -> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
  -> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
  Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
  Here is what i found in "Failed attempts" logs under Reports and activities.
  Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
  02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  Filtering is not applied.
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  02/28/2012
  00:42:18
  Unknown NAS
  (Unknown)
  10.204.124.71
  02/28/2012
  00:41:33
  Unknown NAS
  (Unknown)
  10.204.124.71
  02/28/2012
  00:31:52
  Unknown NAS
  Am i missing any thing in configuration side with respect to ACS?
  Thanks

• VPN 3000 and Radius authentication/authorization

  hello.
  I have to configure RADIUS authentication
  with a VPN 3000 concentrator.
  I'm completely new with this product
  (the concentrator).
  It seems that, if I want to perform authentication
  of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
  am I rigth with this supposition?
  I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
  thank you.
  Davide

  No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

• BBSM and RADIUS Authenticated Session Limits

  I have setup a BBSM System with RADIUS authentication, the authentication traffic is passed to a seperate RSA Box to authenticate user using fobs and everything works fine.
  My question is how do I limited the time a user can have a onnection to the BBSM without having to re-authentication

  If you are using the 'Access Code' pageset, when the 'Stop Date and Time' of the Access
  Code is reached, all currently connected users who have used that Access Code, are
  disconnected.
  When you define an Access Code, you define a 'Start Date and Time' and a 'Stop Date and
  Time' for the Access Code. All users who have Connected by using that Access Code will be disconnected when that Date/Time is reached.
  Please refer to
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_ch
  apter09186a0080192294.html#1038530
  for more information on Access Codes.
  HTH,
  -Joe

• Cisco ISE IPEP and Non Radius Authenticator

  Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
  Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
  I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
  Anyone have any exmaples or traffic flows if this is possible?
  Thanks,
  Michael Wynston

  Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
  Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
  Guess not
  Sent from Cisco Technical Support iPhone App

• APC UPS, Mountain Lion, and system restart problem

  I have a Mac Pro (3,1) and it's been running Lion (10.7.x) for a long time. It's connected to an APC UPS XS 1500 via a USB cable for years. I've never had any problems with it.
  Two weeks ago I updated to Mountain Lion (10.8.2). Since then I've returned to my machine to find that it had rebooted itself. After logging in, the system tells me that there was a problem and asks if I want to send the error report to Apple.
  Yesterday, I tried unplugging the Mac Pro from the UPS, plugging it directly into a wall outlet, and disconnecting the USB-UPS cable. So far, I've had no problem with system restarts.
  Has anyone had a similar problem? If so, did you solve it? How?
  Thank you.

  Hi, macjack. Thanks for your response.
  So far, with the MP plugged directly into a wall outlet I've had no system initiated reboots or shut-downs.
  I looked in the console log and there's so much stuff in there, I'm simply lost. Are there one or two keywords I should search for that might help in debugging the problem?
  Again, thanks.