ACS Authentication

I have users who are connected to a Cisco Wireless controller. They are connected to wireless but get disconnected. I also have ACS, through which authentication happens, and it is integrated with Active Directory.
1) There is one user who uses a DELL LATITUDE 6320 and gets disconnected after 45 min. I checked his logs in ACS:
Problem: Error "Authentication failed : 12308 Client sent Result TLV indicating failure"
The "Authentication failed : 12308 Client sent Result TLV indicating failure" error occurs on the ACS when you try to authenticate for the first time. Authentication works fine the second time.
Solution
This error can be resolved when you disable Fast Reconnect. An upgrade to patch 2 of ACS version 5.2 helps to resolve the issue without Fast Reconnect being disabled.
I disabled Fast Reconnect but he still gets disconnected, and it is also happening with other users with the same Dell model.
Any help will be appreciated. Thanks in advance.

As the problem is restricted to one device or one type of device, I suggest that you upgrade the wireless card's driver to the latest version and check.
Amjad

Similar Messages

  • Can Cisco Device Manager Support ACS Authentication?

    Background:
    My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
    Problem:
    My supervisor would like the Cisco Device Manager to be available to the people that don't have the in-depth CLI experience. However, in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

    Hi,
    Actually, there is a difference in where the method list for HTTP authentication is picked from:
    With the HTTP v1 server, the same method list is picked that is used by the VTY lines.
    With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
    After the fix for the above-mentioned bug, there is a different set of commands that we can use.
    I would suggest you give this a try:
    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated
    ip http authentication aaa
    line con 0
     login authentication CONSOLEandHTTP
     authorization exec CONSOLEandHTTP
    For details please refer to:
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    Regards,
    Prem

  • ACS authentication against AD

    I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed meaning ACS is in and operational and I have it joined to my domain. I am now to the point of selecting my AD groups and Attributes within those groups. I know very little about AD so that may be part of my confusion.
    First off, I gather that I need to specify a specific group to get the actual user name / password authentication process to work? I loaded the Windows Active Directory editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also think that if my domain is 123.abc.corp then I need to use DC=123,DC=abc,DC=corp and then pick the correct CN that I need?
    I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication, so I figure we need, say, a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group, or are there any specific or recommended fields I need to have with this group?
    Secondly, we also want to use ACS for 802.1x authentication on our Cisco switches but need VLAN information tied to the user. My question here is: is this something that we can add as a field to the user information, or is it better to add it as a field in another group?
    I am looking for configuration examples but wanted to also make sure that I am following best practices so any assistance is appreciated.
    brent

    If you have a single domain then you don't need to specify the domain name; just click on the 'Select' button under Directory Groups to fetch/retrieve the AD groups and then add them.
    Use this page to select groups that can then be available for policy condition,
    Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
    For more information, you may visit the below listed URL
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999
    Once you are done, go to the access policy >> in the bottom right corner you will see a "Customize" tab; click on it and move the attribute AD1:ExternalGroups to the right-hand side >> click OK >> create a new authorization policy and select the group you fetched in the Directory Groups under the AD configuration.
    In order to do dynamic vlan assignment on ACS 5.1 you do the following:
    Policy Elements >> Authorization and Permissions >> Network Access >> Authorization Profiles >> Create >> give it a name, for example "switch" >> Common Tasks >> click on VLAN ID/Name >> select Static >> give the VLAN number >> click Submit >> go to Access Policies >> under Default Network Access click on Authorization >> Create >> give the rule a name like "vlan assignment for SWITCH" >> click on AD1:ExternalGroups >> Contains any >> Select >> choose the appropriate AD group >> click OK >> click Select for Authorization Profiles >> choose the profile that was previously created, called "switch" >> click OK >> now the VLAN of "switch" is assigned to the AD group >> click OK.
    HTH
    Regds,  Jatin
    Do rate helpful posts~

  • 802.1x - ACS authentication issue.....

    I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
    In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
    Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate first and therefore execute the login script.
    Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates, before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user, and the IP address ends up in the wrong VLAN.
    Please help.  I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

    Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is, then.
    The topology that I know of is this: a single 4.1 ACS appliance and a single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue, but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN they should be in based upon AD group membership from ACS.
    I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the Windows supplicant. I'd like to do the same with Cisco.
    As far as I can tell, there is only a server-side (ACS) certificate from Thawte that is used to authenticate.

  • ACS Authentication Errors

    Friday I upgraded my CiscoSecure ACS from version 3.3 to 4.1. The upgrade seemed to go fine. Today I come in to find out that no one is getting authenticated. I have APs in WLSE configured with WDS that are not authenticating. I also have APs not in WLSE that are not authenticating. All these worked before the upgrade.
    Any ideas??
    Thanks,
    Becky

    Yes. I was getting "RADIUS server not responding". BUT, I just got it fixed!!! During the upgrade ACS wiped out the IP address of the AAA server. Once I re-entered it, things started coming back up.
    Thanks to everyone who thought about this!!
    Becky

  • ACS Authentication in another (trusted) domain by ACS Agent

    Hi
    I have got two domains. Domain A is top level domain. Domain B is Child domain from Domain A.
    The ACS Agents are installed on two DC's in Domain A.
    Authentication of clients in Domain A is ok.
    Authentication of clients in Domain B is a problem.
    I created a Universal Group in Domain A. In this Universal Group, I put a Global User Group from Domain B. Authentication not ok.
    The ACS "Failed Authentication Log" says: "External DB account Restriction".
    What is the problem here?
    Regards,
    Remco

    Windows Group Mapping Limitations
    ACS has the following limits on group mapping for users who are authenticated by a Windows user database:
    •ACS can only support group mapping for users who belong to 500 or fewer Windows groups.
    •ACS can only perform group mapping by using the local and global groups to which a user belongs in the domain that authenticated the user. You cannot use group membership in domains that the authenticating domain trusts for ACS group mapping. This restriction is not removed by adding a remote group to a group that is local to the domain providing the authentication.
    What does the second bullet actually mean ?
    Is it not allowed to make a domain local group in Domain A (in which the Remote Agents are) that contains users (not groups) from Domain B ?
    Do you have to connect to Domain B in ACS (seen due to Trust relationship) and create a group mapping directly in Domain B ?

  • ACS Authentication against Lotus Notes

    Hi Team, is it possible to authenticate Users via ACS against Lotus Notes, similar to MS AD? Regards, Michael

    I don't think it is possible to use ACS with Lotus Notes for user authentication. These are the external databases supported with ACS:
    a) Windows User Database
    b) Generic Lightweight Directory Access Protocol (LDAP)
    c) Novell NetWare Directory Services (NDS) when used with Generic LDAP
    d) LEAP Proxy Remote Authentication Dial-In User Service (RADIUS) servers
    e) Token servers
    f) Open Database Connectivity (ODBC)-compliant relational databases (ACS for Windows)

  • Peap ACS authentication - 1242AG - AP authentication Tab

    Hello,
    We are trying to get a 1242AG access point to have the users connected to it authenticate to the ACS server. The 1242AG has a new menu, AP authentication. Has anyone dealt with this menu and gotten this set up to work? The version is 12.4(10b)JA. It looks like the AP isn't talking to the ACS. Thanks

    Look over this doc... it has the basics to get it working:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
    This is for LWAPP, but has information on configuring ACS also:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t23

  • ACS authenticating Windows DB

    Hi everybody,
    I've a server running ACS for windows 3.3 used for 802.1x authentication. I only have 1 local ACS account (test) and I use an external DB to authenticate other users.
    I asked Windows Domain administrator to create 3 groups:
    - VLAN1 with 2 users
    - VLAN2 with 2 users
    - VLAN3 with 2 users
    I configured the "unknown user policy" to check the Windows DB if the user is not local, and I configured the domain and mapped the ACS groups in the following way:
    - ACS group VLAN1 is mapped to Windows leaf VLAN1 of domain ESMLAB
    - ACS group VLAN2 is mapped to Windows leaf VLAN2 of domain ESMLAB
    - ACS group VLAN3 is mapped to Windows leaf VLAN3 of domain ESMLAB
    /Default DB is mapped to <no-access>.
    The strange thing is that ACS first choice is to use /Default so user don't access the network! I tried to map /Default to VLAN1 and users access the network and was associated to correct VLAN. In this way I check that the ACS correctly connect to DB to authenticate the user.
    Which could be the cause that ACS first seems to use /default instead of the correct mapping? What I forget? Is the windows DB configured correctly?
    Thanks
    Regards
    Roberto

    Mappings are checked from a top-down perspective, so if you have the \DEFAULT domain appearing below the ESMLAB domain then this should be OK. What's probably happening is that ACS is unable to get any of the users windows group mapping properties and therefore doesn't know that they're in the VLANx Windows group. Because of this ACS always maps them through to the catch-all \DEFAULT group and they get no access accordingly.
    As for why ACS can't get the users group mappings from Windows is usually a permissions problem, specifically in what user the CS services are running under on the ACS device, most often even a domain administrator doesn't have the right permissions. You don't mention if ACS is running on a DC or just on a member server. Running it on a DC usually resolves most permissions problems, particularly on an AD.
    You can try the following to set the permissions correctly:
    Instructions for changing privileges:
    1) on the AD, go to Administrative Tools -> Domain Security Policy ->
    Security Settings -> Local
    Policies -> User Rights Assignment and
    a) double click on "Act as part of the operating system"
    b) check the "Define these policy settings" checkbox
    c) Click add and enter : "domain\administrator"
    d) Click Ok
    e) double click on "Log on as a service"
    f) check the "Define these policy settings" checkbox
    g) Click add and enter : "domain\administrator"
    h) Click Ok.
    (Note: do the same for "Log on Locally")
    2) Right click on "Security Settings" header and choose "Reload"
    3) log into the ACS Machine with user = domain\administrator (please note that
    the user must be
    administrator and not another Domain Admin user).
    4) Change the ACS Services to run under domain\administrator and restart them
    all.
    If that doesn't work, enable Full Logging under the System Config - Service Control page, and restart the ACS services. Then try an authentication request, and check the latest auth.log file under Program Files\CiscoSecure ACS v3.3\CSAuth\Logs; there'll probably be some errors about not getting RAS permissions. You may need to send this to the TAC for further analysis.
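
    The top-down mapping fall-through that the answer above describes, shown as an added example written for this page (it is not CiscoSecure ACS's own logic and not either poster's code). It models the ESMLAB mappings and the \DEFAULT catch-all from the question; the data structures, the `resolve_acs_group` helper and the sample group lists are assumptions, and an empty group set stands in for the case where ACS cannot read the user's Windows groups:

```python
"""Added example: top-down evaluation of ACS Windows group mappings.

Illustrative code written for this page; not CiscoSecure ACS's own logic.
The mapping table, the \\DEFAULT catch-all and the sample users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

NO_ACCESS = "<no-access>"
DEFAULT_DOMAIN = "\\DEFAULT"


@dataclass(frozen=True)
class GroupMapping:
    domain: str                   # Windows domain, or "\\DEFAULT" for the catch-all
    windows_group: Optional[str]  # None for the catch-all entry
    acs_group: str                # ACS group the user is placed in


# Same order as in the question: ESMLAB mappings first, \DEFAULT last.
MAPPINGS: List[GroupMapping] = [
    GroupMapping("ESMLAB", "VLAN1", "VLAN1"),
    GroupMapping("ESMLAB", "VLAN2", "VLAN2"),
    GroupMapping("ESMLAB", "VLAN3", "VLAN3"),
    GroupMapping(DEFAULT_DOMAIN, None, NO_ACCESS),
]

# Constructed directory. An empty set models ACS having no permission to
# enumerate a user's groups: the password was accepted, but ACS learns nothing
# about membership, so no ESMLAB mapping can match.
DIRECTORY: Dict[str, Set[str]] = {
    "ESMLAB\\user1": {"Domain Users", "VLAN1"},
    "ESMLAB\\user4": {"Domain Users", "VLAN2"},
    "ESMLAB\\user7": set(),
}


def enumerate_groups(account: str, directory: Dict[str, Set[str]] = DIRECTORY) -> Set[str]:
    """Stand-in for the Windows group lookup ACS performs after the password check."""
    return set(directory.get(account, set()))


def resolve_acs_group(domain: str, groups: Set[str],
                      mappings: List[GroupMapping] = MAPPINGS) -> str:
    """Walk the mapping table top-down; the first matching entry wins.

    A \\DEFAULT entry matches every user that reaches it, so whatever sits
    below it in the table is never consulted.
    """
    for mapping in mappings:
        if mapping.domain == DEFAULT_DOMAIN:
            return mapping.acs_group
        if mapping.domain.upper() == domain.upper() and mapping.windows_group in groups:
            return mapping.acs_group
    return NO_ACCESS  # no \DEFAULT entry present: treat as unmapped


def authorize(account: str, mappings: List[GroupMapping] = MAPPINGS) -> str:
    """Full path for one user: enumerate groups, then map them to an ACS group."""
    domain, _, _user = account.partition("\\")
    return resolve_acs_group(domain, enumerate_groups(account), mappings)


if __name__ == "__main__":
    for acct in DIRECTORY:
        print(f"{acct:16} -> {authorize(acct)}")
    # Moving \DEFAULT to the top of the table swallows every user:
    reordered = [MAPPINGS[-1]] + MAPPINGS[:-1]
    print("VLAN1 user with \\DEFAULT on top ->", authorize("ESMLAB\\user1", reordered))
```

    Running it shows user1 and user4 landing in VLAN1 and VLAN2, user7 (no readable groups) landing on no-access exactly as Roberto observed, and every user landing on no-access once \DEFAULT is ordered above ESMLAB. The practical check is therefore twofold: confirm the domain order in the mapping page, and confirm from the CSAuth log that group enumeration actually returns groups for the account the services run under.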

  • ACS Authentication Limit

    Hi all, we currently are running 400 laptops that all utilize the same username to authenticate to our wireless network, and we randomly see authentication issues. We are running version 11.1 of the Intel client and we have a mix of LWAPP and Autonomous AP deployments. We have mostly 1242 APs. Is there any kind of limit imposed by ACS, or anything else that would be causing the random authentication failures we are seeing? We have to reboot the laptop for the authentication to work again once this happens. Our laptops are auto-login, as is the wireless authentication. Is this a best practice, or should we be auto-logging the wireless in with a separate account for each laptop? Thanks for any opinions.

    If you are not using CCKM on the client, then you are not fast roaming. This is regardless of autonomous with a WDS server or centralized (LWAPP). Without CCKM, the AP or controller is not participating in the auth and cannot cache the credentials.
    This is a common misconception.
    Microsoft zero config has *no* support for fast roaming, so you will need to use the Intel ProSet client and confirm that 'Cisco CCX Extensions' and CCKM is enabled.
    I don't believe any client but Cisco's ADU supports fast roaming with LEAP. In most cases you will need to run WPA2/PEAP-MSCHAPv2 and CCKM (NOT 802.1x) with the Intel client.
    Note that if you enable WPA1+WPA2 and/or 802.1x+CCKM on the LWAPP controller then you will most likely *not* negotiate CCKM with the client. For the SSID that you want fast roaming, enable WPA2 only and use CCKM (only).
    I am assuming that you are running OS version 4.0.206 or higher on the controller and at least an Intel 2200BG with ProSet 10.0 or higher.

  • ACS Authentication Logic Tree Diagraming

    I can't believe that this hasn't come up before, but I've searched for hours and literally found nothing.
    Like most orgs we have an elaborate ACS access policy, with many identity sources and tens of thousands of users. The RADIUS and TACACS authentication "steps" are great, but they're for a specific user. What I was sure existed was a feature in ACS, or at least a third-party product, that simply and dynamically creates a RADIUS and TACACS authentication/authorization logic or decision tree diagram... does nothing like this exist? Am I really the first person that's ever desired something like this, in the history of the world????

    Hi David, you are not the only one :) Unfortunately, ACS does not have that functionality. ISE 1.3 started to include some authentication flows, but they are all around the flows that go through the HTTPS portals.
    That is the reason I had to manually create a Visio document for all of my customers that I have deployed ISE/ACS for :)
    Thank you for rating helpful posts!

  • Upgrade to IOS and ACS authentication not working

    Hi. I have just upgraded my 1200AP to IOS Version 12.2(11)JA1. I am using LEAP with MAC address auth in the ACS (version 3.0). I cannot get onto LAN though. Error on ACS failed auth report says 'User Access Filtered' even though the MAC of the card is in there. I can still authenticate with AP's that are still at old version though. A debug on IOS AP shows that the ACS is replying with a FAIL auth after LEAP negotiation and the ACS interestingly gives the failed MAC address as AAAA.BBBB.CCCC (note dots between) making me think that the AP is sending it in that format instead of AAAABBBBCCCC. I cannot add the MAC to the ACS in the dotted format as it is a 12 character string. Is this a format issue with the RADIUS passthru? Has anyone any idea why this is happening? Thanks for any help in advance.

    Just thought I would let you know that I have got the cause of this. This happens if MAC authentication is enabled in the ACS. Once I turned that off it worked again. I think it is due to a format error in the data sent from ap to acs.
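
    The format mismatch the poster suspects, shown as an added example written for this page (it is not the poster's code and not CiscoSecure ACS's matching logic). The allow list, the presented MAC strings and the helper names are assumptions; the point is that a literal string comparison of `AAAA.BBBB.CCCC` against a 12-character entry fails, while canonicalising both sides before comparing does not:

```python
"""Added example: why a MAC address entered as 12 hex characters can fail to
match the dotted form a Cisco IOS AP presents in the RADIUS request.

Illustrative code for this page, not CiscoSecure ACS's own matching logic.
The allow list and the request samples below are constructed.
"""
import re
from typing import Iterable

_SEPARATORS = re.compile(r"[.:\-\s]")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value: str) -> str:
    """Canonicalise a MAC to 12 lowercase hex digits.

    Accepts Cisco dotted (aaaa.bbbb.cccc), colon, hyphen and bare forms.
    Raises ValueError for anything that is not a MAC, so malformed input
    never silently becomes an "allowed" entry.
    """
    digits = _SEPARATORS.sub("", value).lower()
    if not _TWELVE_HEX.fullmatch(digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


def literal_match(presented: str, allow_list: Iterable[str]) -> bool:
    """The naive check: compare the request's User-Name string as-is.

    This is the behaviour that fails when one side is dotted and the
    other is the bare 12-character form.
    """
    return presented in set(allow_list)


def canonical_match(presented: str, allow_list: Iterable[str]) -> bool:
    """Compare after canonicalising both the request and every allow-list entry."""
    allowed = set()
    for entry in allow_list:
        try:
            allowed.add(normalize_mac(entry))
        except ValueError:
            continue  # skip a bad entry rather than rejecting the whole list
    try:
        return normalize_mac(presented) in allowed
    except ValueError:
        return False  # garbage in the request is a deny, not a crash


# Constructed allow list, in the 12-character form the poster entered in ACS.
ALLOW_LIST = ["aaaabbbbcccc", "001122334455"]

if __name__ == "__main__":
    for presented in ["aaaa.bbbb.cccc", "AAAABBBBCCCC",
                      "00:11:22:33:44:55", "dead.beef.0000"]:
        print(f"{presented:20} literal={literal_match(presented, ALLOW_LIST)!s:5} "
              f"canonical={canonical_match(presented, ALLOW_LIST)}")
```

    The dotted request string never equals the bare entry under `literal_match`, which is the "User Access Filtered" outcome the poster saw; `canonical_match` accepts the same request and still rejects an address that is not on the list. Whatever the AAA server does internally, the defensive habit is the same: canonicalise MAC-based identifiers at the boundary before using them as keys, and treat anything that does not parse as a deny.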

  • ASA- ACS authentication

    I have an ASA, an ACS appliance, Active Directory, and RSA securID. SSL users should only authenticate with AD, while IPSec users should only authenticate with RSA. Not yet using anyconnect.
    here is my scenario:
    ACS -- AD - Dynamic users are created in ACS when authenticated with their AD domain login/password
    ACS -- AD - AD Group mapping to put user in the correct ACS group
    ASA SSL - matches username in ACS group to display customized SSL bookmarks
    all looks good
    ACS -- RSA - static users in ACS assigned to RSA group in ACS configured for authentication with external RSA DB
    ASA IPSec - Authenticates with ACS
    Question: How does the ASA or ACS know to authenticate IPSec users ONLY via RSA and SSL users only via AD?
    What do I have to do to not allow a Windows user to simply enter their AD login/password into their IPSec client and log in? I could see this becoming common with users who don't have their keyfob handy or forget to use it.
    Thanks!

    You need to look at NAP feature in acs,
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html#wp1128143
    A NAP, also known as a profile, is essentially a classification of network-access requests for applying a common policy. You can use NAPs to aggregate all policies that should be activated for a certain location in the network. Alternatively, you can aggregate all policies that handle the same device type, for example, VPNs or Access Points (APs).
    Regards,
    ~JG
    Do rate helpful posts
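
    How a per-request classification of the kind JG points to can keep the two populations apart, shown as an added example written for this page (it is not ACS's own NAP implementation and not either poster's code). The profile match on the ASA's tunnel-group name, the attribute name used for it, the sample credentials and the two stand-in identity stores are all assumptions:

```python
"""Added example: routing an access request to exactly one identity store based
on how the request was classified, the idea behind ACS 4.x Network Access Profiles.

Illustrative code for this page, not Cisco's implementation. The attribute the
ASA is assumed to send ("Tunnel-Group-Name"), the profile rules, and the sample
AD password and RSA passcode are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# --- Stand-in external databases (constructed, not real credentials) --------
AD_PASSWORDS: Dict[str, str] = {"alice": "Winter2024!"}
RSA_PASSCODES: Dict[str, str] = {"alice": "1234" + "558012"}  # PIN + tokencode


def ad_authenticate(user: str, secret: str) -> bool:
    """Models ACS forwarding a password to Active Directory."""
    return AD_PASSWORDS.get(user) == secret


def rsa_authenticate(user: str, secret: str) -> bool:
    """Models ACS forwarding a passcode to the RSA external DB."""
    return RSA_PASSCODES.get(user) == secret


# --- Profile definitions ----------------------------------------------------
Attrs = Dict[str, str]


@dataclass(frozen=True)
class NetworkAccessProfile:
    name: str
    matches: Callable[[Attrs], bool]           # classification rule
    authenticate: Callable[[str, str], bool]   # the ONLY store this profile consults


PROFILES: List[NetworkAccessProfile] = [
    NetworkAccessProfile(
        "ASA-SSL",
        lambda a: a.get("Tunnel-Group-Name") == "SSL-USERS",
        ad_authenticate,
    ),
    NetworkAccessProfile(
        "ASA-IPSEC",
        lambda a: a.get("Tunnel-Group-Name") == "IPSEC-USERS",
        rsa_authenticate,
    ),
]


def select_profile(attrs: Attrs,
                   profiles: List[NetworkAccessProfile] = PROFILES) -> Optional[NetworkAccessProfile]:
    """First profile whose rule matches wins; None means 'unclassified'."""
    for profile in profiles:
        if profile.matches(attrs):
            return profile
    return None


def handle_access_request(attrs: Attrs, user: str, secret: str,
                          profiles: List[NetworkAccessProfile] = PROFILES) -> Tuple[str, str]:
    """Return (decision, reason).

    Unclassified requests are rejected outright, and a classified request is
    checked against its profile's store only, so an AD password offered on
    the IPsec profile is never tried against AD.
    """
    profile = select_profile(attrs, profiles)
    if profile is None:
        return "reject", "no matching profile"
    if profile.authenticate(user, secret):
        return "accept", profile.name
    return "reject", f"{profile.name}: credential not valid for this store"


if __name__ == "__main__":
    ssl = {"Tunnel-Group-Name": "SSL-USERS"}
    ipsec = {"Tunnel-Group-Name": "IPSEC-USERS"}
    print(handle_access_request(ssl, "alice", "Winter2024!"))    # AD password on SSL: accept
    print(handle_access_request(ipsec, "alice", "Winter2024!"))  # AD password on IPsec: reject
    print(handle_access_request(ipsec, "alice", "1234558012"))   # passcode on IPsec: accept
    print(handle_access_request({"Tunnel-Group-Name": "LAB"}, "alice", "Winter2024!"))
```

    The second call is the case the question worries about: the same user and the same valid AD password are rejected because the IPsec profile never consults AD. Whatever attribute the profile actually keys on in a real deployment, the check to make is that the unclassified path is a deny and that no profile lists both stores.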

  • ACS Authentications via RSA or local database

    Hi Expert,
    Currently, I have a group of devices that authenticate through RSA. Now we are implementing a Nagios monitoring system that requires backing up device configuration through the ACS local database. Is it possible to create a login credential using the local database while maintaining two-factor authentication?
    Cheers,
    Jeffrey

    Hi,
    We had the same scenario as well, which required a login credential using the ACS local database only, as our NMS does not support two-factor login. Currently we are using ACS 5.2. I would appreciate it if you could provide us some ideas on this. Thanks!

  • ACS Authentication, multiple domains

    Hi all,
    I have the following problem:
    I have a Win 2003 domain (A) and a trust established with another Win 2003 domain (B). Domain A is the one with the CiscoSecure software.
    We have many trusts with other domains (mostly Win 2000) and have configured the mappings by using CiscoSecure.
    But when trying to "add mappings" for this new 2003 domain (B), I continually am getting "failed to enumerate Windows groups. If you are using Active Directory consult the installation guide for information."
    I am not able to see domain B's users and groups from within the CiscoSecure software.
    However, if I use Active Directory Users and Computers from Domain A, and "connect to domain" and choose Domain B, I am able to view all users and groups just fine.
    Do you know if there is a problem with configuring two 2003 domains in this software? Do you have any other areas that I should investigate? Some local policy on Domain B?

    If ACS is installed on a DC of DOM1 and DOM1 has trust relationship to a remote domain DOM2
    1) ACS Services (on DOM1 DC) run under a DOM1 Domain User (and Local Machine Administrator) - "acsacct"
    2) This account (acsacct) has "Act as part of the OS" permission in Domain Security Policy and Domain Controller Security Policy
    3) On DOM2 (The Remote Domain) , we Delegated Control to the acsacct User to the Custom Task of "Group Objects" and "User Objects".
