ACS - cisco-av-pair

Hi Sir,
I have some doubts about the attribute in ACS: cisco-av-pair. I set up some ACLs in this attribute and hope this attribute can be sent from ACS to my PIX/ASA for future filtering usage if a user passes the first authentication attempt. I found that this attribute cannot be installed in the PIX (when I checked the PIX using 'show access-list') even though the user passes the authentication. What is the reason?

Hello,
I am using ASA 8.0 software. I also tried to use the 'downloadable ACL' attribute; this attribute does the job, as its name says. But cisco-av-pair cannot. Is there another possible reason?
Thanks.

Similar Messages

  • ISE 1.1.1 cisco-av-pair:Wireless-WCS

    Hello,
    Has anyone configured ISE yet to authenticate WCS against ISE using RADIUS? I have created the Authorization Profiles with role0=SuperUsers, task0=...etc., but I am wondering how everyone has done the authentication and authorization rules. Any lessons learned would be great.
    Kyle

    Yes, I have patch 1 installed. I am trying to add the following cisco-av-pairs:
    Wireless-WCS:role0=Admin
    Wireless-WCS:task0=Users and Groups
    Wireless-WCS:task1=Virtual Domain Management
    Wireless-WCS:task2=Audit Trails
    Wireless-WCS:task3=TACACS+ Servers
    Wireless-WCS:task4=RADIUS Servers
    Wireless-WCS:task5=Logging
    Wireless-WCS:task6=License Center
    Wireless-WCS:task7=Scheduled Tasks and Data Collection
    Wireless-WCS:task8=User Preferences
    Wireless-WCS:task9=System Settings
    Wireless-WCS:task10=View Alerts and Events
    Wireless-WCS:task11=Email Notification
    Wireless-WCS:task12=Delete and Clear Alerts
    Wireless-WCS:task13=Pick and Unpick Alerts
    Wireless-WCS:task14=Ack and Unack Alerts
    Wireless-WCS:task15=Configure Controllers
    Wireless-WCS:task16=Configure Templates
    Wireless-WCS:task17=Configure Config Groups
    Wireless-WCS:task18=Configure Access Points
    Wireless-WCS:task19=Scheduled Configuration Tasks
    Wireless-WCS:task20=Migration Templates
    Wireless-WCS:task21=Configure Choke Points
    Wireless-WCS:task22=Configure Spectrum Experts
    Wireless-WCS:task23=Configure ACS View Servers
    Wireless-WCS:task24=Auto Provisioning
    Wireless-WCS:task25=Monitor Controllers
    Wireless-WCS:task26=Monitor Access Points
    Wireless-WCS:task27=Monitor Clients
    Wireless-WCS:task28=Monitor Tags
    Wireless-WCS:task29=Monitor Security
    Wireless-WCS:task30=Monitor Chokepoints
    Wireless-WCS:task31=Monitor Spectrum Experts
    Wireless-WCS:task32=RRM Dashboard
    Wireless-WCS:task33=Mesh Reports
    Wireless-WCS:task34=Client Reports
    Wireless-WCS:task35=Performance Reports
    Wireless-WCS:task36=Security Reports
    Wireless-WCS:task37=Compliance Assistance Reports
    Wireless-WCS:task38=Voice Audit Report
    Wireless-WCS:task39=Config Audit Dashboard
    Wireless-WCS:task40=Location Server Management
    Wireless-WCS:task41=View Location Notifications
    Wireless-WCS:task42=Maps Read Only
    Wireless-WCS:task43=Maps Read Write
    Wireless-WCS:task44=Client Location
    Wireless-WCS:task45=Rogue Location
    Wireless-WCS:task46=Planning Mode
    Wireless-WCS:task47=High Availability Configuration
    Wireless-WCS:task48=Health Monitor Details
    Wireless-WCS:task49=Configure WIPS Profiles
    Wireless-WCS:task50=Global SSID Groups
    Wireless-WCS:task51=WIPS Service
    Wireless-WCS:task52=Configure Lightweight Access Point Templates
    Wireless-WCS:task53=Configure Autonomous Access Point Templates
    Wireless-WCS:task54=Guest Reports
    Wireless-WCS:task55=Handover Server Management
    Wireless-WCS:task56=Monitor Handover Server
    Wireless-WCS:task57=Configure Ethernet Switch Ports
    Wireless-WCS:task58=Configure Ethernet Switches
    Wireless-WCS:task59=Monitor Interferers
    Wireless-WCS:task60=Device Reports
    Wireless-WCS:task61=Network Summary Reports
    Wireless-WCS:task62=Compliance Reports
    Wireless-WCS:task63=CleanAir Reports
    Wireless-WCS:task64=Report Launch Pad
    Wireless-WCS:task65=Run Reports List
    Wireless-WCS:task66=Saved Reports List
    Wireless-WCS:task67=Report Run History
    Wireless-WCS:task68=Automated Feedback
    Wireless-WCS:task69=TAC Case Attachment Tool
    Wireless-WCS:task70=Ack and Unack Security Index Issues
    Wireless-WCS:task71=View Security Index Issues
    Wireless-WCS:task72=Monitor Media Streams
    Wireless-WCS:task73=Voice Diagnostics
    Wireless-WCS:task74=ContextAware Reports
    Thanks,
    Kyle

  • Cisco av-pairs SSID vs Dynamic Vlan Assignment

    Hello,
    Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
    If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
    Dynamic VLAN assignment is an alternative way to control user access to a given VLAN. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right VLAN. But... there is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all VLANs are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
    So the question is whether a working alternative to SSID av-pairs exists.
    Thanks.

    To be honest, I have never heard of this SSID av-pair ever working in wireless :)
    You would need at least two SSIDs, and the RADIUS server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The RADIUS server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft RADIUS or even Cisco ACS.
    You can still use AAA override to place devices on specific VLANs and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the VLAN. WLC has Bonjour capabilities, and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but newer requirements mean that there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
    -Scott

  • Cisco-av-pair

    Hi all,
    I'm trying to configure ACS RADIUS and a PIX to work as Proxy Cut-Through.
    I want to set up some ACLs to have a certain type of traffic for some users and another one for some others.
    I tried downloadable ACLs but it doesn't work (could it be caused by a bug in IOS?); now I'm trying to set up cisco-av-pair and I have another problem...
    If I write
    ip:inacl#1=permit tcp any any
    ip:inacl#2=permit udp any any
    ip:inacl#3=permit ip any any
    ip:inacl#4=permit icmp any any
    ip:inacl#5=deny tcp any any
    it works fine... but if I configure this one
    ip:inacl#1=permit tcp any any eq 20
    ip:inacl#2=permit udp any any eq 20
    ip:inacl#3=permit ip any any eq 20
    ip:inacl#5=permit tcp any any eq 21
    ip:inacl#6=permit udp any any eq 21
    ip:inacl#7=permit ip any any eq 21
    ip:inacl#8=permit tcp any any eq 80
    ip:inacl#9=permit ip any any eq 80
    ip:inacl#101=deny tcp any any
    ip:inacl#102=deny ip any any
    ip:inacl#103=deny udp any any
    the PIX denies everything.
    Which is the mistake?
    Thanks in advance.

    Try...
    ip:inacl#101=permit tcp any any eq 20
    ip:inacl#102=permit udp any any eq 20
    ip:inacl#103=permit ip any any eq 20
    ip:inacl#104=permit tcp any any eq 21
    ip:inacl#105=permit udp any any eq 21
    ip:inacl#106=permit ip any any eq 21
    ip:inacl#107=permit tcp any any eq 80
    ip:inacl#108=permit ip any any eq 80
    ip:inacl#109=deny tcp any any
    ip:inacl#110=deny ip any any
    ip:inacl#111=deny udp any any
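    The two attribute sets quoted in this post, and the renumbered list in the reply, can be checked mechanically before they are entered in ACS. The Python below is an added example, not code from the post or from Cisco: it splits each cisco-av-pair into attribute and value (accepting both the mandatory `=` and the optional `*` TACACS+ separators), validates every `ip:inacl#` entry against the extended-ACE grammar used here (a port operator such as `eq 20` is only meaningful for tcp or udp, so an entry that combines it with the `ip` protocol is reported as an error), and warns about duplicate or non-contiguous sequence numbers. The sample input is constructed from the lists above; the gap warning is informational only and makes no claim about what the PIX does with gaps.

```python
import re

# Constructed sample input: the two attribute sets quoted in the post above.
WORKING_SET = [
    "ip:inacl#1=permit tcp any any",
    "ip:inacl#2=permit udp any any",
    "ip:inacl#3=permit ip any any",
    "ip:inacl#4=permit icmp any any",
    "ip:inacl#5=deny tcp any any",
]
BROKEN_SET = [
    "ip:inacl#1=permit tcp any any eq 20",
    "ip:inacl#2=permit udp any any eq 20",
    "ip:inacl#3=permit ip any any eq 20",
    "ip:inacl#5=permit tcp any any eq 21",
    "ip:inacl#6=permit udp any any eq 21",
    "ip:inacl#7=permit ip any any eq 21",
    "ip:inacl#8=permit tcp any any eq 80",
    "ip:inacl#9=permit ip any any eq 80",
    "ip:inacl#101=deny tcp any any",
    "ip:inacl#102=deny ip any any",
    "ip:inacl#103=deny udp any any",
]

PORT_PROTOCOLS = {"tcp", "udp"}  # the only protocols that take a port operator
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
INACL_KEY = re.compile(r"^ip:inacl#(\d+)$")


def split_av_pair(av_pair):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into (attr, value, mandatory)."""
    m = re.match(r"^([^=*]+)([=*])(.*)$", av_pair)
    if not m:
        raise ValueError(f"not an attribute-value pair: {av_pair!r}")
    attr, sep, value = m.groups()
    return attr.strip(), value.strip(), sep == "="


def _consume_address(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tokens[i]; return the next index."""
    if i >= len(tokens):
        raise ValueError("missing address")
    if tokens[i] == "any":
        return i + 1
    if i + 1 >= len(tokens):
        raise ValueError(f"{tokens[i]!r} needs a following address or mask")
    return i + 2  # 'host X' or 'X MASK'


def _consume_port_op(tokens, i, proto):
    """Consume an optional port operator, rejecting it for protocols that carry no ports."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return i
    if proto not in PORT_PROTOCOLS:
        raise ValueError(f"port operator {tokens[i]!r} is not valid for protocol {proto!r}")
    width = 3 if tokens[i] == "range" else 2  # 'range LOW HIGH' vs 'eq PORT'
    if i + width > len(tokens):
        raise ValueError(f"incomplete port operator {tokens[i]!r}")
    return i + width


def check_ace(ace):
    """Validate one extended ACE body; raise ValueError describing the first defect found."""
    tokens = ace.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACE must be '<permit|deny> <proto> <src> <dst> [ports]'")
    proto = tokens[1]
    i = _consume_address(tokens, 2)
    i = _consume_port_op(tokens, i, proto)  # optional source port
    i = _consume_address(tokens, i)
    i = _consume_port_op(tokens, i, proto)  # optional destination port
    if i != len(tokens):
        raise ValueError(f"trailing tokens {' '.join(tokens[i:])!r} not understood")


def check_inacl(av_pairs):
    """Return (errors, warnings) for a list of ip:inacl# cisco-av-pair strings."""
    errors, warnings, seqs = [], [], []
    for av_pair in av_pairs:
        try:
            attr, value, mandatory = split_av_pair(av_pair)
            m = INACL_KEY.match(attr)
            if not m:
                warnings.append(f"{av_pair}: not an ip:inacl# attribute, skipped")
                continue
            if not mandatory:
                warnings.append(f"{av_pair}: sent as an optional ('*') attribute")
            seq = int(m.group(1))
            if seq in seqs:
                errors.append(f"{av_pair}: duplicate sequence number {seq}")
            seqs.append(seq)
            check_ace(value)
        except ValueError as e:
            errors.append(f"{av_pair}: {e}")
    if seqs and sorted(set(seqs)) != list(range(min(seqs), max(seqs) + 1)):
        warnings.append(f"sequence numbers have gaps between {min(seqs)} and {max(seqs)}")
    return errors, warnings


if __name__ == "__main__":
    for name, acl in (("working", WORKING_SET), ("broken", BROKEN_SET)):
        errors, warnings = check_inacl(acl)
        print(f"{name}: {len(errors)} error(s), {len(warnings)} warning(s)")
        print("\n".join("  " + line for line in errors + warnings))
```

    Run as a script it prints no findings for the first list and three protocol/port errors plus a gap warning for the second. The same `split_av_pair` helper separates the `shell:roles*"network-admin"` form seen later in this thread into its attribute, value and optional flag, which is useful when reviewing TACACS+ profiles as well.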

  • Cisco ISE with cisco-av-pair

    Hi All
    I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page, this is done via the radius attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SesionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (point to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value, is there a way to put a dynamic value in the attributes manually?
    Thanks a lot!
    Leo

    Thanks Tarik, I saw you helped a lot of people with ISE configuration; I really appreciate your help.
    In ISE there is a place to set the default URL for Sponsor and My Devices, not sure why not for the Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is we cannot have a whitelist, since all requests will be redirected to the guest portal.

  • Cisco ISE - CWA redirect in another way than cisco-av-pair?

    Hello.
    I'm trying to set up ISE as a CWA.
    I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
    But here is the problem: we use Aerohive as access points. And Aerohive does not support cisco-av-pair attributes, since it's Cisco proprietary.
    Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
    So the big question: is there a way to make the same redirect using standard RADIUS attributes?
    Thank you.

    Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentications, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    I could be wrong here, so if someone else has done this before please chime in.
    Thank you for rating helpful posts! 

  • VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?

    Hi.
    I am looking to setup wireless access to 2 of my internal VLANs. I am using Cisco 1130AG, PEAP and RADIUS for the authentication as one network is for employees only and one restricted to guests only.
    I was wondering which was the most recommended solution.
    1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
    or
    2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
    This option I feel is more complicated, and I am still unsure how this works in reality, as the SSID itself can only be part of one VLAN?
    Do I have to configure a Dot11Radio and Fastethernet interface for each intended vlan in this case?
    Could someone please explain and suggest their preferred option.
    Thanks.

    You should have two SSIDs, one for your internal users and one for guests. You should use 802.1X for your internal SSID, and your guest SSID should be open with a login page of some sort. You can still use dynamic VLAN assignment so that your internal users who try to access the guest page will be put on the internal VLAN. Of course the guests will always be placed on the guest VLAN. If you have a WLC, the login page and setup is easier, because in autonomous mode you will have to use something like ZoneCD for guests if you want a hotspot-type Wi-Fi.

  • LMS , AAA via Radius and cisco AV pair

    We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
    Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
    Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
    I have tried a few, but none seem to work. And I haven't found documentation on this.

    No, it is pure authentication that is done.
    There is no way to select a role in LMS based on an AV pair.
    With tacacs+ something like that is possible.
    Cheers,
    Michel

  • ZBF: Assign zone to interface via Cisco AV Pair

    Hello,
    I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
    I am assigning VRFs like so:
    Cisco-AVpair+=ip:vrf-id=<vrf-name>
    I have tried assigning a zone with the following configuration but with no luck:
    Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
    Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
    I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
    Any help appreciated.
    Thanks.

    For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
    lcp:interface-config=zone security <zonename>
    I also had to add:
    aaa policy interface-config allow-subinterface
    Once I did this it worked a treat.

  • Replace both Supervisor Engines on Cisco VSS pair

    Hi ,
    I have a VSS pair with one SUP on each switch. I'm preparing for a task to replace the SUP on Switch 1 and Switch 2, and I'm trying to see what my options are for this task:
    Option 1: replace the SUP on both switches at the same time and build the VSS again, then apply the configuration (this requires a maintenance window).
    Option 2: replace the SUP on Switch 2 (using the procedure on http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109334-replace-vss-sup-proc-v1.html), then do it again for Switch 1.
    If anyone did this change before, please share your experiences; any ideas will be helpful.
    regards,

    Thanks Leo , 
    This is what I was thinking also, to do a clean VSS configuration. I was more concerned about the configuration after the rebuild: is it better to just copy the config file using TFTP or copy the running config directly to the VSS CLI? Our VSS contains a huge configuration with multiple routing protocols, filtering, MPLS, security, etc., so if I choose to just copy the config and paste it on the VSS CLI, I need to know the correct order of each set of commands; for example, I need to paste the IP prefixes and ACLs before the route-map commands, etc.
    anyway , thanks for your advice.

  • Visio Stencil Secure ACS / Cisco Appliance

    Hello, I'm trying to find a Visio stencil for:
    CSACSE-1113-K9 Cisco Secure ACS 4.X Solution Engine 1113 Appliance
    But in http://www.cisco.com/en/US/products/prod_visio_icon_list.html
    I didn't find any... I also searched in the xml file "http://www.cisco.com/en/US/prod/assets/visio/product_visio_icon0900aecd800940d9.xls" but it doesn't exist there.
    How can I find one? Or is it better to build one?
    Thanks in Advance.

    It doesn't seem to render correctly when I dropped it in a doc. Not sure if it's a version issue or not. I'm running Visio 2010.

  • ACS4.2, NX-OS und Cisco AV-Pair

    Hi
    Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" in the Nexus.
    I attached the main configuration for this feature.
    Does anybody have an idea where the problem could be found?
    Apparently the output of "debug aaa all" is not very useful; in this case NX-OS is not like IOS.
    ACS 4.2 Configuration:
    User Config:
    shell exec (enabled)
    shell:roles*"network-admin"  (actually I also tried shell:roles="network-admin")
    After Login - the output of the command "show user-account" says:
    user:ude3964
            roles:network-operator
    account created through REMOTE authentication
    AAA Configuration:
    rzsgwu3s097# sh run aaa
    version 4.1(3)N2(1a)
    aaa authentication login default group tacacs local
    aaa authentication login console group tacacs local
    aaa authorization config-commands default group tacacs
    aaa authorization commands default group tacacs
    aaa authentication login error-enable
    tacacs-server directed-request
    rzsgwu3s097# sh run tacacs+
    version 4.1(3)N2(1a)
    feature tacacs+
    tacacs-server timeout 3
    tacacs-server host 172.28.193.35 key 7 "xx"
    aaa group server tacacs+ tacacs
        server 172.28.193.35
        source-interface Vlan501
    In the ACS passed Authentication Report everything looks fine.
    Any hints?
    Cheers
    Patrick

    On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files, see if any hints appear there.
    Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.

  • Authenticating Trunk Ports - VLAN list

    I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
    My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
    cisp enable
    interface FastEthernet0/2
     description *** Client Device ***
     switchport access vlan 2
     switchport mode access
     no logging event link-status
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 3
     authentication event server alive action reinitialize
     authentication order mab dot1x webauth
     authentication priority mab dot1x webauth
     authentication port-control auto
     authentication fallback GUEST_FALLBACK
     mab eap
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 10
     dot1x max-reauth-req 1
     dot1x timeout auth-period 600
     no cdp enable
     spanning-tree portfast
    Any help will be greatly appreciated. 
    Thanks
    John

    Hello
    I would suggest the following:
    >> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DoS attack! This could also be done by mistake, resulting in an unstructured threat.
    >> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
    >> Change the NATIVE VLAN from the default (VLAN 1)
    >> Disable Trunk negotiation (ON mode)
    Regards
    Farrukh

  • User $enable15$ in Cisco Secure ACS

    Hi all,
    I have a Cisco Secure ACS server, by default it has a username called "$enable15$"; I am using TACACS as the authentication protocol.
    The question is if I need the $enable15$ user configured in the ACS server even if I am using TACACS as the authentication protocol. I want to delete it but I am not sure if it is possible.
    Regards.

    Group Setup, select the group and click on edit settings and scroll down to "Cisco IOS/PIX 6.x RADIUS Attributes" and enable "cisco-av-pair" and enter shell:priv-lvl=15.

  • Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

    Hi There
    I have Cisco NAC set up in my environment. These are all working fine. The users get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advise.
    Regards,
    Ram
    +6-012-2918870

    Hi,
    That is not possible.
    You cannot push ACLs into the NAC manager.
    If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
    Using Radius attributes you can then map users to Roles.
    Please take a look into this:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
