ACS - cisco-av-pair
Hi Sir,
I have some doubts about the attribute in ACS: cisco-av-pair. I set up some ACLs in this attribute and hope this attribute can be sent from ACS to my PIX/ASA for future filtering usage if a user passes the first authentication attempt. I found that this attribute cannot be installed in the PIX (when I checked the PIX using 'show access-list') even though the user passes the authentication. What is the reason?
Hello,
I am using ASA 8.0 software. I also tried to use the 'downloadable ACL' attribute; this attribute does the job as its name says. But cisco-av-pair cannot. Is there another possible reason?
Thanks.
Similar Messages
-
ISE 1.1.1 cisco-av-pair:Wireless-WCS
Hello,
Has anyone configured ISE yet to authenticate WCS against ISE using RADIUS? I have created the Authorization Profiles with rule0=SuperUsers, task0=..., etc., but I am wondering how everyone has done the authentication and authorization rules. Any lessons learned would be great.
Kyle
Yes, I have patch 1 installed. I am trying to add the following cisco-av-pairs:
Wireless-WCS:role0=Admin
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Virtual Domain Management
Wireless-WCS:task2=Audit Trails
Wireless-WCS:task3=TACACS+ Servers
Wireless-WCS:task4=RADIUS Servers
Wireless-WCS:task5=Logging
Wireless-WCS:task6=License Center
Wireless-WCS:task7=Scheduled Tasks and Data Collection
Wireless-WCS:task8=User Preferences
Wireless-WCS:task9=System Settings
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Ack and Unack Alerts
Wireless-WCS:task15=Configure Controllers
Wireless-WCS:task16=Configure Templates
Wireless-WCS:task17=Configure Config Groups
Wireless-WCS:task18=Configure Access Points
Wireless-WCS:task19=Scheduled Configuration Tasks
Wireless-WCS:task20=Migration Templates
Wireless-WCS:task21=Configure Choke Points
Wireless-WCS:task22=Configure Spectrum Experts
Wireless-WCS:task23=Configure ACS View Servers
Wireless-WCS:task24=Auto Provisioning
Wireless-WCS:task25=Monitor Controllers
Wireless-WCS:task26=Monitor Access Points
Wireless-WCS:task27=Monitor Clients
Wireless-WCS:task28=Monitor Tags
Wireless-WCS:task29=Monitor Security
Wireless-WCS:task30=Monitor Chokepoints
Wireless-WCS:task31=Monitor Spectrum Experts
Wireless-WCS:task32=RRM Dashboard
Wireless-WCS:task33=Mesh Reports
Wireless-WCS:task34=Client Reports
Wireless-WCS:task35=Performance Reports
Wireless-WCS:task36=Security Reports
Wireless-WCS:task37=Compliance Assistance Reports
Wireless-WCS:task38=Voice Audit Report
Wireless-WCS:task39=Config Audit Dashboard
Wireless-WCS:task40=Location Server Management
Wireless-WCS:task41=View Location Notifications
Wireless-WCS:task42=Maps Read Only
Wireless-WCS:task43=Maps Read Write
Wireless-WCS:task44=Client Location
Wireless-WCS:task45=Rogue Location
Wireless-WCS:task46=Planning Mode
Wireless-WCS:task47=High Availability Configuration
Wireless-WCS:task48=Health Monitor Details
Wireless-WCS:task49=Configure WIPS Profiles
Wireless-WCS:task50=Global SSID Groups
Wireless-WCS:task51=WIPS Service
Wireless-WCS:task52=Configure Lightweight Access Point Templates
Wireless-WCS:task53=Configure Autonomous Access Point Templates
Wireless-WCS:task54=Guest Reports
Wireless-WCS:task55=Handover Server Management
Wireless-WCS:task56=Monitor Handover Server
Wireless-WCS:task57=Configure Ethernet Switch Ports
Wireless-WCS:task58=Configure Ethernet Switches
Wireless-WCS:task59=Monitor Interferers
Wireless-WCS:task60=Device Reports
Wireless-WCS:task61=Network Summary Reports
Wireless-WCS:task62=Compliance Reports
Wireless-WCS:task63=CleanAir Reports
Wireless-WCS:task64=Report Launch Pad
Wireless-WCS:task65=Run Reports List
Wireless-WCS:task66=Saved Reports List
Wireless-WCS:task67=Report Run History
Wireless-WCS:task68=Automated Feedback
Wireless-WCS:task69=TAC Case Attachment Tool
Wireless-WCS:task70=Ack and Unack Security Index Issues
Wireless-WCS:task71=View Security Index Issues
Wireless-WCS:task72=Monitor Media Streams
Wireless-WCS:task73=Voice Diagnostics
Wireless-WCS:task74=ContextAware Reports
Thanks,
Kyle -
Cisco av-pairs SSID vs Dynamic Vlan Assignment
Hello,
Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
Dynamic vlan assignment is an alternative way to control user access to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
So the question is if a working alternative to SSID av-pairs exists.
Thanks.
To be honest, I have never heard of this SSID av-pair ever working in wireless :)
You would need at least two SSIDs and the radius server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.
You can still use AAA override to place devices on specific vlans and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the vlan. WLC has Bonjour capabilities and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but newer requirements mean that there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
-Scott -
Hi all,
I'm trying to configure ACS RADIUS and a PIX to work as Proxy Cut-Through.
I want to set up some ACLs to have a certain type of traffic for some users and another one for some others.
I tried with downloadable ACLs but it doesn't work (could it be caused by a bug in IOS?), now I'm trying to set up cisco-av-pair and I have another problem...
If I write
ip:inacl#1=permit tcp any any
ip:inacl#2=permit udp any any
ip:inacl#3=permit ip any any
ip:inacl#4=permit icmp any any
ip:inacl#5=deny tcp any any
it works fine... but if I configure with this one
ip:inacl#1=permit tcp any any eq 20
ip:inacl#2=permit udp any any eq 20
ip:inacl#3=permit ip any any eq 20
ip:inacl#5=permit tcp any any eq 21
ip:inacl#6=permit udp any any eq 21
ip:inacl#7=permit ip any any eq 21
ip:inacl#8=permit tcp any any eq 80
ip:inacl#9=permit ip any any eq 80
ip:inacl#101=deny tcp any any
ip:inacl#102=deny ip any any
ip:inacl#103=deny udp any any
the PIX denies everything.
What is the mistake?
Thanks in advance.
Try...
ip:inacl#101=permit tcp any any eq 20
ip:inacl#102=permit udp any any eq 20
ip:inacl#103=permit ip any any eq 20
ip:inacl#104=permit tcp any any eq 21
ip:inacl#105=permit udp any any eq 21
ip:inacl#106=permit ip any any eq 21
ip:inacl#107=permit tcp any any eq 80
ip:inacl#108=permit ip any any eq 80
ip:inacl#109=deny tcp any any
ip:inacl#110=deny ip any any
ip:inacl#111=deny udp any any
-
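An added example for the Proxy Cut-Through ACL thread above (not code from the thread or from Cisco): a small checker for `ip:inacl#N=` pairs that flags duplicate sequence numbers and port operators on protocols that take none (only tcp and udp do), then evaluates the resulting ACL the way a firewall does: lowest sequence number first, first match wins, implicit deny at the end. The sample pairs are constructed, and only `any any` entries are modelled (an assumption of this example).

```python
import re

# Constructed sample inputs (not from any real ACS configuration):
# a clean set and a set with the kinds of defects discussed above.
GOOD = [
    "ip:inacl#1=permit tcp any any",
    "ip:inacl#2=permit udp any any",
    "ip:inacl#5=deny tcp any any",
]
BAD = [
    "ip:inacl#1=permit tcp any any eq 20",
    "ip:inacl#3=permit ip any any eq 20",    # 'ip' takes no port operator
    "ip:inacl#3=permit tcp any any eq 21",   # duplicate sequence number
    "ip:inacl#101=deny ip any any",
]

AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")
PORT_PROTOCOLS = {"tcp", "udp"}                  # only these accept port operators
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


def check_ace(seq, ace):
    """Return a list of problems found in one access-control entry."""
    toks = ace.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        return [f"#{seq}: malformed entry {ace!r}"]
    proto = toks[1]
    if proto not in PORT_PROTOCOLS and any(t in PORT_OPERATORS for t in toks[2:]):
        return [f"#{seq}: port operator is not valid for protocol {proto!r}"]
    return []


def parse_inacl(pairs):
    """Parse ip:inacl#N=<ace> pairs into {N: ace} plus a list of errors."""
    entries, errors = {}, []
    for raw in pairs:
        m = AVPAIR_RE.match(raw.strip())
        if not m:
            errors.append(f"not an ip:inacl pair: {raw!r}")
            continue
        seq, ace = int(m.group(1)), m.group(2).strip()
        if seq in entries:
            errors.append(f"#{seq}: duplicate sequence number")
        entries[seq] = ace                      # later pair overwrites, as flagged
        errors.extend(check_ace(seq, ace))
    return entries, errors


def first_match(entries, proto, dport=None):
    """Evaluate the ACL in sequence order, first match wins, implicit deny.
    Returns (action, matching sequence number or None)."""
    for seq in sorted(entries):
        toks = entries[seq].split()
        action, p = toks[0], toks[1]
        if p != proto and p != "ip":            # 'ip' matches every protocol
            continue
        if "eq" in toks:                        # only 'eq <port>' is modelled
            if dport is None or int(toks[toks.index("eq") + 1]) != dport:
                continue
        return action, seq
    return "deny", None
```

Running `parse_inacl` on a candidate attribute set before it goes into ACS shows whether the firewall will get a clean, unambiguous list, and `first_match` shows which entry a given flow would hit.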
Hi All
I am deploying a Cisco ISE together with a WLC to provide guest services. After the authentication the users will be redirected to the device registration page, this is done via the radius attribute "cisco-av-pair = url-redirect=https://FQDN:8443/guestportal/gateway?sessionId=SesionIdValue&portal=..." returned by the ISE. My problem is that there is no internal DNS server in the guest network (point to public DNS servers), so the clients cannot resolve the FQDN. We can manually add the redirect URL, however the SessionIdValue in the URL is a dynamic value, is there a way to put a dynamic value in the attributes manually?
Thanks a lot!
Leo
Thanks Tarik, I saw you helped a lot of people with ISE configuration, I really appreciate your help.
In ISE there is a place to set the default URL for Sponsor and My Devices, not sure why not for the Guest portal. As the DNS server is not available at this moment, we are using the WLC to do the redirect (so not CWA); the downside is we cannot have a whitelist since all requests will be redirected to the guest portal.
-
Cisco ISE - CWA redirect in another way than cisco-av-pair?
Hello.
I'm trying to set up ISE as a CWA.
I have made all the rules in both Authentication and Authorization, and I also see the clients hitting the right rules. The Authorization rule redirects the client to a captive web portal within ISE like this: cisco-av-pair = url-redirect=https://ip:port/portal/gateway?sessionId=SessionIdValue&portal=etc.
But here is the problem: we use Aerohive as access points. And Aerohive does not support cisco-av-pair attributes, since it's Cisco proprietary.
Therefore, even if ISE says everything is fine, it's not, because Aerohive does not understand what's been sent to it.
So the big question: is there a way to make the same redirect using standard radius attributes?
Thank you.
Unfortunately there isn't. I have done a project with ISE and Aerohive before and outside of basic 802.1x authentication, I was not able to deploy any of the other ISE features. There isn't an interoperability guide for ISE but just a compatibility one:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
I could be wrong here, so if someone else has done this before please chime in.
Thank you for rating helpful posts! -
VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?
Hi.
I am looking to setup wireless access to 2 of my internal VLANs. I am using Cisco 1130AG, PEAP and RADIUS for the authentication as one network is for employees only and one restricted to guests only.
I was wondering which was the most recommended solution.
1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
or
2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
This option I feel is more complicated and I am still unsure how this works in reality as the SSID itself can only be part of one VLAN????
Do I have to configure a Dot11Radio and Fastethernet interface for each intended vlan in this case?
Could someone please explain and suggest their preferred option.
Thanks.
You should have two SSIDs, one for your internal and one for guest. You should use 802.1x for your internal and your guest should be open with a login page of some sort. You can still use dynamic vlan assignments so that your internal users who try to access the guest page will be put on the internal vlan. Of course the guest will always be placed on the guest vlan. If you have a WLC, the login page and setup is easier, because in autonomous you will have to use something like ZoneCD for guest if you want a HotSpot type wifi.
-
LMS , AAA via Radius and cisco AV pair
We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
I have tried a few, but none seem to work. And I haven't found documentation on this.
No, it is pure authentication that is done.
There is no way to select a role in LMS based on an AV pair.
With tacacs+ something like that is possible.
Cheers,
Michel -
ZBF: Assign zone to interface via Cisco AV Pair
Hello,
I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
I am assigning VRFs like so:
Cisco-AVpair+=ip:vrf-id=<vrf-name>
I have tried assigning a zone with the following configuration but with no luck:
Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
Any help appreciated.
Thanks.
For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
lcp:interface-config=zone security <zonename>
I also had to add:
aaa policy interface-config allow-subinterface
Once I did this it worked a treat. -
Replace both Supervisor Engines on Cisco VSS pair
Hi ,
I have a VSS pair with one SUP on each switch. I'm preparing for a task to replace the SUP on switch 1 and switch 2, and I'm trying to see what my options are to do this task.
option 1: replace the SUP on both switches at the same time and build the VSS again, then apply the configuration (this requires a maintenance window)
option 2: replace the SUP on switch 2 (using the procedure on http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-virtual-switching-system-1440/109334-replace-vss-sup-proc-v1.html), then do it again for switch 1.
If anyone did this change before, please share your experiences; any ideas will be helpful.
regards,
Thanks Leo,
This is what I was thinking also, to do a clean VSS configuration. I was more concerned about the configuration after the rebuild: is it better to just copy the config file using TFTP or copy the running config directly to the VSS CLI? Our VSS contains a huge configuration with multiple routing protocols, filtering, MPLS, security, etc., so if I choose to just copy the config and paste it on the VSS CLI, I need to know the correct order of each set of commands; for example, I need to paste the IP prefixes and ACLs before the route-map commands, etc.
anyway , thanks for your advice. -
Visio Stencil Secure ACS / Cisco Appliance
Hello, I'm trying to find a Visio stencil for:
CSACSE‐1113‐K9 Cisco Secure ACS 4.X Solution Engine 1113 Appliance
But in http://www.cisco.com/en/US/products/prod_visio_icon_list.html
I didn't find any... I also searched in the xml file "http://www.cisco.com/en/US/prod/assets/visio/product_visio_icon0900aecd800940d9.xls" but it doesn't exist.
How can I find it? Or is it better to build one?
Thanks in advance.
It doesn't seem to render correctly when I dropped it in a doc. Not sure if it's a version issue or not. I'm running Visio 2010.
-
ACS 4.2, NX-OS and Cisco AV-Pair
Hi
Although I configured the AAA stuff on the Nexus 5k and the ACS with the shell exec and role information, I still end up with the default role "network-operator" on the Nexus.
I attached the main configuration for this feature.
Does anybody have an idea where the problem could be found?
Apparently the output of debug aaa all is not very useful; in this case NX-OS is not like IOS.
ACS 4.2 Configuration:
User Config:
shell exec (enabled)
shell:roles*"network-admin" (actually i tried also the shell:roles="network-admin")
After Login - the output of the command "show user-account" says:
user:ude3964
roles:network-operator
account created through REMOTE authentication
AAA Configuration:
rzsgwu3s097# sh run aaa
version 4.1(3)N2(1a)
aaa authentication login default group tacacs local
aaa authentication login console group tacacs local
aaa authorization config-commands default group tacacs
aaa authorization commands default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
rzsgwu3s097# sh run tacacs+
version 4.1(3)N2(1a)
feature tacacs+
tacacs-server timeout 3
tacacs-server host 172.28.193.35 key 7 "xx"
aaa group server tacacs+ tacacs
server 172.28.193.35
source-interface Vlan501
In the ACS passed Authentication Report everything looks fine.
Any hints?
Cheers
Patrick
On ACS set the log level detail to full, reproduce the problem, collect a package.cab, then look at the auth.log and TCS.log files and see if any hints appear there.
Also, consider capturing the traffic between the NX-OS switch and ACS, to see what ACS is receiving from the switch and what it is sending back.
-
Authenticating Trunk Ports - VLAN list
I have a requirement to authenticate trunk ports to wireless access points on our Cisco switch. By default all ports are access ports and we run MAB authentication. I have managed to change the port to a trunk using the Cisco-av-pair attribute in ACS (cisco-av-pair = device-traffic-class=switch).
My problem now is that I need to add a VLAN allowed list on the port once it has changed to a trunk port (switchport trunk allowed vlan x,y,z). Ideally we would not want to statically assign the VLANs on each port, as an AP could be on any port and we may wish to authenticate other trunk ports using different VLANs in the future. Below is the configuration used on the ports.
cisp enable
interface FastEthernet0/2
description *** Client Device ***
switchport access vlan 2
switchport mode access
no logging event link-status
authentication event fail action next-method
authentication event server dead action reinitialize vlan 3
authentication event server alive action reinitialize
authentication order mab dot1x webauth
authentication priority mab dot1x webauth
authentication port-control auto
authentication fallback GUEST_FALLBACK
mab eap
dot1x pae authenticator
dot1x timeout tx-period 3
dot1x timeout supp-timeout 10
dot1x max-reauth-req 1
dot1x timeout auth-period 600
no cdp enable
spanning-tree portfast
Any help will be greatly appreciated.
Thanks
John
Hello
I would suggest the following:
>> Arrange for some physical enclosure (locked) or any other physical security control to ensure authorized access to the device. Any technical work-around or band-aid solution should only be temporary. What if someone just switches off your switches? DoS attack!! This could also be done by mistake, resulting in an unstructured threat.
>> Enable monitoring for these switches (ICMP,SNMP) so that you are alerted when they are unplugged.
>> Change the NATIVE VLAN from the default (VLAN 1)
>> Disable Trunk negotiation (ON mode)
Regards
Farrukh -
User $enable15$ in Cisco Secure ACS
Hi all,
I have a Cisco Secure ACS server, by default it has a username called "$enable15$"; I am using TACACS as the authentication protocol.
The question is if I need the $enable15$ user configured in the ACS server even if I am using TACACS as the authentication protocol. I want to delete it but I am not sure if it is possible.
regards
Regards.
Group Setup, select the group and click on edit settings and scroll down to "Cisco IOS/PIX 6.x RADIUS Attributes" and enable "cisco-av-pair" and enter shell:priv-lvl=15.
-
Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL
Hi There
I have Cisco NAC set up in my environment. These are all working fine. The users get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advise.
Regards,
Ram
+6-012-2918870
Hi,
That is not possible.
You cannot push ACLs into the NAC manager.
If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
Using Radius attributes you can then map users to Roles.
Please take a look into this:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.