ACS for Device authentication
Hello
I am looking to deploy a NAC device in our office and currently have an ACS server that handles wireless authentication.
I would like to know if the ACS is capable of authenticating users on a LAN with both 802.1x and device detection (such as MAC address and ID)?
If I can do the latter how do you set that up on an ACS?
Thanks in advance
Paul
So my answer is correct ...
ACS is an authentication server. It can authenticate devices.
NAC Profiler, which is now replaced by the ISE Profiling Engine, analyzes the behavior of devices in real time to identify them. ACS will use that as a device database.
If using ISE, you only need ISE; it profiles and authenticates as well (it combines ACS + Profiler + other services).
What you seem to be uncomfortable with is the way the profiling works; I would suggest you read the Profiler or ISE documentation to know more about it.
It identifies a device through its behavior. Then it authorizes the MAC address. You are forced to trust on a MAC address basis because the system is made for non-802.1x devices, so you can't "talk" to the device or assign it any ID or whatever.
However, it's not a static list of MAC addresses. The MAC address is allowed only if it's online and it corresponds to an allowed type of device.
It can for example differentiate a phone, from an XBOX, from a laptop by looking at the fields of the DHCP request of the device, etc ... it can also do polling on the switch to check for CDP information etc ...
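The profile-then-authorize flow the answer describes, as an added Python example that is not code from this thread or from Cisco ACS/ISE: a DHCP request is parsed for its vendor class (option 60) and parameter request list (option 55), the endpoint is classified against a fingerprint table, and a MAC is then permitted only while it has recently been seen and its class is on the allowed list. The DHCP parsing follows the real message layout, but the fingerprint table, the vendor-class strings (apart from "MSFT 5.0"), the sample traffic and the idle window are constructed for illustration; a real profiler relies on a curated fingerprint database and other sources such as CDP, as the answer notes.

```python
import time

DHCP_COOKIE = b"\x63\x82\x53\x63"

# Constructed fingerprint table for this example (not a real profiler database):
# device class, expected option 60 vendor-class prefix, expected option 55 parameter list.
FINGERPRINTS = [
    ("ip-phone", b"EXAMPLE-PHONE", (1, 66, 6, 3, 15, 150, 35)),
    ("windows-laptop", b"MSFT 5.0", (1, 3, 6, 15, 31, 33, 43, 44, 46, 47, 119, 121, 249, 252)),
    ("game-console", b"EXAMPLE-CONSOLE", (1, 3, 6, 15, 12)),
]


def build_discover(mac: bytes, options: list) -> bytes:
    """Build a minimal BOOTP/DHCP client message (constructed sample input for the example)."""
    fixed = bytes([1, 1, 6, 0])              # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    fixed += b"\x12\x34\x56\x78"             # xid
    fixed += b"\x00\x00" + b"\x80\x00"       # secs, flags (broadcast bit set)
    fixed += b"\x00" * 16                    # ciaddr, yiaddr, siaddr, giaddr
    fixed += mac.ljust(16, b"\x00")          # chaddr is a 16-byte field
    fixed += b"\x00" * 64 + b"\x00" * 128    # sname, file
    body = DHCP_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return fixed + body + b"\xff"            # option 255 = end


def parse_dhcp(pkt: bytes):
    """Return (client MAC as text, {option code: raw value}) from a DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    if hlen > 16:
        raise ValueError("bad hardware address length")
    mac = pkt[28:28 + hlen].hex(":")
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                      # end option
            break
        if code == 0:                        # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return mac, opts


def profile_device(opts: dict) -> str:
    """Classify an endpoint by vendor class (60) and parameter request list (55)."""
    vendor = opts.get(60, b"")
    params = tuple(opts.get(55, b""))
    for device_class, vendor_prefix, param_list in FINGERPRINTS:
        if params == param_list and vendor.startswith(vendor_prefix):
            return device_class
    return "unknown"


class EndpointDB:
    """Profiler-fed endpoint store that an authentication server would consult for MAB."""

    def __init__(self, allowed_classes, max_idle_s=3600):
        self.allowed = set(allowed_classes)
        self.max_idle_s = max_idle_s         # how long a profile counts as "online" (assumption)
        self.endpoints = {}                  # mac -> (device class, last seen)

    def observe_dhcp(self, pkt: bytes, now=None):
        mac, opts = parse_dhcp(pkt)
        device_class = profile_device(opts)
        self.endpoints[mac] = (device_class, time.time() if now is None else now)
        return mac, device_class

    def authorize(self, mac: str, now=None):
        """Permit only a MAC that was recently seen and profiled as an allowed class."""
        now = time.time() if now is None else now
        entry = self.endpoints.get(mac.lower())
        if entry is None:
            return False, "never profiled"
        device_class, last_seen = entry
        if now - last_seen > self.max_idle_s:
            return False, "stale profile"
        if device_class not in self.allowed:
            return False, f"class {device_class} not allowed"
        return True, device_class


if __name__ == "__main__":
    db = EndpointDB({"ip-phone", "windows-laptop"}, max_idle_s=600)
    phone = build_discover(bytes.fromhex("001122334455"),
                           [(53, b"\x01"), (60, b"EXAMPLE-PHONE"), (55, bytes((1, 66, 6, 3, 15, 150, 35)))])
    mac, cls = db.observe_dhcp(phone, now=1000)
    print(mac, cls, db.authorize(mac, now=1100))
```

The last assertion in a run of this model is the one worth keeping in mind: if the same MAC later sends a request that no longer matches its fingerprint, the stored class becomes "unknown" and the MAC is rejected, which is the behaviour the answer contrasts with a static MAC list.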
Similar Messages
-
Cisco ACS for Unix authentication
My company is looking for a single sign on for all the windows and unix servers mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be all for the servers and routers ofcourse. I am thinking if I specifies windows AD in ACS config, Can I get the unix boxes to get authenticated against Radius?
Any help will be appreciated.
Manny
Hi,
Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
Hope that helps out your query !!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H -
Two standalone ACS for TACacs authentication
Dear All,
I am having a network consists of some 30 routers and I have 2 ACS 5.3 appliances.
I am planning to configure the ACS (A, B) boxes in standalone mode,
and I want to configure both ACSs as the TACACS server in all my routers,
with ACS A as the primary in some routers and ACS B as the primary in some routers,
and there is no configuration sync between the ACS boxes.
Will this setup have any issue with authentication in case any of the ACS boxes fails?
thanks in advance ...
Selva
There will be no issue, unless the configuration is not the same. My personal opinion: distributed deployment is the best method if you are planning to keep more than one ACS within a domain.
-
How to add a switch to acs for login and ads authentication
Hi all
I want to add my switch so that it authenticates to my ACS for login auth. I have done the switch end, using RADIUS, and also added the switch on the ACS. How do I force the ACS to use Windows auth for this login? Do I just go under the network config where the device is and tick the box saying "use Windows database for authentication", and then do a group mapping?
cheers
Hi,
Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
Maybe there are other ways, but this works.
Success,
Rob -
Using ACS for Cisco Prime authentication
I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
Any pointers?
The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
Administration > AAA > TACACS+ Servers > add tacacs server.
Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x":
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
"Configuring ACS 4.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
https://supportforums.cisco.com/docs/DOC-17909
In case it doesn't work, please get the logs from the ACS Reports and Monitoring for TACACS authentication, and the error message shown while accessing Cisco Prime.
Jatin Katyal
- Do rate helpful posts - -
ACS SE setup for windows authentication
Dear All,
I'm trying to install an ACS Solution Engine in my network for access control (AAA). I succeeded in setting up authentication using the internal database and that works fine. Now my boss wants users to be authenticated through an external database (Windows AD). I tried achieving this but kept getting different errors (like "EAP-TLS or PEAP authentication failed during SSL handshake" or "Authen session timed out: Challenge not provided by client").
Please, I need someone who has done this setup successfully before to give me a step-by-step procedure on how I can set up ACS SE for Windows authentication using my domain Windows authentication.
Thanks
Hi,
Check out the below link on your query. Hope that helps!
https://supportforums.cisco.com/docs/DOC-5542
If helpful do rate
Ganesh.H -
ACS best practices for device config
Can anybody tell me what the best practice is in regards to device setup in ACS?
Specifically, is it better to specify each device individually, or is it OK to allow whole subnets access, thereby allowing all devices in those subnets to use ACS for AAA?
Find My iPad is not a fully reliable way to secure data on a corporate iPad. The service is too easy to defeat and block you from wiping the data. You can, however, make settings that will make it much more difficult for someone to get data from your company iPads and iPhones even if they can defeat the Find My iPad connection. I'd suggest you read these Apple documents:
http://www.apple.com/ipad/business/docs/iOS_Security.pdf
http://www.apple.com/ipad/business/docs/iOS_MDM.pdf
They'll give you an overview of how to secure your devices.
Regards. -
ACS for Windows 4.1.(1) build 23
Hi.
We've got two Windows 2003 Server R2 machines with Cisco ACS for Windows 4.1.(1) Build 23 installed, used for RADIUS user authentication, and nowadays we're trying to deploy a TACACS+ configuration to manage network devices from those ACSs. The TACACS+ Accounting tab works fine, and the accounting administration records or logs are updated, but when I click on the TACACS+ Administration tab the log files shown are empty. I know about a bug in the 4.1 version; the question is:
Can I fix the issue if I upgrade or install only the 4.1.1.23-5 patch?
Will it be enough?
Many thanks. -
I have MAB set up through ACS 5.2 at one of my sites and it seems to be working fine for laptops, but not for printers. I can plug a laptop into the port the printer is connected to and it connects right away, but plugging the printer in I get a "notconnect" and the port goes amber.
I am using the following commands on the switch ports:
authentication port-control auto
mab
I checked the ACS reporting and I see no failed authentication attempts, just the successful authentications by the laptops.
Robert,
What version are you using, what model switch are you running, and what model printer is this not working for? Also, the MAC address table behavior is expected for devices that fail dot1x or MAB; they do not get applied to the MAC address table.
The DHCP behavior is also expected: it will not pull an IP address till the port has been authorized.
Can you run a debug dot1x packets (just to make sure there is not a supplicant enabled on the printer)?
Also, can you run a debug radius authentication while the process is started and post the output here; keep in mind to blur out any sensitive information.
Also please let me know the full port configuration and show auth session int.
Thanks,
Tarik Admani -
Hi everyone,
I'm trying to deploy a Windows Embedded Standard 7 (trial key at the moment) image in SCCM 2012 SP1 with a very simple task sequence.
I have a 'build and capture' and an OSD TS. I'm testing these on Hyper-V PCs and both work fine when I create stand-alone media. The problem arises when I try to deploy (or build & capture) with a bootable media;
the TS starts, formats the disk, applies the OS, Windows and network settings, Apply Device Drivers etc., but when it reboots into Windows (or WES7 to be exact) it can't boot. The Windows Boot Manager reports a 0xc0000359 for storvsc.sys
And I can't figure out what's wrong. I will post the SMSTS log further down below. The SAME TS works fine when it's a stand alone media.
I have tried to:
- Apply the WIM manually (nothing wrong - boots fine)
- Create and apply driver package for the Hyper-V machines (from the MSI's Windows5.x-HyperVIntegrationServices-x86 and Windows5.x-HyperVIntegrationServices-x64)
- No dice
- Create a new boot image with the hyper-v drivers in it. No dice
- Google everything related I can think of.
I suspect it has something to do with the lines where it says:
"Failed to find a suitable device driver for device xxx"
It also has a couple of 401 errors when trying to get the packages, but it seems like it DOES end up getting the content.
Please help! What could it be?
I have 2 Hyper-V machines; one w. legacy network adapter - one not. Both have same issue.
SMSTS log key points are (the log is too long to post here):
401 - Authentication failure on request with anonymous access, retrying with context credentials.
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
401 - Authentication failure on request with context credentials, retrying with supplied credentials.
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Downloaded file from http://<CUSTOMER DP REMOVED>:80/SMS_DP_SMSPKG$/56D13589-D906-4697-8A1E-1CC3211902AA/sccm?/s3cap.inf to C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA\s3cap.inf
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Downloaded file from http://<CUSTOMER DP REMOVED>:80/SMS_DP_SMSPKG$/56D13589-D906-4697-8A1E-1CC3211902AA/sccm?/vmbusvideo.cat to C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA\vmbusvideo.cat
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Downloaded file from http://<CUSTOMER DP REMOVED>:80/SMS_DP_SMSPKG$/56D13589-D906-4697-8A1E-1CC3211902AA/sccm?/vms3cap.sys to C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA\vms3cap.sys
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Download done setting progress bar to 100
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
VerifyContentHash: Hash algorithm is 32780
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Failed to open Software\Microsoft\Sms\Mobile Client\Software Distribution registry key. The client should not get checked for RWH OpLock Type
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Failed to open Software\Microsoft\Sms\Mobile Client\Software Distribution registry key. The client should not get checked for RWH OpLock Type
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Failed to open Software\Microsoft\Sms\Mobile Client\Software Distribution registry key. The client should not get checked for RWH OpLock Type
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Installing driver "Microsoft Emulated S3 Device Cap"
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Adding "C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA" to Windows driver store.
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Setting %SystemRoot% to "C:\WINDOWS"
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Getting namespace "Microsoft-Windows-PnpCustomizationsNonWinPE" for architecture "amd64"
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Added list item with key value '1'
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Writing configuration information to C:\_SMSTaskSequence\PkgMgrTemp\drivers.xml
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Successfully saved configuration information to C:\_SMSTaskSequence\PkgMgrTemp\drivers.xml
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Setting temporary directory to 'C:\_SMSTaskSequence\PkgMgrTemp'.
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Calling Package manager to add drivers to the offline driver store.
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Command line for extension .exe is "%1" %*
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Set command line: "X:\windows\Pkgmgr\dism.exe" /image:"C:" /windir:"WINDOWS" /apply-unattend:"C:\_SMSTaskSequence\PkgMgrTemp\drivers.xml" /logpath:"C:\_SMSTaskSequence\PkgMgrTemp\dism.log"
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Executing command line: "X:\windows\Pkgmgr\dism.exe" /image:"C:" /windir:"WINDOWS" /apply-unattend:"C:\_SMSTaskSequence\PkgMgrTemp\drivers.xml" /logpath:"C:\_SMSTaskSequence\PkgMgrTemp\dism.log"
OSDDriverClient 5/6/2014 4:03:41 PM 612 (0x0264)
Process completed with exit code 0
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Dism successfully added drivers to the offline driver store.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Successfully added "C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA" to the Windows driver store.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Successfully installed driver "Microsoft Emulated S3 Device Cap".
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Entering ReleaseSource() for C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
reference count 1 for the source C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA before releasing
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Released the resolved source C:\_SMSTaskSequence\ContentCache\56D13589-D906-4697-8A1E-1CC3211902AA
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Ranking compatible drivers for VMBUS\{57164F39-9115-4E78-AB55-382F3BD5422D}\{FD149E91-82E0-4A7D-AFA6-2A4166CBD7C0}
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_0E4046FEF6FF1BC7776A060DF1B19003E0B5640936488E08E61C41D47A8B26C2 (SMS Driver Rank = 0x0000)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_8E607B402D9A9C9A0FBC0881F11231BDA52B4C8851F1BA00F7E8B3D932FC4871 (SMS Driver Rank = 0x0000)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_54E81CFA62FCB88FCA9D60C01594AA5FCEE40F9D5B28F47DE2A7B70C91268F17 (SMS Driver Rank = 0x0000)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Driver "Hyper-V Heartbeat" has already been installed.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Failed to find a suitable device driver for device 'Intel 82443BX Pentium(R) II Processor to PCI Bridge'.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Failed to find a suitable device driver for device 'Generic Monitor'.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Ranking compatible drivers for VMBUS\{A9A0F4E7-5A45-4D96-B827-8A841E8C03E6}\{242FF919-07DB-4180-9C2E-B86CB68C8C55}
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_0E4046FEF6FF1BC7776A060DF1B19003E0B5640936488E08E61C41D47A8B26C2 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_8E607B402D9A9C9A0FBC0881F11231BDA52B4C8851F1BA00F7E8B3D932FC4871 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_54E81CFA62FCB88FCA9D60C01594AA5FCEE40F9D5B28F47DE2A7B70C91268F17 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Driver "Hyper-V Heartbeat" has already been installed.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Failed to find a suitable device driver for device 'Numeric data processor'.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Ranking compatible drivers for VMBUS\{35FA2E29-EA23-4236-96AE-3A6EBACBA440}\{2450EE40-33BF-4FBD-892E-9FB06E9214CF}
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_8E607B402D9A9C9A0FBC0881F11231BDA52B4C8851F1BA00F7E8B3D932FC4871 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_54E81CFA62FCB88FCA9D60C01594AA5FCEE40F9D5B28F47DE2A7B70C91268F17 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
SCOPEID_4AA3EF76-E8E6-4FC3-8E79-00F39F7D1CB5/DRIVER_C01B80DA1C014302CC793357FF0F1C0486554D11_0E4046FEF6FF1BC7776A060DF1B19003E0B5640936488E08E61C41D47A8B26C2 (SMS Driver Rank = 0x0001)
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Driver "Hyper-V Heartbeat" has already been installed.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Failed to find a suitable device driver for device 'Microsoft System Management BIOS Driver'.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Failed to find a suitable device driver for device 'CD-ROM Drive'.
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
Exiting with return code 0x00000000
OSDDriverClient 5/6/2014 4:03:45 PM 612 (0x0264)
In advance: Sorry...
Hi,
0xc0000359 for storvsc.sys
Looks like a Hyper-V Storage Controller driver issue.
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS 4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS 4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS 4.2. However, if I use an AD username and password, I couldn't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS 4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts. -
802.1x between Switch 3750 and ACS 4.2 Authentication failed -- need help
I configured the Switch 3750 and ACS for 802.1x authentication.
When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
What is the most likely problem?
Thx in advance!!!
The configuration is Sw3750 is:
aaa new-model
aaa authentication login default local
aaa authentication enable default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/18
description Link to test 802.1x
switchport access vlan 119
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key keepopen0
In the ACS:
Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
user setup -->real name:test1, password: test1.
Attached is the debug information.
What do you see in ACS failed attempts?
-
802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment
Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
If possible show:
1. ACS/Radius Configurations.
2. End User Switch Configurations
Variables:
Switch A
MAC Address aaaa.bbbb.cccc Vlan 10
bbbb.cccc.dddd Vlan 20
Also, could someone post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments,
and other technology sets that can be used for dynamic VLAN assignment, except the deprecated/obsolete VMPS.
Thanks in advance.
Hi Guys,
Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRADIUS, Steel-Belted RADIUS, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password. Then check the Separate(Chap/MS-Chap/ARAP) box. Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward. -
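The MAB user and the three tunnel attributes described in the answer above, as an added Python example that is not code from this thread or from any RADIUS server: it normalizes a MAC written as aaaa.bbbb.cccc, AA:BB:... or aa-bb-... to the 12 lowercase hex digits the switch sends as the MAB username, encodes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) in the tagged RFC 2868 wire layout that an Access-Accept carries, and decodes them back so the values can be checked. The user store, the VLAN names and the tag value 1 are constructed for the example; the attribute numbers and the values VLAN = 13 and IEEE-802 = 6 are the standard ones. As the answer says, the only thing being checked here is the MAC itself, which is why MAB is reserved for devices that cannot do 802.1X.

```python
import re
import struct

# RADIUS attribute types (RFC 2868) and the values used for VLAN assignment (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def mab_identity(raw_mac: str) -> str:
    """Normalize aaaa.bbbb.cccc / AA:BB:... / aa-bb-... to the 12 lowercase hex digits MAB uses."""
    digits = re.sub(r"[.:\-]", "", raw_mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw_mac!r}")
    return digits


def encode_tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Type, Length, Tag, 3-byte integer (RFC 2868 tagged-integer layout)."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """Type, Length, Tag, string (RFC 2868 tagged-string layout)."""
    data = text.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BBB", attr_type, len(data) + 3, tag) + data


def vlan_accept_avps(vlan_name: str, tag: int = 1) -> bytes:
    """The three attributes an Access-Accept carries to place the port in a VLAN."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def decode_avps(data: bytes) -> list:
    """Walk a RADIUS attribute list; tunnel attributes come back as (type, tag, value)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            out.append((attr_type, body[0], body[1:].decode("ascii")))
        else:
            out.append((attr_type, None, body))
        i += length
    return out


class MabRadiusStore:
    """Constructed stand-in for the RADIUS user database: MAB identity -> VLAN name."""

    def __init__(self):
        self.devices = {}

    def add_device(self, raw_mac: str, vlan_name: str) -> None:
        self.devices[mab_identity(raw_mac)] = vlan_name

    def handle_access_request(self, user_name: str, password: str):
        """MAB sends the MAC as both User-Name and password; answer Accept+VLAN or Reject."""
        try:
            ident = mab_identity(user_name)
        except ValueError:
            return "Access-Reject", b""
        if ident not in self.devices or password != ident:
            return "Access-Reject", b""     # unknown MAC, or username/password disagree
        return "Access-Accept", vlan_accept_avps(self.devices[ident])


if __name__ == "__main__":
    store = MabRadiusStore()
    store.add_device("aaaa.bbbb.cccc", "VLAN10")   # the question's "Variables", VLAN named here
    store.add_device("bbbb.cccc.dddd", "VLAN20")
    code, avps = store.handle_access_request("aaaabbbbcccc", "aaaabbbbcccc")
    print(code, decode_avps(avps))
```

Whether Tunnel-Private-Group-ID carries the VLAN name or number depends on what the switch expects; the answer above says the name, so the example uses names.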
Using Active Directory and ACS for Concentrator 3000 VPN
Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
Below is my understanding; I appreciate any help to piece some or all of the below together.
(1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
(2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
(3) Concentrator is the NAS, and ACS is the RADIUS server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
(4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
(5) A single "Tunnel Group" is created on the concentrator
(6) Multiple groups, per corporate infosec policies, are created on the AD
(7) Multiple groups, per corporate infosec policies, are also created on ACS; they need to match what is in the AD
TIA.
In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.
When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to, in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
Now go to access-policies > default-network access > identity should be AD1.
Go to authorization > click on customize > move the AD1:ExternalGroups and end-station filter attribute on the right side and hit ok.
After that, select the appropriate AD group for teachers and the end-station filter.
Save changes.
Jatin Katyal
- Do rate helpful posts - -
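The rule logic the answer above describes, as an added Python example that is not code from this thread or from Cisco ACS: each request carries the user's resolved AD groups and a Calling-Station-Id of the form "<client MAC>:<SSID>"; a rule matches only when both its AD group condition and its end-station filter match, and the leading * in the filter is what lets the SSID be matched past the MAC prefix. The sample requests, rule names, SSIDs, group names and the default-deny result are constructed for the example, and shell-style wildcard matching (fnmatch) stands in for the ACS pattern syntax, which is an assumption.

```python
import fnmatch

# Constructed sample requests as the ACS would see them from a WLC: the user's resolved AD groups
# and Calling-Station-Id (RADIUS attribute 31) carrying "<client MAC>:<SSID>".
SAMPLE_REQUESTS = [
    {"user": "alice", "groups": {"Teachers"}, "calling_station_id": "00-11-22-33-44-55:Teachers-WiFi"},
    {"user": "bob", "groups": {"Students"}, "calling_station_id": "66-77-88-99-aa-bb:Teachers-WiFi"},
    {"user": "carol", "groups": {"Teachers"}, "calling_station_id": "cc-dd-ee-ff-00-11:Guest-WiFi"},
    {"user": "dave", "groups": {"Students"}, "calling_station_id": "22-33-44-55-66-77:Students-WiFi"},
]

# Authorization rules in evaluation order: (hypothetical rule name, required AD group,
# end-station filter, result profile). The filter needs the leading * because the
# attribute value starts with the MAC address, as the answer above explains.
RULES = [
    ("Teachers-on-staff-SSID", "Teachers", "*:Teachers-WiFi", "PermitAccess"),
    ("Students-on-student-SSID", "Students", "*:Students-WiFi", "PermitAccess"),
]
DEFAULT_RESULT = ("Default", "DenyAccess")   # assumed default rule: nothing matched, deny


def split_calling_station_id(value: str):
    """Separate the MAC and SSID halves; raises if the WLC did not append an SSID."""
    mac, sep, ssid = value.partition(":")
    if not sep or not ssid:
        raise ValueError(f"no SSID in Calling-Station-Id {value!r}")
    return mac.lower(), ssid


def end_station_filter_matches(pattern: str, calling_station_id: str) -> bool:
    """Shell-style wildcard match standing in for the ACS end-station filter."""
    return fnmatch.fnmatchcase(calling_station_id, pattern)


def authorize(request: dict, rules=RULES):
    """First rule whose AD group and end-station filter both match wins; otherwise the default."""
    csid = request["calling_station_id"]
    split_calling_station_id(csid)            # reject malformed values before any rule can match
    for name, group, pattern, result in rules:
        if group in request["groups"] and end_station_filter_matches(pattern, csid):
            return name, result
    return DEFAULT_RESULT


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample user to the authorization result the rules produce."""
    return {r["user"]: authorize(r)[1] for r in requests}


if __name__ == "__main__":
    for user, result in evaluate_all().items():
        print(f"{user}: {result}")
```

A filter written without the wildcard ("Teachers-WiFi" instead of "*:Teachers-WiFi") never matches, because the attribute value always begins with the MAC; that is the failure mode the answer's note about the * is warning about.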
Adding WCS server in ACS for AAA
Hi,
I tried to add WCS into the ACS server and I have done all the required configuration, but still WCS is unable to authenticate through ACS. There is no passed or failed auth report on ACS for WCS users. Can you guide me on how to fix it?
Thanks,
Hassan
Curious... Did you load the WCS attributes from WCS to ACS?
Example
role0=SuperUsers
task0=Users and Groups
task1=Audit Trails
task2=TACACS+ Servers
task3=RADIUS Servers
task4=Logging
task5=License Center
task6=Scheduled Tasks and Data Collection
task7=User Preferences
task8=System Settings
task9=Diagnostic Information
task10=View Alerts and Events
task11=Email Notification
task12=Delete and Clear Alerts
task13=Pick and Unpick Alerts
task14=Configure Controllers
task15=Configure Templates
task16=Configure Config Groups
task17=Configure Access Points
task18=Configure Access Point Templates
task19=Configure Choke Points
task20=Monitor Controllers
task21=Monitor Access Points
task22=Monitor Clients
task23=Monitor Tags
task24=Monitor Security
task25=Monitor Chokepoints
task26=Mesh Reports
task27=Client Reports
task28=Performance Reports
task29=Security Reports
task30=Location Server Management
task31=View Location Notifications
task32=Maps Read Only
task33=Maps Read Write
task34=Client Location
task35=Rogue Location
task36=Planning Mode
task37=Ack and Unack Alerts
task38=Migration Templates
task39=Configure Spectrum Experts
task40=Monitor Spectrum Experts
task41=Virtual Domain Management
task42=High Availability Configuration
task43=Health Monitor Details
task44=Configure WIPS Profiles
task45=Global SSID Groups
task46=Configure Lightweight Access Point Templates
task47=Configure Autonomous Access Point Templates
task48=Scheduled Configuration Tasks
task49=Configure Location Sensors
task50=Configure ACS View Servers
task51=Auto Provisioning
task52=Monitor Location Sensors
task53=RRM Dashboard
task54=Compliance Assistance Reports
task55=Voice Audit Report
task56=Config Audit Dashboard
task57=Handover Server Management
task58=Monitor Handover Server
task59=Configure Ethernet Switch Ports
task60=Configure Ethernet Switches
task61=Monitor Interferers
task62=Device Reports
task63=Network Summary Reports
task64=Compliance Reports
task65=CleanAir Reports
task66=Report Launch Pad
task67=Run Reports List
task68=Saved Reports List
task69=Report Run History
task70=Automated Feedback
task71=TAC Case Attachment Tool