ACS with dot1x
Hi all, I am trying to collect information for a future ACS network management deployment and I have some questions that I can't find answers to.
Is it possible to authenticate users on the wired interfaces and redirect them to different VLANs based on their attributes?
If any Cisco member has any type of useful document with configs for ACS plus NAC Appliances (Profiler/Collector) to manage authentication on a switched LAN, I would appreciate it being shared.
(I've searched a lot, but all the info is a little dispersed and I can't assemble the puzzle.)
Best Regards,
Hi.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
Read especially the topic 'Wired Dot1x Version 1.05 Configuration Guide'.
The complication arises mostly in installing the certificate to enable PEAP or TLS, which are the authentication methods you need for dot1x to authenticate using an external database, i.e. AD.
Similar Messages
-
ISE with dot1x and Posture deployment in parallel for certain users
Hi,
We want to deploy ISE in sequential order, meaning that I will initially have all users authenticated/authorized with dot1x/MAB etc., and then only certain locations or users get posture condition validation/verification while others do not.
Can someone please advise whether this approach is possible? As far as I understand, once you have posture policies in place as an authorization rule, it will hit all the users. This may be possible where you can match the switch or the location as a separate condition, but if all users are spread/mixed we just need to find a simple way to do it, or to know whether it is not possible.
We have modified the attached policy on rules 04 and 05 (from the top) and added a new condition Device Location Equals "Switch1". According to this rule, any user connected to Switch1 only does the posture, and the same user PC connected to any other switch (other than Switch1) should do only the dot1x/MAB (rules 1-3). But in our case, when the user PC connects to any switch other than Switch1, it hits the ISE default policy (not included in this attachment) and also pops up the NAC agent and does the posturing.
Questions:
- Why is the PC/user not hitting rules 1-3 and going to the default rule?
- Why is the PC/user doing posture when no posture rule is hit?
Hi,
First of all, I assume you configured the PC for machine or user authentication.
So, when a user connects to the network using a switch other than switch1, it will get 2 hits:
1. Computer authentication - this PC is part of Domain Computers
2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
You haven't specified a rule for domain users alone (with no location condition) and with no posture.
You have to add something like this:
1. dot1x + Domain PC
2. dot1x + Domain User + location + preposture
3. dot1x + Domain User + location + posture compliant
4. dot1x + Domain User (and no posture condition)
To answer your second question: even though you've excepted a certain user from posture, if the NAC Agent is installed it will pop up and say that you're compliant, so practically it isn't doing posture.
(http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
Generating a Posture Requirement The run-time services requests for the posture requirement for the endpoint by looking up at the role to which the user belongs to and the operating system on the client. If you do not have a policy associated with the role, then the run-time services communicate to the NAC Agent with an empty requirement. If you have a policy associated with the role, then the run-time services run through the posture policies through one or more requirements associated with the policies and for each requirement through one or more conditions.
If you want to roll out posture, you could use exception rules (check the top section of authorization rules) or you could do only posture audit for your rules, so that everyone can get network access even though they're not compliant.
-
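The reply's point is about rule ordering: ISE evaluates authorization rules top-down and the first match wins, so a Domain User session from any switch other than Switch1 matches none of the location-bound rules and drops to the default. The following is an added example, not code from the thread or from ISE, that models that first-match evaluation with the original rule set and with the location-free rule the reply recommends; the rule names, the "Switch1" location and the session attributes are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Session = Dict[str, str]
Condition = Callable[[Session], bool]


@dataclass
class Rule:
    """One authorization rule: every condition must hold (logical AND)."""
    name: str
    conditions: List[Condition] = field(default_factory=list)

    def matches(self, s: Session) -> bool:
        return all(c(s) for c in self.conditions)


def domain_pc(s: Session) -> bool:
    return s["identity_group"] == "Domain Computers"


def domain_user(s: Session) -> bool:
    return s["identity_group"] == "Domain Users"


def on_switch1(s: Session) -> bool:
    return s["device_location"] == "Switch1"


def posture_unknown(s: Session) -> bool:
    return s["posture"] == "Unknown"


def posture_compliant(s: Session) -> bool:
    return s["posture"] == "Compliant"


def evaluate(rules: List[Rule], s: Session) -> str:
    """Top-down evaluation, first matching rule wins; no match means the default rule."""
    for rule in rules:
        if rule.matches(s):
            return rule.name
    return "Default"


# Rule set as the original poster describes it: every Domain User rule carries
# the Switch1 location condition, so the same user on another switch matches none.
ORIGINAL = [
    Rule("dot1x + Domain PC", [domain_pc]),
    Rule("dot1x + Domain User + location + preposture",
         [domain_user, on_switch1, posture_unknown]),
    Rule("dot1x + Domain User + location + posture compliant",
         [domain_user, on_switch1, posture_compliant]),
]

# Rule set as the reply suggests: a location-free Domain User rule placed last,
# so it only catches the sessions the Switch1 rules did not.
FIXED = ORIGINAL + [Rule("dot1x + Domain User (no posture)", [domain_user])]


def session(group: str, switch: str, posture: str = "Unknown") -> Session:
    """Constructed session attributes for the example (not real ISE data)."""
    return {"identity_group": group, "device_location": switch, "posture": posture}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("fixed", FIXED)):
        for sw in ("Switch1", "Switch2"):
            hit = evaluate(rules, session("Domain Users", sw))
            print(f"{label:8} Domain User on {sw}: {hit}")
```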
Hi All,
We have installed 2 ACS with two CRAs (remote agents) installed in AD1 and AD2.
The problem is that when CRA1, which is installed in AD1, is active, everything works fine with both ACS.
But when CRA1 is down and CRA2, which is installed in AD2, is up, authentication fails.
Can anyone help in this regard? I have the logs; if required I can upload them.
Thanks in advance
Sachi
Most likely this is a permission issue.
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
The account running the remote agent service does not have admin rights. Make sure that the account has special privileges like "Act as part of the operating system" and "Log on as a service" in your security policy.
If you are already using an admin account to run it, then try using Local System.
Regards,
~JG
-
Hi,
I have a Cisco Switch CE500 and I need dot1x to function reliably on it. I used the "Network Assistant" and it did not work; it dropped all ports connected to PCs that have the certificate. I have a network of Cisco 2950/2960 switches with dot1x working properly. I accessed the HTTP "exec mode" of the CE500 and compared the text configuration between the CE500 and the 2960; I edited the settings so that the CE500's text is the same as the 2960's, but it did not work.
I have the profile for the switch in my RADIUS server. In the CE500 I have the IP address of the RADIUS server, the key, AAA RADIUS, and "aaa new-model".
If I remove the switch profile from the RADIUS server, it logs that the device doesn't have a profile for AAA.
Attached example files
ce500.txt ---- don't work
2960.txt ------ it's working well
Help me please!
In my case the tip from another thread helped me out. The tip was to set, on the 2008 NPS in the Connection Policy, the RADIUS standard attribute Framed-MTU to less than 1400.
In my case that did the trick!
Reiner
-
What is required to replace ACS with ISE in simple terms?
I am looking to basically authenticate wired and wireless access against the local/AD user database via Cisco kit.
I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses.
Is there a limit to how many devices or users the base can deal with in its simplest form?
I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done with just the ISE Base License alone for a wireless solution (via WLC with LWAPs or Autonomous APs)?
thanks
dave
Yes, you can authenticate the user using ISE, but you need an Advanced license if you want to use both wired and wireless. Here is a small table to help you understand the license requirements. Also, the max. number of devices supported depends on the type of deployment, and with the Advanced features you have the ability to do profiling and posturing, which provides very good control for admins in the network.
Software Packages
Options
Base
Capabilities: Basic network access and guest access
Network deployment support: Wired, wireless, and VPN
License prerequisite: None
Perpetual license
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Advanced
Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
Network deployment support: Wired, wireless, and VPN
License prerequisite: Base license
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wireless
License prerequisite: None
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless Upgrade
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wired, wireless, and VPN
License prerequisite: Wireless license
Term license: 1, 3- and 5-year terms
Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
***Do rate helpful posts***
-
Hi, Is it possible to use ACS with mySQL database?
regards
Steffen
Depends on what you mean.
The ODBC Authenticator (that is authenticate users against an external ODBC datasource) should work fine with mySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
If you mean can you use MySQL for ACS's own internal database, then no, you can't.
Darran
-
Hi All,
I am trying to integrate ACS with the DC; can anyone please get me the document to follow?
Thanks.
Hi Abdul,
Check my response (last post) in the following conversation.
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB?cmd=display_location&location=.2cbe94a0
Regards
-
ACS with Tivoli Identity Manager
Has anyone implemented ACS with ITIM? It was press-released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as an external database for user auth? Or do both products need to back end into the same LDAP directory for user/pass info?
Yes, we have. ITIM has developed an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and communicates with the Cisco ACS application through the available Cisco ACS API. Through the ITIM agent, TIM can create, delete and modify ACS user accounts. No, the Cisco ACS server cannot use the ITIM database as an external database for user auth.
-
Integration of ACS with two different Domain in different forest
Hi
We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
Thanks
Ritesh
It is possible in ACS 4.2 to do machine and user authentication over cross-forest trusts. See Resolved Caveats here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
HTH
Jeremy
-
802.1x (ACS) with Avaya phones
Hi All ,
We are implementing wired dot1x for our wired users with EAP-TLS. When I connect a laptop it gets authenticated and works fine. For VoIP (Avaya) we are using MAB. When we connect the VoIP phone, after 30 seconds ACS gives Access-Accept (auth success). But the VoIP phone is stuck in a "Bad router" state and VoIP is not working. If I connect the laptop behind the VoIP phone, it gets authenticated and works fine even though the VoIP phone is stuck.
Is there a way we can reduce the 802.1x auth timings, so that the VoIP phone can register successfully?
The switch interface config is:
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Thanks,
Vijay
Hi,
I am using Avaya as well in production. They support 802.1X.
Configure a Voice VLAN on each port.
Let ACS send the RADIUS attribute device-traffic-class=voice under
Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles (VOICE VLAN)
and select Permission to Join: Static.
A good guide: IP Telephony for 802.1X Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Regards, Horst
-
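The device-traffic-class=voice value the reply recommends reaches the switch inside the RADIUS Access-Accept as a cisco-av-pair, i.e. a Vendor-Specific attribute (type 26) with Cisco's enterprise number 9 and vendor type 1. The following is an added example, not code from the thread or from ACS, that encodes such an attribute and parses an Access-Accept attribute area to confirm the voice authorization is present; the sample packet bytes are constructed for the example, not captured from a real ACS.

```python
import struct
from typing import List, Tuple

ATTR_VSA = 26          # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor type of cisco-av-pair


def attr(t: int, v: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", t, len(v) + 2) + v


def vsa_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    inner = attr(CISCO_AVPAIR, value.encode())
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Split an attribute area into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        t, ln = payload[i], payload[i + 1]
        if ln < 2 or i + ln > len(payload):
            raise ValueError("malformed attribute length")
        out.append((t, payload[i + 2:i + ln]))
        i += ln
    return out


def cisco_avpairs(payload: bytes) -> List[str]:
    """Return every cisco-av-pair string carried in the attribute area."""
    pairs = []
    for t, v in parse_attrs(payload):
        if t != ATTR_VSA or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for vt, vv in parse_attrs(v[4:]):
            if vt == CISCO_AVPAIR:
                pairs.append(vv.decode(errors="replace"))
    return pairs


def authorizes_voice_vlan(payload: bytes) -> bool:
    """True when the Access-Accept tells the switch to put the endpoint on the voice VLAN."""
    return "device-traffic-class=voice" in cisco_avpairs(payload)


def sample_accept_attrs() -> bytes:
    """Constructed attribute area of an Access-Accept for a MAB-authenticated phone:
    a Session-Timeout (27) plus the cisco-av-pair the reply recommends."""
    return attr(27, struct.pack("!I", 3600)) + vsa_cisco_avpair("device-traffic-class=voice")


if __name__ == "__main__":
    accept = sample_accept_attrs()
    print(cisco_avpairs(accept), authorizes_voice_vlan(accept))
```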
ACS + Wired dot1x machine authentication
Hi,
I am trying to setup wired machine based authentication. I have followed this guide
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
However, I simply get the same error all the time on ACS:
Invalid message authenticator in EAP request
Switch config:
interface GigabitEthernet0/46
switchport access vlan 20
switchport mode access
media-type rj45
dot1x pae authenticator
dot1x port-control auto
dot1x reauthentication
dot1x guest-vlan 20
I am trying to set up group matching to perform VLAN assignment; however, at the minute I am just entering under the unknown user policy with no VLAN assignment set up.
Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.
Purely using machine auth.
Cheers
Scott
Hi Guys,
The plot thickens: I can authenticate via user 802.1x, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??
Thanks for your help.
Scott
-
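The "Invalid message authenticator in EAP request" error above refers to the RADIUS Message-Authenticator attribute (RFC 3579): an HMAC-MD5 over the entire Access-Request, keyed with the RADIUS shared secret, computed with the attribute's own 16 bytes zeroed. ACS recomputes it on every EAP request it receives, so a shared-secret mismatch between the switch and the ACS server, or a packet altered in transit, fails this check before any certificate or AD lookup happens. The following is an added example, not code from the thread or from ACS, that builds such a request and verifies it the way a server would; the secret, identifier and EAP identity are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MSG_AUTH = 80
HDR = struct.Struct("!BBH16s")   # code, identifier, length, request authenticator


def attr(t: int, v: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(secret: bytes, ident: int, req_auth: bytes, attrs: bytes) -> bytes:
    """Append a zeroed Message-Authenticator, HMAC the whole packet, then fill it in."""
    body = attrs + attr(ATTR_MSG_AUTH, bytes(16))
    pkt = HDR.pack(ACCESS_REQUEST, ident, HDR.size + len(body), req_auth) + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac


def find_message_authenticator(pkt: bytes) -> Optional[int]:
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    i = HDR.size
    while i + 2 <= len(pkt):
        t, ln = pkt[i], pkt[i + 1]
        if ln < 2 or i + ln > len(pkt):
            return None
        if t == ATTR_MSG_AUTH and ln == 18:
            return i + 2
        i += ln
    return None


def verify_message_authenticator(secret: bytes, pkt: bytes) -> bool:
    """Server-side check: recompute over the packet with the value zeroed."""
    off = find_message_authenticator(pkt)
    if off is None:
        return False   # RFC 3579: an EAP-carrying request without it is discarded
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, pkt[off:off + 16])


def demo() -> Dict[str, bool]:
    """Constructed EAP-Response/Identity for host/PC01 inside an Access-Request."""
    identity = b"host/PC01"
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    attrs = attr(ATTR_USER_NAME, identity) + attr(ATTR_EAP_MESSAGE, eap)
    req_auth = os.urandom(16)
    pkt = build_access_request(b"switch-secret", 7, req_auth, attrs)
    # Byte 38 is the first byte of the EAP identity (header 20 + User-Name 11 + EAP hdr 7)
    tampered = pkt[:38] + b"X" + pkt[39:]
    missing = HDR.pack(ACCESS_REQUEST, 8, HDR.size + len(attrs), req_auth) + attrs
    return {
        "correct_secret": verify_message_authenticator(b"switch-secret", pkt),
        "wrong_secret": verify_message_authenticator(b"Switch-secret", pkt),
        "tampered_eap": verify_message_authenticator(b"switch-secret", tampered),
        "missing_attr": verify_message_authenticator(b"switch-secret", missing),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15} -> {'accepted' if ok else 'invalid message authenticator'}")
```

Comparing the shared secret configured on the switch's radius-server entry with the one in the ACS AAA client definition is therefore the first thing to check when this error appears for every request.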
Hi,
In our existing ACS, when we add a new relying party, we associate it with a rule as below:
input claim type as
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
and output claim type as
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
When I used the ACS created previously, for the token I received I have:
Received claims with existing ACS:
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: testoem2,
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TESTOEM2-MS,
htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://wp8partnerservicesv1-tst.accesscontrol.windows.net/
but for the new ACS namespace, when I configure it exactly the same way, I receive
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TestOem2-MS,
htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://zackpartnerservice1-tst.accesscontrol.windows.net/'
The nameidentifier claim is no longer in the token.
Does anyone from the Azure ACS team know what change in ACS might have caused this issue, and how do I configure the ACS so that I can get the nameidentifier claim in the token too?
Since my account is not verified, I use h_ttp instead of http in my question.
thank you,
Zach
Greetings, Zach!
Please refer to this:
https://msdn.microsoft.com/en-us/library/hh446535.aspx
The article elaborates how federated identity works with ACS.
Thank you,
Arvind
-
Hi there,
We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
We have successfully deployed this on our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience, etc.):
aaa-server XXXXX protocol tacacs+
accounting-mode simultaneous
reactivation-mode depletion deadtime 1
max-failed-attempts 1
aaa-server XXXXX inside host <SERVER>
key <SECRET>
timeout 5
aaa authentication telnet console XXXXX LOCAL
aaa authentication enable console XXXXX LOCAL
aaa authentication ssh console XXXXX LOCAL
aaa authentication http console XXXXX LOCAL
aaa authentication serial console XXXXX LOCAL
aaa accounting command XXXXX
aaa accounting telnet console XXXXX
aaa accounting ssh console XXXXX
aaa accounting enable console XXXXX
aaa accounting serial console XXXXX
aaa authorization command XXXXX LOCAL
Problems:
"Enter PASSCODE" is NOT displayed on the first attempt to log on to the PIX/ASA because it does not attempt to communicate with ACS until a username/password is sent.
A username with a null password (e.g. CR) will then correctly display the "Enter PASSCODE" prompt received from ACS.
The PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially per authentication attempt, e.g.
1st Attempt = Server 1
2nd Attempt = Server 2
3rd Attempt = Server 3
4th Attempt = Server 4
This means that in a total failure of ACS, users will have to attempt authentication N+1 times before failing over to LOCAL credentials, depending on the number of servers configured. This seems to come from setting "depletion deadtime 1"; however, the alternative is worse:
With "depletion timed" configured, by the time the user has attempted authentication to servers 2, 3 and 4 the hard-coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, so it will never fail over to local authentication, locking the user out of the device. The PIX itself does warn of this with the following error:
"WARNING: Fallback authentication is configured, but reactivation mode is set to
timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
mechanism."
The next issue is that of accounting. AAA Accounting does not record "SHOW" commands, session accounting records (start/stop) or "ENABLE".
The final issue is ASDM. We can log in to ASDM successfully using ACS/RSA SecurID; however, when a change is made to the configuration, ASDM repeatedly sends the user's logon credentials multiple times.
As an RSA SecurID token can only be used once, this fails and locks the account.
Any ideas on how to make two of Cisco's leading security products work together better?
Just re-reading the PIX/ASA 7.2 command reference guide below:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
It appears some of the above are known issues.
PASSCODE issue, page 2-17 states:
We recommend that you use the same username and password in the local database as the
AAA server because the security appliance prompt does not give any indication which method is being used.
Failure to LOCAL, page 2-42 states:
You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
AAA Accounting, page 2-2 states:
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
ASDM issue, page 2-17 states:
HTTP management authentication does not support the SDI protocol for AAA server group
So it looks like all my issues are known "features" of PIX/ASA integration with ACS; any ideas on how to achieve a "slicker" integration?
Is there a roadmap to improve this with later versions of the OS?
Will the PIX/ASA code ever properly support the same features as IOS?
Would it be better to look at using something like CSM instead of ASDM?
-
Cisco ACS with External DB - EAP-TLS
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following?
Let's say both user and computer certs are employed:
1. Both client and ACS perform a check of each other's certs to ensure they are known to each other. The EAP-TLS exchange.
2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. What is the parameter that is checked against the AD database?
I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked against AD; is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" in the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Ken
Only the TLS *handshake* is completed/successful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
And any port/point won't be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
HTH
Regards,
Prem
-
ACS with patch L 6 and Name column issue
Has anyone experienced the following?
My customer has used the migration tool to migrate users from ACS 4.2 to 5.3. He has also applied patch level 6. However, under Identity Groups, in the listed names (the Name column), from some to half of the name is missing [e.g. let's say the name contains "Dimension Data"; after migrating only "Dimensi" is seen]. He then removed Patch Level 6 and reapplied it with no success. Any advice, or do I need to run to the TAC?
Thanks a lot
Lancellot Wendel
Hi Tarik,
Thanks for the reply.
With regard to the question
"If you remove patch 6 and then migrate, does it work?"
No it did not work either, well I guess I have to open a TAC case for this.
Thanks in advance
regards,
lancellot