ACS with dot1x

Hi all, i am trying to collect infos for a future ACS network management and i have some questions that i can´t find answers.
It is possible to authenticate users in the wired interfaces and redirect them to diferent VLANs based on their attributes?
If any Cisco member have any type of usefull document with configs for ACS plus NAC Apliances (Profiler/Collector) to manage authentications on a switched LAN, i would apreciate sharing.
(I´ve searched alot, but all info are a litle dispersed and i can´t mount the puzzle)
Best Regards,

Hi.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
Read specially the topic 'Wired Dot1x Version 1.05 Configuration Guide'
Complication arises mostly on installing certificate to enable PEAP or TLS which are the authentication method you need for dot1x to authenticate using external database i.e. AD

Similar Messages

  • ISE with dot1x and Posture deployment in pararrel with certain users

    Hi,
    We want to deploy ISE in sequencial order, meaning that I will initially have all users authenticate/authorized with dot1x/MAB etc, then only on certain locations or users to have posture condition validation/verification while others not.
    Can someone please advise whether this approach is possible, as far I understand, once you have posture policies in place as authorization rule it will hit all the users. This may be possible where you can match the switch or the location as a seperate condition, but if all users are spread/mixed we just need to find a simple way how to do it or whether it is not possible..?

    We have modified the attached policy on rule 04 and 05 (from top) and add a new condition Device locationEqual "Switch1".According to this rule any user connected to Switch1 only do the posture and same user PCconnect any other switch (other than switch1), it should do only the dot1x/MAB (rule 1-3). But in our case user PC connect any other switch than switch1, it hit the ISE default policy(not included in this attachement) and also it pop-ups the NAC agent and do the posturing. Questions-why the PC/user is not hitting rule 1-3 and goes to default rule-why the PC/user is doing posture where there's no posture rule hitting.
    Hi,
    First of all, I would assume you configured the PC for machine or user authentication.
    So, when a user connects to the network using other switch but not switch1, it will get 2 hits:
    1. Computer authentication - this PC is part of Domain Computers
    2. Default rule - because you configured (domain) user authentication for dot1x requests that are received only from switch1!
    You haven't specified a rule for domain users alone (with no location condition) and with no posture.
    You have to add something like this:
    1. dot1x + Domain PC
    2. dot1x + Domain User + location + preposture
    3. dot1x + Domain User + location + posture compliant
    4. dot1x + Domain User (and no posture condition)
    To answer your second question, event though you 've excepted a certain user from posture, if NAC Agent is installed, it will popup and it will say that you're compliant, so practically it isn't doing posture
    (http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_pos_pol.html)
    Generating a Posture Requirement The run-time services requests for the posture requirement for the  endpoint by looking up at the role to which the user belongs to and the  operating system on the client. If you do not have a policy associated  with the role, then the run-time services communicate to the NAC Agent  with an empty requirement. If you have a policy associated with the  role, then the run-time services run through the posture policies  through one or more requirements associated with the policies and for  each requirement through one or more conditions.
    If you want to rollout for posture, you could use exception rules (check the top section of authorization rules) or you could do only posture audit for your rules so that everyone can get network access event though they're not compliant.

  • 2 ACS with 2 CRA

    Hi All,
    We have installed 2 ACS with two CRA installed in AD1 & AD2.
    The problem is when the CRA1 which is installed in AD1 is active everything working fine with both the ACS.
    But when the CRA1 is down & CRA2 is up which is installed in AD2 the authentication fails.
    Can anyone help in this regard? I have the logs if required I can upload the same.
    Thanks in advance
    Sachi

    Most likely this is a permission issue.
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
    CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    The accounting running remote agent service do not have admin rights . Make sure that account should have special priv like act as a part of OS and logon as service in ur sec policy.
    If you are already using admin account to run it then try using local system.
    Regards,
    ~JG

  • Cisco CE500 with dot1x issue

    Hi,
    I have a Cisco Switch CE500 and I need to function reliably dot1X. I used the "Network Assistant" and It did not work, dropped all ports connected to PCs that have the certificate. I have a network of switches running Cisco 2950/2960 with dot1x working properly. I access to http "exec mode" of the CE500 and I do comparing the text configuration between the CE500 and 2960, I edited the settings so that CE500 are the same text of 2960 but did not work.
    I have the profile for the switch in my RADIUS Server. In the CE500 I have the ip address of the RADIUS, key, AAA RADIUS, "aaa new-model"
    If, I eliminate the switch profile for the RADIUS, It logs me the device don't have profile for AAA.
    Attached example files
    ce500.txt ---- don't work
    2960.txt ------ it´s working well
    Help me please!

    in my case the tip from another tread helped me out. The tip was to set on the 2008 NPS in the Connection Policy the Rádius standart Attribut Framed MTU to less than 1400.
    In my case that made the deal !
    Reiner

  • Replacing ACS with ISE

    What is required to replace ACS with ISE in simple terms?
    I am looking to basically authenticate wired and wireless access against the local/AD) user database via Cisco kit
    I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses
    Is there a limit to how many devices or users the base can deal with in its simplest form.
    I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPS or Autonomous APs)
    thanks 
    dave

    yes you can authenticate the user using the ISE and but you need a advance license if you want to use both wire and wireless here is small table to help you understand the license requirements also the max. devices support depends on the type of deployment and with advance feature you have the abilitity of profiling and posturing which provide very good control for admins in the network
    Software Packages
    Options
    Base
    Capabilities: Basic network access and guest access
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: None
    Perpetual license
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Advanced
    Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: Base license
    Term license: 1, 3- and 5-year terms
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Wireless
    Capabilities: Basic network access, guest access, profiler, posture, and SGA
    Network deployment support: Wireless
    License prerequisite: None
    Term license: 1, 3- and 5-year terms
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Wireless Upgrade
    Capabilities: Basic network access, guest access, profiler, posture, and SGA
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: Wireless license
    Term license: 1, 3- and 5-year terms
    Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    ***Do rate Hekofuls posts***

  • ACS with MySQL

    Hi, Is it possible to use ACS with mySQL database?
    regards
    Steffen

    Depends on what you mean.
    The ODBC Authenticator (that is authenticate users against an external ODBC datasource) should work fine with mySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
    If you mean can you use mySQL for ACSs own internal database.. then no you cant.
    Darran

  • Integrating ACS with DC

    Hi All,
    I am trying to integrate ACS with the DC, can anyone please try to get me the Document to follow,
    Thanks.

    Hi Abdul
    Check my response (last post) in following conversation.
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB?cmd=display_location&location=.2cbe94a0
    Regards

  • ACS with Tivoli Identity Manager

    Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as a external database for user auth? Or do both products need to backend into the same LDAP dir for user/pass info?

    Yes, we have. ITIM has develped an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with Cisco ACS application through Cisco ACS available API. Through the ITIM agent, TIM can creat, delete and modify ACS user's account. No, Cisco ACS server can not use ITIM database as an external for user auth.

  • Integration of ACS with two different Domain in different forest

    Hi
    We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
    Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
    Thanks
    Ritesh

    It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
    HTH
    Jeremy

  • 802.1x(ACS) with avaya phones

    Hi All ,
    We are implementing wired dot1x for our wired users with EAP-TLS. When I am connecting laptop it is getting authenticated and it is working fine. For Voip(Avaya) we are using MAB .When we connect VOIP , after 30 seconds ACS is giving Access-accept(auth success) . But Voip is stuck up in Bad router state and VOIP is not working. If I connect the laptop behind the voip it is getting authenticated and it is working fine eventhough voip is stuck up.
    Is there a way we can reduce 802.1x auth timings , so that VOIP can register succesfully?
    The switch interface config is ,
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authetication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    Thanks,
    Vijay

    Hi,
    i am using AVAYA as well in production. They support 802.1X.
    Configure Voice VLAN on each Port.
    Let ACS send the radius attribute device-traffic-class=voice under
    Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
     and select Permission to join static.
    A good guide: IP Telephony for 802.1X Design Guide
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
    Regards Horst

  • ACS + Wired dot1x machine authentication

    Hi,
    I am trying to setup wired machine based authentication. I have followed this guide
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
    However I simply get the same error all the time on ACS.
    Invalid message authenticator in EAP request
    Switch config;
    interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20
    i am trying to setup group matching to perform vlan assignment however I am just entering under the unknown user policy at the min with no vlan assignment setup.
    Anyone shed any light on this, all I want to do is authenticate a machine via certificates issue a vlan id based on the machine name and AD group matching. No user authentication this can be done via the PDC.
    Purely using machine auth.
    Cheers
    Scott

    Hi Guys,
    The plot thickens, I can authenticate via user 802.1x and I can also authenticate the machine against my existing 4.1 ACS server however when using the new server 4.2 I get the external DB authentication failure??
    Thanks for your help.
    Scott

  • Nameidentifier claims is no longer in the token issued by Access Control Service(ACS) with newly created ACS

    Hi,
    In our existing ACS, when we add a new relying party with that associate with rule as bellow:
    input claim type as
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
    and output claim type as
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    When I used the ACS created previously, for token I received, I have
    Received claims with existing ACS:
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier:           testoem2,
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:             TESTOEM2-MS,
    htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider:                htps://wp8partnerservicesv1-tst.accesscontrol.windows.net/
    but for the new ACS namespace, when I configure it exactly the same way, I receive
    htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:             TestOem2-MS,
    htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider:                htps://zackpartnerservice1-tst.accesscontrol.windows.net/'
    The nameidentifier claim is no longer in the token.
    Does anyone from Azure ACS team know what change in ACS might have cause this issue and how do I config the ACS so that I can get nameidentifier claim in the token too?
    since my account is not verified, I use h_ttp instead of http in my question.
    thank you,
    Zach

    Greetings, Zach!
    Please refer to this:
    https://msdn.microsoft.com/en-us/library/hh446535.aspx
    The article elaborates how federated identity works with ACS.
    Thank you,
    Arvind

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attempt….e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE".
    The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
    As RSA SecurID token can only be used once this fails and locks the account.
    Any ideas on how to make two of Ciscos leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
    Let say both user and computer certs are employed:
    1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
    2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. Wot is the paramater that is checked against the AD database?
    I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    only TLS *handshake* is completed/succcessful, but because user authentication fails,
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
    And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
    HTH
    Regards,
    Prem

  • ACS with patch L 6 and Name column issue

    Has anyone experienced the following?
    My customer has used the migrate tool to migrate users from the ACS 4.2 to 5.3. He has also applied the patch level 6. However under the Identity Groups listed names (the Name column)- from some - to half of the name is missing [e.g lets say the name contains the following information: “Dimension Data”], after migrating only “Dimensi” to be seen.  He then removed the Patch Level 6 and reapplied with no success. Any advice or do I need to run to the TAC ••J
    Thanks a lot
    Lancellot Wendel

    Hi Tarik,
    thanks for the reply,
    with reg to the question
    "If you remove patch 6 and then migrate, does it work?"
    No it did not work either, well I guess I have to open a TAC case for this.
    thanks in advnace
    regards,
    lancellot

Maybe you are looking for

  • Regarding ReCreating Catalog in SQL Server 2005 which was existing in SQL Server 2000

    Hello I was using SQL SERVER 2000 ... In one table I've created FULL TEXT SEARCHING ( Full text catalog along with full text indexing) Now we had to install our db in SQL SERVER 2005 standard edition. But while taking script it gave me two lines like

  • A question about CLASSPATH and Package

    The configuration of my computer is: Windows98, C:\j2sdk1.4.0 Which in Autoexec.bat are included like this: path=C:\j2sdk1.4.0\bin set CLASSPATH=C:\j2sdk1.4.0\lib Then I make a new directory named t in C:\j2sdk1.4.0\lib, where there is a compiled fil

  • Create a java.util.Map in JNI

    hello all, Can anyone tell me how to create & use Java Maps in my C++ code... I've used java.util.Vector, it works fine. I work on a Sun Fire V440 machine. regards, gautam.

  • Filters Essbase - Maxl

    Is there a way to remove just the metaread access permission that I have in a specific filter using the maxl? Regards, Rafael Melo

  • VZ iphone: Data plans?  wifi?

    What are the available plans from Verizon? I thought I saw an unlimited data plan for $30 per month. Is that on top of the phone plan? How much would that be? How does the data plan work? If I go to a fancy website, or if someone sends a large image