ACS with RSA for privilege level 'enable' authentication

Similar Messages

• TMG with RSA for OWA on the same URL as EAS

  Hi
  We have a requirement to use RSA authentication for external OWA users on Exchange 2010.  Exchange ActiveSync users will not be affected and will authenticate normally.  We currently have OWA, EAS and Autodiscover on the same URL mail.company.com.
  I have installed TMG on a server with 1 NIC on our DMZ.  I have set up 3 listeners, one for OWA with RSA, one for EAS and one for Autodiscover.  The problem is the OWA/RSA listener can't share the same IP as the others (I get an 'overlap' error
  message) so I have had to add a 2nd IP address to the server NIC to solve that.  All looks OK on TMG except now I have the problem that all the traffic is coming into our firewall on one URL and has to be NATted to only one of the 2 IP addresses.
  Do I need to have separate external URL's for OWA and EAS/Autodiscover so that they can be NATted to different IP addresses and hence different listeners?  Is there an easier way to split the traffic?
  Thanks

  Hi,
  The following part in the thread below might help.
  Quote:
  We have a firewall in front of the TMG that we are using static NATs. So I would have to create another static NAT for the IP i just added to my external NIC for ActiveSync.
  Create two external DNS entries. One for owa.domain.com and one for activesync.domain.com and point them to their respective IPs.
  For more information:
  http://social.technet.microsoft.com/Forums/en-US/119c0a10-b475-449f-b2ea-15fe260e89ce/publishing-exchange-2010-owa-with-rsa-secureid-authentication-and-active-sync?forum=Forefrontedgegeneral
  Best Regards,
  Joyce
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Tree with checkbox for each level

  1. I have a tree an I want to add a check box to every node. I saw this fonctionality with Java and with a lot of programs (install with choises). I don't know if this is possible with FORMS. If not how knows a solution for this problem ?
  2. My tree is based to a SELECT and I want to add a parent for my tree
  and I don't know how to do it. The problem is this : the value for each node from the first level IS NULL.
  Thanks
  Bye

  I need this functionality because I have to select data's from a tree with 3 or 4 levels (like in the install software when we select to install only what we need).
  There is a lot of information and it's difficult to display all of it in the screen.

• Vrf aware dmvpn with ipsec profile breaks while enabling authentication in EIGRP named mode

  Hi Friends,
  I build a vrf aware dmvpn using IPSec profile and I got the DMVPN and IPSec crypto as UP and able to do advertise using EIGRP.
  But the crypto and DMVPN breaks while I enabled the authentication in EIGRP named mode.
  Once i remove the authentication, it works fine.
  Any advice, how to solve this issue ? Any crypto commands need to add to make this work ?
  Regards
  Riyas Rasheed

  Hi,
  I attached the config I did, till I apply the authentication in EIGRP,
  once I applied the below config, the dmvpn will break
  ""router eigrp EIGRP
  add ipv4 autonom 45678
  af-interface tu0
  authentication mode hmac-sha256 KEY""
  See any more configs I need to add in the crypto to make the dmvpn  up.
  Thanks

• ACS 5.3 Integration With RSA

  Hi People,
  I have Integrated the ACS 5.3 with AD.
  Now my next goal is to Integrate ACS with RSA in such a way that all my Cisco devices should use the username and password from the AD.
  The enable privilege level should come from the RSA Token OTP.
  Is it possible to do such a thing with ACS 5.3???
  If so how could i do it???
  Thanks,
  Manoj

  I think that can try and make a rule in the identity policy based on the Service attribute in the TACACS+ dictionary
  (this is not tested and based on my recollection so would need your verification)
  1) Create a custom condition for the service attribute in TACACS+ dictionary
  Policy Elements > Session Conditions > Custom
  Create: Dictionary: TACACS+ ; Attribute:Service
  2) Utilize in a rule in Device Admin identity policy
  Access Policies > Access Services > Default Device Admin > Identity
  Sselect a rule based
  Customize based on condition in 1
  Create a rule for when Service is "Enable". Select identity source as RSA in this case

• I still have this "SHA1 with RSA" problem in Java (Sun, are you listening?)

  I posted this (in bold) a few days ago:
  I obtained a CSR from GoDaddy. The only cipher suite GoDaddy supports is "SHA1 with RSA", which is not in the list of Java 1.6.0_01 supported ciphers.
  Can I get "SHA1 with RSA" for Java somewhere?
  Should I revoke my CSR from GoDaddy and get a CSR from somebody who can provide me with a Java-supported cipher?
  If the answer to the above question is "yes", to whom should I go for the CSR?
  Thanks.
  It was suggested that I try another certificate provider. I tried Thawte. Here is the response I got from Thawte (in bold):
  Unfortunately all Certificate Authorities will have their certificates on SHA1
  with RSA as that is the latest in encryption technology. We have a product
  that you can use to sign your Java files, which is called the JavaSoft code
  signing certificate.
  For the setup that you are attempting, our SSL certificates will not work. I recommend
  that you attempt to update the Java version that you are using in order to ascertain
  if this will resolve the issue that you are experiencing.
  I am running JRE 1.6.0_01. That is the latest version of Java, to my knowledge. And yet it does not support "SHA1 with RSA".
  What can I do to get Java to support "SHA1 with RSA".
  Thanks.

  Blimey, everybody is crazy?
  Can I suggest you post this issue to the java-security mailing list. You will definitely get a response from Sun there. [email protected]:
  http://archives.java.sun.com/archives/java-security.html

• PRIVILEGE LEVELS FOR ACS WITH AD DATABASE

  How do I configure two separate privilige levels for two groups. These groups exist in the AD database i.e. my ACS (Pri & Backup) are looking in AD for authentication.

  Hi ,
  If you are using TACACS ,
  Bring users/groups in at level needed
  1. Go to user or group setup in ACS
  2. Drop down to "TACACS+ Settings"
  3. Place a check in "Shell (Exec)"
  4. Place a check in "Privilege level" and enter " priv "(1 to 15) in the adjacent field
  If you are using RADIUS,
  aaa new-model
  aaa authentication login default group radius local
  aaa authorization exec default group radius local
  radius-server host X.X.X.X key XXXX
  Following is the configuration required in the Radius Server
  The AV pair in the ACS -->group setup--> IETF RADIUS Attributes
  [006] Service-Type = Login
  /* Following is for getting the user straight in privledge mode */ to set priv 15
  The AV pair in Cisco IOS/PIX RADIUS Attributes
  [009\001] cisco-av-pair = shell:priv-lvl=15
  For more information on above commands, please refer to the following link :-
  http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsec
  ur_c/fsaaa/index.htm
  Please try the above and let me know if this helps.
  Thanks

• RSA SecurID authentication and privilege level

  Hello,
  I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore,I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level when I access a router it lands me in user mode. I'm trying to set up a administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode but I'm having difficulty doing this.
  Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

  Hello.
  Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA , but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use a ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
  I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

• Username with privilege level 15 bypass enable

  Hi experts,
  I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
  AAA has to be enabled because I'm using it for 802.1x as well.
  The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
  aaa new-model
  username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
  username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
  line vty 0 5
  access-class 100 in
  exec-timeout 30 0
  logging synchronous
  transport input ssh
  And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?
  Thanks!

  Hi,
  The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX.
  In case you want it for users who are trying to login to via ssh or telnet use the following:
  EXEC AUTHORIZATION
  Router
  router(config)#aaa authorization exec TEL GRoup radius local
  router(config)#line vty 0 15
  router(config-line)#authorization exec TEL
  ACS
  Interface configuration
  Check  user & group for cisco av-pair.
  User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
  OR
  Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
  In case of radius if exec authorization is enabled  and if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabled  or enable password is defined  on the router then we can go to enable mode by typing en or en
  Regards,
  Anisha
  P.S.: please mark this thread as resolved if you think your query is answered.

• Enabling Privilege Levels when ACS is Down

  Hi,
  I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
  adminro is read only and will have a privilege level of 7.
  adminrw is a full access account with a priv level of 15.
  I can login with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following ouput:
  PPD-ELPUF5/pri/act> en 7
  Enabling to privilege levels is not allowed when configured for
  AAA authentication. Use 'enable' only.
  If I login using "enable", my read only account now has full configuration access which is not desireable.
  My AAA configuration is as follows:
  aaa authentication ssh console ADMIN LOCAL
  aaa authentication enable console ADMIN LOCAL
  aaa authentication http console ADMIN LOCAL
  aaa authentication telnet console ADMIN LOCAL
  aaa authentication serial console ADMIN LOCAL
  aaa authorization command ADMIN LOCAL
  aaa accounting ssh console ADMIN
  aaa accounting command privilege 15 ADMIN
  aaa accounting enable console ADMIN
  aaa accounting serial console ADMIN
  aaa accounting telnet console ADMIN
  aaa authorization exec authentication-server
  username adminro password <REMOVED> encrypted privilege 7
  username adminrw password <REMOVED> encrypted privilege 15
  enable password <REMOVED> level 7 encrypted
  enable password <REMOVED> encrypted
  Is there anyway to enable the user or automatically elevate the user to privilege 7 post login like you can with a router? I cannot have the adminro account to be able to run configuration commands on the device. Running ASA version 8.2(3).
  Thanks!

  PPD-ELPUF5/pri/act# sh curpriv
  Username : adminro
  Current privilege level : 7
  Current Mode/s : P_PRIV
  Server Group:    ADMIN
  Server Protocol: tacacs+
  Server Address:  1.150.1.80
  Server port:     49
  Server status:   FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
  Number of pending requests              0
  Average round trip time                 2ms
  Number of authentication requests       38
  Number of authorization requests        373
  Number of accounting requests           149
  Number of retransmissions               0
  Number of accepts                       307
  Number of rejects                       19
  Number of challenges                    0
  Number of malformed responses           0
  Number of bad authenticators            0
  Number of timeouts                      234
  Number of unrecognized responses        0
  PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
  PPD-ELPUF5/pri/act(config)# sh run name
  name 1.1.1.1 TEST description TEST CHANGE
  As you can see above, my user was able to perform a change even though it should not be allowed.
  PPD-ELPUF5/pri/act(config)# sh run privilege
  privilege cmd level 7 mode exec command show
  privilege cmd level 7 mode exec command ping
  privilege cmd level 7 mode exec command traceroute

• Setting privilege level for logging into ASA through ACS

  Hi!,
  In my environment i implemented AAA for logging into switches, routers, asa etc through ACS which is being configured TACACS+.
  I have set different privilege levels like readonly, readwrite etc into ACS. There are working fine when i try to login into switch or router.
  But in ASA i am unable to restrict the privilege levels of different users.
  Can someone plz guide me with ASA & ACS setting to solve this issue!!!!!

  Hi!!
  I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
  I created 3 profiles in "Shared Profiles" & added 1 of them in Group setting & added users to this group with mentioning group authentication. This way i am able to control access to the switches & routers with proper privilege. But the same way when i tried to impolement ASA it's not happening.
  Can u plz check it out...

• Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

  Hello,
  I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
  the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
  The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
  So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
  Please advise.  And providing links to cisco documentation would be great too.
  Thanks,
  Brendan

  Hi Berendan,
  Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
  About Authorization
  Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
  •Management commands
  •Network access
  •VPN access
  Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
  If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
  The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
  Regards
  Karthik

• Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

  Hi,
  Customer currently uses ASA to directly integrate with RSA kind of solution to provide 2 factor authentication mechanism for VPN user access.  We're considering to introduce ISE to this picture, and to offload posture analysis from ASA to ISE.  And the flow we're thinking is to have ASA interface to ISE and ISE interface to RSA and AD backend infrastructure.  And we still need the 2 factor authentication to work, i.e., customer gets a SMS code in addition to its login username and password.  I'm wondering if ASA/ISE/RSA/AD integrated solution (and with 2 factor authentication to work) is a tested solution or Cisco validate design?  Any potential issue may break the flow?
  Thanks in advance for any input!
  Tina

  Hi,
  I have an update for this quite broad question.
  I have now came a bit further on the path.
  Now the needed Radius Access Attribute are available in ISE after adding them in
  "Policy Elements" -> "Dictionaris" -> "System" -> "Radius" -> "Cisco-VPN3000".
  I added both the attribute 146 Tunnel-Group-Name which I realy need to achive what I want(select diffrent OTP-backends depending on Tunnel Group in ASA) and the other new attribute 150 Client-Type which could be intresting to look at as well.
  Here the "Diagnostics Tools" -> "Generel tools" -> "TCP Dump" and Wireshare helped me understand how this worked.
  With that I could really see the attributes in the radius access requests going in to the ASA.
  Now looking at a request in "Radius Authentication details" I have
  Other Attributes:
  ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
  Ok, the tunnel group name attribute seems to be understood correct, but Client-Type just say =, no value for that.
  That is strange, I must have defined that wrong(?), but lets leave that for now, I do not really need it for the moment being.
  So now when I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
  Problem now is that as soon as I in an expression add a criteria containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), then that row does not match any more. It still work matching against NAS-IP and other attributes.
  What could it be I have missed?
  Best regards
  /Mattias

• Privilege level with ACS

  I am trying to configure a group of users to get read only access onto our equipement ( switches and routers) and specifically show run or show start. i set the command set to permit those 2 commands and i created a rule for that group but it does work as desired.
  any ideas?  Thank you.

  There are a couple of ways that you can accomplish what you are looking to do.  What you need to remember is that when showing the running-config you can only see what you have authorization to configure so just allowing a RO user to execute the show run command isn't going to show them much.
  One thing you could do is to lower the privilege level required to run the "show configuration" command.  The command is "privilege exec level 1 show configuration" and would need to be applied to all your devices.  This would allow privilege level 1 users to view the startup-config but not the running-config.
  Since you are running ACS another solution would be to create a rule to permit these RO users to login and actually authorize at level 15 which by default allows one to configure everything (remember to be able see it in the running-config you must be authorized to configure it).  Then create a limited command set that only allows the commands they need to use.
  Hope this helps,
  Greg

• User privilege level for configuration backup with PI 1.2

  We have more than 50 devices handling by PI 1.2 (testing) I like to know how to do configuration archiving with user who doesn't have write privilege.
  I tried like this.
  username john privilege 6 password cisco
  privilege exec level 6 show running-config
  (result) show run --> blank
    I tried this user with one of switch in PI 1.2. It did not do configuration backup
  username inout password inout
  username inout privilege 15 autocommand show running-config
  (result) once logged in, it automatically showed running-config. However when I tried with PI 1.2 with this user (inout). I couldn't do configuration back.
  reference
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800949d5.shtml
  so, my question is this. what is the solution for me to create certain user with read-only privilege while PI 1.2 is able to do configuration archiving ?
  thanks in advance

  7.4 MSE code will in fact require an update of Prime 1.2 to 1.3.0.20-
  It's pretty easy though and your licenses will still work from the Prime Infra side.
  Here's a link to upgrade PI to 1.3
  http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/infrastructure/1.3/release/notes/cpi_rn_13.html#wp73605
  I personally would go ahead with the upgrade of both:::