ACS with Sidewinder G2
I am trying to implement Radius (using ACS v3.2) on Secure Computing's Sidewinder G2. It appears I need a VSA (vendor specific attribute) to make it work properly. I have tried it with Radius (IETF) but no luck. Any suggestions on how I might go about this ? Or is this even possible ?
If G2 Sidewinder firewall vendor has/require vendor specific attributes to be sent by authentication server, then we would require the VSA definition from the vendor.
On the other hand I have seen it working (basic authentication)with Radius IETF.
Regards,
~JG
Do rate helpful posts
Similar Messages
-
Hi All,
We have installed 2 ACS with two CRA installed in AD1 & AD2.
The problem is when the CRA1 which is installed in AD1 is active everything working fine with both the ACS.
But when the CRA1 is down & CRA2 is up which is installed in AD2 the authentication fails.
Can anyone help in this regard? I have the logs if required I can upload the same.
Thanks in advance
SachiMost likely this is a permission issue.
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
The accounting running remote agent service do not have admin rights . Make sure that account should have special priv like act as a part of OS and logon as service in ur sec policy.
If you are already using admin account to run it then try using local system.
Regards,
~JG -
What is required to replace ACS with ISE in simple terms?
I am looking to basically authenticate wired and wireless access against the local/AD) user database via Cisco kit
I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses
Is there a limit to how many devices or users the base can deal with in its simplest form.
I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPS or Autonomous APs)
thanks
daveyes you can authenticate the user using the ISE and but you need a advance license if you want to use both wire and wireless here is small table to help you understand the license requirements also the max. devices support depends on the type of deployment and with advance feature you have the abilitity of profiling and posturing which provide very good control for admins in the network
Software Packages
Options
Base
Capabilities: Basic network access and guest access
Network deployment support: Wired, wireless, and VPN
License prerequisite: None
Perpetual license
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Advanced
Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
Network deployment support: Wired, wireless, and VPN
License prerequisite: Base license
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wireless
License prerequisite: None
Term license: 1, 3- and 5-year terms
Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
Wireless Upgrade
Capabilities: Basic network access, guest access, profiler, posture, and SGA
Network deployment support: Wired, wireless, and VPN
License prerequisite: Wireless license
Term license: 1, 3- and 5-year terms
Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
***Do rate Hekofuls posts*** -
Hi, Is it possible to use ACS with mySQL database?
regards
SteffenDepends on what you mean.
The ODBC Authenticator (that is authenticate users against an external ODBC datasource) should work fine with mySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
If you mean can you use mySQL for ACSs own internal database.. then no you cant.
Darran -
Hi All,
I am trying to integrate ACS with the DC, can anyone please try to get me the Document to follow,
Thanks.Hi Abdul
Check my response (last post) in following conversation.
http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB?cmd=display_location&location=.2cbe94a0
Regards -
ACS with Tivoli Identity Manager
Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as a external database for user auth? Or do both products need to backend into the same LDAP dir for user/pass info?
Yes, we have. ITIM has develped an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with Cisco ACS application through Cisco ACS available API. Through the ITIM agent, TIM can creat, delete and modify ACS user's account. No, Cisco ACS server can not use ITIM database as an external for user auth.
-
Integration of ACS with two different Domain in different forest
Hi
We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
Thanks
RiteshIt is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
HTH
Jeremy -
Hi,
In our existing ACS, when we add a new relying party with that associate with rule as bellow:
input claim type as
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
and output claim type as
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
When I used the ACS created previously, for token I received, I have
Received claims with existing ACS:
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: testoem2,
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TESTOEM2-MS,
htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://wp8partnerservicesv1-tst.accesscontrol.windows.net/
but for the new ACS namespace, when I configure it exactly the same way, I receive
htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name: TestOem2-MS,
htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider: htps://zackpartnerservice1-tst.accesscontrol.windows.net/'
The nameidentifier claim is no longer in the token.
Does anyone from Azure ACS team know what change in ACS might have cause this issue and how do I config the ACS so that I can get nameidentifier claim in the token too?
since my account is not verified, I use h_ttp instead of http in my question.
thank you,
ZachGreetings, Zach!
Please refer to this:
https://msdn.microsoft.com/en-us/library/hh446535.aspx
The article elaborates how federated identity works with ACS.
Thank you,
Arvind -
Hi there,
We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
aaa-server XXXXX protocol tacacs+
accounting-mode simultaneous
reactivation-mode depletion deadtime 1
max-failed-attempts 1
aaa-server XXXXX inside host <SERVER>
key <SECRET>
timeout 5
aaa authentication telnet console XXXXX LOCAL
aaa authentication enable console XXXXX LOCAL
aaa authentication ssh console XXXXX LOCAL
aaa authentication http console XXXXX LOCAL
aaa authentication serial console XXXXX LOCAL
aaa accounting command XXXXX
aaa accounting telnet console XXXXX
aaa accounting ssh console XXXXX
aaa accounting enable console XXXXX
aaa accounting serial console XXXXX
aaa authorization command XXXXX LOCAL
Problems:
Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attemptâ¦.e.g.
1st Attempt = Server 1
2nd Attempt = Server 2
3rd Attempt = Server 3
4th Attempt = Server 4
This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
With âdepletion timedâ configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
âWARNING: Fallback authentication is configured, but reactivation mode is set to
timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
mechanism.â
The next issue is that of accounting.....AAA Accounting does not record âSHOWâ commands or session accounting records (start/stop) or âENABLE".
The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
As RSA SecurID token can only be used once this fails and locks the account.
Any ideas on how to make two of Ciscos leading security products work together better?Just re-reading the PIX/ASA 7.2 command reference guide below:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
It appears some of the above are known issues.
PASSCODE issue, page 2-17 states:
We recommend that you use the same username and password in the local database as the
AAA server because the security appliance prompt does not give any indication which method is being used.
Failure to LOCAL, page 2-42 states:
You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
AAA Accounting, page 2-2 states:
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
ASDM issue, page 2-17 states:
HTTP management authentication does not support the SDI protocol for AAA server group
So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
Is there a roadmap to improve this with later versions of the OS?
Will the PIX/ASA code ever properly support the same features as IOS?
Would it be better to look at using something like CSM instead of ASDM? -
Cisco ACS with External DB - EAP-TLS
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
Let say both user and computer certs are employed:
1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. Wot is the paramater that is checked against the AD database?
I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Kenonly TLS *handshake* is completed/succcessful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
HTH
Regards,
Prem -
ACS with patch L 6 and Name column issue
Has anyone experienced the following?
My customer has used the migrate tool to migrate users from the ACS 4.2 to 5.3. He has also applied the patch level 6. However under the Identity Groups listed names (the Name column)- from some - to half of the name is missing [e.g lets say the name contains the following information: “Dimension Data”], after migrating only “Dimensi” to be seen. He then removed the Patch Level 6 and reapplied with no success. Any advice or do I need to run to the TAC ••J
Thanks a lot
Lancellot WendelHi Tarik,
thanks for the reply,
with reg to the question
"If you remove patch 6 and then migrate, does it work?"
No it did not work either, well I guess I have to open a TAC case for this.
thanks in advnace
regards,
lancellot -
Register Secondary ACS with Primary ACS 5.4 patch 6 and getting error
Scenario #1:
prodacs1 and prodacs2 version 5.4 patch 6 with IP address of 10.1.1.1/24 and 10.1.1.2/24, respectively.
Both prodacs1 and prodacs2 are running on VMWare ESXi 5.1. Both are sync'ed with Active Directory
and authenticate users to manage Cisco routers and switches without any issues. prodacs1 is the Primary
and prodacs2 is the Secondary. BOTH prodacs1 and prodacs2 USE THE SAME LICENSE. Both prodacs1 and
prodacs2 are resolved in DNS for both forward and reverse lookup. In this production environment, everything is working as expected.
Scenario #2: NEW deployment in the lab
labdacs1 and labacs2 version 5.4 patch 6 with IP address of 192.168.1.1/24 and 192.168.1.2/24, respectively.
Both labacs1 and labacs2 are running on VMWare ESXi 5.1. Both are sync'ed with Active Directory. BOTH
labacs1 and labacs2 USE THE SAME LICENSE as scenario #1. Both labacs1 and labacs2 are resolved in DNS for both
forward and reverse lookup.
However, when I tried to add labacs2 into labacs1 so that labacs2 is the secondary and labacs1 to be the
primary. From labacs2 interface: System Administration >Operations >Local Operations >Deployment Operations,
I enter the hostname/IP address, username/password of labacs1, then I click on "Register with Primary", I get
this message:
This System Failure occurred: server cannot be added to the deployment.
Server has same License ID as server labacs1 that already exists in the deployment.
Your changes have not been saved.Click OK to return to the list page.
Why is not working? Furthermore, why is it working in one environment but not the other with the same
idetical ACS version & patch. Work in production environment but not other.
Anyone has run into this before? how do you fix this?What type of license are you using in first deployment?
There are 2 type of licenses
Base license - Install a unique base license for each of the ACS secondary servers in the deployment.
Large Deployment add-on license - It allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment, as it is shared by all instances
Please check what type of license are you running in your deployment.
In order to fix issue in your 2nd deployment you need reset-application config on your secondary, install the new unique base license (based on show udi) and register it to primary node to get the configuration replicated.
Regards,
Jatin Katyal
**Do rate helpful posts** -
Hi,
I was wondering - is there any way when configuring ACS for Radius Proxy into Vasco that particular usernames in Vasco can be mapped to ones in ACS in order to apply attributes to only certain people?
My understanding so far is that if ACS cannot find the username in its local database it will back it off into an external database if configured, such as Vasco. However i need different group policies applied to particular users by using attributes.
Thanks in advance for your help!
AndyHi Andy,
To enable per-user group mapping, configure the external user database to return authentication responses that contain the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair with the following value:
ACS:CiscoSecure-Group-Id = N
where N is the CiscoSecure ACS group number (0 through 499) to which CiscoSecure ACS should assign the user. For example, if Radius Token Server authenticated a user and included the following value for the Cisco IOS/PIX RADIUS attribute 1, [009\001] cisco-av-pair: ACS:CiscoSecure-Group-Id = 37
CiscoSecure ACS assigns the user to group 37 and applies authorization associated with group 37.
Hope this helps,
somishra -
ACS with VPN Concentrator : IP address attribution
Hello,
I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
Thanks !
Patriceyes it can be done at works very well under the radius attributes uses the:
[014] Login-IP-Host
NAS Specifies
User Specifies
Other
Check other and then add the ip address that you want to assigned -
802.1x(ACS) with avaya phones
Hi All ,
We are implementing wired dot1x for our wired users with EAP-TLS. When I am connecting laptop it is getting authenticated and it is working fine. For Voip(Avaya) we are using MAB .When we connect VOIP , after 30 seconds ACS is giving Access-accept(auth success) . But Voip is stuck up in Bad router state and VOIP is not working. If I connect the laptop behind the voip it is getting authenticated and it is working fine eventhough voip is stuck up.
Is there a way we can reduce 802.1x auth timings , so that VOIP can register succesfully?
The switch interface config is ,
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authetication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
Thanks,
VijayHi,
i am using AVAYA as well in production. They support 802.1X.
Configure Voice VLAN on each Port.
Let ACS send the radius attribute device-traffic-class=voice under
Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
and select Permission to join static.
A good guide: IP Telephony for 802.1X Design Guide
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
Regards Horst
Maybe you are looking for
-
How can I print directly from my iPad to my new Primax 3260 printer when I have no computer? Do I need a portable one to one Router for the wiFi connection. My Internet is through Telstra 3G system.
-
DV6500 Physical Memory Limitation to 3gb
Hi All, My DV6500 Entertainment PC came with Windows Vista 32-bit preinstalled which limited my usable memory from 4gb to 3gb. I recently upgraded to Windows Home Premium 32-bit which I believe has a physical memory limitation of 4gb (http://msdn.mic
-
Getting operation bindings in constructor of managed bean
Hi, Jdeveloper version - 11.1.1.5.0 I have a request scoped managed bean public class getOperationBindingBean { private RichCommandButton button; public getOperationBindingBean() { BindingContainer bindings = getBindings(); Op
-
Storage tab screw-up - What's up?
OK - so here's the thing... until I did the latest Java update, my Storage tab was pretty accurate. It showed that I had about 177GB of Audio files (true). Now it seems as if all those audio files are being included in "Other" - here's a screenshot o
-
Saving Landscape File with PDFCreator but opens in Portrait
When I save a file in landscape it opens in portrait. any help? i am using pdfcreator