ACS with Vasco

Similar Messages

• 2 ACS with 2 CRA

  Hi All,
  We have installed 2 ACS with two CRA installed in AD1 & AD2.
  The problem is when the CRA1 which is installed in AD1 is active everything working fine with both the ACS.
  But when the CRA1 is down & CRA2 is up which is installed in AD2 the authentication fails.
  Can anyone help in this regard? I have the logs if required I can upload the same.
  Thanks in advance
  Sachi

  Most likely this is a permission issue.
  CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
  CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
  CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
  CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
  CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
  The accounting running remote agent service do not have admin rights . Make sure that account should have special priv like act as a part of OS and logon as service in ur sec policy.
  If you are already using admin account to run it then try using local system.
  Regards,
  ~JG

• Replacing ACS with ISE

  What is required to replace ACS with ISE in simple terms?
  I am looking to basically authenticate wired and wireless access against the local/AD) user database via Cisco kit
  I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses
  Is there a limit to how many devices or users the base can deal with in its simplest form.
  I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPS or Autonomous APs)
  thanks 
  dave

  yes you can authenticate the user using the ISE and but you need a advance license if you want to use both wire and wireless here is small table to help you understand the license requirements also the max. devices support depends on the type of deployment and with advance feature you have the abilitity of profiling and posturing which provide very good control for admins in the network
  Software Packages
  Options
  Base
  Capabilities: Basic network access and guest access
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: None
  Perpetual license
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
  Advanced
  Capabilities: Profiler and feed service, posture, MDM integration, automated endpoint onboarding, and Security Group Access (SGA)
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Base license
  Term license: 1, 3- and 5-year terms
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
  Wireless
  Capabilities: Basic network access, guest access, profiler, posture, and SGA
  Network deployment support: Wireless
  License prerequisite: None
  Term license: 1, 3- and 5-year terms
  Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
  Wireless Upgrade
  Capabilities: Basic network access, guest access, profiler, posture, and SGA
  Network deployment support: Wired, wireless, and VPN
  License prerequisite: Wireless license
  Term license: 1, 3- and 5-year terms
  Upgrade licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
  ***Do rate Hekofuls posts***

• ACS with MySQL

  Hi, Is it possible to use ACS with mySQL database?
  regards
  Steffen

  Depends on what you mean.
  The ODBC Authenticator (that is authenticate users against an external ODBC datasource) should work fine with mySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
  If you mean can you use mySQL for ACSs own internal database.. then no you cant.
  Darran

• Integrating ACS with DC

  Hi All,
  I am trying to integrate ACS with the DC, can anyone please try to get me the Document to follow,
  Thanks.

  Hi Abdul
  Check my response (last post) in following conversation.
  http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&CommCmd=MB?cmd=display_location&location=.2cbe94a0
  Regards

• ACS with Tivoli Identity Manager

  Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as a external database for user auth? Or do both products need to backend into the same LDAP dir for user/pass info?

  Yes, we have. ITIM has develped an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with Cisco ACS application through Cisco ACS available API. Through the ITIM agent, TIM can creat, delete and modify ACS user's account. No, Cisco ACS server can not use ITIM database as an external for user auth.

• Integration of ACS with two different Domain in different forest

  Hi
  We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
  Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
  Thanks
  Ritesh

  It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  HTH
  Jeremy

• Nameidentifier claims is no longer in the token issued by Access Control Service(ACS) with newly created ACS

  Hi,
  In our existing ACS, when we add a new relying party with that associate with rule as bellow:
  input claim type as
  htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
  and output claim type as
  htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  When I used the ACS created previously, for token I received, I have
  Received claims with existing ACS:
  htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier:           testoem2,
  htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:             TESTOEM2-MS,
  htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider:                htps://wp8partnerservicesv1-tst.accesscontrol.windows.net/
  but for the new ACS namespace, when I configure it exactly the same way, I receive
  htp://schemas.xmlsoap.org/ws/2005/05/identity/claims/name:             TestOem2-MS,
  htp://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider:                htps://zackpartnerservice1-tst.accesscontrol.windows.net/'
  The nameidentifier claim is no longer in the token.
  Does anyone from Azure ACS team know what change in ACS might have cause this issue and how do I config the ACS so that I can get nameidentifier claim in the token too?
  since my account is not verified, I use h_ttp instead of http in my question.
  thank you,
  Zach

  Greetings, Zach!
  Please refer to this:
  https://msdn.microsoft.com/en-us/library/hh446535.aspx
  The article elaborates how federated identity works with ACS.
  Thank you,
  Arvind

• Using ACS with PIX/ASA

  Hi there,
  We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
  We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
  Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
  aaa-server XXXXX protocol tacacs+
  accounting-mode simultaneous
  reactivation-mode depletion deadtime 1
  max-failed-attempts 1
  aaa-server XXXXX inside host <SERVER>
  key <SECRET>
  timeout 5
  aaa authentication telnet console XXXXX LOCAL
  aaa authentication enable console XXXXX LOCAL
  aaa authentication ssh console XXXXX LOCAL
  aaa authentication http console XXXXX LOCAL
  aaa authentication serial console XXXXX LOCAL
  aaa accounting command XXXXX
  aaa accounting telnet console XXXXX
  aaa accounting ssh console XXXXX
  aaa accounting enable console XXXXX
  aaa accounting serial console XXXXX
  aaa authorization command XXXXX LOCAL
  Problems:
  Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
  Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
  PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attempt….e.g.
  1st Attempt = Server 1
  2nd Attempt = Server 2
  3rd Attempt = Server 3
  4th Attempt = Server 4
  This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
  With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
  “WARNING: Fallback authentication is configured, but reactivation mode is set to
  timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
  mechanism.”
  The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE".
  The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
  As RSA SecurID token can only be used once this fails and locks the account.
  Any ideas on how to make two of Ciscos leading security products work together better?

  Just re-reading the PIX/ASA 7.2 command reference guide below:
  http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
  It appears some of the above are known issues.
  PASSCODE issue, page 2-17 states:
  We recommend that you use the same username and password in the local database as the
  AAA server because the security appliance prompt does not give any indication which method is being used.
  Failure to LOCAL, page 2-42 states:
  You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
  AAA Accounting, page 2-2 states:
  To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
  ASDM issue, page 2-17 states:
  HTTP management authentication does not support the SDI protocol for AAA server group
  So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
  Is there a roadmap to improve this with later versions of the OS?
  Will the PIX/ASA code ever properly support the same features as IOS?
  Would it be better to look at using something like CSM instead of ASDM?

• Cisco ACS with External DB - EAP-TLS

  Hi Guys,
  I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
  Let say both user and computer certs are employed:
  1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
  2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
  2b. Wot is the paramater that is checked against the AD database?
  I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
  Client Certificates
  Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
  CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
  SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
  Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
  3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
  Please can someone help me with these points.
  I am so lost in this stuff :)) I think.
  Many thx and many kind regards,
  Ken

  only TLS *handshake* is completed/succcessful, but because user authentication fails,
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
  EAP: EAP-TLS: Handshake succeeded
  EAP: EAP-TLS: Authenticated handshake
  EAP: EAP-TLS: Using CN from certificate as identity for authentication
  EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
  pvAuthenticateUser: authenticate 'jatin' against CSDB
  pvCopySession: setting session group ID to 0.
  pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
  pvAuthenticateUser: authenticate 'jatin' against Windows Database
  External DB [NTAuthenDLL.dll]: Creating Domain cache
  External DB [NTAuthenDLL.dll]: Loading Domain Cache
  External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Domain cache loaded
  External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
  External DB [NTAuthenDLL.dll]: User jatin was not found
  pvCheckUnknownUserPolicy: setting session group ID to 0.
  Unknown User 'jatin' was not authenticated
  So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
  And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
  HTH
  Regards,
  Prem

• ACS with patch L 6 and Name column issue

  Has anyone experienced the following?
  My customer has used the migrate tool to migrate users from the ACS 4.2 to 5.3. He has also applied the patch level 6. However under the Identity Groups listed names (the Name column)- from some - to half of the name is missing [e.g lets say the name contains the following information: “Dimension Data”], after migrating only “Dimensi” to be seen.  He then removed the Patch Level 6 and reapplied with no success. Any advice or do I need to run to the TAC ••J
  Thanks a lot
  Lancellot Wendel

  Hi Tarik,
  thanks for the reply,
  with reg to the question
  "If you remove patch 6 and then migrate, does it work?"
  No it did not work either, well I guess I have to open a TAC case for this.
  thanks in advnace
  regards,
  lancellot

• Register Secondary ACS with Primary ACS 5.4 patch 6 and getting error

  Scenario #1:
  prodacs1 and prodacs2 version 5.4 patch 6 with IP address of 10.1.1.1/24 and 10.1.1.2/24, respectively.  
  Both prodacs1 and prodacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory
  and authenticate users to manage Cisco routers and switches without any issues.  prodacs1 is the Primary
  and prodacs2 is the Secondary.  BOTH prodacs1 and prodacs2 USE THE SAME LICENSE.  Both prodacs1 and
  prodacs2 are resolved in DNS for both forward and reverse lookup.  In this production environment, everything is working as expected.
  Scenario #2:  NEW deployment in the lab
  labdacs1 and labacs2 version 5.4 patch 6 with IP address of 192.168.1.1/24 and 192.168.1.2/24, respectively.  
  Both labacs1 and labacs2 are running on VMWare ESXi 5.1.  Both are sync'ed with Active Directory.  BOTH
  labacs1 and labacs2 USE THE SAME LICENSE as scenario #1.  Both labacs1 and labacs2 are resolved in DNS for both
  forward and reverse lookup.
  However, when I tried to add labacs2 into labacs1 so that labacs2 is the secondary and labacs1 to be the
  primary.  From labacs2 interface: System Administration >Operations >Local Operations >Deployment Operations,
  I enter the hostname/IP address, username/password of labacs1, then I click on "Register with Primary", I get
  this message:
  This System Failure occurred:  server cannot be added to the deployment.
  Server has same License ID as server labacs1 that already exists in the deployment.
  Your changes have not been saved.Click OK to return to the list page.
  Why is not working?  Furthermore, why is it working in one environment but not the other with the same
  idetical ACS version & patch.  Work in production environment but not other.
  Anyone has run into this before?  how do you fix this?

  What type of license are you using in first deployment?
  There are 2 type of licenses 
  Base license - Install a unique base license for each of the ACS secondary servers in the deployment.
  Large Deployment add-on license - It allows a deployment to support more than 500 network devices. Only one Large Deployment license is required per deployment, as it is shared by all instances
  Please check what type of license are you running in your deployment.
  In order to fix issue in your 2nd deployment you need reset-application config on your secondary, install the new unique base license (based on show udi) and register it to primary node to get the configuration replicated.
  Regards,
  Jatin Katyal
  **Do rate helpful posts**

• Cisco WLC 2500 - 802.1x with Vasco Radius SMS OTP

  Hello folks,
  I have what seems to be a complex implementation with many things that need to be done on a customers network and I wanted to be pointed in the right direction.
  The current scenario is such, the customer has a Cisco WLC 2500 device that has 3 access points(these are in the same AP group) connected to it. There is one SSID that I will call PRODUCTION here that some domain users use to connect to the local network. The customer has requested to have a GUEST SSID added to the WLC where guest users will connect to and recieve a SMS OTP for authentication.
  Correct me if I am wrong, but I will obviously need to segment the SSIDs to have them running on different subnets to ensure that guest users do not have access to the production network once they authenticate. In order to do this I will need to configure Dynamic VLAN assignment for the Cisco WLC and connect it to a 802.1x port on the switch.
  Now what is not clear is I am not interested in authenticating the users that connect via "Production SSID" and want to bypass authentication for those users and have them assigned to the default vlan (or maybe perhaps have them authenticate via LDAP on the AD), however I want to force the "GUEST" SSID users to authenticate so that they may recieve an SMS OTP (reason for this is to force guests to register their phone numbers to use the internet so that Illegal activity may be tracked).
  1)So would it be possible to bypass authentication(or authenticate them via LDAP) for the PRODUCTION SSID as only domain users would know the SSID password to log on and have them by default assigned to the production subnet (default vlan) but force the GUEST SSID users to another VLAN via 802.1x sms otp?
  2)*Important* Another issue that is not clear is will I be able to directly configure AAA Radius settings on the Cisco WLC to directly authenticate with the VASCO Radius OTP and recieve a challenge-response(required for OTP) during authentication? As I have seen from Ciscos Dynamic VLAN assignment docuementation (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml) additional IETF Radius Perimeters are used such as Tunnel-Private-Group-ID etc are used which I can't seem to configure on the Vasco.
  I do beileve this is a great project in helping me understand the INs and OUTs of CISCO WLC as well as Wireless NAC, If anyone could enlighten me and point me in the right direction I would be forever in debt. Much appreciated.
  Best Regards
  Sinan Barghouthi - JNCIA-FWV , JNCIA-IDP , CCA-NS , TCSM-8.0

  On your WLAN you can enable AES and TKIP. Just know that some clients mau have issue when they see both TKIP and AES. Ive had pretty good success with this in the past. Dont forget, you also need to enable WMM allowed to get N rates.
  But you will need to configure AES on the client as well to support N rates.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• ACS with VPN Concentrator : IP address attribution

  Hello,
  I need to know if it is possible for ACS to attribute an IP address to the VPN Clients connected to a VPN Concentrator, with XAUTH, instead of the VPN Concentrator,and if yes : how can I do, what is the procedure ? With the attribute Framed IP Address ? Does it work ?
  Thanks !
  Patrice

  yes it can be done at works very well under the radius attributes uses the:
  [014] Login-IP-Host
  NAS Specifies
  User Specifies
  Other
  Check other and then add the ip address that you want to assigned

• 802.1x(ACS) with avaya phones

  Hi All ,
  We are implementing wired dot1x for our wired users with EAP-TLS. When I am connecting laptop it is getting authenticated and it is working fine. For Voip(Avaya) we are using MAB .When we connect VOIP , after 30 seconds ACS is giving Access-accept(auth success) . But Voip is stuck up in Bad router state and VOIP is not working. If I connect the laptop behind the voip it is getting authenticated and it is working fine eventhough voip is stuck up.
  Is there a way we can reduce 802.1x auth timings , so that VOIP can register succesfully?
  The switch interface config is ,
  authentication event fail action next-method
  authentication host-mode multi-auth
  authentication order dot1x mab
  authetication priority dot1x mab
  authentication port-control auto
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  Thanks,
  Vijay

  Hi,
  i am using AVAYA as well in production. They support 802.1X.
  Configure Voice VLAN on each Port.
  Let ACS send the radius attribute device-traffic-class=voice under
  Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles VOICE VLAN
   and select Permission to join static.
  A good guide: IP Telephony for 802.1X Design Guide
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
  Regards Horst