ANM 4.2 - RBAC using Tacacs+ and ACS5.1

I want to configure RBAC for ANM 4.2 using TACACS+ and ACS 5.1.
Service = ANM
ANM_UniqueID = ANM_1
RoleName = ANM_Admin
Domain = All
When the admin user logs in, this policy element is triggered, but the Role is not sent back.
How do I configure the Custom Attribute?
Cheers,
Wolff

Could you please move this thread to the AAA community, since this community is mostly about load balancing and I doubt that you will get any answers here. You can find the AAA community here: https://supportforums.cisco.com/community/netpro/security/aaa
You should be able to move it by clicking on "Move thread" on the right side and then navigating to Communities -> Security -> AAA.
Thanks

Similar Messages

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
    Now, those users can successfully log in to devices and execute those show commands from priv level 1, except "sh access-list". I have specifically mentioned this
    "privilege show level 1 mode exec command access-list" in the config.
    Is there anything I am missing, or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh with http by creating different aaa groups.
    But still you will be logging in for telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • Emulating RBAC using FIM Service and Portal

    Hi!
    I am trying to create a simple RBAC using standard objects of FIM Service. So I am associating type "Set" with role, expanding it with the multivalue reference attribute "ListOfPermissions". I want to achieve the following behavior: when a user dynamically joins the set, the MPR executes a custom workflow that adds this user to the members of the corresponding permission object. Rather simple, BUT is there a way not to specify an MPR for every set manually, but to specify it once with the following logic, for example: when someone joins any set with the IsRole flag set to 1, the MPR is executed, etc., as described above? The straight-line methods have not yielded results.
    Need any help, thanks in advance!

    is there a way (...) to specify it once with the following logic, for example: when someone joins any set with the IsRole flag set to 1, the MPR is executed, etc., as described above?
    Yes, there is - you have to create a Set that has members of other sets inside it. Let's say "Master Set". So you can create an MPR that runs a MasterWorkflow after entering the Master Set.
    But here is the tricky part - if you have multiple sets with the IsRole flag and each set gives a different role assignment, in the workflow you have to check where the user belongs (to which set) and based on that calculate his membership.
    So I am not really sure if it would be easier. Even if it would look cleaner in FIM Portal, it would be harder to check what went wrong in case of any failure. And it would be harder to add new roles/sets, as you would have to rebuild such a workflow.
    If you found my post helpful, please give it a Helpful vote. If it answered your question, remember to mark it as an Answer.

  • ACS 5.3, ASA using TACACS+ forces to PAP?

    As the title says, I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+. It only works if I have PAP enabled on the ACS. Obviously this concerns me. I've found the following reference in the configuration guides:
    TACACS+ Server Support
    The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
    I can't figure out how to make the ASA use MS-CHAPv1 though. Seems like it should be pretty simple.
    Incidentally, I was having the same problem with VPN auths using RADIUS, but I was able to fix that by enabling the password management option, which is only available in CHAPv2. Seems that option isn't available under TACACS+.
    Any suggestions?

    As far as I am aware, the ASA will only use PAP to authenticate console exec logins. I wish it used CHAP-v2.
    Sent from Cisco Technical Support iPhone App

  • Error when trying to access the RBAC User editor and Message tracking

    Hi,
    I am getting an error when trying to access the RBAC User editor and Message tracking on the Web Mgmt interface. I verified that the admin account trying to access them is in the Organization Management group and has the correct Role Assignment Policy applied.
    I searched through the thread below and saw that matching the msExchRoleLink and msExchUserLink attributes fixed the issue.
    https://social.technet.microsoft.com/Forums/exchange/en-US/fc568cc6-8691-4127-b70b-bcc82f9b1f7f/first-2010-cas-server-no-administrator-rights-emc-permissions-gone?forum=exchange2010
    However, I have another environment where this is not the case and it works just fine; the msExchUserLink attribute has a value of CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=Domain,DC=Local, which is different from the issue outlined in the above thread, so I am not convinced that this will work and also don't want to blindly edit something in adsiedit without being sure.
    I then checked the event logs on the server and saw the below error logged;
    Current user: 'Domain/Server Services Accounts/administrator'
    Request for URL 'https://server.domain.com/ecp/default.aspx?p=AdminDeliveryReports&exsvurl=1' failed with the following error:
    System.Web.HttpUnhandledException: Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> Microsoft.Exchange.Management.ControlPanel.UrlNotFoundOrNoAccessException: The page may not be available or you might not have permission to open the page. Please contact your administrator for the required credentials. For new credentials to take effect, you have to close this window and log on again.
       at Microsoft.Exchange.Management.ControlPanel._Default.CreateNavTree()
       at Microsoft.Exchange.Management.ControlPanel._Default.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       --- End of inner exception stack trace ---
       at System.Web.UI.Page.HandleError(Exception e)
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.default_aspx.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Microsoft.Exchange.Management.ControlPanel.UrlNotFoundOrNoAccessException: The page may not be available or you might not have permission to open the page. Please contact your administrator for the required credentials. For new credentials to take effect, you have to close this window and log on again.
       at Microsoft.Exchange.Management.ControlPanel._Default.CreateNavTree()
       at Microsoft.Exchange.Management.ControlPanel._Default.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    I then had a look at the IIS permissions for ecp and owa. The account did not have permissions, so I added them there but still got the same error. I've also tried all of the above with a newly created account but still got the same issue.
    Any ideas as to what the above event log is specifically referring to?

    Hi,
    From your description, I would like to clarify the following thing:
    If you want to search message tracking logs, the account you use should be a member of the role groups below:
    Organization Management role group, Records Management role group, Recipient Management role group.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together, as TACACS and RADIUS are different technologies.
    It's because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and RADIUS.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information below as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
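    To make the "Packet Encryption" comparison above concrete, here is the TACACS+ body obfuscation from RFC 8907 section 4.5 written out in Python. This is an added example, not code from the thread or from Cisco: the 12-byte header stays in clear (including the flag that says whether the body is obfuscated), and the body is XORed with an MD5 keystream derived from the shared key, which is why a capture shows the header but not usernames or AV pairs. All packet values are constructed.

```python
"""TACACS+ header/body handling per RFC 8907 sec. 4.5 (illustration only).
The header is always cleartext; only the body is obfuscated with the key."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xc           # major version 12
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flag bit: body is sent in clear
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907: MD5_1 = MD5(session_id + key + version + seq_no),
    MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1}); concatenate
    and truncate to the body length. session_id is 4 bytes, network order."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int, cleartext: bool = False) -> bytes:
    """Assemble header + body. cleartext=True models the debugging mode the
    comparison above mentions, where the flag is set and the body is not hidden."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if cleartext else 0
    payload = body if cleartext else obfuscate_body(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Read the cleartext header, then recover the body with the shared key.
    A wrong key does not fail loudly: it simply yields garbage bytes."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    else:
        body = obfuscate_body(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed sample: the body bytes stand in for an authentication START body.
    sample_body = b"constructed-authen-start-body"
    pkt = build_packet(sample_body, 0x1234ABCD, b"shared-key", seq_no=1)
    print("header (clear):", pkt[:HEADER_LEN].hex())
    print("body on the wire:", pkt[HEADER_LEN:].hex())
    print("decoded:", parse_packet(pkt, b"shared-key")["body"])
```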

  • About 802.1x port authentication using TACACS+

    Hi
    I have some question. Please help me. Thanks.
    Question 1. Can I use 802.1x port authentication with TACACS+?
    Question 2. Is it true that TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+?
    Any help would be greatly appreciated.
    Thanks.

    Thanks to you.
    Where can I find the documents stating that TACACS+ doesn't support EAP?
    I have spent more time and I cannot find the documents.
    Please help me....
    Thanks.

  • Nexus, command authorization using TACACS.

    Hello.
    Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS?
    Thanks.
    Regards.
    Andrea

    Hi Andrea,
    We've moved on to ACS 5.3 now - but we had our Nexus 5520s running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
    username admin password role network-admin ; local admin user
    feature tacacs+ ; enable the tacacs feature
    tacacs-server host key ; define key for tacacs server
    aaa group server tacacs+ tacacs ; create group called 'tacacs'
        server ;define tacacs server IP
        use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
        source-interface mgmt0 ; ...and send them from the mgmt interface
    aaa authentication login default group tacacs ; use tacacs for login auth
    aaa authentication login console group tacacs  ; use tacacs for console login auth
    aaa authorization config-commands default group tacacs local  ; use tacacs for config command authorization
    aaa authorization commands default group tacacs local  ; use tacacs for normal command authorization
    aaa accounting default group tacacs ; send accounting records to tacacs
    Hope that works for you!
    (That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only), so instead you pass back the Nexus role to the 5k and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k.)
    Rob...

  • Tacacs+ and dynamic vlans

    Hi,
    Is there a good howto or tutorial that shows what settings are required to have dynamic VLAN functionality? Using TACACS+ 802.1x/PEAP I can get a domain user authenticated, but I don't follow how the VLAN setup / switching should be done. I want all users that fail domain authentication to be put in VLAN xxx and, if the user does authenticate, to be put into VLAN yyy (I am using 802.1x PEAP and server-side cert only). I am using ACS v3.3, W2k AD, WinXP supplicant, Cat5000. Thanks in advance.

    Yes, you can get the proper documentation at www.cisco.com/techsupport --------> Products --------> Security ----------> select appropriately to go to TACACS and click on view all.

  • WAAS Authentication using TACACS+

    Hi,
    I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as secondary.
    After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS (I use it to change config in switches and routers).
    I don't know if I am missing a step to configure this feature either on the WAAS or the ACS.
    Thanks,

    TACACS really only provides a single "A": Authentication.
    Are you allowed or not....
    In order to provide Authorization, you still need to create the account in CM and provide a role and domain in the user config.
    Leave the Local user check box "unchecked" if you plan to use TACACS to authenticate.
    I'm sure there is a way to provide authorization through complex custom attributes, but it achieves the same goal via CM once authenticated.

  • Logging directly into enable mode on a PIX using TACACS

    I have set up TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is set up to do so; it works for routers and switches, but not the PIX box. If I put "aaa authentication enable console TACACS" in the config, I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into enable mode.
    Does anyone know if there is a way to configure the PIX to log someone directly into enable mode via TACACS?
    Thanks in advance

    Hi,
    PIX does not support exec authorization. Hence the user cannot log in to level 15 directly.
    Regards,
    Vivek

  • Connecting to UCS6120 from Fabric Manager using TACACS

    Standalone Fabric Manager 5.0(4a)
    UCS 1.4(3s)
    I have to log into Fabric Manager using TACACS with SNMPv3 (company network security restriction).
    I launch Fabric Manager using my TACACS account, which connects to all the switches in my two fabrics using the same credentials.
    I can connect to all MDS9513, MDS9222i, IBM Bladechassis FC switch modules and all NX5020 switches in the fabrics. Fabric Manager cannot connect to any of the eight UCS6120 switches in the fabrics, returning a status of Unknow User or Password(Server,Client).
    This, I understand, requires the creation of a specific SNMP user, which is fine. However, as I am logged into Fabric Manager using a single TACACS account, I cannot supply alternate credentials to a subset of switches in the fabric.
    Is there a workaround for this to enable management of the 6120s in FM, or am I missing something?
    Thanks
    Mike Taylor

    Fabric Manager uses the same credentials to access all systems; these credentials will need to be valid on the UCS platform as well. Create a local SNMP user on UCS and check. This needs to be different from any non-SNMP authentication accounts on UCS.
    Note that FM cannot manage UCS. You will be able to view into UCS but not make changes. This may not be an issue if UCSM is running end host mode. To make any changes, you will need to use the UCSM GUI or CLI or another tool for administration.
    Thank You,
    Dan Laden
    PDI Helpdesk
    http://www.cisco.com/go/pdihelpdesk

  • Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

    So I am trying to get TACACS+ auth to work for my ACE.
    The command string that I have on the ACE is as follows:
    tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
    aaa group server tacacs+ tacacs+
      server 172.16.101.4
    aaa authentication login default group tacacs+ local
    aaa authentication login console local
    aaa accounting default group tacacs+ local
    But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
    I do not know how to do this on ACS 5.1.0.44.
    Anyone know?
    TAC made a good suggestion, but the command path doesn't seem to line up with my version of ACS.
    Thanks for your reply. About this question:
    shell:<Context>*<Role> <Domain>
    What I meant is that you need to check the following couple of things on your ACS server in order to have AAA TACACS users log in to the ACE over the context with superuser rights.
    Group setup -> users -> TACACS+ Settings -> enable Shell (exec) -> enable Custom attributes -> right below this part you need to use the following syntax to link the ACE context that this user has access to.
    For example:
    shell:<Context>*<Role> <Domain>
    shell:Admin*Admin default-domain
    Here this user will have access to the Admin context with the role admin using the 'default-domain'.

    Wilfred,
    What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
    Once you get into this shell profile, select the Custom Attributes tab and fill in the following fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices as well, which will impact the priv levels that they need for authentication.
    After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
    Thanks,
    Tarik Admani
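    The two replies above describe the ACE custom attribute format (shell:<Context>*<Role> <Domain>) and the optional-versus-mandatory choice in the ACS shell profile. Below is an added example in Python, not code from the thread, ACS or Cisco, that parses that attribute and models the client-side rule from RFC 8907 section 6.1: a mandatory (=) attribute the device does not understand fails authorization, while an optional (*) one is ignored, which is why the same shell profile can be shared with IOS devices only when the ACE attribute is optional. The attribute names in the "supported" sets and the requirement of at least one domain are assumptions for illustration.

```python
"""Parse the ACE 'shell:<Context>*<Role> <Domain...>' attribute and model how a
TACACS+ client treats unknown optional vs mandatory AV pairs (illustration)."""
import re
from dataclasses import dataclass, field

# Attribute name is 'shell:<Context>'; '*' = optional pair, '=' = mandatory pair.
_ACE_RE = re.compile(r"^shell:(?P<context>[^=*\s]+)(?P<sep>[*=])(?P<value>.+)$")
_AV_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[*=])(?P<value>.*)$")


@dataclass
class AceShellAttr:
    context: str
    role: str
    domains: list = field(default_factory=list)
    mandatory: bool = False


def parse_ace_shell_attr(av_pair: str) -> AceShellAttr:
    """Split 'shell:Admin*Admin default-domain' into context, role and domains.
    Assumption: the value must carry a role and at least one domain."""
    m = _ACE_RE.match(av_pair.strip())
    if not m:
        raise ValueError(f"not an ACE shell attribute: {av_pair!r}")
    parts = m.group("value").split()
    if len(parts) < 2:
        raise ValueError("value must be '<Role> <Domain> [<Domain> ...]'")
    return AceShellAttr(context=m.group("context"), role=parts[0],
                        domains=parts[1:], mandatory=(m.group("sep") == "="))


def format_ace_shell_attr(attr: AceShellAttr) -> str:
    """Inverse of parse_ace_shell_attr, e.g. for building an ACS custom attribute."""
    sep = "=" if attr.mandatory else "*"
    return f"shell:{attr.context}{sep}{attr.role} {' '.join(attr.domains)}"


def evaluate_authorization(av_pairs: list, supported_attrs: set) -> list:
    """Model of the NAS rule (RFC 8907 sec. 6.1): an unrecognised mandatory
    attribute fails the authorization; an unrecognised optional one is dropped.
    Returns the (attribute, value, mandatory) triples the device would apply."""
    applied = []
    for pair in av_pairs:
        m = _AV_RE.match(pair)
        if not m:
            raise ValueError(f"malformed AV pair: {pair!r}")
        attr, mandatory, value = m.group("attr"), m.group("sep") == "=", m.group("value")
        if attr in supported_attrs:
            applied.append((attr, value, mandatory))
        elif mandatory:
            raise PermissionError(f"mandatory attribute {attr!r} not supported; authorization fails")
        # optional and unsupported: silently ignored, as the reply above relies on
    return applied


# Constructed device capabilities used only for this illustration.
IOS_SUPPORTED = {"priv-lvl"}
ACE_SUPPORTED = {"priv-lvl", "shell:Admin"}

if __name__ == "__main__":
    profile = ["priv-lvl=15", "shell:Admin*Admin default-domain"]
    print(parse_ace_shell_attr(profile[1]))
    print("IOS applies:", evaluate_authorization(profile, IOS_SUPPORTED))
    print("ACE applies:", evaluate_authorization(profile, ACE_SUPPORTED))
```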

  • Problems getting TACACS and SNTP to work on CSS11500

    Hi,
    I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s.
    I have configured a TACACS server and an SNTP server which are accessible out the management interface. There is a route to these devices out the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to the TACACS server on the management or any of the other ports - it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mismatch, but I don't think it can be, as the device isn't even trying to connect to the TACACS server on port 49.
    Am I missing something obvious?
    I've pasted the relevant parts of the config below.
    Thanks in advance,
    Dom
    lab-fe-2# show run
    !Generated on 11/20/2009 09:40:18
    !Active version: sg0820303
    configure
    !*************************** GLOBAL ***************************
      sntp primary-server 10.52.240.1 version 3
      sntp secondary-server 10.52.240.2 version 3
      virtual authentication primary tacacs
      virtual authentication secondary local
      tacacs-server key xxxxxxxxxxxxx
      tacacs-server 10.52.255.201 49
      ip management route 10.52.240.0 255.255.240.0 10.55.2.252
      ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
    !************************* INTERFACE *************************
    interface e1
      bridge vlan 2503
      phy 100Mbits-FD
    interface e2
      bridge vlan 2004
      phy 100Mbits-FD
    interface Ethernet-Mgmt
      phy 10Mbits-FD
    !************************** CIRCUIT **************************
    lab-fe-2# show boot
    !************************ BOOT CONFIG ************************
      ip address 10.55.2.245
      subnet mask 255.255.255.0
      primary boot-file sg0820303
      primary boot-type boot-via-disk
      gateway address 10.55.2.252
    lab-fe-2#
    lab-fe-2# show tacacs-server
    Per-Server Status:
    IP/Port              State   Primary        Authen.      Author.      Account
    10.52.255.201:49     Dead    No                   0            0            0
    Totals:                                           0            0            0
    Per-Server Configuration:
    IP/Port              Key              Server Timeout        Server Frequency
    10.52.255.201:49     Not Configured   None                  None
    Global Configuration Parameters:
    Global Timeout:                5
    Global KAL Frequency:          5
    Global Key:                    Configured
    Authorize Config Commands:     No
    Authorize Non-Config Commands: No
    Account Config Commands:       No
    Account Non-Config Commands:   No
    Send Full Command:             Yes
    end of buffer.
    lab-fe-2#

    I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server over the management interface unless the TACACS server is located on the same subnet as the management interface:
    The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
    Note: When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
    I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
    The confusing thing about this is that it is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2, and neither is it mentioned in the release notes of any of those versions that it is supported.
    Cheers, Dom

  • How to configure management authentication on IAP using Tacacs Server?

    Requirement:
    Instant access points come with a default username and password, i.e. admin/admin. This does not go a long way, as the IAPs start finding their place in campus and corporate networks.
    With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
    Solution:
    Keeping this in view, the IAP development teams have integrated TACACS and RADIUS based management authentication.
    Configuration:
    Follow the steps below to configure RADIUS authentication in IAP:
    Log in to the IAP web interface.
    Select "System" from the main menu and then click on the "Admin" tab.
    Under local authentication, select "Authentication Server".
    Under "Auth Server 1" select "New Server".
    Fill in the name, IP address and shared key for the TACACS server and click OK.
    Verification
    Log out of the IAP web interface and try logging in using the username and password on the TACACS server.

    I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple of IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed.
    I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.
    I also found there is a difference in using the CN= and OU=. Currently our admin account is in the Users group, which is a "Container". Our actual user accounts are stored in an Organizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.
    For the Windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication. On the Windows laptop I am using I needed to manually create a wireless profile with:
    Security Tab > "Choose a network authentication method:" Microsoft: Protected EAP (PEAP)
    Settings > Select "Trusted Root Certification Authorities": GeoTrust Global CA
    Select Authentication Method: EAP-Token (This is the Aruba GTC Shim)
    This allowed me to use my domain login credentials: Username, Password, Domain (This is blank because the Base-DN already has this; if anything is put in here the authentication fails).
