ASA enable authentication for AD user by ACS TACACS fails

In order to authorize commands on ASA 8.x for different users, I have to put 'aaa authentication enable console TACACS' into the ASA configuration, and in ACS - User Setup - TACACS+ Enable Password - Use separate password, I set an enable password.
It works fine for ACS local users: they are able to get into privileged EXEC mode by entering the 'enable' command and using my pre-set password. However, the password doesn't work for AD users.
So, how do I set up enable authorization for AD users?
Or is there a way to drop a user directly into level 15 on the ASA, just like on a router?
Below is the debug info (I'm sure the password is the one I set in ACS).
LABASA1(config)# AAA API: In aaa_open
AAA session opened: handle = 884
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(d45bd5c8) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: TACACS)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 192.168.1.221
AAA FSM: In AAA_SendMsg
User: fostco\user1
Resp:
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 884, pAcb = d5b193e0
aaa_backend_callback: Error:
Incorrect password.
AAA task: aaa_process_msg(d45bd5c8) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
AAA API: In aaa_close
AAA task: aaa_process_msg(d45bd5c8) received message type 3
In aaai_close_session (884)

I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an SSH session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
I have tried everything I can think of on the ACS as far as "TACACS+ enable password" goes, using both a Windows database and a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

Similar Messages

  • Enable authentication for ASA

    Hi,
    I'm working on AAA authentication for an ASA (version 8.0(3)) box through a TACACS+ server in ACS (version 4.2). The setup I'm working on includes several users in 3 classes: senior (privilege level 15), junior (privilege level 7) and monitoring (privilege level 0). User authentication and command authorization are working fine; however, I'm having problems with enable authentication.
    When a user of the junior class tries to authenticate the enable password, the authentication fails, according to the ACS log: "Tacacs+ enable privilege too low". However, the privilege level in ACS for this class is set to level 7. Checking with a sniffer, I have found out that the TACACS+ authentication message sent by the ASA sets the privilege level to 15, as you can see in the attached screenshot. Of course, if the ASA is trying to authenticate enable for level 15, the authentication will fail according to the user's current level. I have local authentication configured in the ASA and it works fine, including enable authentication.
    Has anyone had this issue, or any idea how to resolve it?
    Thanks all for your replies.

    Seems like you might be hitting bug CSCsh66748.
    Hope you have tried the "enable " command to enter enable mode for specific users.
    BTW, why are you using different privileges for enable when you already have command authorization in place?
    Regards
    Rohit

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!!!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for them.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down, then via the local enable password.
    For all users I need different privilege levels, based upon which access will be granted.
    Could you please send me the config that is required on the active devices as well as on ACS!!!!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • How to Enable Authentication to Selected Users

    1. How do I enable SAP and AD authentication only for selected users on the InfoView login page?
    2. How do I disable (remove) the Enterprise option in the drop-down selection on the InfoView login page for some users?
    Do we have to make some changes in web.xml?
    Can anyone help me out?
    Thanks!
    Milton

    You have to enable authentication for your application.
    However, for the public pages, you disable this by setting the page's security attribute Authentication to "Page is public".

  • Enable save for all users in rich client document defaultly for all users

    Hi,
    Is there an option to enable "save for all users" in a Rich Client document by default for all users across the company? The users who are creating reports are forgetting to check the box before sending the Rich Client document to others. Kindly let me know if you have any suggestions on this.
    Thanks,
    Karthik

    I'd suggest that this is where your BO folder structure comes in. You can export from Rich Client to any folder that you have permissions to access; some sort of collaboration folder system would potentially be better and more secure than sending unsecured reports via email. If your IT security team found out that you were removing document security, I doubt they'd be impressed!
    You can't do the default save for all users, simple as that (it's bad practice anyway, which is probably why you can't). While it's not the answer that you want to hear, it is the correct one.

  • Enabling calendaring for a user or group not working

    I'm having an issue getting iCal server/sharing and web calendars working. I think it is all related.
    First a description of my server environment. One Xserve acting as OD master, file server, VPN, DNS and DHCP server as well. Second Xserve acting as DNS, mail, web and iCal server. The second server is an OD replica.
    DNS is working. All OD functions including Kerberos are working. Mail and webmail are working as well.
    The hostname in iCal Server Admin settings is the FQDN of my second Xserve, icalxserve.domain.com. I can start iCal. Then I get this error in the logs:
    twistedcaldav.directory.appleopendirectory.OpenDirectoryInitError: Open Directory has no /Computers records with a virtual hostname: icalxserve.domain.com
    Remember this server is an OD replica. It is listed in the Computers pane under Workgroup Manager and its name is server.domain.com$. All the computers have $ at the end, so I assume this is normal. All services are set for access from all users in Server Admin -> server -> Access. In Server Admin Web -> Sites -> (default site highlighted) Web Services, webmail, wiki and blog and web calendaring are all checked as well. I have also tried to enable wiki and blog and web calendar for groups in Workgroup Manager. The only choices in the pop-up are "none" and "wiki host for domain.com". Strange.
    I cannot enable calendaring for any user. I check the Enable calendaring box under Advanced in the Accounts pane in Workgroup Manager and no server is listed in the pop-up menu. It only reads "No calendar host selected" without any other choices. It should show me icalxserve.domain.com.
    When I go to http://icalxserve.domain.com I get the default homepage and webmail works. If I click on the Groups button I see the 2 groups I have enabled services for. But when I click on the group name I get the following error page:
    Not Found
    404: No group with that name (thomas) hosted on this server
    Not sure what to do next. OD doesn't seem to be working like I would expect. Any advice would be greatly appreciated.
    Thanks in advance.
    Please note I am posting this late on Sunday night and have jury duty tomorrow. I will obviously try to check back as soon as I can, but maybe not until Monday night. Thanks again.

    Hi
    "I don't see this option. Am I doing something wrong?"
    Your rider seems to indicate 10.6? If you're not seeing this option in Workgroup Manager I'm guessing you're using 10.6 Server? In which case you've posted in the wrong forum with a question that's not applicable anymore. Apple removed those options in 10.6. Another possibility is you're trying to manage a 10.5 Server using the 10.6 Server Admin Tools and it's giving unpredictable results? The Server Administration applications can behave oddly if you're trying to use a newer version on an older server. You should use the version of the Tools that came with the Server.
    The 10.6 iCal Server Admin Manual is here:
    http://manuals.info.apple.com/enUS/iCalServerv10.6.pdf
    Tony

  • Can't enable calendaring for some users in WGM

    10.5.6 server
    OD set up and working fine
    I'm trying to get going with iCal server for the first time.
    The 3 accounts that I initially enabled for calendaring seem to work fine, but now I can't add any more. If I enable calendaring for a user in WGM and save the record, then go to another record and back to the one I changed, I see that calendaring is disabled for that user.
    It continues to work for the initial 3 users.
    The iCal server error log did have some messages about "Record disabled due to conflict: <OpenDirectoryRecord..........."
    I read on another post that this indicates a problem with duplicate UIDs/GIDs.
    I found one UID and one GID that were both duplicated in the local and LDAP records, so I changed those in WGM. On top of that, I found that the groups "Open Directory Users" and "Open Directory Administrators" had the same GIDs in both the local and LDAP domains, but guessed that I had better leave these alone. There are no other duplicate UIDs or GIDs.
    Stopped and started iCal server.
    Problem remains.
    Any ideas please?
    Many thanks......

    Dear All,
    I have the same problem: I can't activate 'web calendaring' for groups and for users; the 'enable calendaring' checkbox doesn't stay checked if I close and reopen Workgroup Manager...
    Does someone have a solution?

  • OCS 2007 Enabling Federation for all users globally

    I've set up federation in OCS 2007 and it's working. The problem now is I need to enable it en masse for my users.
    I've searched all properties and can't find where I enable it for all users. The setting I'm looking for is equivalent to going into the user's properties > Other Settings [Configure] > and checking Enable Federation and Enable Remote Access.
    I'd hate to go through 300+ users to check this. Does anyone know where I can set this globally?
    Thanks.

    What are the odds of that... answered my own question.
    I right-clicked the Users folder > Configure Users and it walked me through checking those options.
    Hope it saves someone some time :)

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is simple, with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP address.
    I can ping the IP address of the ACS server (which is located at the remote site, IP address 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However, when I configure the ASA for the AAA group with the commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    then when I do a show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway due to the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, what should the config be?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1X (EAP-TLS). We are using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether authentication is working or not. I believe both the root CA and identity certificates also need to be installed on the laptops, but I am not sure how to download the certificates for the client machine manually from the CA.
    Kindly suggest how to get certificates for clients both manually as well as automatically.
    Thanks,
    Vijay

    Hi Vijay,
    For wired 802.1X (EAP-TLS) you need to have the following certificates:
    On ACS: Root CA, Intermediate CA, Server Certificate
    On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
    I am not sure which third-party certificate you are using. If it's an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
    In the case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it's a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi (rate the helpful post)

  • RADIUS Authentication for Guest users

    Hi,
    I currently use a 4402 WLC located in our DMZ to authenticate guest users; local authentication is in place. I would now like to set up RADIUS authentication via a Cisco NAC server. In order not to affect current guest users, I created a new WLAN and configured it with the RADIUS server details under WLANs -> Edit -> Security. I can associate to the new WLAN and obtain a DHCP address no problem, but when I browse to an external website, I do not get prompted for authentication from the RADIUS server. I don't see any auth requests hitting our firewall, so I am assuming the problem is with the WLC config.
    Can anyone provide any details of what config is required?
    Security Policy - Web-Auth
    Security -> L2 - None
    Security -> L3 - Authentication
    Security -> AAA Servers - Auth and Acct server set
    Many thanks
    Liam

    Your setup sounds pretty okay. Have you got local user accounts set up on the WLC for the test WLAN? If you do, check to see that the priority order for web authentication for the test WLAN prefers the AAA account. You will have to do it directly on your controller, as I do not think you have that option in WCS.
    Hope that helps

  • Enable Notification for any users scheduling reports

    Hi all!
    How can I enable the "Notification" option for any user allowed to schedule a report within BOXI R 3.1 FP 1.7?
    As administrator, the option is available within the scheduling.
    As a normal user I don't have any notification option visible. I can only send reports or messages as email.
    Thanks for any hints,
    ciao Hakan

  • HT4783 I know AirDrop is enabled on this iMac, but it's not appearing in the Finder window on my user account. Is there a way to enable it for my user account?

    I'm on an iMac running Mountain Lion. I know it has AirDrop on it, but it's not showing up in the Finder window for my user account. How can I get it to show up on my user account? And yes, I do have administrator rights.

    Which OS are you using on your computer?

  • What are steps configure Certificate based authentication for Wireless clients with ACS 5.3?

    I need to authenticate my clients connecting via wireless.
    The clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
    Can someone please help me with the steps?
    Thanks

    Two primary steps:
    - Define the trust certificates needed to verify the clients' user certificates:
    Users and Identity Stores > Certificate Authorities
    - Change the result of the identity policy to select a certificate authentication profile. If you have the default config:
    Access Policies > Access Services > Default Network Access > Identity
    By default you can select "CN Username" as a result.

  • Radius authentication for wifi users

    Hi all,
    I have an Aironet 1250 access point and I have a Windows 2003 RADIUS server configured to authenticate users.
    I need to configure the access point for RADIUS authentication.
    Can anyone please help me to configure the access point?
    Thanks in advance,
    Selva

    See here for configuration examples, look for the autonomous examples:
    http://www.cisco.com/en/US/products/ps6087/prod_configuration_examples_list.html
    Thanks
    Chris
