Authenticating, Authorizing VPN user with AAA
Hello,
I have an ACS 1113 (4.2) Solution Engine and an ASA 5550 which has been integrated with ACS. I need to authenticate and authorize the VPN users from ACS.
Also I need to have different access for different groups in ACS.
Please help me with this.
Thanks
Ritesh
Hi,
I am running into one problem. I have done the configuration in the ASA for authentication through ACS, but when I attempt to authenticate with a user I get an authentication message. Here are the commands configured in the ASA and the debug messages.
Commands:
aaa-server ACSCHN protocol radius
aaa-server ACSCHN (WAN) host 10.132.15.26
key _____
aaa authentication telnet console ACSCHN LOCAL
aaa authentication enable console ACSCHN LOCAL
Debug Msg:
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
aaa_backend_callback: Error: sorry
AAA task: aaa_process_msg(185f00e8) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
AAA API: In aaa_close
AAA task: aaa_process_msg(185f00e8) received message type 3
In aaai_close_session (868)
Please help me understand why it authenticated with the internal server and not with the ACS server.
Regards
Ritesh
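The debug output above already contains the decision points an engineer reads to answer this question: the server group named, whether AAA_BindServer actually bound a server, and whether the LOCAL fallback method ended up answering. The following Python is added here as an illustration and is not part of the thread or of any Cisco tool: it reduces such a transcript to those facts. DEBUG_FROM_POST copies lines from the transcript above; DEBUG_SERVER_BOUND is a constructed contrast case; the regexes assume the message formats seen above.

```python
import re

# Lines copied from the 'debug aaa' transcript in the post above.
DEBUG_FROM_POST = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
In localauth_ioctl
Local authentication of user wipro
aaa_backend_callback: Error: sorry
Authentication Status: -1 (REJECT)
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
Auth Status = REJECT
"""

# Constructed contrast case (not from the post): a server is bound and answers.
DEBUG_SERVER_BOUND = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 10.132.15.26
AAA FSM: In AAA_SendMsg
User: wipro
Authentication Status: 1 (ACCEPT)
Auth Status = ACCEPT
"""

# Message formats assumed from the transcript above.
PATTERNS = {
    "server_group": re.compile(r"\(Svr Grp: (\S+)\)"),
    "bound_server": re.compile(r"AAA_BindServer: Using server:\s*(\S*)"),
    "user": re.compile(r"^User: (\S+)"),
    "status": re.compile(r"^Auth Status = (\S+)"),
}


def classify_aaa_debug(text):
    """Reduce an ASA AAA debug transcript to the facts that explain the outcome."""
    facts = {"server_group": None, "bound_server": None, "user": None,
             "status": None, "local_fallback": False}
    for line in text.splitlines():
        line = line.strip()
        for key, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                facts[key] = match.group(1)   # empty string when no server was bound
        if line.startswith("Local authentication of user"):
            facts["local_fallback"] = True   # the LOCAL method in the aaa command answered
    return facts


def explain(facts):
    """One-line verdict a helpdesk runbook could print."""
    if facts["local_fallback"] and not facts["bound_server"]:
        return (f"no server in group {facts['server_group']} was bound; the LOCAL "
                f"fallback method answered for user {facts['user']} ({facts['status']})")
    if facts["bound_server"]:
        return (f"server {facts['bound_server']} in group {facts['server_group']} "
                f"answered for user {facts['user']} ({facts['status']})")
    return "transcript did not contain a bind or local-auth line"


if __name__ == "__main__":
    print(explain(classify_aaa_debug(DEBUG_FROM_POST)))
    print(explain(classify_aaa_debug(DEBUG_SERVER_BOUND)))
```

The useful signal is the empty value after `Using server:` followed by `Local authentication`: the group was consulted, no server in it was bound, and the `LOCAL` keyword at the end of the `aaa authentication` commands decided the result. The same check run on a transcript where a server address appears after `Using server:` yields the second verdict.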
Similar Messages
-
Remote Access VPN Users with CX Active Authentication.
I have an ASA 5515 with CX for web filtering, and also have remote access VPN enabled. All my inside users are able to get active and passive authentication correctly. But for remote access VPN users, they are redirected to the ASA external IP and CX authentication port 9000 but a blank page comes up and there is no prompt for authentication. I wasn't doing split tunneling, but now I have excluded the ASA WAN IP from the tunnel and still have the same issue.
The CX version we have is 9.3.1.1
Have you excluded the VPN traffic from being NATed when traffic is going between clients?
Please post a full sanitised configuration of the router so we can check it for configuration issues.
Please remember to select a correct answer and rate helpful posts -
How to restrict a VPN user with a specific anyconnect profile?
I need to assign different profiles to AnyConnect users. This is done easily with IPSec, with the group policy configured in the client. With AnyConnect I have two options:
- Allow the user to select the connection profile: The problem here is the user can select any profile and connect with the rules and permissions configured in that profile. I do not know how to force one specific profile for each user.
- Use the DefaultWebVPNGroup as the connection profile for everybody, combined with DAP. This is what I am doing now. Everybody connects with the default AnyConnect profile and I use DAP to assign each user the network ACLs, bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or the user authentication method.
I have seen some answers about this point but none of them is clear enough. I am using an ASA 5540 with 8.4(6) and Windows IAS RADIUS.
Thanks.
Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from RADIUS attribute 25 and applies it.
Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy, but the bookmarks from that policy are not applied. Any idea? -
Authentication of portal users with uid on oid/ldap
All works fine with authenticating users created on DAS that have
dn: cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com
When I migrated user to portal schema, the auth fails. The portal schema has user dn string
uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com
I got this DN string from an export to an LDIF file. The portal user can log in to DAS.
We are using HTMLdb 1.6 and I used
LDAP Host[LDAP Test Tool] at /htmldb/f?p=4000:802 to test the parameters.
How do I make this uid DN work with ApEx?
Thanks.
Kenny,
I would forget about using the is_member function for authentication until you achieve what you need directly with dbms_ldap. You can experiment with an anonymous block in SQL*Plus starting with this sample code until you can get the simple_bind_s to work with your parameters:
set serveroutput on
declare
l_retval pls_integer;
l_retval2 pls_integer;
l_session dbms_ldap.session;
l_ldap_host varchar2(256);
l_ldap_port varchar2(256);
l_ldap_user varchar2(256) := 'FIRSTNAME_LASTNAME'; -- enter username in this format
l_ldap_passwd varchar2(256) := 'PASSWORD'; -- enter password
l_ldap_base varchar2(256);
begin
l_retval := -1;
dbms_ldap.use_exception := TRUE;
l_ldap_host := 'ldap-host.some-domain.com';
l_ldap_port := '389';
l_ldap_user := 'cn='||l_ldap_user||',l=amer,dc=oracle,dc=com';
l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
l_retval := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
dbms_output.put_line( 'Return value: ' || l_retval );
l_retval2 := dbms_ldap.unbind_s( l_session );
exception when others
then
dbms_output.put_line (rpad('ldap session ',25,' ') || ': ' ||
rawtohex(substr(l_session,1,8)) || '(returned from init)');
dbms_output.put_line( 'error: ' || sqlerrm||' '||sqlcode );
dbms_output.put_line( 'user: ' || l_ldap_user );
dbms_output.put_line( 'host: ' || l_ldap_host );
dbms_output.put_line( 'port: ' || l_ldap_port );
l_retval := dbms_ldap.unbind_s( l_session );
end;
/
Scott -
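Both DN strings in this thread are templates into which the login name is substituted, so the substitution point is also the place where a comma or plus sign in the supplied name would change which entry is bound. The Python below is an added example, not HTML DB code and not from Scott's reply: it builds the bind DN from either template, escapes the value per RFC 4514 section 2.4, and splits the result back into RDNs to show the structure survives. The %LDAP_USER% placeholder is the one used in the post; the function names and the compaction of the spaces after commas seen in the LDIF export are my own choices.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
SPECIAL = set('",+;\\<>')


def escape_rdn_value(value):
    """Escape one attribute value so it cannot change the DN's structure."""
    if not value:
        raise ValueError("empty RDN value")
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch in "\x00\r\n":
            out.append("\\%02x" % ord(ch))   # hex escape for characters that cannot be backslashed
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(template, username):
    """Substitute the login name into a DN template such as
    'uid=%LDAP_USER%,ou=people,dc=edmunds,dc=com' (the placeholder used in the post)."""
    if "%LDAP_USER%" not in template:
        raise ValueError("template has no %LDAP_USER% placeholder")
    # The LDIF export quoted in the post had spaces after the commas; strip them so
    # the DN is in the compact form most servers echo back.
    compact = re.sub(r",\s+", ",", template.strip())
    return compact.replace("%LDAP_USER%", escape_rdn_value(username))


def split_rdns(dn):
    """Split a DN into its RDN strings, honouring backslash escapes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escaped pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


if __name__ == "__main__":
    # Constructed inputs: the two templates from the thread, one plain and one hostile name.
    print(build_bind_dn("uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com", "kenny"))
    hostile = build_bind_dn("cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com", "kenny,ou=admins")
    print(hostile, split_rdns(hostile))
```

With the escaping in place, a name containing `,ou=admins` stays a single RDN value (`cn=kenny\,ou=admins`) instead of becoming an extra RDN that points the bind at a different part of the tree; the `dbms_ldap.simple_bind_s` call in Scott's block can be handed the result of `build_bind_dn` unchanged.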
Fixed ip for vpn user- aaa authenticated
Hi all,
I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with an AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?
With local AAA authentication
go to the user attributes
like username vpnuser attributes
vpn-framed-ip-address 192.168.50.1 255.255.255.255
this will give that IP to that user.
If you are using Cisco ACS,
under the user settings
go to:
Assign static IP address - If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
and the following link gives step-by-step instructions to configure Cisco ACS AAA:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
good luck
please, if helpful Rate -
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working: I get connected and authenticated. However, even though I use a user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure the ASA/IAS/VPN client in such a way that I enter the user name/password just once when connecting and get access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John -
WCS Lobby Ambassador with AAA Authentication
We are using WCS 7.0.164.0. I configured a user as a local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts everything is alright. Now I want to change the authentication to RADIUS, so I exported the Cisco lobby ambassador attributes to the RADIUS server and extended these network policies. Now I can log in as the user, authenticated from the RADIUS server, and I create guest accounts in the same way as before with local login, BUT !!! Our special guest login logo isn't shown and there is no way to upload or configure this special logo. Is there a way to configure these options for users authenticated with AAA? Thanks for any help, Bernhard
Hi Bernhard,
I used following doc-link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
The trick I used is to configure same username on tacacs+ and local, but different passwords.
local-user: configure your special attributes like logo
tacacs+: configure the authentication and group
local-user password is not the same like tacacs+ password.
I configured Authentication in WCS section: Administration > AAA > AAA Mode Settings
Enable fallback to local == on auth failure or no server response
Maybe if you deselect Enable fallback to local you can only authenticate to tacacs+. But now I can authenticate with local user/password and tacacs+ user/password.
Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
Attributes for tacacs+ server:
virtual-domain0=root
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
Attributes for Radius (I never tried radius):
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
==> I think also virtual-domain can be set. -
I need the MBAM 2.5 Helpdesk and Self Service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the Helpdesk Users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain-authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
tconners
This generally means that your SPN is not set up correctly. Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance. You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance. In your browser, you should now be able to access the SSP without prompts. However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com. Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet" which breaks Kerberos authentication. By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.
I can confirm that I have the exact configuration and I always get the password prompt the very first time. We have a 2-server (1x IIS and 1x SQL) infrastructure in production with the SPN set like it should be and I get the password prompt. -
Problem authenticating Wireless users with peap
Good afternoon,
I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is that when I try to authenticate I get this error:
AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
DOT11-7-AUTH_FAILED : Station ... Authentication failed
It shouldn't use local authentication, but the AAA server I configured.
I looked on the internet but didn't find a working solution.
Does anyone know why it is not working?
Here is my running configuration:
Current configuration : 4276 bytes
! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
no ip routing
no ip cef
dot11 syslog
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
eap profile peap
method peap
crypto pki token default removal timeout 0
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
ssid test
antenna gain 0
stbc
beamform ofdm
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
dot1x pae authenticator
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
ip address 192.168.3.10 255.255.255.0
no ip route-cache
ip default-gateway IP
ip forward-protocol nd
ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
transport input all
end
Thank you
I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
dot11 ssid test
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa version 2
guest-mode
Hope this helps!
Thank you for rating helpful posts! -
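The diagnosis in the reply above, an SSID that refers to a method-list name which is never defined, is a dangling reference that a small checker can find before anyone starts a debug session. The following Python is an added example and not part of the thread or of any Cisco tool: it lints the AAA lines of an autonomous-AP configuration for login lists referenced from the SSID but never defined, and for server groups referenced from `aaa` lines that contain no `server` entry. SAMPLE_CONFIG reproduces the relevant lines from the posted configuration, with the indentation lost exactly as shown above; the regexes assume those line formats.

```python
import re

# Constructed sample: the AAA and SSID lines of the autonomous-AP config from the
# post, with the indentation lost exactly as the post shows them.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid test
authentication open eap eap_list
authentication key-management wpa version 2
guest-mode
"""

GROUP_DEF = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)$")
LOGIN_LIST = re.compile(r"^aaa authentication login (\S+) (.+)$")
AAA_USE = re.compile(r"^aaa (?:authentication|authorization|accounting) .*\bgroup (\S+)")
SSID_REF = re.compile(r"^authentication (?:open eap|network-eap) (\S+)")


def lint_aaa(config):
    """Return human-readable findings for dangling AAA references."""
    groups, login_lists, group_uses, ssid_refs = {}, {}, [], []
    current_group = None
    for raw in config.splitlines():
        line = raw.strip()
        match = GROUP_DEF.match(line)
        if match:
            current_group = match.group(1)
            groups[current_group] = []
            continue
        if line.startswith("server") and current_group is not None:
            groups[current_group].append(line)   # a server inside the group block
            continue
        current_group = None                      # any other line ends the group block
        match = LOGIN_LIST.match(line)
        if match:
            login_lists[match.group(1)] = match.group(2).split()
        match = AAA_USE.match(line)
        if match:
            group_uses.append((line, match.group(1)))
        match = SSID_REF.match(line)
        if match:
            ssid_refs.append(match.group(1))

    findings = []
    for name in ssid_refs:
        if name not in login_lists:
            findings.append(f"SSID references login list '{name}' but no "
                            f"'aaa authentication login {name}' exists")
    for line, grp in group_uses:
        if grp not in groups:
            findings.append(f"'{line}' references undefined server group '{grp}'")
        elif not groups[grp]:
            findings.append(f"'{line}' references server group '{grp}' which has no servers")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

On the posted lines the checker reports the `eap_list` mismatch from the reply and, in addition, that the accounting method list points at `rad_acct`, a group with no server, so accounting records for the wireless users have nowhere to go. Applying the reply's correction (`authentication open eap eap_methods`) leaves only the accounting finding.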
Authentication an admin user on AP1200 with Cisco Secure
Hello,
I am trying to configure RADIUS authentication for an administrator logging on to an AP1200 via HTTP. On the Cisco Secure ACS server I can see that the authentication was successful, and with a trace I can also see the 'Radius Pass' answer coming back to the AP1200.
Unfortunately the administrator gets no access to the AP1200 web page, and the login window still asks for username/password. The log of the AP1200 does not give any error message.
The software versions are following:
AP1200 version 12.02A (the last one non-IOS available)
CiscoSecure ACS v2.6 for Windows 2000/NT
Release 2.6(3) Build 2
The return packet 'Radius Pass' answer coming back to the AP1200 is the following:
0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!g*`.y......|
0040: ff ff ff ff |....|
I suspect that the last ff ff ff ff (255.255.255.255) should be equal to the IP address of the AP1200 which was sent within the initial RADIUS request packet.
Thanks in advance for your answer
I had a similar problem with the 350 series. I received the following information that resolved my issues.
Using RADIUS, you need to use the Cisco AV-pair attribute for admin users with the following syntax:
aironet:admin-capability=write+ident+admin+firmware
Here is the procedure for the admin user to define the Cisco AV-pair attributes:
a) On ACS select Interface Configuration and go to the advanced options,
select "per-user TACACS+/RADIUS attributes" and click on Submit.
b) On ACS, select Network Configuration,
1) check if you have configuration >> RADIUS (IOS/PIX available) on the ACS;
if not, add NAS type RADIUS IOS/PIX; note that this is needed for the IOS/PIX attribute.
2) After adding the IOS/PIX device, select Interface Configuration >> RADIUS (IOS/PIX),
enable the [026/009/001] "cisco av-pair" option, again making sure that you enable it
at user and group level, and click on Submit.
3) Add a user (User Setup >> ADD/EDIT) to restrict administrator access control
1) enable and configure cisco 09\001 cisco av-pair using
aironet:admin-capability=write+ident+admin+firmware
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082 -
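Three posts in this thread hinge on attributes carried in a RADIUS Access-Accept: the group policy an ASA takes from attribute 25 (Class, in the ASA convention "OU=<group-policy>;"), the static address that the ACS "Assign static IP address" setting delivers as attribute 8 (Framed-IP-Address; that mapping is my assumption, the thread does not name the attribute), and the 'Radius Pass' dump in the AP1200 post directly above. The Python below is an added example and not from any of the posts: it rebuilds the frame from that dump, strips the Ethernet/IPv4/UDP headers, parses the RADIUS TLVs with bounds checks, interprets the two attributes, and shows how a NAS verifies the Response Authenticator with the shared secret (RFC 2865 section 3). For the dump it reports one attribute, Framed-IP-Address 255.255.255.255, a value RFC 2865 defines as "the NAS should allow the user to select an address", so it carries its own meaning rather than echoing the NAS address. The shared secret and request authenticator used for the built packet are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_FRAMED_IP_ADDRESS = 8   # RFC 2865 section 5.8
ATTR_CLASS = 25              # RFC 2865 section 5.25

# The sniffer dump from the post above (Ethernet + IPv4 + UDP + RADIUS).  The '*'
# the sniffer inserted between two bytes is tolerated by the parser.
AP1200_DUMP = """\
0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
0020: f8 15 06 6d 06 fd 00 22 05 f3*02 2b 00 1a 95 ad |...m..."...+....|
0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!g*`.y......|
0040: ff ff ff ff |....|
"""


def hexdump_to_bytes(dump):
    """Turn 'offset: hex bytes |ascii|' lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].split("|", 1)[0]
        out.extend(bytes.fromhex(hex_part.replace("*", " ")))
    return bytes(out)


def radius_payload(frame):
    """Strip Ethernet, IPv4 and UDP headers; return the RADIUS datagram."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    udp = 14 + ihl
    udp_len = struct.unpack("!H", frame[udp + 4:udp + 6])[0]
    return frame[udp + 8:udp + udp_len]


def parse_radius(packet):
    """Parse the fixed header and the TLV attribute list with bounds checks."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODE_NAMES.get(code, code), "id": ident,
            "authenticator": packet[4:20], "attrs": attrs}


def vpn_decisions(attrs):
    """What an ASA or AP acts on: group policy from Class, address from Framed-IP-Address."""
    out = {"group_policy": None, "framed_ip": None}
    for atype, value in attrs:
        if atype == ATTR_CLASS:
            text = value.decode("ascii", "replace")
            if text.startswith("OU="):            # ASA convention: Class = "OU=<group-policy>;"
                out["group_policy"] = text[3:].rstrip(";")
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            ip = struct.unpack("!I", value)[0]
            if ip == 0xFFFFFFFF:                  # RFC 2865: NAS lets the user pick an address
                out["framed_ip"] = "user-selects"
            elif ip == 0xFFFFFFFE:                # RFC 2865: NAS picks from its own pool
                out["framed_ip"] = "nas-selects"
            else:
                out["framed_ip"] = str(ipaddress.IPv4Address(value))
    return out


def build_access_accept(ident, request_authenticator, secret, attrs):
    """Build an Access-Accept with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply was produced with the shared secret for our request."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def analyse_ap1200_dump():
    """Code, identifier and interpreted attributes of the posted 'Radius Pass' reply."""
    parsed = parse_radius(radius_payload(hexdump_to_bytes(AP1200_DUMP)))
    return parsed["code"], parsed["id"], vpn_decisions(parsed["attrs"])


if __name__ == "__main__":
    print(analyse_ap1200_dump())
```

The authenticator check is the part a NAS must not skip: an Access-Accept whose Response Authenticator does not verify against the request authenticator and the shared secret is discarded, which is why a wrong `key` on the `aaa-server` line shows up as a silent reject rather than a parse error. The dump itself verifies only against the original request, which the post does not include, so `analyse_ap1200_dump` parses and interprets it without that step.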
Presenting users with authentication menu
Hi,
I have a need to present the users with the option to either authenticate with LDAP or RADIUS. All the users go through a gateway. The only way I understand to do this is to prepend "&authlevel=0" at the end of the URL. I am wondering if there is a way to have the gateway do this automatically.
The user would enter: https://host.domain.com and this would present the user with the authentication menu for the selected modules.
We are using JES 2003Q4 (portal 6.2).
any help would be appreciated,
wiggam
Hmm, the authentication method can be chosen using "module", e.g.
<input type="hidden" name="module" value="LDAP">
in the login form.
You could put a drop-down box there or something like that.
hth Chris -
User with VPN Connections cannot connect to our Oracle Database
Hi Everyone,
I am facing a problem today with our Production Database.
Users in our branches using a VPN connection cannot connect to our Oracle Database.
Checking the alert log, I saw this message:
Fatal NI connect error 12170.
VERSION INFORMATION:
TNS for Linux: Version 11.2.0.3.0 - Production
Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production
TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production
Time: 13-AUG-2013 13:08:42
Tracing not turned on.
Tns error struct:
ns main err code: 12535
TNS-12535: TNS:operation timed out
ns secondary err code: 12560
nt main err code: 505
TNS-00505: Operation timed out
nt secondary err code: 110
nt OS err code: 0
Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.131)(PORT=1137))
We are using Oracle 11gR2 Database running OEL 6
Kindly help us to solve this.
Thank you
Hi Dude,
My firewall is disabled on my DB host.
I also checked the firewall on the client end and it is also disabled.
I also talked to my Network Administrator about adjusting the router and firewall to allow port 1521 to accept connections, but still unsuccessful.
What seems to be the problem? -
Authenticating Unix users with LEAP
Scenario : WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords are successfully imported on ACS database with the csutil utility.
Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
WLANs are increasingly used on places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
Thanks in advance
I know it's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
An ugly workaround would be to set up User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course. -
Kerberos Authentication - more than one user with same sAMAccountName
I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How to resolve issue regarding multiple users with same account ID (same sAMAccountName) under different domains?
We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname. This was a wise decision, as SPNego does fail for a variety of reasons. The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
Andrew Castillo -
Authentication for easy vpn users using windows ad and xauth on pix firewa
Hi
We need to authenticate the VPN client users from Windows, with the PIX as the network device where all the VPN configuration is done.
We need accounting for those VPN users.
Thanks
Manish Gaur
Please guide me
Manish,
Which version of the PIX OS are you running, 6.x.x or 7.x.x? If you're using 6 you have to use RADIUS. Follow this guide for RADIUS:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
For the actual PIX configuration it's easiest to run through the VPN wizard in PDM (PIX Device Manager).
The RADIUS guide should work for 7.0 if you run the ASDM wizard for the VPN portion.
Patrick
Please rate any posts that are helpful.