Authenticating, Authorizing VPN user with AAA

Hello,
I have an ACS 1113 (4.2) Solution Engine and an ASA 5550 which has been integrated with ACS. I need to authenticate and authorize the VPN users from ACS.
Also I need to have different access for different groups in ACS.
Please help me with this.
Thanks
Ritesh

Hi,
I am finding one problem. Well, I have done the configuration in ASA for authentication through ACS, but when I attempt to authenticate as a user I get an authentication message. Here are the commands configured in ASA and the debug messages:
Command:
aaa-server ACSCHN protocol radius
aaa-server ACSCHN (WAN) host 10.132.15.26
key _____
aaa authentication telnet console ACSCHN LOCAL
aaa authentication enable console ACSCHN LOCAL
Debug Msg:
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 868, pAcb = 1a3363f8
aaa_backend_callback: Error: sorry
AAA task: aaa_process_msg(185f00e8) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = ACSCHN, author svr = , user pol = , tunn pol =
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
None
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
aaai_internal_cb: handle is 868, pAcb is 1a3363f8, pAcb->tq.tqh_first is 1841ce20
AAA API: In aaa_close
AAA task: aaa_process_msg(185f00e8) received message type 3
In aaai_close_session (868)
Please help: why did it authenticate with the internal server and not with the ACS server?
Regards
Ritesh
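The transcript above is the tell: `AAA_BindServer: Using server:` is followed by no server name, and the very next step is `Local authentication of user wipro`. The ASA found no usable server in group ACSCHN and fell through to the `LOCAL` method listed after the group in `aaa authentication telnet console ACSCHN LOCAL`, so the internal database (which has no user `wipro`) returned REJECT. That happens when the RADIUS host is unreachable from the interface named in `aaa-server ACSCHN (WAN) host ...` or has been marked failed after earlier timeouts; `show aaa-server ACSCHN` and `test aaa-server authentication ACSCHN host 10.132.15.26 username <u> password <p>` confirm whether the ASA can reach the ACS at all. The script below is an added example, not part of the original thread: it parses a `debug aaa` transcript (the posted lines, plus a constructed successful one for contrast) and reports whether a server was bound or the request fell through to LOCAL.

```python
"""Classify one authentication attempt from ASA 'debug aaa' output.

Added example, not from the original thread.  It reads a debug transcript and
reports which server group was tried, whether the ASA actually bound a server
in that group, whether the request fell through to the LOCAL database, and the
final status.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Transcript quoted in the post (trimmed to the lines that matter).
POSTED_DEBUG = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
In localauth_ioctl
Local authentication of user wipro
callback_aaa_task: status = -1, msg =
aaa_backend_callback: Error: sorry
Back End response:
Authentication Status: -1 (REJECT)
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
Auth Status = REJECT
"""

# Constructed transcript (not from the post): what a request the ACS answered looks like.
HEALTHY_DEBUG = """\
Initiating authentication to primary server (Svr Grp: ACSCHN)
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 10.132.15.26
AAA FSM: In AAA_SendMsg
User: wipro
Resp:
Back End response:
Authentication Status: 1 (ACCEPT)
Auth Status = ACCEPT
"""

RE_GROUP = re.compile(r"\(Svr Grp: (\S+)\)")
# \S* cannot cross a newline, so an empty 'Using server:' yields ''.
RE_BIND = re.compile(r"AAA_BindServer: Using server:[ \t]*(\S*)")
RE_LOCAL = re.compile(r"Local authentication of user (\S+)")
RE_USER = re.compile(r"^[ \t]*User:[ \t]+(\S+)", re.M)
RE_STATUS = re.compile(r"Authentication Status: -?\d+ \((\w+)\)")


@dataclass
class AaaOutcome:
    server_group: Optional[str]
    bound_server: Optional[str]   # None when 'Using server:' was empty
    local_fallback: bool          # True when the local database answered
    user: Optional[str]
    status: Optional[str]

    def explain(self) -> str:
        """One-line reason for what the ASA did."""
        if self.local_fallback and self.bound_server is None:
            return (f"no server in group {self.server_group} could be bound; "
                    f"the request fell through to LOCAL, which returned {self.status}")
        if self.bound_server:
            return (f"server {self.bound_server} in group {self.server_group} "
                    f"returned {self.status}")
        return f"status {self.status} from an unknown backend"


def classify(debug_text: str) -> AaaOutcome:
    """Extract the fields above from one debug transcript."""
    group = RE_GROUP.search(debug_text)
    bind = RE_BIND.search(debug_text)
    local = RE_LOCAL.search(debug_text)
    user = RE_USER.search(debug_text)
    status = RE_STATUS.search(debug_text)
    return AaaOutcome(
        server_group=group.group(1) if group else None,
        bound_server=bind.group(1) if bind and bind.group(1) else None,
        local_fallback=local is not None,
        user=user.group(1) if user else (local.group(1) if local else None),
        status=status.group(1) if status else None,
    )


if __name__ == "__main__":
    for name, text in (("posted", POSTED_DEBUG), ("constructed", HEALTHY_DEBUG)):
        print(f"{name}: {classify(text).explain()}")
```

Feed it the output of `debug aaa authentication` / `debug radius` captured from a terminal session; a `bound_server` of `None` together with `local_fallback` is the signature of the group being down, and a reject from a bound server means the ACS itself denied the user (wrong shared secret or an unknown user on the ACS side).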

Similar Messages

  • Remote Access VPN Users with CX Active Authentication.

    I have an ASA 5515 with CX for web filtering, and have also enabled remote access VPN. All my inside users are able to get active and passive authentication correctly. But for remote access VPN users, they are redirected to the ASA external IP and CX authentication port 9000, but a blank page comes up and there is no prompt for authentication. I wasn't doing split tunneling, but now I have excluded the ASA WAN IP from the tunnel and still have the same issue.
    The CX version we have is 9.3.1.1

    Have you excluded the VPN traffic from being NATed when traffic is going between clients?
    Please post a full sanitised configuration of the router so we can check it for configuration issues.
    Please remember to select a correct answer and rate helpful posts

  • How to restrict a VPN user with a specific anyconnect profile?

    I need to assign different profiles to AnyConnect users. This is done easily with IPSec, with the group policy configured in the client. With AnyConnect I have two options:
    - Allow the user to select the connection profile: The problem here is the user can select any profile and connect with the rules and permissions configured in this profile. I do not know how to force one specific profile for each user.
    - Use the DefaultWebVPNGroup as connection profile for everybody combined with DAP. This is what I am doing now. Everybody connects with the default AnyConnect profile and I use DAP to assign each user the network ACLs, Bookmarks, etc. The problem here is that I cannot use other options that are included in the profiles or in the policies, like split tunneling or user authentication method.
    I have seen some answers about this point but none of them is clear enough. I am using ASA 5540 with 8.4(6) and Windows IAS RADIUS.
    Thanks.

    Thanks Elias. This works. Easy to configure. When I connect using the client it takes the group policy from RADIUS attribute 25 and applies it.
    Just one little problem. This doesn't work with bookmarks when the user connects with WebVPN. In the logs I can see the connection taking the correct group policy but the bookmarks from that policy are not applied. Any idea?

  • Authentication of portal users with uid on oid/ldap

    All works fine with authenticating users created on DAS that have
    dn: cn=%LDAP_USER%,cn=users,dc=edmunds,dc=com
    When I migrated user to portal schema, the auth fails. The portal schema has user dn string
    uid=%LDAP_USER%, ou=people, dc=edmunds, dc=com
    I got this dn string from export to ldif file. The portal user can log in to DAS.
    We are using HTMLdb 1.6 and I used
    LDAP Host[LDAP Test Tool] at /htmldb/f?p=4000:802 to test the parameters.
    How to make this uid dn work with AppEx?
    Thanks.

    Kenny,
    I would forget about using the is_member function for authentication until you achieve what you need directly with dbms_ldap. You can experiment with an anonymous block in SQL*Plus starting with this sample code until you can get the simple_bind_s to work with your parameters:

    set serveroutput on
    declare
        l_retval      pls_integer;
        l_retval2     pls_integer;
        l_session     dbms_ldap.session;
        l_ldap_host   varchar2(256);
        l_ldap_port   varchar2(256);
        l_ldap_user   varchar2(256) := 'FIRSTNAME_LASTNAME'; -- enter username in this format
        l_ldap_passwd varchar2(256) := 'PASSWORD';           -- enter password
        l_ldap_base   varchar2(256);
    begin
        l_retval                := -1;
        dbms_ldap.use_exception := TRUE;   -- raise an exception instead of returning an error code
        l_ldap_host             := 'ldap-host.some-domain.com';
        l_ldap_port             := '389';
        -- build the full bind DN from the bare username
        l_ldap_user             := 'cn='||l_ldap_user||',l=amer,dc=oracle,dc=com';
        l_session := dbms_ldap.init( l_ldap_host, l_ldap_port );
        l_retval  := dbms_ldap.simple_bind_s( l_session, l_ldap_user, l_ldap_passwd );
        dbms_output.put_line( 'Return value: ' || l_retval );
        l_retval2 := dbms_ldap.unbind_s( l_session );
    exception
        when others then
            dbms_output.put_line( rpad('ldap session ',25,' ') || ': ' ||
                rawtohex(substr(l_session,1,8)) || '(returned from init)' );
            dbms_output.put_line( 'error: ' || sqlerrm||' '||sqlcode );
            dbms_output.put_line( 'user: ' || l_ldap_user );
            dbms_output.put_line( 'host: ' || l_ldap_host );
            dbms_output.put_line( 'port: ' || l_ldap_port );
            l_retval  := dbms_ldap.unbind_s( l_session );   -- release the session on failure too
    end;
    /

    Scott

  • Fixed ip for vpn user- aaa authenticated

    Hi all,
    I am using an ASA 5520 as my VPN box. All VPN users log in to the VPN box associated with an AAA server. The authentication takes place on the AAA server. If I use the local database for user login, I can assign a fixed static IP to the user via its VPN properties. But now I am using AAA for authentication and I want to assign a fixed static IP for some users. How can I do this?

    With local AAA authentication,
    go to the user attributes,
    like username vpnuser attributes
    vpn-framed-ip-address 192.168.50.1 255.255.255.255
    This will give that IP to that user.
    If you are using Cisco ACS,
    under the user settings
    go to:
    Assign static IP address - If a specific IP address should be used for this user, click this option and type the IP address in the text box. The IP address assignment in User Setup overrides the IP address assignment in Group Setup.
    And the following link gives step-by-step instructions to configure Cisco ACS AAA:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007e6a6.html
    good luck
    please, if helpful Rate

  • ASA , Cisco VPN client with RADIUS authentication

    Hi,
    I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
    All seems to be working: I get connected and authenticated. However, even though I use the user name and password from Active Directory when connecting with the Cisco VPN client, I still have to provide these credentials once again when accessing domain resources.
    Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way that I enter the user name/password just once when connecting and get access to domain resources straight away?
    Thank you.
    Kind regards,
    Alex

    Hi Alex,
    It is working as it should.
    You can enable the VPN client to start VPN before logon. That way you log in to VPN and then log on to the domain. However, you are still entering credentials twice (VPN and domain), but you have access to domain resources and profiles.
    thanks
    John

  • WCS Lobby Ambassador with AAA Authentication

    We are using WCS 7.0.164.0. I configured a user as a local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts everything is alright. Now I want to change the authentication to RADIUS, so I export the Cisco lobby ambassador attributes to the RADIUS server and extend these network policies. Now I can log in as the user, authenticated from the RADIUS server, and I create guest accounts in the same way as before with local login, BUT !!! Our special guest login logo isn't shown and there is no way to upload or configure this special logo. Is there a way to configure these options for users authenticated with AAA? Thanks for any help. Bernhard

    Hi Bernhard,
    I used following doc-link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
    The trick I used is to configure the same username on TACACS+ and local, but with different passwords.
    local user: configure your special attributes like the logo
    TACACS+: configure the authentication and group
    The local user password is not the same as the TACACS+ password.
    I configured authentication in WCS section: Administration > AAA > AAA Mode Settings
    Enable fallback to local == on auth failure or no server response
    Maybe if you deselect Enable fallback to local you can only authenticate to TACACS+. But now I can authenticate with local user/password and TACACS+ user/password.
    Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
    Attributes for tacacs+ server:
    virtual-domain0=root
    role0=LobbyAmbassador
    task0=Configure Guest Users
    task1=Lobby Ambassador User Preferences
    Attributes for Radius (I never tried radius):
    Wireless-WCS:role0=LobbyAmbassador
    Wireless-WCS:task0=Configure Guest Users
    Wireless-WCS:task1=Lobby Ambassador User Preferences
    ==> I think also virtual-domain can be set.

  • Need MBAM 2.5 Helpdesk and selfservice sites to open for authenticated users with no password prompt

    I need MBAM 2.5 Helpdesk and self service sites to open for authenticated users with no password prompt. I just can't seem to get this to work. The account used in the application pool has its SPN registered and delegation set. I can use that account to log in to the sites but am prompted for a password. That said, anyone I add into the helpdesk users group cannot negotiate the sites. Only the account I have set in the application pool can. I want domain authenticated users that have been added to the MBAM Help Desk Users group to negotiate the site with NO password challenge at all.
    tconners

    This generally means that your SPN is not set up correctly. Let's say the web server you installed the SSP on is lance.contoso.com and your app pool creds are corp\lance. You should set an SPN similar to setspn -s http/lance.contoso.com corp\lance. In your browser, you should now be able to access the SSP without prompts. However, if you still get prompted, generally that means that your local intranet zone in IE does not have an entry for *.contoso.com. Since you are entering an FQDN in your browser, IE interprets the "." to mean "on the internet", which breaks Kerberos authentication. By adding *.contoso.com to your local intranet zone, you are telling it that lance.contoso.com is on the intranet, so use Kerberos.

    I can confirm that I have the exact configuration and I always get the password prompt the very first time. We have a 2-server (1x IIS and 1x SQL) infrastructure in production with the SPN set like it should be, and I get the password prompt.

  • Problem authenticating Wireless users with peap

    Good afternoon,
    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is that when I try to authenticate I get this error:
    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'
    DOT11-7-AUTH_FAILED : Station ... Authentication failed
    It shouldn't use local authentication, but the AAA server I configured.
    I looked on the internet but didn't find a working solution.
    Does anyone know why it is not working?
    Here is my running configuration:
    Current configuration : 4276 bytes
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    aaa new-model
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    eap profile peap
     method peap
    crypto pki token default removal timeout 0
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     ssid test
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    end
    Thank you

    I haven't set up autonomous APs before but I think I might see the problem. You are defining an authentication list called "eap_methods" but you never call for it in your SSID settings. Instead there you call a list named "eap_list". In addition, I think you might be missing one more command. So perhaps try this:
    dot11 ssid test
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa version 2
    guest-mode
    Hope this helps!
    Thank you for rating helpful posts!
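The mismatch the reply spotted (the SSID references `eap_list`, but only `eap_methods` and `mac_methods` are defined) is exactly what makes IOS fall back to `'Permanent Local'`: an undefined method list has no methods, so the AP silently uses local authentication and the RADIUS server is never asked. The script below is an added example, not from the original thread: it walks an autonomous-AP running-config (a trimmed copy of the one posted), records the login method lists and server groups that are defined, and reports every list an SSID references that was never defined, plus any list whose server group has no `server` entry.

```python
"""Cross-check AAA method-list names in an autonomous AP (IOS) running-config.

Added example, not from the original thread.  Reports SSID references to
undefined 'aaa authentication login' lists and login lists whose server group
is undefined or has no servers.  The sample config is trimmed from the post.
"""
import re
from collections import defaultdict

POSTED_CONFIG = """\
aaa new-model
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid test
"""

RE_GROUP = re.compile(r"aaa group server (?:radius|tacacs\+) (\S+)")
RE_LOGIN = re.compile(r"aaa authentication login (\S+) (.+)")
RE_SSID = re.compile(r"dot11 ssid (\S+)")
RE_SSID_AUTH = re.compile(r"authentication (open eap|network-eap) (\S+)")
RE_SERVER = re.compile(r"server (\S+)")


def lint_ap_aaa(config: str) -> dict:
    login_lists: dict = {}             # list name -> method tokens
    groups: dict = defaultdict(list)   # group name -> servers
    ssid_refs = []                     # (ssid, directive, list name)
    section = None                     # ('group', name) or ('ssid', name)
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0] == " "       # IOS sub-commands are indented
        line = raw.strip()
        if not indented:
            section = None             # any top-level command ends the block
            if m := RE_GROUP.match(line):
                groups[m.group(1)]     # register the group even if it stays empty
                section = ("group", m.group(1))
            elif m := RE_LOGIN.match(line):
                login_lists[m.group(1)] = m.group(2).split()
            elif m := RE_SSID.match(line):
                section = ("ssid", m.group(1))
            continue
        if section and section[0] == "group" and (m := RE_SERVER.match(line)):
            groups[section[1]].append(m.group(1))
        elif section and section[0] == "ssid" and (m := RE_SSID_AUTH.match(line)):
            ssid_refs.append((section[1], m.group(1), m.group(2)))

    undefined_lists = [ref for ref in ssid_refs if ref[2] not in login_lists]
    undefined_groups, empty_groups = [], []
    for name, methods in login_lists.items():
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods):
                g = methods[i + 1]
                if g not in groups:
                    undefined_groups.append((name, g))
                elif not groups[g]:
                    empty_groups.append((name, g))
    return {
        "login_lists": sorted(login_lists),
        "groups": {k: list(v) for k, v in groups.items()},
        "ssid_refs": ssid_refs,
        "undefined_lists": undefined_lists,
        "undefined_groups": undefined_groups,
        "empty_groups": empty_groups,
    }


if __name__ == "__main__":
    report = lint_ap_aaa(POSTED_CONFIG)
    for ssid, directive, name in report["undefined_lists"]:
        print(f"ssid {ssid}: '{directive}' references undefined list {name}")
    for lst, grp in report["undefined_groups"] + report["empty_groups"]:
        print(f"list {lst}: server group {grp} is undefined or has no servers")
```

Run it against `show running-config` output before and after the change the reply suggests; with `eap_list` replaced by `eap_methods` the `undefined_lists` entry disappears, and the `groups` map also makes it obvious that `rad_mac`, `rad_acct` and the other groups the default config creates have no servers, which is fine only as long as no list in use points at them.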

  • Authentication an admin user on AP1200 with Cisco Secure

    Hello,
    I am trying to configure RADIUS authentication for an administrator logging on to an AP1200 via HTTP. On the Cisco Secure ACS server I can see that the authentication was successful, and with a trace I can also see the 'Radius Pass' answer coming back to the AP1200.
    Unfortunately the administrator gets no access to the AP1200 web page, and the login window still asks for username/password. The log of the AP1200 does not give any error message.
    The software versions are the following:
    AP1200 version 12.02A (the last non-IOS one available)
    CiscoSecure ACS v2.6 for Windows 2000/NT
    Release 2.6(3) Build 2
    The return packet 'Radius Pass' answer coming back to the AP1200 is the following:
    0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00 |..F......w.u..E.|
    0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12 |.6.p..{.....X...|
    0020: f8 15 06 6d 06 fd 00 22 05 f3 02 2b 00 1a 95 ad |...m..."...+....|
    0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06 |.`.!Tg*`.y......|
    0040: ff ff ff ff |....|
    I suspect that the last ff ff ff ff (255.255.255.255) should be equal to the IP address of the AP1200 which was sent within the initial RADIUS request packet.
    Thanks in advance for your answer

    I had a similar problem with the 350 series. I received the following information that resolved my issues.
    Using RADIUS, you need to use the Cisco AV-Pair attribute for admin users with the following syntax:
    aironet:admin-capability=write+ident+admin+firmware
    Here is the procedure for the admin user to define the Cisco AV pair attributes.
    a) On ACS select the interface configuration and go to the advanced option,
    select "per-user Tacacs/Radius attribute", click on submit.
    b) On ACS, select network configuration,
    1) check if you have configuration >> Radius (IOS/PIX) available on the ACS;
    if not, add NAS type Radius IOS/PIX. Note that this is needed for the IOS/PIX attribute.
    2) After adding the IOS/PIX device, select interface configuration >> Radius (IOS/PIX).
    Enable the [026/009/001] "cisco av-pair" option; again make sure that you enable it
    at user and group level, click on submit.
    3) Add a user (User setup >> ADD/EDIT) to restrict administrator access control
    1) enable and configure cisco 09\001 cisco av-pair using
    aironet:admin-capability=write+ident+admin+firmware
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1073082
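Decoding the dump the question posted shows why the reply's advice applies: after the Ethernet, IP and UDP headers the RADIUS payload is `02 2b 00 1a ...`, an Access-Accept of 26 bytes whose only attribute is Framed-IP-Address (type 8) with value 255.255.255.255, which RFC 2865 defines as "let the user select an address", not an echo of the NAS address. There is no Vendor-Specific attribute (type 26) at all, so the `aironet:admin-capability` AV-pair the AP needs to grant web access is simply absent from the reply. The following script is an added example, not from the original thread: it rebuilds the frame from the hex dump, validates each layer's length field, lists the RADIUS attributes and extracts any Cisco AV-pairs (vendor 9, sub-type 1).

```python
"""Decode the Ethernet/IPv4/UDP/RADIUS frame captured in the hex dump above.

Added example, not from the original thread.  RADIUS framing, attribute
encoding and the meaning of Framed-IP-Address 255.255.255.255 follow RFC 2865;
the Cisco vendor id (9) and cisco-avpair sub-type (1) are the values the reply
refers to as [026/009/001].
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Hex dump quoted in the question (ASCII column omitted).
DUMP = """\
0000: 00 0b 46 aa a0 e8 00 a0 8e 77 de 75 08 00 45 00
0010: 00 36 0b 70 00 00 7b 11 8b 0e ac 13 58 fd ac 12
0020: f8 15 06 6d 06 fd 00 22 05 f3 02 2b 00 1a 95 ad
0030: c4 60 e7 21 54 67 2a 60 0e 79 da b1 8f a6 08 06
0040: ff ff ff ff
"""

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
CISCO_VENDOR_ID = 9
CISCO_AVPAIR_SUBTYPE = 1


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn 'offset: xx xx ... |ascii|' lines back into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        body = line.split(":", 1)[1] if ":" in line else line
        body = body.split("|", 1)[0]          # drop an ASCII column if present
        out.extend(int(tok, 16) for tok in body.split())
    return bytes(out)


@dataclass
class RadiusPacket:
    src: str
    dst: str
    sport: int
    dport: int
    code: int
    identifier: int
    length: int
    authenticator: bytes
    attributes: List[Tuple[int, bytes]]   # (type, value) in wire order


def parse_frame(frame: bytes) -> RadiusPacket:
    """Ethernet II -> IPv4 -> UDP -> RADIUS, checking every length field."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length != len(payload):
        raise ValueError("RADIUS length field disagrees with UDP payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, bytes(payload[pos + 2:pos + alen])))
        pos += alen
    return RadiusPacket(src, dst, sport, dport, code, ident, length,
                        bytes(payload[4:20]), attrs)


def describe_framed_ip(value: bytes) -> str:
    """Dotted quad plus the RFC 2865 meaning of the two reserved values."""
    addr = ".".join(map(str, value))
    if value == b"\xff\xff\xff\xff":
        return f"{addr} (RFC 2865: NAS should let the user select an address)"
    if value == b"\xff\xff\xff\xfe":
        return f"{addr} (RFC 2865: NAS should pick an address for the user)"
    return addr


def cisco_avpairs(pkt: RadiusPacket) -> List[str]:
    """Every cisco-avpair string carried in Vendor-Specific (26) attributes."""
    found = []
    for atype, value in pkt.attributes:
        if atype != 26 or len(value) < 6:
            continue
        vendor, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while len(sub) >= 2:                  # walk the vendor sub-attributes
            stype, slen = sub[0], sub[1]
            if slen < 2 or slen > len(sub):
                break
            if vendor == CISCO_VENDOR_ID and stype == CISCO_AVPAIR_SUBTYPE:
                found.append(sub[2:slen].decode("ascii", "replace"))
            sub = sub[slen:]
    return found


if __name__ == "__main__":
    pkt = parse_frame(hexdump_to_bytes(DUMP))
    print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
          f"{RADIUS_CODES.get(pkt.code, pkt.code)} id={pkt.identifier} len={pkt.length}")
    for atype, value in pkt.attributes:
        print(f"  attr {atype}: {describe_framed_ip(value) if atype == 8 else value.hex()}")
    print("cisco-avpairs:", cisco_avpairs(pkt) or "none")
```

For the posted dump this prints an Access-Accept from 172.19.88.253:1645 to 172.18.248.21:1789 with one attribute and no cisco-avpairs; once the ACS user is given the `[026/009/001]` attribute the reply suggests, the same decoder lists `aironet:admin-capability=...` under the Vendor-Specific attribute, which is the quickest way to confirm the ACS change took effect before looking at the AP again.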

  • Presenting users with authentication menu

    Hi,
    I have a need to present the users with the option to either authenticate with LDAP or RADIUS. All the users go through a gateway. The only way I understand to do this is to prepend "&authlevel=0" at the end of the URL. I am wondering if there is a way to have the gateway do this automatically.
    The user would enter: https://host.domain.com and this would present the user with the authentication menu for the selected modules.
    We are using JES 2003Q4 (portal 6.2).
    any help would be appreciated,
    wiggam

    Hmm, the authentication method can be chosen using "module", e.g.
    input type="hidden" name="module" value="LDAP"
    in the login form.
    You could put a dropdown box there or something like that.
    hth Chris

  • User with VPN Connections cannot connect to our Oracle Database

    Hi Everyone,
    I am facing a problem today with our Production Database.
    Users at our branches using a VPN connection cannot connect to our Oracle Database.
    As per checking the alert log, I saw this message
    Fatal NI connect error 12170.
      VERSION INFORMATION:
      TNS for Linux: Version 11.2.0.3.0 - Production
      Oracle Bequeath NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production
      TCP/IP NT Protocol Adapter for Linux: Version 11.2.0.3.0 - Production
      Time: 13-AUG-2013 13:08:42
      Tracing not turned on.
      Tns error struct:
        ns main err code: 12535
    TNS-12535: TNS:operation timed out
        ns secondary err code: 12560
        nt main err code: 505
    TNS-00505: Operation timed out
        nt secondary err code: 110
        nt OS err code: 0
      Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.131)(PORT=1137))
    We are using Oracle 11gR2 Database running OEL 6
    Kindly help us to solve this.
    Thank you

    Hi Dude,
    My firewall is disabled on my DB host.
    I also checked the firewall on the client end and it is also disabled.
    I also talked to my Network Administrator about adjustments in the router and firewall to allow port 1521 to accept connections, but still unsuccessful.
    What seems to be the problem?

  • Authenticating Unix users with LEAP

    Scenario : WLAN (AP350 V11.21) with LEAP authentication against an ACS V3.0 server (on W2K). Pre-existing Unix users with traditional Unix-crypted passwords. Usernames with their associated encrypted passwords are successfully imported on ACS database with the csutil utility.
    Authorization fails because LEAP uses a derivative of CHAP/MS-CHAP and it needs the plain password on the ACS side.
    WLANs are increasingly used in places like educational campuses where Unix is widely deployed. Has anyone found a solution to authenticate Unix users with LEAP?
    Thanks in advance

    I know it's not supported yet. When PEAP is added to Aironet and ACS, this problem will go away. I believe that is happening in ACS 3.1 and some future version of the Aironet software.
    An ugly workaround would be to set up User Changeable Passwords. You'd inform people with UNIX accounts that they have an ACS account created, but that wireless will not work for them until they use a LAN-based system to log in and change their ACS password. You could give them the option of using the same password, of course.

  • Kerberos Authentication - more than one user with same sAMAccountName

    I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How to resolve issue regarding multiple users with same account ID (same sAMAccountName) under different domains?

    We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname.  This was a wise decision, as SPNego does fail for a variety of reasons.  The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
    Andrew Castillo

  • Authentication for easy vpn users using windows ad and xauth on pix firewa

    Hi
    We need to authenticate the VPN client users from Windows, with the PIX as the network device where all VPN configuration is done.
    We also need accounting for those VPN users.
    Please guide me.
    Thanks
    Manish Gaur

    Manish,
    Which version of the PIX OS are you running, 6.x.x or 7.x.x? If you're using 6 you have to use RADIUS. Follow this guide for RADIUS:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml
    For the actual PIX configuration it's easiest to run through the VPN wizard in PDM (PIX Device Manager).
    The RADIUS guide should work for 7.0 if you run the ASDM wizard for the VPN portion.
    Patrick
    Please rate any posts that are helpful.
