Cat3560 and AAA Authentication

Hello guys,
I tried to configure the CAT3560 Switch with IAS Windows 2003 AD authentication without success. Is it possible at all??
If so, do I have to use Standard RADIUS in the Win 2003 IAS or Vendor specific type. I was looking in Internet and got some opinions this is not possible.
However, I am looking for a way to authenticate all admins that touch the devices in AD 2003. Any help would be highly appreciated.
Regards,

Hi,
Please see the attached doc. It should help you in achieving your goal.
Regards,
~JG
Do rate helpful posts

Similar Messages

  • 3rd party Certificate and AAA Authentication

    I am using a cisco asa5520 and i have set up remote access vpn with an AnyConnect connection profile.
    In the connection profile i have set up that users should authenticate using both certificate and AAA.
    Due to a high security requirement, the user certificate is issued from a 3rd party.
    This is working fine and the user now need a valid certificate and a username/password to authenticate successfully.
    I added the CA certificate as a associated trustpoint on the ASA box to get the certificate verification working.
    Problem:
    If Jane and Joe both have a valid certificate AND a valid username/password, Jane could authenticate using a combination of Joe's certificate and Jane's username/password. Both are valid (in isolation), but I only want Jane to be able to authenticate with her username/password and her personal certificate.
    I got an idea that I could put the serial number of the user's certificate on the user object in AD (in the user's department field or something like that) and check if this value matches during authentication.
    So, to sum things up, I want to compare the Serial Number (SER) field of the user's certificate with a field on the user object in AD during authentication. As far as I can see, the user would need a valid certificate and a valid username/password to authenticate. The user would also be authenticated only if the serial field matches the value on the user object in AD.
    I am happy for any help that could point me in the right direction on how to accomplish this.
    Best regards,
    Kenneth

    I actually got a better idea, and I think this will work great!
    One of the guys at work pointed out that the sAMAccountName is still used in many areas even though it is called pre-Windows 2000.
    After some trying and failing I got the idea that I should try to change the "Naming Attribute(s)" on the defined AAA (LDAP) server under "AAA server groups".
    So I changed the Naming Attribute to "department" and put in the certificate serial number. I changed the connection profile and specified that it should use the "SER" value from the certificate as the username. After that I tried to log in, and voila:
    [123] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [department=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [123] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    The LDAP debug is clear: the LDAP query during authentication is now searching for the user using the department field, looking for the value of the serial number from my certificate.
    I wasn't quite happy about using the "department" field, so I took a look at the user object looking for a more suitable attribute. To my surprise the user has got a "serialNumber" attribute, and it can hold multiple values. I changed the "Naming Attribute(s)" from "department" to "serialNumber" and added the serial number from the certificate to the "serialNumber" attribute on the user object:
    [138] LDAP Search:
            Base DN = [dc=Testlab,dc=local]
            Filter  = [serialNumber=xxxx-xxxx-xxxxxxxxx]
            Scope   = [SUBTREE]
    [138] User DN = [CN=Peter Pan,OU=Wonderland,DC=testlab,DC=local]
    Worked like a charm!
    I will settle for this solution; I can't see any issues regarding security, and it will be a breeze to admin. I will make a tool now so I can search for users in AD and update/view this attribute on the user objects.
    Thank you for the input Marcin
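The lookup the post above arrives at, as an added example that is not part of the original thread or of any Cisco code: the value taken from the certificate is used to search the LDAP naming attribute, and only the matched object's password is then checked, so a certificate belonging to one account cannot be paired with the password of another. The directory entries, DNs, serial values and passwords are constructed for the demo. The RFC 4515 escaping is included because the serial is text taken from whatever certificate the client presents and ends up inside an LDAP search filter. One caveat to keep in mind with this design: X.509 serial numbers are only unique per issuing CA, so the mapping relies on the ASA trustpoint accepting certificates from that single third-party CA.

```python
from dataclasses import dataclass, field

# RFC 4515 escaping for values placed in an LDAP search filter. The certificate
# serial is text taken from whatever certificate the client presents, so it is
# never concatenated into the filter unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(naming_attr: str, value: str) -> str:
    """The 'Filter = [serialNumber=...]' line of the ASA LDAP debug, built safely."""
    return f"({naming_attr}={escape_filter_value(value)})"


@dataclass
class UserObject:
    dn: str
    password: str
    attrs: dict = field(default_factory=dict)  # attribute name -> list of values


# Constructed directory (an assumption of this example): two users, each with one
# certificate serial stored in the multi-valued serialNumber attribute.
DIRECTORY = [
    UserObject("CN=Jane,OU=Wonderland,DC=testlab,DC=local", "jane-pw",
               {"sAMAccountName": ["jane"], "serialNumber": ["1111-aaaa-0001"]}),
    UserObject("CN=Joe,OU=Wonderland,DC=testlab,DC=local", "joe-pw",
               {"sAMAccountName": ["joe"], "serialNumber": ["2222-bbbb-0002"]}),
]


def ldap_search(naming_attr: str, value: str) -> list:
    """Subtree search with an equality filter: exact match against any value of
    the attribute, which is why an LDAP wildcard such as '*' has no effect here."""
    return [u for u in DIRECTORY if value in u.attrs.get(naming_attr, [])]


def authenticate(cert_serial: str, password: str, naming_attr: str = "serialNumber"):
    """Returns the User DN on success, None otherwise. The username comes from the
    certificate (pre-fill), not from the user, so a valid password for account X
    presented together with account Y's certificate binds as Y and fails."""
    matches = ldap_search(naming_attr, cert_serial)
    if len(matches) != 1:          # no object, or the value is not unique: refuse
        return None
    user = matches[0]
    if user.password != password:  # the bind as the matched DN fails
        return None
    return user.dn
```

Run `authenticate("2222-bbbb-0002", "jane-pw")` to see the Joe-certificate-plus-Jane-password case refused, and `build_search_filter("serialNumber", "*)(cn=*")` to see what an unescaped value would otherwise have done to the filter.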

  • Can anyone recommend a good document for Cisco IDS and AAA

    I need some basic tutorial for Cisco IDS and AAA. can anyone recommend any document for it?
    thanks

    The Cisco IDS/IPS sensors do not perform any AAA functions. You cannot validate a user/password externally.

  • VPN Client and AAA services on a Cisco ISR Router

    Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
    So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
    1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
    2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
    3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
    4.  Are there helpful articles I can read that will answer some or all of these questions? 
    Thanks in advance,
    Jim

    Hi Jim,
    Congratulations!
    Assuming a basic setup, your router will have something like this:
    crypto isakmp client configuration group MyGroup
      key cisco123
    So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
    I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
    Does this help?
    Herbert

  • Mobility Anchor and AAA Override VLAN Assignment

    Hello,
    I read some document 2 years ago that dynamic VLAN assignment was not possible with Anchored WLANs. Please I would like to know if this is now possible. The network setup would be as follows:
    1. Foreign and Anchor WLC (5508) with single SSID for both guest and internal users
    2. Cisco ISE 1.2 performing AAA override with VLAN tag based on AD group. Guest will go to VLAN for guest after web authentication.
    Please a speedy response would be helpful.

    Hi grabonlee,
    We have been running an anchor with VLAN override for our Guest services. Works well. The VLAN needs to be defined on both the anchor and the foreign. We are running 7.6.120 code.

  • ISE and AAA configuration

    Hi Guys,
    I am using ISE with only one server as primary, and as Cisco says it has the functionality of (ACS + NAC). I want to enable AAA services on the ISE box right now.
    I used ACS earlier and want to configure the same functions on it:
    Authentication of devices from ISE when remotely logging in to routers/switches/firewalls.
    Authorization of commands from ISE based on user login.
    Accounting of commands and login and logout details of users.
    I have very basic knowledge of ISE but I used ACS thoroughly.
    Please Help  in the above issue.
    Thanks in Advance
    Regards

    Can you give any link where it shows TACACS is not supported?
    You find that amongst others in the Q&A:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Can you tell where need to enable these settings for AAA services.
    That's a quite complex thing ... Best you start with the ISE policies:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_authz_polprfls.html
    Then look at the ACS migration-tool:
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/migration_guide/ise104_mig_book.html
    But don't expect that the tool will migrate your ACS policies in a useful way ... There is much handwork involved to end up with a good ISE policy.

  • AnyConnect SSL-client Certificate AND AAA RADIUS

    Hi All,
    I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
    I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
    Here are some relevant log messages I'm getting:
    Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
    Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
    Certificate chain was successfully validated with warning, revocation status was not checked.
    Tunnel group search using certificate maps failed for peer certificate:  serial number: 5C7DB8EB000000xxxxxx, subject name:  cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name:  cn=Cisco Manufacturing CA,o=Cisco Systems.
    Device completed SSL handshake with client outside:72.91.xx.xx/42501
    Group SSLClientProfile: Authenticating ssl-client connection from  72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client  certificate
    Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to  identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by  appliance
    Relevant Config:
    tunnel-group SSLClientProfile type remote-access
    tunnel-group SSLClientProfile general-attributes
    authentication-server-group RADIUS
    default-group-policy GroupPolicy1
    tunnel-group SSLClientProfile webvpn-attributes
    authentication aaa certificate
    radius-reject-message
    pre-fill-username ssl-client
    group-alias SSLClientProfile enable
    group-url https://URL enable
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    wins-server none
    dns-server value <ip1> <ip2>
    vpn-tunnel-protocol ssl-client
    default-domain value xxxxxxxx
    address-pools value VPNPOOL
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.102.242
    key *****
    aaa-server RADIUS (inside) host 192.168.240.242
    key *****
    ASA version 8.4
    What am I doing wrong? It will not send the request to the AAA server, which is very much frustrating me...

    Progress....
    I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?
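What the ASA in this thread (or the Catalyst 3560 in the first post) actually puts on the wire once a RADIUS server group is used for authentication, as an added example in Python rather than code from the thread or from Cisco: an Access-Request carrying User-Name (here the CN pre-filled from the phone certificate), a User-Password hidden with the RFC 2865 MD5 scheme, and the Response Authenticator check that the NAS performs on the Access-Accept, which is what stops a spoofed UDP reply from being accepted as a successful login. The shared secret, NAS address, username and password below are constructed for the demo.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. This is obfuscation keyed on the
    shared secret, not encryption; it is why the secret must be long and random."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as performed on the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")   # drops the padding (and any trailing NULs of the password)


def build_access_request(username: str, password: str, secret: bytes, nas_ip: str,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Access-Request as a NAS sends it. The Request Authenticator must be
    unpredictable: it keys both the password hiding and the reply check."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + length])
        pos += length
    return attrs


def server_check(packet: bytes, secret: bytes, expected_user: str, expected_pw: str) -> bool:
    """Server side: recover the credentials and compare them with the expected pair."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    attrs = parse_attributes(packet)
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    user = attrs[USER_NAME][0].decode(errors="replace")
    pw = reveal_password(attrs[USER_PASSWORD][0], secret, packet[4:20])
    return user == expected_user and pw == expected_pw.encode()


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """NAS side: a reply with a wrong Identifier or Response Authenticator is
    dropped, which keeps a spoofed UDP Access-Accept from granting access."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]
```

Wrong shared secret on either side shows up as the password failing to recover (server side) or the Response Authenticator failing to verify (NAS side); a packet capture will show the request leaving the NAS in both cases, so "no request seen" and "request rejected" are distinct failures worth separating when debugging a setup like the one above.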

  • WLC and AAA - one SSID and more VLANs

    Hi,
    I have an ACS 4.1, AP1242, WLC4404 and Catalyst 3750, and a Win2003 DHCP server.
    Switch Interface Config:
    interface Vlan10
    ip address 10.70.170.1 255.255.255.0
    ip helper-address 192.168.12.10
    interface Vlan20
    ip address 10.70.171.1 255.255.255.0
    ip helper-address 192.168.12.10
    At the WLC I have configured one SSID with
    - Allow AAA Override
    - Layer2 Sec: [WPA1,TKIP+WPA2,AES]
    - ACS 4.1 AAA
    - Key Management: 802.1x
    One SSID mapped to the management interface, and 2 VLANs with different interfaces:
    VLAN-ID1: 10
    Interface-1:
    IP Address 10.70.170.2
    Netmask 255.255.255.0
    Gateway 10.70.170.1
    DHCP: 192.168.12.10
    VLAN-ID2: 20
    Interface-2:
    IP Address 10.70.171.2
    Netmask 255.255.255.0
    Gateway 10.70.171.1
    DHCP: 192.168.12.10
    At the ACS I have 2 users and two groups, Group1-User1 and Group2-User2, with the AAA attributes to change the VLAN on login:
    [006] Service-Type: Authenticate only
    [064] Tunnel-Type: VLAN
    [065] Tunnel-Medium-Type: 802
    [081] Tunnel-Private-Group-ID: <VLAN-ID-1> or <VLAN-ID-2>
    My problem is that the user authenticates successfully, and the VLAN and interface assignment is also correct,
    but the IP address that the user gets is always from the IP range of Interface2 (VLAN20). So when USER2 authenticates, he gets VLAN2,
    the right interface and the right IP address, and the communication is right.
    But USER1 gets Interface1 and VLAN10, but the IP from Interface2 (VLAN20).
    What can it be?
    thx

    FYI - If you're using ACS v4.1, you can also achieve this using the Airespace Attributes, by specifying the WLC interface name in the appropriate section.
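The three attributes listed in the ACS group setup above, [064] Tunnel-Type, [065] Tunnel-Medium-Type and [081] Tunnel-Private-Group-ID, are tagged attributes (RFC 2868): the two integer ones carry a tag in their first octet and the VLAN ID travels as a string. The block below is an added example, not code from the thread or from any Cisco product. It encodes the three attributes the way a RADIUS server would place them in an Access-Accept and decodes them the way a NAS should, accepting a VLAN only when all three pairs carry the same tag, the type is VLAN (13), the medium is 802 (6) and the ID is in 1..4094. The VLAN numbers 10 and 20 are the ones from the post; everything else is constructed.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6       # IANA values used for VLAN assignment


def avp(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tunnel_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: tag in the top octet, value in the low 3 octets."""
    return avp(attr_type, struct.pack("!I", (tag << 24) | (value & 0xFFFFFF)))


def tunnel_str(attr_type: int, tag: int, value: bytes) -> bytes:
    """Tagged string attribute: one leading tag octet (0x01..0x1F), then the string."""
    return avp(attr_type, bytes([tag]) + value)


def encode_vlan_override(vlan_id: int, tag: int = 1) -> bytes:
    """The attribute set a RADIUS server returns to assign a VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    if not 1 <= tag <= 0x1F:
        raise ValueError("tag must be 1..31")
    return (tunnel_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
            + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode()))


def parse_attributes(blob: bytes) -> list:
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def split_tag(attr_type: int, value: bytes):
    """Separate the RFC 2868 tag from the attribute's real value."""
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tunnel integer attribute must be 4 octets")
        n = struct.unpack("!I", value)[0]
        return n >> 24, n & 0xFFFFFF
    if value and value[0] <= 0x1F:      # tagged string
        return value[0], value[1:]
    return 0, value                      # untagged string


def vlan_from_accept(attrs: bytes):
    """NAS-side decoding: the VLAN to assign, or None when the Access-Accept does
    not carry a consistent VLAN assignment (wrong type or medium, tags that do
    not line up across the three attributes, or a group ID that is not a VLAN)."""
    by_tag = {}
    for attr_type, value in parse_attributes(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, real = split_tag(attr_type, value)
            by_tag.setdefault(tag, {})[attr_type] = real
    for group in by_tag.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID]
            if gid.isdigit() and 1 <= int(gid) <= 4094:
                return int(gid)
    return None
```

A mismatch in tags or a non-numeric group ID is rejected rather than guessed; in the scenario above the VLAN and interface assignment is already correct, so the attributes are arriving intact and the remaining problem sits on the DHCP side of the WLC interfaces rather than in the RADIUS reply.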

  • WLC 5508 and AAA accounting

    Hello,
    Does anyone know if a WLC 5508 can tie into AAA accounting in order to enable departmental chargeback for WLAN services ?  (keep track of usage by department, and charge accordingly)

    Thank you Nick. (I think you have answered another post of mine)
    I feel like all I do is ask ask ask, I need to start answering ?'s ....maybe after a couple hundred posts will I know enough to be helpful

  • WLC 5508 and AAA server

    Hello all,
    Quick question (couldn't find answer on google).
    Can the Cisco Wireless LAN Controller model 5508 act as an AAA server, or does that require a separate device/server/appliance?
    My initial answer to this question was yes, if running in local EAP mode...
    Anybody?

    Thank you both.  I love this forum   I am working as an intern with my current company; but no stranger to IT.  The pay is humbling, but I am learning fast and this forum has really helped accelerate my learning.  I thought having a CCNA along would get me the good job, but nothing beats experience.
    Thanks again!

  • RSA tokens and AAA

    I have an RSA ACE server and would like to use it for console port and VTY port access. Does AAA support this, and if so, what does the config look like? I have done it with ACS, but would like to try it just going directly to the RSA SecurID server, letting the server pop the login, and then I just poke in my Passcode and Token PIN. Anyone done this yet?

    Very simple:
    1- install RSA Server on host A,
    2- install ACS server on host B,
    3- create an agent host on host A with host B's IP address,
    4- copy the sdconf.rec file over to the %Windows%\system32 directory of host B,
    5- install RSA agent software on host B,
    6- create an RSA user on host A,
    7- use the RSA test utility on host B to test authentication from host B over to host A,
    8- configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, in the External database section,
    9- run the log monitor on host A (the RSA server),
    10- try to log into a router,
    11- enter the username created in step 6; you should see that you are able to authenticate with the RSA SecurID and ACS integration.
    Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on the RSA server. Next-PIN mode only works with RADIUS.
    Easy, right?

  • ASA in MultiContext mode and AAA

    Hi
    I have two firewalls (ASA5540, ver 8.2); one configured in multi mode (called A) and the second configured in single mode (called B).
    I have Cisco ACS set up to perform AAA for both firewalls. Both (A, B) can authenticate using ACS (TACACS+) no problem. Local authorization is set up as fallback if ACS does not work.
    For firewall A (single mode) the ACS can perform authentication, authorization and accounting. I have set up read-only and full-access groups in ACS to provide read-only (only limited show commands available) and full access (read/write) to the firewalls. This works very well.
    Firewall B (in multi mode) can provide authentication and accounting OK (not all accounting info, but some login messages are available), but cannot provide authorization. Simple: that option is not available in ASDM (user setup/AAA) and only LOCAL is available for authorization.
    Entering from the CLI "aaa authorization command TACACS-ACS LOCAL" on firewall B, the message back says that only tacacs+ and local methods are available.
    Entering "aaa authorization command tacacs+ local" on firewall B, the message back says that the local method is not defined, but the tacacs+ argument does not bring any errors.
    Below are the commands entered in firewall A, which are working fine:
    aaa-server RADIUS-ACS protocol radius
    aaa-server RADIUS-ACS (inside) host 1.1.1.2
    key xxxxx
    aaa-server TACACS-ACS protocol tacacs+
    aaa-server TACACS-ACS (inside) host 1.1.1.2
    key xxxxx
    aaa authentication ssh console TACACS-ACS LOCAL
    aaa authentication http console TACACS-ACS LOCAL
    aaa authentication enable console RADIUS-ACS LOCAL
    aaa authorization command TACACS-ACS LOCAL
    aaa accounting ssh console RADIUS-ACS
    aaa accounting command TACACS-ACS
    aaa accounting telnet console RADIUS-ACS
    Questions: does a multi-mode firewall behave differently than single mode when it comes to AAA?
    If it does, how to set up AAA on a multi-context firewall? Through system, admin or individual contexts?
    What command(s) are missing from the above to make the multi-context firewall authorized by AAA?
    I am trying to avoid entering authorization commands and levels on every context individually.
    Constructive feedback appreciated.
    Regards,

    Hello,
    I guess you will have to configure the AAA configuration on individual contexts.
    The following link throws some light on the same.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    It says:
    The system execution space does not support any  AAA commands, but you can configure its own enable password, as well as  usernames in the local database to provide individual logins.
    Hope this helps.
    Regards,
    Anisha
    P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • ACE and AAA (TACACS) part 2

    Hi there,
    I have configured my ACS with a custom attribute: shell:Admin=Admin. AAA with the ACE works fine... But now I can't log in to my switches :-( I got the message "authorization failed". Here is the AAA debug from the switch:
    Jul 12 13:41:38.433 UTC: AAA: parse name=tty2 idb type=-1 tty=-1
    Jul 12 13:41:38.441 UTC: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    Jul 12 13:41:38.441 UTC: AAA/MEMORY: create_user (0x16E1F28) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='*******' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Port='tty2' list='' service=EXEC
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/EXEC: tty2 (945064986) user='*******'
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): send AV cmd*
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): found list "default"
    Jul 12 13:41:44.590 UTC: tty2 AAA/AUTHOR/EXEC (945064986): Method=tacacs+ (tacacs+)
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): user=*******
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV service=shell
    Jul 12 13:41:44.590 UTC: AAA/AUTHOR/TAC+: (945064986): send AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR (945064986): Post authorization status = PASS_ADD
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV service=shell
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV cmd*
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Processing AV shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: received unknown mandatory AV: shell:Admin=Admin
    Jul 12 13:41:44.799 UTC: AAA/AUTHOR/EXEC: Authorization FAILED
    Jul 12 13:41:46.804 UTC: AAA/MEMORY: free_user (0x16E1F28) user='*******' ruser='NULL' port='tty2' rem_addr='*******' authen_type=AS
    Any idea what's wrong ??
    Best regards Dirk

    Hi ,
    i've got the following info from a user here in the forum :
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_guide_chapter09186a0080686bbb.html#wp1519045
    [quote]
    The user profile attribute serves an important configuration function for a TACACS+ server group. If the user profile attribute is not obtained from the server during authentication, or if the profile is obtained from the server but the context name(s) in the profile do not match the context in which the user is trying to log in, the default role (Network-Monitor) and default domain (default-domain) will be assigned to the user provided the authentication is successful.
    [quote end]
    In this way i configured the ACS...
    Be careful with the attribute... because if you set it in the way the documentation describes, you will not be authorized at other devices using TACACS+.
    You have to set the attribute in this way :
    shell:* it's working for both switches / ACE
    shell:= this works only for the ACE
    Then the attribute is marked as optional and only the ACE cares about it.
    Regards Dirk
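The failure in the debug above comes down to the TACACS+ AV-pair separator: attr=value marks a pair as mandatory, attr*value marks it as optional (RFC 8907), and IOS fails the whole EXEC authorization when the server returns a mandatory attribute the device does not recognise, which is exactly the "received unknown mandatory AV: shell:Admin=Admin" line followed by "Authorization FAILED". The Python below is an added example of that rule, not code from the thread or from IOS; the list of "known" shell attributes and the AV-pair lists are constructed for the demo and stand in for the device's real attribute table.

```python
import re

PASS_ADD, FAIL = "PASS_ADD", "FAIL"

# Attributes this hypothetical NAS understands for service=shell EXEC authorization
# (an assumption of the example, not the full IOS list).
KNOWN_SHELL_ATTRS = {"priv-lvl", "autocmd", "idletime", "timeout", "acl"}

# attribute, separator, value; the separator is the mandatory/optional flag.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_av(pair: str):
    """Returns (attribute, value, mandatory): '=' is mandatory, '*' is optional."""
    m = AV_PAIR.match(pair)
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    attr, sep, value = m.groups()
    return attr, value, sep == "="


def apply_exec_authorization(server_avs, known=KNOWN_SHELL_ATTRS):
    """Apply the server's AV pairs the way the debug shows IOS doing it: known
    pairs are applied, unknown optional pairs are ignored, and the first unknown
    mandatory pair fails the whole authorization (nothing is applied then, so a
    profile built for another product never silently grants a partial result).
    Returns (status, applied, ignored)."""
    applied, ignored = {}, []
    for pair in server_avs:
        attr, value, mandatory = parse_av(pair)
        if attr in known:
            applied[attr] = value
        elif mandatory:
            # "received unknown mandatory AV: <pair>" -> Authorization FAILED
            return FAIL, {}, [pair]
        else:
            ignored.append(pair)
    return PASS_ADD, applied, ignored
```

The two calls worth comparing are `apply_exec_authorization(["priv-lvl=15", "shell:Admin=Admin"])`, which fails as in the debug, and the same list with `shell:Admin*Admin`, which passes with priv-lvl applied and the ACE-specific pair left for the ACE to interpret. Fail-closed on unknown mandatory attributes is the safe default for the device; the fix belongs on the server side, in how the attribute is marked.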

  • Flex and aaa override

    Hi!
    The current design of the network needs the following:
    All branches must have a single corporate SSID. Users in a branch must be split by function into different VLANs.
    The corporate SSID must be switched locally.
    Does FlexConnect with AAA override have the ability to map one SSID to multiple VLANs?
    I can't get confirmation of this from the documentation. All examples explain how to map a single SSID
    to a single VLAN.
    Thanks for answers!

    Yes, you can use AAA Override to assign the VLAN in FlexConnect Mode.  Below is a link to the Configuration guide.
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_01110.html#d174972e3765a1635
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Wism and aaa server communication

    Hi 
    How does a WiSM talk to the AAA server? Does the WiSM talk on behalf of the user?
    What I mean is, if there is an ACL on the interface VLAN (switch), do we need to allow the AAA server in the access list?
    Thanks 

    Yes, you should allow the AAA server in the ACL. Client data arrives in a CAPWAP tunnel between the AP and the WLC, from where it is sent to the wired network, so the communication is done by the WLC on behalf of the client.
    Usually, high level topology is like this :
    -Thanks
    Vinod
    **Encourage Contributors. RATE Them.**
