Cisco ACS 4.2 and Radius authentication?

Similar Messages

• User authentication in Cisco ACS by adding external RADIUS database

  Hi,
  I would like to configure the below setup:
  End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
  Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
  ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
  Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
  Any help on this would be really grateful to me.
  Thanks and Regards,
  Rahul.

  Thanks Ajay,
  As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
  Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
  By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
  -> In external user databases, i have added a external RADIUS token server.
  -> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
  -> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
  Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
  Here is what i found in "Failed attempts" logs under Reports and activities.
  Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
  02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
  Filtering is not applied.
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  02/28/2012
  00:42:18
  Unknown NAS
  (Unknown)
  10.204.124.71
  02/28/2012
  00:41:33
  Unknown NAS
  (Unknown)
  10.204.124.71
  02/28/2012
  00:31:52
  Unknown NAS
  Am i missing any thing in configuration side with respect to ACS?
  Thanks

• ACS 4.0.2 Radius Authentication Setup

  Dear Experts,
  I am having ACS 4.0.2 in my network, which I want to use for 802.1x Radius Authentication for Clients on PEAP-MSCHAPv2 methodology.
  As per the documentation " EAP Authentication with RADIUS Server",  Doc ID: 44844
  I have configured Network Configuration and populated AAA client IP range and Secret Key.
  Question1:
  Under Authenticate Using option, there are various RADIUS flavors available for selection. For a Non Cisco AAA client, should I select RADIUS IETF?
  Question 2:
  In the above snap shot, It has an option called Global Authentication Setup, where we can setup EAP configuration. Under PEAP subsection there is an option to "Allow EAP-MSCHAPv2" check box.
  After checking that, is a restart required to the ACS Server? Would it cause any disruptions to the existing services on the ACS?
  Kindly help as it is not mentioned in the documentation available with me.
  Regards,
  Karthik

  Hello,
  As per the ASCII and HEXA settings concern you might want to ignore those fields and leave them as they are by default.
  As per the "Bad request from NAS" and "Invalid message authenticator in EAP request" it is 99% of the times a Shared Secret Mismatch.
  Under the ACS Interface Configuration > Advanced Options > Is the Network Device Groups option enabled? If yes, please check the Shared Secret Key at the NDG level where the device was created. Remember the NDG Shared Secret takes precedence over the one configured on the AAA Client entry itself.
  Attaching an Example:
  AAA client with Shared Secret as "Cisco123":
  NDG Entry (which allocates AAA clients) with Shared Secret as "cisco"
  In order to check the NDG Shared Secret go to Network Configuration > Click the appropriate NDG > Scroll to the bottom and click on Edit Properties.:

• VPN 3000 and Radius authentication/authorization

  hello.
  I have to configure RADIUS authentication
  with a VPN 3000 concentrator.
  I'm completely new with this product
  (the concentrator).
  It seems that, if I want to perform authentication
  of username and password with Radius, then I also have to download the entire VPN configuration from the same Radius, using the attibute set loaded with the appropriate dictionary.
  am I rigth with this supposition?
  I mean: should be possible to authenticate only an username and password externally on RADIUS, while continuing to mantain the user (or group) VPN configuration locally in the concentrator?
  thank you.
  Davide

  No, downloading the entire VPN configuration from the RADIUS server is not necessary. If you are new to configuring VPN's on concentrators or the Concentrator iself, having a look at the support page will be agood idea. It is accessible at http://www.cisco.com/pcgi-bin/Support/browse/psp_view.pl?p=Hardware:Cisco_VPN_3000_Concentrator

• BBSM and RADIUS Authenticated Session Limits

  I have setup a BBSM System with RADIUS authentication, the authentication traffic is passed to a seperate RSA Box to authenticate user using fobs and everything works fine.
  My question is how do I limited the time a user can have a onnection to the BBSM without having to re-authentication

  If you are using the 'Access Code' pageset, when the 'Stop Date and Time' of the Access
  Code is reached, all currently connected users who have used that Access Code, are
  disconnected.
  When you define an Access Code, you define a 'Start Date and Time' and a 'Stop Date and
  Time' for the Access Code. All users who have Connected by using that Access Code will be disconnected when that Date/Time is reached.
  Please refer to
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_ch
  apter09186a0080192294.html#1038530
  for more information on Access Codes.
  HTH,
  -Joe

• EAP Chaining with Cisco ACS 5.x and the Cisco Anyconnect NAM Client

  Hi Guys,
  Whilst I’m well aware of the limitations of the built in the windows Wireless 802.1x supplicant. Is there a way, using the NAM client to authenticate both a computer and a user simultaneously, when used for authentication to wireless networks?
  As has been posted many times before on this forum, this isn’t possible due to windows not authenticating with the 'computer account' whilst the user is logged in, but with the NAM client it seems possible to do both user and computer authentication based on the options it gives you with EAP-Fast and 'EAP Chaining'.
  Can anyone validate this is possible? I have the design guide for exactly this for Cisco ISE but i need it to work on ACS (5.x).
  Thanks in advance.
  SteveH

  Bobby, I ran into the same issue with the "15015 Could not find ID Store" issue.  It turned out to be an issue with communication between the ACS and AD.  It looked like AD was connected successfully, but until I rebooted ACS, I kept getting the same error.  It was like it couldn't see the AD security groups even though it could scan the AD tree successfully.
  So, try rebooting ACS if you haven't already and see if that resolves the error.

• Cisco ISE with TACACS+ and RADIUS both?

  Hello,
  I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
  Bob

  Hello Robert,
  I believe NO, they both won't work together as both TACACS and Radius are different technologies.
  It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
  For your reference, I am sharing the link for the difference between TACACS and Radius.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
  Moreover, Please review the information as well.
  Compare TACACS+ and RADIUS
  These sections compare several features of TACACS+ and RADIUS.
  UDP and TCP
  RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
  TCP transport offers:
  TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
  Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
  TCP is more scalable and adapts to growing, as well as congested, networks.
  Packet Encryption
  RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
  TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
  Authentication and Authorization
  RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
  TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
  During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
  Multiprotocol Support
  RADIUS does not support these protocols:
  AppleTalk Remote Access (ARA) protocol
  NetBIOS Frame Protocol Control protocol
  Novell Asynchronous Services Interface (NASI)
  X.25 PAD connection
  TACACS+ offers multiprotocol support.
  Router Management
  RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
  TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
  Interoperability
  Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
  Traffic
  Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

• Cisco ACS 5.1 and MAC address identification/quarantining

  A client is rolling out ACS 5.1, with the eventual intent of customization network access based on Active Directory credentials (user/group, etc) – ACL’s and VLAN restrictions will be implemented as part of a “2nd phase” deployment.   For NOW, all they want is the ability to isolate devices connecting to the network by MAC address, meaning: if it’s a recognized MAC address (corporate asset), then allow full access through the port.  If it’s NOT a recognized MAC address (non-corporate asset), then place it in the guest network/VLAN.
  I’m familiar with ACS operation, configuration of policies and authorization rules, and MAC Authentication Bypass (for devices that should not have to authenticate to gain access).  What I don’t know for sure (and haven’t yet been able to find), is if ACS has the ability to react simply to the MAC address and quarantine that host into a guest network.
  Please confirm, and as always, reference links/docs are appreciated.

  Hi,
  The goal you want to achieve is possible but not with MAB.
  What you want can easily be done if you do machine authentication rather then MAB.
  With machine authentication you can have something called Machine Access Restriction, which mean that both machine and user authentication has to be done, for the user to have access to the network.
  In this scenario, whenever a user tries to log in via dot1x, the ACS checks the machine on which the user is logging in, and the user authentication is only successfull if the machine authentication was successfull.
  For this to work you have to register the machines in the domain as well as the users.
  Machines that do not exist on the domain, will fail machine authentication, and no user will be allowed to login in that machine.
  To configure this on the ACS you simply have to go to the Authorization part of the Access Policy, clic "Customize" and add the "Condition" "Was machine authenticated", as I show in the image below:
  Then, you create a new Rule and this Condition will be available:
  On the client side you need to make sure that they do dot1x machines authentication.
  This allows you a very fast way of securing both machines and users, so that only trusted machines (that exist in the domain) are allowed on the network and users can only access network by logging in from a trusted machine.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• How to add a switch to acs for login and ads authentication

  Hi all
  I want to add my switch so that it authenticates to my acs for login auth, I have done the switch end, using radius, also added the switch on the acs, how do I force the acs to use windows auth for this login?  do i just go under the network config where the device is and tick the box saying use windows database for authentication, and then do a group mapping ?
  cheers

  Hi,
  Easiest way is to download the table eg into an Excel table (if possible) or text table. Drop the table from the database. Build your table with the new key field. Build the database table again and fill it.
  You can do it also over the database into a new table. Drop the old one. Build the enhanced one and fill it. Afterwards drop your (temporary) table.
  Maybe there are other ways, but this works.
  Success,
  Rob

• Is CISCO ACS server same as RADIUS server?

  Please advise.
  if not, wats the difference between them?

  The ACS server suite includes a RADIUS service (and TACACS+).
  http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html
  Good Luck
  Scott

• Cisco ACS v4.2 and WAAS CM

  I have been mulling over this issue on and off for some time now.  I have an ACS server which i am using to authenticate both the AE units and the central manager.  TACACS+ works perfectly with regards to authenticating via the CLI, but i am having trouble with getting the web GUI access to that same group in the ACS server.  I am running 4.1.5c on the WAAS CM.
       I have read through the configuration documents and have made a user group named exactly as it is on the ACS server, and have assigned that group an admin role and privileges over all of my units including the CM.  So far i have enabled these options in my TACACS+ settings:
  shell(exec)
  Privilege level (assigned to 15)
  I am assuming that i have to add a web command under "Unmatched Cisco IOS commands," but I cannot find any documentation as to which arguments i need to pass to it.
  If anyone could help me with this i would appreciate it.

  Have you created individual user accounts in the Central Manager that match the user ID on you ACs system?  If the user does not have an account in the CM under Admin>AAA>Users then they will probalby get logged in to the CM but will have no privileges.

• ACS 5.4 and machine authentication

  Hi,
  I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
  I have Authorization profile created as shown in attachement.
  Under authorization profile i have selcted "Was Machine Authenticated=True"Condition.
  Somehow clients are not able to connect. When I looked at logs on ACS it shows that the requests are not matching this rule bu default rule.
  As soon as I disable this condition, user gets connected
  I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
  Any Suggesions?
  Regards,
  Shivaji

  Shivaji,
  The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
  When successful machine authentication occurs there is a MAR cache within ACS uses to track the mac address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication which will not succeed.
  In my experience it is best to set this in environments where users' can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
  I hope this bring some clarification to Edward's recommendation.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ACS 4.2 and Windows 2008 R2 CA

  Has anyone been successfully in getting a cert off of a 2008 R2 CA and imported correct in to ACS 4.2?  I've had and have seen other have the problem with creating a web server certificate from R2 (1024 bit) and putting it in ACS 4.2 only to have HTTPS/SSL no longer work correctly.  I haven't even tested the intended purpose of the cert (EAP-TLS) yet, so who knows if that works.  I've also seen through searching where some one was able to take a 2003 CA web server template and put it into R2 and it work, but I know longer have 2003 available?  Any ideas?
  Thanks,
  Raun

  I have seen issues where the template on the R2 boxes are using elliptical curve cryptography, basically if the template has a '#" charcter in it is what I think causes this process to be used. Try to use a template that doesnt have this in the front and then try to generate a cert against the template you created.
  Here is a snip of the guide that I am forwarding you:
  Determining Whether to Implement Cryptography Next Generation Algorithms
  For Windows Server 2008–based version 3 certificate  templates, the option exists to configure advanced cryptographic  algorithms such as elliptic curve cryptography (ECC). Before configuring  these settings, ensure that the operating systems and applications  deployed in your environment can support these cryptographic algorithms.
  http://technet.microsoft.com/en-us/library/cc731705%28v=ws.10%29.aspx
  Screenshots in another article:
  http://technet.microsoft.com/en-us/library/cc725621%28v=ws.10%29.aspx
  Thanks,
  Tarik Admani

• Using Cisco ACS for Solaris login authentication

  Hi all
  I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
  Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
  Thanks, David

  Hard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.

• Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

  Dear all,
  Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
  Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
  Best regards,
  Piotr

  If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
  I am sorry if I am not able to help but I am not using the anyconnect for production.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"