Cisco ACS check for AD

Hi,
     Is there any way to check that the users were authenticated by AD through Cisco ACS 4.2? I have deployed Cisco ACS 4.2 with a WLC 5500; now I have to check whether the users are authenticated by ACS or by AD. Kindly guide me on how I can check it.
All users were connected and authenticated with domain user accounts.
I am confused whether ACS authenticates users from the internal database or from AD.
Kindly help me. I'll be very thankful to you.
M.Bilal Iqbal

OK, if you have a user set up in ACS in a group and it is marked "Windows", it is getting sent to AD to be authenticated. Did you check your Passed Authentications logs? There is a field called Database. This should show you whether the user is ACS or AD. If it is AD, it will have the name of your domain (the one that was set up in ACS).
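To make that log check repeatable across all users, here is an added example (not from this thread) that reads an exported Passed Authentications CSV and reports, per user, which database ACS used, and lists any user who was not authenticated by the AD domain. The column names ("User-Name", "Database") and the sample rows are constructed assumptions; match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Passed Authentications CSV export (not a real log).
# Column names are assumptions; adjust them to your export's header row.
SAMPLE_LOG = """Date,Time,Message-Type,User-Name,Group-Name,NAS-IP-Address,Database
01/15/2013,09:02:11,Authen OK,bilal,Wireless Users,10.0.0.5,CORP.LOCAL
01/15/2013,09:03:40,Authen OK,bilal,Wireless Users,10.0.0.5,CORP.LOCAL
01/15/2013,09:05:02,Authen OK,guest1,Default Group,10.0.0.5,Internal
01/15/2013,09:07:55,Authen OK,CORP\\jdoe,Wireless Users,10.0.0.5,CORP.LOCAL
01/15/2013,09:09:13,Authen OK,admin,Admins,10.0.0.5,Internal
"""


def tally_databases(csv_text, user_col="User-Name", db_col="Database"):
    """Return {user: {database: count}} from a Passed Authentications export."""
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Strip a DOMAIN\ prefix so the same account is not counted twice.
        user = row[user_col].split("\\")[-1].strip().lower()
        counts[user][row[db_col].strip()] += 1
    return {u: dict(d) for u, d in counts.items()}


def users_not_on_domain(csv_text, domain, **cols):
    """Users with at least one passed authentication that did not come from the AD domain."""
    tally = tally_databases(csv_text, **cols)
    return sorted(u for u, dbs in tally.items()
                  if any(db.upper() != domain.upper() for db in dbs))


def load_export(path):
    """Read an exported CSV file from disk (newline='' as the csv module expects)."""
    with open(path, newline="") as fh:
        return fh.read()


if __name__ == "__main__":
    for user, dbs in sorted(tally_databases(SAMPLE_LOG).items()):
        print(f"{user:12s} {dbs}")
    print("not authenticated by AD:", users_not_on_domain(SAMPLE_LOG, "CORP.LOCAL"))
```

Run it against a real export with `users_not_on_domain(load_export("passed.csv"), "YOURDOMAIN")` to get the list of accounts that hit the internal database instead of AD.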

Similar Messages

  • RSA SecurID and Cisco ACS integration for user(s) with enable mode

    I thought I had this problem figured out but I guess not.
    I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
    router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
    I use tacacs+ authentication for logging into the Cisco router
    such as telnet and ssh. In the ACS I use "external user databases"
    for authentication which proxy the request from the ACS over
    to the RSA SecurID Server. I installed RSA Agents with
    sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
    to be "RSA_SecurID" group. In the "External user databases" and
    "database configurations" I assign SecurID to this "RSA_SecurID"
    group.
    Everything is working fine. In the "User Setup" I can see dynamic
    user test1, test2,...testn listed in there as "dynamic users". In
    other words, I can telnet into the router with my two-factor
    SecurID.
    The problem is that if test1 wants to go into "enable" mode with
    SecurID login, I have to go into "test1" user setting and select
    "TACACS+Enable Password" and choose "Use external database password".
    After that, test1 can go into enable mode with his/her SecurID
    credential.
    Well, this works fine if I have a few users. The problem is that
    I have about 100 users that I need to do this. The solution is
    clearly not scalable. Is there a setting from group level that
    I can do this?
    Any ACS "experts" want to help me out here? Thanks.

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without password. This is not what I have in mind.
    Any other ideas? Thanks.

  • Cisco ACS questions for new deployment

    Hi all, I am designing a new Cisco ACS deployment to handle AAA services for all our network devices. I have read the user guides and I understand the different deployment scenarios. However, what I could not find in the user guide were answers to the questions below...
    Number of AAA clients, using command authorisation, that a single ACS server can handle?
    Does a Large Add-On license (for more than 500 nodes) need to be purchased for every ACS server, or does one license cover the whole deployment?
    How is AAA load-balancing performed? Does each AAA server need to be defined individually on every Network device? Or is there some intelligence build in to the AAA servers so that they can distribute the load themselves? Or can a load balancer be used like you can with Cisco ISE PSN nodes?
    Thanks
    Mario

    The supported number of clients depends on the license. For example:
    The base license is required for all deployed software instances and for all appliances. The base license enables you to use all ACS functions except license-controlled features, and it enables standard centralized reporting features.
    The base license:
    Is required for all primary and secondary ACS instances.
    Is required for all appliances.
    Supports deployments that have a maximum of 500 NADs.
    The following are the types of base licenses:
    Permanent—Does not have an expiration date. Supports deployments that have a maximum of 500 NADs.
    Evaluation—Expires 90 days from the time the license is issued. Supports deployments that have a maximum of 50 NADs.

  • Cisco LMS - Check for multiple words?

    Can anybody help me out with a Cisco LMS query?
    I'm doing a compliance check for snmp-server location
    +snmp-server location [#.*#]
    But I assume that, as I've got multiple words which may vary, it shows as not present in the compliance check even though it's in the config.
    e.g. snmp-server location Martin's house in the middle of Scotland
    I think [#.*#] stands for a missing string but not for multiple words, can anyone help me out with what I could use for multiple words?
    Thanks in advance
    Martin

    I could solve the monitoring issue with SNMP context configuration. I had to map each OSPF process to an SNMP community, so I could retrieve data for each OSPF process. My issue now is how to add multiple communities to an LMS controlled device.
    As far as I know, LMS supports only one RO community per device.
    regards
    alex

  • Cisco ACS Server . Download Evaluation Version For Testing.

    Hello.
    I want to try to install ACS server for Windows to check how it works with Microsoft AD. Does anyone know where I can download an evaluation version of Cisco ACS Server for Windows?

    Hello Michael-
    The ACS version for Windows is no longer available. The product is EOL/EOS:
    http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
    The product was replaced with a Linux based version (5.x) and it is a much easier product to install and manage.
    If you want to evaluate the product I would recommend that you contact your local Cisco partner:
    https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
    Thank you for rating helpful posts!

  • How to hide line console parameters through Cisco ACS

    Hi,
    Can any one of you please help me with the following scenario?
    I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user privilege level through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he has privilege level 7 access.
    Can you please help me out with how to achieve this? Your help in this regard is highly appreciated.
    Thanks

    This is possible with local authorization on an IOS device. With ACS this is not possible.
    In ACS you can set which commands a specific user can issue. That feature is called command authorization.
    For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv levels on a router/switch.
    The best way to set it up is to give all users priv level 15 and then define which commands each user can execute.
    Note: Having priv 15 does not mean that the user will be able to issue all commands.
    We will set up command authorization on ACS to have control over users.
    This is how your config should look:
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • Cisco ACS 4.1 Windows License Key Question

    How do I obtain the license key for my Cisco ACS Server for Windows software v4.1?

    For ACS for Windows, there is no license key. You need to purchase the ACS software.
    During installation, it does not ask for any key.
    Regards,
    ~JG
    Do rate helpful posts

  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I have many Cisco APs which are linked to 2 Cisco WLCs.
    On each WLC, I configured a primary and a secondary RADIUS server.
    The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).
    Primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When the secondary WLC requests the primary Cisco ACS, I get this error: "11036 The Message-Authenticator RADIUS attribute is invalid"
    The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This may be because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized so I should have same error on them...
    Why does primary ACS generate this error?
    Thanks for your help,
    Patrick

    Tarik Admani wrote:
    > Amjad,
    > That is a good observation, shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    > Thanks,
    > Tarik Admani
    > *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs and you can configure only one WLC (the primary), and all the configuration can be replicated and synced to the other WLC (the secondary).
    The two WLCs in the HA must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???

    Hi All,
    I have used Cisco ACS TACACS for authentication based on Active Directory. Is it possible to use Active Directory as the criterion for authentication AND source IP?
    For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
    Thanks!

    I see your point. This will depend on whether the user's IP is provided in the authentication request; if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
    1. Create an End Station Filter; here, configure the user's IP
    2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
    3. Define your rule with the required result

  • Cisco ACS for Unix authentication

    My company is looking for a single sign-on for all the Windows and Unix servers, mainly for admins. I was wondering if Cisco ACS will work for this.
    Basically the authentication will be for the servers and routers, of course. I am thinking, if I specify Windows AD in the ACS config, can I get the Unix boxes to authenticate against RADIUS?
    Any help will be appreciated.
    Manny

    Hi,
    Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
    Hope that helps with your query!
    http://www.ibm.com/developerworks/library/l-radius/
    Regards
    Ganesh.H

  • Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

    Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
    ciscoISE/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    ciscoISE/admin(config)# snmp-server
    Ciscoacs/admin(config)# snmp-server ?
      community  Set community string
      contact    Text for mib object sysContact
      host       Specify hosts to receive SNMP notifications
      location   Text for mib object sysLocation
    Ciscoacs/admin(config)# snmp-server

    No SNMP v3 support on ISE v1.2 and 1.3 except for profiling.
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

  • Configure Nexus 7k for TACACS in Cisco ACS

    Hi,
    Please advise on how to configure a Cisco Nexus 7k for TACACS to authenticate against Cisco ACS. Our Cisco ACS is getting users from Active Directory.
    Please advise if the config below is acceptable:
    feature tacacs+
    tacacs-server key KEY
    tacacs-server timeout 20
    tacacs-server host 1.1.1.1 key KEY
    aaa group server tacacs+ TEST
        server 1.1.1.1
        use-vrf management
        source-interface mgmt0
    tacacs-server directed-request
    aaa authentication login default group TEST
    aaa authentication login console none
    aaa authorization commands default group TEST
    aaa accounting default group TEST
    aaa authentication login error-enable

    Hi,
    What OS version are you using on your servers?
    Craig

  • Cisco acs 4.2 for bandwidth management

    Hi sir,
    I have a problem with my Cisco ACS 4.2. I have a Cisco ASA 5510 which is an AAA client for my ACS 4.2. I want to limit bandwidth per user.
    I have tested different RADIUS attributes, but they didn't work.
    How can I configure this feature?
    Best regards

    Jatin,
    Currently we're using TACACS+ for authentication.  We
    Here's a description of the requirement for 2-factor authentication:
    Id - NET0431
    Vulnerability Discussion
    AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers, which is usually the function of a router or access server. Authentication identifies a user; authorization determines what that user can do; and accounting monitors the network usage. Without AAA, unauthorized users may gain access and possibly control of the routers. If the router network is compromised, large portions of the network could be incapacitated with only a few commands.
    Default Finding Details
    AAA server does not redirect/call to a two-factor authentication server.
    NET Authentication Access
    Procedure: The implementation varies and a thorough review is necessary. Have the SA review and discuss their implementation. A typical AAA process includes the network system redirecting user access requests either directly to an ACE/Server or to a CiscoSecure ACS (TACACS+) server which redirects the 'authentication' request to the ACE/Server for strong authentication via user tokens (keyfobs). During the review have the SA point out the calls from the TACACS+ or RADIUS servers to the authentication server performing the two-factor requirement.
    From my understanding ACS can meet this requirement; I just need some ideas or case studies to see how it is implemented.
    Stephanie

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • Windows Update for Cisco ACS appliance

    Due to the recent security alert from Windows I wish to make sure my systems are updated, but the Cisco ACS appliance (Cisco 1113) runs a specialized version of Win2k with console access disabled. Is there any way to get the Windows critical security updates, and do I need to?

    If the patch is necessary on the ACS appliance then they will be releasing it soon.
    As of now we can't apply any Windows patch on the appliance.
