Cisco ACS for Unix authentication
My company is looking for a single sign-on for all the Windows and Unix servers, mainly for admins. I was wondering if Cisco ACS will work for this.
Basically the authentication will be for all the servers and routers, of course. I am thinking, if I specify Windows AD in the ACS config, can I get the Unix boxes to be authenticated against RADIUS?
Any help will be appreciated.
Manny
Hi,
Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
Hope that helps with your query!
http://www.ibm.com/developerworks/library/l-radius/
Regards
Ganesh.H
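What the RADIUS client on a Unix box sends to ACS for a PAP login, and how the server side recovers the password, as an added Python example that is not code from this thread or from any Cisco or IBM documentation; the shared secret, NAS name and credentials are constructed placeholders. It shows why the RADIUS shared secret must be long and random: the PAP password is only XORed with an MD5 keystream derived from that secret and the Request Authenticator.

```python
import hashlib
import os
import struct

# Added example, not the thread's code; secret, NAS name and credentials are constructed.
ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32

def _pad16(data: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (minimum 16), per RFC 2865 5.2."""
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """PAP hiding: c_i = p_i XOR MD5(secret + c_{i-1}), with c_0 = Request Authenticator.
    The only protection is the shared secret, so it must be long and random."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    out, prev, padded = b"", authenticator, _pad16(password)
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (ACS) computes it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type(1) Length(1, includes the 2-byte header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """Client side: PAP Access-Request carrying User-Name, User-Password, NAS-Identifier."""
    if authenticator is None:
        authenticator = os.urandom(16)        # Request Authenticator must be unpredictable
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Server side: validate the framing, walk the TLVs and recover the PAP password."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        # Reject truncated or overlong TLVs before trusting their length byte.
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {"identifier": identifier,
            "username": attrs[ATTR_USER_NAME].decode(),
            "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator),
            "nas_id": attrs[ATTR_NAS_IDENTIFIER].decode()}
```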
Similar Messages
-
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external databases. It's been working fine for a couple of years.
Recently we bought a Cisco 4710 ACE appliance. When I use an ACS4.2 internal username and password to log in to the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use an AD username and password, I can't log in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2; there was no log regarding the failed attempt. My AD username and password work fine on all other Cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_admin
Hi,
Since the ACS is receiving the request, could you please ensure that in ACE, on every context (including Admin and others), you have the following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS+ settings:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following:
User     Context   Line    Login Time (Location)       Role    Domain(s)
*adm-x   Admin     pts/0   Sep 21 12:24 (x.x.x.x)      Admin   default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
-
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, David
Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.
-
Configure cisco wlc for rsa authentication
Hi,
I wanted to find out if it is possible to authenticate wireless networks using RSA. Currently we have a Cisco WLC 2504 and RSA Authentication Manager 7.1.
Do we require a Cisco ACS device to make this work? Please advise.
Thanks
Yes, it is possible. Below is the list of items which you require to configure RSA authentication on the WLC:
1. RSA Authentication Manager 6.1
2. RSA Authentication Agent 6.1 for Microsoft Windows
3. Cisco Secure ACS 4.0(1) Build 27
Note: The RADIUS server that is included can be used in place of the Cisco ACS. See the RADIUS documentation that was included with the RSA Authentication Manager on how to configure the server.
4. Cisco WLCs and Lightweight Access Points for Release 4.0 (version 4.0.155.0)
For more information you can go through this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008090399a.shtml
-
Hello
I am looking to deploy a NAC device in our office and currently have an ACS server that handles wireless authentication.
I would like to know if the ACS is capable of authenticating users on a LAN with both 802.1x and device detection (such as MAC address and ID)?
If I can do the latter how do you set that up on an ACS?
Thanks in advance
Paul
So my answer is correct ...
ACS is an authentication server. It can authenticate devices.
NAC Profiler, which is now replaced with the ISE Profiling Engine, analyzes the behavior of devices in real time to identify them. ACS will use that as a device database.
If using ISE, you only need ISE; it profiles and authenticates as well (it combines ACS + Profiler + other services).
What you seem to be uncomfortable with is the way the Profiling works. I would suggest you read the Profiler or ISE documentation to know more about it.
It identifies a device through its behavior. Then it authorizes the MAC address. You are forced to trust on a MAC address basis because the system is made for non-802.1x devices, so you can't "talk" to the device or assign it any ID or whatever.
However, it's not a static list of MAC addresses. The MAC address is allowed only if it's online and it corresponds to an allowed type of device.
It can, for example, differentiate a phone from an XBOX from a laptop by looking at the fields of the device's DHCP request, etc. It can also poll the switch to check for CDP information, etc.
-
Cisco ACS 5.2 authentication against multiple LDAP servers
Hi Folks,
I have a wireless network that uses ACS 5.2 to handle authentication. The ACS is integrated with an Active Directory LDAP server (my_ldap) and is working correctly at the moment. The authentication flow looks like this:
- User tries to associate to WLAN
- Authentication request is sent to ACS
- Service selection rule chooses an access-policy (wireless_access_policy)
- wireless_access_policy is configured to use my_ldap as identity source.
A sister company is about to move into our offices and will need access to the same WLAN. Users in the sister company are members of a separate AD domain (sister_company_ldap). I would like to modify the wireless_access_policy so that when it receives an authentication request it will query both my_ldap and sister_company_ldap, and return a passed authentication if either attempt is successful. Is this possible?
Assuming you're already authenticating using your AD binding and AD1 as your identity source, you can add a further LDAP server as another identity source and add this to your identity store sequence in your access policy to authenticate against both.
You can also add multiple LDAP servers and add them both to the identity store sequence (if you're not using AD1).
-
Two standalone ACS for TACacs authentication
Dear All,
I have a network consisting of some 30 routers and I have 2 ACS 5.3 appliances.
I am planning to configure the ACS (A, B) boxes in standalone mode,
and I want to configure both ACSs as the TACACS server in all my routers,
with ACS A as the primary in some routers and ACS B as the primary in others,
and there is no configuration sync between the ACS boxes.
Will this setup have any issue with authentication in case any of the ACSs fails?
Thanks in advance ...
Selva
There will be no issue, unless the configuration is not the same. My personal opinion: distributed deployment is the best method if you are planning to keep more than one ACS within a domain.
-
ACs For Windows 4.1.(1) build 23
Hi.
We've got two Windows 2003 Server R2 machines with Cisco ACS for Windows 4.1(1) Build 23 installed, used for RADIUS user authentication, and nowadays we're trying to deploy a TACACS+ configuration for managing the network devices from those ACSs. The TACACS+ Accounting tab works fine and the accounting administration records or logs are updated, but when I click on the TACACS+ Administration tab the log files shown are empty. I know about a bug in the 4.1 version; the question is:
Can I fix the issue if I upgrade or install only the 4.1.1.23-5 patch?
Will it be enough?
Many thanks.
-
Using Active Directory and ACS for Concentrator 3000 VPN
Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
Below is my understanding; I appreciate any help to piece some or all of the below together.
(1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
(2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
(3) Concentrator is the NAS, and ACS is the RADIUS server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
(4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
(5) A single "Tunnel Group" is created on the concentrator
(6) Multiple groups, per corporate infosec policies, are created on the AD
(7) Multiple groups, per corporate infosec policies, are also created on ACS and need to match what's in the AD
TIA.
In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.
When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to, in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
Now go to Access Policies > Default Network Access > identity should be AD1.
Go to Authorization > click on Customize > move the AD1:ExternalGroups and End-Station Filter attributes to the right side and hit OK.
After that select the appropriate AD group for teachers and the end-station filter.
Save changes.
Jatin Katyal
- Do rate helpful posts -
-
Is it possible to set up an IPS sensor's IDM console or CLI to check ACS for user authentication rather than use local accounts on the sensor? Or is this something only the CiscoWorks software can do?
Thank you,
Bill
Now possible with IPS Version 7.0(4)E4, but only RADIUS authentication.
Thanks.
-
Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL
Hi There
I have Cisco NAC set up in my environment. It is all working fine. The users get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. This is all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. Either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advise.
Regards,
Ram
+6-012-2918870
Hi,
That is not possible.
You cannot push ACLs into the NAC Manager.
If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
Using Radius attributes you can then map users to Roles.
Please take a look into this:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
-
DSEE 6.0 and Unix authentication
Hello,
Has anybody configured an account for Unix auth using LDAP? If you can share the steps needed, I will really appreciate it. I looked through the admin guide and did not come across any section on how to set up an account for Unix authentication. How do I add the "shadowAccount" and "posixAccount" object classes to a user?
I am using the Java web console and the DSCC web interface. Is the command line my only option? I hope not, because what good is the web interface if you cannot add/delete objectClasses?
Appreciate any tips or pointers on this topic.
Yes, it's true posixAccount & shadowAccount are in the schema.
The issue is around being able to apply them using DSCC. Pre version 6.0 there was a directory editor/command console which had a tab for unix properties for each user which was both useful & sensible. This made it a relatively quick & simple job for somebody to set up / manage user accounts.
DSCC should be an improvement on previous products & possibly is, so quite rightly people expect to be able to configure it to do what they could before. In previous versions, once configured, you had no need to see the command line again. If I have to supply an ldif file every time I want to add users then I have to question the purpose of DSCC.
We've established that the objectclasses exist in the schema & can be added manually in DSCC or, as SolarisSAinPA suggests, using ldapaddent on the command line.
For those of us who would like to use & understand DSCC, does anyone out there know how to add these objectclasses so that they are inherited by 'person', 'people' or organizational units? Surely there must be somebody at Sun who can supply an example.
Chouse
-
Using ACS for Cisco Prime authentication
I'd like to use our TACACS server running ACS as the authentication method for user accounts in Prime, but don't even know where to start with this.
Any pointers?
The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
Administration > AAA > TACACS+ Servers > add tacacs server.
Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x":
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
"Configuring ACS 4.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
https://supportforums.cisco.com/docs/DOC-17909
In case it doesn't work, please get the logs from the ACS Reports and Monitoring for TACACS+ authentication and the error message shown while accessing Cisco Prime.
Jatin Katyal
- Do rate helpful posts -
-
Cisco ACS 4.2.1.15 for Windows and Network Access Profiles
We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 member server. Initially I only have the need to authenticate network admins for device administration and to authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for RADIUS authentication pointed to the ACS server, it always maps to the first Network Access Profile, and rather than trying the second it errors saying some condition is not met, depending on what changes I make. Can someone tell me what criteria are used to determine which NAP is used? According to the manual, if all 4 criteria are not met then the profile will not apply.
I am using one ACS group that is mapped to an AD group for wireless access and a second ACS group mapped to an AD group that includes the net admins. This group mapping appears to be working, as the user group name seems to be mapped correctly in the logs. In short, I have tried configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is that if I have the Wireless NAP first it works fine for PEAP authentication on wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication protocol is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
I am familiar with version 3.2 but it does not seem to work the same.
Any help would be appreciated on what I am missing.
Thanks
Hi Surenda,
Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
Thanks,
Jean Paul
-
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo Linux box, RSA SecurID 6.1 and Cisco ACS 3.2. I use TACACS+ authentication for logging into the Cisco router, such as telnet and ssh. In the ACS I use "external user databases" for authentication, which proxy the request from the ACS over to the RSA SecurID server. I installed RSA Agents with the sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be the "RSA_SecurID" group. In "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
Everything is working fine. In "User Setup" I can see dynamic users test1, test2, ... testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into the "test1" user setting, select "TACACS+ Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this for. The solution is clearly not scalable. Is there a setting at group level where I can do this?
Any ACS "experts" want to help me out here? Thanks.
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, the test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
The way you described it, it seemed like anyone in this group can go directly into enable mode without a password. This is not what I have in mind.
Any other ideas? Thanks.