Cisco ACS Server Tacacs Based on LDAP AND Source IP Possible???
Hi All,
I have used Cisco ACS tacacs for authentication based on Active Directory. Is it possible to use Active Directory as a criteria for authentication AND source IP?
For example, if someone wants to log in to a certain device... they must have correct credentials AND their IP must be sourcing from the acceptable subnet range.
Thanks!
I see your point. This will depend if the user's IP is provided in the authentication request, if this information is provided then you can use the feature called "End Station Filter". This feature is used as a Condition in the Access Policy to deny or allow access. Below are the steps:
1. Create a End Station Filter, here configure the user's IP
2. Customize your Conditions under Access Policies/Authorization to use End Station Filter
3. Define your rule with the required result
Similar Messages
-
Hi
I have at present a Cisco ACS server 3.3. I want to upgrade the server to latest version and also cluster it with another one so that we could have a redundant infrastructure as if one fails the other one takes over ..
CAn you provide a suitable solution for this ?
ThanksHi,
The Latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
Regards,
Vivek -
Cisco ACS Server . Download Evaluation Version For Testing.
Hello.
I want to try to install ACS server for windows to check how this is working with Microsoft AD. Does anyone know where i can download an evaluation version of Cisco ACS Server for Windows ?Hello Michael-
The ACS version for Windows is no longer available. The product is EOL/EOS:
http://www.cisco.com/c/en/us/products/collateral/security/secure-access-control-server-windows/end_of_life_notice_c51-664639.html
The product was replaced with a Linux based version (5.x) and it is a lot easier of a product to install and manage.
If you want to evaluate the product I would recommend that you contact your local Cisco partner:
https://tools.cisco.com/WWChannels/LOCATR/openBasicSearch.do
Thank you for rating helpful posts! -
Limitations of Cisco ACS server
I want to ask about limitations of Cisco ACS server 3.3 .
I use ACS server for Radius authentication, and has a limit 80 authentications per second. But at peak time i need 150-200 authentications per second. Is this a software limitaion or changed due to hardware performance?
Can i also solve this problem with a High Availability configuration.Hi
ACS performance is a very complex issue and depends largely on
1) auth protocol (anything eap is SLOW)
2) backend (anything external is SLOW)
3) server CPU
We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
AD authentication/group mapping can take several seconds to complete.
ACSs big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSauth. Messages to CSauth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
EAP-TLS and now EAP-FAST are really really slow becase they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
Putting ACS onto a quad CPU server wont reduce back-end external db latency or increase concurrency.
The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
Darran -
Cisco ACS server 5.1 console login
I have ACS server 5.1 virtual appliance. It is functioning properly in terms of performing its radius and tacacs responsibilities. However, I cannot login via the local console or via ssh no matter which username and password I try. I have tried every local username on the ACS server as well as creating new ones with new passwords as superadmin but no success. It always returns back a "Login incorrect" message. I can use all of these same accounts to login to the web interface without failure. Does anyone have any ideas on what the problem is? What am I missing?
JTo log in to CLI, use the administrator user account (and the corresponding password) that you created during the setup process.
Accessing ACS CLI
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wp1096003
Please be aware that the credentials used to login to the ACS CLI are entirely different than those used to authenticate at the ACS GUI screen and have absolutely nothing to do with credentials specified elsewhere in the network (such as on an Active Directory server).
In case you do not remember your CLI credentials (please note that these credentials are case sensitive), you can insert the ACS 5.x disc and follow the instructions for resetting the default administrator password. This will set the username to administrator and password to default. After, you should be able to create a new username and password through the ACS CLI.
For further reading on using the ACS command line interface, please refer to the link below:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/cli_use.html#wpxref48407
Regards,
Jatin
Do rate helpful posts- -
Is CISCO ACS server same as RADIUS server?
Please advise.
if not, wats the difference between them?The ACS server suite includes a RADIUS service (and TACACS+).
http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html
Good Luck
Scott -
10.6.6 Server Combo Update Crashes LDAP and Kerberos Services
Just updated apple server from 10.6.4 to 10.6.6 with combo server overnight.
Everything was working fine under 10.6.4
All users can no longer authenticate to server via mail or ldap logins
LDAP and Kerberos Services stopped.
Will downgrade from an open directory master to standalone then back to master again and post status...I think there is something with LDAP on 10.6.6
I was forced to make clean install in combo from 10.6.0 to 10.6.6 and today LDAP crashed.
It seems to be an issue on ldap ACL.
Message was edited by: Xalio -
Cisco ACS 5.2 (esx 4 vm) and Monitoring and Reports failure
I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
Can anyone provide any help on this?I am evaling the Cisco ACS 5.2 Virtual Appliance on ESX4 and everything is working fine except for the "Monitoring and Reports" no matter what browser I try, it just keeps loading new tabs of the welcome screen, in the case of some browser versions it does this and does not stop.
I have tried the following browsers on Win7 Pro: IE 8, Firefox 4, Firefox 3, Chrome 12.
I have tried the following browsers on MacOS 10.6: FireFox 4, Safari 5.0.5
In Safari 5.0.5 it calls up one new window, but doesn't load anything in the right hand frame.
This is a fresh install, with an eval license. I am rather annoyed that it doesn't work out of the box, especially when there was not documentation that mentioned that anything needed to be setup for this to work after initial install, unless I missed something.
I installed the VM with the base 5.0.26 ISO and then applied patches 5.0.26-1 through 5.0.26-5.
Can anyone provide any help on this? -
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
I use tacacs+ authentication for logging into the Cisco router
such as telnet and ssh. In the ACS I use "external user databases"
for authentication which proxy the request from the ACS over
to the RSA SecurID Server. I installed RSA Agents with
sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
to be "RSA_SecurID" group. In the "External user databases" and
"database configurations" I assign SecurID to this "RSA_SecurID"
group.
Everything is working fine. In the "User Setup" I can see dynamic
user test1, test2,...testn listed in there as "dynamic users". In
other words, I can telnet into the router with my two-factor
SecurID.
The problem is that if test1 wants to go into "enable" mode with
SecurID login, I have to go into "test1" user setting and select
"TACACS+Enable Password" and choose "Use external database password".
After that, test1 can go into enable mode with his/her SecurID
credential.
Well, this works fine if I have a few users. The problem is that
I have about 100 users that I need to do this. The solution is
clearly not scalable. Is there a setting from group level that
I can do this?
Any ACS "experts" want to help me out here? Thanks.That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
Cisco ACS (TACACS+) - AAA failure on WLC
Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
Authenication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and activity > failed attempts)
Message Type: Author Failed
Author-Failure-Code: Service denied
Author-Data: service=ciscowlc protocol=common
Anybody have any idea to resolve this problem.
Thanks,
ColmHi,
The document you referred is correct.
What version of WLC are you running?
Check this one:
CSCsk21007 WLC requires tacacs authentication when configuration change ccess Control
HTH
Regards,
JK
Plz rate helpful posts- -
How do I create a default account with an ACS Server
Has anyone seen this. I have an ACS Solution engine appliance with Several devices using it for authentication and accounting. It all seems to work great.
When I add a new device (router or switch) i noticed that it will let me login via the acs based authentication even before i even setup the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but i dont have an entry for it in the acs appliance yet. This has puzzled me Where is this default account setup. I have another ACS server (Windows Based) It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
This really concerns me from a security perspective.Hmm, ACS should not (by default) accept traffic from any old device.
Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
Also check the Passed Authenications report as this included the ACS network config device name in the Access-Device column. -
Linksys WAP54G connecting to CISCO ACS via LEAP
I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
Connection scenario:-
Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
Pls advise if such setting is feasible.
TksThis is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
Bruce Alexander, Cisco -
CS-MARS user authentication using Cisco ACS
Hi,
I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
Thanks and Regards,
Ahmed Shahzad.Hi,
I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
Thanks and Regards,
Ahmed Shahzad. -
Cisco ACS / Trend Micro Office / Cisco Trust Agent
We currently utilize Cisco ACS Server and Trend Micro OfficeScan and would like to deploy Cisco Trust Agent 2.0 on a few laptops. Has anyone been involved with such a deployment? If so, any suggestions, documentation, suggestions?
Thanks,CTR uses the admin shares to connect to a windows server.
Depending on how you configured it: It will try a nmap fingerprint scan, use static OS mappings or perform a level 2 scan by using the admin shares.
If you are using it through firewalls, the fingerprinting does not work properly.
You will also notice that since version 2.0.3 there hasn't been any new agents developed for it. Also 2.0.5 started to upgrade all port scans etc whereas before it didn't.
I would look to speaking to your cisco account team about the next version of Cisco IPS instead. -
Hi,
I have ACS 3.3 version and i have seen the it has network admission control feature in it. I have cisco switches 3750G and windows servers 2003. Currently i am running machine/user authentication over EAP-PEAP and it seems running ok in my network. I have now a new requirement. we want to authorize the machine only when the machine has latest antivirus running on it. we have symantic antivirus on our machines.
I am new to network admission control and don't know much.
Can i do it with cisco ACS server? is we have to buy any equipment/software to accomplish this? your help in this matter will be highly appriciated.
RegardsThis is called NAC framework, and as far as I know this might be possible but you might find some limitations, see the following link for guides:
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
On the other hand the current NAC solution "Cisco Clean Access" Will allow you to play with it as desired, see:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html
hth
Ivan
Maybe you are looking for
-
[b][Solved][/b]Setting Text item property in pl/sql editor
Hello, I'm using Oracle 9i both as Ids and database This is what I'm having- 2 data blocks 1st is database block and 2nd is control block. database block named EMP is associated with EMP table and Control block named CTRLB have 2 item 1st is a text i
-
Adobe Bridge CC no transparency?
i know im not crazy lol, this was a feature on cs5 and cs 5.5, i had the abillity to see anything that has transperancy or alphas on videos and pictures in the thumbnails and when i click to preview it, but now i cant see anything at all, just blackn
-
HI, I have bought the ox s lion software from apple as a download some time ago and I have had no problems using it. However, I'm now trying to install it on another mac I have, but I cannot find the software on the original system. I have looked in
-
OK I'm Stupid. Volume Help, Please
When connecting to most CD players, etc., I get little to no vol. on most songs. Thanks in advance for the help.
-
Tax code in A/R Invoice drops when the Ware House Code is changed
Hello All, I am Using SAP Business One 2005A PL12 with Canadian Settings. When I add an Item in the A/R Invoice, it comes with a default TAXCODE, but when i change the ware house code the Taxcode drops, Can any one tell me why is this so? Thanks in a