CiscoSecure ACS v4.2 - block users with number of unsuccessful auth retries

Hi experts,
I recently took over support of our old Cisco ACS 4.2. I don't really know too much about it. What I know is that the ACS is used as a RADIUS server doing wireless 802.1x authentication. It is using Windows AD as the backend user database. Now there is a situation where AD bans a user account because of an incorrect password. It could be because that user's AD password changed but the old password is cached on their iPhone, which triggered the lock of their account. Now they ask me if I can lock it on RADIUS/ACS instead of on AD. That way their account will still function on the wired PCs.
I can't seem to find the setting. Is it possible?
Thank you!

I am still looking for an answer... Is it possible? I am ok if it is not but I need confirmation.
Thanks!
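The thread never gets an answer on whether ACS 4.2 can enforce a failed-attempt limit on its own (the ACS 5.4 thread below about clients that "hammer" the server asks the same thing). Whatever the enforcement point, the defender's first need is to see the condition coming: which users are about to trip the AD lockout threshold, and which of their devices is the one still presenting an old password. The following is an added example, not code from the original post or from Cisco. It replays constructed passed/failed-attempt records in a simplified CSV layout (an assumed format for the example, not the exact column set of the ACS 4.2 Passed/Failed Attempts logs) and reports both conditions. The lockout threshold and reset window are assumed values standing in for the domain's real lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified layout assumed for this example
# (not the exact column set of the ACS 4.2 Passed/Failed Attempts CSV logs):
# date,time,user,calling-station-id,result
SAMPLE_LOG = """\
2013-05-06,08:00:01,alice,00-11-22-33-44-55,FAIL
2013-05-06,08:00:31,alice,00-11-22-33-44-55,FAIL
2013-05-06,08:01:02,alice,00-11-22-33-44-55,FAIL
2013-05-06,08:01:33,alice,00-11-22-33-44-55,FAIL
2013-05-06,08:02:04,alice,00-11-22-33-44-55,FAIL
2013-05-06,08:05:00,alice,00-aa-bb-cc-dd-ee,PASS
2013-05-06,08:10:00,bob,00-de-ad-be-ef-01,FAIL
2013-05-06,09:30:00,bob,00-de-ad-be-ef-01,FAIL
2013-05-06,09:31:00,bob,00-de-ad-be-ef-01,PASS
"""

# Assumed AD policy values; take the real ones from the domain's lockout policy.
LOCKOUT_THRESHOLD = 5      # "Account lockout threshold"
RESET_WINDOW_MINUTES = 30  # "Reset account lockout counter after"


def parse_records(text):
    """Turn the CSV-style text into a list of dicts sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, device, result = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(f"{date}T{time}"),
            "user": user,
            "device": device,
            "ok": result == "PASS",
        })
    return sorted(records, key=lambda r: r["ts"])


def detect_lockout_risk(records, threshold=LOCKOUT_THRESHOLD,
                        window_minutes=RESET_WINDOW_MINUTES):
    """Replay the log and report the first moment each user accumulates
    `threshold` failures inside a sliding window of `window_minutes`.

    Returns {user: (timestamp, set_of_devices_in_window)}.  A PASS clears the
    user's window, mirroring how a successful logon resets AD's bad-password
    counter (an assumption made for this example).
    """
    window = timedelta(minutes=window_minutes)
    pending = defaultdict(deque)   # user -> deque of (ts, device) recent failures
    alerts = {}
    for r in records:
        q = pending[r["user"]]
        if r["ok"]:
            q.clear()
            continue
        q.append((r["ts"], r["device"]))
        # Drop failures older than the window relative to this failure.
        while q and r["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and r["user"] not in alerts:
            alerts[r["user"]] = (r["ts"], {dev for _, dev in q})
    return alerts


def stale_credential_devices(records):
    """Per user, list devices that only ever fail while another device of the
    same user succeeds: the cached-old-password signature from the post.

    Returns {user: [device, ...]} with devices sorted for stable output.
    """
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # user->device->[fail, pass]
    for r in records:
        counts[r["user"]][r["device"]][1 if r["ok"] else 0] += 1
    suspects = {}
    for user, devices in counts.items():
        passing = {d for d, (_, p) in devices.items() if p > 0}
        failing_only = {d for d, (f, p) in devices.items() if f > 0 and p == 0}
        if passing and failing_only:
            suspects[user] = sorted(failing_only)
    return suspects


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for user, (ts, devices) in detect_lockout_risk(recs).items():
        print(f"{ts} {user}: lockout threshold reached from {sorted(devices)}")
    for user, devices in stale_credential_devices(recs).items():
        print(f"{user}: probable stale credential on {devices}")
```

On the sample, alice reaches five failures within the window from a single calling-station-id and then succeeds from a second device, so that first device is reported as the likely stale credential; bob's two failures are 80 minutes apart and are followed by a success from the same device, so he is reported under neither condition. Run against real exports, the second report is the list to hand to the helpdesk before the AD lockout fires.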

Similar Messages

  • ACS appliance 3.3 - user with mulptile static IPs

    Hi,
    currently we are using ACS Unix. There it is possible to assign static IPs to a user based on the RADIUS dictionary.
    e.g.
    NAS1 - Ascend Max uses dictionary Ascend, gets 10.1.1.1
    NAS2 - VPN 3000 uses IETF, gets 10.1.2.1
    Any ideas how this could be resolved on an ACS appliance?
    Regards, Celio

    Following installation and initial configuration, see the User Guide for Cisco Secure ACS Solution Engine Version 3.3 for information on how to use a browser and the HTML interface to fully configure your Cisco Secure ACS Solution Engine to provide the AAA services you want from this installation.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080235f77.html

  • ACS 5.5 External User with Internal Attribute

    Hi Guys,
    I'm wondering, if I'm using LDAP for external authentication, can I use the internal identity attribute?
    For example:
    I create a user X, his password type is LDAP, but the identity group is "Group 1".
    Can I define rules
    Identity Group in "Group 1" permit access?
    Or do I need to do group mapping first?
    Thanks,
    Regards,

    It is possible to define an internal user whose password is taken from an external store.
    In internal user definition select "Password Type" to be the LDAP database and then define the rest of the user definition, including identity groups, as desired

  • CiscoSecure ACS 3.3 and MS Active Directory ?

    We just got and installed CiscoSecure ACS 3.3 on a domain controller for our MS active directory domain.
    ACS seems to work with AD in the sense that it uses the usernames and passwords contained in AD for users. However, I noticed it does not seem to populate ACS with the users; instead you have to go into ACS and add each user with the username from AD, and then just tell it to use the Windows database for password authentication.
    Is this correct or am I missing something in my setup that is preventing users from being populated in ACS?
    Also, can you not use AD groups for ACS permissions? For example one of the things we are doing is defining certain groups for access to routers, switches and firewall commands. I have been able to do this manually in ACS by defining a group and setting the permissions as well as the command authorization set. However it does not seem very practical to have to go in manually to ACS to add a user to an ACS group. I thought since ACS works with active directory it would also use AD groups. So we could assign a user to a group in AD and it would then utilize the defined ACS permissions for that group.

    I think you are a victim of the AD Aware as opposed to AD Integrated. CiscoSecure is AD Aware, it can use the AD database for Password authentication (a very simple implementation of single sign-on). But the local database is used for everything else. From my point of view this is a good thing.
    If the AD Admin, Network Admin and Security officer are all the same person, then I agree with you.
    From your message you seem to be using ACS to secure your Cisco devices (routers/switches). I would not want people who manage AD to be able to give network device access to anyone they choose. Nor do I trust AD admins to understand network security. Normally the network people are a very small subset of the IT organization, so this should not be a big problem. Also, the real component that you are using to secure the devices is TACACS+ (hopefully) or RADIUS, because the devices are not AD Aware themselves.
    If you need every user that is in AD to be a user in ACS, there is import/export support for both for initial setup; after that it is up to you to keep the databases synchronized. You can do this with routine import/exports, but I advise against it.
    If you are using ACS to manage a Dial or IPSec environment, I agree this is a pain, but do you really want everyone to be able to dial in or VPN into your network without coming to you for access? Don't you want to be able to disable/expire people's access for devices and remote access without calling the AD admin?
    For the kind of things you want, you need an AD Integrated product like Exchange, or you can try some of the vendors listed at http://www.microsoft.com/windows2000/partners/adall.asp
    FYI - This is my understanding of the product. I'm sure there are a lot of people out there that know more than me, so feel free to correct me.

  • 802.1x RADIUS authentication problem with Cat 2950 to CiscoSecure ACS 3.3

    I wondered if anyone can help or shed any light on the following problem.
    I am getting an authentication error when doing a RADIUS authentication to CiscoSecure ACS 3.3 running on a Windows 2003 server, the authentication request is coming from a Catalyst 2950 switch which is doing 802.1x for Windows XP clients. This problem only happens when the XP client connects to 2950 switches, Cat 3550s and 3560s work fine.
    The Cat2950 is running 12.1.20 (EA1) which is more or less the latest IOS.
    The error I get from ACS 3.3 is "Invalid message authenticator in EAP request" when the 2950 tries to authenticate an XP client for 802.1x to the ACS server using RADIUS.
    Doing a RADIUS and 802.1x debug on the 2950 I see a message about 'Unknown EAP type', I am using PEAP on the XP client doing EAP-MS-CHAPv2 authentication, the same XP client authenticates fine with 3550 and 3560 switches problem only affects 2950s. Can anyone confirm the 2950 supports EAP-MS-CHAPv2?
    I have checked and re-checked the shared secret and it definitely matches on 2950 and ACS.
    One thing I noticed in the RADIUS debug is the 2950 sends 18 bytes for attribute 79 when the RFC defines attribute 79 should be 3 bytes or less, I don't know if this is related to the problem or is correct behaviour.

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I am able to log in using the RADIUS server, so RADIUS is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the CA server, is viewable via Internet Explorer, and is issued to the correct username which is in the Active Directory.
    I even tried using local authentication with 802.1x; this did not work.
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
    Am I missing anything?
    Any advice will be greatly appreciated.
    Chris

  • Blocking clients with repeating failed attempts in ACS 5.4

    Hi
    I use my ACS to authenticate clients from both LNS and wireless.
    There are always users with wrong configuration that repeat the authentication process, fail thousands of times and 'hammer' the ACS servers.
    Is there a way to block repeated failed attempts?
    Thanks!
    Naor.

    Hi, and thanks for the quick reply! Few questions:
    That will prevent clients from re-authenticating for 15 minutes?
    If so, how will clients be able to roam on campus? That requires re-authentication...
    Naor.

  • OBIEE 11g  Initialization Block problem with WLS User

    Hello,
    a brief description of my environment:
    - I have one machine with all OBIEE 11.1.1.6.2 components (build 120604.0813 BP1 64bit) and Oracle Database 11gR2;
    - In a separate machine I have the OID - Oracle Internet Directory where I have all business users with access to OBI Presentation Services;
    - In Weblogic Console I created a user named "weblogic" and this one is the administrator of all BI environment, this user is member of BIAdministrator and Administrators group, also this user is used to perform the communication between Fusion Middleware and Weblogic;
    - In the WebLogic Console I created a second user named "init_test" and he has the BIAuthor Role like the users that come from OID;
    - I have no problem logging in with all users OID and weblogic.
    Problem:
    - I created a simple Initialization Block and a variable to contain the result of the following SQL: SELECT region FROM adm_test_region WHERE city='Lisboa'
    - Initialization Blocks for Session variables are not working for "weblogic" user. For all other users everything is working as expected (users from OID and "init_test").
    Question:
    - Is there any restriction in terms of Initialization Blocks for Session variables regarding the user that is linking Oracle Fusion Middleware with Oracle WebLogic?
    Thank you in advance,

    When you say they are not working:
    1) You are using the session variables in a data filter in the RPD and for weblogic, the filter does not get applied?
    2) When trying to display the value of the session variable in an analysis query, it errors out saying no value?
    As a BI Administrator, no data filters get applied to the reports from the RPD unless you explicitly add them in the front end to the reports.
    You can also open the RPD in online mode, go to sessions and kill everything, log in using weblogic and monitor the sessions to see if a session is being created and the list of variables getting initialized upon weblogic's entry into analytics.
    Thanks,
    -Amith.

  • How can I see the number of T codes assigned to a particular user with di

    Dear All,
    How can I see the number of T codes assigned to a particular user, with description?
    Which report do I have to execute, with T code?
    Please reply.
    Thanks,
    Regards,
    sachin

    Hi
    Try transaction S_BCE_68001426, or report RSUSR010 (the same).
    Regards
    Morten Nielsen

  • 'Could not find user' with EAP-TLS in ACS

    Hi all,
    we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
    Sometimes machine authentications fail with following message in AUTH.log:
    AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
    But some minutes/hours later the same machine can authenticate successfully. Other machines never have this problem, and there are no problems at all with user authentications.
    Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in the server event logs. Are there any other logs where I can find reasons for these problems that are occurring only sometimes?
    Thanks
    Kai

    AUTH.log and RDS.log are the two log files you need to look into on the ACS side. Make sure the log level is set to "Full".
    You might need to check the log on AD side to see why it could not find this host.
    Comparing the logs between the working and non-working cases might be helpful.

  • If someone blocked my cell number can i still send text msg with my hotmail?

    If someone blocked my cell number can i still send text msg with my hotmail?

    Ask your wireless provider.  None of what you describe has to do with the phone itself.

  • For iphone users with att, can you block incoming texts all together? After paying $20 for data i dont want to pay as i go/pay more for texts

    For iphone users with att, can you block incoming texts all together? After paying $20 for data i dont want to pay as i go/pay more for texts

    SMS is exchanged over the same network as calls - no data involved.
    MMS requires data.
    iMessage requires the same as email - internet access via an available wi-fi network or via your carrier's cellular data network.
    You can disable SMS/MMS altogether with your account by requesting this with AT&T. You can turn iMessage off unless your iPhone is connected to an available wi-fi network.

  • Determining active wireless users with ACS

    Is there a way to determine how many active wireless users are on the network by checking ACS? Currently our users need to re-authenticate periodically (about every 15 minutes), however, ACS shows no logged in users. There should at least be one -- ME!

    We should be looking for something like this on the AP:
    aaa group server radius rad_acct
    server auth-port XXXX acct-port XXXX
    aaa accounting network acct_methods start-stop group rad_acct

  • Is there a solution to block a user from adopting a Purchase Requisition to PO twice

    Hi All,
    Please advise. How can we block a user from adopting a PR twice? In other words, let's say user A has a PR number 3xxxxxxx, then user A adopts this PR no. to a PO and gets PO no. 5xxxxxxx with status hold because of an error. The next day another user B adopts the same PR no. to a PO and gets another PO no. 5xxxxxxx1.
    My question is ...
    is there any solution / BAPI to block another user from adopting the same PR when a PO is already created, even if the status is held?
    Thank you.
    Nies

    There is no standard process for a held PO; you have to do it by enhancement. Take help from an ABAP guy.
    regards

  • How can I block users from back dating transactions

    1. How can I block users from back dating transactions in SAP B1? It was discovered that, in the production dept, there is this allowance given to them to keep producing for the previous month in the new month; this, according to line staff, is to enable them to meet their monthly target. After a meeting with the management it was resolved to block that right of backdating entries. How can I correct this?
    2. How can I change the decimal places backward in the general settings of administration of SAP B1 (initially it was set to 5 under Quantity, now I want to correct it to 3; how do I go about this)?
    Joel

    Joel,
    By forum rule, one question for one thread.  I will answer you the second:  If you are using 2007 version, the option to decrease decimal place is not available.  Check this thread to know more:
    Re: REDUCE NUMBER OF DECIMAL PLACES
    Also note: this forum is just for B1 system administration.  Please post it on the main forum.
    Thanks,
    Gordon

  • CiscoSecure ACS v2.4 for Windows NT Upgrade

    We still have two ancient instances of CiscoSecure ACS v2.4 for Windows NT running on our network. ACS1 (primary) and ACS2 (secondary). I would like to upgrade these, not only because of how old they are but because of an issue trying to replicate the user and group database from ACS1 to ACS2. When trying to replicate the user and group database the logs say it's successful but the databases don't match. ACS2 is missing some of the users that are in ACS1. I have successfully replicated the interface database. But for whatever reason, the user and group database will not replicate.
    First, is there any other way I can get the user and group database copied from ACS1 to ACS2? Other than using the built in database replication tool?
    Second, is there any way I can get these upgraded? I read that the recommended upgrade path is 2.4->2.6->3.0->3.2. But Cisco no longer has version 2.6 available for download. I really would like to upgrade rather than starting from scratch.
    Thanks!

    ACS 2.4 - wow! That hasn't been sold for over 11 years. (reference)
    Think about it - would you want to try to upgrade Windows 98 to Windows 7? That's about an equivalent span of software product timeline.
    The current product is so different that even if you could upgrade it would not be advisable to do so. While painful, it would be a much better option to make a clean break with the old and move onto a current platform (e.g. ACS 5.3).
