Combining RADIUS with TACACS+ with Secure ACS
Hi all,
I'm looking forward to implementing dot1x with Secure ACS, but I also want to keep TACACS+ for command authorization (basically I also want to restrict what commands users can access). Can this be done?
Thanks. Someone recommended having 2 servers (one for TACACS+ and one for RADIUS), but because of the huge cost of Secure ACS that isn't feasible for us.
Similar Messages
-
How do I configure ACS so that when a user telnets to a switch/router and they pass credentials, they are authenticated and dropped straight into enable mode and don't have to enter an enable password? I'm using a Windows external user database.
TIA
Hi Shaun,
A double post deserves a double answer.
You could have found that one yourself, but here is the URL:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2
To find it, I did a search with the following attributes: "privileged mode radius ACS"
Regards,
Leo -
With Cisco Secure ACS For Windows TACACS+, authentication fails with AD
I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS+ server for switches and routers. I am using Windows 2003 Server for the ACS,
and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
on the domain etc).
I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,, (getting the error message as Internal Error)
I've scoured google etc, and just cannot come up with any reason why this should be happening.
I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
so am looking forward to finding out if anyone can help me with this one!
Thanks and regards
Sharan
Hi Jesse,
That's a great answer and solution.
My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the internal error.
After this answer I upgraded it to ACS 4.2.1 and it started working fine.
Thanks very much for the help
Dipu -
Cisco Secure ACS 4.2 with Oracle
hi there...
Our campus is using WisM (WS-SVC-WISM-1-K9) as wireless controller, Cisco 1130 access points and a Cisco Secure ACS 4.2 Solution Engine 1113 Appliance as RADIUS server. For username and password, ACS will export the data from an Oracle database (production DB).
The problem that we are facing right now is that the passwords stored in the Oracle database are in encrypted format. Based on feedback from our database administrator, the encryption is done by Oracle at the application layer and cannot be decrypted back. In Oracle they call it "Oracle Stored Procedures".
My questions :
1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
Please advise.
Thanks
Microsoft SQL Server and Case-Sensitive Passwords
If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
Sample Routine for Generating a PAP Authentication SQL Procedure
The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
if exists (select * from sysobjects where id = object_id('dbo.CSNTAuthUserPap') and
sysstat & 0xf = 4) drop procedure dbo.CSNTAuthUserPap
GO
CREATE PROCEDURE CSNTAuthUserPap
@username varchar(64), @pass varchar(255)
AS
SET NOCOUNT ON
-- Result row: status code, group, account info, message.
-- String literals use single quotes so the procedure works whether or not
-- QUOTED_IDENTIFIER is ON for the session that creates it.
IF EXISTS( SELECT username
FROM users
WHERE username = @username
AND csntpassword = @pass )
SELECT 0,csntgroup,csntacctinfo,'No Error'
FROM users
WHERE username = @username
ELSE
SELECT 3,0,'odbc','ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
GO
Sample Routine for Generating an SQL CHAP Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
if exists (select * from sysobjects where id = object_id('dbo.CSNTExtractUserClearTextPw')
and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
GO
CREATE PROCEDURE CSNTExtractUserClearTextPw
@username varchar(64)
AS
SET NOCOUNT ON
-- Result row: status code, group, account info, message, clear-text password
-- (ACS needs the clear text to verify the CHAP/MS-CHAP/ARAP response itself).
IF EXISTS( SELECT username
FROM users
WHERE username = @username )
SELECT 0,csntgroup,csntacctinfo,'No Error',csntpassword
FROM users
WHERE username = @username
ELSE
SELECT 3,0,'odbc','ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
GO
Sample Routine for Generating an EAP-TLS Authentication Procedure
The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
if exists (select * from sysobjects where id = object_id('dbo.CSNTFindUser') and
sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
GO
CREATE PROCEDURE CSNTFindUser
@username varchar(64)
AS
SET NOCOUNT ON
-- EAP-TLS only needs to confirm the user exists; no password column is returned.
IF EXISTS( SELECT username
FROM users
WHERE username = @username )
SELECT 0,csntgroup,csntacctinfo,'No Error'
FROM users
WHERE username = @username
ELSE
SELECT 3,0,'odbc','ODBC Authen Error'
GO
GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
GO
Reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420 -
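The quoted documentation shows why the question about encrypted Oracle passwords matters: the CHAP/MS-CHAP/ARAP procedure (CSNTExtractUserClearTextPw) has to hand the clear-text password back to ACS, while the PAP procedure (CSNTAuthUserPap) only has to answer yes or no. The following Python is an added illustration of that difference and is not code from the thread, from Cisco or from Oracle; the user store, salt and CHAP challenge are constructed sample data, and the salted PBKDF2 hash is simply a stand-in for any one-way storage format.

```python
"""Added example, not from the forum thread or Cisco's documentation.  It
shows why a CHAP/MS-CHAP/ARAP back end must return the clear-text password
while a PAP back end can work against a one-way hash: CHAP verification
recomputes the client's MD5(id || secret || challenge), which needs the
secret itself.  User store, salt and challenge are constructed sample data."""
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor, chosen for the demo


def hash_password(password, salt):
    """One-way, salted hash a PAP back end could store instead of clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
# Constructed user store holding only digests (no clear-text column at all).
USERS = {"alice": {"salt": SALT, "digest": hash_password("s3cret", SALT)}}


def pap_authenticate(username, password):
    """PAP: the client sends the password itself, so the server hashes the
    submitted value and compares digests.  Case-sensitive by construction,
    unlike the SQL Server default described in the quoted documentation."""
    rec = USERS.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["digest"])


def chap_response(chap_id, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def chap_verify(username, chap_id, challenge, response, clear_text_lookup):
    """CHAP: the server never receives the password; it must recompute the
    response, so clear_text_lookup has to yield the stored secret."""
    secret = clear_text_lookup(username)
    if secret is None:
        return False  # back end cannot supply clear text: CHAP cannot succeed
    return hmac.compare_digest(chap_response(chap_id, secret, challenge), response)


def lookup_hash_only(username):
    """A store that holds only digests (like the encrypted Oracle column in
    the question) has nothing usable to return for CHAP."""
    return None


def lookup_clear_text(username):
    """Stand-in for CSNTExtractUserClearTextPw: returns the stored clear text."""
    return "s3cret" if username == "alice" else None


def demo():
    challenge = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")  # constructed
    response = chap_response(1, "s3cret", challenge)
    return {
        "pap_ok": pap_authenticate("alice", "s3cret"),
        "pap_case_mismatch": pap_authenticate("alice", "S3CRET"),
        "chap_hash_only_store": chap_verify("alice", 1, challenge, response, lookup_hash_only),
        "chap_clear_text_store": chap_verify("alice", 1, challenge, response, lookup_clear_text),
        "chap_wrong_response": chap_verify("alice", 1, challenge, b"\x00" * 16, lookup_clear_text),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The practical consequence for the question above: with a database that can only answer "does this password match" (or that stores an irreversible hash), PAP-style checks can still work through the CSNTAuthUserPap path, but CHAP, MS-CHAP and ARAP cannot, because there is no clear text for ACS to feed into the response computation.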
Cisco Secure ACS with UCP assistance and enable password
I am running Cisco Secure ACS version 4.2 on a standalone Windows 2003 Enterprise server with the latest Windows service pack and updates. Secure ACS is running fine and I can authenticate with Cisco routers and switches. The Windows 2003 server is also running Microsoft IIS Server. In other words, the IIS server and Cisco Secure ACS are running on the same Windows 2003 server.
I am trying to get Cisco User-Changeable Passwords to work with Cisco Secure ACS. I followed the release notes line by line and the workaround provided below:
Also, the server requires more privileges for the internal Windows user that runs CSusercgi.exe.
The name of the Windows user that runs UCP is IUSR_<machine_name>.
Workaround steps:
1) Install UCP 4 on a machine that runs IIS server.
2) Open IIS manager
3) Locate Default Web Site
4) Double click on the virtual name 'securecgi-bin'
5) Right click on CSusercgi.exe and choose Properties
6) Choose 'File Security' tab
7) Choose 'Edit' in 'Authentication and access control' area
8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
password (make sure that 'Integrated Windows authentication' is checked)
I still can NOT get this to work. I got this error:
The page cannot be found
The page you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
I modified everything in Windows 2003 to be "ALLOWED" by EVERYONE. In other words, there is NO security on the Windows 2003 server.
It is still NOT working.
The other question I have is: can Cisco UCP allow users to change their enable password?
Can someone help? Thanks.
Yes bastien,
Thank you.
But one more thing I want to know: on its redundant AAA server, when I try to open IIS 6.0 on Windows 2003, it prompts for a username and password.
I've given it several times, also going through the Administrator account with administrative credentials, but it always fails.
Any suggestions/solution?
This time many thanks in advance.
Regards
Mehdi Raza -
Hello Everybody,
I am working with Cisco Secure ACS 4.2 integrated with Active Directory at a Windows 2008 R2 functional level. User accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once; the integration is done via LDAP.
I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
Thanks in advance and regards....
Hello Scott,
Thanks for your answer. However, we checked the ACS logs and they show that we entered bad credentials just once, but in Active Directory our account is sometimes blocked because we get at least 2 and sometimes 3 failures. This problem only shows up when we authenticate to Cisco devices or through VPN; in normal circumstances, when users enter bad credentials on their computers, it works fine.
Thanks and regards... -
Can't auth to Nortels networks devices using RADIUS with ACS 5.1
Hi,
I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see: "Authentication succeeded."
I've also checked the RADIUS frames; the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS auth using other brands' devices.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually, for a simple authentication, we stay within the IETF RADIUS standards, no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job. -
Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
So I am trying to get TACACS+ auth to work for my ACE.
The command string that I have on the ACE is as follows:
tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
aaa group server tacacs+ tacacs+
server 172.16.101.4
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa accounting default group tacacs+ local
But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
I do not know how to do this on the ACS 5.1.0.44.
Anyone know?
TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
Thanks for your reply. About this question:
shell:<Context>*<Role> <Domain>
What I meant is that you need to check the following couple of things on
your ACS server in order to have AAA TACACS+ users log in to the
ACE over the context with superuser rights.
Group setup -> users -> TACACS+ Settings -> enable Shell(exec)
-> enable Custom attributes -> right below this part you need to
use the following syntax to link the ACE context that this user
has access to.
For example:
shell:<Context>*<Role> <Domain>
shell:Admin*Admin default-domain
Where this user will have access to the Admin context with the role
admin using the 'default-domain'.
Wilfred,
What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
Once you get into this shell profile, select the Custom Attributes tab and fill in the fields close to the bottom of the screen. From the example you provided, type shell:Admin for the attribute field and default-domain for the value field, and make sure you select this requirement as optional. If you select mandatory and other IOS devices use this same shell profile, you will force this AV pair to those devices also, which will impact the privilege levels they need for authentication.
After you add this attribute, save your changes and then test. Also make sure that your Access Policy is calling this shell profile under the authorization profile for default device admin.
Thanks,
Tarik Admani -
How to Assign Privilege Levels with CiscoSecure ACS TACACS+
How do I assign a privilege level to a user in Secure ACS TACACS+ when the user exists in an external database?
Regards,
Bilal
Hi Bilal,
Bring users/groups in at level 15
1. Go to user or group setup in ACS
2. Drop down to "TACACS+ Settings"
3. Place a check in "Shell (Exec)"
4. Place a check in "Privilege level" and enter "15" in the adjacent field
Regards,
~JG
Do rate helpful posts -
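The two TACACS+ threads above turn on the same detail: what a device does with the attribute-value pairs in an authorization reply. In TACACS+ (RFC 8907, section 6.1) a pair written attr=value is mandatory, so a client that does not understand it must fail the authorization, while attr*value is optional and may be ignored; that is why the ACE shell attribute is carried as shell:<Context>*<Role> <Domain> and why the answer says to mark it optional on a shell profile that IOS devices also use. The Python below is an added illustration, not code from the threads or from Cisco ACS; the sample replies (including priv-lvl=15 from the privilege-level thread) are constructed, and the client models are simplified stand-ins for IOS and ACE behaviour.

```python
"""Added example, not from the forum threads or Cisco ACS.  Parses TACACS+
authorization AV pairs and applies the RFC 8907 section 6.1 rule: 'attr=value'
is mandatory (unknown -> authorization fails), 'attr*value' is optional
(unknown -> dropped).  Also splits the ACE shell:<Context>*<Role> <Domain>
form and reads priv-lvl.  Sample replies are constructed."""
import re

# Separator is the first '=' or '*'; everything after it is the value.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pairs(pairs):
    """Return [{attr, value, mandatory}] for each 'attr=value' / 'attr*value'."""
    parsed = []
    for pair in pairs:
        m = AV_PAIR.match(pair)
        if not m:
            raise ValueError("malformed AV pair: %r" % pair)
        attr, sep, value = m.groups()
        parsed.append({"attr": attr, "value": value, "mandatory": sep == "="})
    return parsed


def evaluate_authorization(pairs, understands):
    """Client-side handling: `understands(attr)` says whether this device knows
    the attribute.  An unknown mandatory pair fails the whole authorization;
    an unknown optional pair is silently dropped.  Returns (status, applied)."""
    applied = []
    for p in parse_av_pairs(pairs):
        if understands(p["attr"]):
            applied.append(p)
        elif p["mandatory"]:
            return "FAIL", []
    return "PASS_ADD", applied


def ace_shell_entry(pair):
    """Split the ACE syntax shell:<Context>*<Role> <Domain>: the context is the
    attribute text after 'shell:', the value carries role and domain."""
    if not pair["attr"].startswith("shell:"):
        return None
    parts = pair["value"].split()
    if len(parts) != 2:
        return None
    return {"context": pair["attr"][len("shell:"):], "role": parts[0], "domain": parts[1]}


def priv_lvl(pairs):
    """Return the IOS priv-lvl (0-15) from a reply, or None if absent/invalid."""
    for p in parse_av_pairs(pairs):
        if p["attr"] == "priv-lvl" and p["value"].isdigit():
            lvl = int(p["value"])
            return lvl if 0 <= lvl <= 15 else None
    return None


# Constructed reply as a shared shell profile would send it (ACE pair optional).
SAMPLE_REPLY = ["priv-lvl=15", "shell:Admin*Admin default-domain"]
# Same content with the ACE pair wrongly marked mandatory.
STRICT_REPLY = ["priv-lvl=15", "shell:Admin=Admin default-domain"]

ios_understands = lambda attr: attr == "priv-lvl"                     # simplified IOS model
ace_understands = lambda attr: attr == "priv-lvl" or attr.startswith("shell:")  # simplified ACE model


def demo():
    ios_status, ios_applied = evaluate_authorization(SAMPLE_REPLY, ios_understands)
    ace_status, ace_applied = evaluate_authorization(SAMPLE_REPLY, ace_understands)
    strict_status, _ = evaluate_authorization(STRICT_REPLY, ios_understands)
    return {
        "ios": (ios_status, [p["attr"] for p in ios_applied]),
        "ace": (ace_status, [p["attr"] for p in ace_applied]),
        "ios_with_mandatory_ace_attr": strict_status,
        "ace_entry": ace_shell_entry(parse_av_pairs(SAMPLE_REPLY)[1]),
        "priv_lvl": priv_lvl(SAMPLE_REPLY),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as a script it shows the IOS model accepting the reply and keeping only priv-lvl, the ACE model keeping both pairs, and the IOS model failing outright once the ACE attribute is sent as mandatory, which is exactly the shared-profile breakage the answer warns about.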
Secure-ACS: Special RADIUS-Attributes for Enterasys E7
Hi,
we were running a pretty old version of Cisco Secure ACS for AAA on our network devices.
Unfortunately the server crashed and we had to install and set it up on a new server.
Using TACACS+ for our Cisco devices works fine.
We have a couple of switches made by a vendor called Nexans, which only support RADIUS - this works fine too.
Furthermore we still have some Enterasys E7 and with those RADIUS doesn't work at all.
Sniffing the packets, everything looks good.
With the old server it worked well.
Does anybody know if there are special configurations (e.g. attributes) when configuring an ACS for Enterasys RADIUS-Clients?
Thanks,
Rolf
We have this configuration and it works fine with our network, and it also associates in a good manner the policy which we have configured on Enterasys in this way:
Filter-Id===>
Enterasys:version=1:mgmt=su:policy=Administrator
After we made the update to ACS 5, the "ASA" considers this Filter-Id as an access list, so it treats the field after the Filter-Id as the name of the ACL and disconnects the VPN connection.
Could someone help me to resolve that. -
ASA - logging via radius with group name passed.
Hi,
I'm trying to set up an ASA5520 with RADIUS to authenticate users with group privileges.
Using RADIUS with the ASA to authenticate users is quite simple. When I try to pass the tunnel-group name from the ASA (with group-policy and attributes attached), there is a problem: the ASA doesn't pass any group name to RADIUS.
Is there any way to overcome it?
What I want to do is to apply different policies to username depending
with what tunnel-group name he logs in to webvpn. I assume one user may
be member of different groups.
br
Marcin
It's possible.
Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or another directory service). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, in which you can then limit the URLs shown with the url-list command.
Long winded, I know...any questions, please ask. -
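Three of the RADIUS threads above come down to what the Access-Accept actually carries and whether the device trusts it: the Nortel switches rejecting a login that ACS logged as "Authentication succeeded", the Filter-Id that the ASA started reading as an ACL name after the ACS 5 upgrade, and the Class attribute used to steer a user into a group-policy. The Python below is an added illustration of the checks a practitioner does on a captured reply; it is not code from the threads, from Cisco ACS or from any vendor. It builds a constructed Access-Accept, verifies its Response Authenticator against the request authenticator and shared secret (RFC 2865 section 3), and decodes the attributes including a Vendor-Specific sub-attribute. The shared secret and request authenticator are constructed, and the VSA uses Cisco's enterprise number 9 with Cisco-AVPair (vendor type 1) only because the Nortel VSA values are not given in the thread.

```python
"""Added example, not code from the forum threads, Cisco ACS or any vendor.
Decodes a RADIUS Access-Accept, checks the Response Authenticator
(RFC 2865 section 3: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)) and
lists the attributes carried, expanding Vendor-Specific (type 26)
sub-attributes.  Packet, secret and request authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_NAMES = {1: "User-Name", 11: "Filter-Id", 18: "Reply-Message",
              25: "Class", 26: "Vendor-Specific", 27: "Session-Timeout"}


def build_packet(code, ident, request_auth, attrs, secret=None):
    """Assemble a RADIUS packet from (type, value) attributes.  With a secret
    the Authenticator field becomes the Response Authenticator; without one
    the caller's request authenticator is used as-is (Access-Request)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is None:
        auth = request_auth
    else:
        auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def vsa(vendor_id, vendor_type, value):
    """Encode the value of a Vendor-Specific attribute (RFC 2865 section 5.26)."""
    return struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def parse_packet(packet):
    """Return (code, identifier, [(name, value), ...]); a VSA is returned as a
    (vendor_id, vendor_type, value) tuple.  Inconsistent lengths raise."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if t == 26 and len(value) >= 6:
            vendor_id, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append(("Vendor-Specific", (vendor_id, vtype, value[6:4 + vlen])))
        else:
            attrs.append((ATTR_NAMES.get(t, "Attr-%d" % t), value))
        pos += alen
    return code, ident, attrs


def verify_response(response, request_auth, secret):
    """True only if the Response Authenticator was computed over this reply
    with our request authenticator and the same shared secret; a NAS must
    discard anything else (wrong secret, altered or spoofed reply)."""
    if len(response) < 20:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


SECRET = b"constructed-shared-secret"   # constructed
REQUEST_AUTH = bytes(range(16))         # constructed; a real NAS uses 16 random bytes
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1    # IANA enterprise number 9, Cisco-AVPair


def demo():
    accept = build_packet(ACCESS_ACCEPT, 7, REQUEST_AUTH, [
        (25, b"GroupPolicyA"),                                        # Class
        (11, b"Enterasys:version=1:mgmt=su:policy=Administrator"),  # Filter-Id from the thread
        (26, vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, b"shell:priv-lvl=15")),
        (18, b"Welcome"),
    ], secret=SECRET)
    code, ident, attrs = parse_packet(accept)
    tampered = bytearray(accept)
    tampered[-1] ^= 0x01                # flip one bit in the last attribute
    return {
        "code": code,
        "attr_names": [name for name, _ in attrs],
        "vsa": attrs[2][1],
        "auth_ok": verify_response(accept, REQUEST_AUTH, SECRET),
        "wrong_secret_ok": verify_response(accept, REQUEST_AUTH, b"other-secret"),
        "tampered_ok": verify_response(bytes(tampered), REQUEST_AUTH, SECRET),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two things follow for the threads above. A device that logs "No response from RADIUS server" although the Access-Accept is on the wire is behaving the way verify_response does with the wrong secret: the reply is discarded, so a shared-secret mismatch on one side is the first thing to rule out. And the attribute listing shows why a Filter-Id string that one vendor reads as a policy name is, to an ASA, the name of an access list; the attribute type is the same, only the consumer's interpretation differs.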
Tacacs not authenticating in secure ACS
My network has a Secure ACS ver 5.30.40 and a client 3750 running IOS 12.2(44)SE5:
aaa new-model
aaa authentication login default local group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authentication console
aaa authentication exec default group tacacs+ local
aaa accounting command 15 default start-stop tacacs+
tacacs-server host X.X.X.X
tacacs-server directed-request
tacacs-server key X.X.X.X:
When a user attempts to log in, access deny is returned.
I do not have a good understanding of the problem described by the original poster. There are multiple authentication methods configured and it is not clear which of them the user might be using. Lacking any specific information, I will assume that this is the authentication method in question:
aaa authentication login default local group tacacs+
And there is something unusual about this configuration. It specifies the primary authentication method as local with tacacs as the backup method. The more usual configuration would look like this:
aaa authentication login default group tacacs+ local
I also find the description of the problem confusing. The original poster says that access deny is returned which sounds like he is seeing tacacs activity. But if I am correct about the authentication method being used then local authentication is the primary method. Perhaps the original poster can provide some clarification.
HTH
Rick -
AAA network access restrictions with secure authentication (ASA device)
Hi all,
I've been reading a lot about how to configure the cut-through proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty well).
However, doing so securely seems to be a bit more "fuzzy".
I don't like the idea of authenticating users over clear-text telnet or ftp, and https has its own issues (weird timeouts that I can't seem to figure out).
Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, I just want to tell the ASA:
"Hey, this is me, allow me this (acl) traffic when I'm coming from this IP address, for X minutes or until I log off again. Please.".
Sounds simple to me. :-)
Perhaps I'm looking at the wrong thing? Perhaps I do not need the cut-through proxy for this?
I've been looking at articles like this:
https://supportforums.cisco.com/docs/DOC-14842
And some of Cisco's ASA AAA articles, like this:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
They all pretty much seem to do what I want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear text.
Do I have any other options? Like logging on directly to the device to do the authentication?
Using fixed or named access lists or even downloadable access lists doesn't really matter, I would just like a secure way of activating those access lists.
I'm currently investigating my options, like using a VPN client or scripting some ACL injection, but that just sounds so disturbing.
Thanks a lot.
/Sune T.
I have never done it with Cisco ACS so I cannot offer much support on this.
However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
1- in Cisco Freeware TACACS+, include "max-session = 1" under either the user profile or group file definition.
2- in the router itself, you need to enable "ip finger". This will allow the TACACS+ server to query the router every time there is a new attempt to log in. If you already have a session to the router, the TACACS+ server will see this and reject a new session for that same user. If the login ID is different from what is already connected to the router, it will then be accepted:
C7140#who
Line User Host(s) Idle Location
0 con 0 idle 11w2d
* 2 vty 0 cciesec idle 00:00:00 192.168.15.9
Interface User Mode Idle Peer Address
C7140#
Now if user "cciesec" tries to log in again through another session, it will be rejected by the TACACS+ server:
[root@LinuxES-lab1 root]# finger @192.168.15.1
Line User Host(s) Idle Location
0 con 0 idle 11w2d
2 vty 0 cciesec idle 00:04:00 192.168.15.9
* 3 vty 1 idle 00:00:00 192.168.128.100
Interface User Mode Idle Peer Address
[root@LinuxES-lab1 root]#
Easy right? -
Extended SOAP Scenario with Security
Hi All,
Could anyone send me the step by step procedure for "Extended SOAP Scenario with Security"?
Regards,
Sai.
Hello,
Please use the search option on SDN.
There are no step by step guides as such and you will have to combine multiple different activities to achieve this, including set up of Server SSL on XI and then set up of the SOAP adapter to use the certificates.
Refer to the guides on SDN for these.
Regards
Bhavesh -
Problems with New ACS 5.4 install
I have a fresh install of an ACS 5.4 virtual appliance. This ACS instance will only be used for TACACS+ AAA for network device administration. It is up and running on the network. I have time, timezone, NTP and DNS configured. ACS admin accounts and logging are configured. I created an internal user, a network device, a network device group, an internal identity group, a shell profile, and command set. It is joined to the Enterprise Active directory domain, and a couple of AD groups have been selected for use in policies.
The default network device is enabled and configured with a TACACS secret. I have a lab router configured and pointed at ACS and I can SSH to it with the ACS internal user.
The problem is: I can’t create any rules for any policies. If I try to add a rule (or edit a default rule) to the “Service Selection Rules” or “Default Device Admin” or Identity, group mapping or authorization, all I get is a popup with the message “Resource not found or Internal Server error”. If I click “customize” anywhere I just get empty selection/transfer boxes. If I try to change to a single result policy from compound rules I get a “System failure – your changes were not saved” message. I have installed this twice now with the same results.
This is my first experience with ACS. I've gotten through most of the configuration guide, but I don't know ACS well enough to know if I'm missing something incredibly obvious, or whether it's just broken.
Which version of browser are you using? I am guessing you are using a later version of Firefox.
If so, there are two options:
- use IE8 or IE9 in compatibility mode
- install patch 1 for ACS 5.4. This includes fixes for issues with later versions of Firefox. I think the relevant CDETS is:
CSCud33106: ACS5: Pages do not display correct when using FireFox version 16