Combining radius with tacacs+ with secure acs

Similar Messages

• AAA with Secure ACS

  How do i configure ACS so that when a user telnets to a switch/router and they pass credentials...they are authenticated and dropped straight into enable mode and dont have to enter an enable password. Im using a windows external user database.
  TIA

  Hi Shaun,
  A double post deserves a double answer.
  You could have found that one yourself, but here is the URL:
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml#t2
  To find it, I did a search with the following attributes: "privileged mode radius ACS"
  Regards,
  Leo

• With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for Switches and Routers  I am using Windows 2003 server for the ACS,
  and a Windows 2003 Active Directory server.  The AD server is fine, as it is used for many other things.
  I have set up ACS as defined nit he installation guide, including all the steps in the 'Member Server' section of the install guide
  when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
  on the domain etc).
  I've set the unknown user policy to use the Windows database if the internal database doesn;t contain the user details.
  If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
  02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
  I've scoured google etc, and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter.  I need to get this up and running as soon as possible,
  so am looking forward to finding out if anyone can help me with this one!
  THanks and regards
  Sharan

  Hi  Jesse,
  Thasts a great answer and Soution.
  My previous version was 4.2 and it was installed on 64 bit machine hence getting internal Error.
  After this answer i have upgraded it to ACS4.2.1 and its started working fine
  Thanks very much for the help
  Dipu

• Cisco Secure ACS 4.2 with Oracle

  hi there...
  Our campus using WisM (WS-SVC-WISM-1-K9) as wireless controller , Cisco  1130 access point and Cisco Secure ACS 4.2 Solution Engine 1113  Appliance as radius server. For username and password, ACS will export the data from Oracle database(production DB).
  The problem that we are facing right now is password that store in oracle database is in  encrypted format. Base feedback from our database administrator, the  encryption is done by oracle - application layer and cannot be decrypt  back. In Oracle they call it "Oracle Stored Procedures"
  My questions :
  1- Can Cisco Secure ACS 4.2 work with Oracle 10G or 11G?
  2- Is there any option to tackle the encrypted password? Can ACS handle the "Oracle Stored Procedures" function?
  Please advice.
  Thanks

  Microsoft SQL Server and Case-Sensitive Passwords
  If you want your passwords to be case sensitive and are using Microsoft SQL Server as your ODBC-compliant relational database, configure your SQL Server to accommodate this feature. If your users are authenticating by using PPP via PAP or Telnet login, the password might not be case sensitive, depending on how you set the case-sensitivity option on the SQL Server. For example, an Oracle database will default to case sensitive, whereas Microsoft SQL Server defaults to case insensitive. However, in the case of CHAP/ARAP, the password is case sensitive if you configured the CHAP stored procedure.
  For example, with Telnet or PAP authentication, the passwords cisco or CISCO or CiScO will all work if you configure the SQL Server to be case insensitive.
  For CHAP/ARAP, the passwords cisco or CISCO or CiScO are not the same, regardless of whether the SQL Server is configured for case-sensitive passwords.
  Sample Routine for Generating a PAP Authentication SQL Procedure
  The following example routine creates a procedure named CSNTAuthUserPap in Microsoft SQL Server, the default procedure that ACS uses for PAP authentication. Table and column names that could vary for your database schema appear in variable text. For your convenience, the ACS product CD includes a stub routine for creating a procedure in SQL Server or Oracle. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id (`dbo.CSNTAuthUserPap') and
                           sysstat & 0xf = 4)drop procedure dbo.CSNTAuthUserPap
                           GO
                           CREATE PROCEDURE CSNTAuthUserPap
                           @username varchar(64), @pass varchar(255)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username
                           AND  csntpassword  = @pass )
                           SELECT 0,csntgroup,csntacctinfo,"No Error"
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTAuthUserPap TO ciscosecure
                           GO
  Sample Routine for Generating an SQL CHAP Authentication Procedure
  The following example routine creates in Microsoft SQL Server a procedure named CSNTExtractUserClearTextPw, the default procedure that ACS uses for CHAP/MS-CHAP/ARAP authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id(`dbo.CSNTExtractUserClearTextPw') 
                           and sysstat & 0xf = 4) drop procedure dbo.CSNTExtractUserClearTextPw
                           GO
                           CREATE PROCEDURE CSNTExtractUserClearTextPw
                           @username varchar(64)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username )
                           SELECT 0,csntgroup,csntacctinfo,"No Error",csntpassword
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTExtractUserClearTextPw TO ciscosecure
                           GO
  Sample Routine for Generating an EAP-TLS Authentication Procedure
  The following example routine creates in Microsoft SQL Server a procedure named CSNTFindUser, the default procedure that ACS uses for EAP-TLS authentication. Table and column names that could vary for your database schema appear in variable text. For more information about data type definitions, procedure parameters, and procedure results, see ODBC Database.
                           if exists (select * from sysobjects where id = object_id(`dbo.CSNTFindUser') and 
                           sysstat & 0xf = 4) drop procedure dbo.CSNTFindUser
                           GO
                           CREATE PROCEDURE CSNTFindUser
                           @username varchar(64)
                           AS
                           SET NOCOUNT ON
                           IF EXISTS( SELECT  username
                           FROM  users
                           WHERE  username  = @username )
                           SELECT 0,csntgroup,csntacctinfo,"No Error"
                           FROM  users
                           WHERE  username  = @username
                           ELSE
                           SELECT 3,0,"odbc","ODBC Authen Error"
                           GO
                           GRANT EXECUTE ON dbo.CSNTFindUser TO ciscosecure
                           GO
  Reference:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp355420

• Cisco Secure ACS with UCP assistance and enable password

  I am running Cisco Secure ACS version 4.2 running on a
  Standalone Windows 2003 Enterprise 2003with the lastest
  windows service pack and update. Secure ACS is running
  fine and I can authenticate with Cisco routers and
  switches. The Windows 2003 server is also running Microsoft
  IIS Server. In other words, the IIS server and Cisco
  Secure ACS is running on the same windows 2003 server.
  I am trying to get Cisco User-Changeable password to work
  with Cisco Secure ACS. I followed the release notes lines
  by lines and the work around provided below:
  Also server require more privileges for the internal windows user that runs CSusercgi.exe.
  The name of the windows user that runs UCP is IUSR_<machine_name>.
  Workaround steps:
  1) Install UCP 4 on a machine that runs IIS server.
  2) Open IIS manager
  3) Locate Default Web Site
  4) Double click on the virtual name 'securecgi-bin'
  5) Right click on CSusercgi.exe and choose Properties
  6) Choose 'File Security' tab
  7) Choose 'Edit' in 'Authentication and access control' area
  8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
  password (make sure that 'Integrated Windows authentication' is checked)
  I still can NOT get this to work. I got this error:
  It says:
  The page cannot be found
  The page you are looking for might have been removed,
  had its name changed, or is temporarily unavailable.
  HTTP Error 404 - File or directory not found.
  Internet Information Services (IIS)
  I modified everything in the Windows 2003 to be "ALLOWED" by
  EVERYONE. In other words, there are NO security on the windows 2003.
  It is still NOT working.
  The other question I have is that can Cisco UCP allow user
  to change his/her enable password?
  Can someone help? Thanks.

  Yes bastien,
  Thank you.
  But one thing more i want to know that in its Redundant AAA server, when i try to open IIS 6.0 window 2003; it prompts for Username and Password.
  I've given it several time; also going through Administrator account with administrative credentials but it always failed.
  Any suggestions/solution/?
  This time many thanks in advance.
  Regards
  Mehdi Raza

• With Cisco Secure ACS 4.2 User accounts gets locked at first instance of wrong credentials even if configured for 3 attempts

  Hello Everybody,
  I am working with Cisco Secure ACS 4.2 and it is integrated with Active Directory at a Windows 2008 R2 functional level, user accounts that are set with lockout parameters (3 incorrect attempts) are locked out prematurely after the user enters the wrong credentials just once, the integration is done via LDAP.
  I wonder if anybody has any idea why this is happening, because when I connect to a Cisco device or VPN, and type my password wrongly, on the Active Directory I get extra bad password counts.
  Thanks in advance and regards....

  Hello Scott,
  Thanks for your answer. However we checked the ACS logs and it shows that we entered bad credentials just once, but in the Active Directory our account sometimes is blocked because we get at least 2 and sometimes 3 failures. This problem is only presented when we authenticate Cisco devices or through VPN, in normal circumstances, when users enter bad credentials on their computers, it works fine.
  Thanks and regards...

• Can't auth to Nortels networks devices using RADIUS with ACS 5.1

  Hi,
  I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
  After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
  I can't manage to login using RADIUS and i get the following message.
  "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
  But in my ACS View, I can see : "Authentication succeeded."
  I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
  I've got no problems with RADIUS Auth using other brand devices
  Is there any known issues with Nortels devices using Cisco ACS 5.1 with RADIUS  Authentication ?
  Regards.

  Are you sure that setting up a compound condition will help ?
  To me, the RADIUS Nortel VSA are used for Authorization,and my problem is about Authentication (usually for a simple authentication, we stay in the IETF RADIUS Standards ? no ?)
  Also, does setting this condition will change the Access-Accept packets sent by the ACS to the device ?
  Here is my steps in the ACS View
  11001  Received RADIUS  Access-Request
  11017  RADIUS created a new  session
  Evaluating Service Selection  Policy
  15004  Matched rule
  15012  Selected Access  Service - Default Network Access
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity  Store - Internal Users
  24210  Looking up User in  Internal Users IDStore - radius
  24212  Found User in Internal  Users IDStore
  22037  Authentication Passed
  Evaluating Group Mapping  Policy
  Evaluating Exception  Authorization Policy
  15042  No rule was matched
  Evaluating Authorization  Policy
  15006  Matched Default Rule
  15016  Selected Authorization  Profile - Permit Access
  11002  Returned RADIUS  Access-Accept
  So I think the ACS does its job

• Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)

  Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
  So I am trying to get TACACS+ auth to work for my ACE.
  The command string that I have on the ACE is as follows:
  tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
  aaa group server tacacs+ tacacs+
    server 172.16.101.4
  aaa authentication login default group tacacs+ local
  aaa authentication login console local
  aaa accounting default group tacacs+ local
  But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
  I do not know how to do this on the ACS 5.1.0.44.
  Anyone know?
  TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
  Thanks for your reply. About this question:
  shell:<Context>*<Role> <Domain>
  What I meant is that you need to check the following couple of things on
  your ACS server in order to have AAA Tacacs users to login into the
  ACE over the context with superuser ritghts.
  Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
  ‑> enable Custom attributes ‑> right below this part you need to
  use the following sintax to link the ACE context that this user
  has access to.
  For example:
  shell:<Context>*<Role> <Domain>
  shell:Admin*Admin default‑domain
  Where this user will have access to the Admin context with the role
  admin using the 'default‑domain'

  Wilfred,
  What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
  Once you get into this shell profile select the Custom Attributes tab and put in the following fields close to the bottom of the screen, from the example you provided type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional, if you select mandatory and other IOS devices use this same shell profile you will force this av pair to these devices also which will impact the priv levels that then need for authentication.
  After you add this attribute, save your changes and then test, also make sure that your Aceess Policy is calling this shell profile under the authorization profile for default device admin.
  Thanks,
  Tarik Admani

• How to Assign Privilege Levels with CiscoSecure ACS TACACS+

  how to assign privilege level to a user in secure ACS TACACS+ user exist in external database
  Regards,
  Bilal

  Hi Bilal,
  Bring users/groups in at level 15
      1.  Go to user or group setup in ACS
      2.  Drop down to "TACACS+ Settings"
      3.  Place a check in "Shell (Exec)"
      4.  Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG
  Do rate helpful posts

• Secure-ACS: Special RADIUS-Attributes for Enterasys E7

  Hi,
  we were running a pretty old version of the  Cisco Secure ACS for AAA our network devices.
  Unfortunately the  server crashed an we had to install and set it up with a new server.
  Using  TACACS+ for our Cisco devices works fine.
  We have a couple of  switches made by a vendor called Nexans, which only support RADIUS -  this works fine too.
  Furthermore we still have some Enterasys E7  and with those RADIUS doesn't work at all.
  Sniffering the packets,  everything looks good.
  With the old server it worked well.
  Does  anybody know if there are special configurations (e.g. attributes) when  configuring an ACS for Enterasys RADIUS-Clients?
  Thanks,
  Rolf

  We have this configuration and works fine with our network and associate in a good manner also the policy which we have configured it on Enterasys in this way
  Filter-Id===>
  Enterasys:version=1:mgmt=su:policy=Administrator
  After we make the update to ACS 5, the "ASA" consider this filter-id as access-list so it consider the field after the filter-id as the name of the acl, and diconnect the VPN connection.
  Could soneone help me to resolve that.

• ASA - logging via radius with group name passed.

  Hi,
  I'm trying to setup ASA5520 with Radius to authenticate users with group
  privileges.
  Useing Radius with ASA to authenticate users is quite simple. When I try
  to pass from asa tunnel-group name (with group-policy and attributes
  attached) there is a problem that ASA dosn't pass any group name to
  radius.
  Is there any way to overcome it?
  What I want to do is to apply different policies to username depending
  with what tunnel-group name he logs in to webvpn. I assume one user may
  be member of different groups.
  br
  Marcin

  It's possible.
  Differentiate your privileges and restrictions based off of group-policy, not the tunnel-group. Keep your default WebVPN tunnel-group, and do not specify a default group policy for this tunnel-group.
  Create separate group-policies that differentiate what links different groups of users should be presented with. If you're using ACS, link your Cisco Secure Groups to groups in Active Directory (or other method of directory services). The Cisco Secure Groups should then be configured to pass specific RADIUS attributes, such as the "Class" attribute #25. ACS will then tell the ASA to place the user (from Active Directory) into a specific group-policy, which you can then limit URL's shown with the url-list command.
  Long winded, I know...any questions, please ask.

• Tacacs not authenticating in secure ACS

  My network has a Secure ACS ver 5.30.40 and client 3750 IOS 12.2(44)SE5
  aaa new-model
  aaa authentication login default local group tacacs+
  aaa authentication enable default group tacacs+ enable
  aaa authentication console
  aaa authentication exec default group tacacs+ local
  aaa accounting command 15 default start-stop tacacs+
  tacacs-server host X.X.X.X
  tacacs-server directed-request
  tacacs-server key X.X.X.X:
  When a user attempts to login and access deny is returned.

  I do not have a good understanding of the problem described by the original poster. There are multiple authentication methods configured and it is not clear which of them the user might be using. Lacking any specific information I will assume that this is the authentication method in question
  aaa authentication login default local group tacacs+
  And there is something unusual about this configuration. It specifies the primary authentication method as local with tacacs as the backup method. The more usual configuration would look like this
  aaa authentication login default  group tacacs+ local
  I also find the description of the problem confusing. The original poster says that access deny is returned which sounds like he is seeing tacacs activity. But if I am correct about the authentication method being used then local authentication is the primary method. Perhaps the original poster can provide some clarification.
  HTH
  Rick

• Aaa network access restrictions with secure authen (asa device)

  Hi all,
  I've been reading a lot about how to configure the cut-through-proxy to allow certain network traffic only after being authenticated. The procedures seem pretty straightforward when using plain telnet or ftp (works pretty good).
  However, doing so securely seems to be a bit more "fuzzy".
  I don't like the idea of authenticating users over clear text telnet or ftp, and https has its own issues (weird timeouts that i can't seem to figure out).
  Is it not possible to simply log in to the ASA (or whatever) device securely (ssh?), to authenticate and authorize other network traffic?
  I see people talking about ssh not being proxy-able. I do not want to "proxy" the ssh connection, i just want to tell the ASA:
  "Hey, this is me, allow me this (acl) traffic when i'm coming from this IP address, for X minutes or untill i log off again. Please.".
  Sounds simple to me. :-)
  Perhaps i'm looking at the wrong thing? Perhaps i do not need the cut-through-proxy for this?
  I've been looking at articles like this:
  https://supportforums.cisco.com/docs/DOC-14842
  And some of Cisco's ASA AAA articles, like this:
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html
  They all pretty much seems to do what i want, except that they seem to want to "proxy" my traffic for some reason, and authenticate me in clear-text.
  Do i have any other options? Like logging on directly to the device to do the authentication?
  Using fixed or named access lists or even downloadable access lists doesn't really matter, i would just like a secure way of activating those access lists.
  I'm currently investigating my options, like using a VPN client or script some acl injection, but that just sounds so disturbing.
  Thanks a lot.
  /Sune T.

  I have never done it with Cisco ACS so I can not offer much support on this.
  However, I've done it many times on Cisco Freeware TACACS+ and it is very easy.
  1- in Cisco Freeware tacacs, include "max-session = 1" under either the user
  profile or group file definition.
  2- in the router itself, you need to enable "ip finger". This will allow the
  TACACS+ server to querry the router everytime there is a new attempt to loggin.
  If you already have a session to the router, TACACS+ server will see this and
  reject a new session for that same user. If the login ID is different than what
  is already connected to the router, it will then be accepted:
  C7140#who
  Line User Host(s) Idle Location
  0 con 0 idle 11w2d
  * 2 vty 0 cciesec idle 00:00:00 192.168.15.9
  Interface User Mode Idle Peer Address
  C7140#
  Now if user "cciesec" tries to login again through another session, it will
  be rejected by the TACACS server:
  [root@LinuxES-lab1 root]# finger @192.168.15.1
  Line User Host(s) Idle Location
  0 con 0 idle 11w2d
  2 vty 0 cciesec idle 00:04:00 192.168.15.9
  * 3 vty 1 idle 00:00:00 192.168.128.100
  Interface User Mode Idle Peer Address
  [root@LinuxES-lab1 root]#
  Easy right?

• Extended SOAP Scenario with Security

  Hi All,
  Could anyone send me the step by step procedure for "Extended SOAP Scenario with Security"?
  Regards,
  Sai.

  Hello,
  Please use the search option on SDN.
  There are no step by step guides as such and you will have to combine multiple different activities to achieve this, including set up of Server SSL on XI and then set up of the SOAP adapter to use the certificates.
  Refer to the guides on SDN for these.
  Regards
  Bhavesh

• Problems with New ACS 5.4 install

  I have a fresh install of an ACS 5.4 virtual  appliance. This ACS instance will only be used for TACACS+ AAA for network  device administration. It is up and running on the network. I have time,  timezone, NTP and DNS configured. ACS admin accounts  and logging are configured. I created an internal user, a network  device, a network device group, an internal identity group, a shell  profile, and command set. It is joined to the Enterprise Active  directory domain, and a couple of AD groups have been selected  for use in policies.
  The default network device is enabled and  configured with a TACACS secret. I have a lab router configured and  pointed at ACS and I can SSH to it with the ACS internal user.
  The problem is: I can’t create any rules for any  policies. If I try to add a rule (or edit a default rule) to the “Service Selection Rules” or  “Default Device Admin” or Identity, group mapping or authorization, all I  get is a popup with the message “Resource not  found or Internal  Server error”. If I click “customize” anywhere I  just get empty selection/transfer boxes. If I try to change to a single  result policy from compound rules I get a “System failure – your changes  were not saved” message.  I have installed  this twice now with the same results.
  This is my first experience with ACS. I’ve gotten  through most of the configuration guide but I don’t know ACS well enough  to know if I’m missing something incredibly obvious, or whether it’s  just broken.

  Which version of browser are you using? I am guessing you are using a later version of firefox.
  If so there are two options
  - use ie8 or ie9 in compatibility mode
  - install patch 1 for ACS 5.4. This includes fixes for issues with later versions of firefox. I think relevant CDETS is:
  CSCud33106: ACS5: Pages do not display correct when using FireFox version 16