Command Authotization on Pix 6.3 and ACS v3.3

Similar Messages

• ISE and ACS?

  Is there any reason why we would need an ACS and ISE, as my understanding is the ISE alone would be sufficient?
  We are looking to deploy a wireless network supporting a mixture of corperate device and BYOD.
  Corperate users would be required to be Authenticated via AD which I believe the ISE can support.
  Other users would be Authenticated via the ISE portal.
  Kind Regards
  Stewart 

  Keep in mind that ISE doesn't do TACACS+, so you can't use it for standard management access and command authorization of Cisco devices as with ACS.

• Wireless Virtual LAN - SSID and ACS User Mapping

  Hi Everybody
  We have the following senario:
  - WLC 4402 and ACS 3.3
  - 2 SSID's , One for Emploies - one for gests
  - All users are (guest and emploies) are authentication against the ACS Server.
  We would like to only permit Guest users to use the Guest SSID.
  I've been reading the Wireless Virtual LAN Deployment Guide :
  http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
  and have tried to use methode 1.
  - RADIUS-based SSID access control:
  "Upon successful 802.1X or MAC address authentication, the RADIUS server
  passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
  "This is configured by enableling the ?[026/009/001] cisco-av-pair? option. On the ACS Server
  - Enable and configure Cisco IOS/PIX RADIUS Attribute,
  009\001 cisco-av-pair
  - Example: ssid=LEAP_WEP"
  I've tried this, but regardless of wich SSID the user(-group) has configured, it sill can access all SSID's?
  Does anyone have any idea of what I'm doing wrong?
  Does this setting only apply to Accesspoint, or is it also valid for the WLC 44xx series?
  Greetings
  Jarle

  Hi I'm sorry but this still does not help.
  We have now upgraded ACS to version 4.0 and I'm still having the same problems.
  This is what i have configured:
  WLC:
  - WLAN
  - SSID : Public
  - WLAN id = 3
  - L2 Security : 802.1x
  - Interface Name : GuestVLAN
  - Controller - Interface
  - management - Untagged
  - GuestVLAN - VLAN 112
  - Security
  - RADIUS Servers
  When authenticating a Guest(belonging to the proper group in acs) - the right VLAN is used, IP Adresses from DHCP is recieved, and the Guest can access internet.
  Switch:
  - Port connected to WLC uses Trunking.
  - Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
  ACS:
  - AAA Client is the WLC, Authenticating using Cisco Airespace
  - Guest Users are member of Group 11
  - Private Users are member of Group 1
  Group 11
  - Use Per Group NAR to only allow WLAN Access
  - Cisco Airespace RADIUS Attributes
  x 14179\001 - Aire-WLAN-ID = 3
  - Cisco IOS / PIX RADIUS Attributes
  x 009\001 Ciso-av-pair = "ssid=Public"
  - IETF Radius Attributes
  x 006 Service Type = Login
  x 007 Framed-Prot = ppp
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 112
  Group (default Group)
  - Cisco Airespace RADIUS
  x 14179\001 Aire-WLAN-ID = 1
  - Cisco IOS/PIX Radius Attrib
  x 009\001 Cisco-av-pair = "ssid=Private"
  - IETF RADIUS
  x 008 Service-type = Login
  x 064 Tunnel-Type = VLAN
  x 065 Tunnel-Medium-tye = 802.1x
  x 081 Tunnel-Private-Group-ID = 1
  Do you have any idea of what i should change?
  Greetings
  Jarle

• WLC4402 and ACS receives double authentication request with MS client

  I have a 4402 wlc, ACS 3.3 and we use Microsoft client with WPA-TKIP/MSChapv2.
  We hardly connect to the WLAN, but after 10 minutes we are disconnected.
  We are migrating from LEAP to PEAP, so we create two profiles in the WLC.
  LEAP connects good, but PEAP fails.
  In the ACS log I can see a double authentication request.
  Any idea?

  but that doesen't solve the problem on the ACS right?! On the ACS I have to configure the device with the ip address and the EAP type (ex. "Cisco Aironet" for LEAP or "Cisco IOS/PIX" for PEAP), and how do that?
  Thanks for your feedback

• AAA, Tacacs+ and ACS

  I'm trying to use ACS (v4.1) to authenticate admin to our Cisco switches and also restrict access to particluar commands for particular users, I've done a lot of research on this but can't find a complete doucment that goes through it step by step.
  What I have so far on the switch is
  enable secret 5 removed
  username admin privilege 15 password 7 removed
  aaa authentication login default group tacacs+ local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ local if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  The local admin logins in perfectly fine when the switch is not connected to the network.
  When I connect the switch to the network and login using my AD credentials it works a treat.
  When I try an login with a local ACS accout for testing which has Max Privilege for any AAA Client Level 1, Tacacs+ Settings Shell(exec) is ticked as is Privilege level and that's set at 1 also it logins in fine but when I try to go into exec mode it fails with errors below
  % Error in authentication.
  .Oct 25 14:19:20.288: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 15 failed by test on console
  I don't want test to go into exec mode as level 15 I want it to go in as level 1 or some other level other than 15 so I can control what commands it has access to through ACS.
  I'm at a loss to know why this isn't work so any help would be much appreciated.
  Thanks
  Jon

  The problem you are facing and the error you're seeing on ACS "max session exceeded" seems 2 different issues. I read that you don't wana try this with Max privilege and privilege level set to 15. However, if you want to restrict user to few commands on any IOS, that can't be done like this.
  You need to have command authorization enabled on the switch and command set on the ACS > shell command authorization. This is pretty common feature that we use day in day out.
  Yo need to set privilege level to 15 because we are using exec authorization on the switch and then follow this document.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
  You would see few examples of read-only access and read-write access.
  You may also let me know what all command you would like to allow for read-only access.
  Please feel free to let me know if you need any further assistance.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• We are trying to implement a process so that any document that needs to be printed through our Java application will be printed as PDF using Adobe Reader. For which, We created and execute the below command line to call Adobe Reader and print the PDF on a

  We are trying to implement a process so that any document that needs to be printed through our Java application will be printed as PDF using Adobe Reader. For which, We created and execute the below command line to call Adobe Reader and print the PDF on a printer."C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe" /T "\\<Application Server>\Report\<TEST.PDF>" "<Printer Name>". Current Situation: The above command line parameter when executed is working as expected in a User's Workspace. When executed in a command line on the Application Server is working as expected. But, the same is not working while executing it from Deployed environment.Software being used: 1. Adobe 11.0 enterprise version. 2. Webshpere Application Server 8.5.5.2. Please let us know if there is a way to enable trace logs in Adobe Reader to further diagnose this issue.

  This is the Acrobat.com forum.  Your question will have a much better chance being addressed in the Acrobat SDK forum.

• Questions regarding using the .monitor command to retur a animated image and we would like feedback to a designed webpage that is monitoring a 5kW windturbine:)

  I'm embedding a front panel image in an existing HTML dokument. I would like to use the command .monitor in the URL together with the refresh command so the VI automatic will reload every 20 secund. This actual work, but simultaneous I want to have the possibility to refresh manually so I don't have to wait 20 sec before new values is shown in the display. Is this possible to do?
  Another question: Since the real time display updates 1-2 times a secund the command .monitor is used to get a animated picture of the Real Time Display.
  There are several ways to add animation on to web pages. The techniques used h
  ere are the �server push� and �client pull�which makes the browser repeatedly reloads a changing inline image to provide crude animated sequences. This is not the most efficient way as this result�s in an image being re-transmitted for each frame of the animation. The command .monitor with the attribute refresh and lifespan in the URL trigger this �server push� and �client pull� techniques.
  I use this automatic refresh uploading of the display so that it each time shows different values, is this called crude animation?Then I'm wondering what I'm suppose to use the command lifespan to?I can't see the use of it in my display.....?
  link to the webpage so you can have a look at the display:
  http://134.7.139.176/.monitor?Real%20Time%20Performance.vi&refresh=20
  This is a project that I'm working together with another Norwegian friend. WE are very happy for feedback on our web page and displays go to: http://www.ece.curtin.edu.au/~peersena/ if you would like to view itThanks

  Annis,
  One of the other things to keep in mind is that the generation of an image does take some computing power so having the generation and the acquistion on the same machine is not always ideal. If you're using the machine that is publishing the front panel just to collect data it's not so much of an issue.
  If you really want to monitor in "Real-Time" using Remote Panels (requies LabVIEW 6.1) is your best option. This posting has more information on using Remote Panels and links to some live examples:
  http://exchange.ni.com/servlet/ProcessRequest?RHIVEID=101&RPAGEID=135&HOID=506500000008000000C0660000&UCATEGORY_0=_49_%24_6_&UCATEGORY_S=0&USEARCHCONTEXT_TIER_0=0&USEARCHCONTEXT_TIER_S=0&USEARCHCONTEXT_QUESTION_0=web+control&USEARCHCONTEXT_QUESTION_S=0
  Remote panels makes it possible to control the application remotely as well.
  With .monitor the only way I've been able to manually refresh is to "Shift+Refresh" on the browser.
  Regards,
  Kamran

• What is the new key command to re-record a track- and delete the old one?

  It used to be the - (minus) button on logic pro 7. I haven't been able to find it in the new one. or in the pdf manual. Anybody know of hand?
  thank you

  Open the Key Command window. Choose any command. Hit the learn button and type in the command. A message will appear telling you what the command is already assigned to. Then you can change it.

• [svn] 1978: Bug: vendors. properties file which is used in vendor specific login commands was not being read properly and as a result some login related error messages were not being displayed correctly .

  Revision: 1978
  Author: [email protected]
  Date: 2008-06-06 08:05:34 -0700 (Fri, 06 Jun 2008)
  Log Message:
  Bug: vendors.properties file which is used in vendor specific login commands was not being read properly and as a result some login related error messages were not being displayed correctly.
  QA: Yes - we need automated tests to make sure that errors.properties and vendors.properties in BlazeDS/LCDS are loaded properly.
  Doc: No
  Modified Paths:
  blazeds/branches/3.0.x/modules/common/src/java/flex/messaging/util/PropertyStringResource Loader.java
  blazeds/branches/3.0.x/modules/opt/src/jrun/flex/messaging/security/JRunLoginCommand.java
  blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand. java

  I have a lot of grief with this version of Windows Media Player.
  It is very buggy and frustrating to use.
  I have my Music library on a QNAP NAS, which is as reliable as they come.
  System notifications make it not save changes.  It also does not do a good job of interpreting albums and artists from folders.  Changes to track names are not saved, nor are tracks moved to other albums, renamed albums, changes to genre, artist
  or date.  It separates and merges albums/tracks without sense or reason.  Some changes I've made up to 4 times, then closed WMP and re-started my machine to check if it has/hasn't saved the changes.  Often it has not.
  This is the first time I've used WMP in this capacity, and I do not recommend it.
  New service pack please.

• Dynamic VLAN assignment with WLC and ACS for

  Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
  dot11 vlan-name STUDENT vlan 2903
  dot11 vlan-name FACSTAF vlan 2905
  As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
  http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
  However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
  With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
  Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

  We only have the one WiSM for all of campus, so it's handling everything. This Cisco docs do indicate how to put differnet users in different Vlans, but we don't currently see a way to also put them in different subnets per building.
  This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

• 802.1x between Switch 3750 and ACS 4.2 Authentication faild --need help

  I configured the Switch 3750 and ACS for 802.1x authentication.
  when I used the windows as the 802.1x client, it prompted "click here to enter user name and pasword for the network " as normal.
  The problem is that after I entered username and password (i am sure i enter the identical username and password as in ACS) the authentication failed,
  What is the most possibly problem?
  Thx in advance!!!
  The configuration is Sw3750 is:
  aaa new-model
  aaa authentication login default local
  aaa authentication enable default line
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  dot1x system-auth-control
  interface GigabitEthernet1/0/18
  description Link to test 802.1x
  switchport access vlan 119
  switchport mode access
  dot1x pae authenticator
  dot1x port-control auto
  spanning-tree portfast
  radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
  radius-server source-ports 1645-1646
  radius-server key keepopen0
  In the ACS:
  Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
  user setup -->real name:test1, password: test1.
  Attached is the debug information

  What do you see in acs failed attempts?

• Incompatibility issue - WLC 5508 and ACS 5.4

  Hi,
  This is my scenario:
  Cisco WLC 5508 firmware 7.4.110.20 and ACS 5.4, two WLAN eap/tls, many client  can't connect to WLAN and on ACS i receive the following error:
  Authentication failed : 11051 RADIUS packet contains invalid state attribute
  workaround:
  1 -Check the network device or AAA Client for hardware problems.
  2-known RADIUS compatibility issues.
  3-Check the network that connects the device to ACS for hardware problems
  there are some incompatibility issue between WLC and ACS ? the compatibility matrix document for wireless imposes the 7.5 firmware for WLC.
  What do you think is possibile ?

  Are there any other errors shown in the details of the failed authentication?
  We may need to look at service logs in debug mode, opening a TAC case would be the best way to go about this.
  Javier Henderson
  Cisco Systems

• Using Active Directory and ACS for Concentrator 3000 VPN

  Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
  Below is my understanding, I appeciate any help to piece some or all the below together
  (1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
  (2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is reponsible for network access control for the specific groups and enforces these controls to the users via the concentrators.
  (3) Concentrator is the NAS, and ACS is the RADIUS server
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
  (4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
  (5) A single "Tunnel Group" is created on the concentrator
  (6) Mulpile Groups, per corporate infosec policies are created on the AD
  (7) Mulpile Groups, per corporate infosec policies are also created on ACS, need to match with what're in the AD
  TIA.

  In order to restrict access for a specific AD group to specific SSID this is what you need to perform.
  When the WLC sends an authentication request to the  ACS, it will include  the SSID that the user is connecting to, in the  attribute  Calling-Station-Id(31). We can use this information to create  multiple  rules in ACS 5.x in order to take actions based on the  information  contained in the attribute.
  Under the  Users and Indetity Stores > click on Directory Groups > select  > check the group name you want to add and hit ok. Save the changes.
  We  just need to  create a DNIS rule that includes the name of the SSID and  use it as a  condition in any rule that we create for authentication.  The * is  required because the attribute not only contains the SSID but  also a MAC  address so the * is use as a regular expression.
  Now go to access-policies > default-network access > identity should be AD1.
  Go  to authorization > click on customize > move the  AD1:ExternalGroups and end-station filter attribute on the right side  and hit ok.
  After that slect the appropriate ad group for teachers and end-station filter.
  Save changes.
  Jatin Katyal
  - Do rate helpful posts -

• Send command to modem using serial port and capture the response in the labview

  hello.
  I am doing my shool project.
  I want to send command to modem using serial port and get the response in the labview.
  When i run my program and enter"AT", only messy code will be displayed.
  can anyone help me? thanks 

  Dora0512 wrote:
  Thanks for you all. My partner got it already.
  I am doing send sms part.
  Can anyone tell me why my program is not so steadily?
  It means this program can run. But somtimes I cannot receive sms. sometimes can
  Basically, it is not well-written from both a LabVIEW and a communications point of view.  Unfortunately, I can't elaborate because today is an exrtremely busy day at work.  I'm hoping this bump will prompt someone to help you with your problem.  If you could also provide us with the programmer's guide or the manual for your equipment, that would be extremely helpful.
  Bill
  (Mid-Level minion.)
  My support system ensures that I don't look totally incompetent.
  Proud to say that I've progressed beyond knowing just enough to be dangerous. I now know enough to know that I have no clue about anything at all.

• Command accounting in PIX

  Hi:
  I want to use something like "command accountig" in pix 525; I mean I want to know what commands was executed or typed by administrator.
  Somebody knows if it is possible in PIX? My pix version is 6.3.3.
  Thank you.

  I could find the following information for ver 6.2. I guess it is applicable to 6.3 too. http://www.cisco.com/warp/public/110/pix_command.shtml#accounting Basically, actual command accounting is not available. However, you can generate some sort of a record using syslog.