CS-MARS user authentication using Cisco ACS

Hi,
I would like CS-MARS (Web Interface) user authentication to be done by Cisco ACS Server. Please let me know whether it is possible or not. And if it is possible, then reply with how to configure it.
Thanks and Regards,
Ahmed Shahzad.


Similar Messages

  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here ACS server would send the authentication requests to External RADIUS server. So, I have added the external user database (RADIUS token server) in ACS under External databases. I have added AAA client in Network configuration (selected authenticate using RADIUS (VPN 3000/ASA/PIX 7.0) from the drop down).
    Here how do I make ASA recognize that it has to send the request to ACS server? Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it. But here we are using an external RADIUS server which has been configured in ACS, so how do I make ASA send the requests to ACS server?
    I would be really grateful for any help on this.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
    I'm a newbie to ACS and this is the first time I'm trying to perform two-factor authentication in Cisco ACS using an external user database.
    By two-factor authentication I mean: username + password serves as the first factor (validated by RADIUS server), and username + security code (validated by RADIUS server) serves as the second factor. So, during user authentication I enter only the username in the username field, and in the "password" field I enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we don't have to specify AD details in ACS. I have done the following in ACS to perform this two-factor authentication.
    -> In external user databases, I have added an external RADIUS token server.
    -> In unknown user policy, I have added the external database that I configured in ACS into the selected databases list.
    -> Under network configuration, I have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, I launched the ACS webVPN using https://IP:2002, and it asked me to enter username and password. So, I entered the username and in the password field I entered "password + security code". But the page throws an error saying "login failed...Try again". I can't find any logs in the external RADIUS server.
    Here is what I found in the "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Am I missing anything on the configuration side with respect to ACS?
    Thanks
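A way to summarise a "Failed attempts" export like the one quoted above, as an added example that is not part of the original post or of ACS itself. It groups the rows whose Message-Type is `Unknown NAS`, which ACS logs for a request from a sender it does not recognise as a configured AAA client, by NAS-IP-Address. The `known_clients` parameter is a hypothetical list of the addresses you have entered as AAA clients.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Header and rows as quoted from the "Failed attempts" report in the post above.
SAMPLE_REPORT = (
    "Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,"
    "Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,"
    "Author-Data,NAS-Port,NAS-IP-Address,Filter Information,"
    "PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,"
    "Network Device Group\n"
    "02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,\n"
    "02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,\n"
    "02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,\n"
)


def unknown_nas_summary(report_text, known_clients=()):
    """Group 'Unknown NAS' failures by sender address.

    known_clients is an assumed input: the IPs you believe are defined as
    AAA clients. A sender that is in that list but still logged as
    Unknown NAS points at a mismatch between the entry and the real source
    address; a sender not in the list simply has no AAA client entry.
    """
    known = {ip.strip() for ip in known_clients}
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        if (row.get("Message-Type") or "").strip() != "Unknown NAS":
            continue
        ip = (row.get("NAS-IP-Address") or "").strip()
        if not ip:
            continue
        try:
            stamp = datetime.strptime(
                f"{row['Date'].strip()} {row['Time'].strip()}",
                "%m/%d/%Y %H:%M:%S",
            )
        except (KeyError, ValueError, AttributeError):
            continue  # skip rows with a missing or malformed timestamp
        seen[ip].append(stamp)

    summary = [
        {
            "nas_ip": ip,
            "count": len(stamps),
            "first": min(stamps),
            "last": max(stamps),
            "configured": ip in known,
        }
        for ip, stamps in seen.items()
    ]
    # Most frequent sender first, then by address for a stable order.
    return sorted(summary, key=lambda e: (-e["count"], e["nas_ip"]))


if __name__ == "__main__":
    for entry in unknown_nas_summary(SAMPLE_REPORT):
        print(entry)
```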

  • Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS

    Hi all
    I have set up a dial-up connection between two PCs at a remote site and the center. It uses ISDN 30B+D, which is configured on a 3845 router. Currently I have configured connection authentication with username and password using Cisco ACS. To enhance the security configuration I also want to authenticate the phone number which dials up, with Cisco ACS. Currently I have not done this. Please help me solve this problem.
    Thanks so much
    Longn

    1) I deleted bridge-utils, netcfg
    2) I edited /etc/hostapd/hostapd.conf:
    interface=wlan0
    #bridge=br0
    edited /etc/dnsmasq.conf:
    interface=wlan0
    dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
    and edited /etc/rc.local:
    ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
    ifconfig wlan0 up
    3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
    Profit!

  • Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003

    How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks.

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the external database >> group mapping section. This would give you an option to map an external (AD) group to an internal group. The group membership needs to be modified under Active Directory.
    Once a user is successfully authenticated and learned as a dynamic user in the ACS user setup database, the user would be mapped to an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • Netscreen firewall authentication by Cisco ACS

    Since Netscreen firewall only supports RADIUS authentication, is Cisco ACS server able to support it? If yes, which version and where can I find more info about it?

    If it supports RADIUS then ACS should be able to support it.
    I believe the latest version of ACS is V6.33; you can download a trial version from this site.
    All the information you require should be here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
    HTH
    PJD

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • What is the option client certificate for user authentication used for?

    Hi All,
    I have to work on an FTPS - XI - SAP scenario.
    I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
    P.S: I went through SAP help but couldn't quite understand.

    Thanks a lot Mark.
    So for a FTPS -> XI -> SAP scenario the following settings are required.
    1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
    2. I have to hand over the public key to the FTPS server, and this key will be used for encryption of the file.
    The above 2 steps are mandatory.
    If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
    Will this certificate be used for encryption?
    To make it clear let me put it this way. The certificate created in the XI server is used for encryption and also for ascertaining that it is what it claims to be.
    The client certificate option is used only to make sure that the client is what it is claiming to be, and this is not used for encryption?

  • User Authentication using Servlet and JSp

    Hi,
    I am developing a web app where I need to implement user authentication to allow members to view and upload files on a certain directory, say /data.
    For this I am using a servlet as a controller which then forwards requests to other JSPs/servlets based on user response. I tried using servlet mapping in web.xml so that all browser requests would be directed to the controller servlet and would branch from there on. However, the problem is that all RequestDispatcher.forward() requests are redirected to the servlet, putting it in a loop.
    Is there another way to achieve this (apart from using form-based Basic Authentication)?
    I am using Resin 1.2.8 servlet/jsp container.
    Any response as soon as possible would be appreciated.
    Thanks,
    Kushagra

    RequestDispatcher.forward() causes the HTTP request to be sent through the request processing flow as if it were the original request for the resource being forwarded to.
    It seems the servlet mapping you are talking about in web.xml should be made more specific. i.e. the mapping should be such that only your so called controller servlet will match up.
    You might want to specify the mapping for the controller servlet to be noticeably/effectively different from the mapping for other servlets and JSPs.

  • Use Cisco ACS to verify MAC address for VPN User

    Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
    For example:
    User opens VPN client --> clicks connect --> types in user/pass, which gets passed to ACS (part of what should be sent is the MAC address) --> ACS responds with a yes/no on user/pass and whether the MAC address is right

    Hi Pete,
    I have found out in some of my testing that if a PC does not generate any kind of traffic and is totally idle, then once the MAC address table ages out, it does not show its MAC until the PC generates some kind of traffic. I guess this is what you must be seeing.
    I have observed one more thing: if I connect a fully booted PC which is not generating any traffic to a switch port, the switch does not learn its MAC address until it generates traffic. This is what my observation is and what I believe in most of the cases.
    I don't know whether that answers your question or not, but it could be something closer. I think there will be some who can shed some more light on this.
    regards,
    -amit singh

  • Preventing mac osx users from using cisco vpn

    Hi,
    I have set up ASA to act as our VPN server with RADIUS as my authentication server. Users use the Cisco VPN client utility to VPN in, which has the .pcf file. This .pcf file has the group password, name and so on. Some users went online and found websites to decrypt the group password and have used that on their local Macs to VPN in.
    That irritates me and I want to know how I can prevent them from logging on. Are there any ways to block by OS type within ASA?
    Please help!!
    thanks

    Thanks, I set it up to get 2 syslog messages: 713120 and 713904.
    <165>Feb 09 2012 06:48:56: %ASA-5-713120: Group = vpnaccess-xyz123, Username = xyzcompany\jdoe, IP = 10.10.10.10, PHASE 2 COMPLETED (msgid=xxxxxx).
    Which is good, now I know who is connected to my VPN and I get an alert, but I also want to know the type of OS they are using. When I do a lookup of syslog message id 713904, that is supposed to give me the OS type (ex: winnt, mac osx and so on), but I am not getting that.
    Any reason why I don't get an alert from message id 713904, but I get one from 713120?
    thanks

  • 802.1x Authentication using Cisco Phone LSC and IAS 2003

    I'm trying to authenticate Cisco 7975 phones using the LSC and Microsoft IAS 2003.
    The CA was generated from the IAS server (Domain Controller) and was imported and used to generate the LSC that have now been deployed to the phones.
    Does anyone know how to configure the IAS server to authenticate the phones?

    Hi Saad,
    Check this link to get info about EAP Types:
    http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html
    I would prefer to use EAP-TLS because of the security. In this type you need a certificate on both sides (client and server); you can also add AD to authenticate the user.
    Regards
    Don't forget to rate helpful posts

  • Best way Of providing user authentication using ADF security...

    Hi,
    I have a web application. I want to implement ADF security in the application. What is the best approach for doing this? I have the user information in the database tables along with the roles and other information. I want to use these tables for authorization.
    What is the best approach to do this? It would be great if you could help.
    I am using 11g release 2
    Thanks in advance.
    Rakesh

    Hi,
    Thanks for the quick response.
    I have been looking at the post, but I found a forum post in which the person was saying that SQLAuthentication doesn't work:
    "Be wary when using ADF Security (OPSS) with a SQLAuthenticator.
    This is feedback I got in SR 3-4124753004 :
    "If the you want to use DB as the identity store, then the supported way is to buy OVD server license and configure DB adapter in OVD and then configure an OVD authenticator in Weblogic. SQLAuthenticator will not be used as identity store. And, we do not recommend to use LibOVD for DB identity store. OVD server is the recommended and supported way."
    related bugs are :
    - bug 13876651, "FMW CONTROL SHOULD NOT ALLOW MANAGING USERS GROUPS FROM SQL AUTHENTICATOR"
    - enhancement request 12864498, "OPSS : ADDMEMBERSTOAPPLICATIONROLE : THE SEARCH FOR ROLE FAILED"
    related forum threads are :
    - "ADF Security : identity store : tables in a SQL database"
    - "OPSS : addMembersToApplicationRole : The search for role failed"
    regards
    Jan Vervecken"
    Is this true?
    Rakesh

  • SAP CRM 5.2 user authentication using active directory

    Hi,
    We have a need to authenticate users logging in to SAP CRM 5.2 based on Active Directory user name and password.
    The scenario is such that users should be able to use their Windows logon credentials for logging into SAP CRM 5.2.
    Any ideas or pointers will be appreciated.
    thank you.

    RH,
    Actually you can do this, but you need a third party product like SECUDE, or other provider to accomplish this without using the portal.  I think even with the portal it still might require some type of plugin or work.
    You basically have to set up your CRM system to accept SAP logon tickets, and then the authenticating system needs to issue an SAP Logon ticket.
    So yes it can be done, but requires more software than what is delivered with your SAP system. 
    Take care,
    Stephen

  • Office 365 Basic end user authentication using API without using powershell

    I have an Office 365 username and password. I need to authenticate the credentials without using powershell. I mean by using REST API. I was able to authenticate the admin user using client id and secret along with their username and password.
    All I need is to authenticate an end user using his username and password using graph api or any REST api.

    So you probably need to ask in the dedicated O365 forum:
    http://community.office365.com/en-us/f/default.aspx
    Or maybe an Azure AD forum ?
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with a predefined profile (network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in Anyconnect. When we change the Windows local user privileges to Admin or create the Anyconnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an Anyconnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then a Microsoft guy could look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized for, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"
