Device authorisation on ACS

Hi All, can anyone help me with device authentication on the ACS server? I have a Wi-Fi setup with some lightweight access points and a wireless controller (WiSM). Now I want to control device access, so that a PDA has limited access to the network over wireless whereas laptop users have unlimited access to the network. I have configured a single SSID and multiple VLANs with the help of ACS 4.1. I cannot configure another SSID on the controller. I also cannot configure a different user ID for PDA users; they want to use their Windows user ID on the laptop as well as on the PDA. So I don't have the option to control PDAs and laptops on a user ID and SSID basis. Is there any other way to control these devices on ACS or the wireless controller so that I can control the devices' access?
Thanks

Hi,
That is quite interesting....
What I can think of right now is to use NAP.
Filter the authentication request based on MAC address, calling station ID, that will come in Access Request.
PDAs (if of a particular manufacturer) will have some similarity in MAC address as compared to laptops.
Which, you can filter based on Advanced Filtering option.
And once that request comes under the defined NAP, go for RAC, and configure RADIUS attributes 64, 65 and 81, to make PDAs go into different VLANs as compared to laptops.
Logically it should work, if I understand this correctly :)
Worth a try.
Please share the results, if you decide to go for it.
Regards,
Prem
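
The approach in the reply above, sketched in Python as an added example (not part of the original thread and not ACS code): classify the client by the OUI of the MAC in Calling-Station-Id, then encode attributes 64, 65 and 81 as tagged RADIUS attributes per RFC 2868 / RFC 3580. The OUI list, VLAN numbers, function names and the choice to treat an unparseable MAC as the restricted class are assumptions for illustration.

```python
import re
import struct

# Attribute numbers from the reply; values per RFC 2868 / RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

# Assumptions for illustration: constructed OUI list and VLAN numbers.
PDA_OUIS = {"00A0F8"}
VLAN_BY_CLASS = {"pda": 120, "laptop": 110}


def classify(calling_station_id):
    """Map a Calling-Station-Id MAC to a device class by its OUI."""
    mac = re.sub(r"[-:.\s]", "", calling_station_id).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        return "pda"  # unparseable MAC: fall back to the restricted class
    return "pda" if mac[:6] in PDA_OUIS else "laptop"


def tagged_int(attr, value, tag=1):
    """Tagged 3-octet integer attribute: type, length 6, tag, value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr, text, tag=1):
    """Tagged string attribute: type, length, tag, ASCII text."""
    data = text.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data


def vlan_attributes(vlan_id):
    """Encode attributes 64, 65 and 81 for one VLAN assignment."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_str(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def authorise(calling_station_id):
    """Return (device class, encoded tunnel attributes) for a request."""
    device_class = classify(calling_station_id)
    return device_class, vlan_attributes(VLAN_BY_CLASS[device_class])


if __name__ == "__main__":
    # Constructed sample Calling-Station-Id values in three formats.
    for mac in ("00-A0-F8-12-34-56", "0016.6f12.3456", "not-a-mac"):
        cls, attrs = authorise(mac)
        print(f"{mac:20} {cls:7} {attrs.hex()}")
```

The MAC in Calling-Station-Id is reported by the client side, so this split steers policy by device type rather than proving what the device is; the ACLs on each VLAN still carry the enforcement.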

Similar Messages

  • Can Cisco Device Manager Support ACS Authentication?

    Background:
    My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
    Problem:
    My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

    Hi,
    Actually, there is a difference as from where the authentication is picked from for HTTP authentication,
    With HTTP v1 server, same method list is picked, that is used by VTY lines.
    With HTTP v1.1 server, but before the integration of fix for bug CSCeb82510, the method list defined for console is checked.
    After the fix of the above mentioned bug, we have a somewhat different set of commands that we can use.
    I would suggest you to give this a try,
    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated
    ip http authentication aaa
    line con 0
    login authentication CONSOLEandHTTP
    authorization exec CONSOLEandHTTP
    For detail please refer,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    Regards,
    Prem

  • I have deauthorised all my computers in the store and after that authorised a new phone. Now I only have 1 device authorised out of 5. But when I sync, it keeps prompting a message asking me to authorize my computer.

    I have deauthorised all my computers in the store and after that authorised a new phone. Now I only have 1 device authorised out of 5. But when I sync, it keeps prompting a message asking me to authorize my computer.
    Please help me.

    You import them as you would with any digital camera.
    Import photos and videos from your iPhone, iPad, or iPod ...

  • I had 5 devices authorised so I deauthorised all. How do I authorize iMac? iTunes Match heading disappeared from under iTunes Store.

    I had 5 devices authorised so I deauthorised all. How do I authorize iMac? iTunes Match heading disappeared from under iTunes Store.

    Use the iTunes Store menu > Authorize this computer.

  • 2 devices authorised but 'can't authorise more than 5' message appears

    I need to authorise a replacement computer - de-authorised and re-authorised 2 devices but the computer tells me 5 are authorised and you can't de-authorise more than once a year - any ideas?

    One computer using multiple iTunes Store authorizations - http://support.apple.com/kb/HT1206 - "If the number there is higher than the number of computers that you have authorized, it is possible that one or more of your computers is using multiple authorizations."
    If the above doesn't work because you are up against a deauthorization limit you will have to contact Apple.
    iTunes Customer Service Contact - http://www.apple.com/support/itunes/contact.html > Get iTunes support via Express Lane > iTunes > iTunes Store

  • Device authorising failure

    I connected my device and Digital Editions asked if I wanted to authorise the device. After several minutes my server went down. When I restarted, the device wasn't authorised but Digital Editions no longer recognised it as a new device. What do I need to do to get the device authorised?
    Thanks

    The device is a Binatone KidzStar ereader. It doesn't appear in the supported list, but as ADE tried to authorise it when I first plugged it in, I think it must be possible to authorise the device and this would have been done if my server hadn't gone down.
    The authorising screen was displayed and the green progress bar had moved about a quarter of the way across the screen when the server went down. There was no error message but when I plug the device in, it doesn't appear on the left side of the ADE screen, and ADE does not offer to authorise it. I have tried deleting the Digital Editions folder as you suggest, but this hasn't worked; ADE simply recreates the folder. Looks like I'm stuffed.

  • Devices Behind Firewall ACS 4.0 Local

    All,
    I just read a post labeled "ACS 4.0 Behind Firewall" and it talked about opening ports 2004 to 5000 to access the ACS server that is behind the firewall. My question is, does this same port range apply if you are trying to access and authenticate to a device that is behind a firewall? When I try to access one of my devices that is behind the firewall I can't authenticate through the ACS box, so I end up using the local username and password. Can anyone tell me what ports I have to open on the firewall to allow the authentication to go back to the ACS server? Thanks

    Hi,
    TACACS+ authentication service between network devices and the AAA server is running on TCP 49. The 2004-5000 port range is only applicable if you need to access the ACS server (for management purposes) from outside/internet. In your case, if you need to access your devices behind the firewall from an external network, what you need is to map your internal network devices with public IP, and open the desired service port, e.g. SSH (TCP 22), on your firewall outside interface ACL to allow incoming access.
    For your internal devices, you need to have appropriate AAA configuration that points to ACS (e.g. TACACS+). In your ACS, set these devices as AAA Client, and configure appropriate IP, secret key and using TACACS+.
    Before you test ssh access from internet/external network, test your SSH access locally. It must be successful to get AAA to authenticate your SSH connection request.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_user_guide_chapter09186a008052e996.html
    Hope this helps.
    Rgds,
    AK

  • How do I change my device authorisation details in Adobe Digital Editions?

    I recently changed my email and have updated my Adobe ID but Adobe Digital Editions still holds the old ID and doesn't seem to give me an option to change.  There are no instructions or FAQ's about the issue - only how to set an ID etc up. The only thing I've thought is to delete ADE from my computer and reload it, but I don't want to lose the books I have on there already....
    Cheers

    Do you want to de-authorize your ADE and Authorize back with your new account?
    To De-authorize:
    Go to Library view mode
    Press Ctrl+Shift+D
    To Authorize:
    Press Ctrl+Shift+U
    To know more about ADE and other shortcuts , download Getting Started with Adobe Digital Editions
    Note: If you de-authorize an account and authorize again with a different account, you can't read the books already downloaded with the older account. You can also have a look at http://www.datalogics.com/pdf/doc/acs/JointAccountGuide.pdf .

  • Remove a device from Cisco ACS Appliance v 4.2

    I am trying to remove a device that was added.
    I know I have to do this via RDBMS synchronization since the device name is over 32 characters long.
    I cannot seem to find my example or the action codes to delete this device.
    If the device name is deviceabcde.all-equipment.mine.com.  I know it is not 32 characters, but removal via sync'ing will be the same.
    Any help would be appreciated.
    dwane

    You can try using the Device and Credentials Repository command line interface (dcrcli). Instructions for its use are located here.
    If the issue is with the Fault tool (also known as DFM) then please see this thread about re-initializing the DFM databases.

  • Can someone help with device authorisation for adobe digital editions?

    This may not be the right forum, I could not find one for Adobe Digital Editions.
    As you can see in the attached image the activation server is not responding. I tried with another email address, same problem. Have reset password on both accounts and still doesn't work.

    http://forums.adobe.com/community/adobe_digital_editions

  • ACS not authorising Security Manager devices

    Hi I have a setup ACS 4.1 CS-Manager 3.2.2
    I have integrated the CS-Manager into ACS with no problems.
    However when I try to add devices into the CS-Manager I get the message "The Device is not in the Cisco Secure ACS"
    I have one wildcard entry encompassing all devices and the CS-Manager (TACACS+ (cisco IOS))
    I am wondering if CS-Manager is not liking the wildcards.
    Unfortunately, as we have 500 or so production devices already using this entry, I am not in a position to remove it to test my theory at present.
    Anyone know if wildcards are supported for authorising CS-Manager devices?
    Regards
    Colin

    Colin
    Assumption: you have CSM's common services integrated correctly into ACS, first with a admin account in acs with full rights and second with the system identity user and pass in the ACS server with full rights as a user (not admin portal) and during the setup of AAA in CS you used the [tick box] to push out the authorization categories from CS into ACS.
    Assumption: you have a super admin group in ACS setup that has full rights to CSM authorization categories that was pushed into ACS from Common Services when you first setup AAA in CS. And you have setup a user that is part of that the ACS super admin group.
    Three things to check.
    1. Under ACS, click the 'Share Profile Components' button, check that Common Services has pushed out the authorization categories into ACS; you should see CSM and auto update modules. Drill down into the CSM and check to see which authorization category gives the most access, should be 'System Administrator'; make sure that all the tick boxes in this profile are ticked with no gray or shaded boxes.
    2. The user account you're logging into CSM with is part of the ACS super user group that you created. Check the ACS super user group is correctly matching the CS-Manager authorization categories, i.e. make sure that you have matched the group that you checked in my previous point, 'System Administrator' or whatever group you created that gave full rights.
    3. Finally, you must have the device listed in your network device groups in ACS. Remember that CSM will check against the ACS's NDG lists and WILL also match against a FQDN, so if you added domain information into a device in CSM then the device listed in ACS will need to be the FQDN; if it's not, then remove the domain name info from CSM and test. (EDIT: This might have been fixed in 3.2.2, not 100% sure, but it broke my network in 3.1.) I'm going to take a wild stab in the dark and say that the wildcard might be failing you because it doesn't match between CSM host name and domain name sections to the ACS host name.
    Dale
    Oh one final test you can try, log into the end device manually using telnet or ssh using the system identity user and pass. Just double check that the account gets access to the device via tacacs and that you can perform enable access type functions using this account.

  • How to authorise single Ereader device with several Adobe IDs?

    Is it technically possible in Adobe's DRM system to connect a single epub ebook reader with several Adobe Digital Editions IDs?
    The background of my question is following: I got an ADE account and a laptop computer and Ereader authorised with that account. My wife got an ADE account of her own and her computer and her own Ereader authorised with her account. So both of us got 4 more devices to be authorised with if I understand the system right.
    What I have in mind is to authorise my wife's Ereader with my ADE account, too, in order to be able to transfer DRM protected epub ebooks that I purchased under my account to her Ereader. But I'm afraid to overwrite the original authorisation on her Ereader by authorising it with my Adobe ID and therefore refrain from fiddling with the device authorisation.
    Any advice from Adobe or someone else in the community? I was not able to find any useful advice in various forums.
    Many thanks for help!
    Best regards,
    Martin D.

    No.

  • ACS best practices for device config

    Can anybody tell me what the best practice is in regards to device setup in ACS?
    Specifically, is it better to specify each device individually or is it ok to allow whole subnets access to access, therefore allowing all devices in those subnets access to ACS for AAA.

    Find My iPad is not a fully reliable way to secure data on a corporate iPad. The service is too easy to defeat and block you from wiping the data. You can, however, make settings that will make it much more difficult for someone to get data from your company iPads and iPhones even if they can defeat the Find My iPad connection. I'd suggest you read these Apple documents:
    http://www.apple.com/ipad/business/docs/iOS_Security.pdf
    http://www.apple.com/ipad/business/docs/iOS_MDM.pdf
    They'll give you an overview of how to secure your devices.
    Regards.

  • ACS File Operation Bulk Upload (Device limit?)

    Hi
    I was trying to upload about 250 devices to my ACS server using the file operations option.
    I downloaded the template added the devices but when I try the add the 250 devices only 15 would
    add at any one time. Why? Does anyone know what the problem might be?
    I've modified the template many times to see if the template was the issue however every time it's
    limited to 15 devices.
    I've already uploaded the devices manually but for future users and myself I'm wondering if anyone knows
    the what the reason could be.
    Cheers,
    Paul

    There is no built-in limit and I have seen this working with many more than 15 devices; but I cannot say what your issue was without seeing the file you used.
    One thing you could try is doing an export and can then see file format/contents for all devices

  • Can't auth to Nortels networks devices using RADIUS with ACS 5.1

    Hi,
    I've got a problem with the ACS 5.1 RADIUS Authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
    After configuring RADIUS on these device (primary serv, secondary serv, secret key, port...) and adding them to my ACS Servers.
    I can't manage to log in using RADIUS and I get the following message.
    "Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
    But in my ACS View, I can see : "Authentication succeeded."
    I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
    I've got no problems with RADIUS Auth using other brand devices
    Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
    Regards.

    Are you sure that setting up a compound condition will help ?
    To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay in the IETF RADIUS standards? no?)
    Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
    Here is my steps in the ACS View
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new  session
    Evaluating Service Selection  Policy
    15004  Matched rule
    15012  Selected Access  Service - Default Network Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity  Store - Internal Users
    24210  Looking up User in  Internal Users IDStore - radius
    24212  Found User in Internal  Users IDStore
    22037  Authentication Passed
    Evaluating Group Mapping  Policy
    Evaluating Exception  Authorization Policy
    15042  No rule was matched
    Evaluating Authorization  Policy
    15006  Matched Default Rule
    15016  Selected Authorization  Profile - Permit Access
    11002  Returned RADIUS  Access-Accept
    So I think the ACS does its job
