Forward authenticatie with ACS 3.3

Similar Messages

• WPA2 enterprise, Can not authenticate with ACS

  Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but can not get authentication server to authenticate them, and failed reason is generic "EAP-TLS or PEAP authentication failed during SSL handshake"
  The AP I am using is 1240AG running 12.3(8)JA, Radius server is ACS 4.0, I don't have any problem to get dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless user.
  From ACS's point of view, it should not be aware of any difference between wired and wireless user, but ACS log shows otherwise:
  1)AP is connected to a cat4k switch, I suppose AP should be the authenticator for wireless users, but ACS "failed attempts" log for attempted wireless user shows that the NAS IP is cat4k in stead of AP, why?
  2)I am using the same laptop for both wireless/wired testing, ACS "failed attempts" log shows that for wired user, it correctly interpreted cached domain\login name, but for failed wireless user, the user-name field is totally different, yet debug on AP clearly shows that correct domain\login has been received by AP.
  Debug output on AP is attached, hope experts here can quickly identify the problem.

  Got it working by adding radius server configuration under GUI generated configuration:
  aaa group server radius your-AAA-group-name
  server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646

• Cannot authenticate with ACS because of USERNAME Length

  Dear Experts,
  I'm using Cisco ACS (Radius and TACACS+) to authenticate network devices in my network for administration, everything works great except one of the devices accepts usernames of 8 characters length only so when I change the authentication method of this device to use TACACS+ and I enter my username which exceeds 8 characters, only the first 8 goes to ACS and since it doesnt exist in the users database it will reject the authentication.
  My username: 1234567890
  when I authenticate using TACACS+, I can see 12345678 only...
  Any suggestions please? for an example is it possible to add a rule if ACS sees username "12345678" it adds "90" then check the password and authenticate?
  Thanks for the help in advance...
  Amro

  Network Configuration Prompts : http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/release/notes/acs_55_rn.html#61858
  Prompt
  Default
  Conditions
  Description
  Username
  admin
  The name of the first administrative user. You can accept the default or enter a new username.
  Must be from 3 to 8 characters and must be alphanumeric (A-Z, a-z, 0-9).
  Enter the username.

• Using Multiple AD domains with ACS

  Hi,
  Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location but the users will be from different domains and I was hoping to use a single applicance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
  In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
  Thanks in advance
  Jason

  Hi Javier,
  I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains - I don't want to have to established trusts between different domains.
  Kind regards
  Jason

• Implementing max user sessions settings for TACACS with ACS 5.3

  I'm a little confused about the configuration of max user sessions for device administration with TACACS.
  When I've changed the configutration of unlimited sessions for a value in Access Policies > Max User Session Policy > Max Session User Settings
  I think this value could limit the maximum number of sessions for each user, but instead this value limit in a global meaning all of my sessions.
  For example: I need to limit the session for my users in 2.
  user1 = Max 2 sessions
  user2 = Max 2 sessions
  user3 = Max 2 sessions
  Whe i Put the value of 2 in Max Session User Settings
  user1 + user2 + user3 = Max 2 sessions
  This is a limitation of ACS 5.3 or my configuration needs something aditional.

  Luis,
  Are you saying that when you authenticate with user1 and user 2 that user3 isnt able to get access?
  Do you have tacacs accounting enabled on the network access device?
  Also what do you have configured for the group settings? If there is a maximum group setting and all the users are a member of the same group then the lesser of the two will be enforced. So if the group max sessions is set to 1 then the all users in that group will have a max session of 1.
  Here is some reference material.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/access_policies.html#wp1162177
  Thanks,
  Tarik Admani

• Dynamic VLAN assignment issue with ACS & WLC

  I have configured an ACS (v4.2) & a WLC 4402 (5.2.193.0) according to the document listed at: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
  When I attempt to authenticate a user in the ACS local user database, I receive an auth failure.  I have enabled debugging in the WLC's CLI and I see that I get an authentication failure from the ACS.  Upon reviewing the ACS's 'failed attempts' log, I see the username I attempt to authenticare with but it reports 'CN user unknown' even though this user is the local database.
  During troubleshooting, I discovered that if I modify the AAA client for the WLC and change it to 'Cisco Aironet' rather than 'Cisco Airespace', authentication works perfectly, the proper user is authenticated to the local database and I am able to connect to the SSID.  The only issue is that because I'm now using Aironet instead of Airespace, the IETF attributes 064, 065, and 081 (VLAN, 802, and the VLAN ID respectively) do not properly assign the VLAN that the user needs to be on.
  Am I missing something?

  I determined that a NAP was blocking my authentication using Airespace and can successfully authenticate with both Aironet and Airespace now.  I also reviewed the debug output of both types of connections and I can see the proper attributes coming through, but the wireless clients just won't assign to the right VLAN interface.
  I've reviewed all of the configuration settings per the document about 40 or 50 times now and I am certain I'm not missing anything.  I do indeed have override enabled but the configured interface 'management' is still the one the user is assigned to every time, even in the client connection details under the monitor tab.  ARGH!!

• WLC 4402-50 with ACS 3.3

  Hi,
  We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report withing ACS.
  Is there an incompatability between the WLC 4402-50 with ACS 3.3?
  thanks
  Bob

  The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
  It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

• MARS 5.2.7 integration with ACS 4.1

  Hello
  I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
  Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
  Thank you really much
  Best regards Antonello.

  HI ,
  LMS 4.0 no longer integrates with ACS the way that LMS 3.x did.  You  can still use ACS for authentication in LMS 4.0, but for authorization,  each user must have a local account in LMS, and the roles will be  assigned using LMS 4.0's new RBAC.  Users are defined under Admin >  System > User Management > Local User Setup, and roles are defined  under Admin > System > User Management > Role Management  Setup.
  By default, if a user does not have an account in LMS, they will receive the Help Desk role
  Please check the below link:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
  Thanks-
  Afroz
  [Do rate the useful post]

• 802.1x with ACS and Windows AD

  Hi
  Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
  I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
  Marco

  Hi Marco,
  i guess you've missed a mapping configuration in the Access Policy Section.
  Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
  You'll see the new service click Identity.
  Select the identity source you've created then save.
  Click on authorization
  Select a default authorization rule permit access and save.
  Create a Service Access Rule name it 802.1x
  Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
  then you can try again.
  regards
  alex

• 802.1x and Windows Domain Controller with ACS

  Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explane to me how to set up the domain controller (Active directry) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And How do I set up my domain controller to work with ACS to authenticate users. I have been beating my self to death to figure this out. Any help would be ausome. I am really stuck on trying to make this work.
  Thanks a ton in advance
  Justin

  I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
  By simply posting links is not very helpful. The reason most of us come to this site and post our questions, is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, intead of referring us to a link.
  Thank you,
  John...

• Tacacs+ problem with ACS 5.2

  I am new with ACS server 5.2 can someone please help me before I bang my head on the wall. I have configured the ACS server 5.2 but still cannot authenticate users. The router can ping the ACS server. With debugging I got the following error message:
  Switch#
  6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
  6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
  6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
  6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
  6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
  6d07h: TAC+: send AUTHEN/START packet ver=192 id=3004581909
  6d07h: TAC+: Using default tacacs server-group "tacacs+" list.
  6d07h: TAC+: Opening TCP/IP to 110.7.111.8/49 timeout=5
  6d07h: TAC+: TCP/IP open to 110.7.111.8/49 failed -- Connection timed out; remote host not responding
  6d07h: TAC+: Opening TCP/IP to 110.7.111.7/49 timeout=5
  6d07h: TAC+: TCP/IP open to 110.7.111.7/49 failed -- Connection timed out; remote host not responding
  Your kind help will be highly appreciated.

  Did you add the switch as AAA client in ACS box? Make sure you use the correct switch IP when adding it in ACS.
  YOu can go to "monitoring and Report" on ACS to check the log to see what happened.

• AAA authenticate to ACS Server

  I am trying to get my cisco switches to authenticate to our ACS server through TACAS but I am running into a problem when I try to put in the secret key.
  Below is an output
  aaa new-model
  aaa group server tacacs+ VTY
  server 10.1.10.99
  server-private 10.1.10.99 key BrAqaq4h
  ip tacacs source-interface Vlan99
  aaa authentication login VTY group VTY local
  aaa authorization exec VTY group tacacs+ if-authenticated
  aaa accounting commands 1 default start-stop group VTY
  aaa accounting commands 15 default start-stop group VTY
  aaa session-id common
  Whenever I try to make the server-private key 7 BrAqaq4h I get the error
  server-private 10.1.10.99 key 7 BrAqaq4h
  %Invalid encrypted key: BrAqaq4h
  I don't know if this is the reason I cannot authenticate with AD but on the server ACS that is the key it has under every other device that is working.
  aaa new-model
  aaa group server tacacs+ VTY
  server 10.1.10.99
  server-private 10.1.10.99 key 7 0529142E304D5F5D11
  ip tacacs source-interface Vlan99
  aaa authentication login VTY group VTY local
  aaa authorization exec VTY group tacacs+ if-authenticated
  aaa accounting commands 1 default start-stop group VTY
  aaa accounting commands 15 default start-stop group VTY
  aaa session-id common
  The last output is a device where I can authenticate correctly.  Does anyone have any ideas as to why this doesn't work?  The vty settings on both devices are the same.
  line vty 0 4
  privilege level 15
  logging synchronous
  login authentication VTY
  transport input all

  Hi Jeff,
  If you use the command, "server-private key 7 " command, then the string that is entered is considered to be encrypted text. If no number or 0 is entered, the string that is entered is considered to be plain text.
  So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0 " or "server-private key ".
  If after entering the shared secret in plain text (using the 0 or no number) and if you are facing issue in authentication, then check the failed attempts logs in the tacacs+ server which should give you the hint of the issue.

• Juniper SSG TACACS+ Integration with ACS 5

  Hi,
  I'm working on TACACS+ integration on Juniper SSG firewall with ACS 5, but failed login on the SSG. After checked the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
  Please advice,
  Cheers,
  Ryan

  I was able to config SSG authenticate using RADIUS.  In order to work with RADIUS, I have to create RADIUS dictionary using netscreen dictionary found @ Juniper.  Attach the dictionary.
  I'm not sure how to import, but I create the dictionary manually.

• Windows Server 2008 R2: Server unable to authenticate with Domain Controller

  Hello, I was wondering what could be the reason for this error if it is certain that there was no other computer on the network using the same name:
  This computer could not authenticate with<Domain-controller>, a Windows domain controller for domain <Domain-name>, and therefore this computer might deny logon requests. This
  inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. 
  What would cause the machine account pw to be 'not recognized'?

  You can track changes in AD by enabling AD Auditing: https://technet.microsoft.com/en-us/library/cc731764%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  As reading the logs is usually a complicated and time consuming task, it is recommended to use a third party tool for auditing. The one I usually recommend is Lepide Auditor - Active Directory: http://www.lepide.com/lepideauditor/active-directory.html
  This posting is provided AS IS with no warranties or guarantees , and confers no rights.
  Ahmed MALEK
  My Website Link
  My Linkedin Profile
  My MVP Profile

• URL is not change after successful authenticate with ISE 1.1.1

  Hi,
  I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)
  Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.
  But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like https://ise-ip:8443/guestportal/redir.html . Anyway the content in the browser is changed to the URL that being configured such as http://www.google.com/
  How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
  Thanks,
  Pongsatorn

  Hi,
  This is the user experience when using central web authentication:
  http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080ba6514.shtml#final
  Here is the process when you use local web authentication:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_guest_pol.html#wp1295223
  Hope this helps,
  Tarik Admani
  *Please rate helpful posts*