HTTP authentication via ACS TACACS+.

Hi.
I configure a router for tacacs+ access and the console and CLI work fine.
HTTP access continually prompts for password and I can never gain access via web.
I have tried the various cli combinations of IP HTTP AUTHENTICATION, but still does not seem to work with tacacs+.
Debug authentication and authorization are ok (PASS)!
Any suggestions??
Thanks.
Andrea.

Hi Andrea,
Make sure that you have privilege level 15 for your account, as telnet can work without it, but for http it's a must.
You can configure it for the Group under which you have your user account, or on a per-user basis too.
Select group > Edit Settings > TACACS+ section
Check "Shell" and "Privilege level" and in the box in front of privilege level, put number "15".
Also if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
Let me know if it helps :)
I suppose you have the "ip http authentication aaa" command configured.

Similar Messages

  • AP Authentication via ACS.

    Hi All,
    Just a basic question regarding MAC based authentication of an AP with ACS.
    The scenario is - If I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS, so that whenever we plug a new AP into the network, it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
    My question is - What will happen if the AP is connected in local mode at a remote location and the WLC, ACS & DHCP are in the Datacenter? The traffic coming from the remote location will pass through the remote-site router, and during that pass it will remove the source MAC address of the AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case?
    When working in a LAN I know it's possible, but how will it work over the WAN?
    Pls. suggest ASAP.
    Thanks in Advance.
    Regards
    Harish

    Harish:
    As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
    The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
    The CAPWAP RFC mentions that you can do AP authorization in two ways:
    - with certificates
    - with PSK.
    The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
    2.4.4.4. PSK Usage

    When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST contain the "PSK identity hint" field and the ClientKeyExchange message MUST contain the "PSK identity" field. These fields are used to help the WTP select the appropriate PSK for use with the AC, and then indicate to the AC which key is being used. When PSKs are provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for the key MUST be specified.

    The PSK Hint SHOULD uniquely identify the AC and the PSK Identity SHOULD uniquely identify the WTP. It is RECOMMENDED that these hints and identities be the ASCII HEX-formatted MAC addresses of the respective devices, since each pairwise combination of WTP and AC SHOULD have a unique PSK. The PSK Hint and Identity SHOULD be sufficient to perform authorization, as simply having knowledge of a PSK does not necessarily imply authorization.

    If a single PSK is being used for multiple devices on a CAPWAP network, which is NOT RECOMMENDED, the PSK Hint and Identity can no longer be a MAC address, so appropriate hints and identities SHOULD be selected to identify the group of devices to which the PSK is provisioned.
    You may spend more time reading the CAPWAP RFC if you are interested.
    CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
    Hope this answers your concern.
    Amjad

  • 3rd party authentication before ACS (TACACS+) auth

    Dear experts,
    I've been struggling to find out information on 3rd party authentication integration to the ACS. I know that ACS can use external databases, but this is not what I'm looking for.
    I have someone, who wishes to use ACS for user authentication and at the same time develop real single sign-on to their corporate infrastructure. I have the product that can deliver this Single Sign-On, but thus far I've been able to reduce Sign-Ons to two (ACS and then Single Sign-On).
    What I would like to know is whether I can implement a third party authentication _before_ ACS authentication. In this scenario the 3rd party authentication server would be the first point of contact. After successfully receiving the user credentials from the user, the authentication server would forward this information to ACS. So is there any kind of description / API documentation on how to implement this? If this is possible, my customer could get real single sign-on to a multitude of Intranet services and continue utilizing the ACS investment.

    Here is a document on Monitoring and Reporting Tool Integration into Network Admission Control.
    http://www.cisco.com/en/US/netsol/ns466/networking_solutions_white_paper0900aecd801dee49.shtml

  • HTTP authentication via reverse proxy

    Hi,
    I've taken a dig around the interface for the 4.0.4 web proxy and in the documentation but haven't come up with much so far.
    What I want to do is configure a reverse proxy so that it feeds the HTTP authentication credentials into the server when we reverse from the proxy to it.
    i.e.
    user --> revproxy --> (http_details) --> webserver
    The user won't enter these; they'll somehow, if possible, be configured into the reverse proxy so it knows what HTTP realm string to match to a target host and feeds the credentials into it.
    Is this possible?

    Since it is just a matter of adding an Authorization header, it is possible.
    Look around for other discussions on adding headers.

  • Digest http authentication via CalDAV with non-ASCII login

    When I create a new CalDAV calendar with a login that contains non-ASCII characters, the iCal calendar doesn't send an Authorization header in the request package.
    When I use an ASCII login, the HTTP request contains a header like:
    Authorization: Digest username="Art", realm="TeamWox", nonce="DFEBA3CD93184f389CAAAE84F1E0177D", uri="/caldav", response="511573b614eff34270e7b99b4b8a7b9b", cnonce="1b3aae2d7cd48bfa8aceadc62ff56006", nc=00000001, qop="auth"\r\n
    If I add non-ASCII characters I don't receive it.
    Can You explain this, please?

    Digest authentication sends information in UTF-8.
    When I analyze packages with Wireshark I see that, for example, Windows WebDAV sends this text in UTF-8 encoding, and all characters were sent correctly regardless of language.
    iCal just doesn't send the Authorization header if characters are not in ASCII (0-127).

  • LMS Authentication with ACS 5.1

    Hi, I am using LMS authentication via ACS. I am able to login to LMS successfully with the ACS user name and password, but I cannot execute most of the tasks; it says you are not authorised. Do I need to do anything in LMS except enabling the login module to TACACS...
    Let me know if I missed something.
    Thanks
    Ninja

    Integration with ACS 5.1 is not yet supported.  You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration.  Disable AAA mode, and set the login module to be TACACS+.  Point that to your 5.1 server, and you should be able to login, and run tasks in LMS.  However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

  • ANM device importing and config sync - user name authenticatiing via ACS

    Good day,
    We have the following issue:
    Switches and ACE modules imported into ANM 3.2. Additional modules added and tried to import. Failed. Tried to sync and received the following message for the Admin context:
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    All other contexts also fail to sync.
    Thought this may be due to the fact that the user Id used for import is an AD account, this authenticates via ACS to AD, and it has expired and changed since the original import. Deleted the chassis and re-imported with the same user Id and new password, and all works fine.
    Have checked the links below; however, I don't believe these will resolve the issue:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1094120
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1393377
    I believe this is occurring due to the fact that we are authenticating via ACS to AD for all devices (switches and ACE modules) as well as ANM.
    So is the only solution here to create a static user account in ACS and add it to the relevant NDGs for switches and ACE modules?
    Also would we have to have the password never expire as I don't see a way to change/configure this password within ANM apart from when the devices are initially imported?
    Any input would be greatly appreciated.
    Thanking you in advance.
    Paul

    Dears
    Kindly your help: when I'm trying to import an ACE Module I get the following message.
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    Does anybody have a resolution for this error?
    BR

  • Select AVC profile on WLC based via ACS

    Hi there
    I just saw the AVC feature in WLC version 7.4.100.0 and wonder if there is a possibility to select an AVC profile per user, based on its RADIUS authentication via ACS.
    For example:
    - A user in group teacher can access youtube on SSID A
    - A user in group student cannot access youtube on SSID A
    Thanks a lot in advance and best regards
    Dominic

    Well I don't know if this will come in the future for ACS or ISE, but in order for this to work also in other radius servers, it would have to be a new radius standard attribute others have to implement and also the WLC would have to be able to see that attribute. So if its anytime soon, well.... Maybe not:)
    Sent from Cisco Technical Support iPhone App

  • ASA enable authentication for AD user by ACS TACACS fails

    In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
    It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
    So, how to setup enable authorization for AD user?
    Or is there a way to drop a user directly into level 15 on ASA just like it on router?
    Below is the debug info. (I'm sure the password is the one I set in ACS.)
    LABASA1(config)# AAA API: In aaa_open
    AAA session opened: handle = 884
    AAA API: In aaa_process_async
    aaa_process_async: sending AAA_MSG_PROCESS
    AAA task: aaa_process_msg(d45bd5c8) received message type 0
    AAA FSM: In AAA_StartAAATransaction
    AAA FSM: In AAA_InitTransaction
    Initiating authentication to primary server (Svr Grp: TACACS)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server: 192.168.1.221
    AAA FSM: In AAA_SendMsg
    User: fostco\user1
    Resp:
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 884, pAcb = d5b193e0
    aaa_backend_callback: Error:
    Incorrect password.
    AAA task: aaa_process_msg(d45bd5c8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
    AAA API: In aaa_close
    AAA task: aaa_process_msg(d45bd5c8) received message type 3
    In aaai_close_session (884)

    I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
    I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

  • NCS TACACS accounting via ACS

    If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made?  I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within NCS gui like I can on a WLC.  I know that NCS has an internal audit trail but if a users account is both a local account on NCS as well as an account being authenticated through ACS does the Audit trail on NCS for that local user still contain the information about changes the user made?  I ask because it looks like it does but I want to make sure I'm not going mad.  Here is my example:
    Local account username:  NCS_Admin2
    AD account via TACACS username:  NCS_Admin2
    Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
    I know that is probably as clear as mud.
    Thanks.
    Todd

    User is authenticated with TACACS
    NCS_Admin2
    NCS.customerdomain.local
    2013-Mar-05, 10:18:30 EST
    2013-Mar-05, 11:22:36 EST
    TACACS+
    Admin 

  • Ip http authentication aaa login-authentication doesn't work

    I have "ip tacacs source-interface Vlan1" in my config because without it enabled I can't ssh in with tacacs. However, with that line in the config, I can't access via https unless I have the line "ip http authentication local".

    For http access, the user should have privilege level 15. This is how you enable it on ACS.
    Bring users/groups in at level 15
    1. Go to user or group setup in ACS
    2. Drop down to "TACACS+ Settings"
    3. Place a check in "Shell (Exec)"
    4. Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts
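A matching IOS-side configuration, added here as an example (it is not from any poster in this thread or the first one), tying the privilege-15 advice in this reply and in the first thread's answer to the router commands; the server address, shared key, method-list names and local account are placeholders:

```cisco
! Added example configuration (not from the forum posters).
! Placeholders: 192.0.2.10, EXAMPLE_KEY, HTTP-LOGIN, HTTP-EXEC, admin.
aaa new-model
!
! Legacy-style server definition; newer IOS releases use "tacacs server <name>" blocks.
tacacs-server host 192.0.2.10 key EXAMPLE_KEY
! Needed when TACACS+ packets must leave from a specific interface, as in the
! post above: ACS identifies the AAA client by the source address it sees.
ip tacacs source-interface Vlan1
!
! Login authentication answers "who are you".
aaa authentication login HTTP-LOGIN group tacacs+ local
! Exec authorization answers "what privilege level do you get". The ACS shell
! profile must return priv-lvl=15 ("Shell (Exec)" + "Privilege level" 15 in
! ACS 4.x); with a lower level the web server keeps re-prompting even though
! the authentication debug shows PASS.
aaa authorization exec HTTP-EXEC group tacacs+ local
!
! Bind both method lists to the embedded web server and serve HTTPS only.
no ip http server
ip http secure-server
ip http authentication aaa login-authentication HTTP-LOGIN
ip http authentication aaa exec-authorization HTTP-EXEC
!
! Level-15 local fallback so web access survives a TACACS+ outage.
username admin privilege 15 secret EXAMPLE_LOCAL_SECRET
```

With "debug aaa authorization" enabled, a working login shows the exec authorization returning priv-lvl=15; if authentication passes but authorization returns a lower level, the ACS shell profile is what to fix.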

  • EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

    Hello all,
    I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
    His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
    We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
    The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
    When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
    All of this appears to be successful the first time.
    If we disassociate the machine, the problems start. The accounting STOP message is never sent.
    Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
    Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
    My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
    IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
    Thanks
    Gustavo

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush

  • Authenticate windows users via ACS

    Hi,
    Expert insight required for Cisco ACS: Is it possible to authenticate Windows users via ACS & apply ACL policies over network devices?
    I would appreciate valued inputs.
    Regards,

    Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
    Seems you are looking for DACL. Here is a document that can help you to understand the same
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
    Let me know if you need any further help.
    Jatin Katyal
    - Do rate helpful posts -

  • Video behind http authentication does not play in Safari on iOS8.

    Videos (quicktime and probably others) that are sitting behind http authenticated sites do not play properly in IOS8. This is true even with the new 8.0.2. When clicking on the mov file, Safari starts the integrated player (the player with the play button), but nothing plays and you can't press the play button.
    Since I have access to the Apache web server that serves up the video, I can see what's happening on the backend. I see that Safari or the iOS video player Safari starts up fails to pass the authentication credentials to the server. I see a bunch of http 401 error messages (failed authentication) in the logs. When moving the same video to a not authenticated site, iOS8 does the right thing.
    iOS7 (and before) and Safari on OSX does the right thing on authenticated sites. It authenticates properly with the server and plays the video.
    Chrome on iOS8 doesn't work either. Safari and Chrome use different versions of webkit, so I'm assuming it's the video player that the browsers call on that's not passing the authentication off to the web server when making the http request.
    Anyone else run into this problem or have a workaround? I reported this as a bug, but Apple hasn't acknowledged it yet.

    I also have the same exact problem, only your explanation appears more technical and understandable. This problem appears more severe on YouTube.com videos and alike; however, it is also severely choppy and problematic on other sites. Surprisingly, live broadcast videos work better than non-live videos; however, this is not something I'd like when my data isn't throttled yet. I cross-tested it to see if there are any issues on my iPhone 4S (iOS 6, last version) and Galaxy S4 (Android Kit Kat, last version on S4) and there are no issues on those devices, so it is an iOS 8 (+0.1/0.2) and iOS 8.1 problem and I am 100% confident about it.
    I do think it is the video player's problem with websites and web streaming. There are no problems playing music videos from my device's storage. I didn't get that many error messages, but it just doesn't play properly on Safari and Chrome, like what you are experiencing too. I may go ahead and report it too because it has gotten to a point where it is annoying to watch videos. It is not just an over-4G (+ or - LTE) only issue; it is also via Wifi, even if that is a tad better. I can't tolerate playing a video 15 seconds in, having to wait 15 more seconds for it to play, it plays to 0:35, then I have to wait 15 more seconds. Even a 240p video does it, so it is clearly not a tolerable bug. I don't have a workaround so far (tried everything from reset to wiping the phone and reinstalling all the apps).
    My device is an iPhone 6+ with iOS 8.1 (yes, it is not just exclusive to the iPhone 5S. I assume it also affects the iPhone 6 based on technical specifications).
