Implementing ACS - PEAP

I am trying to implement PEAP on my wireless network.
However, my Certificate Authority is installed together with my Domain Controller.
How do I go about implementing it?
In the document the CA is on the ACS server.
PS: What if I am using a third-party CA such as VeriSign for my server certificate?

Hi,
The CA does not have to be installed on the same machine as ACS.
You can get the certificate file from the CA and put it on the ACS machine (for ACS for Windows) or upload it using an FTP server for the ACS Appliance.
After that, all you need to do is enter the required file names on the ACS Certificate installation page.

Similar Messages

  • WLC + ACS + PEAP + Groups

    Hello.
    Can somebody tell me how I can configure a RADIUS client to attach to a fixed group?
    I have 5 clients, and each one must use only one group for access.
    Does somebody know whether I can do this, at least in theory, and if I can, do you maybe know a useful link?
    Thank you.

    It is a little tricky especially if you have users in AD in multiple groups.... Here is a link that will get you started.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml

  • Getting XP Clients to trust ACS Self sign Cert

    Hi,
    I'm implementing ACS 4.0 to provide PEAP security on a customer's WLAN. I'd like to use the self-signed certificate feature within ACS, because it's easy to use and I don't want to 'play' with the customer's servers to install a CA unless I really have to (deniability!!).
    My question is, how do I get the XP clients to trust the certificate installed on the ACS when the 'Authenticate Server' option is enabled on the PEAP client?
    Due to the range of client adapters on the network, the only common factor being that they all run XP SP2, I plan to use the 'Wireless Zero Configuration' option on those clients.
    I presume I have to tick the relevant CA box on the client's trust list, but how do I get the cert to appear in that trust list?
    Regards all,
    Dan

    Thanks for your reply,
    I need to validate the server certificate to strengthen against 'man in the middle' attacks. But I'm struggling to figure out how to trust the SSC from the ACS.
    There must be a way of adding that CA to the clients' Certificate Trust List?
    This network will be the subject of a pen test when it's finished and I need to make it as secure as possible.
    I know EAP-TLS is stronger, but certificates on all the clients are too cumbersome to manage (the customer's point of view).
    At least using this method (if implemented properly), the customer only has to maintain the server cert every year.
    Regards,
    Dan

  • PEAP - NT Domain Denial Of Service Attack

    I'm looking for some feedback on the following perceived issue.
    Assumptions:
    1) A PEAP implementation where PEAP authentication is configured to use a static NT user/pass combination as credentials.
    2) The ACS has an unknown user policy to check the NT Domain.
    3) Your NT Domain security policy locks accounts after 5 failed login attempts.
    Question:
    Given that PEAP does not enforce client-side verification, any XP SP1 client (perhaps the Cisco ACU, depending on configuration) can attempt a PEAP login. If a client maliciously attacks by entering wrong passwords, they could create a Denial of Service attack against the NT Domain (legitimate users will be locked out).
    Thoughts?

    PEAP does not provide credential caching. Any logins to Windows NT file systems will be separate and subsequent to PEAP login.
    PEAP supports silent session resume (upon RADIUS session timeout) when only the first phase of PEAP is executed. In the second phase, the previous authentication state is reused. Hence, users will not be required to re-authenticate until the PEAP session timeout expires. The duration time of the PEAP session timeout is configurable from Cisco Secure ACS graphical user interface (GUI).
    You can find more information in this URL:
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_qanda_item09186a008010018c
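    The lockout risk raised in the question above is easiest to manage if failed PEAP attempts are watched before the domain's fifth strike lands. The following is an added example, not code from the thread or from Cisco: it parses a constructed, simplified failed-attempts log (timestamp, result, user, caller MAC, EAP method; the column names and layout are assumptions, not the real ACS report format) and flags any user whose failures within a 30-minute observation window reach one short of the 5-attempt threshold, together with the MAC addresses the attempts came from. A successful authentication clears the user's counter, as a successful logon resets the domain's bad-password count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a simplified CSV shape (timestamp,result,user,caller MAC,EAP method).
# This is an assumed layout for the example, not the real ACS Failed Attempts report.
SAMPLE_LOG = """\
2024-01-15 08:00:01,FAIL,jdoe,00-11-22-33-44-55,PEAP
2024-01-15 08:00:05,FAIL,jdoe,00-11-22-33-44-55,PEAP
2024-01-15 08:00:09,FAIL,jdoe,00-11-22-33-44-55,PEAP
2024-01-15 08:00:12,FAIL,jdoe,00-11-22-33-44-55,PEAP
2024-01-15 08:00:20,PASS,asmith,aa-bb-cc-dd-ee-01,PEAP
2024-01-15 08:00:30,FAIL,bjones,aa-bb-cc-dd-ee-02,PEAP
2024-01-15 08:45:00,FAIL,bjones,aa-bb-cc-dd-ee-02,PEAP
2024-01-15 08:50:00,FAIL,csmith,aa-bb-cc-dd-ee-03,PEAP
2024-01-15 08:50:01,PASS,csmith,aa-bb-cc-dd-ee-03,PEAP
2024-01-15 08:50:02,FAIL,csmith,aa-bb-cc-dd-ee-03,PEAP
"""

LOCKOUT_THRESHOLD = 5                    # the domain policy described in the question
OBSERVATION_WINDOW = timedelta(minutes=30)  # assumed lockout observation window

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<result>PASS|FAIL),"
    r"(?P<user>[^,]+),(?P<mac>[^,]+),(?P<method>\w+)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def lockout_risks(log_text, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Return {user: (failures_in_window, [caller MACs])} for every user who is one failure
    away from (or already at) the lockout threshold inside the observation window.
    A PASS clears the user's counter; failures older than the window are dropped."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, mac) for recent failures
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["user"]]
        if rec["result"] == "PASS":
            q.clear()
            continue
        q.append((rec["ts"], rec["mac"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold - 1:
            alerts[rec["user"]] = (len(q), sorted({mac for _, mac in q}))
    return alerts


if __name__ == "__main__":
    for user, (count, macs) in lockout_risks(SAMPLE_LOG).items():
        print(f"{user}: {count} failures in window from {', '.join(macs)}")
```

    Run against the sample, only jdoe is reported (four failures inside the window from one MAC); bjones's two failures are 45 minutes apart and csmith's successful logon resets the count in between. Feeding the real ACS Failed Attempts export through this only requires adjusting the regular expression to its column layout.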

  • PEAP wireless authentication

    Has anyone successfully implemented a PEAP wireless solution? I have PEAP authentication working with a client using Cisco ACS 3.1 and authenticating with OTP (SecurID). Everything works great, except that when the user logs into Windows 2000 for the first time after booting up the PC, they are logging in with a cached account. This is due to the fact that the Cisco interface in which you enter your username and passcode does not appear until after logging into Windows. Is there a way to authenticate the wireless network connection before logging into the Windows domain?

    I am also having the same issue with PEAP not authenticating prior to domain authentication. LEAP works correctly, but I am told I need the added security of the SSL tunnel (the EAP-TLS part of PEAP). If PEAP authentication cannot occur before domain authentication, is there a way to make it authenticate immediately afterwards? It seems the client sits associated to the AP and never tries to authenticate until traffic is passed. This presents a bad user experience.
    I am running an AP1100 with Aironet 350 PCMCIA cards, and Secure ACS as the authentication server.
    Thanks
    CS

  • ACS replication issue on VMware ESX 3.5

    I have just installed ACS 4.2 on two VMware hosts. I've configured database replication but it won't work. The error message is "shared secret mismatch". This error message occurs if a NAT device is in the path (which it isn't in this case) or if the tcp header is otherwise changed during transmission. I'm wondering if VMware is adding something to the TCP header. Has anyone come across this problem before or has anyone successfully implemented ACS replication when both hosts are on VMware?
    Thanks.

    Hi,
    I see that you are getting the "shared secret mismatch" error under the database replication logs. Just wanted to inform you that this is not because of a NATed device. This happens when we have different keys for the AAA servers on the primary and secondary ACS.
    The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's own key. The shared secret key should be the same on both ACSs.
    I am sending you a link for Setting Up Replication for Cisco Secure ACS; I am sure this example with screenshots gives you a better understanding.
    Please visit the suggested URL below:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml
    If that doesn't resolve the issue, please let me know if you see any server with the IP address 127.0.0.1.
    HTH
    JK
    -Plz rate helpful posts-

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and placed in VLAN 1, while a machine that is in AD2 will be authenticated to AD2 and placed in VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs, one from each AD.
    Can any expert please let me know if they think that this will be possible?
    Many thanks

    Yes, ACS can support multiple AD domains, but you will have to configure one as your AD domain and the other as an LDAP database, and this will work since you are planning to use EAP-TLS.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so that if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • Best Practice for ACS 5.2 Policy

    Hi All,
    I am wondering if there is some sort of best practice guideline to implement ACS? I mean, how we should group devices, or how the "if then" policy should be structured. Please help..
    Regards,

    Prima,
    The ACS is entirely flexible in the way you choose to implement it, and it is based on your network specifications. Some networks have site-specific administrators, in which case they will choose to implement their TACACS policies to permit access to devices in their regions, so they choose to assign a location to a network device.
    Some customers have restrictions on which administrators have access to which devices...so when you choose to group devices based on routers, switches, firewalls, or SAN devices you can choose to implement your policies as such.
    Moving to the user side, some customers have a tiered structure in access levels, contractors, network operators, admins and superadmins, so you can create policies and shell profiles to grant access to devices based on the user along with which group they are trying to access and finally what commands they are allowed to run.
    Based on your scenario above I assumed TACACS; you can choose to implement RADIUS in the same fashion, but more customers base this off of what access users are allowed to have...guests (internet only), management (VPN access with higher privs)....etc.
    Thanks,
    Tarik Admani

  • ACS support Kerberos User Database?

    Hi,
    I have a customer who currently has a Kerberos user database. I proposed to him that we implement ACS to enable 802.1x on the wireless clients. Can ACS support or integrate with a Kerberos user database? If yes, is there any user guide which lists out the steps for doing so?
    I searched through the Cisco website but failed to find any info related to the integration of ACS with a Kerberos user database.
    Thanks.
    Delon

    For network users who are authenticated by a Windows user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings and Windows EAP Settings tables on the Windows User Database Configuration page in the External User Databases section.

  • ACS with Tivoli Identity Manager

    Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: does the ACS server use ITIM as an external database for user auth? Or do both products need to back end into the same LDAP directory for user/pass info?

    Yes, we have. ITIM has developed an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with the Cisco ACS application through the available Cisco ACS API. Through the ITIM agent, TIM can create, delete and modify ACS user accounts. No, the Cisco ACS server cannot use the ITIM database as an external database for user auth.

  • How we can do SWAP VIP with multiple ACS configuration?

    Hi,
    We are using Azure ACS in our application. Also, we have used a customized ACS page as the login form. Now, whenever we deploy it to staging, the settings available in the customized ACS page work fine, but when we switch it to production, the web config and login page settings are not changing. How can we change it, or is there any other way to implement ACS?
    Thanks & Regards
    Sachin Jain

    After implementing the approach defined in
    http://www.cloudidentity.com/blog/2011/05/31/EDIT-AND-APPLY-NEW-WIF-S-CONFIG-SETTINGS-IN-YOUR-WINDOWS-AZURE-WEBROLE-WITHOUT-REDEPLOYING/, I was unable to modify the web config. Maybe I missed some part or Azure is not allowing it. So I modified it a little bit and it worked with the following steps:
    Step1) Here I am assuming that you have created a staging environment in the Azure portal and also configured it in Azure ACS. I have used the Azure ACS customized login page and ASP.NET MVC forms authentication. First we will modify our code to read the settings from the service configuration file, and we will add the staging GUID URL and the actual production URL into the web config, under the Audience URI section. Finally it will be uploaded to the Azure portal into the staging environment. In the Azure management portal, we will change the login URL settings from the configuration tab and then save it. Finally we will SWAP both environments. While browsing the application during the VIP swap you might get a cryptographic exception, which you also need to handle.
    Step2) Whenever you download the customized login page from ACS portal then you will find script tag as shown below:
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2f127.0.0.1%3a81%2f&amp;reply_to=http%3a%2f%2f127.0.0.1%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step3) Now replace the above code with the following code snippet and here we are trying to pick the login url from service configuration file:
    <script src="@ViewBag.LoginURL" type="text/javascript"></script>
    Step4) Now go to your controller and try to read the login url settings from service configuration file as shown below:
    ViewBag.LoginURL = RoleEnvironment.GetConfigurationSettingValue("LoginURL");
    Step5) Now open the service definition file and add setting for LoginUrl under configurationSettings tag as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" />
    </ConfigurationSettings>
    Step6) Open the Service configuration file and add the value for login url as shown below:
    <ConfigurationSettings>
    <Setting name="LoginUrl" value="https://xxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;reply_to=http%3a%2f%2fStaginGUID.cloudapp.net%3a81%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" />
    </ConfigurationSettings>
    Step7) You can get the Login Url value from the Azure ACS Integration tab, which provides the above URL. While copying the URL, replace & with "&amp;", otherwise you will get a build error.
    Step8) Now add the staging GUID URL and the actual production URL in the web config file under the <audienceUris> section as shown below:
    <audienceUris>
    <add value="http://Production.cloudapp.net/" />
    <add value="http://StagingGUID.cloudapp.net/" />
    </audienceUris>
    Step9) Publish the application to the staging environment and test it. After testing, go to the configuration tab in the Azure portal and change the login URL to the production URL. (Do not modify the URL and do not change & to &amp;)
    <script src="https://xxxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js?protocol=wsfederation&amp;realm=http%3a%2f%2fProduction.cloudapp.net%2f&amp;reply_to=http%3a%2f%2fProduction.cloudapp.net%2f&amp;context=&amp;request_id=&amp;version=1.0&amp;callback=ShowSigninPage" type="text/javascript"></script>
    Step10) Save the changes and swap the environments. Now if you get a cryptographic exception then you should handle it.
    • Either change the machine key and explicitly define it in the web config.
    • Or catch the exception and log the user out of the application (not out of Windows Live ID), so that the user is forced to work on the new version of the application, by using the following code in the Global.asax file:
    // Needs: using System.Security.Cryptography; and the WIF namespace that defines
    // FederatedAuthentication (Microsoft.IdentityModel.Web for WIF 3.5, System.IdentityModel.Services for WIF 4.5)
    protected void Application_Error(object sender, EventArgs e)
    {
        var error = Server.GetLastError();
        var cryptoEx = error as CryptographicException;
        if (cryptoEx != null)
        {
            // Sign out of the application only (the Windows Live ID session is untouched)
            // and clear the error so the user is redirected back through sign-in
            FederatedAuthentication.WSFederationAuthenticationModule.SignOut();
            Server.ClearError();
        }
    }
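    The steps above hinge on two values staying consistent across the swap: the realm and reply_to embedded in the LoginUrl setting, and the audienceUris list in the web config. A token whose audience is not in that list is rejected by the relying party, and a reply_to outside your own URLs means the sign-in response is posted somewhere you did not intend. The following is an added example, not code from the thread or from Azure ACS: it decodes a LoginUrl in the shape shown above (accepting the &amp;-escaped form stored in ServiceConfiguration, which is the Step7 pitfall), pulls out realm and reply_to, and checks each against the audienceUris values from Step8. The ACS namespace "xxxxxx" is the page's own placeholder; the comparison treats scheme, host and port as significant unless ignore_port is set, so the staging URL with its ":81" is flagged by the strict check.

```python
import html
from urllib.parse import urlsplit, parse_qs

# audienceUris values as configured in the web config in Step8 above.
AUDIENCE_URIS = [
    "http://Production.cloudapp.net/",
    "http://StagingGUID.cloudapp.net/",
]

# Constructed LoginUrl values in the shape the thread shows, kept in the "&amp;"-escaped
# form a ServiceConfiguration setting would hold. "xxxxxx" is a placeholder namespace.
LOGIN_URL_PRODUCTION = (
    "https://xxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js"
    "?protocol=wsfederation&amp;realm=http%3a%2f%2fProduction.cloudapp.net%2f"
    "&amp;reply_to=http%3a%2f%2fProduction.cloudapp.net%2f&amp;context=&amp;request_id="
    "&amp;version=1.0&amp;callback=ShowSigninPage"
)
LOGIN_URL_STAGING = (
    "https://xxxxxx.accesscontrol.windows.net:443/v2/metadata/IdentityProviders.js"
    "?protocol=wsfederation&amp;realm=http%3a%2f%2fStagingGUID.cloudapp.net%3a81%2f"
    "&amp;reply_to=http%3a%2f%2fStagingGUID.cloudapp.net%3a81%2f&amp;context=&amp;request_id="
    "&amp;version=1.0&amp;callback=ShowSigninPage"
)


def _normalize(uri, ignore_port=False):
    """Reduce a URI to (scheme, host, port, path): host lowercased, default port filled in."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = None if ignore_port else (parts.port or default)
    return (scheme, host, port, parts.path or "/")


def login_url_endpoints(login_url):
    """Return (realm, reply_to) decoded from an ACS IdentityProviders.js URL.
    html.unescape turns the "&amp;" separators back into "&"; parse_qs then
    percent-decodes the "http%3a%2f%2f..." values."""
    raw = html.unescape(login_url)
    query = parse_qs(urlsplit(raw).query)
    realm = query.get("realm", [""])[0]
    reply_to = query.get("reply_to", [""])[0]
    return realm, reply_to


def check_login_url(login_url, audiences=AUDIENCE_URIS, ignore_port=False):
    """Report whether the realm and reply_to in the login URL are accepted audiences."""
    realm, reply_to = login_url_endpoints(login_url)
    accepted = {_normalize(a, ignore_port) for a in audiences}
    return {
        "realm": realm,
        "reply_to": reply_to,
        "realm_ok": _normalize(realm, ignore_port) in accepted,
        "reply_to_ok": _normalize(reply_to, ignore_port) in accepted,
    }


if __name__ == "__main__":
    for name, url in (("production", LOGIN_URL_PRODUCTION), ("staging", LOGIN_URL_STAGING)):
        print(name, check_login_url(url))
        print(name, "ignoring port:", check_login_url(url, ignore_port=True))
```

    Running it before each swap gives a quick answer to "will the token this page requests be accepted by the deployment it is about to land on"; the production URL passes both checks, while the staging one passes only with ignore_port, which is worth knowing before relying on it.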

  • ACS, NAP And Advanced Filtering

    We have already implemented ACS Appliance 4.1 integrated with AD.
    But when configuring NAP we faced the following problem: we want to use Advanced Filtering in NAP and filter users by their membership in AD security groups.
    Is there any way to do it? If yes, please tell me what attribute can be used for this.
    Thank you,

    If the NAP is configured with
    1. A Network Access Filter with a specific network access filter (not any)
    2. Advanced Filtering rule that states "User-name contains host/"
    The NAP is not matched when machine authentication occurs.
    If the NAP is configured with
    1. A Network Access Filter with "any"
    2. Advanced Filtering rule that states "User-name contains host/"
    The NAP is matched when machine authentication occurs.
    After ACS installation, the "advanced filtering" lists include just IETF attributes.
    If you happen to use other vendors (known to ACS) like Ascend, then usually we need to:
    = define the AAA client with RADIUS (Ascend) as the dictionary
    = go to "Interface configuration" -> RADIUS (Ascend) and select the attributes which you are going to use in group profiles.
    The above steps are enough for these additional attributes to be added to the "advanced filtering" list as well. This is how it is supposed to work.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/ae.html

  • ACS Engine Failover Deployment

    Hello,
    I want reference guide for implementing ACS Engine Failover Deployment, I could not find any scenario for deploying Failover.
    Thanks

    This is due to this bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCso39795
    Regards,
    ~JG
    Do rate helpful posts

  • Best security settings for Outdoor P2P with 1300 Bridges

    Hello
    I would like to hear from you out there what the best security settings are for a P2P bridge outdoor link with two 1310 bridges (with/without external RADIUS).
    any input is very welcome
    Oliver

    From one standpoint, best security is achieved by powering the bridges off. You need to balance risk versus reward for any security decisions: How much security do you need, and how much work are you willing to put into it?
    WPA-PSK is a pretty good solution for non-Radius implementations. PEAP, or LEAP with long nonsense passwords, are pretty good solutions for sites with AAA services. Another option is point-to-point VPN terminating on routers adjacent to your bridges.
    Another option is not bothering with any security at all other than restricting your bridges from associating with anything besides each other. It just depends on what you need and how you want to get there.

  • Restrict Opportunity access from other Org Unit Sales agent

    Hello,
    My scenario is, there are different Organisation Units and Sales agents are assigned to those Org units. Now the issue is, a Sales agent from one Org unit is looking into the opportunities of another Org unit. As the sales agents have their own targets and competition, one should not see the Opportunities of another Org unit.
    How can we achieve this?
       a) Can we achieve this through PFCG roles, and if so, how?
       b) I heard about the concept of the Access Control Engine, which is useful in this kind of scenario, but again we need to implement ACS here, which I don't have any idea about.
    Please suggest to me the best method to achieve this. Also provide me a step-by-step procedure to achieve this.
    Thanks,
    MD.

    Hi, madhusudan444.
    Yes, you can achieve this by PFCG.  Authorization objects CRM_ORD_LP or CRM_ORD_OE will help you.
    For more information, please, follow to this link:
    http://help.sap.com/saphelp_crm70/helpdata/EN/48/a44236ceb873e8e10000000a42189b/frameset.htm
    I would not recommend using ACE for this issue, because ACE is ABAP. Your issue can be solved by the standard procedure.
