Import Steel Belted Radius users to ACS

Is there a method to import SBR (local) users into ACS?  Perhaps via some intermediate tool?  The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?

Hi Tarik
That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools.  So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?
The passwords are stored directly in the SBR server.  I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course.  However, the issue is that the passwords are not exported in plain text.  If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file.  If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form. 

Similar Messages

  • Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS

    I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
    Here is the code from the Nexus:
    radius-server host [server]  key [key]
    radius-server host [server]  key [key]
    ip radius source-interface mgmt0
    aaa group server radius GEN_AAA
        server [server]
        server [server]
        use-vrf management
        source-interface mgmt0
    aaa authentication login default group GEN_AAA
    aaa authentication login console group GEN_AAA
    aaa accounting default group GEN_AAA
    aaa authentication login error-enable
    On the Steel Belted RADIUS server the client is setup as a basic IOS 11.1 or later (Nexus is not an option).  The group setup for the relevant user group has a return code of:
    shell:roles*"network-admin"
    shell:priv-lvl=15
    When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine.  Only those users in the 'special' group have admin (lvl 15) access.
    With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
    In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear.  Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
    Is there any way to pull this off with SBR?
    Any help is much appreciated.

    Hello Nusrat,
    I appreciate the pointer.  If I was using TACACS for AAA, authorization sets would be a consideration.  However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
    In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper.  For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required.  Placing the desired group of users in the network-admin group is functioning as desired.
    NOTE:
    In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
    no aaa user default-role
    If no role is provided from the RADIUS server via the Cisco-AVPAIR VSA (ex. Cisco-AVPAIR = shell:roles*network-admin) by default a Nexus box places the user in the network-operator role.  This role has complete read access on the system allowing, among other things, a read view of the configuration.  The above command stops any role mapping resulting in non-configured users / groups on the RADIUS box not being able to log in period.

  • Cisco wlc and steel belted radius

    we have cisco wlc controller  that have  two ssid  one for user and one for guest
    we need the  user in ssid 1 take user name and password from  user group in active directory through steel belted radiu
    please send to me any integrated guide between cisco wlc and steel belted radius
    regards

    Hi                                                      Mohammad,
    I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Aironet 350 AP's with Funk's Steel Belted Radius Server

    I have heard that the Aironet AP's don't play nice with Funk's Steel Belted Radius Server. Has anyone had an experience with these products or anything you have heard about this problem would be good to know. I have a customer that already has Funk's Software and doesn't want to change if he doesn't have to. Thanks David Beaver

    I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.

  • Adding RADIUS VSAs on ACS 3.2 SE

    I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
    Using RDBMS synchronization to import the csv file below.
    SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
    1,1,External,163,26,access=look,2334,1
    The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
    From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
    To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
    •V2 = IETF vendor ID (which in this case is 2334)
    •V3 = VSA attribute ID (1)
    •V1 = In this case 'access=look'
    After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
    From the FTP server I can confirm that the file was transferred.
    What I should get is an INFO message similar to:
    08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
    Any ideas as to what is wrong would be much appreciated.
    Cheers,
    Aylmer.

    HI you need to import the RADIUS VSA for PAcketeer from their site.
    The link to the steps as shown below is ( might require u to subscribe & login)
    https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
    IN any case the same content is copied below:-
    Also the stpes on how to do them is listed here
    Create a User Defined Vendor
    First, you need to create a User Defined Vendor.
    1. Create a text file (packet.ini) and enter the following:
    [User Defined Vendor]
    Name=Packeteer
    IETF Code=2334
    VSA 1=Packeteer-AVPair
    [Packeteer-AVPair]
    Type=STRING
    Profile=OUT
    2. Name the file packet.ini.
    Add the Vendor to the Database
    Next, you need to add the above vendor to the database.
    1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
    2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - Unassigned
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    3. Run csutil -addudv to and add Packeteer to UDV (User Defined Vendor) slot 0 or the next
    open slot.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    Adding or removing vendors requires ACS services to be re-started.
    Please make sure regedit is not running as it can prevent registry
    backup/restore operations
    Are you sure you want to proceed? (y/n)y
    Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
    Stopping any running services
    Creating backup of current config
    Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
    Adding VSA [Packeteer-AVPair]
    Done
    Checking new configuration...
    New configuration OK
    Re-starting stopped services
    Verify that Packeteer was added.
    C:\Program Files\CiscoSecure ACS v3.0\Utils>
    C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
    CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
    UDV 0 - RADIUS (Packeteer)
    UDV 1 - Unassigned
    UDV 2 - Unassigned
    UDV 3 - Unassigned
    UDV 4 - Unassigned
    UDV 5 - Unassigned
    UDV 6 - Unassigned
    UDV 7 - Unassigned
    UDV 8 - Unassigned
    UDV 9 - Unassigned
    4. Return to ACS Admin and select Network Configuration.
    From the main screen select Network Configurtion and add the PacketShaper by supplying the AAA client Hostname, IP address: , Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
    5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
    of the form. Be sure the Packeteer-AVPair box is selected and supply either
    "access=touch" or "access=look" in the available entry space.

  • Failed to authenticate user to ACS 5.1 with LDAP as external identity storage

    Hi ,  I have an ACS and Open-LDAP server running on my company network.
    Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
    first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
    then, I'm moving on external entity (LDAP Server). I've set up the LDAP configuration and identity sequence, also select it on access service.  but when I tried to authenticate from my computer, an error was occurred. I received : 
    the following error 22056 Subject not found in the applicable identity store (s)
    Wonder 'bout this thing, I set up a cisco 1841 router to become AAA client. and surprisingly... it works !!!
    so, is there any problem to authenticate from windows platform to ACS (pointing to LDAP) ?  
    any suggestion ?
    thanks

      This is the log when using windows 7 as authentication client (Failed) :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    11507  Extracted  EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12301  Extracted EAP-Response/NAK requesting to use  PEAP instead
    12300  Prepared EAP-Request proposing PEAP with  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12302  Extracted EAP-Response containing PEAP  challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version  0
    12800  Extracted first TLS record; TLS handshake  started.
    12805  Extracted TLS ClientHello  message.
    12806  Prepared TLS ServerHello  message.
    12807  Prepared TLS Certificate  message.
    12810  Prepared TLS ServerDone  message.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12318  Successfully negotiated PEAP version  0
    12812  Extracted TLS ClientKeyExchange  message.
    12804  Extracted TLS Finished  message.
    12801  Prepared TLS ChangeCipherSpec  message.
    12802  Prepared TLS Finished  message.
    12816  TLS handshake succeeded.
    12310  PEAP full handshake finished  successfully
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12313  PEAP inner method started
    11521  Prepared EAP-Request/Identity for inner EAP  method
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11522  Extracted EAP-Response/Identity for inner  EAP method
    11806  Prepared EAP-Request for inner method  proposing EAP-MSCHAP with challenge
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    11808  Extracted EAP-Response containing EAP-MSCHAP  challenge-response for inner method and accepting EAP-MSCHAP as  negotiated
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -
    22043  Current Identity Store does not support the  authentication method; Skipping it.
    24210  Looking up User in Internal Users IDStore -  xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    22056  Subject not found in the applicable identity  store(s).
    22058  The advanced option that is configured for  an unknown user is used.
    22061  The 'Reject' advanced option is configured  in case of a failed authentication request.
    11815  Inner EAP-MSCHAP authentication  failed
    11520  Prepared EAP-Failure for inner EAP  method
    22028  Authentication failed and the advanced  options are ignored.
    12305  Prepared EAP-Request with another PEAP  challenge
    11006  Returned RADIUS  Access-Challenge
    11001  Received RADIUS  Access-Request
    11018  RADIUS is re-using an existing  session
    12304  Extracted EAP-Response containing PEAP  challenge-response
    12307  PEAP authentication failed
    11504  Prepared EAP-Failure
    11003  Returned RADIUS Access-Reject
    This is the log when using 1841 router as authentication client (succeded)  :
    Steps
    11001  Received RADIUS  Access-Request
    11017  RADIUS created a new session
    11049  Settings of RADIUS default network will be  used
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Default Network  Access
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store -  LDAPyyyy
    24031  Sending request to primary LDAP  server
    24015  Authenticating user against LDAP  Server
    24022  User authentication  succeeded
    22037  Authentication Passed
    22023  Proceed to attribute  retrieval
    22038  Skipping the next IDStore for attribute  retrieval because it is the one we authenticated against
    24210  Looking up User in Internal Users IDStore -   xxxxx
    24216  The user is not found in the internal users  identity store.
    22016  Identity sequence completed iterating the  IDStores
    Evaluating Group Mapping Policy
    Evaluating Exception Authorization  Policy
    15042  No rule was matched
    Evaluating Authorization Policy
    15006  Matched Default Rule
    15016  Selected Authorization Profile - Permit  Access
    11002  Returned RADIUS Access-Accept
    I realized that Windows is using PEAP-MSCHAPv2 while Router is using PAP-ASCII as it's protocol.
    so now, why PEAP-MSCHAPv2 can't authenticate to LDAP ?
    is there anything I can do to make it work ?

  • Authenticate windows users via ACS

    Hi,
    Expert insight required for Cisco ACS, Is it possible to authentication windows user via ACS & apply ACL policies over network devices.
    I would appreciate valued inputs.
    Regards,

    Yes, it's possible to authenticate windows users via ACS and push DACL via radius.
    Seems you are looking for DACL. Here is a document that can help you to understand the same
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
    Let me know if you need any further help.
    Jatin Katyal
    - Do rate helpful posts -

  • Set-up Radius Server to ACS 4.2 and AD server

    Hi Guys,
    I would like to ask help from you on how to set-up Radius server in ACS 4.2  (step-by-step guide or link), wireless client will be authenticated via Active Directory when connecting to our Wireless AP so it means that our Wireless AP is added as client to Radius server.
    Thanks in advance!
    regards,
    Gagamboy

    Hi Colin
    thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • Export and import change document for user master data

    Dear Gurus,
    I have two queries on change document for user master data:
    1. Are there any approaches to export and import change document for user master data?
    We often do system copy from PRD to QAS for UAT and troubleshooting. Before system copy we export the user master data from QAS and then import after the copy process. We would like to keep the change document for user master data on QAS from being refreshed from PRD for security reason.
    2. Change document for Role change in QAS
    When the role is created or modified in DEV and then transported to QAS, the role change document doen't include this change log. The role change document in QAS only records those role changes directly made in QAS.
    Could you advise this is by SAP design or are there any approaches to record this transported role change  in the role change document in QAS?
    Thanks
    YBY

    1. Perhaps you want to consider a system copy to a "virtual system" for UAT?
    2. Changes in QAS (as with PROD as well) will give you the delta. They should ideally be clean... You need to check the source system.
    Another option is to generate the profiles in the target system. But for that your config has to be sqeaky clean and in sync, including very well maintained and sync'ed Su24 data.
    Cheers,
    Julius

  • Using the Import utility from other users and going to a different schema

    I has a user today with rights
    Insert into XXXX.TABLE values(); Works just fine for another schema's table which has select,insert,update,delete.
    We tried to utiile the import utility from OTHER USERS
    Insert failed ORA-00942
    Do you want ot ignore all errors
    Even though we have rights to the schema under OTHER USERS.
    When connected as the owner it works fine.

    I've be trying to find a work-around to this issue & found this old post -- I'm having the same problem.
    I'm using Oracle 11g and SD 2.1.1.64.
    I have user A with a table that grants select,insert,update, and delete privs to user B. Logging into user B I, of course, can do inserts, deletes, etc. on the the table in user A's schema.
    When I use the import data feature to load data from a CSV file I can't get it to work while logged into user B. It does work fine if logged into user A. It looks like the issue may be that it doesn't put the schema prefix of "A." on the insert statements.
    Has anyone found a way to get around this issue yet?

  • Is it possible to export and import the roles and users tables?

    Hi,
    is there any possibility to export and import the role and user definitions?
    We have a SAP MDM repository with a lot of roles and users and also with a lot of changes.
    And now I'm searching for a fast and efficient way of managing the roles and users.
    Thanks and Regards, Melanie

    Hi Melanie,
    There is no export/import functionality for roles and users.  The only way to manage these in an automated way would be to write a program that uses the Java or ABAP APIs.  Both APIs expose functionality to create, update and delete roles and users.
    Hope this helps,
    Richard

  • Import txt file into user dictionary

    How to import text file into user dictionary through javascript? I can manually import txt file into user dictionary thru "Edit=>Spelling=>User dictionary...". But I don't know how to do it using javascript. Please advise.

    Advice? See in some version of the object-model reference under userDictionary. There you'll find a method called addWord(), which looks promising.
    Peter

  • Repercussions of importing more than 50 users?

    Does anyone know what the repercussions are of importing more than 50 users in the workgroup mode?
    I have about 250 users to import so that they can use the iCal service, and upon importing my 51st, I was warned that the recommended maximum of imported users is 50.
    Thanks!

    Right, I'm not sure how many users it can import at a time, but I went one by one, all the way up to 200.
    After that, it simply would not add any more, as well as displaying a message that it can't write to the directory. I have confirmed with Apple support that 200 is the limit by design.

  • How to monitor Radius services on ACS 5.4

    Hi All,
    I want to monitor  Radius services of ACS 5.4,  In case of failure any radius service on ACS.
    ACS should send alert to Syslogs  or email notification
    Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
    Regards.

    Hi Narinder,
       I dont think so there is any particular way you can do that, Because ACS 5.x doesnt have any particluar Radius service.
    The services which are available and can be viewed through CLI and GUI are following:
    Database
    Management (ACS management subsystem)
    Ntpd
    Runtime (ACS runtime subsystem)
    View-alertmanager
    View-collector
    View-database
    View-jobmanager
    View-logprocessor
    htt    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
    Cheers 
    Minakshi

  • Add user in ACS with limited access

    Dear
    I have low experiance with cisco ACS
    So kindly i need help to add user to The ACS which has limited access to my network Switches ( As Show only not to change configuration )
    Also how to take backup for the ACS Database
    Thanks,

    Hi,
    Search about command authorization in the AAA section, you'll get ample information about it, i.e., on how to configure network devices so that you can allow certain users on ACS to have limited and certain user to have full access.
    About taking a backup, that is pretty simple.
    System Configuration > ACS Backup > Backup Now.
    And you have a latest backup from ACS.
    Regards,
    Prem

Maybe you are looking for