Import Steel Belted Radius users to ACS
Is there a method to import SBR (local) users into ACS? Perhaps via some intermediate tool? The SBR exports will contain one-way-hashed passwords, so the question is really whether there is any method to import ACS users with these?
Hi Tarik
That's very helpful, but one problem is that the authenticating devices are specialised hardware on which the users cannot change their passwords - it has to be done by local administration staff who have the necessary tools. So the question is whether there is any mechanism to use an exported file from Steel Belted Radius, including hashed passwords, which can be imported into ACS?
The passwords are stored directly in the SBR server. I've just had a look at what it's capable of exporting, and it seems I can get the data out in XML format, which I can then manipulate, of course. However, the issue is that the passwords are not exported in plain text. If the password is stored as a hash on the SBR server, you get an MD5 hash in the XML file. If it is stored in "plain text" in the SBR server then the XML export shows the password in encrypted form.
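An added example, not code from the thread above: given rows pulled out of an SBR export (the field names and the three records are constructed here, not the real SBR schema), this Python classifies whether a password field is a bare MD5 digest, shows that such a digest can be verified and dictionary-cracked but never reversed into a credential, and produces the per-user verdict an importer needs. It assumes an unsalted MD5 over the UTF-8 password; if SBR salts or iterates the hash, verify_md5 simply returns False for the true password and the "verify-only" verdict still holds. The cracking step is the reason the export file itself needs the same protection as the password database.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for user records taken from the SBR XML
# export; the field names are an assumption, not the real SBR schema.
SAMPLE_EXPORT = [
    {"user": "alice", "password": "5f4dcc3b5aa765d61d8327deb882cf99"},  # MD5 of "password"
    {"user": "bob",   "password": "VGhpcyBpcyBub3QgYSBoYXNo"},           # vendor-encrypted blob
    {"user": "carol", "password": "Summer2024!"},                         # stored in cleartext
]

_MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def classify_secret(value):
    """Label an exported password field: 'md5' for a bare 32-hex-digit digest,
    otherwise 'other' (cleartext or the vendor's reversible encryption, which
    cannot be told apart from the field alone)."""
    return "md5" if _MD5_HEX.match(value) else "other"


def _md5_hex(candidate):
    # MD5 is used here only to reproduce a legacy digest, not as a new design choice.
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def verify_md5(candidate, digest):
    """True if candidate is the password behind an unsalted MD5 digest.
    Constant-time comparison avoids leaking a prefix match through timing."""
    return hmac.compare_digest(_md5_hex(candidate), digest.lower())


def crack_md5(digest, wordlist):
    """Return the first wordlist entry that reproduces digest, or None. This is
    exactly what an attacker does with a leaked export: an unsalted MD5 is
    cheap to guess against offline."""
    for word in wordlist:
        if verify_md5(word, digest):
            return word
    return None


def migration_report(records):
    """Per user, state what an importer can do with the field. A one-way digest
    can only be verified, never turned back into a cleartext credential, so it
    cannot be loaded into a store that expects cleartext."""
    report = {}
    for rec in records:
        if classify_secret(rec["password"]) == "md5":
            report[rec["user"]] = "one-way MD5: verify-only, not importable as cleartext"
        else:
            report[rec["user"]] = "not a bare hash: decrypt on the SBR side or treat as cleartext"
    return report


if __name__ == "__main__":
    for user, verdict in migration_report(SAMPLE_EXPORT).items():
        print(f"{user}: {verdict}")
    print("alice recovered as:", crack_md5(SAMPLE_EXPORT[0]["password"], ["letmein", "password"]))
```

Run it as-is to see the report; swap in real export rows once the field names are confirmed against the actual XML.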
Similar Messages
-
Nexus 5K and 7K RADIUS Authorization with Steel Belted RADIUS
I am attempting to provide very basic authorization via Steel Belted RADIUS for a Nexus deployment.
Here is the code from the Nexus:
radius-server host [server] key [key]
radius-server host [server] key [key]
ip radius source-interface mgmt0
aaa group server radius GEN_AAA
server [server]
server [server]
use-vrf management
source-interface mgmt0
aaa authentication login default group GEN_AAA
aaa authentication login console group GEN_AAA
aaa accounting default group GEN_AAA
aaa authentication login error-enable
On the Steel Belted RADIUS server the client is set up as a basic IOS 11.1 or later (Nexus is not an option). The group setup for the relevant user group has a return code of:
shell:roles*"network-admin"
shell:priv-lvl=15
When I authenticate from a Catalyst 6509 with IOS 12.2 the authorization based on the shell:priv-lvl works fine. Only those users in the 'special' group have admin (lvl 15) access.
With the Nexus gear I authenticate fine but the RADIUS user is always put in the network-operator role (default) regardless of the 'special' group shell:roles*"network-admin" return code defined.
In other words it seems to work fine for IOS devices (Catalyst 6500 and 3750E so far) but not at all for Nexus gear. Unfortunately I am not in a position to suggest and implement ACS or another AAA server that supports TACACS.
Is there any way to pull this off with SBR?
Any help is much appreciated.
Hello Nusrat,
I appreciate the pointer. If I were using TACACS for AAA, authorization sets would be a consideration. However, authorization is not permitted when using RADIUS for AAA on the Nexus platform.
In any case I was able to resolve the issue with the assistance of the customer and their support contact at Juniper. For the VSA feature to begin working a change to the INI file and a restart of the SBR services was required. Placing the desired group of users in the network-admin group is functioning as desired.
NOTE:
In addition to the configuration in the original post the following should be added to stop any 'standard' users defined on the SBR server from logging in with network-operator privileges:
no aaa user default-role
If no role is provided from the RADIUS server via the Cisco-AVPair VSA (e.g. Cisco-AVPair = shell:roles*network-admin), by default a Nexus box places the user in the network-operator role. This role has complete read access on the system, allowing, among other things, a read view of the configuration. The above command stops any role mapping, resulting in non-configured users / groups on the RADIUS box not being able to log in, period.
-
Cisco wlc and steel belted radius
we have cisco wlc controller that have two ssid one for user and one for guest
we need the users in SSID 1 to take user name and password from a user group in Active Directory through Steel Belted RADIUS
please send to me any integrated guide between cisco wlc and steel belted radius
regards
Hi Mohammad,
I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew
-
Aironet 350 AP's with Funk's Steel Belted Radius Server
I have heard that the Aironet APs don't play nice with Funk's Steel Belted Radius Server. Has anyone had any experience with these products? Anything you have heard about this problem would be good to know. I have a customer that already has Funk's software and doesn't want to change if he doesn't have to. Thanks, David Beaver
I have used FUNK's beta code with LEAP support with no problems. The only issue we had and still do, is that we can't use the RADIUS server to authenticate against an LDAP server. I believe that they are working on that also.
-
Adding RADIUS VSAs on ACS 3.2 SE
I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
Using RDBMS synchronization to import the csv file below.
SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
1,1,External,163,26,access=look,2334,1
The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
V2 = IETF vendor ID (which in this case is 2334)
V3 = VSA attribute ID (1)
V1 = In this case 'access=look'
After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
From the FTP server I can confirm that the file was transferred.
What I should get is an INFO message similar to:
08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
Any ideas as to what is wrong would be much appreciated.
Cheers,
Aylmer.
Hi, you need to import the RADIUS VSA for Packeteer from their site.
The link to the steps is shown below (it might require you to subscribe & log in):
https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
In any case the same content, with the steps on how to do them, is copied below:
Create a User Defined Vendor
First, you need to create a User Defined Vendor.
1. Create a text file (packet.ini) and enter the following:
[User Defined Vendor]
Name=Packeteer
IETF Code=2334
VSA 1=Packeteer-AVPair
[Packeteer-AVPair]
Type=STRING
Profile=OUT
2. Name the file packet.ini.
Add the Vendor to the Database
Next, you need to add the above vendor to the database.
1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - Unassigned
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
3. Run csutil -addudv to add Packeteer to UDV (User Defined Vendor) slot 0 or the next open slot.
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
Adding or removing vendors requires ACS services to be re-started.
Please make sure regedit is not running as it can prevent registry
backup/restore operations
Are you sure you want to proceed? (y/n)y
Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
Stopping any running services
Creating backup of current config
Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
Adding VSA [Packeteer-AVPair]
Done
Checking new configuration...
New configuration OK
Re-starting stopped services
Verify that Packeteer was added.
C:\Program Files\CiscoSecure ACS v3.0\Utils>
C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
UDV 0 - RADIUS (Packeteer)
UDV 1 - Unassigned
UDV 2 - Unassigned
UDV 3 - Unassigned
UDV 4 - Unassigned
UDV 5 - Unassigned
UDV 6 - Unassigned
UDV 7 - Unassigned
UDV 8 - Unassigned
UDV 9 - Unassigned
4. Return to ACS Admin and select Network Configuration.
From the main screen select Network Configuration and add the PacketShaper by supplying the AAA client Hostname, IP address and Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the PacketShaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom of the form. Be sure the Packeteer-AVPair box is selected and supply either "access=touch" or "access=look" in the available entry space.
-
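An added example, not code from either thread: both the Nexus post (Cisco-AVPair, IETF vendor ID 9, shell:roles*"network-admin") and the Packeteer post (vendor ID 2334, VSA 1, access=look) rely on the same RADIUS Vendor-Specific attribute, type 26, whose layout RFC 2865 section 5.26 defines. This Python encodes and decodes that attribute, cross-checking every length field before trusting the string, splits a Cisco AV pair at its first "=" (mandatory) or "*" (optional) separator, and pulls the NX-OS role names out of an Access-Accept's attributes. The vendor IDs and attribute strings come from the posts; the function names are this example's own.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type, RFC 2865 section 5.26
VENDOR_CISCO = 9            # Cisco-AVPair is vendor-type 1 under this vendor ID
VENDOR_PACKETEER = 2334     # IETF vendor ID from the packet.ini in the thread above
AVPAIR_TYPE = 1


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute in the RFC 2865 layout:
    Type(26) Length Vendor-Id(4 bytes) | Vendor-Type Vendor-Length String."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if not value:
        raise ValueError("VSA string must be non-empty")
    vendor_len = 2 + len(value)        # vendor-type + vendor-length + string
    attr_len = 2 + 4 + vendor_len      # type + length + vendor-id + sub-attribute
    if attr_len > 255:                 # Length is a single byte
        raise ValueError("VSA string too long for one attribute (max 247 bytes)")
    return (struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, attr_len, vendor_id)
            + struct.pack("!BB", vendor_type, vendor_len)
            + value)


def decode_vsa(attr):
    """Inverse of encode_vsa. Every length field is cross-checked before the
    string is handed back, which a receiver must do before trusting it."""
    if len(attr) < 9:
        raise ValueError("VSA too short")
    atype, attr_len, vendor_id = struct.unpack("!BBI", attr[:6])
    if atype != ATTR_VENDOR_SPECIFIC or attr_len != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_type, vendor_len = struct.unpack("!BB", attr[6:8])
    if vendor_len != len(attr) - 6:
        raise ValueError("vendor-length disagrees with attribute length")
    return vendor_id, vendor_type, attr[8:]


def parse_avpair(text):
    """Split a Cisco AV pair at its first separator: '=' marks a mandatory
    attribute, '*' an optional one (the shell:roles*"network-admin" form above).
    Surrounding quotes on the value are dropped."""
    positions = [(text.index(sep), sep) for sep in ("=", "*") if sep in text]
    if not positions:
        raise ValueError("no '=' or '*' separator in AV pair")
    pos, sep = min(positions)
    return text[:pos], sep, text[pos + 1:].strip('"')


def roles_from_attrs(attrs):
    """Collect the NX-OS role names carried in Cisco-AVPair shell:roles values of
    an Access-Accept; attributes from other vendors or of other types are ignored."""
    roles = []
    for attr in attrs:
        vendor_id, vendor_type, raw = decode_vsa(attr)
        if vendor_id != VENDOR_CISCO or vendor_type != AVPAIR_TYPE:
            continue
        name, _, value = parse_avpair(raw.decode("utf-8"))
        if name == "shell:roles":
            roles.extend(value.split())   # several roles are space-separated
    return roles


if __name__ == "__main__":
    cisco = encode_vsa(VENDOR_CISCO, AVPAIR_TYPE, 'shell:roles*"network-admin"')
    packeteer = encode_vsa(VENDOR_PACKETEER, AVPAIR_TYPE, "access=look")
    print("Cisco-AVPair     :", cisco.hex())
    print("Packeteer-AVPair :", packeteer.hex())
    print("roles granted    :", roles_from_attrs([cisco, packeteer]))
```

The hex output is what to compare against a packet capture of the server's Access-Accept when a role or access level is not being applied: if the vendor ID, vendor-type or string differ from what the device expects, the NAS silently falls back to its default (network-operator on the Nexus above).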
Failed to authenticate user to ACS 5.1 with LDAP as external identity storage
Hi , I have an ACS and Open-LDAP server running on my company network.
Now, I 'm setting up a new linksys WAP-54G and choose WPA2-Enterprise option with ACS as the radius server.
first thing first, I created new internal user on ACS, and trying to join the wireless network from my computer. I made it....
then, I moved on to the external entity (LDAP server). I set up the LDAP configuration and identity sequence, and also selected it on the access service. But when I tried to authenticate from my computer, an error occurred. I received the following error:
22056 Subject not found in the applicable identity store(s)
Wondering about this, I set up a Cisco 1841 router to become the AAA client, and surprisingly... it works!!!
So, is there any problem authenticating from the Windows platform to ACS (pointing to LDAP)?
Any suggestions?
thanks
This is the log when using Windows 7 as the authentication client (failed):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11815 Inner EAP-MSCHAP authentication failed
11520 Prepared EAP-Failure for inner EAP method
22028 Authentication failed and the advanced options are ignored.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12307 PEAP authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
This is the log when using the 1841 router as the authentication client (succeeded):
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11049 Settings of RADIUS default network will be used
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - LDAPyyyy
24031 Sending request to primary LDAP server
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
22023 Proceed to attribute retrieval
22038 Skipping the next IDStore for attribute retrieval because it is the one we authenticated against
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
I realized that Windows is using PEAP-MSCHAPv2 while the router is using PAP-ASCII as its protocol.
So now, why can't PEAP-MSCHAPv2 authenticate to LDAP?
Is there anything I can do to make it work?
-
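An added example, not part of the thread above: a Python parser for the ACS 5.x step logs posted in it (the two excerpts embedded below are trimmed copies of those logs), which extracts the identity store the policy selected, the inner method, the final verdict, and flags step 22043. The hint it attaches states a property of the ACS LDAP identity store: it verifies a password by binding to the directory with it, so only a method that delivers the cleartext password (PAP/ASCII) can be checked against it, while MS-CHAPv2 requires the server to hold the NT hash or cleartext password and cannot be served by a bind. Function names and the result keys are this example's own.

```python
import re

# Trimmed copies of the two step logs posted above (constructed from that post).
FAILED_WINDOWS = """\
11001 Received RADIUS Access-Request
12300 Prepared EAP-Request proposing PEAP with challenge
12816 TLS handshake succeeded.
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15013 Selected Identity Store -
22043 Current Identity Store does not support the authentication method; Skipping it.
24210 Looking up User in Internal Users IDStore - xxxxx
24216 The user is not found in the internal users identity store.
22056 Subject not found in the applicable identity store(s).
11003 Returned RADIUS Access-Reject
"""

PASSED_ROUTER = """\
11001 Received RADIUS Access-Request
Evaluating Identity Policy
15013 Selected Identity Store - LDAPyyyy
24015 Authenticating user against LDAP Server
24022 User authentication succeeded
22037 Authentication Passed
11002 Returned RADIUS Access-Accept
"""

_STEP = re.compile(r"^\s*(\d{5})\s+(.*\S)\s*$")


def parse_steps(text):
    """Return (code, message) per line; policy banners without a five-digit
    code come back with code None so nothing is silently dropped."""
    steps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _STEP.match(line)
        steps.append((int(m.group(1)), m.group(2)) if m else (None, line.strip()))
    return steps


def diagnose(text):
    """Summarise one authentication: outcome, selected store, method, and a hint
    when the store was skipped because it cannot validate the method."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps if code is not None}
    result = {
        "outcome": "accept" if 11002 in codes else ("reject" if 11003 in codes else "unknown"),
        "selected_store": None,
        "inner_method": None,
        "store_skipped": 22043 in codes,
        "hint": None,
    }
    for code, msg in steps:
        if code == 15013:
            # "Selected Identity Store - LDAPyyyy"; an empty name means ACS logged
            # the selection without naming the store.
            parts = msg.split("-", 1)
            name = parts[1].strip() if len(parts) > 1 else ""
            result["selected_store"] = name or None
        elif code == 11808:
            result["inner_method"] = "EAP-MSCHAPv2"   # ACS labels it EAP-MSCHAP
        elif code == 24015 and result["inner_method"] is None:
            # A bind against LDAP (24015) is only reachable with the cleartext
            # password, i.e. a PAP/ASCII request.
            result["inner_method"] = "PAP/ASCII"
    if result["store_skipped"] and result["inner_method"] == "EAP-MSCHAPv2":
        result["hint"] = ("22043: the LDAP store checks a password by binding with it, so it can "
                          "serve PAP/ASCII only. MS-CHAPv2 needs the NT hash or cleartext password "
                          "on the server side, which a bind-only store cannot supply.")
    return result


if __name__ == "__main__":
    for label, log in (("Windows 7 / PEAP", FAILED_WINDOWS), ("1841 router / PAP", PASSED_ROUTER)):
        print(label, "->", diagnose(log))
```

Feed it the full "Steps" block copied from the ACS Monitoring & Reports view; the same 22043 line appears for any identity store that cannot validate the negotiated method, so the parser is not specific to LDAP.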
Authenticate windows users via ACS
Hi,
Expert insight required for Cisco ACS: is it possible to authenticate Windows users via ACS and apply ACL policies over network devices?
I would appreciate valued inputs.
Regards,
Yes, it's possible to authenticate Windows users via ACS and push a DACL via RADIUS.
Seems you are looking for DACL. Here is a document that can help you to understand the same
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
Let me know if you need any further help.
Jatin Katyal
- Do rate helpful posts -
-
Set-up Radius Server to ACS 4.2 and AD server
Hi Guys,
I would like to ask help from you on how to set-up Radius server in ACS 4.2 (step-by-step guide or link), wireless client will be authenticated via Active Directory when connecting to our Wireless AP so it means that our Wireless AP is added as client to Radius server.
Thanks in advance!
regards,
Gagamboy
Hi Colin
Thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic
-
Export and import change document for user master data
Dear Gurus,
I have two queries on change document for user master data:
1. Are there any approaches to export and import change document for user master data?
We often do system copy from PRD to QAS for UAT and troubleshooting. Before system copy we export the user master data from QAS and then import after the copy process. We would like to keep the change document for user master data on QAS from being refreshed from PRD for security reason.
2. Change document for Role change in QAS
When the role is created or modified in DEV and then transported to QAS, the role change document doesn't include this change log. The role change document in QAS only records those role changes directly made in QAS.
Could you advise this is by SAP design or are there any approaches to record this transported role change in the role change document in QAS?
Thanks
YBY
1. Perhaps you want to consider a system copy to a "virtual system" for UAT?
2. Changes in QAS (as with PROD as well) will give you the delta. They should ideally be clean... You need to check the source system.
Another option is to generate the profiles in the target system. But for that your config has to be squeaky clean and in sync, including very well maintained and synced SU24 data.
Cheers,
Julius
-
Using the Import utility from other users and going to a different schema
I had a user today with rights.
Insert into XXXX.TABLE values(); works just fine for another schema's table on which the user has select, insert, update, delete.
We tried to utilize the import utility from OTHER USERS:
Insert failed ORA-00942
Do you want to ignore all errors
even though we have rights to the schema under OTHER USERS.
When connected as the owner it works fine.
I've been trying to find a work-around to this issue & found this old post -- I'm having the same problem.
I'm using Oracle 11g and SD 2.1.1.64.
I have user A with a table that grants select, insert, update, and delete privs to user B. Logging in as user B I, of course, can do inserts, deletes, etc. on the table in user A's schema.
When I use the import data feature to load data from a CSV file I can't get it to work while logged in as user B. It does work fine if logged in as user A. It looks like the issue may be that it doesn't put the schema prefix of "A." on the insert statements.
Has anyone found a way to get around this issue yet?
-
Is it possible to export and import the roles and users tables?
Hi,
is there any possibility to export and import the role and user definitions?
We have a SAP MDM repository with a lot of roles and users and also with a lot of changes.
And now I'm searching for a fast and efficient way of managing the roles and users.
Thanks and Regards, Melanie
Hi Melanie,
There is no export/import functionality for roles and users. The only way to manage these in an automated way would be to write a program that uses the Java or ABAP APIs. Both APIs expose functionality to create, update and delete roles and users.
Hope this helps,
Richard
-
Import txt file into user dictionary
How to import text file into user dictionary through javascript? I can manually import txt file into user dictionary thru "Edit=>Spelling=>User dictionary...". But I don't know how to do it using javascript. Please advise.
Advice? See in some version of the object-model reference under userDictionary. There you'll find a method called addWord(), which looks promising.
Peter
-
Repercussions of importing more than 50 users?
Does anyone know what the repercussions are of importing more than 50 users in the workgroup mode?
I have about 250 users to import so that they can use the iCal service, and upon importing my 51st, I was warned that the recommended maximum of imported users is 50.
Thanks!
Right, I'm not sure how many users it can import at a time, but I went one by one, all the way up to 200.
After that, it simply would not add any more, as well as displaying a message that it can't write to the directory. I have confirmed with Apple support that 200 is the limit by design.
-
How to monitor Radius services on ACS 5.4
Hi All,
I want to monitor the RADIUS services of ACS 5.4. In case of failure of any RADIUS service on ACS,
ACS should send an alert to syslog or an email notification.
Is there any way to monitor RADIUS services? Does anyone have any idea how to monitor them?
Regards.
Hi Narinder,
I don't think there is any particular way you can do that, because ACS 5.x doesn't have any particular RADIUS service.
The services which are available and can be viewed through CLI and GUI are following:
Database
Management (ACS management subsystem)
Ntpd
Runtime (ACS runtime subsystem)
View-alertmanager
View-collector
View-database
View-jobmanager
View-logprocessor
https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
Cheers
Minakshi
-
Add user in ACS with limited access
Dear
I have low experience with Cisco ACS,
so kindly I need help to add a user to the ACS which has limited access to my network switches (show only, not able to change configuration).
Also how to take backup for the ACS Database
Thanks,
Hi,
Search about command authorization in the AAA section, you'll get ample information about it, i.e., on how to configure network devices so that you can allow certain users on ACS to have limited and certain user to have full access.
About taking a backup, that is pretty simple.
System Configuration > ACS Backup > Backup Now.
And you have a latest backup from ACS.
Regards,
Prem