LMS Authentication with ACS 5.1
Hi, I am using LMS authentication via ACS. I am able to log in to LMS successfully with the ACS user name and password, but I cannot execute most of the tasks; it says you are not authorised. Do I need to do anything in LMS except enabling the login module for TACACS+...
Let me know if I missed something.
Thanks
Ninja
Integration with ACS 5.1 is not yet supported. You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration. Disable AAA mode, and set the login module to be TACACS+. Point that to your 5.1 server, and you should be able to log in and run tasks in LMS. However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.
Similar Messages
-
EAP-TLS authentication with ACS 5.2
Hi all,
I have question on EAP-TLS with ACS 5.2.
If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
I understand that certs are required on both the client and server end, but is this certificate tied to the machine or to the individual user?
If tied to the user, and I have a shared PC that a few users log in to, does that mean every user account will have its own certificate?
And will every individual user have to manually get the cert from the CA? Is there any other method, as my environment has more than 3000 PCs?
And also, if it is tied to the user, all users can get their cert from the CA with their AD login name and password; if they bring in their own device and try to get the cert from the CA, they will be able to successfully install the cert into their device, right?
Hope you guys can help on this. Thanks.
Yes, you can configure:
machine authentication only
user authentication only
Machine and user authentication.
Machine or user authentication
So machine authentication only is quite a common scenario. Correct, as long as the machine is part of a domain, you will be authenticated via machine authentication.
PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
host/computer.domain
If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, the machine starts getting an IP address, and once it is done, the user may have access to most of the network.
Regards,
Jatin -
802.1x authentication with ACS 4.1 for MAC OSX
Hi,
I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS platform 4.1?
If yes, what is required on ACS and Mac OS X? Which authentication methods are recommended?
I'm sorry, but I can't find documents which show a validated test of an 802.1x implementation method on ACS 4.1 with a Mac OS X supplicant.
Thanks in advance
Best regards
Thanks
Yes, refer to the below doc:
http://support.apple.com/kb/HT2717
Port settings and ACS configuration remain the same as you do it for Windows-based clients. -
APC (UPS) RADIUS authentication with ACS 5.X
I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
According to the APC dictionary file
VENDOR APC 318
# Attributes
ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
# For devices with outlet users only
VALUE APC-Service-Type Outlet 4
I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
The hit count on the ACS shows that it is getting authentication request from the APC appliance.
Thanks in advance.
Hi,
I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, and admin or read-only for others. Did you manage to get this working, and how?
./G -
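To make the APC dictionary quoted in the thread above concrete, here is an added Python example (not code from the thread, from APC or from Cisco) that parses those dictionary lines and encodes and decodes the RFC 2865 Vendor-Specific attribute they describe. The VALUE lines are only symbolic names for the integer that actually goes on the wire; the outlet string "1,3" used in the comments is a constructed sample.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that wraps vendor attributes

# Constructed from the APC dictionary lines quoted in the thread above.
APC_DICTIONARY = """
VENDOR APC 318
ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
# For devices with outlet users only
VALUE APC-Service-Type Outlet 4
"""

def parse_dictionary(text):
    # vendors {name: id}, attributes {name: (vendor, type, datatype)}, values {attr: {name: int}}
    vendors, attributes, values = {}, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        kind, *f = line.split()
        if kind == "VENDOR":
            vendors[f[0]] = int(f[1])
        elif kind == "ATTRIBUTE":
            attributes[f[0]] = (f[3], int(f[1]), f[2])
        elif kind == "VALUE":
            values.setdefault(f[0], {})[f[1]] = int(f[2])
    return vendors, attributes, values

def encode_vsa(dictionary, attr_name, value):
    # One Vendor-Specific AVP: type 26, length, 4-byte vendor id, then the
    # vendor sub-attribute (vendor type, vendor length, data), e.g. "1,3" for APC-Outlets.
    vendors, attributes, values = dictionary
    vendor, vtype, dtype = attributes[attr_name]
    if dtype == "integer":
        if isinstance(value, str):  # resolve "Admin" -> 1 via the VALUE lines
            value = values[attr_name][value]
        data = struct.pack("!I", value)
    else:
        data = value.encode("ascii")
    sub = struct.pack("!BB", vtype, 2 + len(data)) + data
    body = struct.pack("!I", vendors[vendor]) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def decode_vsa(dictionary, avp):
    # Inverse of encode_vsa: returns (attribute name, symbolic or raw value).
    vendors, attributes, values = dictionary
    atype, alen = struct.unpack("!BB", avp[:2])
    if atype != VENDOR_SPECIFIC or alen != len(avp):
        raise ValueError("not a well-formed Vendor-Specific AVP")
    vendor_id = struct.unpack("!I", avp[2:6])[0]
    vtype, vlen = struct.unpack("!BB", avp[6:8])
    data = avp[8:6 + vlen]
    for name, (vendor, t, dtype) in attributes.items():
        if vendors[vendor] == vendor_id and t == vtype:
            if dtype != "integer":
                return name, data.decode("ascii")
            num = struct.unpack("!I", data)[0]
            symbolic = {v: k for k, v in values.get(name, {}).items()}
            return name, symbolic.get(num, num)
    raise KeyError("unknown vendor attribute %d/%d" % (vendor_id, vtype))
```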
Hi!
I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
This is the goal:
On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
I have set up a Windows certificate server, and the client (WinXP) is receiving both machine and user certificates just fine.
I have also managed to set it up so machine authentication works, by setting up a policy rule that checks on the certificate only:
"Certificate Dictionary:Common Name contains .admin.testdomain.lan"
But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
Thank you.
Hello again.
I found out how to do this now.
What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
After adding that profile to the Identity Store Sequences, and making the appropriate rule in the policy, it works.
You must also remember to change the AuthMode option in Windows XP Registry to "1".
What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that condition to work, unfortunately.
That would have plugged a few security holes for me. -
Problem with work group bridge authentication with ACS 5.x
EAP-TLS authentication for the workgroup bridge fails.
Following is the log on ACS:
Authentication failed 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12811 Extracted TLS Certificate message containing client certificate.
12814 Prepared TLS Alert message.
12817 TLS handshake failed.
12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
12507 EAP-TLS authentication failed
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
I have seen this issue before: the AP is presenting an old PAC and doesn't update until after you reboot. You can open a wireless TAC case and they will get you the right image as to when this was fixed. As a workaround you can extend the lifetime of the PAC in your authentication settings for EAP-FAST.
Thanks,
Sent from Cisco Technical Support iPad App -
Netflow Generation Appliance (NGA-3240) and authentication with ACS
I would like to configure this appliance to use ACS authentication. Right now I use local authentication, but would prefer ACS instead.
Both the WebUI and the console are using this local method and I would much prefer it to use ACS instead.
I get the following prompts:
[email protected]# ip http tacacs+ enable <ACS IP ADDRESS> en-secret-key <KEY>
Failed to enable Tacacs+Update...
[email protected]# ip http tacacs+ enable
Secret key:
Repeat secret key:
Successfully enabled Tacacs+
The problem I'm faced with now is that after entering the above, the WebUI is still not accessible. -
Using Multiple AD domains with ACS
Hi,
Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location, but the users will be from different domains, and I was hoping to use a single appliance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain...
In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
Thanks in advance
Jason
Hi Javier,
I understand that ACS can only join a single AD domain, but can it use LDAP to authenticate users from different AD domains? I don't want to have to establish trusts between different domains.
Kind regards
Jason -
SSID To Group Mapping With ACS 5.1
Hi ;
I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID to one group and the other SSID to the other group.
I implemented the same with ACS 4.2 (screenshot attached). Now the requirement is to implement the same concept in ACS 5.1. Could you please help me on this.
If you go under Access Policies and Service Selection Rules and check your hit count (you may need to refresh if you just tried connecting), see if the rule is incrementing.
If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users' credentials are working, that's a separate issue.
For the Access service you created, the one that your selection rule feeds, check the following:
Identity will be set to internal users
Authorization: you will need to have hit Custom and selected "Identity Group" as a selector. Then when you make the rule, check that box and set it to your Staff Group. Set the default at the bottom of the page to Deny Access. -
LMS PRIME 4.2 integrating with ACS 4.2
Hello,
I would like to integrate the new LMS Prime 4.2 with ACS 4.2!
is there document or user guide for this version of lms?
Thanks in advance.
Marwan
In LMS 4.2 there is nothing known as Integration (like in LMS 3.x), since it added the RBAC feature.
Now ACS can just be used as a PAM to have CiscoWorks authenticated via TACACS+ or RADIUS. After the auth is done, you should have an authorization set in LMS locally for the user, else it will be given the default HELP DESK access.
For more details check :
Authentication Using Login Modules - Overview
-Thanks -
Problem Authenticating CiscoWorks LMS 4.1 with ACS 5.3
Dear
I have a problem authenticating a Cisco LMS user through ACS 5: whenever it tries to run a DCR job verification it fails to telnet. However, it used to work with the previous ACS 4; after the upgrade there seems to be a problem, and when I try to log in with this specific user with a third-party terminal it works fine.
Here is the log in the ACS monitor:
Failure Reason > Authentication Failure Code Lookup
Failure Reason :
13031 TACACS+ authentication request missing user Password
Generated on:March 12, 2013 7:09:37 PM AST
Description
The TACACS+ authentication request did not provide a user Password
Resolution Steps
The device is sending a TACACS+ authentication request that is missing information needed by ACS. Check the device to verify that it is working properly and has up-to-date software
I'm running the latest version of both, and it's running fine for me. You may have to change your TacacsPrompts.ini file to include the right prompts. I think it's:
[TELNET]
USERNAME_PROMPT=
PASSWORD_PROMPT=
You'll have to put in your own prompts, though. Whatever your prompts are, is what goes afterward.
If my prompt is Myspecialprompt: and pass is Myspecialpassword:, I'd use
[TELNET]
USERNAME_PROMPT=Myspecialprompt:
PASSWORD_PROMPT=Myspecialpassword:
If you have more devices with different prompts, just use a comma after the colon. By the way, you don't need the credentials in there, just the custom prompts. -
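As an added illustration of the prompt configuration described in the reply above (not code from LMS or from the reply's author), this Python loads a constructed TacacsPrompts.ini with comma-separated prompt alternatives, splits them, and reports which stage of a device's login dialogue is not covered by the configuration; an unrecognised prompt is the situation the reply points to for the 13031 "missing user Password" entry in the log above.

```python
import configparser

# Constructed TacacsPrompts.ini content in the shape the reply describes,
# with two devices' prompts separated by a comma after the colon.
TACACS_PROMPTS_INI = """
[TELNET]
USERNAME_PROMPT=Myspecialprompt:,Username:
PASSWORD_PROMPT=Myspecialpassword:,Password:
"""


def load_prompts(ini_text):
    # Returns {"USERNAME_PROMPT": [...], "PASSWORD_PROMPT": [...]} with the
    # comma-separated alternatives split and surrounding whitespace removed.
    cp = configparser.ConfigParser(delimiters=("=",))  # prompts may contain ':'
    cp.optionxform = str  # keep the keys' upper-case spelling
    cp.read_string(ini_text)
    return {key: [p.strip() for p in value.split(",") if p.strip()]
            for key, value in cp["TELNET"].items()}


def match_prompt(prompts, key, device_output):
    # Returns the configured prompt that the device output ends with, or
    # None when nothing matches (the credential for that stage is then never sent).
    tail = device_output.rstrip()
    for prompt in prompts[key]:
        if tail.endswith(prompt):
            return prompt
    return None


def check_login_dialogue(prompts, username_output, password_output):
    # Walks both prompt stages for one device and reports the first stage,
    # if any, that the configuration does not cover.
    if match_prompt(prompts, "USERNAME_PROMPT", username_output) is None:
        return "username prompt not recognised"
    if match_prompt(prompts, "PASSWORD_PROMPT", password_output) is None:
        return "password prompt not recognised"
    return "ok"
```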
LMS 3.2 integration with ACS 5.1
Hi
Is it possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
Here is a link to how to do it with ACS 4.X:
http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
Regards
Reidar
Thanks Reidar.... hmm, very strange. I really wish an expert would respond to this thread, as it will help a lot of people who might be planning to deploy these versions, and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1, and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option, unfortunately. -
Cisco Works LMS R3.1 with ACS R5.1
I searched on the internet about the AAA integration between LMS R3.1 and ACS R5.1, and all the information that I found is related to ACS R4.1. Is it possible to integrate with ACS R5.1?
Regards and thanks in advance
Luis Martinez
Nael,
Sorry to bother you, but I was trying to migrate my CiscoWorks LMS R3.1 to R3.2, and from the Cisco support page I can only download the following version: LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but I got an error that says "LMS R3.2.1 needs LMS R3.2 installed on the server".
Could you please tell me where I can download the complete initial LMS R3.2?
Thanks in advance for your kind help.
Luis Martinez -
MARS 5.2.7 integration with ACS 4.1
Hello
I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate users in MARS.
Do any of you know if MARS 5.2.7 has this feature? If yes, can you please give some info on where to find docs?
Thank you very much
Best regards, Antonello.
Hi,
LMS 4.0 no longer integrates with ACS the way that LMS 3.x did. You can still use ACS for authentication in LMS 4.0, but for authorization, each user must have a local account in LMS, and the roles will be assigned using LMS 4.0's new RBAC. Users are defined under Admin > System > User Management > Local User Setup, and roles are defined under Admin > System > User Management > Role Management Setup.
By default, if a user does not have an account in LMS, they will receive the Help Desk role
Please check the below link:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
Thanks-
Afroz
[Do rate the useful post] -
Not Working-central web-authentication with a switch and Identity Service Engine
Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, I'm asking for your help...
I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
The interface configuration looks like this:
interface FastEthernet0/24
switchport access vlan 6
switchport mode access
switchport voice vlan 20
ip access-group webauth in
authentication event fail action next-method
authentication event server dead action authorize
authentication event server alive action reinitialize
authentication order mab
authentication priority mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
spanning-tree portfast
end
The ACLs:
Extended IP access list webauth
10 permit ip any any
Extended IP access list redirect
10 deny ip any host 172.22.2.38
20 permit tcp any any eq www
30 permit tcp any any eq 443
The ISE side configuration I followed step by step...
When I connect the XP client, I see the following authentication session...
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.184
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: single-host
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000490AC1A9E2
Acct Session ID: 0x00000077
Handle: 0xB7000049
Runnable methods list:
Method State
mab Authc Success
But there is no redirection, and I get the following message on the switch console:
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
I have to mention I'm using an http proxy on port 8080...
Any Ideas on what is going wrong?
Regards
Nuno
OK, so I upgraded the IOS to version
SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
I tweaked the ACLs to the following:
Extended IP access list redirect
10 permit ip any any (13 matches)
and created a DACL that is downloaded along with the authentication
Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
10 permit ip any any
I can see the epm session
swlx0x0x#show epm session ip 172.22.3.74
Admission feature: DOT1X
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
And authentication
swlx0x0x#show authentication sessions interface fastEthernet 0/24
Interface: FastEthernet0/24
MAC Address: 0015.c549.5c99
IP Address: 172.22.3.74
User-Name: 00-15-C5-49-5C-99
Status: Authz Success
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
ACS ACL: xACSACLx-IP-redirect-4f743d58
URL Redirect ACL: redirect
URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
Session timeout: N/A
Idle timeout: N/A
Common Session ID: AC16011F000000160042BD98
Acct Session ID: 0x0000001B
Handle: 0x90000016
Runnable methods list:
Method State
mab Authc Success
on the logging, I get the following messages...
017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
What am I missing?
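As an added troubleshooting aid (not part of the post, and not a Cisco tool), the following Python parses the "show authentication sessions" output and the epm-redirect log lines quoted above and lists the things a CWA troubleshooter would check first. The sample text is constructed from the post (ISE-ip is the post's own placeholder); one check it makes is whether the sessionId in the redirect URL matches the Common Session ID, which it does not in the quoted output.

```python
import re

# Constructed from the switch output quoted in the post above; ISE-ip is the
# placeholder the post uses for the ISE address.
SESSION_OUTPUT = """\
            Interface:  FastEthernet0/24
          MAC Address:  0015.c549.5c99
           IP Address:  172.22.3.74
            User-Name:  00-15-C5-49-5C-99
               Status:  Authz Success
     URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    Common Session ID:  AC16011F000000160042BD98
"""

EPM_LOG = """\
756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
"""


def parse_session(text):
    # "Key:  value" lines of 'show authentication sessions interface' -> dict.
    session = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            session[key.strip()] = value.strip()
    return session


def redirect_session_id(session):
    # The sessionId ISE put into the redirect URL, or None if there is none.
    m = re.search(r"sessionId=([0-9A-Fa-f]+)", session.get("URL Redirect", ""))
    return m.group(1) if m else None


def triage(session, epm_log):
    # Returns the findings to check first, in order, for one host's session.
    findings = []
    if "URL Redirect ACL" not in session:
        findings.append("no redirect ACL was returned for this session")
    sid = redirect_session_id(session)
    if sid and sid != session.get("Common Session ID"):
        findings.append("redirect URL carries session id %s but the switch "
                        "session is %s" % (sid, session.get("Common Session ID")))
    host_ip = session.get("IP Address")
    for line in epm_log.splitlines():
        m = re.search(r"epm-redirect:(IP|IDB)=([^:]+): (.*)$", line)
        if not m:
            continue
        kind, subject, msg = m.groups()
        if kind == "IP" and subject != host_ip:
            continue  # debug line concerns a different host
        if "No redirection policy" in msg:
            findings.append("switch has no redirect policy for %s" % subject)
        elif "Not an HTTP(s) packet" in msg:
            findings.append("packet matched the redirect ACL but was not "
                            "HTTP/HTTPS, so no redirect was attempted")
    return findings
```

Given the HTTP proxy on port 8080 mentioned in the post, the "Not an HTTP(s) packet" finding is the one to look at first: a packet can match "permit ip any any" and still not be something the switch will redirect.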