LMS Authentication with ACS 5.1

Hi, I am using LMS authentication via ACS. I am able to login to LMS successfully with ACS user name and password but I can not execute most of the task it says you are not authorised. do i need to anything in LMS except enabling login module to tacacs...
Let me know if I missed something.
Thanks
Ninja

Integration with ACS 5.1 is not yet supported.  You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration.  Disable AAA mode, and set the login module to be TACACS+.  Point that to your 5.1 server, and you should be able to login, and run tasks in LMS.  However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

Similar Messages

  • EAP-TLS authentication with ACS 5.2

    Hi all,
    I have question on EAP-TLS with ACS 5.2.
    If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
    Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
    If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
    And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
    And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
    Hope you guys can help on this. THanks.

    Yes, you can configure:
    machine authentication only
    user authentication only
    Machine and user authentication.
    Machine or user authentication
    So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
    PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
    host/computer.domain
    If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
    Regards,
    Jatin

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with MAC OSx on ACS Plateform 4.1?
    If yes, what pre-required on ACS and MAC OSx? Methods of authentification which are recommended ?
    I'm sorry, but i don't find documents which show validated test on 802.1x implementation method on ACS 4.1 with MAC OSx supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, Refer to the below DOC
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as you do it for windows based clients

  • APC (UPS) RADIUS authentication with ACS 5.X

    I am trying to do RADIUS authentication for APC (UPS) using ACS 5.2 Appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSA (Vendor Specific Attributes) for APC in ACS 5.2.
    According to the APC dictionary file
    VENDOR APC 318
    # Attributes
    ATTRIBUTE APC-Service-Type 1 integer APC
    ATTRIBUTE APC-Outlets 2 string APC
    VALUE APC-Service-Type Admin 1
    VALUE APC-Service-Type Device 2
    VALUE APC-Service-Type ReadOnly 3
    # For devices with outlet users only
    VALUE APC-Service-Type Outlet 4
    I have added the attributes in blue(attached), how do I add the VALUE's (shown red) in ACS 5.2? What else should I do to get this working?
    The hit count on the ACS shows that it is getting authentication request from the APC appliance.
    Thanks in advance.

    Hi,
    I am working on the same issue and i manage to login (using Ldap A/D backend authentication). When using the standard Radius attribute Service-Type (1 for read-only and 6 for admin) i manage to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only others. Did u manage to get this working and how?
    ./G

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

  • Problem with work group bridge authentication with ACS 5.x

    EAP-TLS authentication for workgoup brdige fails.
    Folloing is the log on ACS
    Authentication failed 12514 EAP-TLS failed  SSL/TLS handshake because of an unknown CA in the client certificates chain
    12811 Extracted TLS Certificate message containing client certificate.
    12814 Prepared TLS Alert message.12817 TLS handshake failed.
    12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain
    12507 EAP-TLS authentication failed12505 Prepared EAP-Request with another EAP-TLS challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12504 Extracted EAP-Response containing EAP-TLS challenge-response
    11504 Prepared EAP-Failure11003 Returned RADIUS Access-Reject

    I have seen this issue before, the AP is present an old PAC and doesnt update until after you reboot. You can open a wireless TAC case and they will get you the right image as to when this was fixed. As a workaround you can extend the lifetime of the PAC in your authentication settings for EAP-FAST.
    Thanks,
    Sent from Cisco Technical Support iPad App

  • Netflow Generation Appliance (NGA-3240) and authentication with ACS

    I would like to configure this appliance to use ACS authentication.  Right now I use local authentication, but would prefer ACS instead. 
    Both the WebUI and the console are using this local method and I would much prefer it to use ACS instead.
    I get the following prompts:
    [email protected]# ip http tacacs+ enable <ACS IP ADDRESS> en-secret-key <KEY>
    Failed to enable Tacacs+

    Update...
         [email protected]# ip http tacacs+ enable
         Secret key:
         Repeat secret key:
         Successfully enabled Tacacs+
    The problem, I'm faced with now is that after entering the above the WebUI is still not accessible.

  • Using Multiple AD domains with ACS

    Hi,
    Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location but the users will be from different domains and I was hoping to use a single applicance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
    In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
    Thanks in advance
    Jason

    Hi Javier,
    I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains - I don't want to have to established trusts between different domains.
    Kind regards
    Jason

  • SSID To Group Mapping With ACS 5.1

    Hi ;
               I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSID's with peap authentication and i have two groups in AD. I need to map one ssid with one group and another SSID with the other group.
    I implemented the same with ACS 4.2 (Screenshot attached) .  Now the requirement is to implement the same concept in ACS 5.1.  Could you please help me on this.

    If you go under Access Policies and Service Selection Rules and check  you hit count( you may need to refresh if you just tried connecting) see  if the rule is incrementing.
    If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic.  If users credentials are working, thats a separate issue.
    For the Access service you created, that your selection rule feeds, check the following
    Identity will be set to internal users
    Authorization you will need to have hit custom and selected "Identity Group" as a selector"  Then when you make the rule, check that box and set it to your Staff Group.  Set the default at the bottom of the page to Deny Access.

  • LMS PRIME 4.2 integrating with ACS 4.2

    Hello,
    i would like to integrate new lms prime 4.2 with acs.4.2 . .. !!
    is there document or user guide for this version of lms?
    Thanks in advance.
    Marwan

    IN LMS 4.2 there is nothing which is known as Integration (like LMS 3.x), since it added feature RBAC.
    Now ACS can just be used as PAM to have ciscoworks authenticated for Tacacs+ or Radius. After the auth is done, you should have a authorization set in LMS locally for user, else it will be given a default HELP DESK access.
    For more details check :
    Authentication Using Login Modules - Overview
    -Thanks

  • Problem Authentcation CiscoWorks LMS 4.1 with ACS 5.3

    Dear
    i have a problem authenticating cisco LMS user through ACS 5 whenever tries  to run a DCR Job  verification it fails to telnet , however it used to work with the pervious ACS 4 but after upgrade , it seems to be a problem , and when i tries to login with this specific user with third party terminal it works fine.
    here is logg in the ACS monitor
    Failure Reason > Authentication Failure Code Lookup
    Failure Reason :
    13031 TACACS+ authentication request missing user Password
    Generated on:March 12, 2013 7:09:37 PM AST
    Description
    The TACACS+ authentication request did not provide a user Password
    Resolution Steps
    The  device is sending a TACACS+ authentication request that is missing  information needed by ACS. Check the device to verify that it is working  properly and has up-to-date software

    I'm running the latest version of both, and it's running fine for me.  You may have to change your TacacsPromts.ini file to include the right prompts.  I think it's:
    [TELNET]
    USERNAME_PROMPT=
    PASSWORD_PROMPT=
    You'll have to put in your own prompts, though.   Whatever your prompts are, is what goes afterward.
    If my prompt is Myspecialprompt: and pass is Myspecialpassword:, I'd use
    [TELNET]
    USERNAME_PROMPT=Myspecialprompt:
    PASSWORD_PROMPT=Myspecialpassword:
    If you have more devices with different prompts, just use a comma after the colon.  Btw, you don't need the credentials in there, just the custom prompts.

  • LMS 3.2 integration with ACS 5.1

    Hi
    Is it
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;
    mso-fareast-language:EN-US;}
    possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
    Here is a link to how to do it with ACS 4.X:
    http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
    Regards
    Reidar

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately .......

  • Cisco Works LMS R3.1 with ACS R5.1

    I search on internet about the AAA integration between LMS R3.1 y ACS R5.1, and all the information that I found it's related to ACS R4.1. It's possible to integrate with ACS R5.1.
    Regards and thanks in advanced
    Luis Martinez

    Nael,
    Sorry to batter you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2 and from the support page of CISCO I just can donwload the following version LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but i got an error that saids "LMS R3.2.1 needs LMS R3.2 installed on the server"
    Could you please tell me where can I download the complete and initial LMS R3.2.
    Thanks in advanced for your kindly help.
    Luis Martinez

  • MARS 5.2.7 integration with ACS 4.1

    Hello
    I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
    Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
    Thank you really much
    Best regards Antonello.

    HI ,
    LMS 4.0 no longer integrates with ACS the way that LMS 3.x did.  You  can still use ACS for authentication in LMS 4.0, but for authorization,  each user must have a local account in LMS, and the roles will be  assigned using LMS 4.0's new RBAC.  Users are defined under Admin >  System > User Management > Local User Setup, and roles are defined  under Admin > System > User Management > Role Management  Setup.
    By default, if a user does not have an account in LMS, they will receive the Help Desk role
    Please check the below link:
    http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
    Thanks-
    Afroz
    [Do rate the useful post]

  • Not Working-central web-authentication with a switch and Identity Service Engine

    on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
    I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I follow it step by step...
    When I conect the XP client, e see the following Autenthication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the the following message on switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweak with ACL's to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What I'm I missing?

Maybe you are looking for