Migrate WPA2 to ACS RADIUS

Hello guys, it's me again. I hope you can help me as well.
I'm working with five SSIDs that use WPA2 with PSK. I want to migrate to 802.1X authentication, so I'm going to set up an ACS RADIUS server.
I have some remote offices, and they are also working with WPA2 and PSK.
My question is: what happens if I migrate these SSIDs to 802.1X? Will my remote users still be able to join an SSID? And what happens if my RADIUS goes down? Right now, if my WLC goes down, my remote APs still work and accept new clients. But if I change this authentication method, will they keep working as they do now?
And what happens to my local users if my RADIUS goes down?
Thank you everyone

Dear Scott, I really appreciate your help, and Abhishek's as well.
One more question. I'm really concerned about this migration: right now I have a WLC 4402 with 1131AG APs. These APs have IOS version 12.4(3g)JA and are working as LWAPP. I found this matrix on the Cisco page:
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
My new 5508 has version 7.2.103, and that matrix says I need at least 12.4(25e)JA, so I'm not sure whether I need to upgrade the IOS version on my APs.
I was reading the 7.2 configuration guide for the 5508, and in one part the text says this:
The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.
I know it is talking about WGB, but can I read between the lines that APs with IOS version 12.4(3g)JA should have no problem joining the new controller?
This part of the document makes me guess I don't have to do anything.
Thanks!!

Similar Messages

  • FWSM user and administrator multi-contexts authentication under ACS radius

    Hi,
    I'm preparing the setup of an ACS RADIUS server for FWSM-related authentication operations.
    FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in a multi-switch active/standby setup, with multiple contexts configured.
    User and administrator access management will be performed by a RADIUS ACS server.
    I intend to install ACS onto a hardened Windows 2000 Server SP4, using a local database.
    PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
    Are there any points I should be aware of with such a configuration, especially regarding the user and administrator authentication access management setup?
    The fact is that administrators will have to be defined and restricted to their own context, without privileges on other contexts. Do you have feedback about such a setup, or relevant information to point me to?
    Many thanks in advance for your attention.
    Best regards,
    Arnaud

    Each of the contexts will behave like an individual firewall for your purposes here. So they each get an AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well; it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the PIX MC, which is similar to PDM but works for multiple FWSMs. It is a part of CiscoWorks VMS.
    -Paul

  • What's the migration path from ACS v3.3 to ACS v5.1?

    It's a standalone appliance 1112 running ACS v3.3. How do I migrate to another standalone appliance 1120 with ACS v5.1?
    Does Cisco have any documents about this?
    I remember reading an article about how to build a temporary ACS v4.2 Windows install to help with this kind of migration; could anyone send me the doc link?

    Your basic assumption is correct. There needs to be a two-stage process: first migrate to ACS 4.2 on Windows, and then from there perform the migration to ACS 5.0/5.1.
    When ordering ACS 5.0/ACS 5.1, the disk set includes all the software required to perform this upgrade.
    Going from 4.2 to ACS 5.0/5.1 is a migration, not an upgrade, since it reads a subset of the data items from ACS 4.2 and creates them on ACS 5.0/ACS 5.1. This includes the bulk objects such as devices and internal users. However, the policy configuration on ACS 5.1 needs to be performed manually, since it follows a very different concept.
    The migration guide can be found at: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/migration/guide/Migration_Book.html

  • Cisco 1140AP using WPA2-enterprise with radius

    All,
    I am trying to configure an 1140 AP to use WPA2-Enterprise and RADIUS. Ultimately I want to be able to connect to the SSID using my Active Directory credentials. I would like the AP to send authentication requests to our Network Policy Server. Here is a copy of the config; any help is appreciated.
    version 12.4
    no service pad
    !
    aaa new-model
    !
    aaa group server radius rad_eap
     server 172.16.16.101 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa group server radius rad_eap1
    !
    aaa authentication login myLogin local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication dot1x rad_eap group radius
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    !
    dot11 syslog
    !
    dot11 ssid ITWireless
       authentication open eap rad_eap
       authentication key-management wpa version 2
       guest-mode
    !
    username admin password 7 XXXXXXXXXXXXXXXXXXXXX
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers aes-ccm
     !
     ssid ITWireless
     !
     antenna gain 0
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     !
     encryption mode ciphers aes-ccm
     !
     ssid ITWireless
    !
    interface BVI1
     ip address 172.16.42.21 255.255.0.0
     no ip route-cache
    !
    ip default-gateway 172.16.16.198
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.16.101 auth-port 1812 acct-port 1813 key 7 1427321938572903
    radius-server vsa send accounting
    !
    bridge 1 route ip

    I did see those screenshots; however, that settings screen comes from selecting the Configure button next to the Authentication Method in the User Authentication section under Users. In each of your screenshots the RADIUS Server ID number is 1, so I would also ensure that I've configured RADIUS Server ID 1, which can only be configured by going to Users -> RADIUS Servers.
    All that said, I did see that your tests succeeded, and I also don't understand the point of having RADIUS settings on the other screens and then having RADIUS ID info. My thinking is that you would be able to configure RADIUS once in the Users -> RADIUS Servers screen and then select the RADIUS Server ID in all the remaining screens without having to enter the RADIUS info over and over again. I would also think that you could skip the Users -> RADIUS Servers screen and enter the RADIUS information over and over again and it should work, just like you set it up originally. However, based on past experience of programmatic errors, I would recommend configuring RADIUS Server ID 1 under Users -> RADIUS Servers if you haven't already, just in case.
    Shawn Eftink
    CCNA/CCDA
    Please rate all helpful posts and mark correct answers to assist others searching for solutions in the community.

  • ASA to ACS Radius - restrict by group

    Hi Everyone, this may not be the correct forum for this, but since it relates to the ASA...
    So we currently use RADIUS to authenticate users accessing our AnyConnect access. The thing is, with everything working, we want to restrict access to only members of a specified AD group, "VPN Users".
    So I'm trying to figure out whether that restriction goes into the RADIUS config on ACS, or whether there is a setting in the ASA to restrict it.
    Can someone point me in the right direction?  (And no, I don't want to change to LDAP authentication).
    Ken

    I guess this should be possible with a feature called NAP (Network Access Profiles). Here you can define which database to use for any specific request. We can filter requests on the basis of attributes sent in the authentication request.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
    Regards,
    ~JG

  • Migrating a Cisco ACS Database

    Hi,
    Can there be any potential problems if we want to migrate an existing Cisco ACS database to a different physical server (keeping the same IP information, etc.)?
    We were running the Cisco ACS evaluation version for Cisco NAC (CTA) and now want to make it production while moving it to a different server.
    Regards \\ Naman

    Hi,
    I'm not an expert on ACS, but when you look into System Configuration you will find the feature 'Database Replication'. With an eval version you should be able to test this feature.
    Cheers,

  • ACS Radius + Peap + MSChapV2

    I am using a wireless setup
    Aironet 1100, ACS 4.0, 3rd party Client adapter
    I am able to connect to my wireless network by keying in the username and password created in the ACS user setup, and also by using a self-signed certificate from the ACS.
    Doubts: in the ACS logs, RADIUS accounting is empty.
    Failed Attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake".
    But I am able to authenticate my users successfully onto the wireless network. What went wrong?

    Hi
    Try enabling the Passed Authentications report and see what's in there. It could be that the failure is purely transient and rectified by a subsequent attempt.
    For example, a re-key authentication requires SSL state on the ACS; it could be that the supplicant and ACS have to revert to performing a full authentication.
    I'm guessing, but it is entirely possible to have entries in the failed attempts and still get access.
    Darran

  • Question in ACS radius ports and how test connectivity between router

    Hi all,
    I'm asking here about the default ports used in Cisco ACS for the RADIUS protocol.
    Is it 1812 and 1813?
    Or are there other ports?
    Q2:
    How do I test connectivity between the ACS ("AAA server") and the router ("AAA client")?
    Q3:
    Can anyone give me a simple config on the router for RADIUS to connect to ACS?
    regards

    The default authentication port is 1812 and the default accounting port is 1813.
    Here's an example config:
    aaa new-model
    !
    aaa group server radius ACME-RADIUS
     server-private 192.168.1.5 auth-port 1812 acct-port 1813 key SeCrEtPaSsWoRd
    !
    aaa authentication login default local
    aaa authentication login ACME-AAA group ACME-RADIUS local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group ACME-RADIUS
    !
    line vty 0 4
     login authentication ACME-AAA
    You can test with:
    test aaa group radius server 192.168.1.5 mmessier St@nleyCup
    where mmessier is your username and St@nleyCup is the password.

  • ACS Radius Question about Request Authenticator Field

    Hi, I did a little bit of reading about RADIUS to understand it more in depth.
    If I understand correctly, the Request Authenticator field in the RADIUS request packet is just a random number and has nothing to do with the shared secret configured on the AAA client.
    That would mean that ACS does not check the shared secret in an incoming request.
    So in the case of CHAP authentication, where the password in the request is not encrypted with the shared secret, ACS can successfully check the credentials from the request even though the shared secret between ACS and the AAA client does not match, and will send a RADIUS Accept packet.
    The Response Authenticator field in the RADIUS Accept packet is an MD5 over (Code+ID+Length+RequestAuth+Attributes+SharedSecret).
    So if the shared secret does not match, the AAA client will recognize this and will not grant access.
    Is that true so far?
    I always thought that the shared secret must match, otherwise the ACS will not accept any RADIUS request?
    Thx
    hubert

    Hi Nicholas,
    Please see attached a packet capture of 6 RADIUS requests from an AAA client (small RADIUS test software) and the answers from ACS:
    1 PAP wrong key correct Password -> ACS logs failed auth
    2 PAP correct key correct Password -> ACS logs success auth
    3 CHAP wrong key correct Password -> ACS logs success auth
    4 CHAP correct key correct Password -> ACS logs success auth
    5 CHAP wrong key wrong Password -> ACS logs failed auth
    6 CHAP correct key wrong Password -> ACS logs failed auth
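The six cases in the capture above follow directly from how RFC 2865 uses the shared secret, and the same mechanics explain the "test aaa" connectivity check earlier on this page: a PAP User-Password is hidden with MD5(secret || Request Authenticator), so a mismatched secret decrypts to garbage and the server logs a failure; a CHAP-Password is MD5(ident || password || challenge) with no secret involved, so the server happily accepts it; and only the Response Authenticator, MD5(Code+ID+Length+RequestAuth+Attributes+Secret), lets the NAS detect the mismatch, at which point it silently discards the reply. The following is an added example, not code from the thread or from ACS. It builds and checks the packets offline with a constructed user database (same credentials as the posted test command) and constructed secrets; a real NAS would send the Access-Request to UDP/1812.

```python
"""RADIUS shared-secret semantics: PAP vs CHAP vs the Response Authenticator.

Added example (not from the original thread). Everything is built and checked
offline; a real NAS would send the Access-Request to UDP/1812 on the server.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

# Constructed test account; same credentials as the posted 'test aaa' command.
USERS = {b"mmessier": b"St@nleyCup"}


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(S || c_{i-1})
    with c_0 = Request Authenticator. The secret is needed to recover the password."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out += block
        prev = block
    return out


def unhide_pap_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 s5.3: CHAP-Password = ident || MD5(ident || password || challenge).
    No shared secret is involved, so any server that knows the password can verify it."""
    return bytes([ident]) + _md5(bytes([ident]), password, challenge)


def build_access_request(user, password, method, nas_secret, ident=1, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # random; independent of the secret
    attrs = _attr(USER_NAME, user)
    if method == "PAP":
        attrs += _attr(USER_PASSWORD, hide_pap_password(password, nas_secret, req_auth))
    elif method == "CHAP":  # challenge = Request Authenticator when CHAP-Challenge is absent
        attrs += _attr(CHAP_PASSWORD, chap_response(ident, password, req_auth))
    else:
        raise ValueError(method)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(request: bytes, server_secret: bytes) -> bytes:
    """Nothing in a plain Access-Request proves the sender knows the secret (no
    Message-Authenticator here), so the server evaluates whatever it can decode."""
    _code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    stored, ok = USERS.get(attrs.get(USER_NAME)), False
    if stored is not None and USER_PASSWORD in attrs:
        ok = unhide_pap_password(attrs[USER_PASSWORD], server_secret, req_auth) == stored
    elif stored is not None and CHAP_PASSWORD in attrs:
        challenge = attrs.get(CHAP_CHALLENGE, req_auth)
        ok = attrs[CHAP_PASSWORD] == chap_response(attrs[CHAP_PASSWORD][0], stored, challenge)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + _md5(header, req_auth, server_secret)


def nas_verify(request: bytes, response: bytes, nas_secret: bytes) -> bool:
    """The NAS recomputes the Response Authenticator with its own secret; on mismatch
    the reply is silently discarded, so a wrong secret ends in a timeout, not a reject."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = _md5(response[:4], request[4:20], response[20:length], nas_secret)
    return expected == response[4:20]


def run_case(method: str, nas_secret: bytes, password: bytes,
             server_secret: bytes = b"correct-secret") -> tuple:
    """Returns (what the server would log, whether the NAS trusts the reply)."""
    req = build_access_request(b"mmessier", password, method, nas_secret)
    resp = server_handle(req, server_secret)
    logged = "success" if resp[0] == ACCESS_ACCEPT else "failed"
    return logged, nas_verify(req, resp, nas_secret)


if __name__ == "__main__":
    right, wrong, pw = b"correct-secret", b"wrong-secret", b"St@nleyCup"
    for m, key, p in [("PAP", wrong, pw), ("PAP", right, pw), ("CHAP", wrong, pw),
                      ("CHAP", right, pw), ("CHAP", wrong, b"bad"), ("CHAP", right, b"bad")]:
        print(m, "key ok " if key == right else "key bad", *run_case(m, key, p))
```

Case 3 is the one that surprises people: the server logs a successful CHAP authentication with the wrong secret, but the NAS never grants access because the Access-Accept fails the Response Authenticator check. Cisco ACS's log therefore reflects what the server believed, not what the client did with the answer; the matching failure shows up on the NAS side as a RADIUS timeout or "server not responding", which is also why a key mismatch is easy to misdiagnose as a connectivity problem when running the "test aaa" command.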

  • Microsoft Radius Server vs ACS/Radius

    Hi,
    Are there any differences between the Microsoft RADIUS server and the RADIUS in ACS?
    Thanks
    Ali

    I have used both with pretty good success. The one thing I do not like about ACS is the fact that a user can only belong to one group. The documentation for ACS is pretty good and configuring ACS is pretty simple. I was able to import my APs from a file, which was nice since I had around 100 to set up/install. That was really quick and simple.
    There isn't a lot of documentation around for configuring IAS with Cisco wireless equipment, but there are hints in these forums if you search. I had IAS configured to assign VLANs to certain wireless users (actually groups) and it works fine. There were a few bugs (differences between VxWorks and IOS) that have been corrected, I believe. If you run into problems, make sure your APs' software is up to date.
    Aside from the fact that a user can belong to only one group, I like ACS. I haven't had much time to finish my configuration as far as wireless goes, but so far things have been pretty simple to configure.
    If you have any more questions feel free to ask...
    Don Hickey

  • ACS radius for Juniper Swtich/Router

    Hi there,
    I'm trying to configure RADIUS for a Juniper EX4200-48T switch on ACS 5.2 so that ACS internal users can administer it.
    I have read and searched related articles,
    such as
    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Juniper-SSG-and-Cisco-ACS-v5-x/m-p/127033
    which is a tutorial on RADIUS for Juniper NetScreen devices.
    I followed those steps for my Juniper switch and failed too.
    Are there any differences in attributes and values between Juniper NetScreen and the switch?
    What should I set up in the custom attributes of the shell profile under Device Administration in ACS 5.2?
    Thanks so much.

    Any reply?

  • Disconnect dialup connections after 1 hour - ACS (Radius)

    Hello All,
    I need to disconnect dialup users after 1 hour (session limit). Using the ACS 3.3 RADIUS config, I'm looking at the RADIUS attribute [027] Session-Timeout to do this. ACS documentation indicates this does not support PPP sessions. However, this link http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094671.shtml#hw
    indicates it can. I am going to test, but thought I'd put it here in case anyone has this working.

    Tested and working fine :-)

  • ACS RADIUS Certificate Access Workflow

    Hello friends, I've been trying to deploy an ACS solution that includes RADIUS, a connection with an AD database, and certificate-based access to the network, but the documentation I have found is very vague, and it is getting a little bit complex for me to deploy. I wonder if there's a guide or better organized documentation about the different configuration scenarios for the ACS solution, or at least a workflow configuration document with sequenced steps. Thanks in advance for your help.
    PS: If any of you is involved with Cisco documentation, I hope this serves as a suggestion and recommendation.
    Regards, Jonás.

    Hi Jonas,
    Please take a look into this doc:
    https://supportforums.cisco.com/docs/DOC-13545.
    It is a step-by-step guide to configuring ACS for dot1x, installing certs on the ACS and integrating with AD.
    Regarding certificate-based authentication, you need to be more specific about which EAP type you intend to use.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • ACS Radius key return

    Does the Cisco ACS return the MS-MPPE-SND-KEY and MS-MPPE-RCV-KEY by default? I have a gateway that says this is required. If not, where is this changed in the ACS server?

    It doesn't return them by default.
    After adding in your NAS as a "Radius (Cisco IOS/PIX)" device, go under Interface Configuration - Radius (Microsoft) and check the attributes you want, either on a Group and/or User basis. Then go under the group or the user, scroll down to where the attributes appear and check them so that they're returned.
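The two attributes asked about above carry key material rather than a yes/no decision: for a WPA2-Enterprise SSID like the ones in the first post, the PMK the AP needs for the four-way handshake arrives in MS-MPPE-Recv-Key. RFC 2548 encrypts them with MD5 keyed by the RADIUS shared secret, the Request Authenticator and a two-octet salt, which is why a NAS with a mismatched secret cannot use an otherwise valid Access-Accept even if it trusted it. The following is an added example, not code from the thread or from ACS; the PMK, secrets and salt are constructed values, and it runs offline.

```python
"""MS-MPPE-Send-Key / MS-MPPE-Recv-Key (RFC 2548 s2.4.2-2.4.3) encryption.

Added example (not from the original thread), pure Python and offline. It shows
why these attributes need the same RADIUS shared secret on both ends: the key
material is wrapped with MD5(secret || Request-Authenticator || salt) chaining.
"""
import hashlib
import os
import struct

VENDOR_SPECIFIC, MICROSOFT = 26, 311
MS_MPPE_SEND_KEY, MS_MPPE_RECV_KEY = 16, 17


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def encrypt_mppe_key(key: bytes, secret: bytes, req_auth: bytes, salt: bytes = None) -> bytes:
    """Returns Salt || C, the String sub-field of the VSA.

    P  = Key-Length(1) || Key || zero padding to a multiple of 16
    b1 = MD5(S || R || A), c1 = p1 XOR b1;  bi = MD5(S || c(i-1)), ci = pi XOR bi
    """
    if salt is None:  # 2 octets, high bit set, unique per packet
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 octets with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * ((-len(plain)) % 16)
    out, prev = b"", req_auth + salt
    for i in range(0, len(plain), 16):
        c = bytes(p ^ b for p, b in zip(plain[i:i + 16], _md5(secret, prev)))
        out += c
        prev = c
    return salt + out


def decrypt_mppe_key(string: bytes, secret: bytes, req_auth: bytes):
    """Inverse of encrypt_mppe_key. Returns None when the recovered length byte or
    padding is implausible, which is what a mismatched shared secret produces."""
    salt, cipher = string[:2], string[2:]
    if not cipher or len(cipher) % 16:
        return None
    plain, prev = b"", req_auth + salt
    for i in range(0, len(cipher), 16):
        c = cipher[i:i + 16]
        plain += bytes(x ^ b for x, b in zip(c, _md5(secret, prev)))
        prev = c
    klen = plain[0]
    if klen == 0 or klen > len(plain) - 1 or any(plain[1 + klen:]):
        return None
    return plain[1:1 + klen]


def mppe_key_vsa(vendor_type: int, key: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Wraps the encrypted key in a Vendor-Specific (26) attribute, vendor id 311."""
    string = encrypt_mppe_key(key, secret, req_auth)
    payload = struct.pack("!I", MICROSOFT) + bytes([vendor_type, len(string) + 2]) + string
    return bytes([VENDOR_SPECIFIC, len(payload) + 2]) + payload


def parse_mppe_key_vsa(attr: bytes):
    """Returns (vendor_type, String) from a Microsoft VSA, or None for anything else."""
    if attr[0] != VENDOR_SPECIFIC or struct.unpack("!I", attr[2:6])[0] != MICROSOFT:
        return None
    vtype, vlen = attr[6], attr[7]
    return vtype, attr[8:6 + vlen]


def deliver_pmk(nas_secret: bytes, server_secret: bytes = b"correct-secret") -> tuple:
    """Server wraps a constructed 32-byte PMK; the NAS unwraps with its own secret.
    Returns (pmk_sent, pmk_recovered_or_None)."""
    req_auth = os.urandom(16)   # taken from the NAS's Access-Request in real life
    pmk = os.urandom(32)        # constructed stand-in for the EAP-derived PMK
    attr = mppe_key_vsa(MS_MPPE_RECV_KEY, pmk, server_secret, req_auth)
    vtype, string = parse_mppe_key_vsa(attr)
    assert vtype == MS_MPPE_RECV_KEY
    return pmk, decrypt_mppe_key(string, nas_secret, req_auth)


if __name__ == "__main__":
    for s in (b"correct-secret", b"wrong-secret"):
        sent, got = deliver_pmk(s)
        print(s.decode(), "->", "PMK recovered" if got == sent else "unusable")
```

Note that the shared secret is effectively the only protection on this key material in transit: an attacker who captures the RADIUS traffic and knows (or guesses) the secret can unwrap every PMK, so the secret between WLC or AP and ACS deserves the same handling as a key, not a password, and RADIUS between sites should not cross untrusted networks unprotected.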

  • WLC + ACS (RADIUS) + MS-AD

    Hi!
    I have been looking around for a way to authenticate users against an MS-AD database from an unmanaged wireless client.
    My design includes a WLC 4400, an ACS 5.4 and MS-AD 2003.
    The goal is to connect a client without any special configuration (on the client); the SSID will be visible, so I just want to join the network and, after the negotiation, it should prompt me for a username and password for the Microsoft database.
    I have read there are limitations setting this up with just the WLC and MS-AD; that's why I want to use RADIUS (ACS), so I can establish trusted communication between the ACS and MS-AD. But so far I have only found documentation where they modify the native supplicant to validate a CA and force MSCHAPv2.
    Thanks in advance for any help.

    Check out the doc below
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
