Radius & Tacacs

I have a Cisco AP1200, I want admin access to be authenticated via Tacacs+ and wireless users to be authenticated by Radius. However I cannot seem to set the ACS 3.2 to accept both types of authentication for one device, either one or the other. I have tried adding two devices in, one for each type of authentication, however you cannot have two devices with the same name. Is there a possible work-around for this?

hi Will,
all you need is to set up two groups under "Network Device Groups"; then you can use one group for Radius and the other group for Tacacs.
For that follow this path:
Interface Configuration-->Advanced Options-->(check)Network Device Groups
I hope this helps

Similar Messages

  • How to stop Radius/Tacacs service in ACS 5.2 ?

    Hi, is there a way to stop the Radius/Tacacs service in ACS 5.2 from the GUI ?

    There will be a more convoluted way to do it. Say for example you want to do it for RADIUS:
    - define an access service that should take all RADIUS requests
    - for the identity policy, authenticate against the internal database and set the Advanced Option for "If user not found" to drop the request
    This should silently drop all RADIUS requests.
    It can be done similarly for TACACS+.

  • Where is radius/tacacs communication taking place

    hello,
    if I am logging in to a domain, and my domain is configured for authentication to an ACS, where is the radius/tacacs communication taking place?
    - is it from client to ACS
    - or is it from domain to ACS

    Depending on what device you are authenticating against - normally it would be client->Device->ACS->Domain
    HTH

  • Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

    Hello,
    Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configure it with a Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
    I am able to configure this with Cisco ACS 4.2 with a customised VSA file but can't understand how to configure it on ACS 5.1.
    Thanks in Advance.

    Hi Eduardo,
    Can you tell me how to map ACS 4.2?
    service=junos-exec
    local-user-name=Engineering
    Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed on to ACS 5.2? I don't have access to a sniffer or tap, nor do I have rights on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
    Also, I'd like to see where I'd map this on ACS 5.2. Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
    local-user-name=opertions
    allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
    deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

  • Simultaneous Radius & TACACS+ Support on WLC

    I currently have my controller configured in my Cisco Secure ACS (ver 3.3) as a Radius NAS.
    This is for the wireless clients to authenticate using PEAP.
    Now I would like to set up my controller to use TACACS+ for management. I see where to configure it on the controller, which looks straightforward.
    However, I am not sure what to do on the ACS. If a controller is already configured for Radius, how can I configure it to also support TACACS+? I don't see an option to have it support both. I can't add the same controller in twice either.
    Any suggestions/recommendations are appreciated.
    I'm wondering if my only option is to set up management using Radius too.

    Thank you. That worked. I created one group called controllers-tacacs, listed each of my controllers and selected TACACS+ as the authentication type.
    However, I still can't get the controller to use TACACS+ for management. I added in the ACS information using port 49 under the security->tacacs->authentication menu option. It does not have the option to pick network user or management like the radius authentication menu does. So I just entered in all the valid data: shared secret, port, enabled, etc. I used the same shared secret as the controller-tacacs group I created on the ACS.
    However, the controller does not use tacacs+ for management logins. I still have to use the local mgmt users account.
    Anyone have any ideas?

  • Software to test RADIUS/TACACS authentication to ACS server

    Hi experts,
    Is anyone aware of a software that will test RADIUS and/or TACACS authentication to an ACS server from a PC? Same as what you can do on the Cisco VPN concentrator from the page Configuration | System | Servers | Authentication | Test Screen.
    Thanks in advance!

    If you look in the ACS utils folder you'll see radtest and tactest.exe.
    These can be used to generate test packets. If you install ACS on another PC you can fire requests from that other PC too.
    I think Vasco (the token card vendor) had a really nice GUI-based RADIUS client too.
    Darran
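    As an added illustration of what such a test client has to do on the wire (this is example code written for this page, not the radtest utility or anything from the thread): a minimal RFC 2865 Access-Request builder in Python with the PAP User-Password hiding, the datagram layout, and the Response Authenticator check a tester must perform on the reply. The shared secret, user name, NAS IP and reply are constructed sample values.

```python
"""Minimal RADIUS Access-Request builder (RFC 2865) for exercising a RADIUS server.
Added example, not code from the thread. Standard library only; all sample
values (secret, user, NAS address, reply) are constructed for illustration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous)."""
    password = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """One type-length-value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = b"\xc0\xa8\x01\x0a",  # constructed 192.168.1.10
                         authenticator: bytes = b"") -> bytes:
    """Complete Access-Request datagram, ready for sendto() on UDP/1812."""
    authenticator = authenticator or os.urandom(16)  # fresh random Request Authenticator
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP, nas_ip))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator_ok(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """RFC 2865 3: reply authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]


def constructed_access_accept(ident: int, request_authenticator: bytes, secret: bytes) -> bytes:
    """Attribute-less Access-Accept as a correct server would sign it (for offline testing)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request_authenticator + secret).digest()
```

    A reply whose authenticator fails response_authenticator_ok must be discarded, since anyone on the path can forge an Access-Accept without the shared secret.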

  • How to set UCS Locales using Radius/Tacacs+ Attributes

    I know how to set a remotely authenticated/authorized user's Role using the Radius av-pairs with UCS.
    What Radius attribute/av-pair syntax is needed to set the user's Locale within UCS?
    I have tried shell:roles="role@locales" and shell:locales="locale name" with no success.

    Something else to note:
    Configuring locales for the following user roles is not valid, as these are global-system users:
    - aaa
    - admin
    - operations
    Locales can be configured only with the following user roles:
    - Network
    - Server-equipment
    - Server-profile
    - Server-security
    - Storage

  • Configure PIX to use both TACACS and RADIUS for VPN

    PIX 506E using ver 6.3: Whenever I add the command "crypto map mymap client authentication PARTNERAUTH" it removes the current TACACS+ client authentication. I need to have both until I've finished testing the radius server. Can I add an additional crypto map designation command to accommodate and use both the current TACACS+ (ACS) and RADIUS?

    Hi,
    Unfortunately what you want to do cannot be done on the pix. Let's say that you have multiple vpn groups on your firewall; as soon as you apply the following command:
    crypto map mymap client authentication partnerauth
    where partnerauth can be a radius, tacacs, tacacs+ or an ACS server:
    aaa-server partnerauth protocol radius
    aaa-server partnerauth (inside) host 172.18.124.196 cisco123
    As soon as you use "crypto map mymap client authentication partnerauth" the authentication is applied globally on the crypto map, thus affecting all the vpn groups configured.
    You can have multiple vpn groups running on your firewall (dynamic crypto maps) but you need to associate them to a static crypto map (crypto dynamic-map dynmap 10 set transform-set myset).
    You can only have 1 crypto map applied to one interface; when you apply this line:
    "crypto map mymap client authentication partnerauth"
    the authentication is applied to ALL the clients. We cannot separate the extended authentication based on the vpn group or ip address.
    Please rate if that helps !
    Regards,
    ~JG

  • Upgrade ACS V3.2 - V4.0 Tacacs/Radius Key Query

    Hi All
    I am in the process of upgrading my ACS server from V3.2 to V4.0.
    I have a Production Server which will be replaced by the New Production Server, and a Test Server for upgrading the ACS Database.
    I have successfully upgraded from V3.2 to V3.3 then to V4.0 on my test server.
    My original plan was to upgrade the database with my Test Server and restore it to my New Production Server:
    just copy the new V4.0 database to the New Production Server and change the ip address to the old server's address.
    However, looking through the database there are sections which are hardcoded with the test server's hostname.
    This has forced me to rethink my original plan and to use the original server's hostname.
    This also got me thinking what else is hardcoded in the database.
    My question is - when I installed V3.2 on my test server,
    under the Tacacs+ or Radius Key section - do I need to put the same key as the original V3.2 database, or will this key change when I come to restore the original database on the test server?
    I am just concerned that my radius/tacacs clients will not authenticate with the new server when it is put into production with the new V4.0 database.
    Thanks in advance

    Hi,
    The "hard-coded" things will change automatically once the database is restored on the new server.
    The only thing which you would need to take care of is the change in IP address, such that the clients send the request to the right ACS.
    Regards,
    Vivek

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The Radius server is a Microsoft NPS and the WLC is a Cisco 5508.
    thanks !!!

    WPA and WPA2 are actually interim protocols that were used until the standardization of the IEEE 802.11i standard. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard would take more time. So, they came up with WPA.
    Now, WPA2 is an advanced version of WPA. WPA2 uses AES as the encryption algorithm. Whereas WPA uses TKIP as the encryption mode, which in turn uses the RC4 encryption algorithm.
    WPA and WPA2 each come in 2 types:
    WPA/WPA2-PSK - This is mainly for small offices. This uses a Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server for authentication, like an ACS server, is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials like Certificates, SIM etc. for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • ACS5.3 - VMWARE Version - TACACS+ response latency greater than 3 seconds

    Need your help to close this error. Is this due to server process delay?
    Cisco Secure ACS - Alarm Notification
    Severity: Information
    Alarm Name
    TAFE ACS - PROCESS STATUS
    Cause/Trigger
    Alarm caused by TAFE ACS - PROCESS STATUS threshold
    Alarm Details
    Alarm details are not available
    Generated On
    2014-09-08 14:14:00.0
    Name:
    TAFE ACS - PROCESS STATUS
    Description:
    RADIUS/TACACS+ response latency greater than 3 seconds

    Hello,
    You can customize the threshold values with the help of the following Cisco docs:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/user/guide/monit_report.html#wp1053255
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/viewer_monitoring.html#wp1099583

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • Cisco MDS 9513/9509 LDAP/AD Auth via SSH & Fabric Manager

    Hello Folks,
    I am trying to look for a working config with LDAP auth over SSH. I know how to use them over TACACS+ & Radius. But due to other internal issues, currently I am trying to get the Cisco MDS to directly auth using LDAP/AD. Also, I see no option for LDAP/AD in FM (Fabric Manager), but just TACACS+, Radius, LocalFM and MDS. Does using MDS use the default auth (ie whatever AAA authentication is configured for, or the local DB on the switch)? Does the new DCNM support LDAP/AD auth on the GUI?
    The larger goal is SSH (CLI) & FM (GUI) using the same LDAP/AD auth. I understand the snmp-server user issue. But once I have SSH working over LDAP/AD I can figure that out too.
    Here's what I need to ensure when using LDAP/AD auth:
    1) What is the exact config for this LDAP/AD auth?
    2) How do I ensure that network-admin & network-operator roles are assigned when certain AD Groups log in, like ADMIN-AD-GROUP, OPERATOR-AD-GROUP --> trying to log in to the switch?
    3) Also, using the SSL port for LDAP, are the details encrypted over the network?
    4) Do I need to use the PASSWORD in plaintext when BINDING the BaseDN? Can it be an encrypted password?
    Appreciate any info on this. Thanks for your time.

    As of DCNM 6.1 (aka Fabric Manager Server) we support LDAP authentication in addition to the existing Radius, TACACS+, local and switch authentications. You can upgrade from Fabric Manager 5.0 to DCNM 5.2 to DCNM 6.1 if you would like to keep current performance, events and config data alive. We do recommend a fresh install as we don't know what state your server database might be in. Including some links for you to help out with deployment and best practices (see release notes).
    Resources:
    Main Website:
    http://www.cisco.com/go/dcnm
    How To Video Series:  http://www.cisco.com/en/US/prod/netmgtsw/ps6505/ps9369/cisco_dc_nm_video_library.html
    Install and Licensing Guide:
    http://www.cisco.com/en/US/products/ps9369/prod_installation_guides_list.html
    Evaluation Licenses: http://tools.cisco.com/SWIFT/LicensingUI/Home?FormId=65
    Download Linux and Windows Executables: http://www.cisco.com/cisco/pub/software/portal/select.html?&i=!m&mdfid=281722751
    Data Sheets: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6505/ps9369/data_sheet_c78-639737.html
    Install Guide: http://www.cisco.com/en/US/products/ps9369/prod_installation_guides_list.html
    Configure Guide:  http://www.cisco.com/en/US/products/ps9369/products_installation_and_configuration_guides_list.html
    API Programming Guide:
    http://www.cisco.com/en/US/products/ps9369/products_programming_reference_guides_list.html
    Reference Guide: http://www.cisco.com/en/US/products/ps9369/prod_technical_reference_list.html
    Release Notes: http://www.cisco.com/en/US/products/ps9369/tsd_products_support_general_information.html

  • 2 Factor Authentication for Anyconnect VPN using ISE

    We are planning to implement dual factor authentication for Anyconnect VPN.
    The end users will be authenticated using the domain name in machine certificates and username/password, with ISE used as the radius server.
    We have the following approaches to achieve this:
    1. Use primary and secondary authentication with user credentials as primary authentication and the CN field of the certificate as secondary authentication. However, this option prompts users for a password for both fields, while we want the machine certificate to authenticate itself without a password.
    2. The second approach is to authenticate using user credentials and authorize the user to access the network if the machine certificate has a domain name in the CN field, which we are able to validate from the AD using Dynamic Access Policy.
    We are looking forward to discussions on the above approaches and are open to any other solution.

    Hi Umahar,
    Not sure I understood correctly. You would like to authenticate the user using a machine certificate for anyconnect and want to extract the CN attribute of the client's certificate and send it to the ISE server for further authentication with AD. And also you don't want an additional password prompt to be presented to the user.
    If my understanding is correct, then the user would get a prompt for the password at least, because in the machine certificate there won't be a password, but to authenticate with RADIUS/TACACS we need both username and password. So how will the user get authenticated without a password?
    If you are looking for a way to just see if the user is present under AD, not exactly an authentication, then this might not be possible.

  • Anyconnect ASA 5510

    Hi people
    I have configured Anyconnect access with split tunneling and I can connect with the username and password, but the problem is: I can't connect to the two hosts I have given in my split tunneling. When I connect to anyconnect I get the IP address which I specified in the Pool but still can't connect to the hosts. Another question is how to tell the ASA that only this IP address 10.54.112.90 should access via Anyconnect?
    I am new to the ASA world so please bear with my questions if you think they're stupid.

    Since you are able to connect but not able to access the resources mentioned in split tunneling after connecting with VPN, it should be either a NAT or ACL issue, or maybe inspection if it's only ping that is not working.
    If you can post your configuration then I can check it for you; else you can follow the link mentioned below to verify your configuration against a sample for Anyconnect with split tunneling:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml
    Regarding the second question, it is not quite clear; however, if you are asking how we can assign a specific address to a VPN user every time, then you can configure the same in the username attributes, or you can assign it via a third-party authentication server like Radius/TACACS if you have any.
    Hope that helps.
    Regards,
    Anuj
