Rendering a Cisco ACS page is broken in Firefox 15
Since updating to Firefox 15, a page inside my Cisco ACS appliance does not render: Access Policies > Access Services > Default Network Access > Authorization.
The page has historically taken 15-20 seconds to fully load its contents, and the page now renders as if Firefox 15 got sick of waiting and just displayed what content it had. Is this a problem with rendering the page or perhaps did the value of a timer get changed in Firefox 15?
The Cisco appliance is not public-facing, so I am happy to do a screen-sharing session with a Mozilla engineer if it would help troubleshoot. Thanks.
Still broken in 16... Great, now I have to run a version that is 2 versions old.
Similar Messages
-
Juniper SSG and Cisco ACS v5.x Configuration
I searched for a long time unsuccessfully trying to find a resolution to my SSG320M and Cisco ACS v5.x TACACS dilemma. I finally got it working in my network, so I'm posting the resolution here in case anyone else is looking.
Configure the Juniper (CLI)
1. Add the Cisco ACS and TACACS+ configuration
set auth-server CiscoACSv5 id 1
set auth-server CiscoACSv5 server-name 192.168.1.100
set auth-server CiscoACSv5 account-type admin
set auth-server CiscoACSv5 type tacacs
set auth-server CiscoACSv5 tacacs secret CiscoACSv5
set auth-server CiscoACSv5 tacacs port 49
set admin auth server CiscoACSv5
set admin auth remote primary
set admin auth remote root
set admin privilege get-external
Configure the Cisco ACS v5.x (GUI)
1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
Create the Juniper Shell Profile.
Click the [Create] button at the bottom of the page
Select the General tab
Name: Juniper
Description: Custom Attributes for Juniper SSG320M
Select the Custom Attributes tab
Add the vsys attribute:
Attribute: vsys
Requirement: Manadatory
Value: root
Click the [Add^] button above the Attribute field
Add the privilege attribute:
Attribute: privilege
Requirement: Manadatory
Value: root
Note: you can also use 'read-write' but then local admin doesn't work correctly
Click the [Add^] button above the Attribute field
Click the [Submit] button at the bottom of the page
2. Navigate to Access Policies > Access Services > Default Device Admin > Authorization
Create the Juniper Authorization Policy and filter by Device IP Address.
Click the [Customize] button at the bottom Right of the page
Under Customize Conditions, select Device IP Address from the left window
Click the [>] button to add it
Click the [OK] button to close the window
Click the [Create] button at the bottom of the page to create a new rule
Under General, name the new rule Juniper, and ensure it is Enabled
Under Conditions, check the box next to Device IP Address
Enter the ip address of the Juniper (192.168.1.100)
Under Results, click the [Select] button next to the Shell Profile field
Select 'Juniper' and click the [OK] button
Under Results, click the [Select] button below the Command Sets (if used) field
Select 'Permit All' and ensure all other boxes are UNCHECKED
Click the [OK] button to close the window
Click the [OK] button at the bottom of the page to close the window
Check the box next to the Juniper policy, then move the policy to the top of the list
Click the [Save Changes] button at the bottom of the page
3. Login to the Juniper CLI and GUI, and attempt to change something to verify privilege level.Cisco Prime LMS is not designed to manage appliances like the ACS. ACS is not on the LMS supported device list and I would doubt that it would be as LMS's functions are mostly not applicable to the appliance or software running on it.
You can use ACS as an authentication source for LMS, but authorization is still role-based according to the local accounts on the LMS server. -
Unable to generate reports in Cisco ACS 4.2
Hi All,
I have configured AAA on Firewall & i am successfully able to login into it using ACS username & password but unable to generate Accounting & Administration logs. Whenever i check either of these logs it shows me blank page. Below is the AAA config on Firewall.
I have installed Cisco ACS 4.2 on windows 2003 server.
aaa-server test protocol tacacs+
aaa-server test (inside) host X.X.X.X
key **********
no aaa authentication http console AAA LOCAL
aaa authentication http console test LOCAL
no aaa authentication ssh console AAA LOCAL
aaa authentication ssh console test LOCAL
aaa authentication telnet console test LOCAL
aaa authentication enable console test LOCAL
aaa accounting enable console test
aaa accounting ssh console test
aaa accounting telnet console test
aaa accounting command test
Awaiting for soln.
Thanks in advance.
Regards,
Amit.I had the same experience. I even reinstalled Remote Desktop on Leopard, which caused all the passwords and machines I had registered were hosed and I could build up the user/password database again.
Look in your console log. If you see something like:
Feb 12 10:55:22 dhcp46 [0x0-0x1a01a].com.apple.RemoteDesktopAgent[660]: IpcMemoryCreate: shmget(key=5433001, size=1466368, 03600) failed: Cannot allocate memory
It means that the postgresql database that is started for collection this information can startup. It will try several times, and then fail. The way to fix this
-Apple supplies their postgresql with some sensible memory settings for the trivial task they are asking postgresql to do
-increase the memory settings from the complete system. In Leopard you do that by creating a file called /etc/sysctl.conf
and add something like this:
kern.sysv.shmmax=167772160
kern.sysv.shmmin=1
kern.sysv.shmmni=32
kern.sysv.shmseg=8
kern.sysv.shmall=65536
See also:
http://forum.servoy.com/viewtopic.php?p=47461 -
Domain controller configuration in Cisco ACS 4.2
Hi all,
We are having a long pending ticket one of our customer has raised with us.
Problem is related to cisco ACS version 4.2.
Customer has raised a concern that while authenticating with the ACS requests are reaching to Secondary domain controller instead of Primary domain controller.
We do not have the access of the physical server, but our server team have.
We do have the Gui page access by http://<ACS IP>:2002
In our ACS external data base is configured with the domain name, there is no IP related information for the Domain controller. I think that can be confiured in physical server. In short, we are having windows server and running ACS software on top of that.
How can we proove this to the customer that requests for Network device authentication is going to Primary domain controller and not to the secondary domain controller.
Please help us out. We tried before with Server team and given some command like %logonserver% and was indicating Primary domain controller IP. Is there any other way to prove this.
Regards,
Kalpesh ModiThe logs receiving is not in proper format .unable to understand the details in logs .Please find the below example
"Feb 20 12:48:40 ACS0 CSCOacs_Passed_Authentications: 0000412469 3 0 2012-02-20 12:48:40.225 +04:00 0188387558 5200 NOTICE Passed-Authentication: Authentication succeeded, ACSVersion=acs-5.2.0.26-B.3075, ConfigVersionId=868, Device IP Address=x.x.x.x, UserName=frad.cole, Protocol=Radius, RequestLatency=24, NetworkDeviceName=dxb-palmj-pop-s93-bds1a, User-Name=frad.cole, NAS-IP-Address=x.x.x.x, NAS-Port=0, Service-Type=Administrative, Framed-Protocol=X.75 Synchronous, Framed-IP-Address=x.x.x.x, Login-IP-Host=x.x.x.x, NAS-Identifier=Dxb-PalmJ-POP-S93-BDS-1A, NAS-Port-Type=-1, NAS-Port-Id=slot=0\;subslot=0\;port=0\;vlanid=0, AcsSessionID=OACS0/109447559/11612656, AuthenticationIdentityStore=AD1, AuthenticationMethod=PAP_ASCII, SelectedAccessService=Radius Rules, SelectedAuthorizationProfiles=JUNIPER-Activation-Ent, SelectedAuthorizationProfiles=Radius-CiscoAVPair-lvl-1, IdentityGroup=IdentityGroup:All Groups:Migrated_Group:Enterprise-Activation, Step=11001 "
Is there any other setting to get the logs in proper fromat .
Do we need to change the "Facility Code:Local 6" to some other values .
Kindly advice . -
User authentication in Cisco ACS by adding external RADIUS database
Hi,
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
Any help on this would be really grateful to me.
Thanks and Regards,
Rahul.Thanks Ajay,
As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
-> In external user databases, i have added a external RADIUS token server.
-> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
-> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
Here is what i found in "Failed attempts" logs under Reports and activities.
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
Filtering is not applied.
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
02/28/2012
00:42:18
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:41:33
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:31:52
Unknown NAS
Am i missing any thing in configuration side with respect to ACS?
Thanks -
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
hi,
I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
Any ideas?here is some debug from the router:
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
In the VPN Client log it say "User does not provide any authentication data"
So to summarise:
-Same ACS server\router\username combination works fine for telnet access.
-VPN works fine with local authentication.
-No login failures showing in the ACS logs. -
Problem with Firefox rendering using a jspx page
Hello, your help will be very important for me, so please read this :
this is the code of my jspx page :
<?xml version="1.0" encoding="iso-8859-1" standalone="yes" ?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:h="http://java.sun.com/jsf/html"
xmlns:af="http://xmlns.oracle.com/adf/faces"
xmlns:afh="http://xmlns.oracle.com/adf/faces/html">
<jsp:directive.page contentType="text/html;charset=utf-8" />
<f:view locale="#{locale.locale}">
<!-- Load localized messages -->
<f:loadBundle var="bundle" basename="localizedMessages" />
<!-- Main document element -->
<af:document title="#{bundle.account_bucket_title}">
<af:panelBorder>
<f:facet name="top">
<af:panelGroup>
<!-- Top bar -->
<jsp:directive.include file="includes/header.jspf" />
<!-- Top menu -->
<jsp:directive.include file="includes/MenuTop.jspf" />
</af:panelGroup>
</f:facet>
<f:facet name="bottom">
<af:panelGroup inlineStyle="position: relative; bottom:0px">
<!-- Bottom menu -->
<jsp:directive.include file="includes/MenuBottom.jspf" />
</af:panelGroup>
</f:facet>
<!--bucket details-->
<af:panelGroup layout="vertical"
inlineStyle="overflow:auto; height=88%; position:relative">
<af:objectSpacer width="100" height="20" />
<af:panelHeader text="#{bundle.account_bucket_title}" size="0" />
<af:objectSpacer width="100" height="20" />
<af:table emptyText="#{bundle.account_bucket_no_items}" var="item"
value="" width="100%">
<af:column sortable="true"
headerText="#{bundle.account_bucket_bundle_table_col1}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bundle_table_col2}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bundle_table_col3}"
headerNoWrap="true" formatType="text">
<af:table emptyText="#{bundle.account_bucket_bucket_no_item}"
var="item" value="" width="100%">
<af:column sortable="true"
headerText="#{bundle.account_bucket_bucket_table_col1}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bucket_table_col2}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bucket_table_col3}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bucket_table_col4}"
headerNoWrap="true" formatType="text">
<af:outputText value="" />
</af:column>
<af:column sortable="true"
headerText="#{bundle.account_bucket_bucket_table_col5}"
headerNoWrap="true" formatType="icon">
<af:commandButton
text="#{bundle.account_bucket_bucket_adjustment_btn}"
action="" />
</af:column>
</af:table>
</af:column>
</af:table>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
<af:objectSeparator></af:objectSeparator>
</af:panelGroup>
</af:panelBorder>
</af:document>
</f:view>
</jsp:root>
When i use IE there is no problem, an iFrame is generated and the bucket detais are rendered into it.
The problem is with Firefox, the is an iFrame in the HTML code, but there is no rendering of it : why ?
it seems that iFrames are well-rendered with FireFox and i don't no how to change my page to render it good with both FireFox and IE
Please tell me a solution, something to change with my ADF tags ?...
Sincerely,
edward.i found solution for the problem that i use the following code to include JavaScript file
i found that the problem occurred when i use the following code to include JavaScript file
<script type="text/javascript" src="javascriptfile.js"/>
also if i included 2 JavaScript files only one file is included at runtime
but when i used the following code to include JavaScript files
<afh:script source="javascriptfile.js"/>
the two problems were solved (the problem of LOV and the problem of including multiple /js files)
i don't know if it is a bug in the ADF or i made a mistake in the previous way
any way thanks to you all for helping me -
I just upgrade to versions 18.0.1. I am suing Window 7 64 bit.
Now I while I am viewing a page I suddenly receive the error massage "Oops! This page appears broken. DNS Error - Server cannot be found."
I can use the back arrow key to bring the paper back.
If I have several tabs open, I can watch one tab after another change from the page name, It doesn't seem to matter who page it is, Yahoo, Washington Post, NBCNews,I am not a techie. I keep 15-20 to tabs open at a time for reference while working. When I upgraded to this version, all my tabs were closed and my history was erased. I still have not recovered from that loss. I do not want to have this repeated!
If I was using pdfforge extension (what ever that is) before the upgrade, why is it venomous now?
Besides this issue, since upgrading I suddenly starting having the audio from commercials being played from tabs that are not active (open). I now have to leave my audio muted.
I expected assistance from Firefox not some unknown individual ( iamjayakumars) who for all I know is a troll trying to get me to do something to expose my computer to attack.
I allowed Firefox to collect data they needed from my computer when I submitted the question.
Fix the bug in your program! I have used Firefox since it came out. I am within a hairs width of switching browser. The only thing holding me with Firefox is my bookmarks. If I figure out how to export them, I am gone.
FIX YOUR BROWSER!!! -
Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3
does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
ciscoISE/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
ciscoISE/admin(config)# snmp-server
Ciscoacs/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
Ciscoacs/admin(config)# snmp-serverNo support SNMP v3 on ISE v1.2 and 1.3 except for profilling
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30 -
Linksys WAP54G connecting to CISCO ACS via LEAP
I understand that Linksys WAP54G support WPA and 802.1x authentication. Will a cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server ?
Connection scenario:-
Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
Pls advise if such setting is feasible.
TksThis is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksy's product line. They operate as a totally separate wholly own subsidiary of Cisco.
As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.;
Also there are two types of WPA. WPA-Personal, which supports only the WPA encryption, and the keys are handles by a Pre-shared Key input system (no radius server) and WPA-Enterprise, which is certified using WPA encryption an 802.1x EAP-TLS radius server (in fact using Microsoft and Funk Software servers). make sure that the Linksys supports WPA-enterprise, or it may not support 802.1x.
Bruce Alexander, Cisco -
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, DavidHard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.
-
CS-MARS user authentication using Cisco ACS
Hi,
I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
Thanks and Regards,
Ahmed Shahzad.Hi,
I would like CS-MARS (Web Interface) user authenticaiton to be done by Cisco ACS Server. Please let me know, either it is possible or not? And if possible then reply how to configure it.
Thanks and Regards,
Ahmed Shahzad. -
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
I use tacacs+ authentication for logging into the Cisco router
such as telnet and ssh. In the ACS I use "external user databases"
for authentication which proxy the request from the ACS over
to the RSA SecurID Server. I installed RSA Agents with
sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
to be "RSA_SecurID" group. In the "External user databases" and
"database configurations" I assign SecurID to this "RSA_SecurID"
group.
Everything is working fine. In the "User Setup" I can see dynamic
user test1, test2,...testn listed in there as "dynamic users". In
other words, I can telnet into the router with my two-factor
SecurID.
The problem is that if test1 wants to go into "enable" mode with
SecurID login, I have to go into "test1" user setting and select
"TACACS+Enable Password" and choose "Use external database password".
After that, test1 can go into enable mode with his/her SecurID
credential.
Well, this works fine if I have a few users. The problem is that
I have about 100 users that I need to do this. The solution is
clearly not scalable. Is there a setting from group level that
I can do this?
Any ACS "experts" want to help me out here? Thanks.That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get
into exec mode. After that, he/she has to use the RSA token password to
get into enable mode. Each user can get into "enable" mode with his/her
RSA token mode.
The way you descripbed, it seemed like anyone in this group can go directly
into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks. -
How to hide line console parameters through Cisco ACS
Hi,
Can any one of you please help me in the following scenario ?
I want to hide the line console, line aux and line vty configuration parameters of the cisco devices based on user level privillages through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line paramenters on the cisco devices for which he had privilege level 7 access.
Can you please help me out how to achieve this?? Your help in this regard is highly appriciated.
ThanksThis thing is possible with local authorization on IOS device. With ACS this is not possible.
In acs you can set what all commands a specific user can issue. That feature is called command authorization.
For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on router/switch.
Best way to set it up is to give all user priv lvl 15 and then define what all commands user can execute.
Note : Having priv 15 does not mean that user will able to issue all commands.
We will set up command authorization on acs to have control on users.
This is how your config should look,
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization config-commands
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts
Maybe you are looking for
-
Computer wont recognize 10GB Ipod Gen 3 - Please Help
Alright, Im not an idiot and I read every post related to this subject. I reviewed each of the following links and did everything they told me to do: http://docs.info.apple.com/article.html?artnum=305136 http://docs.info.apple.com/article.html?artnum
-
I have a nano and I put too many songs on. The IPOD automatically created a generic playlist with most of my songs scrambled in it. I mistakenly deleted this generic playlist and then unchecked many of my songs hoping I would have freed up some space
-
EDI Message Type for Credit Memo inbound message
Hi Experts , We have ECC6.04. We configured Incoming vendor invoice idoc ( Message Type - INVOIC, Basic type - INVOIC02) which is working fine. We also have Credir Memo incoming message ( Message Type - GSVERF , Basic type - GSVERF03 , Processing
-
Trouble making a seemless slideshow
so heres the deal. I need to make a slideshow with holders that call images from an external source. (this is so clients can update the slide show by replacing these images, and not tinkering with the flash file). I have about 6 holders set up in the
-
I am using a static lov which has a code and description. I select an entry from this lov and it's code is stored in a table. I now want to create a chart on the contents of this table, but need to translate the code stored in the table to the descri