Select AVC profile on WLC based via ACS

Hi there
I just saw the AVC feature in WLC version 7.4.100.0 and wonder if there is a possibility to select an AVC profile per user, based on its RADIUS authentication via ACS.
For example:
- A user in group teacher can access YouTube on SSID A
- A user in group student cannot access YouTube on SSID A
Thanks a lot in advance and best regards
Dominic

Well, I don't know if this will come in the future for ACS or ISE, but in order for this to work also in other RADIUS servers, it would have to be a new RADIUS standard attribute others have to implement, and also the WLC would have to be able to see that attribute. So if it's anytime soon, well... maybe not :)
Sent from Cisco Technical Support iPhone App

Similar Messages

  • Anyconnect VPN-Authentication multiple profiles via ACS

    Hi,
    I'm currently facing the issue that I need to migrate a customer's VPN structure from the VPN client to the new AnyConnect.
    There is an ASA5515 and they have ACS with local users and AD integration.
    The problem: the old system used different profiles with PSK, so every external partner who had a VPN connection got its own profile, which was secured by the IKEv1 PSK. The credentials for externals are saved locally on ACS. Also there is a profile for the normal employees, who authenticate via AD or RSA. The guys who implemented this did it the easy way, meaning when a user connects, the whole user table is checked (AD, local, RSA). So if an external had the .pcf from an internal user, it would be possible for him to connect to internal resources. There was no profile-to-usergroup binding.
    I should now implement a new ASA with AnyConnect and also keep up the different profiles. But in this case the problem is that there is no PSK any more. So if a smart guy changes the group in his XML profile to e.g. "Internal", it would authenticate and grant access to all resources, since the internal pool isn't restricted by ACLs, but the externals are.
    I'm looking for a guide on how to set up different policies on the ACS, which look up the user only in the one group, depending on the profile he connected with. As far as I understand, I must somehow define already on the FW which group or policy it should look up. How can I achieve this?
    What do I need e.g. for 10 different profiles?
    - 10 groups on ACS?
    - 1 Access Policy (Network Access) -> with 10 different Authorization Policy rules?
    - Anything else?
    Where do I define the policy to use in Anyconnect?
    Thanks in advance!
    BR

    I've done a similar deployment where all authentication, authorization and accounting was pointed from the ASA to ACS.
    There are multiple layers to your question.
    First of all, you have ACS, hopefully 5.x, which gives you a nice policy-driven authentication and authorization schema.
    1st layer - set up group-alias and group-urls for specific users on the ASA.
    2nd layer - ACS decides where those connections should be authenticated/authorized against (go to AD, RSA, local DB). The ASA passes the tunnel group name in authentication calls to ACS.
    3rd layer - the group-lock feature ensures that users can only have access to resources if they are in a specific group.

  • AP Authentication via ACS.

    Hi All,
    Just a basic question regarding MAC-based authentication of APs with ACS.
    The scenario is: I have an ACS installed and I want all my Cisco 3502 APs to be authenticated on a MAC basis via ACS. I know that the AP MAC is used as the username and password at ACS, so that whenever we plug a new AP into the network, it gets authenticated via ACS first, and only if the AP is authorised to be used in the network does it get an IP address from DHCP.
    My question is: what will happen if the AP is connected in local mode at a remote location and the WLC, ACS & DHCP are in the datacenter? The traffic coming from the remote location will pass through the remote-site router, and during that pass it will remove the source MAC address of the AP and put the router interface MAC address as source, so how will the ACS authenticate the AP in that case?
    When working in a LAN I know it's possible, but how will it work over the WAN?
    Please suggest ASAP.
    Thanks in Advance.
    Regards
    Harish

    Harish:
    As you may know, traffic between the WLC and APs is encapsulated in a CAPWAP tunnel.
    The information inside the CAPWAP should tell the WLC what MAC address the AP uses.
    The CAPWAP RFC mentions that you can do AP authorization in two ways:
    - with certificates
    - with PSK.
    The standard does not imply what the PSK should be; however, Cisco seems to use the MAC address of the AP when AP authorization is enabled. The RFC recommends using the MAC address of the AP as the PSK.
    2.4.4.4.  PSK Usage
       When DTLS uses PSK Ciphersuites, the ServerKeyExchange message MUST
       contain the "PSK identity hint" field and the ClientKeyExchange
       message MUST contain the "PSK identity" field.  These fields are used
       to help the WTP select the appropriate PSK for use with the AC, and
       then indicate to the AC which key is being used.  When PSKs are
       provisioned to WTPs and ACs, both the PSK Hint and PSK Identity for
       the key MUST be specified.
       The PSK Hint SHOULD uniquely identify the AC and the PSK Identity
       SHOULD uniquely identify the WTP.  It is RECOMMENDED that these hints
       and identities be the ASCII HEX-formatted MAC addresses of the
       respective devices, since each pairwise combination of WTP and AC
       SHOULD have a unique PSK.  The PSK Hint and Identity SHOULD be
       sufficient to perform authorization, as simply having knowledge of a
       PSK does not necessarily imply authorization.
       If a single PSK is being used for multiple devices on a CAPWAP
       network, which is NOT RECOMMENDED, the PSK Hint and Identity can no
       longer be a MAC address, so appropriate hints and identities SHOULD
       be selected to identify the group of devices to which the PSK is
       provisioned.
    You may spend more time reading the CAPWAP RFC if you are interested.
    CAPWAP RFC: http://www.ietf.org/rfc/rfc5415.txt
    Hope this answers your concern.
    Amjad
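    The RFC passage quoted above separates selecting a key by hint/identity from authorizing the WTP. The following added model (not Cisco or WLC code) shows that split on the AC side; the MAC formatting, the PSK store and the authorized-WTP list are constructed assumptions, and no DTLS is actually performed.

```python
"""Added model of CAPWAP DTLS-PSK key selection and WTP authorization (RFC 5415,
section 2.4.4.4). Not Cisco/WLC code: the MAC formatting, the PSK store and the
authorized-WTP list are constructed assumptions, and no DTLS is performed."""
import hmac
import re
from typing import Optional

AC_MAC = "00:1A:2B:00:00:01"  # constructed sample address for the AC (controller)


def mac_to_identity(mac: str) -> str:
    """Render a MAC as the ASCII-HEX hint/identity the RFC recommends.
    Assumed format: 12 upper-case hex digits with separators stripped."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


AC_HINT = mac_to_identity(AC_MAC)
AP1, AP2, AP3 = (mac_to_identity(m) for m in
                 ("00:1A:2B:AA:AA:01", "00:1A:2B:AA:AA:02", "00:1A:2B:AA:AA:03"))

# One unique PSK per (AC hint, WTP identity) pair, as the RFC recommends.
PSK_STORE = {
    (AC_HINT, AP1): b"constructed-psk-ap1",
    (AC_HINT, AP2): b"constructed-psk-ap2",
}
# Authorization is a separate list: AP2 holds a key but is not authorized,
# AP3 is authorized but has no key provisioned yet.
AUTHORIZED_WTPS = {AP1, AP3}


def ac_select_psk(hint: str, identity: str) -> Optional[bytes]:
    """AC side: pick the key for this WTP/AC pair from the identity fields.
    Returns None when the hint names another AC or no key is provisioned."""
    if hint != AC_HINT:
        return None
    return PSK_STORE.get((hint, identity))


def is_authorized(identity: str) -> bool:
    """Possession of a PSK does not imply authorization; consult the list."""
    return identity in AUTHORIZED_WTPS


def handshake_outcome(hint: str, identity: str, wtp_psk: bytes) -> str:
    """Decide how the AC would treat a join: authorize the identity first,
    then select the key for the pair and compare it with what the WTP holds."""
    if not is_authorized(identity):
        return "refused: WTP identity not authorized"
    ac_psk = ac_select_psk(hint, identity)
    if ac_psk is None:
        return "refused: no PSK provisioned for this WTP/AC pair"
    if not hmac.compare_digest(ac_psk, wtp_psk):  # constant-time comparison
        return "refused: PSK mismatch"
    return "accepted"
```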

  • Dynamically changing the select list in an LOV based on the login user

    We have a field in a form which is a combobox. The form is to be linked to different profiles of users. Based on the logged-in user we would like to restrict the select list in the LOV, i.e. user1 should see a LOV which is different from that seen by user2. Is this possible? If so, how can this be done? Kindly reply.
    Thanks & Regds,
    Jayanthi

    Thanks for your reply. But my problem is that I have a table having details of some products which includes spare parts also (name, id, price etc.). In my form I have the combobox field which should have a list of these products which the user can select. Now depending on the user's profile he should see only his related products (one profile of users should view only the products but not the spares, while the other should view only spares). The details of both the products and spares are in the same table. We have a criteria to differentiate between the products and the spares. The LOV should display at run time either products or spares depending on his profile as he logs in. Hope you understood my problem.
    Regds,
    Jayanthi

    Hello Jayanthi,
    I had a similar situation in my last project.
    While you can solve this by modifying your query, this will always come around, as later there may be some other criteria to restrict on (user, his role, something else). Hence I fixed it at the design level itself. Though I can't give my situation, I can tell you the solution applying my logic.
    Alter your Product table and add one more database column, say Product_Category, and update the table with Product_Category = 1 for products and 2 for spares. You can extend this further for other types.
    Create a new table, say User_Groups, that will have
    - Group_id
    - Group_Name
    - User_Id
    columns and will contain all the user ids inserted groupwise.
    Create one last table, Group_Product_Map, that will have
    - Group_id
    - Category_id
    This will store each Group_Id followed by the Category_id of the products to which these group members will have access.
    Now write a database function getCategory(p_User) which will query the User_Groups table to get Group_Id
    and further query the Group_Product_Map table based on group_id to get Category_Id.
    This function will return category_id.
    Huh!
    So your LOV will have a query like: select * (or whatever) from Product where category_id = getCategory(portal30.wwctx_api.get_user)
    Hope this helps
    Madhav
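    An added worked version of the group-to-category design Madhav describes, built on sqlite3 so it runs offline; it is not Oracle Portal code or the poster's own. Table and column names follow the post, while the sample rows and the plain SQL lookup standing in for the Oracle function getCategory(p_User) and portal30.wwctx_api.get_user are assumptions.

```python
"""Added worked version of the group-to-category LOV design above, on sqlite3 so
it runs offline. Not Oracle Portal or the poster's code: table and column names
follow the post; the sample rows and the SQL lookup standing in for the Oracle
function getCategory(p_User) and portal30.wwctx_api.get_user are assumptions."""
import sqlite3

SCHEMA = """
CREATE TABLE Product (
    id INTEGER PRIMARY KEY, name TEXT, price REAL,
    category_id INTEGER NOT NULL);            -- 1 = product, 2 = spare
CREATE TABLE User_Groups (group_id INTEGER, group_name TEXT, user_id TEXT);
CREATE TABLE Group_Product_Map (group_id INTEGER, category_id INTEGER);
"""

# Constructed sample rows: two groups, each mapped to one category.
SAMPLE_ROWS = [
    ("INSERT INTO Product VALUES (?, ?, ?, ?)",
     [(1, "Pump", 500.0, 1), (2, "Valve", 120.0, 1),
      (3, "Pump seal", 9.5, 2), (4, "Valve gasket", 3.0, 2)]),
    ("INSERT INTO User_Groups VALUES (?, ?, ?)",
     [(10, "SALES", "alice"), (20, "SERVICE", "bob")]),
    ("INSERT INTO Group_Product_Map VALUES (?, ?)", [(10, 1), (20, 2)]),
]


def open_db() -> sqlite3.Connection:
    """Build the three tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, rows in SAMPLE_ROWS:
        conn.executemany(sql, rows)
    return conn


def get_category(conn: sqlite3.Connection, user_id: str):
    """Same lookup as getCategory(p_User): User_Groups -> Group_Product_Map.
    Returns None when the user belongs to no mapped group."""
    row = conn.execute(
        """SELECT m.category_id
             FROM User_Groups u JOIN Group_Product_Map m ON m.group_id = u.group_id
            WHERE u.user_id = ?""", (user_id,)).fetchone()
    return row[0] if row else None


def lov_products(conn: sqlite3.Connection, user_id: str) -> list:
    """The LOV query. The category is resolved server-side from the logged-in
    user, never from a client-supplied value, and the user id is bound as a
    parameter; an unmapped user gets an empty list rather than every row."""
    category = get_category(conn, user_id)
    if category is None:
        return []
    rows = conn.execute(
        "SELECT name FROM Product WHERE category_id = ? ORDER BY id", (category,))
    return [name for (name,) in rows]
```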

  • Identify source of AVC traffic on WLC

    Howdy All,
    We have recently enabled AVC on our WLC 5508 running 7.6.120.0.  We noticed networking-gnutella and put in a profile to drop its traffic.  The traffic is continuing to be listed though for some reason.
    1. Will dropped traffic still be shown in the Application Stats?
    2. If the traffic is actually not being dropped, is there a way to determine its source?  I checked the standard gnutella ports on our upstream ASA, but have had no hits.
    Thanks!
    Alan

    Dieter,
    Traffic marked as "PT In Progress" happens for the following reasons:
    1. The TCP connection was already established before being redirected to the WAE.
    2. A TCP connection marked as pass-through was idle for more than 10 seconds, then began passing traffic again.
    In both cases, the traffic is classified as "PT In Progress".
    Zach

  • Is there a way I can 'select all' for downloading purchase files via family sharing instead of selecting each file or folder one at a time?

    Is there a way I can 'select all' for downloading purchase files via family sharing instead of selecting each file or folder one at a time?

    or home sharing

  • Unable to activate Client Profile within Client-Based Groupware Integration

    Experts - Please help us!
    We are trying to activate a new Client Profile within Client-Based Groupware Integration. We are receiving an error message that
    "Multiple profiles not allowed for same role, country, language combination."
    We believe we are receiving this message because there was an incomplete profile already saved in this table. We cannot move forward without completing that record; however, it is not editable for us.
    Has anyone run into this problem before? Any ideas how we can move forward? I would appreciate any information anyone is able to provide.
    Thank you!
    Jami Shircel

    I have one idea. If you want to do this for your future records, then you should create a specific transaction type meant only for GWI and assign it in the Groupware SPRO settings, and that transaction type should not be used from the SAP CRM WebUI. In this way all the appointments/tasks created in Outlook have that special TType and can be differentiated from others. Will that be of any use?
    Rgds,
    Shobhit

  • Script to select files in a folder based on extension

    Does anyone have a script that would select files in a folder based on extension, then move the files somewhere else?

    Hi Kagey and welcome!
    You have to be completely accurate about the path. If your hard disk is called "Macintosh HD", then it's:
    every file of folder "Macintosh HD:Applications:FileMaker Pro 6 Folder" whose name extension = "tab"
    You can generalise this for other users if you can't be sure about the name of their hard disk:
    set apps_folder to path to applications folder as string
    set fmp_folder to apps_folder & "FileMaker Pro 6 Folder"
    tell application "Finder" to get every file of folder fmp_folder whose name extension = "tab"
    HTH
    H
    PS - well done in the footy

  • How to select a Tab in a TabPane via API

    I am trying to figure out how to select a Tab in my TabPane via the API. In the javadoc for Tab it says to use TabPane.selectedTab, but there is no selectedTab property that I can find. Also on the Tab there is a selectedProperty, but it is read-only.
    So how do you change the selected tab via the API?

    Hi,
    It's...
    tabPane.getSelectionModel().select(index)
    You also have other options on the selection model.
    Cheers,
    Nuwanda

  • 802.1x with AD support via ACS 4

    Hello ,
    I have been trying to configure 802.1X authentication on a test switch. Authentication will be provided by the ACS server. This worked when I had the client set up for EAP-MD5 and had local user accounts on the ACS server. However, this is impractical if we were to deploy this on a large scale. How can I configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database? The trouble is AD does not support EAP-MD5. It supports PEAP, but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake".
    Has anyone here set up 802.1X with AD integration via ACS 4.0? Please help.
    Thanks.
    Karthik

    Hi Karthik,
    The SSL handshake will fail, in our experience, for any of the following reasons:
    - The supplicant cannot access the private key corresponding to its certificate - check that the system account has permissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
    - The ACS server does not trust the Root Certificate for the PKI that issued the supplicant's certificate - is the supplicant's Root CA present in the ACS Certificate Trust List?
    - CRL checking is enabled and the CRL has expired or is inaccessible
    If you up the logging levels to full and examine the csauth log closely, you should get more detail as to the reason.
    Hope that helps
    Andy

  • Multiple AVC Profile for each SSID

    Hello,
    I know there is a limitation on the number of ACLs in each AVC profile, but is there a way to build multiple profiles and link them to the same SSID?
    thanks,

    Hi Sandeep,
    Thanks for your reply. I think Cisco should consider allowing provisioning of multiple profiles for each SSID, as the number of applications that need blocking exceeds each profile's limit.
    I do have a Guest SSID and I want to block everything using AVC; due to this limitation, this cannot be achieved.
    Thanks,

  • Can't get Lightroom Color Management to select custom profiles

    I can't get Lightroom Color Management to select custom profiles.
    - I select "other" in Profile,
    - a pop-up box shows me numerous profiles to choose from
    - I select a profile and the selection is highlighted
    - I press "OK" and the pop-up box disappears
    - but if I go back to the "Profile" selection line, only "Managed by Printer" is available.
    What's wrong here?
    Is the inability to select a profile the reason that prints from Lightroom look way too dark when I print them?
    Vick

    Oh, I'm on Windows XP with SP2.
    The profiles are in C:\WINDOWS\system32\spool\drivers\color
    I used the .exe that was provided by Epson for installing the drivers.
    Nothing fancy, nothing different.
    For Lightroom, I installed it off CD and got the 1.3.1 update from the Adobe site.
    Any clues there, to solve the puzzle?
    Vick

  • System Migration Assistant select a profile

    I am using the ThinkVantage System Migration Assistant 6.0 to migrate my data from my old lenovo laptop to a new lenovo laptop.  On the Current Laptop (Laptop being used) I am able to select what profile I want to transfer.  However on the Target Laptop (New Laptop) I am not able to select what profile to transfer the data to.  Is there anyway to select what profile I can transfer the data to on the new laptop?

    Hi
    Welcome To Lenovo Community
    You may also refer to the links below, which will guide you through the deployment:
    http://support.lenovo.com/en_US/product-and-parts/detail.page?LegacyDocID=MIGR-73571
    http://support.lenovo.com/en_US/detail.page?LegacyDocID=MIGR-50889
    Hope This Helps
    Cheers!!!

  • Authenticate windows users via ACS

    Hi,
    Expert insight required for Cisco ACS: is it possible to authenticate Windows users via ACS and apply ACL policies over network devices?
    I would appreciate valued inputs.
    Regards,

    Yes, it's possible to authenticate Windows users via ACS and push a DACL via RADIUS.
    Seems you are looking for DACL. Here is a document that can help you to understand the same
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a9eddc.shtml#user
    Let me know if you need any further help.
    Jatin Katyal
    - Do rate helpful posts -

  • ANM device importing and config sync - user name authenticating via ACS

    Good day,
    We have the following issue:
    Switches and ACE modules were imported into ANM 3.2. Additional modules were added and we tried to import them. Failed. Tried to sync and received the following message for the Admin context:
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    All other contexts also fail to sync.
    Thought this may be due to the fact that the user ID used for import is an AD account, and this authenticates via ACS to AD, and this has expired and changed since the original import. Deleted the chassis and re-imported with the same user ID and new password and all works fine.
    Have checked the links below; however, I don't believe these will resolve the issue:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1094120
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/3.1/user/guide/UG_manage_devices.html#wp1393377
    I believe this is occurring due to the fact that we are authenticating via ACS to AD for all devices (switches and ACE modules) as well as ANM.
    So is the only solution here to create a static user account in ACS and add it to the relevant NDGs for switches and ACE modules?
    Also would we have to have the password never expire as I don't see a way to change/configure this password within ANM apart from when the devices are initially imported?
    Any input would be greatly appreciated.
    Thanking you in advance.
    Paul

    Dears
    Kindly help: when I'm trying to import an ACE module I got the following message.
    - Failed to import ACE configuration: Device discovery failed: cannot find the serial number.
    Does anybody have a resolution for this error?
    BR
