SG300-28 RADIUS login

Hi,
I have some 2960s and they work like a charm. I configured RADIUS access on them and had no problems with that.
Now I have two C300 (SG300-28) and I can't get them to work with my RADIUS server, I always get an "authentication failed".
Here are the commands on one of the boxes:
encrypted radius-server key <encrypted key>
radius-server host <radius host IP> auth-port 1645 acct-port 1646
aaa authentication enable SSH radius enable
aaa authentication login SSH radius local
Also, why is it presenting me the login twice when I connect via ssh (first with "login-as:" and no password and then with "User Name:" and with a password?!) ? At the first login I can type whatever I want and only the second login is the real one.
Greetings
Martin

i have an sg300-28 using radius for auth too.  i am able to ssh to the device with no issue using my id.  make sure your radius server is sending back the authorization string that is expected (i imagine it is doing so, since your 29xx's are working).
below is the auth config i have for my switch.  telnet is shut off, http is shut off, https, ssh and snmp are turned on.  only radius is allowed when using ssh or https.  console is radius or local.
encrypted radius-server key <<>>
radius-server host 192.168.25.1 source 0.0.0.0
radius-server host 192.168.50.1 source 0.0.0.0
logging host 192.168.25.1
aaa authentication enable Console radius enable
aaa authentication enable SSH radius
aaa authentication enable Telnet radius
ip http authentication aaa login-authentication radius
aaa authentication login Console radius local
aaa authentication login SSH radius
aaa authentication login Telnet radius
aaa authentication dot1x default radius
aaa accounting dot1x start-stop group radius
aaa accounting login start-stop group radius
line telnet
 login authentication Telnet
 enable authentication Telnet
 password <<>> encrypted
exit
line ssh
 login authentication SSH
 enable authentication SSH
 password <<>> encrypted
exit
line console
 login authentication Console
 enable authentication Console
 password <<>> encrypted
exit
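
An added example, not part of either post above: a short Python audit that reads a configuration in the syntax of the reply and reports, for each management line, whether its login and enable method lists have a non-RADIUS method to fall back on when the server is unreachable. The sample text is constructed from the AAA lines of the reply, and the set of local method names (`local`, `enable`, `line`) is an assumption about this CLI.

```python
import re

# Constructed sample: the AAA lines from the reply above, with addresses,
# keys and passwords left out.
SAMPLE_CONFIG = """\
aaa authentication enable Console radius enable
aaa authentication enable SSH radius
aaa authentication enable Telnet radius
aaa authentication login Console radius local
aaa authentication login SSH radius
aaa authentication login Telnet radius
line telnet
 login authentication Telnet
 enable authentication Telnet
exit
line ssh
 login authentication SSH
 enable authentication SSH
exit
line console
 login authentication Console
 enable authentication Console
exit
"""

LIST_RE = re.compile(r"^aaa authentication (login|enable) (\S+)\s+(.+)$")
LINE_RE = re.compile(r"^line (\S+)$")
BIND_RE = re.compile(r"^(login|enable) authentication (\S+)$")

# Assumption: methods answered by the switch itself, without a server.
LOCAL_METHODS = {"local", "enable", "line"}


def parse(config):
    """Return (method_lists, bindings).

    method_lists maps (kind, list_name) to the ordered list of methods;
    bindings maps a line name to {kind: list_name}.
    """
    method_lists, bindings, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if not text:
            continue
        m = LIST_RE.match(text)
        if m:
            method_lists[(m.group(1), m.group(2))] = m.group(3).split()
            continue
        m = LINE_RE.match(text)
        if m:
            current = m.group(1)
            bindings[current] = {}
            continue
        if text == "exit":
            current = None
            continue
        m = BIND_RE.match(text)
        if m and current is not None:
            bindings[current][m.group(1)] = m.group(2)
    return method_lists, bindings


def audit(config):
    """Return one (line, kind, methods, status) tuple per bound method list.

    status is "fallback" when a local method follows in the list,
    "remote-only" when every method needs a server, and "undefined-list"
    when the line refers to a list the config never defines.
    """
    method_lists, bindings = parse(config)
    rows = []
    for line in sorted(bindings):
        for kind in ("login", "enable"):
            name = bindings[line].get(kind)
            if name is None:
                continue  # not bound here; the device default applies
            methods = method_lists.get((kind, name))
            if methods is None:
                rows.append((line, kind, [], "undefined-list"))
            elif any(m in LOCAL_METHODS for m in methods):
                rows.append((line, kind, methods, "fallback"))
            else:
                rows.append((line, kind, methods, "remote-only"))
    return rows


def remote_only(config):
    """(line, kind) pairs that stop working when no RADIUS server answers."""
    return [(l, k) for l, k, _, s in audit(config) if s == "remote-only"]


def lines_with_fallback(config):
    """Lines whose login list still has a local method to fall back on."""
    return sorted({l for l, k, _, s in audit(config)
                   if k == "login" and s == "fallback"})


if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

On the sample, only the console line keeps a local fallback, which matches the reply's description of its own setup.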

Similar Messages

  • SG300-28 RADIUS accounting firmware 1.0.0.27 and 1.1.2.0

    Hi,
    I am using the CISCO SG300-28 with firmware version 1.0.0.27. I enabled RADIUS authentication and accounting. Authentication is working but there are no accounting requests/replies (Accounting on, accounting off, accounting start, accounting stop) when running RADIUS in debug mode. I also did a packet capture and there are no accounting packets.
    So I updated the firmware image up to version 1.1.2.0.
    When I now want to configure accounting in RADIUS settings then there isn't any option to set an accounting port.
    I checked the data sheet of the switch and it says that accounting is supported:
    ===============================================
    802.1X: RADIUS authentication and accounting, MD5  hash; guest VLAN; unauthenticated VLAN, single/multiple host mode and  single/multiple sessions
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps10898/data_sheet_c78-610061.html
    ===============================================
    I did a second packet capture with the new firmware image and there are still no accounting packets.
    The RADIUS server is configured correctly for accounting because when using another NAS like a WLAN-AP with DD-WRT accounting is working. It is working with pfsense Captive Portal (an open source firewall and routing solution with a hotspot portal).
    Thank you for your feedback!
    Alexander Wilke

    Hi,
    I made some more tests with the switch and the different image versions. I did the following:
    Image 1.0.0.27
    [1.0.0.27.cap]: packetcapture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
    [Image-version-1.0.0.27.jpg]: Screenshot of the active image
    [radius-1.0.0.27.jpg]: screenshot of the GUI which shows authentication and accounting
    Image 1.1.2.0
    [1.1.2.0.cap]: packetcapture (uncut to show you that I didn't cut something) between SG300-28 and freeradius 2.1.12
    [Image-version-1.1.2.0.jpg]: Screenshot of the active image
    [radius-1.1.2.0.jpg]: screenshot of the GUI which shows authentication without accounting
    excerpt of radiusd.conf (interfaces):
    listen {
            type = auth
            ipaddr = 192.168.0.22
            port = 1812
    }
    listen {
            type = acct
            ipaddr = 192.168.0.22
            port = 1813
    }
    clients.conf
    client "CISCO" {
        ipaddr = 192.168.0.19
        proto = udp
        secret = pfsense
        require_message_authenticator = no
        max_connections = 16
        shortname = CISCO
        nastype = other
        #login = !root
        #password = someadminpas
        #virtual_server = home1
        #coa_server = coa
    }
    users file:
    "myuser" Cleartext-Password := "mypass"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "10"

  • Limiting Concurrent RADIUS Logins - Windows NPS or Aerohive

    Has anyone overcome the challenge of only allowing a specific number of devices to connect to the network via Windows NPS (2012) or Aerohive settings? I've seen a bunch about folks' attempts to get it to work, but nothing on successful methods/configuration. Is there an attribute that can get passed back to the client indicating whether or not the login is allowed based on already active sessions, or something similar?
    This topic first appeared in the Spiceworks Community

    Hi Dennis,
    >>Do we just use PEAP with a cert minted by our own in-house CA?
    Yes. Just build the Enterprise CA in your intranet. All domain-joined will trust this CA by default.
    >> Or, can we not even bother w PEAP and just use another auth method?
    Yes. We can use MSCHAPv2. But PEAP is more secure than MSCHAPv2.
    Besides, here is a checklist about how to use NPS to secure wireless network,
    Checklist: Configure NPS for Secure Wireless Access
    http://technet.microsoft.com/en-us/library/cc771696(v=WS.10).aspx
    Best Regards.
    Steven Lee

  • ASA 5505 VPN Group Policies (RADIUS) and tunnel group

    I have a single ASA firewall protecting a small private developing network, and I need it in order to access remotely to two distinct network spaces both of which are VLAN tagged: 1 is LAN and 3 is management. Each net has its own IP address space and DNS server.
    I'd like to set up Anyconnect to land on lan 1, and SSL VPN in order to see the IPMI and management websites sitting on VLAN 3. In order to make things "safer" I have found a free OTP solution, OpenOTP, and I decided to implement it on a virtual machine, setting up a radius bridge to allow user authentication for VPN. I can pass whichever attribute I'd like to using this radius bridge (for example "Class" or "Group-Policy" or whatever is included in the radius dictionaries).
    Actually all I need is quite simple. I have to segregate my remote users in 2 groups, one for Anyconnect, and one for SSL based on the radius response from authentication. (I don't need authorization nor accounting) I'm no Cisco Pro, what I've learnt is based on direct "on the field" experience.
    I'm using two radius users for testing right now, one is called "kaisaron78" associated to a group policy "RemoteAC" and a second one called "manintra" associated to a group policy called "SSLPolicy". "kaisaron78" after logging in should only see the Anyconnect "deployment portal", while "manintra" should see the webvpn portal populated with the links specified in the URL list "Management_List". However, no matter what I do, I only see the default "clean" webvpn page. This is an example of "sh vpn-sessiondb webvpn" for both users..
    Session Type: WebVPN
    Username     : kaisaron78             Index        : 1
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 518483                 Bytes Rx     : 37549
    Group Policy : RemoteAC               Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 10:59:33 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:23s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000100053f1c075
    Security Grp : none
    Asa5505# sh vpn-sessiondb webvpn
    Session Type: WebVPN
    Username     : manintra               Index        : 2
    Public IP    : 172.16.0.3
    Protocol     : Clientless
    License      : AnyConnect Premium
    Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
    Bytes Tx     : 238914                 Bytes Rx     : 10736
    Group Policy : SSLPolicy              Tunnel Group : DefaultWEBVPNGroup
    Login Time   : 11:01:02 CEDT Mon Aug 18 2014
    Duration     : 0h:00m:05s
    Inactivity   : 0h:00m:00s
    VLAN Mapping : N/A                    VLAN         : none
    Audt Sess ID : c0a801fa0000200053f1c0ce
    Security Grp : none
    As you can see, it seems like the policies are assigned correctly by radius attribute Group-Policy. However, for example you'll notice no vlan mapping, even if I have declared them explicit in group policies themselves. This is the webvpn section of the CLI script I used to setup remote access.
    ! ADDRESS POOLS AND NAT
    names
    ip local pool AnyConnect_Pool 192.168.10.1-192.168.10.20 mask 255.255.255.0
    object network NETWORK_OBJ_192.168.10.0_27
     subnet 192.168.10.0 255.255.255.224
    access-list Split_Tunnel_Anyconnect standard permit 192.168.1.0 255.255.255.0
    nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.10.0_27 NETWORK_OBJ_192.168.10.0_27 no-proxy-arp route-lookup
    ! RADIUS SETUP
    aaa-server OpenOTP protocol radius
    aaa-server OpenOTP (inside) host 192.168.1.8
     key ******
     authentication-port 1812
     accounting-port 1814
     radius-common-pw ******
     acl-netmask-convert auto-detect
    webvpn
     port 10443
     enable outside
     dtls port 10443
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect profiles AnyConnect_Profile_client_profile disk0:/AnyConnect_Profile_client_profile.xml
     anyconnect enable
    ! LOCAL POLICIES
    group-policy SSLPolicy internal
    group-policy SSLPolicy attributes
     vpn-tunnel-protocol ssl-clientless
     vlan 3
     dns-server value 10.5.1.5
     default-domain value management.local
     webvpn
      url-list value Management_List
    group-policy RemoteAC internal
    group-policy RemoteAC attributes
     vpn-tunnel-protocol ikev2 ssl-client
     vlan 1
     address-pools value AnyConnect_Pool
     dns-server value 192.168.1.4
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value Split_Tunnel_Anyconnect
     default-domain value home.local
     webvpn
      anyconnect profiles value AnyConnect_Profile_client_profile type user
    group-policy SSLLockdown internal
    group-policy SSLLockdown attributes
      vpn-simultaneous-logins 0
    ! DEFAULT TUNNEL
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group DefaultWEBVPNGroup general-attributes
     authentication-server-group OpenOTP
    tunnel-group VPN_Tunnel type remote-access
    tunnel-group VPN_Tunnel general-attributes
     authentication-server-group OpenOTP
     default-group-policy SSLLockdown
    !END
    I had to set up DefaultWEBVPNGroup and RAGroup that way otherwise I couldn't authenticate using radius (login failed every time). Seems like in ASDM the VPN_Tunnel isn't assigned to AnyConnect nor to Clientless VPN client profiles. Do I have to disable both default tunnel groups and set VPN_Tunnel as default on both connections in ASDM? I know I'm doing something wrong but I can't see where the problem is. I've been struggling since May the 2nd on this, and I really need to finish setting this up ASAP!!!!
    Any help will be more than appreciated.
    Cesare Giuliani

    Ok, it makes sense.
    Last question then I'll try and report any success / failure. In this Cisco webpage, http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html#wp1661512 there's a list of supported radius attributes. Actually I'm using number 25 Group-Policy, in order to get the correct group policy assigned to users. I see, in that list an attribute 146 Tunnel-Group-Name. Will it work out for the purpose you explained in the previous post ? I mean, if I set up two tunnel groups instead of 1, 1 for anyconnect with its own alias and its own url, and 1 for SSL VPN again with its own alias and url, do you think that using that attribute will place my users logging in into the correct tunnel group ?
    Thank you again for your precious and kind help, and for your patience as well!
    Cesare Giuliani

  • Problem with a lot of logins per user

    We are using 2 (4 controllers) WiSM version 5.2.178.0 Controllers with WPA2/CCKM 802.1x EAP-MSCHAPv2 using freeradius v2 and eDirectory as backend.
    About 500 1142 AP:s and 2400 clients.
    The clients are running unmanaged Windows 7.
    Clients are authenticating about 10- 20 times in a minute.
    This causes heavy load on the Radius/eDirectory servers.
    The clients have Atheros AT9285 wifi cards without CCX support.
    Our users also complain about having to reconnect frequently.
    Any ideas how to reduce radius logins?
    Henrik Hartelius
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 Unable to compute a valid PMKID from dot1x PMK cache for mobile c4:46:19:61:57:58
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 Found an entry in the global PMK cache for station c4:46:19:61:57:58
    *Sep 14 16:37:59.825: CCKM: AA (6)
    *Sep 14 16:37:59.825:      [0000] fc fb fb d8 7a a0
    *Sep 14 16:37:59.825: CCKM: SPA (6)
    *Sep 14 16:37:59.825:      [0000] c4 46 19 61 57 58
    *Sep 14 16:37:59.825: CCKM: AA (6)
    *Sep 14 16:37:59.825:      [0000] fc fb fb d8 7a a0
    *Sep 14 16:37:59.825: CCKM: SPA (6)
    *Sep 14 16:37:59.825:      [0000] c4 46 19 61 57 58
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 Unable to compute a valid PMKID from global PMK cache for mobile c4:46:19:61:57:58
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 RUN (20) Change state to START (0) last state RUN (20)
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 START (0) Initializing policy
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 START (0) Change state to AUTHCHECK (2) last state RUN (20)
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 85.188.98.23 8021X_REQD (3) Plumbed mobile LWAPP rule on AP fc:fb:fb:d8:7a:a0 vapId 6 apVapId 1
    *Sep 14 16:37:59.825: c4:46:19:61:57:58 apfPemAddUser2 (apf_policy.c:210) Changing state for mobile c4:46:19:61:57:58 on AP fc:fb:fb:d8:7a:a0 from Associated to Associated

    If the client does not use CCX, then you should not be using CCKM as the keying method, you should use 802.1x. But from what I am seeing, the client is not sending a valid PMK, so we can't fast roam them, they have to do a full AAA authentication. My other normal suggestion would be to check for updated drivers but as they are "unmanaged", this may not be feasible.

  • VPN access to a Watchguard firewall using Radius credentials

    Good morning, I have an Ipod Touch 4G that I would like to use to connect to our Watchguard firewall using the built in VPN client and pptp 
    I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware) , which are setup for pptp vpn access using Windows Radius servers.  The users use their Active Directory credentials to make the VPN connections.
    I have several macs at home, including an iMac and Mac mini and both of them can easily make VPN connections to the Watchguard firewall using pptp VPN access with Radius credentials.
    The setup I have been trying on the ipod Touch 4g is using the dns name for the firewall (published in Network Solutions DNS).  I have also tried the outside address of each firewall.  For the account, since we are using a Radius connection into Active Directory, I put my login in the format of domain\username .  RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
    In my testing so far, the Ipod Touch starts the connection, starts authenticating to Radius and fails. If I turned off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on. It doesn't seem to matter if Send all traffic is off or on. Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
    So, I basically duped the setup of the VPN on the Ipod Touch based on my setup that's working on the Mac Mini and Imacs at home.  But VPN on the iPod Touch 4g with the latest version of IOS is not working.
    Does anyone have this kind of configuration working on the iPod Touch 4g or know if this is a shortcoming of this version of the Ipod or IoS?
    Thanks,
    Leo

    I fixed my vpn connection on the iPod Touch.  This is what works for Radius login to a Watchguard firewall:
    Server (DNS name or ip address).
    Account domainname\username
    RSA SecurID off
    Encryption level Auto
    Send All Traffic off.
    Leo

  • 2003 server van & radius

    Is it possible to have a windows 2003 computer to use the NetWare 6.5 radius
    for its van authentication? I have tried to get this to work but I get the
    following error from the Radius screen:
    [2004-12-21 05:52:18 PM] Access Rejected
    10.1.1.138, wtg, RADIUS error (-803)
    I have downloaded the NTRadPing Test Utility from the cool tools site and I
    am able to authenticate just fine using it. Am I just missing something
    simple? Any help is appreciated.
    Waylon Grange
    Network Administrator
    Snow, Christensen & Martineau
    10 Exchange Place, Eleventh Floor
    Salt Lake City, UT 84101
    (801) 322-9237
    [email protected]

    I'm not sure what you mean by "van authentication." What you're asking might
    be possible, but it depends on the type of authentication you're trying to
    do. Novell RADIUS supports both the PAP and CHAP authentication protocols,
    but does not support MS-CHAP or EAP. EAP is typically used by 802.1x
    devices. CHAP can be used in place of MS-CHAP in most situations, unless
    doing PPTP.
    Error -803 is "RADIUS attribute not found." This means that you're probably
    trying to do an MS-CHAP or EAP authentication. The RADIUS server cannot find
    a PAP or CHAP attribute in the access-request packet and therefore returns
    this error. If you can, configure the entity sending the RADIUS packets to
    do either a PAP or CHAP authentication. Note that if you decide to use CHAP,
    then you will need to configure the Simple Password method in your
    RADIUS login policy.
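
An added example, not part of the posts above: the reply says the server returns -803 when it finds no PAP or CHAP attribute in the Access-Request. This Python code parses the attribute list of a request as laid out in RFC 2865 and reports which authentication attributes it carries; the two packets are constructed test data, and the attribute numbers are taken from RFC 2865, RFC 2869 (EAP-Message) and RFC 2548 (Microsoft vendor attributes).

```python
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
VENDOR_SPECIFIC, EAP_MESSAGE = 26, 79
MICROSOFT = 311                      # vendor id used by the MS-CHAP attributes
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25
HEADER_LEN = 20                      # code, identifier, length, authenticator


def build_request(identifier, attrs):
    """Assemble a constructed Access-Request from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body), bytes(16))
    return header + body


def vsa(vendor, vendor_type, value):
    """Wrap a value as a Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!IBB", vendor, vendor_type, len(value) + 2) + value
    return (VENDOR_SPECIFIC, inner)


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field does not match the packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def auth_methods(packet):
    """Name the authentication methods whose attributes are present."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    found = set()
    for atype, value in attrs:
        if atype == USER_PASSWORD:
            found.add("PAP")
        elif atype == CHAP_PASSWORD:
            found.add("CHAP")
        elif atype == EAP_MESSAGE:
            found.add("EAP")
        elif atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vendor_type = struct.unpack("!IB", value[:5])
            if vendor == MICROSOFT and vendor_type == MS_CHAP_RESPONSE:
                found.add("MS-CHAP")
            elif vendor == MICROSOFT and vendor_type == MS_CHAP2_RESPONSE:
                found.add("MS-CHAPv2")
    return sorted(found)


def has_pap_or_chap(packet):
    """True when a server limited to PAP and CHAP has something to check."""
    return bool({"PAP", "CHAP"} & set(auth_methods(packet)))


# Constructed packets (all-zero authenticator and payloads, test data only).
PAP_REQUEST = build_request(1, [(USER_NAME, b"wtg"),
                                (USER_PASSWORD, bytes(16))])
MSCHAP2_REQUEST = build_request(2, [
    (USER_NAME, b"wtg"),
    vsa(MICROSOFT, MS_CHAP_CHALLENGE, bytes(16)),
    vsa(MICROSOFT, MS_CHAP2_RESPONSE, bytes(50)),
])

if __name__ == "__main__":
    for name, pkt in (("PAP", PAP_REQUEST), ("MS-CHAPv2", MSCHAP2_REQUEST)):
        print(name, auth_methods(pkt), has_pap_or_chap(pkt))
```

Run against a captured request from the failing client, the same check shows whether the client is sending MS-CHAP or EAP attributes where the server expects PAP or CHAP.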

  • Basic Administration Radius configuration on the PIX using 6.2

    I am looking for a real basic Radius login configuration for the PIX running 6.2. I just want to be able to have the Radius Server (Steel-Belted) authenticate and account for administrators that access the PIX for doing changes.
    Thanks for any help in this issue.
    Scott

    Here is how I did it in our Cisco 520 PIX firewalls:
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 0
    aaa-server RADIUS (inside) host radius_server_ip radius_secret_key timeout 5
    aaa-server LOCAL protocol local
    aaa authentication enable console RADIUS LOCAL
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication telnet console RADIUS LOCAL
    username admin password very_secret_password encrypted privilege 15
    Of course, replace radius_server_ip with your own and radius_secret_key with a real one.
    In the RADIUS server (I'm using IAS built-in in Windows 2000/2003 servers) I just defined a policy to allow only the group "Domain Admins" and added the firewall as clients with their own ip address and secret key.
    Don't forget to add a username and a password, should your RADIUS server become unavailable, that will be your last resort to get in the PIX.
    Catalin.

  • Adding Local User Account Alongside RADIUS

    Greetings!
    Currently every Cisco device authenticates with a RADIUS server we have on campus. I'm trying to add a local user account onto our switches and routers so that if the RADIUS server is unavailable or the switch loses connection we are able to use another login to access what we need. However when I add aaa authorization and authentication commands (no default) I think the switch cannot identify what is a RADIUS login and what is a local login. Depending on how we move commands around local will work and RADIUS will not, or RADIUS will work and local will not. Any suggestions on how to get both to work at the same time?
    Thanks!
    -Noah

    Perhaps I do not have a correct understanding of what you are asking. But let me explain a little and if that does not address your issue then perhaps you can provide some clarification.
    You can not have Radius and the local account work at the same time - at least not in the sense that you can login and enter either one and expect it to work. What you can do (and what most people do) is to define one as primary (usually Radius) and one as backup (usually local account). Then when you attempt to login the device will attempt to use Radius, and if the Radius server is not available then it will use the local account.
    If that does not clarify your issue then please help us understand better what your issue is.
    HTH
    Rick

  • Switch AAA login authentication issue

    Dear all,
    I have had a strange problem since yesterday. I have two Cisco 4500 core switches clustered, which have been configured for AAA RADIUS login authentication (IAS server). Since yesterday, all of a sudden, I have a problem accessing one switch out of the two. Both switches are the same model and configured exactly the same way. But since yesterday I can only log in to one, and when I try to log in to Core switch1, I get to the username and password prompt; when I put in my username and password I get:
    User Access Verification
    Username: MyUsername
    Password:********
    Line has invalid autocommand " ppp negotiate"
    Connection to host lost.
    In my Radius logs, I see that authentication is successful.
    I don't know what has caused this problem; the only thing I did was add a route command on both switches yesterday, which has nothing to do with the AAA config to cause this problem. I can't log in to the switch to see any logs on the switch.
    Help on this would be greatly appreciated.
    Regards

    How do you connect to the switch, via terminal server or ssh/telnet?
    If using terminal server, please check the related line configuration on your terminal server to see if there is any difference between working and non-working switches.
    If the same user ID can login to the other switch without problem, I would suggest you to check your IAS server. Did you try to remove / re-add the problem switch back in IAS?

  • Integrating RADIUS authentication with JAAS ???

    Hi,
    I have username/password JAAS authentication in my application.
    Now I have to support RADIUS authentication on top of the existing username/password authentication.
    I am in the process of defining a login module for RADIUS.
    Is there any opensource login module existing for RADIUS ??
    After defining the RADIUS login module where to configure the multiple authentication policies ??
    Thanks,
    Dyanesh.

    This sample configuration shows how to set up a remote access VPN connection between a Cisco VPN Client (4.x for Windows) and the PIX 500 Series Security Appliance 7.x using a Cisco Secure Access Control Server (ACS version 3.2) for extended authentication (Xauth).
    http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008080f2d1.shtml

  • How many iMacs can I connect on TC via wifi?

    Hey,
    For school where I am working we use a time capsule with 12 iMacs. Two of them can't contact the airport of TC. All the others do! I tried to replace the TC a better place: no result!
    Thanks a lot,
    filip

    Can you split the load between 2.4ghz and 5ghz.. do it deliberately.. ie take the TC wireless off auto channel and set it yourself. Give a different name to 5ghz so you set the whole network, wireless channel and band and which computers join to which band. I would also suggest any computer updated rather than clean installed to Mountain Lion could be messed up wireless drivers.. are you using a radius login names?

  • Automatic registration of the mac adress on wlc

    Hi everybody,
    At this moment, I'm working with a WLC 5508 and the authentication is done with Freeradius, till now everything is working correctly, when I entered my radius login the connection was successful; if I exceed the timeout session for example 300 seconds (it was configured on  WLAN tab => advanced tab => Enable session timeout)
    but my goal is:
    to login for the first time on the wlc portal and after that I want the controller to be able to save my mac address and not ask me to login another time => automatic connection
    There is also another possibility which is: to renew the request each year for example.
    Thanks for any suggestion 

    Hello Sali, to register MAC addresses you need an advanced Radius server like PacketFence (which uses FreeRadius) or like Cisco ISE.
    I guess you want to autodetect and auto register the MAC addresses of your wireless endpoints for a couple of weeks only (to give time to all endpoints to register) and after that you will only permit access to those MAC addresses already registered, is that right?
    You can do that with both Cisco ISE and PacketFence, but since you tell me you already use FreeRadius, then I think it makes more sense to use PacketFence.
    I have lots of experience with Cisco ISE. Now I'm testing PacketFence with a Cisco switch, next week I will test PacketFence with a Cisco WLC.
    Insieme is the creator of PacketFence, if you need support you can contact them. They have several videos in youtube, like these :
    http://www.youtube.com/watch?v=PrUjf0_s49Q
    http://www.youtube.com/watch?v=MpBgnwp1qLI
    Please rate if this is helpful.

  • Network Policy Server Event ID 6272 not being forwarded to Event Collector.

    Hi there
    I have configured an Event Subscription to collect events from 2 DCs that run RADIUS for network switches. It appears the events are being forwarded okay, I am getting the Security events (Logon and Logoff) on the event collector PC. However I am not getting any of the Network Policy Server security events (specifically Event IDs 6272), to centrally audit RADIUS logins to switches.
    The subscription is collector initiated, and I have added Network Service to the Event Log Readers Group. Is there something I am missing in the setup requirements for these events to be forwarded?
    Thank you,
    Kind regards
    Hylton

    Hi Gabriel101,
    Could you offer us more information about your environment, such as what edition of server you are using, whether your AD and NPS roles are on the same server, whether your NPS is working properly now, and whether you can receive other security auditing events.
    The related KB:
    NPS Local Log File Status
    http://technet.microsoft.com/en-us/library/cc735386(v=ws.10).aspx
    Event ID 6272 — NPS Authentication Status
    http://technet.microsoft.com/en-us/library/cc735388(v=ws.10).aspx
    I’m glad to be of help to you!

  • Using ACS as a web authentication server

    I have an ACS I use for Tacacs and Radius, and was wondering if I could use it to authenticate a web site for logins. I have an internal site that runs on Windows, but may move to Linux, and would like to have the techs use their Tacacs/Radius logins for the web site as well.

    In Apache you can specify the authentication parameters in the virtual host configuration
