Using ACS for Cisco Prime authentication

I'd like to use our TACACS server running ACS as the authentication method for user accounts in Prime, but I don't even know where to start with this.
Any pointers?

The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
Administration > AAA > TACACS+ Servers > add tacacs server.
Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
"Configuring ACS 4.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
https://supportforums.cisco.com/docs/DOC-17909
In case it doesn't work, please get the logs from the ACS Reports and Monitoring for the TACACS authentication, and the error message shown while accessing Cisco Prime.
Jatin Katyal
- Do rate helpful posts -
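The Prime-to-ACS exchange above is TACACS+ authentication over a shared key. When the ACS reports alone do not explain a failure, it helps to know what is actually on the wire: the TACACS+ body is not encrypted but XOR-obfuscated with an MD5 keystream derived from the session id, the shared key, the version and the sequence number (RFC 8907 section 4.5), so anyone holding the key can decode a capture, and a key mismatch turns the body into garbage on the receiving side. The following is an added example, not Cisco, ACS or Prime code; it builds an authentication START packet, obfuscates it, and parses it back. The key, session id, user name and addresses are constructed for the demo.

```python
"""TACACS+ authentication START packet: build, obfuscate, and decode (RFC 8907).

Added example, not Cisco/ACS/Prime code. All values (key, session id, user,
port, remote address) are constructed for the demonstration.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: pad_1 = MD5(sid|key|ver|seq), pad_n = MD5(sid|key|ver|seq|pad_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", hashlib.md5(seed).digest()
    while len(pad) < length:
        pad += block
        block = hashlib.md5(seed + block).digest()
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same inputs reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int,
                       key: bytes, seq_no: int = 1, priv_lvl: int = 1) -> bytes:
    """Authentication START: action LOGIN (1), authen_type ASCII (1), service LOGIN (1).

    An empty key sends the body in the clear and sets the UNENCRYPTED flag.
    """
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # 0xC0: major 12, minor 0
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)) + u + p + r + d
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + payload


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet with the given key; raises if lengths do not add up
    (which is also what a wrong key typically produces)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError("truncated or padded packet")
    clear = bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = payload if clear else obfuscate(payload, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    if off != len(body):
        raise ValueError("field lengths do not add up to body length")
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "obfuscated": not clear,
            "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": fields["user"].decode(), "port": fields["port"].decode(),
            "rem_addr": fields["rem_addr"].decode()}


if __name__ == "__main__":
    pkt = build_authen_start("netadmin", "web", "10.0.0.5", 0x12345678, b"SharedKey")
    print(parse_authen_start(pkt, b"SharedKey"))
```

Because the body protection is only an MD5 keystream, the shared key should be long and random and the TACACS+ path between Prime and ACS should be on a management network rather than a shared segment; the parser's length check is the cheapest way to spot a key mismatch when decoding a capture.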

Similar Messages

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with bunch of incompatibilities between the offered support e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC
    We tried using the RSA-provided EAP client with both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
    A list of the EAP protocols supported by the RSA is attached.
    Also below is the link which says that MS-PEAP is NOT supported with the RSA; please check the
    table "EAP Authentication Protocol and User Database Compatibility"
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

  • User Name and Password for Cisco Prime Infrastructure 2.1

    Hi all:
    I am stuck at the login page of Cisco Prime Infrastructure 2.1.
    I have tried using the user name root and its password (the one used when logging in with root at the vSphere Client) and also the login user name used "before" getting into the appliance infrastructure; none of them work.
    Does anybody know the default username or password, or any way to set the username and password for this Cisco Prime Infrastructure 2.1 website?
    Thanks!
    tangsuan

    Hi Tangsuan,
    Following is the documented procedure for password recovery.
    In order to modify the GUI root user password, you will need to login to the NCS CLI
    as an admin user, and enter the command
    "ncs password root password <new password>" (without the quotes)
    This should set the web interface root user password :
    http://www.cisco.com/en/US/docs/wireless/ncs/1.1/configuration/guide/manag.html#wp1268889
    If you have lost your CLI password, try the default login, that is,
    the CLI user is admin and not root, so please try logging in as admin with
    the password that was set during setup. If that does not work, you need
    the install disk that came with the appliance to recover that password.
    Follow these steps:
    Recovering a Lost Admin Password
    If you lose or forget the admin password for NCS appliance, follow these steps.
    Step 1 Reboot the NCS appliance with the ISO DVD inserted. The Cisco Prime Network Control
    System Welcome screen appears:
    ISOLINUX 3.11 2005-09-02  Copyright (C) 1994-2005 H. Peter Anvin
                 Welcome to Cisco Prime Network Control System
    To boot from hard disk, press <Enter>.
    Available boot options:
       [1] Network Control System Installation (Keyboard/Monitor)
       [2] Network Control System Installation (Serial Console)
       [3] Recover administrator password. (Keyboard/Monitor)
       [4] Recover administrator password. (Serial Console)
    <Enter> Boot existing OS from Hard Disk.
    Enter boot option and press <return>.
    boot:
    Step 2 Select the desired recovery option, 3 or 4, depending on how you
    are connected to the appliance and then follow the prompts.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • Questioned status in Fault Management for Cisco Prime 4.2

    Hi all,
    I need help in Cisco Prime 4.2. My device is stuck in Questioned state in Fault Management. The device can be pinged from the server, though. Actually, I can already manage the device and have archived its configuration. The problem is that on Fault Monitoring Device Administration it is in Questioned state even though I have already tried to rediscover the device several times.
    Do I need to configure something on the server like put in the IP address and hostname of the device in the host file of Windows Server 2008?
    Thanks in advance for your help!

    Hi ,
    Is this happening for just one particular device or for all of them?
    If for a particular device, then are you using SNMPv2 or SNMPv3 on your device?
    Disable the Windows Firewall and anti-virus on the server and rediscover the device again.
    Thanks
    Afroz

  • Using CVP on Cisco Prime Assurance 10.5

    Hello guys,
    I'm trying to add CVP 8.5 to be monitored by Cisco Prime Collab. Assurance 10.5, and after adding the IP and SNMP RO, it shows that the SNMP credentials do not match.
    Is anyone else getting this issue on this new version?
    Thanks in advance

    I have two instances of CVP -- one in Production and another in TEST. The Production one I have had working with CUOM via SNMP for a while. In testing Prime I was setting up the TEST environment and found I couldn't add the SNMP string to any devices as none were listed in OAMP, but I was able to copy the SNMPD file (it actually is SNMPD.conf, but Windows assumes that it is of type "Speed Dial" and hides the extension -- even if you have show extensions turned on in Windows Explorer) from my working Production environment to TEST and it worked.
    However, I now am stuck at failing the HTTP authentication -- is this the CVP OAMP user? Local Windows account?
    Thanks,
    Mark

  • Using ACS for command authorization

    I've set up my ASA for this and it works as it should: the restricted user can only run the commands I put into the command set in ACS.
    However this is fine on telnet/SSH but when using ASDM the restricted account has level 15 access and is able to change things.
    Can you use ACS to give a view only account on an ASA when using ASDM?

    Thanks for the reply. I actually resolved it by watching the logs and seeing what ASDM needed; in the end I had to add a permit for the session command and also permit write net.
    This worked and gives the restricted user view-only access to the config etc. and also view-only in ASDM.

  • Can we have silent installation for Cisco prime service catalog (CCP)?

    Hi,
    I want to install Cisco Prime Service Catalog (newScale) in silent mode. Which version supports this feature?
    Also, please provide any related docs.
    Thanks in Advance
    Srini.

    sotoh,
    I am using Puppet (a configuration management tool) which manages several nodes.
    So I want to install CIAC on many nodes with the same configuration, with a reusable silent install using Puppet manifest files.

  • Changing server for Cisco Prime LMS 4.2 installation

    Hi,
    I am planning to install Cisco Prime LMS 4.2 with 50 device license on a temporary server. My question is:
    Can we install Cisco Prime LMS 4.2 on Server A, apply the license for 50 devices, and then several months later uninstall LMS on Server A, reinstall it on Server B, and apply the same license for 50 users?
    Is it possible and legal to do that? I am worried that the LMS license is bound to the first server's MAC address.
    Thanks in advance.

    Also: VM version 4.1 and 5.1 both checked, HDD 256, SCSI, memory 8 GB.

  • How to find useful MIBs for Cisco Devices?

    Hi,
    I am setting up a new Monitoring System (CA NetVoyant). It has some default Cisco monitoring capabilities (I believe these are some standard MIBs). I am wondering how I can add more useful Cisco MIBs for the devices I have in my network. There are thousands of MIBs and it looks like it is not easy at all to find the useful ones.
    For example the MIBs that can give you Emergency and up to warning level information, cpu, memory, interface errors, module failures (in case of Cat 6500), FWSM, BGP, VPN tunnel status notifications. Is there a list of useful MIBs for each device type, like Cat 6500, ASA5540, Cat 3750-E etc depending on IOS Image?
    Any help in setting up the SNMP monitoring system would be really helpful.
    Thanks

    If there is a MIB for it, most SNMP Capable Management servers can poll them.
    This can be things such as FHRP states, routing peers, ASA failover status, or serial numbers for inventory purposes.
    The potential is almost endless, it just depends what you should monitor to ensure you are in the know when your network hiccups.
    Here is a link to the IOS MIB Viewer:
    http://tools.cisco.com/ITDIT/MIBS/MainServlet
    CCNP, CCIP, CCDP, CCNA: Security/Wireless
    Blog: http://ccie-or-null.net/

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 server for the ACS,
    and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide
    when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO'
    on the domain etc).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(getting error message as Internal Error)
    I've scoured Google etc., and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter. I need to get this up and running as soon as possible,
    so I am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting Internal Error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu

  • Privilege mode authentication using Tacacs for Cisco Routers

    I am trying to set up a test environment where I need to be asked for both a username and password while entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS, but I've not seen any such configuration options on TACACS in order to set it up right. Has someone ever done a setup like this before? I would appreciate any help on this. Thanks.

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname 2621-3
    boot-start-marker
    boot system flash c2600-i-mz.123-26.bin
    boot-end-marker
    logging buffered 5001 debugging
    no logging console
    no logging monitor
    enable password cisco
    memory-size iomem 10
    clock timezone CST -7
    clock summer-time CST recurring
    aaa new-model
    aaa authentication login default local
    ! enable-mode authentication is sent to the TACACS+ servers; login authentication stays local
    aaa authentication enable default group tacacs+
    aaa authorization exec default group tacacs+ local
    aaa session-id common
    ip subnet-zero
    ip cef
    no ip domain lookup
    ip domain name int.voyence.com
    ip name-server 192.168.21.5
    !
    key chain jetef
     key 10
      key-string c1sco
    modemcap entry ZOOM
    modemcap entry ZOOM
    username jeff password 0 jeff
    tacacs-server host 192.168.21.230 key cisco
    tacacs-server host 10.6.230.32
    tacacs-server directed-request
    tacacs-server key dakey
    line con 0
    exec-timeout 15 0
    logging synchronous
    speed 115200
    line aux 0
    exec-timeout 15 0
    password 7 104D000A0618
    logging synchronous
    modem InOut
    modem autoconfigure discovery
    terminal-type monitor
    transport input all
    stopbits 1
    flowcontrol hardware
    line vty 0 4
    exec-timeout 15 0
    password cisco
    private
    logging synchronous

  • Using ACS for VLAN assignment

    Hi guys, I have been looking at the use of the Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and not found what I am looking for specifically, so here it goes.
    1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration: for the VLANs to be assigned to the various users at their ports, will every VLAN name in the RADIUS settings have to exist in the switches which are used for access?
    2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
    I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
    Thanks for any help...
    Kelvin
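The three attributes named in the question (64, 65 and 81) are the RFC 2868 tunnel attributes, and a Catalyst switch acts on them only as a set: Tunnel-Type must be VLAN (13), Tunnel-Medium-Type must be IEEE-802 (6), and Tunnel-Private-Group-ID carries the VLAN name or ID, all three sharing the same tag byte. The switch matches the group ID against its own VLAN database, so the VLAN has to exist on the access switch. The following added example (not ACS or Catalyst code) encodes the three attributes the way ACS would place them in an Access-Accept and decodes them the way a switch must, including the RFC 2868 rule that a leading byte above 0x1F in attribute 81 is part of the string rather than a tag; the VLAN names and tags are constructed.

```python
"""Encode and decode the RADIUS tunnel attributes that carry a VLAN assignment.

Added example, not ACS or Catalyst code. Attribute numbers and the tagged
layout follow RFC 2868; VLAN names and tag values below are constructed.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_vlan_avps(vlan: str, tag: int = 1) -> bytes:
    """Return the three AVPs a switch needs for one VLAN, all carrying the same tag."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    v = vlan.encode()
    # Tunnel-Type / Tunnel-Medium-Type: type, length 6, tag, 3-byte integer
    out = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    out += struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: type, length, tag, string
    out += struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(v)) + bytes([tag]) + v
    return out


def parse_avps(data: bytes):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, ln = data[off], data[off + 1]
        if ln < 2 or off + ln > len(data):
            raise ValueError("bad AVP length")
        yield t, data[off + 2:off + ln]
        off += ln


def vlan_from_avps(data: bytes) -> dict:
    """Group tunnel attributes by tag; return {tag: vlan} only for complete sets."""
    by_tag = {}
    for t, value in parse_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            tag, num = value[0], int.from_bytes(value[1:], "big")
            by_tag.setdefault(tag, {})[t] = num
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte above 0x1F belongs to the string (untagged, tag 0)
            if value and value[0] <= 0x1F:
                tag, name = value[0], value[1:]
            else:
                tag, name = 0, value
            by_tag.setdefault(tag, {})[t] = name.decode()
    result = {}
    for tag, attrs in by_tag.items():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            result[tag] = attrs[TUNNEL_PRIVATE_GROUP_ID]
    return result


if __name__ == "__main__":
    avps = encode_vlan_avps("GUESTS")
    print(avps.hex(), vlan_from_avps(avps))
```

The decoder deliberately ignores a Tunnel-Private-Group-ID that arrives without its matching Tunnel-Type and Tunnel-Medium-Type, which is the usual reason a port stays in its configured VLAN after an otherwise successful authentication.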

    Access Control Lists. I am thinking it is better to apply the ACLs at the closet (access) switches, where I can specify the servers that should be reached by the hosts in my test VLAN and deny those which they should not.
    I used a named extended ACL for my tests; however, it did not go well. With the ACL below applied I cannot reach anything, including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway; however, with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507; the 2 VLANs I am working with are trunked to the 2950 and DHCP is running. I have IP routing enabled on the 4507 and it is the server for the VTP domain.
    ip access-list extended guest
    permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
    permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
    permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
    deny ip any any
    Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?
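The ACL in the post uses 255.255.255.0 where IOS expects a wildcard mask: in an IOS ACL a 1 bit means "don't care", so 172.16.12.0 255.255.255.0 matches any address whose last octet is 0 and nothing else in the test VLAN, and every real host falls through to the deny. The wildcard form of a /24 is 0.0.0.255. The following added example (not from the post) is a small evaluator for IOS extended ACL entries that runs the posted list and the corrected list against constructed flows; the server and VLAN addresses are the ones from the post. It goes slightly beyond the post by handling `any`, `host` and `eq` matching generically.

```python
"""Evaluate Cisco IOS extended ACL entries against sample flows.

Added example, not from the original post. Addresses are those in the post;
the flows below are constructed. IOS wildcard masks: 0 bit = must match,
1 bit = don't care (the inverse of a subnet mask).
"""
import ipaddress

ACL_AS_POSTED = [
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1",
    "permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254",
    "permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53",
    "deny ip any any",
]
# Same intent written with the wildcard mask IOS actually expects for a /24.
ACL_WITH_WILDCARDS = [line.replace("255.255.255.0", "0.0.0.255") for line in ACL_AS_POSTED]


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def subnet_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255"""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_int(mask)))


def hosts_matched(wildcard: str) -> int:
    """How many IPv4 addresses a network/wildcard pair matches (2^(set bits))."""
    return 2 ** bin(ip_int(wildcard)).count("1")


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Bits set in the wildcard are ignored; the rest must equal the network."""
    return (ip_int(addr) | ip_int(wildcard)) == (ip_int(network) | ip_int(wildcard))


def parse_ace(line: str) -> dict:
    """Parse 'permit|deny proto SRC DST [eq PORT]' where SRC/DST is any | host A | A WILDCARD."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 2

    def take():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return ("0.0.0.0", "255.255.255.255")
        if tok[i] == "host":
            i += 2
            return (tok[i - 1], "0.0.0.0")
        i += 2
        return (tok[i - 2], tok[i - 1])

    src, dst = take(), take()
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate_acl(acl: list, flow: tuple) -> str:
    """flow = (proto, src_ip, dst_ip, dst_port or None); first match wins, implicit deny at the end."""
    for ace in map(parse_ace, acl):
        if ace["proto"] not in ("ip", flow[0]):
            continue
        if not wildcard_match(flow[1], *ace["src"]) or not wildcard_match(flow[2], *ace["dst"]):
            continue
        if ace["port"] is not None and ace["port"] != flow[3]:
            continue
        return ace["action"]
    return "deny"


if __name__ == "__main__":
    flow = ("ip", "172.16.12.50", "172.16.12.1", None)   # a test-VLAN host to its gateway
    print("posted:", evaluate_acl(ACL_AS_POSTED, flow))
    print("fixed: ", evaluate_acl(ACL_WITH_WILDCARDS, flow))
    print("addresses matched by 255.255.255.0 as a wildcard:", hosts_matched("255.255.255.0"))
```

With the posted masks, 172.16.12.0 itself is the only in-VLAN address that matches, while 16,777,216 addresses elsewhere in the IPv4 space do; with 0.0.0.255 the entries match exactly the 256 addresses of the test VLAN. The evaluator also shows the implicit deny: a TCP flow to the DNS server is dropped because only UDP/53 is permitted, which is the intended restriction.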

  • Using ACS as a web authentication server

    I have an ACS I use for Tacacs and Radius, and was wondering if I could use it to authenticate a web site for logins. I have an internal site that runs on Windows, but may move to Linux, and would like to have the techs use their Tacacs/Radius logins for the web site as well.

    In Apache you can specify the authentication parameters in the virtual host configuration.

  • Using ACS for change control

    I'd like to set up an ACS server (integrated with Windows Active Directory) for routers and switches so that all network administrators can use their Active Directory account to access network devices, and all activities will be logged on the ACS server. Currently we are sharing a local administrative account (on routers and switches) and I don't have visibility of who is doing what. The idea is to have tighter change control.
    I'd like to have a security group set up in Active Directory with all the network admins in it, and have them use their network account to log into routers and switches. Is this possible?

    Thank you, in that case I have some more questions (if you don't mind) to ask about your instructions.
    1. I only have a RADIUS server (ACS 3.3). Do I need to purchase an additional TACACS+ license to accomplish this? Or do you just want me to add additional TACACS+/RADIUS attributes enabled per user?
    2. Is it possible to map 'Security Group' object instead of individual user?
    3. Please send me a sample CLI configuration for router(or switch).
    Thank you very much for your help.
