Using ACS with Ironport?

Hello
In our libraries we use a product called Netloan which authenticates the users using an SQL database. Effectively the users log in to the machines with a username and PIN number, this is authenticated via an SQL database, and a session is opened for an hour, allowing the user access to the PC.
Once authenticated, the user then attempts to access the internet and the traffic is routed through to our Cisco Ironport appliance which provides the web filtering. We have no issues with the desktop devices as they are on an Active Directory domain, so the Ironport sees their traffic as authenticated and can provide different levels of filtering.
The issue we have is with our public Wi-Fi users who connect to an access point and authenticate with Netloan using a login page we have created on the wireless controller. Once authenticated, however, the Ironport does not see them as authenticated because they are using their own devices, i.e. not on the domain, so we can only apply a default filtering policy based upon source IP address.
We need the Ironport to provide different levels of filtering for the public Wi-Fi users, the same as it does for the desktop ones, even though the Wi-Fi users are using their own devices, not on an AD domain.
Hopefully this makes some sort of sense!
Cheers


Similar Messages

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have successfully deployed this to our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially, one per authentication attempt, e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in a total failure of ACS, users will have to attempt authentication N+1 times before failing over to LOCAL credentials, depending on the number of servers configured. This seems to be from setting "depletion deadtime 1"; however, the alternative is worse:
    With "depletion timed" configured, by the time the user has attempted authentication to servers 2, 3 and 4 the hard-coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, so it will never fail over to local authentication, locking the user out of the device. The PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting. AAA accounting does not record "show" commands, session accounting records (start/stop) or "enable".
    The final issue is ASDM. We can log in to ASDM successfully using ACS/RSA SecurID; however, when a change is made to the configuration ASDM repeatedly sends the user's logon credentials multiple times.
    As an RSA SecurID token can only be used once, this fails and locks the account.
    Any ideas on how to make two of Cisco's leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So it looks like all my issues are known "features" of PIX/ASA integration with ACS. Any ideas on how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?
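The fallback behaviour the two posts above describe (one unanswered server per login attempt, depletion versus timed reactivation, LOCAL consulted only once the whole group is dead) is easier to reason about in a small model. The following Python is an added example written for this page, not Cisco code and not anything from the original thread. The one-server-per-attempt rule, max-failed-attempts 1 and the 30 second timed reactivation are taken from the post's own observations; the depletion deadtime of 60 seconds stands in for the post's "deadtime 1" (minute); the server names acs1..acs4 are placeholders.

```python
"""Model of the ASA AAA server-selection behaviour described in the thread.

Assumptions (a simulation of the post's observations, not Cisco's implementation):
  * each login attempt consults one active server; no answer = that attempt fails
  * max-failed-attempts 1, so a single timeout deactivates a server
  * timed mode reactivates a dead server TIMED_REACTIVATION_S after it died
  * depletion mode reactivates the group only once every server is dead and
    the deadtime has elapsed; LOCAL is used only while every server is dead
"""
from dataclasses import dataclass

TIMED_REACTIVATION_S = 30.0  # the "hard coded 30 second timeout" from the post


@dataclass
class AaaServer:
    name: str
    reachable: bool = False  # does the real ACS answer? False models a total outage
    active: bool = True      # has the ASA currently marked the server usable?
    dead_since: float = 0.0


class AaaGroup:
    def __init__(self, servers, reactivation_mode, deadtime_s=60.0, fallback_local=True):
        if reactivation_mode not in ("depletion", "timed"):
            raise ValueError("reactivation-mode must be 'depletion' or 'timed'")
        self.servers = list(servers)
        self.mode = reactivation_mode
        self.deadtime_s = deadtime_s
        self.fallback_local = fallback_local  # the trailing LOCAL in 'aaa authentication ... LOCAL'

    def _reactivate(self, now):
        dead = [s for s in self.servers if not s.active]
        if self.mode == "timed":
            for s in dead:  # each server comes back on its own, 30 s after it died
                if now - s.dead_since >= TIMED_REACTIVATION_S:
                    s.active = True
        elif dead and len(dead) == len(self.servers):
            # depletion: the whole group returns together once deadtime has passed
            if now - max(s.dead_since for s in dead) >= self.deadtime_s:
                for s in dead:
                    s.active = True

    def login_attempt(self, now):
        """Outcome of one login attempt made at time `now` (seconds)."""
        self._reactivate(now)
        for s in self.servers:  # servers are tried in configuration order
            if not s.active:
                continue
            if s.reachable:
                return f"authenticated by {s.name}"
            s.active, s.dead_since = False, now  # timeout: deactivate this server
            return f"timeout on {s.name}"
        return "LOCAL" if self.fallback_local else "denied"


def simulate(mode, attempt_times, n_servers=4, deadtime_s=60.0):
    """Outcome of each attempt when every ACS server is unreachable."""
    group = AaaGroup([AaaServer(f"acs{i + 1}") for i in range(n_servers)], mode, deadtime_s)
    return [group.login_attempt(t) for t in attempt_times]


if __name__ == "__main__":
    # a user retrying every 10 s against four dead servers
    for mode in ("depletion", "timed"):
        print(f"{mode:10s}", simulate(mode, [0, 10, 20, 30, 40]))
```

With depletion the fifth attempt reaches LOCAL, which is the N+1 count the post measured; with timed, acs1 is back before the user gets through the list, so the group is never empty and LOCAL is never consulted, which is exactly what the appliance's warning says.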

  • ACS with MySQL

    Hi, is it possible to use ACS with a MySQL database?
    regards
    Steffen

    Depends on what you mean.
    The ODBC Authenticator (that is, authenticating users against an external ODBC data source) should work fine with MySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
    If you mean can you use MySQL for ACS's own internal database, then no, you can't.
    Darran

  • ACS with Dynamic VLAN which protocol to use ??

    Hello,
    Which Protocol do I need to use, for providing dynamic VLAN to my desktop machines?
    As in ACS 4.0, if I use the local database of ACS then users successfully get the dynamic VLAN, and as soon as I use the AD database while integrating it with ACS, the authentication fails!!
    Please help.

    Hi,
    Thanks for the reply. I am using EAP-MD5.
    However, the problem is that if I am using the ACS Solution Engine local database, users are getting the dynamic VLAN after authentication.
    But when I use AD as the user database, the authentication fails. Even stranger, if I use the AD database to log in to any Cisco router then the authentication works fine.
    I have been struggling with TAC as well since last week in two different cases; however, they are unable to help. I found TAC has limited resources for ACS.
    So please suggest what to do, as on the Cisco site I found lots of material for wireless but I have only desktops (no wireless).
    So will the URL mentioned below be of any help?
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Thanks in advance
    Vijay

  • Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

    I met a problem when trying to use ACSE + Windows AD to authenticate two kinds of WLAN clients:
    1. Background:
    We have two WLANs: staff and student. Both of them will use PEAP-MSCHAPv2; ACSE will be the RADIUS server, and it will use Windows AD's user database. In AD they created two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
    2. Problem:
    If student1 tries to associate to the staff WLAN, since both the staff and student WLANs use the same authentication method, the auth request will be sent to the AD user database; since student1 is a valid user account in AD, it will pass the authentication and join the staff WLAN. How to prevent this from happening?
    3. Potential solution and its limitation:
    1) Use group mapping in ACSE (Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. The student group will definitely exceed 500 users; how to solve it?
    2) Use methods like "Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS": configure DNIS with the SSID name in a NAR on ACSE. But since DNIS/NAR is only configurable in ACSE, I don't know if AD supports it or not; are there any options in AD like DNIS/NAR in ACSE?
    Thanks for any suggestions!

    I think the documentation for ACS states:
    ACS can only support group mapping for users who belong to 500 or fewer Windows groups
    I read that as: if a user belongs to more than 500 Windows groups, ACS can't map it. The group can have over 500 users; it's just that those users can't belong to more than 500 groups.

  • How do I restrict access to 4 devices using ACS

    Currently in our ACS we have Group A configured to have access to all network devices, with full privilege level 15 access to all devices.
    We are now trying to implement 4 new users; however, we only want them
    to have access to 4 devices (routers, 4 IP addresses) and only have
    basic level 1 functions in the router.
    Is this done under Network Access Filter or Network Access Group?
    Do I need to create a new group or can I somehow implement that into

    I'm using ACS v4.2 on Windows Server with TACACS+.
    Under NAF I have configured the IPs of the servers I want them to access under Selected Items.
    Under NAR I have permitted calling point with the NAF and * *.
    Under the Group Settings:
      Network Access Restrictions (NAR)
        Shared Network Access Restrictions
          Only allow network access when all selected NARs result in permit, with the NAR I just configured in the selected NAR list.

  • 2 ACS with 2 CRA

    Hi All,
    We have installed 2 ACS with two CRAs installed in AD1 & AD2.
    The problem is that when CRA1, which is installed in AD1, is active, everything works fine with both ACS.
    But when CRA1 is down and CRA2, which is installed in AD2, is up, the authentication fails.
    Can anyone help in this regard? I have the logs; if required I can upload them.
    Thanks in advance
    Sachi

    Most likely this is a permission issue.
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
    CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
    CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
    The account running the remote agent service does not have admin rights. Make sure that account has special privileges like "act as part of the OS" and "log on as a service" in your security policy.
    If you are already using an admin account to run it, then try using Local System.
    Regards,
    ~JG

  • 802.1x dynamic vlan assignment using ACS 4.2

    Hi
    We have 10 2960 switches configured with 802.1x authentication against ACS server 4.2.
    We have 2 VLANs configured on the switches, for administrators and end users; the end user VLAN ID is 10 and the administrator VLAN ID is 100.
    We need to apply the following scenario: if the end user PC, which is connected to VLAN 10, has an issue and the administrator logs in to the PC with the administrator account to fix that issue, the switch should dynamically reconfigure the port with the administrator VLAN (100).
    Is the above scenario doable using dot1x with the ACS server?
    Waiting for your replies
    Mohamed


  • 802.1x Dynamic Vlan assignment using ACS

    Hi,
    I have the following scenario
    2 buildings with multiple floors
    Each floor should be in a different VLAN.
    The network should be authenticated with 802.1x and each switch port should be assigned a dynamic VLAN from ACS.
    Each user should be able to connect and roam around between any building. Whenever a user connects his laptop on any floor, he should be made part of that respective VLAN. It is not required to have the same IP range allocated, but the dynamic VLAN should be based on the switch port location.
    Can I configure ACS in such a way that ACS will allocate a dynamic VLAN for every 802.1x authentication based on the Network Device Group? Please refer to the attached diagram.

    Hi,
    Check out the link below for your requirement for dynamic VLAN assignment using ACS
    http://www.ciscosystems.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
    Hope to Help !!
    Ganesh.H
    Remember to rate the helpful post
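The three dynamic VLAN threads above (EAP-MD5 against AD, the administrator VLAN on login, and the per-floor VLAN question) all rely on the same mechanism: ACS returns the RFC 2868 tunnel attributes in the RADIUS Access-Accept and the switch moves the port into the VLAN they name. The following Python is an added example written for this page, not ACS code and not taken from the linked Cisco document: it builds that attribute section and parses it the way a switch must, rejecting malformed lengths, a wrong Tunnel-Medium-Type, and a triple whose tags do not match. The user names and VLAN ids are placeholders, and it accepts only a numeric Tunnel-Private-Group-ID, although IOS also accepts a VLAN name there.

```python
import struct

# RFC 2868 tunnel attributes that carry a dynamic VLAN in an Access-Accept
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_802 = 6   # Tunnel-Medium-Type value "IEEE-802"
USER_NAME = 1           # an ordinary attribute, included so the parser has to skip it


def _avp(attr_type, value):
    """One RADIUS attribute: type (1 octet), length including header (1 octet), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must fit in 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(tag, value):
    # tagged integer attributes: 1 octet tag followed by a 3 octet big-endian value
    return bytes([tag]) + value.to_bytes(3, "big")


def accept_attributes(user, vlan_id, tag=1):
    """Attribute section of an Access-Accept that places `user`'s port in `vlan_id`."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31 (RFC 2868)")
    return (_avp(USER_NAME, user.encode())
            + _avp(TUNNEL_TYPE, _tagged_int(tag, TUNNEL_TYPE_VLAN))
            + _avp(TUNNEL_MEDIUM_TYPE, _tagged_int(tag, TUNNEL_MEDIUM_802))
            + _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def parse_avps(data):
    """Walk an attribute section, yielding (type, value); rejects bad lengths."""
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("attribute length runs outside the packet")
        yield attr_type, data[i + 2:i + length]
        i += length


def assigned_vlan(data):
    """VLAN id a switch should apply, or None when the accept carries no consistent
    (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID) triple
    under one tag; the port then stays in its statically configured VLAN."""
    groups = {}  # tag -> {attribute type: decoded value}
    for attr_type, value in parse_avps(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue  # integer tunnel attributes are always tag + 3 octets
            groups.setdefault(value[0], {})[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # for string attributes the first octet is a tag only when it is <= 0x1F
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr_type] = body
    for g in groups.values():
        if g.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN or g.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
            continue
        vlan = g.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if vlan.isdigit() and 1 <= int(vlan) <= 4094:
            return int(vlan)
    return None


if __name__ == "__main__":
    pkt = accept_attributes("student1", 10)  # placeholder user and VLAN
    print(pkt.hex(), "->", assigned_vlan(pkt))
```

Grouping by tag is what makes the check strict: an accept that carries Tunnel-Type under tag 1 and Tunnel-Medium-Type under tag 2 does not describe one VLAN, and a Tunnel-Medium-Type of anything but IEEE-802 means the Tunnel-Private-Group-ID is not a VLAN at all.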

  • ACS with Sidewinder G2

    I am trying to implement Radius (using ACS v3.2) on Secure Computing's Sidewinder G2. It appears I need a VSA (vendor specific attribute) to make it work properly. I have tried it with Radius (IETF) but no luck. Any suggestions on how I might go about this ? Or is this even possible ?

    If the Sidewinder G2 firewall vendor has/requires vendor-specific attributes to be sent by the authentication server, then we would need the VSA definition from the vendor.
    On the other hand, I have seen it working (basic authentication) with RADIUS IETF.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS with Checkpoint

    Hi,
    We have a Checkpoint Firewall using ACS for authentication with RADIUS protocol.
    We have two ACS servers configured as primary and secondary on the Checkpoint. Both the ACS servers are configured to use AD as the external database.
    Checkpoint is forwarding the authentication request to the primary ACS server. The primary ACS server receives the request and keeps trying to authenticate with AD. For some reason, the authentication is failing. Please check the attached failed login attempt log. ACS tries the authentication many times and hence the user's account is being locked out on AD.
    Meanwhile, Checkpoint does not receive any response from the primary ACS server. So, it goes to the secondary ACS server. Checkpoint is able to authenticate with the Secondary ACS server.
    To add more information to the case, the primary ACS server is successfully authenticating requests from wireless Access Points for the same user accounts.
    The External Database configuration on both the ACS servers look the same.
    Please let me know, what could be the problem and why the Primary ACS server is not authenticating requests from Checkpoint, while it can authenticate requests from Wireless Access Points.
    Regards,
    Suresh

    Hi Suresh,
    In the package.cab this is what I find,
    5/2/2007  23:48:13  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
    5/2/2007  23:48:18  Authen failed  jiwilson  Global_Admins  External DB account locked out  jiwilson  10.64.45.1
    AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
    AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
    AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
    Windows is returning error code "error 1326L"
    1326L ERROR_LOGON_FAILURE : The attempted logon is invalid. This is due to either a bad user name or authentication information.
    I would like you to check for a permission issue, since the same user is able to log in via the secondary ACS.
    In the domain controller serving the ACS server:
    - Create a user.
    - To make it hard to hack, give it a very long, complicated password.
    - Make the user a member of Domain Admins group.
    - Make the user a member of Administrators group.
    On the Windows 2000 server running ACS:
    - Add new user to proper local group.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Computer Management."
    -- Open "Local Users and Groups" and then "Groups."
    -- Double-click the "Administrators" group.
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    - Give new user special rights on ACS server.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Local Security Policy."
    -- Open "Local Policies."
    -- Open "User Rights Assignment."
    -- Double-click on "Act as part of the operating system."
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    -- Double-click on "Log on as a service."
    -- Click "Add."
    -- Choose the domain from the "Look in" box.
    -- Double-click the user created earlier to add it.
    -- Click OK.
    - Set the ACS services to run as the created user.
    -- Open "Administrative Tools" from the control panel.
    -- Open "Services."
    -- Double-click the CSADMIN entry.
    -- Click the "Log On" tab.
    -- Click "This Account" and then the "Browse" button.
    -- Choose the domain, double-click the user created earlier.
    -- Click "OK."
    -- Repeat for the rest of the CS services.
    - Wait for Windows to apply the security policy changes, or reboot the
    server.
    - If you rebooted the server, skip the rest of these instructions.
    - Stop and then start the CSADMIN service.
    - Open the ACS GUI.
    - Click on System Config.
    - Click on Service Control.
    - Click "Restart."
    Note that if the Domain Security Policy is set to override settings for "Act as part of the operating system" and "Log on as a service" rights,
    the user rights changes listed above will also need to be made there.
    Regards,
    Jagdeep
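Both remote-agent threads above end in the same failure signature: the CSWinAgent and CSAuth service logs record "Attempting Windows authentication for user X" followed by "Windows authentication FAILED (error NNNNL)", and in the Checkpoint case ACS kept retrying until AD locked the account. The following Python is an added example for this page, not part of either reply and not Cisco tooling: it pairs each FAILED line with the preceding Attempting line on the same service and thread, extracts the Win32 error code, and flags users whose failures cluster inside an AD lockout window. The sample log embeds the lines quoted in the thread plus a few constructed lines (marked) so that it runs offline; the 3-failures-in-5-minutes threshold is an assumed lockout policy, and only error 1326 is mapped because that is the one the thread explains.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines quoted in the two replies above. Lines 7 and 11-13 are constructed for this
# example: they give the 23:47:14 failure a preceding "Attempting" line and add the
# retries the reply describes ("ACS tries the authentication many times").
SAMPLE_LOG = """\
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:45:52 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
CSWinAgent 08/06/2008 12:45:52 A 0436 3860 RPC: NT_MSCHAPAuthenticateUser reply sent
CSWinAgent 08/06/2008 12:46:16 A 0371 3860 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Attempting Windows authentication for user s.shetty
CSWinAgent 08/06/2008 12:46:16 A 0048 3860 NTLIB: Windows authentication FAILED (error 6L)
AUTH 05/02/2007 23:47:13 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:14 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Reattempting authentication at domain PLT
AUTH 05/02/2007 23:47:14 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:15 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 05/02/2007 23:47:16 I 0365 0728 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user jiwilson
AUTH 05/02/2007 23:47:17 E 0365 0728 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
"""

# <service> <mm/dd/yyyy> <hh:mm:ss> <level> <nnnn> <thread> <module>: <message>
LINE_RE = re.compile(
    r"^(?P<svc>\w+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z])\s+(?P<code>\d{4})\s+(?P<thread>\d+)\s+(?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAIL_RE = re.compile(r"Windows authentication FAILED \(error (?P<err>\d+)L\)")

# only the code the thread itself explains; anything else is reported unmapped
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE: bad user name or authentication information"}


def describe_error(code):
    return WIN32_ERRORS.get(code, f"unmapped Win32 error {code}")


def parse_failures(lines):
    """Return [(timestamp, service, user, win32_error)] for each failed Windows auth."""
    pending = {}  # (service, thread) -> user named by the most recent Attempting line
    failures = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        key = (m["svc"], m["thread"])
        attempt = ATTEMPT_RE.search(m["msg"])
        if attempt:
            pending[key] = attempt["user"]
            continue
        fail = FAIL_RE.search(m["msg"])
        if fail and key in pending:  # FAILED lines name no user; use the paired Attempting
            failures.append((ts, m["svc"], pending.pop(key), int(fail["err"])))
    return failures


def lockout_candidates(failures, threshold=3, window=timedelta(minutes=5)):
    """Users whose failures within `window` reach `threshold` (assumed AD lockout policy);
    returns {user: most failures seen inside one window}."""
    recent, flagged = defaultdict(deque), {}
    for ts, _svc, user, _err in sorted(failures):
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG.splitlines())
    for ts, svc, user, err in fails:
        print(ts, svc, user, describe_error(err))
    print("lockout risk:", lockout_candidates(fails))
```

The pairing by service and thread id matters because ACS writes the user name only on the Attempting line; a failure counted against the wrong user would hide exactly the retry storm the thread is about.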

  • Replacing ACS with ISE

    What is required to replace ACS with ISE in simple terms?
    I am looking to basically authenticate wired and wireless access against the (local/AD) user database via Cisco kit.
    I am thinking all I need is the BASE (perpetual) license rather than the advanced/wireless licenses
    Is there a limit to how many devices or users the base can deal with in its simplest form.
    I would also like to be able to push out a splash screen for wireless users during authentication. Can this be done just with the ISE Base License alone for a wireless solution (via WLC with LWAPS or Autonomous APs)
    thanks 
    dave

    Yes, you can authenticate the user using ISE, but you need an Advanced license if you want to use both wired and wireless. Here is a small table to help you understand the license requirements. Also, the max. devices supported depends on the type of deployment, and with the Advanced features you have the ability of profiling and posturing, which provides very good control for admins in the network.
    Software packages:
    Package           Capabilities                                                       Deployment support         Prerequisite       Term
    Base              Basic network access and guest access                              Wired, wireless, and VPN   None               Perpetual
    Advanced          Profiler and feed service, posture, MDM integration, automated     Wired, wireless, and VPN   Base license       1-, 3- and 5-year
                      endpoint onboarding, and Security Group Access (SGA)
    Wireless          Basic network access, guest access, profiler, posture, and SGA     Wireless                   None               1-, 3- and 5-year
    Wireless Upgrade  Basic network access, guest access, profiler, posture, and SGA     Wired, wireless, and VPN   Wireless license   1-, 3- and 5-year
    Each package is available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints (Wireless Upgrade as upgrade licenses).
    ***Do rate helpful posts***

  • Using CiscoSecureACS with CiscoWorks-RME

    I need help in configuring CiscoWorks to use CiscoSecureACS for login authentication. I have specified TACACS+ as the login module. I am able to log in with an account from the ACS server. However, the permissions aren't configured correctly. When I log in with the ACS server account, options aren't displayed (e.g., under RME, Administration, Inventory, Add Devices, the Add Device option isn't present). Please advise.

    To be succinct, ACS doesn't have all the fields that are required by Ciscoworks. That is why you still need to define the user profiles in ACS.
    ACS is simply an authenticator. Ciscoworks still handles authorization. Look at the fields available in Ciscoworks and you'll see there are a number of roles that each user can take. I suppose Cisco may someday include extensions in ACS to handle the specific CiscoWorks profile fields but that isn't the case today.
    I think the advantage to using ACS is the centralized authentication. Users don't have to change their passwords in multiple places. Logon violations are recorded in one place.
    You'll find that once you define the profiles in CiscoWorks they will remain quite static.

  • Authenticate users by Windows group using ACS

    Currently we are using Windows IAS/RADIUS to authenticate users onto our wireless network and it is set to allow users in a certain Windows group to connect.
    Is there a way to do this with ACS?
    Please note that we are using ACS Solution Engine, not ACS for Windows.
    Thanks.

    Use Remote Agent for Windows user authentication feature or configure Windows AD as the LDAP on ACS SE.
    then configure group mapping, and put the restrictions accordingly.
    Regards,
    Prem
    Please rate if it helps!

  • ACS with Tivoli Identity Manager

    Has anyone implemented ACS with ITIM? It was press released almost a year ago and I cannot find any technical documentation to find out how it integrates. What I need to find out is: Does the ACS server use ITIM as a external database for user auth? Or do both products need to backend into the same LDAP dir for user/pass info?

    Yes, we have. ITIM has developed an ITIM ACS agent for Cisco ACS integration. The ITIM ACS Agent is installed on the ACS server and it communicates with the Cisco ACS application through the available Cisco ACS API. Through the ITIM agent, TIM can create, delete and modify ACS user accounts. No, the Cisco ACS server cannot use the ITIM database as an external database for user auth.
