Using ACS with PIX/ASA

Similar Messages

• Using ACS with Ironport?

  Hello
  In our libraries we use a product called Netloan which authenticates the users using an SQL database. Effectively the users login to the machines with a Username and Pin number and this is authenticated via an SQL database and a session is opened for an hour, allowing the user access of the PC.
  Once authenticated, the user the attempts to access the internet and the traffic is routed through to our Cisco Ironport appliance which provides the Web Filtering. We have no issues with the desktop devices as they are on an Active Directory domain so the Ironport sees thier traffic as authenticates and can provide different levels of filtering.
  The Issue we have is with our Public Wifi users who connect up to an Access Point and authenticate with Netloan using a login page we have created on the wireless controller. Once authenticated however, the ironport does not see them as authenticated because they are using thier own devices....i.e not on the domain so we can only apply a default filtering policy based upon source IP address.
  We need the ironport to provide different levels of filtering for the Public Wifi users, the same as it does for the Desktop ones, even though the Wifi users are using thier own devices..not on an AD domain.
  Hopefully this makes some sort of sense!
  Cheers

  Just re-reading the PIX/ASA 7.2 command reference guide below:
  http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
  It appears some of the above are known issues.
  PASSCODE issue, page 2-17 states:
  We recommend that you use the same username and password in the local database as the
  AAA server because the security appliance prompt does not give any indication which method is being used.
  Failure to LOCAL, page 2-42 states:
  You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
  AAA Accounting, page 2-2 states:
  To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
  ASDM issue, page 2-17 states:
  HTTP management authentication does not support the SDI protocol for AAA server group
  So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
  Is there a roadmap to improve this with later versions of the OS?
  Will the PIX/ASA code ever properly support the same features as IOS?
  Would it be better to look at using something like CSM instead of ASDM?

• Noise using earbuds with Pixi

  I'm trying to figure out if there is a problem with my Pixi or if this is normal behaviour:
       I have had my Pixi for about a month and recently I've started using it as a video and music device.  The problem is, when I use earbuds with my Pixi, there is a lot of noise coming through them.   I can hear the headphone jack turn on because it goes from completely silent to very noisey.  If I turn the volume all the way down while I'm listening to music, I can still here the noise and when I put the volume at 'one' there is even more background noise accompanying my music. 
       The noise does not keep getting louder as I turn the volume higher and higher.  Eventually it is drowned out by the music.  But I like to listen to my music very quietly since I work in a quiet environment, and I would like to be able to keep it on 'one' or 'two.'
       I've tried three different headsets and they all have this background noise coming through, but I don't know if every pixi has this problem with music at low volumes or if mine needs to be repaired.  I would love to hear comments, experience, and advice about what to do to solve this problem.
  Thanks.
  Post relates to: Pixi p120eww (Sprint)

  Nope, not just you.  I've now heard it on two Pixis--second was a replacement from Amazon that apparently didn't solve my problem with echoing on the phone.

• PIX, ASA or VPN concentrator & dynamic VPN

  Hi all,
  I need help what to use and how to do next.
  What we need is to create remote VPN for many users so that every user is member of more than one group and every group is linked to predefined set of rules, for instance you can access this IPs, ports and so on.
  How to do that dynamically? Is it possible to do that with one certificate?
  Other question is what to use? ..PIX, ASA, VPN concentrator ?
  BR
  jl

  The PIX and VPNC are both end of sale products now and unless you already have them your only choice is IOS or ASA. Of those two the ASA is the Cisco preffered platform for Remote Access VPNs.
  You can map users to groups using Active Directory OUs, let them select a group at logon, have different logon URLs per group etc. However as far as I know this is not possible:
  "every user is member of more than one group "
  Some links:
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008089149d.shtml
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808bd83d.shtml
  With remote access IPSEC VPNs you can either define the groups on the ASA or externally on the ACS Server.
  Pls. rate if helpful.
  Regards
  Farrukh

• "authorization exec" on PIX/ASA

  I'm seeing posts that hit all around my questions, and based on my intereptation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
  I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
  For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?

  Hi,
  Yes, you are correct, currently there is no shell exec on pix/asa, that we have on all routers and switches. In case you are using TACACS+ for WebVPN, and dont want to allow them to login via SSH for administration, probably you can try the same login that is used in Access Points,
  Actually what happens in, if you have ever came across mac authentication on AP's. On local database of AP, user accounts are created using the mac address as username/password. But interesting thing is, they have *autocommand* in the end i.e.
  username xxxx password xxxx
  username xxxx autocommand exit
  So what actually happens here is, though user is authenticated, but if that user tried to use their MAC address to log into AP [If they think they are cleaver enough], then they will login in and will be kicked out automatically.
  Havnt tried this yet, probably we can use same logic with PIX/ASA. Making use of "auto command" under "TACACS+ Settings" for a group/user.
  Probably, I'll do a small re-create of it and will let you know, you try at your end.
  Regards,
  Prem

• Automatic jump to privilege level 15 in PIX/ASA

  Hi, with IOS router and switch I'm able to authorize the user to jump automatically to the correct privilege level in login phase, as configured in authorization privilege field in ACS.
  With PIX/ASA the jump does not run: why ?
  thank you in advance
  RS

  I have to disagree here.
  It's not a security feature. The privilege level feature was never properly implemented in the PIX/ASA. You may call it a bug
  I would have been a security feature if it would be implemented on all privilege levels besides level 15, so that users were prevented from going directly to priv. exec mode. But on the ASA/PIX, it does not work for any level (as the feature was not implemented).
  Regards
  Farrukh

• ACS with MySQL

  Hi, Is it possible to use ACS with mySQL database?
  regards
  Steffen

  Depends on what you mean.
  The ODBC Authenticator (that is authenticate users against an external ODBC datasource) should work fine with mySQL. There is a white paper I wrote still kicking about on CCO somewhere if you search for it.
  If you mean can you use mySQL for ACSs own internal database.. then no you cant.
  Darran

• ACS with Dynamic VLAN which protocol to use ??

  Hello,
  Which Protocol do I need to use, for providing dynamic VLAN to my desktop machines?
  As in ACS 4.0 if I use local database of ACS then users successfully get the dynamic VLAN & as soon I use AD database while integration it with ACS ,the authentication fails!!
  Please help.

  Hi,
  Thanks for the reply. I am using EAP-MD5.
  However, the problem is if I am using ACS solution Engine local database, users are getting dynamic VLAN after authentication.
  But when I use AD as user database, the authentication fails. Even strange thing is that if I use AD database to log in to any Cisco Router then the authentication is working fine.
  Even I am struggling with TAC also from last week in two different cases! However, they are unable to help! I found TAC has limited resource for ACS.
  So please suggest what to do as on Cisco site, I found lots of stuff for Wireless but I have only the desktops (no wireless).
  So will the mention below URL be of any help?
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
  Thanks in advance
  Vijay

• TACACS config for PIX & ASA

  I am struggling in configuring the TACACS configure to allow authentication via Cisco ACS, I could able to configure for switches 2950,3750 but not with ASA & PIX, can any let me know the configs?

  I am actually looking for a similar command which I used on the Cisco 2950/3750
  aaa new-model
  aaa authentication login default group tacacs+ enable local
  aaa authentication enable default group tacacs+ enable
  aaa authorization exec default group tacacs+ if-authenticated
  aaa authorization commands 1 default group tacacs+ if-authenticated
  aaa authorization commands 15 default group tacacs+ if-authenticated
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 1 default start-stop group tacacs+
  aaa accounting commands 15 default start-stop group tacacs+
  with this commands I could able to track the command what all the user has used, logs with the user name which I configured on TACACS, the command which you have sent me I could able to login with the TACACS user name "aaa-server TACACS+ host " but it is not accounting all the details like login & logout time, command what the user has issued etc..

• AAA problems PIX/ASA

  Hello
  I have a problem with authentication on my network. Here I have support level 2 and level 3.
  Level 2 support, has restricted access to some switches and routers, the firewalls they could only give "Show ", the problem is that this is not happening.
  I configured on the ACS command shell Authorization for the commands on switches and routers, for these users of level 2. and PIX / ASA shell commands, I set only the command Enable and Show.
  My problem is that even when the support level 2 tries to access PIX and ASA on my network, they use the authorization of routers and switches, they do not use the parameters that I set up the PIX and ASA for Shell.
  the only firewalls on my line is this Authorization below
  Authorization TACACS + aaa command LOCAL
  I have to configure anything else?
  I can not create command line only for Firewalls.
  I'm missing something? something missing?
  my firewall and IOS versions:
  Pix: 6.3
  ASA 6x, 7x, 8x
  thanks for help
  Digite um texto ou endereço de um site ou traduza um documento.
  Cancelar
  Ouvir
  Ler foneticamente
  Tradução do português para inglês

  My problem is that my ACS v4.2, is not able to be distinguished from other shell comamds PIX / ASA. The same shell commands used in the switches, is being applied in firewalls.
  There is a way to create separate privileges between switches and firewalls?
  output of routers and firewalls. Switches and routera are the same
  switches
  aaa authentication login ACS-AUTH group ACS-TACACS local
  aaa authorization config-commands
  aaa authorization exec ACS-AUTH group ACS-TACACS local
  aaa authorization commands 15 default group ACS-TACACS local
  aaa accounting exec default start-stop group ACS-TACACS
  aaa accounting commands 15 default start-stop group ACS-TACACS
  firewalls
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (transit) host x.x.x.x
  aaa-server RADIUS protocol radius
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication http console TACACS+ LOCAL
  aaa authentication enable console TACACS+ LOCAL
  aaa authentication telnet console TACACS+ LOCAL
  aaa accounting enable console TACACS+
  aaa accounting ssh console TACACS+
  aaa accounting command privilege 15 TACACS+

• Using ACS for VLAN assignment

  Hi Guys, I have been looking at the use of Cisco ACS server for VLAN assignment. So far I have searched through a number of threads and no found what I am looking for specifically so here it goes.
  1) When the RADIUS attributes have been configured in ACS (64, 65 + 81), and in my case I have them in the group configuration. For the VLANs to be assigned to the various users at their ports will every VLAN name in the RADIUS settings have to in the switches which are used for access?
  2) Is there a limit to the number of VLANs that can be assigned by the RADIUS(IETF) portion of ACS or would it be better to use RADIUS(IOS/PIX)? I am thinking of about 15 VLANS.
  I am using a Catalyst 4500 (IOS supervisor) and 2950s and 2970s at the closets.
  Thanks for any help...
  Kelvin

  Access Control Lists..I am thinking it is better to apply the ACLs at the closet (access) switches where I can specify the servers that should be reached by the hosts my test VLAN and deny those which they should not.
  I used a named extended ACL for my tests however, it did not go well. With the ACL below applied I cannot reach anything including the server I actually want to reach. My intention was to allow the hosts in the test VLAN 172.16.12.0/24 to reach 2 particular servers and their gateway however with the list applied I cannot reach anything at all. The setup is one 2950 connected to a 4507 the 2 VLANs I am working with are trunked to the 2950 and dhcp is running. I have IP routing enable on the 4507 and it is the server for the VTP domain.
  ip access-list extended guest
  permit ip 172.16.12.0 255.255.255.0 host 172.16.12.1
  permit ip 172.16.12.0 255.255.255.0 host 172.16.2.254
  permit udp 172.16.12.0 255.255.255.0 host 172.16.2.245 eq 53
  deny ip any any
  Any advice on how I can restrict the hosts which will be on this VLAN from accessing the rest of the network?

• Converting PIX/ASA logs into CSV

  I work as a network forensics analyst for a gov't agency. We are getting large amounts of PIX and ASA logs being pushed to our Syslog server. I'm trying to create a script to parse/convert the standard PIX/ASA logs into CSV files in order to assist with integration to other products. Has anyone had success with this, or have a perl / shell script(awk grep, etc) written for this task?  I would like to capture as much data as possible.

  What syslog server are you using? The free kiwi syslog has an option to spin a new file based on the time or day to a text file automatically which can be archived later. Seems like kiwi can export in .csv format. http://www.kiwisyslog.com/help/syslogwebaccess/index.html?export_to_csv.htm
  -KS

• Problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN c

  I met a problem when try to use ACSE+ Windows AD to authenticate two kind of WLAN clients:
  1. Background:
  We have two WLAN: staff and student, both of them will use PEAP-MSCHAPv2, ACSE will be the Radius server, it will use Windows AD's user database. In AD, they create two groups: staff and student. The testing account for staff is staff1, the testing account for student is student1.
  2. Problem:
  If student1 try to associate to staff WLAN, since both staff and student WLAN using the same authentication method, the auth request will be send to AD user database, since student1 is a valid user account in AD, then it will pass the authentication, then it will join the staff WLAN. How to prevent this happen?
  3. Potential solution and its limitation:
  1) Use group mapping in ACSE(Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping), but ACS can only support group mapping for those groups that have no more than 500 users. But the student group will definitely exceed 500 users, how to solve it?
  2) Use methods like “Restrict WLAN Access based on SSID with WLC and Cisco Secure ACS”: Configure DNIS with ssid name in NAR of ACSE, but since DNIS/NAR is only configurable in ACSE, don't know if AD support it or not, is there any options in AD like DNIS/NAR in ACSE?
  Thanks for any suggestions!

  I think the documentation for ACS states:
  ACS can only support group mapping for users who belong to 500 or fewer Windows groups
  I read that as, If a user belongs to >500 Windows Group, ACS can't map it. The group can have over 500 users, its just those users can't belong to more than 500 groups.

• Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

  Hello
  I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
  The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISR's. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
  So I am stuck...
  What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
  I was hoping Azure's VPN solution would be very flexible.
  Thanks

  Hello RTF_Admin,
  1. Which is the Series of CISCO ASA device you are using?
  Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
  Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
  However, you should be able to setup a site-to-site VPN with Cisco ASA 5505 series security appliance as demonstrated in this blog:
  Step-By-Step: Create a Site-to-Site VPN between your network and Azure
  http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
  You can refer to this article for Cisco ASA templates for Static routing:
  http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
  If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device as Multisite VPN requires dyanmic routing and unfortunately there is no tweak or workaround due to hardware compatibility issue.
  I hope that this information is helpful
  Thanks,
  Syed Irfan Hussain

• How do I restrict access to 4 devices using ACS

  Currenlty in our ACS we have Group A configured to have access to all network devices-f with ull privilege level 15 access to all devies
  We are now trying to implement 4 new users, however we only want them
  to have access to 4 devices-routers (4 IP addresses)-and only have
  basic level 1 functions in the router
  Is this done under Network Access Filter or Network Access Group?
  Do I need to create a new group or can I somehow implent that into

  I'm using ACS v 4.2 on windows server-TACACS
  Under NAF I have configured the IP's of the server I want them to access under Selected Items
  Under NAR I have permitted calling point
  with the NAF and  *  *
  Under the Group Settings
  Network Access Restrictions (NAR)
    Shared Network Access Restrictions
  Only Allow network access when
  All selected NARs result in permi
  all selected NARs result in permit..with the NAR i just configured in the selected NAR list