Using Cisco ACS for Solaris login authentication

Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, David

Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.

Similar Messages

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using the RSA-provided EAP client with both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third-party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native), ACS gives "external DB password invalid" and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one-time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd-party Dell client, we can successfully authenticate using either PEAP-GTC (Cisco PEAP), EAP-FAST or EAP-FAST-GTC.
    A list of the EAP protocols supported by the RSA is attached.
    Also below is the link which says MS-PEAP is NOT supported with the RSA; please check the
    table "EAP Authentication Protocol and User Database Compatibility".
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leave the AP authentication open and try to authenticate using RADIUS through a firewall or Cisco router authentication proxy.

  • Please help me configure authentic connection with Caller ID via ISDN 30B+D using Cisco ACS

    Hi all
    I have set up a dial-up connection between two PCs at a remote site and the center. It uses ISDN 30B+D, which is configured on a Router 3845. Currently I have configured an authenticated connection with username and password using Cisco ACS. To enhance the security configuration I want to also authenticate the phone number which dials up, using Cisco ACS. Currently I have not done this. Please help me solve this problem.
    Thanks so much
    Longn

    1) I deleted bridge-utils, netcfg
    2) I edited /etc/hostapd/hostapd.conf:
    interface=wlan0
    #bridge=br0
    edited /etc/dnsmasq.conf:
    interface=wlan0
    dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
    and edited /etc/rc.local:
    ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
    ifconfig wlan0 up
    3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
    Profit!

  • Cisco ACS 4.2.1 authentication problem

    We are using Cisco ACS 4.2.1 on Windows 2003 to authenticate with Windows 2003 Active Directory. We have updated the Active Directory server to the Windows 2008 version. We have checked the configuration of ACS on the Windows database and there is no problem, but we can't see dynamic users in ACS. I have an authentication problem from ACS 4.2.1 to Windows 2008 R2 Active Directory.

    Hi there,
    There is a section in ACS 4.x where you can define whether ACS should show the dynamic users or not; make sure that this option is unchecked. For this, go to External User Databases / Unknown User Policy / Configure Caching Unknown Users.
    Also, if you are facing authentication issues with ACS 4.x and Windows 2008 R2, you may want to read my previous answer.
    Let me know if this helps.

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, could someone post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignments, and other technology sets that can be used for dynamic VLAN assignment, EXCEPT the deprecated/obsolete VMPS?
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just create your RADIUS server (ACS, FreeRADIUS, Steel-Belted RADIUS, etc.). Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics of, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.

  • Authenticating using Cisco ACS 4.2 integrated with Active Directory 2003

    How do I check that users are authenticated using Cisco ACS 4.2 integrated with Active Directory 2003? Can anyone help me with this? Thanks.

    You can't actually see the user's membership from ACS. All you can do is create a group mapping under the External Database >> Group Mapping section. This gives you an option to map an external (AD) group to an internal group. The group membership needs to be modified under Active Directory.
    Once a user is successfully authenticated and learned as a dynamic user in the ACS user setup database, it will be mapped to an ACS internal group based on the group mapping we did.
    Let me know if you have any doubts.
    Regards,
    Jatin

  • If I upgrade to Firefox 3.6 I can't use LoginKing software for auto login. Any chance this will be possible in the future?

    I have not upgraded to Firefox 3.6 yet because I am unable to use LoginKing software for auto login. When will a future update not exclude me from using this software?

    I contacted Login King but never got a response. So, I'm hoping that a future update from Firefox will be the answer. How far off is 3.7?

  • Cisco ACS for Unix authentication

    My company is looking for a single sign-on for all the Windows and Unix servers, mainly for admins. I was wondering if Cisco ACS will work for this.
    Basically the authentication will be for all the servers and routers, of course. I am thinking, if I specify Windows AD in the ACS config, can I get the Unix boxes authenticated against RADIUS?
    Any help will be appreciated.
    Manny

    Hi,
    Authentication of Unix servers via ACS over the RADIUS protocol is achievable; check out the link below. Client-end configuration needs to be done for RADIUS authentication.
    Hope that helps with your query!
    http://www.ibm.com/developerworks/library/l-radius/
    Regards
    Ganesh.H

  • CS-MARS user authentication using Cisco ACS

    Hi,
    I would like CS-MARS (Web Interface) user authentication to be done by a Cisco ACS server. Please let me know whether it is possible or not, and if possible, how to configure it.
    Thanks and Regards,
    Ahmed Shahzad.


  • [Cisco ACS] 11036 The Message-Authenticator RADIUS attribute is invalid

    Hi,
    I have many Cisco APs which are linked to 2 Cisco WLCs.
    On each WLC, I configured a primary and a secondary RADIUS Server.
    RADIUS servers are Cisco ACS 5.2.0.26 (patch 10)
    Primary and secondary ACS configurations are synchronized.
    There is no problem between the primary WLC and Cisco ACS (primary and secondary).
    When the secondary WLC requests the primary Cisco ACS, I get this error: "11036 The Message-Authenticator RADIUS attribute is invalid"
    The secondary WLC automatically contacts the secondary Cisco ACS and it works fine.
    Cisco ACS description for this error: "This may be because of mismatched Shared Secrets."
    The two Cisco ACS are synchronized, so I should have the same error on both...
    Why does the primary ACS generate this error?
    Thanks for your help,
    Patrick
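    As an added example that is not part of this thread, the following Python models the RADIUS Access-Request that both the Solaris/PAM question at the top and this WLC question depend on: PAP User-Password hiding under the shared secret (RFC 2865) and the Message-Authenticator HMAC-MD5 check that ACS reports as error 11036 when the client's shared secret does not match. The secret, Request Authenticator, username and password are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; in a deployment the secret is the one configured on both the NAS and ACS.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_AUTHENTICATOR = bytes(range(16))  # Request Authenticator; a real NAS sends 16 random bytes


def md5_stream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (hiding=True) and its inverse on the server."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = out[-16:] if hiding else chunk  # chaining always uses the previous ciphertext block
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def find_attr(packet: bytes, code: int):
    """Return (offset, value) of the first attribute with this type code, or (None, None)."""
    pos = 20
    while pos + 2 <= len(packet):
        length = packet[pos + 1]
        if length < 2:  # malformed attribute; stop rather than loop forever
            break
        if packet[pos] == code:
            return pos, packet[pos + 2:pos + length]
        pos += length
    return None, None

def build_access_request(user: bytes, password: bytes, secret: bytes, ident: int, authenticator: bytes) -> bytes:
    """Access-Request (code 1) carrying User-Name(1), User-Password(2) and Message-Authenticator(80)."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = attr(1, user) + attr(2, md5_stream_xor(padded, secret, authenticator, True))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    # HMAC-MD5 keyed with the shared secret over the whole packet, Message-Authenticator zeroed
    mac = hmac.new(secret, header + attrs + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def message_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """The receiver's check; it fails with ACS error 11036 when the two ends hold different secrets."""
    pos, received = find_attr(packet, 80)
    if pos is None or len(received) != 16:
        return False
    zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), received)

def server_check(packet: bytes, secret: bytes, expected_password: bytes) -> str:
    """Server-side handling: verify the HMAC first, then recover the PAP password and compare it."""
    if not message_authenticator_valid(packet, secret):
        return "reject: Message-Authenticator invalid (shared secret mismatch?)"
    _, hidden = find_attr(packet, 2)
    cleartext = md5_stream_xor(hidden, secret, packet[4:20], False).rstrip(b"\x00")
    return "accept" if hmac.compare_digest(cleartext, expected_password) else "reject: bad password"
```

    Running server_check on a request built with DEMO_SECRET returns "accept"; with any other secret the Message-Authenticator check fails before the password is even examined, which is the symptom the thread describes.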

    Tarik Admani wrote:
    Amjad,
    That is a good observation, shouldn't 7.3 (which was recently released) help put these types of issues to rest? I hear that the configuration can now be replicated from one controller to the next in a failover setup.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
    Yes. That is a good point.
    With 7.3 you can use high availability (HA) between two WLCs: you configure only one WLC (the primary) and all the configuration is replicated and synced to the other WLC (the secondary).
    The two WLCs in the HA pair must be on the same subnet though. Otherwise hot-standby HA between WLCs can't be used.
    Rating useful replies is more useful than saying "Thank you"

  • Using Cisco TACACS for CSS11501

    I currently have an 11501 series CSS and am trying to have authentication use our ACS appliance. I added the config listed below, but when running "show tacacs-server" both servers are listed as dead. I am able to ping both ACS servers without issue.
    The following is the configuration I have added to the CSS:
    virtual authentication primary tacacs
    tacacs-server authorize config
    tacacs-server authorize non-config
    tacacs-server account non-config
    tacacs-server account config
    tacacs-server 10.10.75.9 49 primary frequency 10
    tacacs-server key ****
    ip management route 10.10.75.0 255.255.255.192 10.10.253.1
    Any help would be greatly appreciated.
    Thanks,
    -Dennis

    Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified.
    Users whose accounts were created in the CiscoSecure ACS database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204cf8.html

  • Use same ACS for multiple forests

    Is it possible to use one ACS appliance to authenticate users in different Windows forests?
    Is it perhaps only possible when a trust relationship exists between the forests?
    Gr.
    Remco

    Remco,
    Yes, trust is required. The other way is to set up a proxy:
    Cross-Forest Authentication
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx#EE
    VAG
    In this setup we would need one more RADIUS server and also need to set up a proxy in it.
    Regards,
    ~JG
    Do rate helpful posts

  • Using "Federation Trust" for remote login to client

    I have a question: would "ADFS Federation Trusts" work for remote RDP login to clients?
    Quick explanation: We have a service provider who has multiple engineers who need access to a number of clients' networks. Rather than creating a "shared account" at each client, which isn't auditable, I'm looking for a way I can have the engineers use their domain accounts to authenticate at the clients' networks.
    I know this could be done by setting up full AD trusts, but creating VPN tunnels with full network access to each client is not an option. Is this possible with ADFS in any way?
    Thanks,

    Neither the RDP client nor the server supports this. Citrix has an option for federated logins, but you have to find out all requirements from Citrix directly.
    Because this is an ADFS-related question I recommend moving the thread to the ADFS forum - http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
    Hope that helps,
    Lutz

  • With Cisco Secure ACS For Windows TACACS+, authentication fails with AD

    I am setting up a Cisco Secure ACS 4.2 server to act as a TACACS server for switches and routers. I am using Windows 2003 Server for the ACS, and a Windows 2003 Active Directory server. The AD server is fine, as it is used for many other things.
    I have set up ACS as defined in the installation guide, including all the steps in the 'Member Server' section of the install guide when using AD as an external database (i.e. setting up the services to run with a domain admin account, setting up a machine called 'CISCO' on the domain, etc.).
    I've set the unknown user policy to use the Windows database if the internal database doesn't contain the user details.
    If I add a user to the internal database, the authentication goes through fine, with an entry in the 'Passed Authentications' log,
    02/24/2010,05:07:03,Authen failed,eXXXX,Network Administrators(NDG) ,X.X.X.X,(Default),Internal error,,(geting error message as INternal Error)
    I've scoured Google etc. and just cannot come up with any reason why this should be happening.
    I've followed all the install guides to the letter. I need to get this up and running as soon as possible, so am looking forward to finding out if anyone can help me with this one!
    Thanks and regards
    Sharan

    Hi  Jesse,
    That's a great answer and solution.
    My previous version was 4.2 and it was installed on a 64-bit machine, hence getting the internal error.
    After this answer I upgraded it to ACS 4.2.1 and it started working fine.
    Thanks very much for the help
    Dipu

  • Use Cisco ACS to verify MAC address for VPN User

    Question: I want to have the MAC address of a machine checked when the user is logging into VPN Client.
    For example:
    User opens VPN client-->Clicks connect-->types in User/Pass which gets passed to ACS (part of what should be sent is the MAC address)---> ACS responds with a yes/no on user/pass and whether the MAC address is right)

    Hi Pete,
    I have found out in some of my testing that if a PC does not generate any kind of traffic and is totally idle, once the MAC address table ages out it does not show its MAC until the PC generates some kind of traffic. I guess this is what you must be seeing.
    I have observed one more thing: if I connect a fully booted PC which is not generating any traffic to a switch port, it does not learn its MAC address until it generates traffic. This is what my observations are, and that is what I believe in most of the cases.
    I don't know whether that answers your question or not, but it could be something closer. I think there will be some who can put some more light on this.
    regards,
    -amit singh
