WCS 7.0 with ACS 5.1

Similar Messages

• Integrating WCS 7.0 with ACS 5.1

  Has anybody got any experience with trying the config as depicted in the WCS 7 config guide?
  I have tried today to integrate WCS 7 with ACS 5.1 and got a partial success.  I have created a unique Shell Profile that invokes for the WCS only which contains 1 role (role0=Root) and 73 task entries (as copied from the WCS group pages) and I can log in to WCS with the new account, but some things I dont appear to have priviledges for, such as Reports.  Is there any way to debug which task WCS thinks I dont have to do this?  Any other ideas?

  Turned on trace in WCS and saw info like this: (abreviated)
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task14 = View Alerts and Events
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task51 = Performance Reports
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task15 = Email Notification
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task50 = Device Reports                is not a valid task
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task53 = Network Summary Reports
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task16 = Delete and Clear Alerts
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task48 = Mesh Reports
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] rejecting task: task47 = Config Audit Dashboard    is not a valid task
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task42 = Monitor Chokepoints
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task41 = Monitor Security
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task40 = Monitor Tags
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task46 = RRM Dashboard
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task45 = Monitor Interferers
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task44 = Monitor Spectrum Experts
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding task: task43 = Monitor WiFi TDOA Receivers
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] adding role: role0 = Root
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Disconnecting from authorization socket  - From Server:  10.9.2.253  - For User:  acstest
  01/06/11 15:11:37.847 TRACE [general] [TP-Processor3] [TACACS+ AAAModule] Total permissions for user acstest : tasks  68 : roles  1 : virtual-domains  0
  all i did was copy and paste in all tasks from the WCS export list???

• Cisco WCS 7.x TACACS+ with ACS 5.2

  Ok, so I took my bday off today so I could stay home and setup my lab for ie v2 and have the birthday wish of 'leave daddy alone for awhile' come true.  Here we are at 7:00pm and everything is flowing good including my blue moons and I decided to get tacacs working on an eval version of acs 5.2 per the ie list of lab equipment. frack me.  Instead of walking away and coming back later and going 'doh!', I'm going to whine instead....
  So I'm trying to get WCS to work with TACACS per this document:
  http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html#wp1191980
  However, after having to enter EVERY SINGLE TASK, once you get down to:
  Creating Service Selection Rules for TACACS
  To create service selection rules for TACACS, perform the following steps:
  Step 1 Choose Access Policies > Access Services > Service Selection Rules.
  Step 2 Click Create.
  Step 3 Select the protocol as TACACS and Service as Default Device Admin (see Figure 18-49).
  I'm alittle confused as to where it wants me to do click 'Create' at.  I of course did the 'hunt and peck' method and the only place I see where there is a 'create' buttong is under
  Access Policies >
  Access Services >
  Default Device Admin >
  Authorization
  but it's grayed out.  Someone wanna tell me what the crap.. and really, why 5.2 cisco.. why.

  Yeah, I've heard that, but in trying to stick with the IE list of used equipment/software I'm going for 5.2.  I've learned it's best to stick with the list so that you are not only familliar with that exact software, but that exact versions 'issues' as well.  No panic in the lab from ACS going NO NO NO, NOT IN MY HOUSE.

• Using Multiple AD domains with ACS

  Hi,
  Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location but the users will be from different domains and I was hoping to use a single applicance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
  In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
  Thanks in advance
  Jason

  Hi Javier,
  I understand that ACS can only join a single AD domain - but can it use LDAP to authenticate users from different AD domains - I don't want to have to established trusts between different domains.
  Kind regards
  Jason

• LMS 3.2 integration with ACS 5.1

  Hi
  Is it
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;
  mso-fareast-language:EN-US;}
  possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
  Here is a link to how to do it with ACS 4.X:
  http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
  Regards
  Reidar

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately .......

• Dynamic Vlan Assigment on 2950 with acs 4.2

  Hello to everyone
  We have a problem with Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic Vlan assignment based on groups
  On the ACS we configured the following attributes for the specific group
  64 = VLAN
  65 = 802
  81 = VLAN Name
  We tried for the 81 attribute both Vlan name and Vlan ID but we get the same results
  In detail, we need the machine to be placed on Vlan ID 6 named vlan_sio so we inserted these value in the attribute field
  Before we configured the switch to speak with ACS:
  aaa new-model
  aaa group server radius Switch
                                 server 172.16.0.93 auth-port 1812 acct-port 1813
  dot1x system-auth-control
                  radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
  radius-server retransmit 3
  Configured the ports for the use of dot1.x.
  switchport mode access
                 dot1x port-control auto
                 dot1x guest-vlan 7
                 spanning-tree portfast
  The users are correctly authenticated but the ports are always connected to the default Vlan of the ports
  We tried to debug with the debug dot1.x events command and we get the following errors:
  Feb 16 12:00:04.017:         Attribute 64 6 0100000D
  Feb 16 12:00:04.017:         Attribute 65 6 01000006
  Feb 16 12:00:04.017:         Attribute 81 4 01360806
  Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
  Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
  Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
  Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
  Does anyone know what we could have missed?
  Thank’s

  solved
  It was just missing the command
  aaa authorization network default group XXXX

• EAP-TLS authentication with ACS 5.2

  Hi all,
  I have question on EAP-TLS with ACS 5.2.
  If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
  Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
  If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
  And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
  And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
  Hope you guys can help on this. THanks.

  Yes, you can configure:
  machine authentication only
  user authentication only
  Machine and user authentication.
  Machine or user authentication
  So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
  PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
  host/computer.domain
  If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
  Regards,
  Jatin

• WLC 4402-50 with ACS 3.3

  Hi,
  We want to use ACS to authenticate an ssh or http connection to a WLC 4403-50 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in although we do see a successful login in the Passed Authentications report withing ACS.
  Is there an incompatability between the WLC 4402-50 with ACS 3.3?
  thanks
  Bob

  The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
  It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

• MARS 5.2.7 integration with ACS 4.1

  Hello
  I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
  Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
  Thank you really much
  Best regards Antonello.

  HI ,
  LMS 4.0 no longer integrates with ACS the way that LMS 3.x did.  You  can still use ACS for authentication in LMS 4.0, but for authorization,  each user must have a local account in LMS, and the roles will be  assigned using LMS 4.0's new RBAC.  Users are defined under Admin >  System > User Management > Local User Setup, and roles are defined  under Admin > System > User Management > Role Management  Setup.
  By default, if a user does not have an account in LMS, they will receive the Help Desk role
  Please check the below link:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
  Thanks-
  Afroz
  [Do rate the useful post]

• 802.1x with ACS and Windows AD

  Hi
  Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
  I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
  Marco

  Hi Marco,
  i guess you've missed a mapping configuration in the Access Policy Section.
  Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
  You'll see the new service click Identity.
  Select the identity source you've created then save.
  Click on authorization
  Select a default authorization rule permit access and save.
  Create a Service Access Rule name it 802.1x
  Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
  then you can try again.
  regards
  alex

• 802.1x and Windows Domain Controller with ACS

  Wow, I am having a tough time getting my ACS and the Domain controller to work with 802.1x PEAP. Can somebody explane to me how to set up the domain controller (Active directry) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x how does my computer get a cert. from the CA if the port is disabled by 802.1x? And How do I set up my domain controller to work with ACS to authenticate users. I have been beating my self to death to figure this out. Any help would be ausome. I am really stuck on trying to make this work.
  Thanks a ton in advance
  Justin

  I as a Cisco customer would like to see answers to our questions based on some real world experience or something you've noticed in a lab environment.
  By simply posting links is not very helpful. The reason most of us come to this site and post our questions, is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our question, intead of referring us to a link.
  Thank you,
  John...

• LMS PRIME 4.2 integrating with ACS 4.2

  Hello,
  i would like to integrate new lms prime 4.2 with acs.4.2 . .. !!
  is there document or user guide for this version of lms?
  Thanks in advance.
  Marwan

  IN LMS 4.2 there is nothing which is known as Integration (like LMS 3.x), since it added feature RBAC.
  Now ACS can just be used as PAM to have ciscoworks authenticated for Tacacs+ or Radius. After the auth is done, you should have a authorization set in LMS locally for user, else it will be given a default HELP DESK access.
  For more details check :
  Authentication Using Login Modules - Overview
  -Thanks

• EAP-TLS match on custom EKU with ACS 5.5

  Hi,
  is there any possibility to match on a custom EKU with ACS 5.5?
  I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.
  I know that it's possible with Microsoft NPS but I would prefer a solution with ACS. But in ACS the ceritifcate dictionary contains only a few attributes i.e. common name, issuer, subject, but not the Enhanced Key Usage  (EKU).
  Any suggestions?
  Thanks,
  Werner

  Object Identifier Check for EAP-TLS Authentication
  ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.
  When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.
  To enable OID comparison you must:
  •Enable EAP-TLS from the NAP page.
  •Enter only contain numbers, dots, commas and spaces in the OID strings, for example: 1.3.6.1.5.5.7.3.2 is a valid OID string.
  •Enter multiple OIDs as comma-separated values. For example: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 is a valid string.

• Cisco Works LMS R3.1 with ACS R5.1

  I search on internet about the AAA integration between LMS R3.1 y ACS R5.1, and all the information that I found it's related to ACS R4.1. It's possible to integrate with ACS R5.1.
  Regards and thanks in advanced
  Luis Martinez

  Nael,
  Sorry to batter you, but I was trying to migrate my Cisco Works LMS R3.1 to R3.2 and from the support page of CISCO I just can donwload the following version LMS R3.2.1 (LMS R3.2 service pack 1). I tried to install that version but i got an error that saids "LMS R3.2.1 needs LMS R3.2 installed on the server"
  Could you please tell me where can I download the complete and initial LMS R3.2.
  Thanks in advanced for your kindly help.
  Luis Martinez

• Ciscoworks 3.2 login issue with ACS

  Hi All,
  I am facing an issue with login into Ciscoworks portal from the LMS server, which is integrated with ACS tool.
  Now I am unable to login to the portal with the username and password, which is already configured in the ACS server.
  I have ended up with reinstalling the ciscoworks software and restored the backup, still problem persists. Please let me know how to fix it.
  If I again reinstall it, how would I restore the backup - since back restoration again gives the login issue.
  If Im using only the dcrcli exported devices list after the reinstallation, all the devices gets stuck in DFM question status, hence I restored the proper backup. Now I am stuckup. please help.

  You need to sort out your DNS get the lookup and reverse lookup working.
  Say your device is a box with
  Fa 0/0 10.10.1.1
  Lo 0    172.32.1.1
  If you get you dns to resolve the address of port Fa 0/0  (10.10.1.1)  to the DNS "name adevice.yournetwork.com".
  Next you get your DNS to resolve the name "adevice.yournetwork.com" to 172.32.1.1 with happens to be to Lo0 interface of the device
  Then you can get LMS to use the address you want as it is configured in DNS
  Cheers,
  Michel