getXML('AAA5518 ncharaipotraNov 16, 2009, 1:09pm PSTIf you wanted to stand up a ACS solution in your environment, which is the better choice at this time? Is 4.2 going to be around, or is it going away for 5.x in the near future? 30 fasehbaiNov 16, 2009, 6:00pm PST4.x will be around for quite some time, but if you have the option, go to 5. Very flexible and powerful!<br /><br />FaisaldarpotterNov 17, 2009, 1:46am PSTI would urge caution.<br /><br />Carefully assess what 4.x features you need and check they are available in 5.x. <br />Not only that, but check for outstanding bugs on those features.<br /><br />If you depend on TACACS+ stick with 4.x. If you do large scale 802.1x or NAC consider 5.x<br /><br />We speak to a lot of Cisco users and 5.x does not have feature parity and hasn't reached maturity w.r.t bugs etc.jrabinowNov 17, 2009, 3:10am PSTACS 5.1 has just been released that includes many of the missing 4.x parity features. This includes TACACS+ specific features such as custom attributes, change passwords and other features such as RSA, custom VSAs etc.<br /><br />ACS 5.1 also includes a built in monitoring and trubleshooting module and the need for an additional license for these features has been dropped. eastlinkitNov 16, 2009, 11:58am PSTHello,<br /><br />I have a PIX 515E running Cisco PIX Firewall Version 6.3(5)123. I am looking to have Management users connect to the PIX with their Active Directory credentials to manage the PIX. I have been successful in configuring this for all my switches, (2950s, 2960s 3350s etc.) but it does not work with the PIX.<br /><br />Here is the AAA info I have:<br /><br />aaa-server TACACS+ protocol tacacs+ <br />aaa-server TACACS+ max-failed-attempts 3 <br />aaa-server TACACS+ deadtime 10 <br />aaa-server RADIUS protocol radius <br />aaa-server RADIUS max-failed-attempts 3 <br />aaa-server RADIUS deadtime 10 <br />aaa-server RADIUS (inside) host 172.18.1.1 mykey timeout 5<br />aaa-server LOCAL protocol local <br />aaa authentication ssh console RADIUS LOCAL<br />aaa authentication telnet console RADIUS LOCAL<br />aaa authentication serial console RADIUS LOCAL<br />aaa authentication enable console RADIUS LOCAL<br />aaa authorization command LOCAL<br /><br />Anyone have any clear documents or examples of a setup like this?<br /><br />Thanks,<br /><br />Craig dominicstalderNov 16, 2009, 12:07am PSTHi there<br /><br />is it possible to have multiple windows databases on an ACS SE? The problem is, that we need access to two differen domains, that are not trusted and have no super domain.<br /><br />Thanks a lot and best regards<br />Dominic 30 jgambhirNov 16, 2009, 8:49am PSTHi,<br /><br />We would require two way external/transitive trust between the two domains.<br /><br />There are 2 ways to work around our problem:<br /><br />1. Install another ACS at the remote site/domain and forward all the<br />requests for the users of remote domain to that ACS.<br /><br />2. Configure partner domain as LDAP on the ACS (at corp site), this should not require domain trust. The only problem we will have certain authentication methods will not be supported when using ldap.<br /><br />Here is the complete list of stuff which is supported with LDAP:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server')">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server</A>_for_windows/4.1/user/Overvw.html#wp824733<br /><br />Hope that helps!<br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts dominicstalderNov 16, 2009, 9:20am PSTHi JG<br /><br />thanks for your feedback. We now installed two more ACS' on virtual machines and forward all the domain.xx suffix requests to the remote domain.<br /><br />Regards<br />DominicjbarrettwcNov 15, 2009, 6:39am PSTI was securing my switches to allow users to login using radius and notice that I have to set the IAS server to PAP for the Cisco equipment to authenticate. Is there an alternative to this since PAP is clear text.<br /><br />[ PC ]__SSH__[Switch]___PAP___[ IAS ] 30 jgambhirNov 16, 2009, 9:17am PSTWhen using SSH to the switch for switch based authentication you need to <br />enable PAP on the Radius policy. <br /><br /><br />Telnet/SSH work on PAP only. <br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts<br />Kevin.MoralesNov 13, 2009, 9:52am PSTHello.<br /><br />In Failed Attempts report, under "Author-Failure-Code" I get "Command denied". Is there any way to record the commands that the user wanted to enter?<br /><br />Thanks!. 30jkatyalNov 13, 2009, 10:39am PSTHi kevin,<br /><br />What command are you trying to execute?<br /><br />Do you have accounting enabled on the devices? If yes, then look under the tacacs administration logs and copy the command that is not working.<br /><br />Looks like the command you are trying to execute is not allowed under the command set.<br /><br />Configuration example:<br />======================<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A><br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts-Kevin.MoralesNov 13, 2009, 12:27pm PSTThanks for your reply. I Shell Command Authorization Sets configured to only allow commands: show, ping, traceroute.<br /> <br />when a user executes a command that is not possible in the Failed Attempts report log is generated "Command denied", as I know which command the user try to run? jgambhirNov 14, 2009, 7:34am PSTKevin,<br />You should see something like this in the<br />failed attempts:<br /><br />Command denied service=shell cmd=interface FastEthernet 0 21 <cr><br /><br />By this we can see that the argument that is being sent by the switch command parser is actually 'FastEthernet 0 21'<br /><br />So user tried to execute command " interface FastEthernet 0\\21.<br /><br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful post.Kevin.MoralesNov 14, 2009, 8:39am PSTThanks for responding.<br /><br />failed in the report do not show me the Command denied . attached configuration. <br /><br />I am using <br />CiscoSecure ACS<br />Release 4.2(0) Build 124 Patch 13<br /><br />***Tacacs+ Configuration <br />aaa new-model<br />aaa authentication attempts login 1<br />aaa authentication login default group tacacs+ local<br />aaa authentication enable default group tacacs+ enable<br />aaa authorization console<br />aaa authorization config-commands<br />aaa authorization exec default group tacacs+ local<br />aaa accounting exec default start-stop group tacacs+<br />aaa accounting commands 0 default start-stop group tacacs+<br />aaa accounting commands 1 default start-stop group tacacs+<br />aaa accounting commands 15 default start-stop group tacacs+<br />aaa accounting connection default start-stop group tacacs+<br />aaa accounting system default start-stop group tacacs+<br />tacacs-server directed-request<br />tacacs-server key Presharedciscoxx<br />tacacs-server host 192.168.1.10<br />ip tacacs source-interface Loopback0 <br />aaa authorization commands 15 default group tacacs+ if-authenticated<br /><br /><b>Attachment Keywords : </b> <br />1) ACS1.JPG<br />2) ACS2.JPG<br />3) ACS3.JPG<br />ACS1.JPG123587image/jpegimage5015511/14/2014noACS2.JPG123588image/jpegimage5921111/14/2014noACS3.JPG123589image/jpegimage1598811/14/2014noKevin.MoralesNov 16, 2009, 7:01am PSTGreetings.<br />had an error in the configuration of the report, had not enabled the option Author-Date .. thanks for your help! .. vpanciscoNov 16, 2009, 2:58am PSTI succed to setup a LOCAL-CA-SERVER<br /><br />I would like to generate an Identify certificate from the LOCAL-CA-SERVER<br /><br />so i generated a CSR so as to submit from the the LOCAL-CA-SERVER<br /><br />it's possible ?? what's the way to vpanciscoNov 4, 2009, 1:10am PSTI'm trying to setup a LOCAL CA SERVER<br />for an ASA 5520.<br /><br />i'm stoppped to the authentification page<br />/+CISCOA+/enroll.html from IE7<br /><br />the server return authentication failed<br /><br />even if i use the correct user One-time Password received by mail<br /><br />Does anyone could help me ?<br /> 30vchepikovNov 11, 2009, 4:46am PSTHi,<br /><br />if you do 'debug http 255', you'll see something like that:<br /><br />HTTP: file not found: CSCOCA /enroll.html jgambhirNov 11, 2009, 10:30am PSTNot sure if you are accessing CA server or ASDM?<br /><br />One time password does not work for http connection.<br /><br /><br />Regards,<br />~JGvchepikovNov 11, 2009, 12:18pm PSTHe is accessing CA server running locally on ASA in order to enroll. But he couldn’t get authenticated against CA user database (LOCAL AAA method is used instead). That's why OTP doesn't work for him. vpanciscoNov 12, 2009, 3:01am PSTThanks for interest<br /><br /><br />So i can't get authenticated against CA user database because LOCAL AAA method is used instead<br /><br />How to set auth against CA user database ??<br /> vpanciscoNov 16, 2009, 2:17am PSTthanks for all<br /><br />i succed to enroll<br /><br />the way is enable webvpn so as to<br />query the correct data-base<br /><br /><br />regards<br />Kevin.MoralesNov 14, 2009, 10:10am PSTHello. I NDGs configured, there is a group called "GR1" with 30 switch.<br /><br />This group is set up a Shell Command Authorization set called "Monitoring", in which only show commands, ping and traceroute are allowed.<br /><br />I want to let users switch in only 10 of the group "GR 1" to configure certain interfaces and IP addresses, switch to the other not. ! Note: The number of interface is not the same for each switch, one can be FA0 / 1, but for others it may fa0/3.etc.<br /><br />I want to retain these 10 switch within the group "GR1", it is possible to make this configuration?<br /><br />- Thanks Charles_Chi4Nov 14, 2009, 12:05am PSTHi,<br /><br />I've got ACS 4.2 windows installed in domain member server n run well. I can authenticate using users in AD. I use this ACS for authenticating user for routers & switches access, VPN access and wireless access.<br /><br />The question is how could i restrict certain person for VPN acess and routers / switches access? But allowed all users in AD for wireless access? 30 jgambhirNov 14, 2009, 7:27am PSTCharles,<br />You need to set up NARs to control the device access on the group membership basis.<br /><br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml</A><br /><br />Now since we are using windows AD, we need to map AD group with specific ACS group.<br /><br />Example <br /><br />Wireless Group ACS <----> Wireless group AD<br /><br />NAR would be configured on ACS wireless group.<br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts.subashmbiNov 14, 2009, 2:24am PSTDear Team,<br /><br />I am facing a issue in RA agent installation in win2003.<br />Details:-<br /><br />1.windows 2003 server r2 service pack 2<br />2.Remote agent 4.1.4.13.16<br />3.OS 32 bit version<br /><br />Kindly advice<br /><br />Regards,<br />Subash.c 30 jgambhirNov 14, 2009, 7:21am PSTHi Subash,<br />This is a patch for release 4.1.4. Acs 4.1.4 must be installed before installing this patch.<br /><br /><br />Instructions on how to install the patch<br />========================================<br />1. Make sure for Cisco Secure ACS Agent 4.1.4.13 is installed.<br />2. Extract files NTlib.dll , CSLogAgent.exe , CSAgent.exe,CSWinAgent.exe , NAS.dll,ConsoleDLL.dll , csvLog.dll , EndPoint.dll & odbcLogger.dll from Acs-4.1.4.13.16-RA.zip<br />3. Stop Cisco Secure ACS Agent service.<br />4. Locate CiscoSecure ACS Agent\\bin and save a copy of current NTlib.dll , NAS.dll,CSAgent.exe,CSLogAgent.exe , CSWinAgent.exe & EndPoint.dll<br />5. Copy NTlib.dll , CSLogAgent.exe , CSAgent.exe,NAS.dll,CSWinAgent.exe & EndPoint.dll files extracted from zip to CiscoSecure ACS Agent\\bin<br />6. Locate CiscoSecure ACS Agent\\Support and save a copy of current ConsoleDLL.dll , csvLog.dll & odbcLogger.dll<br />7. Copy ConsoleDLL.dll , csvLog.dll & odbcLogger.dll extracted files from zip to CiscoSecure ACS Agent\\Support<br />6. Start Cisco Secure Agent Service.<br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts netadmincsmNov 13, 2009, 10:22am PSTHi all.<br /><br />I want to know if there's a way for the User-level NAR to overwrite the Group-level NAR in ACS 4.2.<br /><br />Presently both of them seems to be added to each other.<br /><br />Thank you very much for your help. 30jkatyalNov 13, 2009, 10:34am PSTHi,<br /><br />If you configure NAR on the user level, this will always take precedence over group.<br /><br />NAr white paper:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml</A><br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts- e.bayonNov 12, 2009, 9:40am PSTI´ve configured new CA in the Certification trusted list, when I go to the CRL configuring menu, and I check the "CRL in use" and I push over the "submit" label to activate it, I always receive the same message: Failed to retrieve or verify CRL. Verify the CRL Distribution URL.<br /><br />The message from de ADM.log is the next:<br />CRL: CRL: failed to find an issuer's certificate for crl C:\\Archivos de programa\\CiscoSecure ACS v4.1\\CRL\\acs1(12-11-2009@16-30-14).crl<br /><br />The CRL Distribution URL is:<A HREF="javascript:newWin('http://10.252.252.4/crl.crl')">http://10.252.252.4/crl.crl</A><br />Nevertheless, If I do a Remote terminal session to the 2K3 windows server where the Cisco ACS software is installed, and try to open an I.e. session to the same URL where the crl file is allocated, I can download perfectly.<br />This procedure needs to be OK,in order to perform a EAP-TLS session with wireless client against external LDAP data base.<br /><br />Where is my mistake?<br />Regards 30 ansalazaNov 12, 2009, 11:45am PST"Might" be hitting:<br />CSCsg61729 - ACS fails to find an issuer's certificate for CRL list uploaded from CDP <br /><br />ACS will sometimes take the CRL pointer from the root certificate, even if the CRL URL is configured to point to a different system.<br /><br />Do you already have the CA installed in ACS?<br /><br /> e.bayonNov 13, 2009, 1:33am PSTYes I have installed the certificate in ACS application (CTL) and the W2k3 server I.e content tools menu. <br />The CA is not a Microsoft Certs Server is a Autonomous server wich is istalled a software to generate certificates<br />I want to use this certificate only for EAP-TLS connections purpose, because the ACS web page is certicated with Cisco ACS self signed certificate. Could it be the problem? adhityakarthikNov 12, 2009, 10:07pm PSTI'm wondering if anyone would be willing to share their experiences in<br />creating polices and procedures for a NOC, engineering and architectural<br />group as it relates to TACACS+/privilege levels.<br /><br /><br />Adhitya lrm001c474Nov 12, 2009, 12:23pm PSTHi,<br /> Can any one provide me with a link on the Cisco website where I can download the 90-day evaluation copy of Cisco Secure ACS? I can't seem to locate it on the download page.<br /><br />Thanks. 30 ansalazaNov 12, 2009, 12:43pm PSTI think I am seen double, but here is the link for ACS 4.1 and ACS 4.2:<br /><A HREF="javascript:newWin('http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval')">http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval</A> <br /><br />:Dlrm001c474Nov 12, 2009, 11:34am PSTHi,<br /> Can any one provide me with a link on the Cisco website where I can download the 90-day evaluation copy of Cisco Secure ACS? I can't seem to locate it on the download page.<br /><br />Thanks. 30 ansalazaNov 12, 2009, 11:35am PSTACS 4.2<br /><A HREF="javascript:newWin('http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/acs/win/90-dayeval/eval-ACS-4.2.0.124-SW.zip&app=Tablebuild&status=showC2A%3E')">http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/crypto/3DES/ciscosecure/acs/win/90-dayeval/eval-ACS-4.2.0.124-SW.zip&app=Tablebuild&status=showC2A%3E</A>lrm001c474Nov 12, 2009, 11:44am PSTI'm sorry, I forgot to mention that I am looking for version 4.1. ansalazaNov 12, 2009, 11:47am PSTThat was in your initial request, but I don't think we have an Evaluation Version for ACS 4.1.<br /> jgambhirNov 12, 2009, 11:48am PSTHere is the link to download ACS eval software ver 4.1<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval')">http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-eval</A><br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts ansalazaNov 12, 2009, 11:56am PSTNice! nigelbNov 12, 2009, 6:13am PSTHi<br />I’m currently looking to migrate a customer from ACS 3.3 on a Win2K server to an Appliance.<br />The current ACS server provides AAA for approx 1000 routers/switches etc to provide authentication for interactive logon (via Novell LDAP) and scripted maintenance logon (via local DB). ACS also provides accounting for logon/configuration changes etc.<br /> Q1. Will both 5.1 and 4.2 ACS appliance engines provide these facilities (local db/ldap etc), if so then 5.1 would be the best choice?<br />Q2. Can the data (AAA clients/users etc) be exported from 3.3 and imported to 4.2 or 5.1, as ideally I want to keep the original server untouched for rollback.<br />Thanks in advance.<br /> 30jrabinowNov 12, 2009, 9:00am PSTBoth 5.1 and ACS 4.2 ACS appliance support authentication against LDAP and local DB.<br /><br />ACS 5.1 is the next generation ACS platform and provides a policy based mechanism for defining authorizations; as opposed to the user/group based mechanisms in ACS 4.2. <br /><br />To migrate the system from ACS 3.3 requires a two stage process:<br />1) upgrade to ACS 4.2<br />2) migrate data from ACS 4.2 to ACS 5.1<br />The second migration process can extract all user/device definitions from the ACS 4.2 to ACS 5.1 and then need to create the appropriate policies that define the user access<br /><br />The ACS 5.1 DVD set should include all the required software versions to perform this upgrade although I am not familiar with the specifics of upgrade of ACS 3.3 to ACS 4.2. The original 3.3 system could be kept in place and the upgrade/migration be performed on a parallel system.<br /><br />ACS 5.1 does have capability to import user/device data from a csv file and so if can get the data in this format can avoid all the upgrade/migration related activities<br /><br />Hope this helpsalvaro.mottaNov 12, 2009, 4:24am PSTFolks, greetings.<br /><br />We have a customer that needs to install a patch on his ACS-SE, but since this is a very big and productive environment, he is very concerned in doing so without testing on a lab in advance.<br /><br />As we don't have an appliance to run the tests, I was wondering if we could install an ACS-SE image onto a virtual machine (VMWare, Sun Virtual Box or MS Virtual PC).<br />Does anybody out there has any experience in trying this kind of lab?<br /><br />Thanks in advance,<br /><br />AL 30alvaro.mottaNov 12, 2009, 4:25am PSTBTW, the patch was not designed to run on ACS For Windows. That's why this is not a solution.<br /><br />Thanks,<br /><br />AL ihillOct 16, 2007, 4:01am PSTCan I use the ACS Network Device Groups to have a single ACS apliance acting as the authenticator for two Windows domains for 802.1x for a single switch?<br /><br />Hope the question makes sense but to put a little more meat on the question:<br />i have a single ACS Appliance which I am trying to use for 802.1x authentication on a switch. The issue comes as I want to have the VLAN allocation part of the set-up allocated through the ACS server dependant on checking the users against a domain account but we have two domains with no trust between them. the ACS remote agent specifically states it should not be installed on servers in different domains and that the two available agents are for resiliance only, so this unfortunatley doesn't fit.<br /><br />this is why i have ended up with looking at using multiple device groups.<br /><br />anyone any ideas if this will work or if there is another way of making this work. 30 jgambhirOct 16, 2007, 5:28am PSTHi,<br />ACS cannot "natively" authenticate to 2 different domains that don't have a trust relationship defined. If that is not possible then you need to have 2 ACS servers, one in each domain. Configure the "primary" ACS to proxy requests to the "secondary" server based on the provided domain.<br /><br />This would require a second ACS server be set up (you would likely have to pay an additional fee for the second ACS server). You would want to configure a proxy distribution table . This would require user explicitly provide the domain name with their user name.<br /><br /><br />Regards,<br />~JG<br /><br />Please rate helpful posts dominicstalderNov 12, 2009, 2:24am PSTBut this means that, for 2 domain and ACS redundancy, I would need 4 ACS appliances?<br /><br />Because if one ACS goes down, the proxy function won't work anymore.Kevin.MoralesNov 10, 2009, 10:02am PSTI set a Catalyst 2950 switch to the console port authentication is THROUGH the ACS, in case of failure to use the local user base, works well.<br /><br /> <br />the problem is with a 2950-XL switch, which does not support the command aaa authorization console, I can do?<br /><br />the configuration is:<br /><br />username admin privilege 15 password 0 123456<br /><br />aaa authentication login default group tacacs+ local<br />aaa authentication login CONSOLE local<br />aaa authorization config-commands<br />aaa authorization exec default group tacacs+ local<br />aaa authorization exec CONSOLE local<br />aaa authorization commands 0 default group tacacs+ if-authenticated<br />aaa authorization commands 1 default group tacacs+ if-authenticated<br />aaa authorization commands 15 default group tacacs+ if-authenticated<br />aaa accounting exec default start-stop group tacacs+<br />aaa accounting commands 0 default start-stop group tacacs+<br />aaa accounting commands 15 default start-stop group tacacs+<br />aaa accounting connection default start-stop group tacacs+<br />aaa accounting system default start-stop group tacacs+<br /><br />line con 0<br /> authorization exec CONSOLE<br /> login authentication CONSOLE<br /><br />i try to access the switch:<br /><br />Username: admin<br />Password: ******<br /><br />SWAdmin5>en<br />Password: <br />% Access denied<br /><br />SWAdmin5><br /><br />suggestions friends " 30 jgambhirNov 11, 2009, 12:38pm PSTI guess you have 2900XL switch. CAT 2950 do support this command.<br /><br />The problem is that the XL switches do not support this command.<br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts<br /><br /> xayavongpNov 11, 2009, 8:21am PSTI am trying to implement Radius (using ACS v3.2) on Secure Computing's Sidewinder G2. It appears I need a VSA (vendor specific attribute) to make it work properly. I have tried it with Radius (IETF) but no luck. Any suggestions on how I might go about this ? Or is this even possible ? 30 jgambhirNov 11, 2009, 10:24am PSTIf G2 Sidewinder firewall vendor has/require vendor specific attributes to be sent by authentication server, then we would require the VSA definition from the vendor.<br /><br /><br />On the other hand I have seen it working (basic authentication)with Radius IETF.<br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts<br /><br />jozef.cmorejNov 6, 2009, 3:21am PSTHi,<br /><br />I need an advice about ACS's replication. I have 2 independent ACSs, The first one ACS1 is for routers/switches, remote VPN and some servers using MS-CHAP v1/2, EAP-TLS and PEAP-GTC. The second one ACS2 is only for Wifi APs using EAP-TLS and PEAP-GTC.<br />I'd like to make a replication between them. As I read, the one should be a primary ACS and the other one should be as secondary ACS.<br />If I understood well I should move Wifi authentication to ACS1 and authenticate all devices (routes/switches/VPN/wifi) to this ACS1 (with all methods MS-CHAP v1/2, EAP-TLS and PEAP-GTC) as primary. ACS2 will be as secondary ACS2 with the same configuration (routes/switches/VPN/wifi) but authenticates them only in case of its failure. 30jkatyalNov 6, 2009, 5:19am PSTHi,<br /><br />This is actually a right practice. I would also suggest you to let primary ACS authenticate all kind of session including Wi-Fi and use secondary ACS as a standby.<br /><br />ABOUT DB REPLICATION<br />====================<br /><br />Database replication creates mirror systems of ACSs by duplicating parts of the primary ACS setup to one or more secondary ACSs. You can configure your AAA clients to use these secondary ACSs if the primary ACS fails or is unreachable. With a secondary ACS whose ACS internal database is a replica of the ACS internal database on the primary ACS, if the primary ACS goes out of service, incoming requests are authenticated without network downtime, provided that your AAA clients are configured to fail over to the secondary ACS.<br /><br />I am sending you one link for Setting Up Replication for Cisco Secure ACS, I am sure this example with screen shots gives you better understanding.<br /><br />Please visit the below suggested ULR:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00800e518a.shtml</A><br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts-jozef.cmorejNov 11, 2009, 1:25am PSTHi,<br /><br />thanks for reply. I have another issue. Lets imagine I have done replication described above. Can I set up specific authetication methods for particular AAA client. If yes, where?<br />Because I guess, it's possible only in global mode for all AAA clients through "System Configuration > Global Authentication Setup".<br />jozef.cmorejNov 11, 2009, 4:12am PSTI've found "Network Access Profiles" which could probably figure out my issue. I would create particular profiles for separate bundle of AAA clients (wifi vs VPN, routers) and assign them their authentication methods.<br />And important information - I'm using ACS v4.1.<br />Am I right? jgambhirNov 11, 2009, 10:18am PSTYes, you need to use NAP feature inorder to achieve it.<br /><br /><br />Regards,<br />~JG<br /><br /><br />Do rate helpful posts mshahzad@hotmail.comNov 10, 2009, 5:29pm PSTI have to define the following IPSO-specific service in your TACACS+ server:<br />service = nokia-ipso {<br />Nokia-IPSO-User-Role = "role_name_on_IPSO"<br />Nokia-IPSO-SuperUser-Access = <0|1><br />}<br /><br />How can I do it? 30darpotterNov 11, 2009, 3:21am PSTTo add a custom service to ACS...<br /><br />Goto "Interface Configuration" then "TACACS+ (Cisco IOS)" and in the "New Services" section enter your new service "nokia-ipso" plus tick the user & group checkboxes. You might need to add "ip" as the protocol depending on what the actual T+ requests look like.<br /><br />When you next edit a user or group you'll see a new TACACS+ service into which you can enter your custom attributes:<br /><br />Nokia-IPSO-User-Role=role_name_on_IPSO<br />Nokia-IPSO-SuperUser-Access=<0|1><br /><br />Note that only very basic syntax checks are applied, basically as long as eahc line has somehing=something ACS will not complain, so its up to you to make sure the values are correct. mbohlerNov 10, 2009, 11:31am PSTI am have problems setting up the Cisco ACS server with PEAP-MACHAPv2. Does any one have a step by step guide to help with this issue.. 30jrabinowNov 10, 2009, 12:34pm PSTI do not have a step by step guide to hand. A few things that come to mind are<br />1) Define netwrok device<br />2) Set allowed protocols in service definition and select identity store<br />3) Install server certificate<br /><br />One good way to trouble shoot such issues is to Monitoring & Reports: > Reports > Catalog > AAA Protocol <br />and then select "RADIUS_Authentication"<br /><br />You will see pass/fail records. For each fail record see failure reason. Also select magnifying glass icon under "Details" and will get step-by-step details so that should see step where processing was stopped and failure returned. Will give input to see what configuration is missing<br />Kevin.MoralesNov 10, 2009, 8:21am PSTI am running the ACS and all this good, I delete a AAA client of the ACS, try logging in again and let myself go! .. I had to restart the service CSTacacs to not allow access to the AAA client is well removed ..this is correct? or is there some way to correct this? .. Thanks! 30 jgambhirNov 10, 2009, 8:32am PSTYes, when ever you make any changes it is recommend to reload the services.<br /><br />Use Delete+Restart option instead of Delete.<br /><br />Incase Delete+Restart does not makes any difference then try updating Java or try with different browser.<br /><br />Regards,<br />~JG<br /><br />Do rate helpful postsKevin.MoralesNov 10, 2009, 8:51am PSTI change the IP to the Client AAA, and restart the service CSTacacs and will not let me login with the user.. jgambhirNov 10, 2009, 10:40am PSTPlease provide more details...you are not able to login to that aaa-client or acs itself?<br /><br />Kevin.MoralesNov 10, 2009, 11:05am PSTif you change the IP to the AAA client, this lets me log into the user configured in ACS. I have to restart the service CSTacacs not let me log into the user of ACS and local users can use the router.webbcoreyNov 10, 2009, 10:36am PSTHow do I stop an FTP upgrade if it is pointed to an incorrect FTP location. 30jrabinowNov 10, 2009, 10:54am PSTWas this operation done from the GUI? If so I think can go to: <br />System Administration > Operations > Distributed System Management > Edit: "hostname"<br />If a software update is in progress for this server should see a "cancel software update" buttonwebbcoreyNov 10, 2009, 10:55am PSTThank you this has solved my issue!jrabinowNov 10, 2009, 11:00am PSTPerfect. Can you mark the thread accordingly? jason.williams@lowes.comNov 10, 2009, 8:17am PSTI'm trying to set up an authorization set to restrict users to certain commands. However, it seems like it works for some commands, but not for others.<br /><br />In ENABLE mode, the auth set seems to work properly. However, once I get into CONFIG mode, it no longer works. I can run any command.<br /><br />What am I missing that could be causing this?<br /><br />Also, note that I have this auth set assigned to a group.<br /><br />Thanks.<br /><br />Jason 30 jgambhirNov 10, 2009, 8:23am PSTIt seems that you are missing this command,<br /><br />aaa authorization config-command<br /><br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts jason.williams@lowes.comNov 10, 2009, 8:43am PSTThat might be it, the command isn't there.<br /><br />I'll try it and let you know if that was it.<br /><br />Thanks.<br /><br />Jason jason.williams@lowes.comNov 10, 2009, 10:37am PSTAdding <br /><br />aaa authorization config-command <br /><br />worked.<br /><br />However, I've got another issue (I think).<br /><br />Other groups have "none" selected for the auth sets. When I log in as a user in one of those groups, I get an access denied error when I enter ANY command.<br /><br />The only way that I've been able to work around this is to set the group to use group based command sets and permit everything.<br /><br />Is there something else that I missed or is this necessary?<br /><br />Here are my current AAA settings:<br /><br />aaa new-model<br />aaa authentication login default group tacacs+ local<br />aaa authentication login no_tacacs local<br />aaa authentication enable default group tacacs+ enable<br />aaa authorization exec default group tacacs+ none<br />aaa authorization exec no_tacacs none<br />aaa authorization config-command<br />aaa authorization commands 0 default group tacacs+ if-authenticated<br />aaa authorization commands 1 default group tacacs+ if-authenticated<br />aaa authorization commands 15 default group tacacs+ if-authenticated<br />aaa accounting exec default start-stop group tacacs+<br />aaa accounting commands 15 default start-stop group tacacs+<br />aaa accounting system default start-stop group tacacs+<br /><br />Thanks.<br /><br />Jason<br /><br /> jgambhirNov 10, 2009, 10:45am PSTExpected behavior, since we have seleted none in the authorization set...that is = no access.<br /><br />You need to make a new set for limited group allowing certain commmands.<br /><br />Check this link,<br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml</A><br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts joao@multisuporte.com.brNov 10, 2009, 9:26am PSTHi<br />I change my Radius from MS IAS to MS NPS. The wired 802.1x works fine but the wireless 802.1x doesent work. AP1250's radius debug is attached. <br />Obs: On IAS everything works fine<br /><br /><b>Attachment Keywords : </b> <br />1) DebugRadius.txt<br /> DebugRadius.txt123424text/plaintext1493411/10/2014no david.knetNov 10, 2009, 3:48am PSTHi all,<br /><br />I was reading a lot documentation and testing a lot of scenarios but i can not set template configuration from RADIUS…<br /><br />This it my configuration,<br /><br />aaa new-model<br />!<br />!<br />aaa authentication login admin local<br />aaa authentication ppp default local group radius<br />aaa authorization template<br />aaa authorization network default group radius local<br />aaa accounting delay-start<br />aaa accounting update newinfo<br />aaa accounting network default start-stop group radius<br />!<br />!<br />bba-group pppoe pruebavrf<br /> virtual-template 33<br /> sessions per-mac limit 48<br /> sessions per-vlan limit 1400<br />!<br />interface Loopback10<br />ip address 192.168.44.1 255.255.255.0<br />!<br />interface FastEthernet0/0.8<br /> description PRUEBAS<br /> encapsulation dot1Q 8<br />pppoe enable group pruebavrf<br />!<br />interface Virtual-Template33<br /> no ip address<br /> no ip redirects<br /> no ip unreachables<br /> ip mtu 1480<br /> ip tcp adjust-mss 1400<br /> peer default ip address pool pool_local<br /> ppp authentication pap chap<br />!<br />radius-server attribute 44 extend-with-addr<br />radius-server attribute 8 include-in-access-req<br />radius-server attribute nas-port format d<br />radius-server configure-nas<br />radius-server host X.X.X.X auth-port 1812 acct-port 1813 key xxxx<br />radius-server retransmit 2<br />radius-server timeout 6<br />radius-server vsa send accounting<br />radius-server vsa send authentication<br /><br />ip local pool pool_local x.x.x.x<br /><br />And this is RADIUS configuration<br /><br />testvdsl@knetip Auth-Type := local, User-Password == "xxxx"<br /> Service-Type = Framed-User,<br /> cisco-avpair += "template:ip-unnumbered=Loopback 10",<br /> Framed-Protocol = PPP<br /><br />I think that with this configuration virtual-access would be take the ip of Loopback 10 as unnumbered but doesn’t work.<br /><br />Router#sh int Vi2.1<br />Virtual-Access2.1 is up, line protocol is up<br /> Hardware is Virtual Access interface<br /> MTU 1492 bytes, BW 100000 Kbit/sec, DLY 100000 usec,<br /> reliability 255/255, txload 1/255, rxload 1/255<br /> Encapsulation PPP, LCP Open<br /> PPPoE vaccess, cloned from Virtual-Template33<br /> Vaccess status 0x0<br /> Keepalive set (10 sec)<br /> 128 packets input, 1803 bytes<br /> 128 packets output, 1799 bytes<br /> Last clearing of "show interface" counters never<br /><br />This is the RADIUS debug,<br /><br />.Nov 10 12:38:42: RADIUS(000E4E19): Send Access-Request to x.x.x.x:1812 id 1645/79, len 135<br />.Nov 10 12:38:42: RADIUS: authenticator 3C 22 8C 1E AE 21 20 82 - B9 58 57 E3 16 6D C9 8B<br />.Nov 10 12:38:42: RADIUS: Vendor, Cisco [26] 41<br />.Nov 10 12:38:42: RADIUS: Cisco AVpair [1] 35 "client-mac-address=xxxx"<br />.Nov 10 12:38:42: RADIUS: Framed-Protocol [7] 6 PPP [1]<br />.Nov 10 12:38:42: RADIUS: User-Name [1] 17 "testvdsl@knetip"<br />.Nov 10 12:38:42: RADIUS: User-Password [2] 18 *<br />.Nov 10 12:38:42: RADIUS: NAS-Port-Type [61] 6 Ethernet [15]<br />.Nov 10 12:38:42: RADIUS: NAS-Port [5] 6 8<br />.Nov 10 12:38:42: RADIUS: NAS-Port-Id [87] 9 "0/0/0/8"<br />.Nov 10 12:38:42: RADIUS: Service-Type [6] 6 Framed [2]<br />.Nov 10 12:38:42: RADIUS: NAS-IP-Address [4] 6 x.x.x.x<br />.Nov 10 12:38:42: RADIUS: Received from id 1645/79 x.x.x.x:1812, Access-Accept, len 74<br />.Nov 10 12:38:42: RADIUS: authenticator E5 D8 63 D4 D5 EE EC C8 - F7 BB 4A B9 6A C8 60 F6<br />.Nov 10 12:38:42: RADIUS: Service-Type [6] 6 Framed [2]<br />.Nov 10 12:38:42: RADIUS: Vendor, Cisco [26] 42<br />.Nov 10 12:38:42: RADIUS: Cisco AVpair [1] 36 "template:ip-unnumbered=Loopback 10"<br />.Nov 10 12:38:42: RADIUS: Framed-Protocol [7] 6 PPP [1]<br />.Nov 10 12:38:42: RADIUS(000E4E19): Received from id 1645/79<br /><br />Somebody can help me?<br /><br />Thank you in advance.<br /> joe.marcelo9Nov 9, 2009, 9:41pm PSTHello<br />I have ACS 4.0 authentication through external database Windows Active Directory. I want only support group created on ACS to have access rights to AAA client [Routers,Firewall,Switches] for telnet & SSH all members of other group should be denied.<br /><br />Groups are created.<br />AAA members are added to ACS<br />but restricting to specific group not working 30darpotterNov 10, 2009, 1:30am PSTAssuming you've confirmed that T+ authentications are actually been sent to your ACS, then it should be just a case of adding Windows group mappings:<br /><br />Support -> ACS Support Group<br />Default -> NO ACCESS<br /><br />Group mapping is applied after AD authentication, so even if correct credentials are supplied the user will be mapped to NO ACCESS (ie rejected) if they are not a member of the correct AD group. dgentonOct 23, 2009, 8:30am PSTUsing 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??<br />thanks in advance,<br />dave 30 jgambhirOct 23, 2009, 8:44am PSTYou can set it up using NAR in ACS.<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml')">http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a0080858d3c.shtml</A> <br /><br />Regards,<br />~JG<br /><br />Do rate helpful posts dgentonOct 23, 2009, 8:49am PSTI looked at that, but isn't that just simply "network restriction" I want them to be able to login to all voice routers and execute the "allowed" commands we have listed, but if they login to a data only router, to get denied access altogether, make sense ?jkatyalOct 23, 2009, 9:02am PSTHi,<br /><br />Just checked your reply. <br /><br />Well, you need to go bit tricky, looks like that you have data and voice routers and you want no access to data routers and restricted access to voice routers.<br /><br />Check this::<br /><br />Create two NDG's one for voice routers and other for data router's.<br /><br />Go to the group > apply NAR on data routers with action as denied. If we are getting anything apart from valid ip address than you have to use CLI/DNIS based NAR.<br /><br />since you have command set created with specific commands > on the same group > scroll down to the Shell Command Authorization Set<br /><br />Assign a Shell Command Authorization Set on a per Network Device Group Basis<br />Here you can map VOICE router's NDG with respective command authorization set.<br /><br />So this way we can denied access to data routers and restricted access to voice router's.<br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts-<br /><br /><br />jkatyalOct 23, 2009, 8:50am PSTHi,<br /><br />Why don't you use NAR (Network access restriction)<br /><br />Under the network config > simply create one NDG and assign all the voice router under it.<br /><br />After that go to the group/user where you want to put this restriction<br /><br />You need to check that what are we getting in calling station id. If we are getting ip address then <br /><br />[1] To accomplish above we would configure the group with following <br />NAR (network access restriction)<br /><br />Define IP based Network Access Restriction<br />Permitted Calling Point<br />AAA client: VOICE NDG created <br />Port *<br />Src IP Address *<br /><br />Subit the changes and try.<br /><br />Here is more on configuring Network Access Restriction:<br /><br /><A HREF="javascript:newWin('http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4')">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4</A>.<br />2/user/guide/GrpMgt.html#wp478900<br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts-<br /> dgentonOct 23, 2009, 8:53am PSTThanks I will give that a shot, that's what was hanging me up on the NAR was that it showed CLID/DNIS but they are local telnet users... kwillaceyNov 9, 2009, 12:32pm PSTWhat do the stars mean, is it a wild card?<br /><br />If I select deny access and all AAA clients and apply it to a group. Does that mean that they will not have access to the AAA client? ie they will not be able to authenticate and log on to a router. jgambhirNov 9, 2009, 12:45pm PSTYes it is a wild card.<br /><br />Yes, if condition is deny for all aaa-client then that group will not have access to all clients.<br /><br />Access denied.<br /><br /><br />Regards,<br />~JG<br /><br />Do rate helpful postsjkatyalNov 9, 2009, 12:49pm PSTHi Kelvin,<br /><br />You got it right. * means wildcard and if we use (*) for port and source address then it would assume any port/address.<br /><br />If you use action as deny for all aaa client then users of that group in ACS will not able to access any device.<br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts- kwillaceyNov 9, 2009, 12:54pm PSTOK thanks that's what I was hoping. One more question, if I have remote access VPN on an ASA and authentication is provided via the ACS and I add the NAR as I described earlier would those users in the group still be able to authenticate?jkatyalNov 9, 2009, 1:50pm PSTHi kelvin,<br /><br />They will be able to connect if you are using ASA for VPN using radius protocol.<br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts- kwillaceyNov 9, 2009, 1:54pm PSTI am guessing if it is using TACACS then it is going to be a problem, am i right?jkatyalNov 9, 2009, 1:58pm PSTKelvin,<br /><br />You are correct. If we are using tacacs for both the sessions then this would not work because rem_address would be same and that will not allow the vpn users because NAR is there.<br /><br />HTH<br /><br />JK<br /><br />Plz rate helpful posts- kwillaceyNov 9, 2009, 2:01pm PSTACS 3.2 does not have device groups so I cannot separate the devices.... thanks a lot I'm gonna have to think about it some more.')