With Javier Henderson
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to install and configure the Cisco Secure Access Control System (ACS) with expert Javier Henderson.
The Cisco Secure ACS is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution.
Javier Henderson has been a customer support engineer with the Security Team, specializing in AAA technologies, since 2004. In addition to supporting Cisco customers, he has delivered training to other teams on various AAA products. Javier attended Buenos Aires University and holds CCNA and Checkpoint certifications.
Remember to use the rating system to let Javier know if you've received an adequate response.
Because of the volume expected during this event, Javier might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity, AAA, Identity and NAC, shortly after the event. This event lasts through October 18, 2013. Visit this forum often to view responses to your questions and those of other Cisco Support Community members.
Regarding your questions:
1) Can you post the AAA configuration that you're using on the router? Please redact any passwords and IP addresses.
2) By default, ACS has a RADIUS default access policy called Default Network Access, and a TACACS+ access policy called Default Device Admin. You can create additional policies, as needed.
3) Please log into the CLI and run the following command:
# show application status acs
Then post the results.
Also, what version of ACS are you running? Include patch level, please. You can get this information from the "About..." link on the GUI, or "show version" on the CLI.
I'm implementing a Cisco ACS in a multi tenant private cloud. Has anyone else done this using multiple LDAP identity stores? I need to research other work done in this area by universities, government and individuals. Can you help me with any examples?
ACS supports having multiple LDAP servers as identity stores.
Do you have specific configuration scenarios in mind that you'd care to discuss?
I found my answer, the IP address format I was using was incorrect.
I had been using 10.*.*.* or a combination of this when I should have been a bit more detailed.
I have used 10.#-#.*.* or 10.0.#-#.#-# and now that issue has been resolved.
The next issue deals with AD and some users not being able to use their passwords to access the Priv Exec portion.
Should be an easy thing to track down.
We configured AAA on the switch on the group, and we added 2 ACS on that group, and on the row we added Enable last.
So first i can see deny message on our ACS but 2 time i can go switch by my Enable password, but on second ACS on the group at the moment shut down, is that affected or ? that Enable command is allowing us to access switch any idea?
Could I see the current switch configuration, please?
In general, authentication methods are tried in the order in which they appear, until a valid response is received.
Note: access-reject is a valid response, so if the user enters an invalid username/password combination and ACS returns access-reject then no subsequent methods will be tried.
For example, consider the following configuration on a router:
aaa authentication login default group tacacs+ local
In the above case, access-reject by ACS will cause the router to reject the login. if ACS returns an error condition, or is unreachable, then the local user account configuration on the router will be used.
That error condition making some confusions ... i've tried both Drop,Reject actions on it.
line vty 0 4
password 7 121A0C041104
authorization commands 1 COMMANDS-1-AUTH
authorization commands 15 COMMANDS-15-AUTH
authorization exec EXEC-AUTH
accounting commands 1 COMMANDS-1-ACCT
accounting commands 15 COMMANDS-15-ACCT
accounting exec EXEC-ACCOUNTING
login authentication VTY-LOGIN
transport input ssh
transport output telnet ssh
and AAA config
aaa group server tacacs+ TEST
aaa authentication login VTY-LOGIN group TEST enable
aaa authentication login CONSOLE group TEST enable
and i can see deny message in ACS on our primary ACS, and second time it is allowing to access it by Enable password, so i am guessing that is why because our Secondary ACS is shutdown ... so wondering procedure is it should access both ACS in the group?
The router should try to contact both ACS serves listed in the TEST server group. If neither respods, or both respond with an error condition, then the router should try the next method on the list, which in your configuration is "enable" (ie, the enable password configured on the router).
Keep in mind that if either of the ACS servers returns a deny then the authentication process will stop at that point and reject the login attempt.
For the purpose of ACS database replication - what ports need to be open on any firewalls between primary and secondary nodes? appreciate your help on this.
The following table lists what ports are used by ACS, and for what purpose:
How are you? I'm Jackson from Westrac Australia, we use AIRONET 1300 series WIFI radios.
Logging in via hyperterminal, we are normally present with "AP>" , we've seen a couple of "Bridge:".
Could you point out to me how to go from Bridge prompt to AP prompt pls, thank you
The Bridge: prompt is from the bootloader, rather than IOS. Please refer to the wireless area of this support forum for further assistance, since this event is centered around ACS.
Another quick question, how do I configure ACS to use Windows AD credentials for administrative access to the ACS GUI?
To configure ACS to use Windows AD credentials for administrative access to the GUI once ACS has been joined to an AD domain:
1) Go to System Administration -> Administrators -> Administrative Access Control
2) Click on Identity, then for Identity Source select "AD1"
3) Click on Save Changes
4) Click on Authorization
5) Create an authorization policy with the desired criteria to grant access and grant the desired role
Complete, step by step instructions are available in the following document:
How can we integrate ACS with RSA Authentication Manager for two factor authentication.
How does the two factor authentication work in this integration scenario?
Is there any other App other than RSA, we can integrate with ACS for two factor authentication.
ACS supports the RSA product, in addition to other third party products as external user databases to provide two-factor authentication.
Details on the configuration steps can be found int he following document:
Please let me know if you have specific questions regarding ACS configuration once you had a chance to read that document.
Thank you for covering this topic. Have a question for you. What are the requirements for the AD account used to join ACS to AD?
An AD account which is required for the domain access in ACS, should have either of the following:
•Add workstations to the domain user in the corresponding domain.
•Create Computer Objects or Delete Computer Objects permission on corresponding computers container where ACS machine's account is precreated (created before joining ACS machine to the domain).
Cisco recommends that you disable the lockout policy for the ACS account and configure the AD infrastructure to send alerts to the administrator if a wrong password is used for that account. This is because, if you enter a wrong password, ACS will not create or modify its machine account when it is necessary and therefore possibly deny all authentications.
In terms of ipv6 is the platform ACS and protocols ready to receive ipv6 request, it would be very nice if we can create a simple network esenario where we can authenticate a user on 802.1x using nothing but ipv6 conectivity.
i hope my question bring more people together and we can discuss further.
thanks in advance for your answer.
My question is, in Cisco ACS 5.2 (VMWARE) if the ssh password is lost but I still have access to the web gui, can I create or change an account from there to be able to ssh into the system?
It is not possible to change the password for the shell users from the GUI.
However, you can change the password on the virtual console by booting from the virtual CD using the installation ISO image, one of the options is to reset the admin user password.