what is the use of status field in ACS 5.3

kerim mohammed
Level 3

Users whose status is manually disabled do not have difficulty in authenticating and accessing/managing network devices. That makes me wonder what is the difference between status enabled and disabled?

Thanks,

Kerim


Hi JG,

Thanks for the detailed reply, just one more question. We are using CVPN3000. I tried to create a pool on this device but there is no field for pool name, which is an important variable. I am supposed to invoke this pool name on ACS 5.3 to create the network access profile. The CVPN3000 takes input for start address, end address and mask; no field for pool name. Am I missing something?

Thanks,

Kerim

Is there a way to use an IP address range as an attribute as opposed to a pool name?

Hi Kerim,
Unfortunately the VPN 3000 does not have a concept of a named address pool as is available on the
other platforms.

No, there is no option to push an IP range instead of a pool name.

My bad, I should have told you yesterday itself.

Regards,
~JG

Hi,

Currently I am using the dictionary RADIUS-Cisco and am using Cisco-av-pair to set privilege level 15 in my network authorization profile. Can this be applied to any RADIUS client, I mean any vendor? We have Juniper, APC UPS, Netscreen... or should I select a different dictionary for different vendors? Please let me know at your earliest.

Thanks,

Kerim

Hi Kerim,

Cisco av-pair is used for Cisco devices only. For other 3rd party devices, a separate attribute is required to be pushed by the RADIUS server.

These attributes have to be added under ACS 5 GUI > System Administration => Configuration => Dictionaries => Protocols => RADIUS => RADIUS VSA

Then in Authorization Profiles under Policy Elements => Authorizations => Network access => Authorization profiles, we need to call it.

Here is the VSA for netscreen.


Name=Netscreen

IETF Code=3224

VSA 1=NS-Admin-Privilege

VSA 2=NS-Admin-Vsys-Name

VSA 3=NS-User-Group

VSA 4=NS-Primary-DNS-Server

VSA 5=NS-Secondary-DNS-Server

VSA 6=NS-Primary-WINS-Server

VSA 7=NS-Secondary-WINS-Server

Regards,

~JG

Do rate helpful posts

Here is the APC VSA that needs to be added,

=====================================
[User Defined Vendor]
 
Name=APC Devices
IETF Code=318
 
VSA 1=APC-Service-Type
 
[APC-Service-Type]
Type=INTEGER
Profile=OUT
Enums=APC-Auth-Type
 
[APC-Auth-Type]
1=Admin
2=Device
3=ReadOnly 



Regards,
~JG

Do rate helpful posts

I am assuming the VSA for APC-Auth-Type to be 2 and Profile=BOTH and Type=Enumeration. The other thing, in case of Juniper, what attribute should I pick and what should be the value for this attribute if I want to give admin privilege (level 15)?

thanks,

Kerim

Hi Kerim,

Attribute Value Pairs for Juniper. 

VALUE NS-Admin-Privilege       ROOT         1

VALUE NS-Admin-Privilege       READ_WRITE   2

VALUE NS-Admin-Privilege       VSYS_ADMIN   3

VALUE NS-Admin-Privilege       READ_ONLY    4

VALUE NS-Admin-Privilege       VSYS_READ_ONLY   5


Regards,
~JG

Thanks JG,

I couldn't get the APC VSA working for me. Attached is the screenshot of the APC authorization profile. The problem I am facing is, it just tries authenticating twice against RSA. As you know RSA is one-time authentication and fails. Don't know why it tries authenticating twice? Am I missing something?

Hi,

Add APC UPS
System Administration > Configuration > Dictionaries > Protocols > 

RADIUS > RADIUS VSA, 
click Create
Enter the Name: APC 
Vendor ID: 318
click Submit

Go to System Administration > Configuration > Dictionaries > 

Protocols > RADIUS > RADIUS VSA > APC (or from the Vendor Specific Dictionary Page, check the box 
next to APC and click Show Vendor Attributes), click Create and enter the following values

Attribute: APC-Service-Type
Vendor Attribute ID: 1
Direction: BOTH
Multiple Allowed: True
Attribute Type: Unsigned Integer 32
click Submit

Go to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, click Create
under the General tab enter a Name for the Profile: APC_UPS_RADIUS_AUTH
Then under the RADIUS Attributes tab, select RADIUS-APC from the Dictionary Type drop down list
Select RADIUS Attribute as APC-Service-Type
enter the Attribute Value as Static with value 1 (to get Admin user privilege)
click Add^ to Manually Enter the Attribute
click Submit.

Hope that helps!

Regards,
~JG


Do rate helpful posts
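As an added illustration (not code from this thread or from Cisco ACS), the following Python parses the ini-style APC dictionary JG posted earlier and shows the RFC 2865 Vendor-Specific attribute (type 26) that a RADIUS server emits when an authorization profile sets APC-Service-Type to the static value 1. The dictionary text is embedded as constructed input copied from the post; the vendor ID 318 and the Admin/Device/ReadOnly values come from the thread, and the encoder applies equally to the NS-Admin-Privilege values (vendor 3224, VSA 1) given for Juniper/Netscreen. The 12-byte layout (Type, Length, 4-byte Vendor-Id, vendor type, vendor length, 32-bit value) is the standard RFC 2865 format, not something ACS-specific.

```python
"""Added example: parse a vendor VSA dictionary and encode/decode the
resulting RFC 2865 Vendor-Specific (type 26) attribute. Not from the thread."""
import struct

# Constructed input: the APC dictionary text from the post above, verbatim.
APC_DICTIONARY = """
[User Defined Vendor]
Name=APC Devices
IETF Code=318
VSA 1=APC-Service-Type

[APC-Service-Type]
Type=INTEGER
Profile=OUT
Enums=APC-Auth-Type

[APC-Auth-Type]
1=Admin
2=Device
3=ReadOnly
"""

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for vendor-specific attributes


def parse_dictionary(text):
    """Parse [section] / key=value blocks into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def vendor_table(sections):
    """Build {"vendor_id": int, "attrs": {vsa_id: (name, {enum_value: label})}}."""
    header = sections["User Defined Vendor"]
    attrs = {}
    for key, name in header.items():
        if key.startswith("VSA "):
            vsa_id = int(key.split()[1])
            enum_section = sections.get(name, {}).get("Enums")
            labels = {}
            if enum_section:
                labels = {int(v): label for v, label in sections.get(enum_section, {}).items()}
            attrs[vsa_id] = (name, labels)
    return {"vendor_id": int(header["IETF Code"]), "attrs": attrs}


def encode_vsa(vendor_id, vsa_id, value):
    """Encode one 32-bit integer VSA: Type=26, Length, Vendor-Id, vendor type/length/value."""
    inner = struct.pack("!BBI", vsa_id, 6, value)  # vendor type, vendor length (6), value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(data):
    """Decode an integer VSA back to (vendor_id, vsa_id, value), rejecting malformed input."""
    if len(data) != 12 or data[0] != VENDOR_SPECIFIC or data[1] != len(data):
        raise ValueError("not a well-formed integer Vendor-Specific attribute")
    vendor_id, vsa_id, vsa_len, value = struct.unpack("!IBBI", data[2:])
    if vsa_len != 6:
        raise ValueError("unexpected vendor length")
    return vendor_id, vsa_id, value


def describe_vsa(data, table):
    """Render a decoded VSA using the names and enum labels from the dictionary."""
    vendor_id, vsa_id, value = decode_vsa(data)
    if vendor_id != table["vendor_id"] or vsa_id not in table["attrs"]:
        raise ValueError("attribute not in this vendor dictionary")
    name, labels = table["attrs"][vsa_id]
    return f"{name} = {labels.get(value, 'unknown')} ({value})"


if __name__ == "__main__":
    table = vendor_table(parse_dictionary(APC_DICTIONARY))
    admin = encode_vsa(table["vendor_id"], 1, 1)  # what "Static value 1" pushes
    print(admin.hex())                             # 1a0c0000013e010600000001
    print(describe_vsa(admin, table))              # APC-Service-Type = Admin (1)
```

Running it prints the raw bytes of the attribute and its decoded meaning; a packet capture of the Access-Accept sent to the UPS should contain exactly that 12-byte attribute when the profile is applied, which is a quick way to check whether the authorization profile is being selected at all before looking at the device side.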

I already have 8 attributes for juniper:

Allowed-Commands  ID-2

Allowed_Configuration ID-4

             .

             .

             .

The list goes on and I checked on the Juniper web site too. I couldn't find NS-Admin-Privilege and if it is something I have to create, what is its ID? I am assuming it is of type Enumeration, please let me know.

I made the changes as suggested but, for some reason, it tries to authenticate against RSA twice, and when I use an internal account on ACS, it just works fine. Please check the attached file.

Thanks,

Kerim

Kerim,

Can you show me the setting on the identity sequence? If we have RSA listed first then it will go to that database.

Regards,

~JG

Hi JG,

That is correct, the identity sequence is such that it checks for RSA first then moves to the internal database. That is not the problem. The problem is it tries to authenticate twice for APC devices only. Once I put in the username and RSA token, it authenticates fine and almost immediately reauthenticates without prompting me and of course fails. When I use a local account I don't have a problem. This is just for APC devices.

Thanks,

Kerim

Hi Kerim,

Have you tried it from a different PC and browser?

Regards,

~JG