Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how to secure your infrastructure with AAA with Cisco expert Mike Griffin. Mike is a network consulting engineer in the central engineering - security architecture and design group of advanced services. He works with many of Cisco's largest customers in the design and implementation of their networks with a focus in network security. In this role, he concentrates on establishing leading practices for the implementation of various security products. Mike has been in the networking industry for 17 years (10 of that with Cisco) and he is also CCIE certified in routing and switching (# 8492).
Remember to use the rating system to let Mike know if you have received an adequate response.
Mike might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through May 8, 2009. Visit this forum often to view responses to your questions and the questions of other community members.
Does ASR 1002 (IOS XE 2.3.0) support pptp dialin? I would like to terminate MS Windows pptp connections.
I've configured L2TP and it works. PPTP does not work. Is it my mistake or an IOS XE 2.3.0 bug? (If you know about the bug, do you know the release date of a corrected IOS XE?)
This forum is dedicated to AAA questions. I'd suggest one of the Network Infrastructure forums, probably WAN, Routing & Switching.
This is Raja. I'm a baby to this field and planning to start a business which is going to support an application online, and I want to do a network setup for the communication. It's going to be a 10-node small business, where I want to manage the LAN connection for Internet and also the tunneling. Can someone suggest which series of switch, router and firewall will work for my setup? Waiting for you experts. Thanks in advance.
This forum is dedicated to AAA questions. I'd suggest one of the Network Infrastructure forums for your question.
I need to create a user in TACACS+ and allow him only the "SHOW RUNN" command. There are two users in the default NDG: one user ID is for the administrator with privilege 15 and the other user ID will be used only to view the devices' configuration. Any suggestion?
Yes, you can configure it; the link below may help you.
Try enabling shell command authorization permit "Show Run" and grant privilege level "6" to restrict the user from executing other commands.
The best approach will be assigning two users to two different groups such as Admin Group and User Group in order to achieve group and user level authorizations.
Hope this helps
Users are assigned to User Groups while network devices are assigned to Network Device Groups (NDGs). This is an important distinction which will be referenced later in this post.
This topic is more complicated than you might think. The "show running-config" and "write terminal" commands only show the parts of the running config that a user's privilege level would be authorized to change. The "show startup-config" and "show config" commands, on the other hand, will show the entire start up (saved) configuration. For this reason, you can't simply have a user at level 1 (or anything under level 15), allow access to the "show running-config" command and expect them to see the entire config.
What you will need to do is assign the desired user to a new group, have the user login as privilege level 15, apply a command authorization set to that group that ONLY allows the "show running-config" command (and denies all others), and perform command level 15 authorization on the devices. The downside is that this user MUST have level 15 access. This means that the user will have complete access to alter the config of any device that is not performing command level 15 authorization. You can use NDGs in ACS to restrict which devices this user (or user group) has access to, though.
Remember that a user can be dropped directly into level 15 with "aaa authorization login" on the devices and a privilege-level defined in ACS.
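The device side of the approach described in this answer, as an added example that is not part of the original thread: an IOS configuration that lets ACS drop the user into privilege 15 via exec authorization and then checks every level-15 command against the command authorization set applied to the user's group on ACS (permit `show running-config`, deny everything else). The server address and shared secret are placeholders.

```cisco
! Added example, not from the thread. Server address and key are placeholders.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-SECRET
!
! Login is authenticated by ACS; "local" is only consulted when no server answers.
aaa authentication login default group tacacs+ local
! EXEC authorization is what lets ACS place the user directly into level 15
! (privilege level 15 returned in the user's or group's shell/exec settings).
aaa authorization exec default group tacacs+ local
! Every level-15 command is sent to ACS for authorization. Without this line
! the level-15 user has full configuration access on this device, which is
! the caveat in the answer above.
aaa authorization commands 15 default group tacacs+ local
! Authorize level-1 commands as well so the same command set applies throughout.
aaa authorization commands 1 default group tacacs+ local
! Record which commands the read-only user actually ran.
aaa accounting commands 15 default start-stop group tacacs+
!
! The "default" method lists apply to all lines automatically; the vty
! block below only restricts access to SSH.
line vty 0 4
 transport input ssh
!
! On the ACS side (not IOS config): in the read-only group's Shell Command
! Authorization Set, add command "show" with argument "permit running-config",
! set unmatched arguments to Deny, and set unmatched commands to Deny.
```

With this in place, `configure terminal` and every other level-15 command is rejected by ACS for the read-only group, while the administrator group keeps its own permissive command set.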
we want to authenticate local users with our Cisco Secure ACS SE and non-local users via proxy radius servers.
This works, when we have not more than 12 entries (+1 for default) in the proxy distribution table of the ACS. But for "eduroam" we need up to 40 entries and then we get "user unknown" errors in the log of our WLC.
Any ideas or a known limitation?
I am not aware of any restrictions or limitations on the number of entries in a proxy distribution table. Can you provide me with a list of the prefix entries that you are using? If it is considered confidential, you can e-mail them directly to firstname.lastname@example.org.
I am facing a very big issue and only you can help me to find a solution.
The scenario is that I have some Cisco IPSEC VPN Concentrators that need to be removed from the network. We already have another Juniper VPN which is working fine all the way. But a large number of users were using this IPSEC VPN previously, so the customer needs to allow access to this IPSEC VPN to some users and deny access to others. But these "some" permitted users are from different groups inside the Windows AD. So I tried creating a local group, adding all these permitted users to it and applying Network Access Restrictions. I have applied a shared NAR, a per-group NAR and CLI/DNIS-based Access Restrictions to deny access to my IPSEC VPN, but somehow it doesn't work. After applying all these, my IPSEC VPN Client can still communicate with the VPN 3000 concentrator.
Did I do anything wrong? Please advise me on how I can achieve the intended result. If I can use any other ways to achieve the result, please advise me on that too...
Appreciate your great help and eagerly waiting for your reply
Putting the users into another group and using NARs should be the proper approach for this. Another approach would be, if the list of users is relatively small, to add the users directly to the VPN3K (with external AD authentication) and do away with the default authentication method there. That way, only users in the local DB (even though their authentication method is remote) would be able to log into the VPN3K.
here is my suffix list:
@ourdomain pointing to our ACS,
pointing to the 2 proxy radius servers.
When I add another TLD, e.g. .ca or .fr, there is no authentication and I get "user unknown" errors at the WLC.
My first idea was to use the "Default" entry for proxy authentication of non-local users and let the ACS authenticate our users, but this doesn't work, so we need to do it with the TLDs for each country...
What kind of errors are you getting on the ACS? An Unknown user error on the WLC could simply mean there was an authentication timeout. I'd like to see what the ACS is saying.
Also, have you opened a TAC case on this issue? I'd be interested to see what the ACS TAC folks have to say regarding this.
The ACS says nothing for passed authentications and failed attempts. I only see radius accounting for successful authentications.
Our local Cisco distributor has opened a TAC case and I sent him debug info from the WLC for successful and unsuccessful authentication requests so he can forward this info to the folks.
I think the TAC case is your best bet here. If passed and failed authentication logging is enabled on the ACS, then you should see something in those logs regarding these sessions.
Through Cisco Network Assistance, how do you create a user with level 14, so they only have read-only access?
I am not sure what you mean by "Network Assistance". However, commands are only assigned to privilege levels 0,1, and 15 by default. So if you have not changed any of the command privilege levels, then a user at level 14 has the exact same access as a user at level 1.
Hi Mike, I would like to set up AAA accounting. Is there a doc somewhere that shows the steps and procedures required to have this set up?
Assuming you are talking IOS, the AAA Accounting guide is located here: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacct.html
There are several different things that you can collect accounting records for, and those are explained in this document.
As per my moderate knowledge, there is no built-in failover or stateful failover mechanism on ACS for HA.
What is the best visible way to implement HA (High Availability) for the ACS appliance and the Windows-based version as well?
Authentication sessions are very fast and short lived sessions. While there is state involved in the TACACS+ TCP session (RADIUS is UDP), the sessions are so short lived that it does not make sense to keep the state of the authentication session. So no, there is no stateful failover for ACS.
You build HA with service redundancy. You can either put your ACS servers behind a load balancer like you would with a web server or you can have the redundancy added to the device (router and switch) configuration. You can configure your devices to reference 2 (or more) servers. If the primary server is unresponsive, then the device will query the next server on the list.
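The device-side redundancy described in this answer, as an added example that is not part of the original thread: two ACS servers in one TACACS+ server group, tried in order, with a short per-server timeout and a local fallback that is consulted only when no server responds. Addresses, the group name, the loopback interface and the secrets are placeholders.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
aaa new-model
! Both ACS servers in one named group; the device tries them in the order listed.
aaa group server tacacs+ ACS-GROUP
 server 192.0.2.10
 server 192.0.2.11
! Short per-server timeout so a dead primary costs a few seconds, not a hung login.
tacacs-server timeout 3
tacacs-server key REPLACE-WITH-SHARED-SECRET
! Source TACACS+ traffic from a stable address that is registered as the
! AAA client on both ACS servers.
ip tacacs source-interface Loopback0
!
! "local" is a fallback for when neither server answers; it is NOT used when a
! server answers with a reject. Keep the same server group on every method
! list so authorization does not silently fall back while authentication does not.
aaa authentication login default group ACS-GROUP local
aaa authorization exec default group ACS-GROUP local
aaa authorization commands 15 default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
! Break-glass account used only when both ACS servers are unreachable.
username break-glass privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! Verify from enable mode, without logging out of the current session:
!   test aaa group ACS-GROUP <username> <password> legacy
! Then disable the primary server's reachability and repeat to confirm the
! second server answers.
```

Because ACS replicates its database from master to slave (as noted below in this thread), both servers must be kept in the same replication set, otherwise the fallback server authenticates against stale user data.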
This is great, but here you are talking about load balancing for the client's requests. My concern is how I could have a shared or synced database for two different ACSs, so that in case one fails the secondary can carry over.
There is synchronization built into ACS. There is a master/slave relationship configured for the replication of the data. If you do backend authentication (forward the requests to AD or a Token server) then you will need to consider HA for those systems as well.
Can you recommend a Cisco router for one of our clients? They recently switched ISP to Speakeasy who installed a Hatteras HN 407 bridge. We have had Internet connectivity problems using our customer's SonicWall 3060 firewall, and we experienced similar problems when attempting to use a newer Sonicwall TZ180. We temporarily installed a Linksys W54GT router, which has been working perfectly; however, I would like to have a more robust router for their 25 user network - VPN, two WAN connections, etc. Can you recommend a small business router with 2 WAN connections?
This forum is for questions related to AAA. You should try one of the other forums for this question. The WAN, Routing, and Switching forum might be a good place to start.
Would you please help me with how to set up a home network? There are a few questions:
How do I connect the outside network, which is an AT&T DSL modem, to a Cisco firewall and then to a Cisco Switch 3550 which has 48 ports?
I have connected them following the instructions at http://www.cisco.com/en/US/docs/security/pix/pix63/quick/guide/63_515qk.html#wp47817; however, it did not work. Please help; any advice would be appreciated.