Showing posts with label AAA. Show all posts

TACACS+ and ISE 2.x Recommended Configuration :-


Layer-3 and Layer-2 switches: -
Define TACACS SERVER: -
aaa group server tacacs+ ISE-GROUP

 server-private <primary ISE server> key <plain key>
 server-private <secondary ISE Server> key <plain key>


AAA Login Commands: -
aaa new-model
aaa authentication login ISEauth group ISE-GROUP local

aaa authorization exec ISEauth group ISE-GROUP local if-authenticated

line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth


AAA Command Authorization Config: -
With command authorization, every command a user enters on the switch is checked against ISE, so you can restrict (and monitor) which commands are allowed.
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
Login Accounting Logs sent to ISE server: -
"Exec accounting" captures details about a user reaching the shell prompt (the session in which all commands are run), while "command accounting" keeps track of which commands the user executes on the Cisco device.
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
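Added example (not from the post and not a Cisco or ISE tool): a small Python audit that parses a switch running-config and checks that the recommended AAA lines above are all present, including that the vty lines apply the same method-list names that were defined. The sample configs are constructed; the server addresses and key are placeholders.

```python
import re


def iter_sections(config_text):
    """Yield (top-level line, [indented sub-lines]) for an IOS-style config text."""
    header, body = None, []
    for ln in config_text.splitlines():
        if not ln.strip() or ln.startswith("!"):
            continue
        if ln.startswith(" "):
            body.append(ln.strip())
        else:
            if header is not None:
                yield header, body
            header, body = ln.strip(), []
    if header is not None:
        yield header, body


def audit_aaa_config(config_text):
    """Return {check name: True/False} for the recommended TACACS+ AAA set."""
    sections = list(iter_sections(config_text))
    top = [h for h, _ in sections]
    r = {}
    r["aaa_new_model"] = "aaa new-model" in top
    r["config_commands_authz"] = "aaa authorization config-commands" in top

    # The server group must list a primary and a secondary ISE node.
    r["two_tacacs_servers"] = any(
        h.startswith("aaa group server tacacs+ ")
        and sum(1 for b in body if b.startswith("server-private ")) >= 2
        for h, body in sections)

    # Login and exec method lists must use the group and fall back to local.
    login_list = exec_list = None
    for h in top:
        m = re.match(r"aaa authentication login (\S+) group \S+ local$", h)
        if m:
            login_list = m.group(1)
        m = re.match(r"aaa authorization exec (\S+) group \S+ local if-authenticated$", h)
        if m:
            exec_list = m.group(1)
    r["login_list_with_local_fallback"] = login_list is not None
    r["exec_authz_with_local_fallback"] = exec_list is not None

    # Command authorization and start-stop accounting for levels 1 and 15.
    for lvl in ("1", "15"):
        r["cmd_authz_" + lvl] = any(re.match(
            r"aaa authorization commands " + lvl + r" \S+ group \S+ local if-authenticated$", h)
            for h in top)
        r["cmd_acct_" + lvl] = any(re.match(
            r"aaa accounting commands " + lvl + r" \S+ start-stop group \S+$", h)
            for h in top)
    r["exec_acct"] = any(
        re.match(r"aaa accounting exec \S+ start-stop group \S+$", h) for h in top)

    # The vty lines must apply exactly the list names defined above; a mistyped
    # list name is not caught by the config parser.
    r["vty_applies_lists"] = any(
        h.startswith("line vty")
        and ("login authentication %s" % login_list) in body
        and ("authorization exec %s" % exec_list) in body
        for h, body in sections)
    return r


def failed_checks(config_text):
    """Names of the checks that did not pass, sorted."""
    return sorted(k for k, ok in audit_aaa_config(config_text).items() if not ok)


# Constructed sample: the recommended config with placeholder addresses (RFC 5737) and key.
GOOD_CONFIG = """\
aaa new-model
aaa group server tacacs+ ISE-GROUP
 server-private 192.0.2.10 key EXAMPLE-KEY
 server-private 192.0.2.11 key EXAMPLE-KEY
aaa authentication login ISEauth group ISE-GROUP local
aaa authorization exec ISEauth group ISE-GROUP local if-authenticated
aaa authorization commands 1 default group ISE-GROUP local if-authenticated
aaa authorization commands 15 default group ISE-GROUP local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE-GROUP
aaa accounting commands 1 default start-stop group ISE-GROUP
aaa accounting commands 15 default start-stop group ISE-GROUP
line vty 0 15
 login authentication ISEauth
 authorization exec ISEauth
"""

# Constructed broken variant: only one server, and the vty line uses a misspelled list name.
BAD_CONFIG = (GOOD_CONFIG
              .replace(" server-private 192.0.2.11 key EXAMPLE-KEY\n", "")
              .replace(" login authentication ISEauth", " login authentication ISEAuth"))

if __name__ == "__main__":
    print("good:", failed_checks(GOOD_CONFIG))
    print("bad: ", failed_checks(BAD_CONFIG))
```

Run it against a saved `show running-config`; anything printed in the failed list is a line to add or a list name to correct before relying on ISE for device administration.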





ASA Firewall Configuration: -
Define TACACS SERVER: -
+ max-failed-attempts: - Specifies the maximum number of failures allowed for any server in the group before that server is deactivated. The default value is three.
+ reactivation-mode: - There are two AAA server reactivation modes on the ASA, timed mode and depletion mode. The command below uses timed mode.
1. With timed mode, the ASA reactivates a failed server after 30 seconds of downtime. In my limited testing, it continuously tried to reactivate the server every 30 seconds when I brought the TACACS+ server down.
2. With depletion mode, the failed TACACS+ server stays down until all servers in the group are in the failed state. The default deadtime is 10 minutes.

aaa-server TACACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode timed
aaa-server TACACS (inside) host <primary ISE server>
 timeout 5
 key *****
aaa-server TACACS (inside) host <secondary ISE server>
 timeout 5
 key *****
AAA Login Commands: -
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization exec authentication-server




AAA Command Authorization Config: -
With command authorization, every command a user enters on the ASA is checked against ISE, so you can restrict (and monitor) which commands are allowed.
aaa authorization command TACACS LOCAL
Login Accounting Logs sent to ISE server: -
aaa accounting telnet console TACACS
aaa accounting ssh console TACACS
aaa accounting command privilege 15 TACACS




ISE 2.x configuration:-

NOTE:- A Device Administration license is required to configure TACACS+ in ISE 2.x and later.

Step1:- Configure a shell profile that grants privilege 15 access.


Step2:- Configure READ-WRITE command authorization (a command set).



Step3:- Configure READ-ONLY access by unchecking "Permit any command" and listing only specific commands; each listed command can be permitted or denied, as shown below.



If you have any queries please comment below

Cisco ACS-Auth-Proxy



OR

Config ON Router



RADIUS<-------------(SERVER_SIDE)#ROUTER#(USER_SIDE)------------------>CLIENT

aaa authentication login default group tacacs
aaa authorization auth-proxy default group tacacs

ip auth-proxy name PROXY-RULE http [list ACL]

ip access-list extended PROXY-ACL
permit icmp any any log
permit tcp any any eq 22 log
permit ip host <SERVER_SIDE> host <SERVER> log
deny   ip any any log

int <USER_SIDE>
ip auth-proxy PROXY-RULE
ip access-group PROXY-ACL in



ip http server
ip http access-class 61
ip http authentication aaa
ip http secure-server


Cisco AAA-VPN Dual Factor Authentication





Cisco ACS-Certificate History

CERTIFICATE HISTORY IN ACS
Please note that the ACS always sends back the whole certificate chain.

The procedure for CA certificate install on ACS is documented here:
https://supportforums.cisco.com/servlet/JiveServlet/previewBody/13545-102-1-30993/IBNS%20Phased%20Implementation%20Configuration%20Guide.pdf

The procedure for CA certificate install on ISE is documented here from page 13 onwards:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_2.0/trustsec_2.0_dig.pdf

Certificate errors occur when the client does not have the CA certificate in its trusted certificate store.

For example, on Windows (the same applies to Android; search the Android forums for the details, since this is a client-side issue):
If the ACS certificate is signed by an external CA such as VeriSign, the Windows client PC should already have that CA in its list by default, and you can select (check) the CA in the Trusted Root Certification Authorities list on the Windows client PC.

If the certificate issued to ACS comes from a CA that the client does not know, export the CA certificate by running the following command on your CA server:
certutil -ca.cert c:\temp\domain-SERVERNAME-CA.cer

On a Windows 7 client, for example, use the Certificates MMC snap-in to import it into the user's Trusted Root Certification Authorities store
(run MMC.EXE, File -> Add/Remove Snap-in -> Certificates -> My User Account -> Trusted Root Certification Authorities -> Certificates -> right-click -> All Tasks -> Import).

On the Windows 7 client PC, open the network's properties, go to the Security tab, and click "Settings" next to Protected EAP (PEAP).
Under Trusted Root Certification Authorities you should then see your ACS local certificate in the list; check it.

Also refer to microsoft article:
http://support.microsoft.com/kb/2518158

For third party certs, you can export the certificate of the CA that issued the certificate to the authentication server to a file. Copy the file to the workgroup machine and then run the following command from an elevated Command Prompt:
certutil -enterprise -addstore NTAuth CA_CertFilename.cer
-----------------------------------------------------------------------------------------------------------------------------
1. Go to Local Server Certificates > Create CSR with:
Field  Field Name              Min. Length  Max. Length  Required?
CN     commonName              1            64           Yes
OU     organizationalUnitName  -            -            No
O      organizationName        -            -            No
S      stateOrProvinceName     -            -            No
C      countryName             2            2            No
E      emailAddress            0            40           No
L      localityName            -            -            No
2.bind this ce

Cisco ACS- All about Active Directory.

ACS TO AD
1. First it looks to see if it can reach DNS using both UDP and TCP.
2. Next it does a reverse DNS lookup of its IP to find the name associated with that IP in DNS. If ACS is behind NAT, the local (not NATted) IP address should resolve to the hostname of the ACS.
3. Next it does a _ldap._tcp. DNS query for the domain to find the DC.
4. It then checks to see if it can reach the DC on the following ports:
ldap: 389/tcp
ldap: 389/udp
smb: 445/tcp
kdc: 88/tcp
kpasswd: 464/tcp
ntp: 123/udp
5. It then binds (LDAP) anonymously to the DC to find the following:
DC name
DC OS
Domain name
GC status
DC functionality
Site name
6. Next it tries to find the GC using the _gc._tcp. DNS query.
7. Then it checks if the GC is reachable on port 3268.
8. Next it connects to the DC again to verify the site name and subnet.
9. Finally it compares the clock of the ACS with that of the DC.
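Added example, not Cisco's ACS code: Python pre-flight checks for the join sequence above (the step 4 port list, the step 7 GC port, and the step 9 clock comparison using the 5-minute tolerance noted further down). The probe function is injectable so the checks can run offline; the hostnames, timestamps and the fake_probe results are constructed.

```python
import socket
from datetime import datetime, timedelta, timezone

# Step 4: ports the DC must answer on (name, port, protocol). UDP entries are
# listed but not probed: a UDP connect() proves nothing, so only TCP is tested.
DC_PORTS = [
    ("ldap", 389, "tcp"), ("ldap", 389, "udp"), ("smb", 445, "tcp"),
    ("kdc", 88, "tcp"), ("kpasswd", 464, "tcp"), ("ntp", 123, "udp"),
]
GC_PORT = 3268                           # step 7
MAX_CLOCK_SKEW = timedelta(minutes=5)    # step 9 / AD checklist below


def tcp_open(host, port, timeout=3.0):
    """Default live probe: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc_ports(dc_host, probe=tcp_open):
    """{'ldap/389/tcp': True/False, ...}; UDP entries are reported as None."""
    results = {}
    for name, port, proto in DC_PORTS:
        key = "%s/%d/%s" % (name, port, proto)
        results[key] = probe(dc_host, port) if proto == "tcp" else None
    return results


def check_gc(gc_host, probe=tcp_open):
    """Step 7: the Global Catalog must answer on 3268/tcp."""
    return probe(gc_host, GC_PORT)


def clock_ok(acs_time, dc_time, tolerance=MAX_CLOCK_SKEW):
    """Step 9: both clocks converted to UTC must be within the tolerance."""
    delta = acs_time.astimezone(timezone.utc) - dc_time.astimezone(timezone.utc)
    return abs(delta) <= tolerance


def join_preflight(dc_host, gc_host, acs_time, dc_time, probe=tcp_open):
    """Names of the failed checks; an empty list means the join can proceed."""
    failed = [k for k, ok in check_dc_ports(dc_host, probe).items() if ok is False]
    if not check_gc(gc_host, probe):
        failed.append("gc/%d/tcp" % GC_PORT)
    if not clock_ok(acs_time, dc_time):
        failed.append("clock-skew")
    return failed


# Constructed offline data: a DC with every TCP port open except kpasswd/464,
# and a DC clock that is six minutes ahead of the ACS.
ACS_CLOCK = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
DC_CLOCK_BAD = ACS_CLOCK + timedelta(minutes=6)
DC_CLOCK_OK = ACS_CLOCK + timedelta(minutes=2)


def fake_probe(host, port):
    return port != 464


def demo_preflight():
    return join_preflight("dc1.example.test", "dc1.example.test",
                          ACS_CLOCK, DC_CLOCK_BAD, probe=fake_probe)


if __name__ == "__main__":
    print(demo_preflight())
```

With the default probe the same functions run against a real DC from the ACS side of the network; compare the output with the port list above before opening a TAC case about a failed join.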
========================================================================
Database replication:       TCP 2638
ACS View Collector:         UDP 20514
SNMP (for requests):        UDP 161
SNMP (for notifications):   UDP 162
========================================================================
AD:-
++ Check that the clocks on AD and the ACS match. There can be up to a 5 minute difference, but the time zone has to be the same.
++ Check that the domain name configured in the AD settings on the ACS can be resolved by the DNS server configured on the ACS. To check this, run ping <domain-name> or nslookup <domain-name>.
++ Check that the user account used for the bind has Account Operator rights, since this account will be used to create a computer account in AD. We also recommend that this account is not used by anyone else and is set to never expire.
++ Go to the ACS GUI and perform a test connection, and send me the output. To do this go to Users and Identity Stores > External Identity Stores > Active Directory.


ACS 5.x was designed to retrieve AD attribute information only when referring to AD:ExternalGroups.
Steps to try:
1. Restart the ACS services.
2. Delete the ACS machine account from AD and disconnect/re-join it to the AD.

How to change Kerberos encryption:
Security Settings \ Local Policies \ Security Options \ "Network security: Configure encryption types allowed for Kerberos"

While processing an AS request for target service krbtgt, the account smcwifiacs01$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes were 1. The accounts available etypes were 23  -133  -128  18  17  3  -140

http://support.microsoft.com/kb/978055 - KB Article:
FIX: User accounts that use DES encryption for Kerberos authentication types cannot be authenticated in a Windows Server 2003 domain after a Windows Server 2008 R2 domain controller joins the domain

http://technet.microsoft.com/en-us/library/cc734055.aspx - Event ID 26: KDC Encryption Type Configuration


http://technet.microsoft.com/en-us/library/jj852180%28v=ws.10%29.aspx - Network security: Configure encryption types allowed for Kerberos
While processing an AS request for target service krbtgt/SOMERSET-HEALTHCARE.COM, the account smcwifiacs02$ did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 3). The requested etypes : 17. The accounts available etypes : 23  -133  -128. Changing or resetting the password of krbtgt will generate a proper key.
http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xml






ACS was sending DES, which is disabled by default on Windows Server 2008 R2.

http://tools.ietf.org/html/rfc3961#section-8
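Added example, not Microsoft's or Cisco's tooling: a Python parser for the two KDC event messages quoted above that names the etype numbers per the IANA registry (RFC 3961) and reports whether any requested etype is actually available to the account. It covers both messages on this page: the DES-only request, and the AES request against an account that has no AES key. The negative etype numbers are Microsoft private-use values and are reported by number only.

```python
import re

# IANA Kerberos encryption type numbers (RFC 3961 registry).
IANA_ETYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
DES_ETYPES = {1, 2, 3}
AES_ETYPES = {17, 18}

# Matches both spellings seen in the events: "were 1." and ": 17."
EVENT_RE = re.compile(
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"requested etypes\s*(?:were|:)\s*(?P<req>[-\d\s]+?)\.\s*"
    r"the accounts? available etypes\s*(?:were|:)\s*(?P<avail>[-\d\s]+?)(?:\.|$)",
    re.IGNORECASE | re.DOTALL)

# The two KDC events quoted on this page.
EVENT_DES = ("While processing an AS request for target service krbtgt, the account "
             "smcwifiacs01$ did not have a suitable key for generating a Kerberos ticket "
             "(the missing key has an ID of 1). The requested etypes were 1. The accounts "
             "available etypes were 23  -133  -128  18  17  3  -140")
EVENT_AES = ("While processing an AS request for target service krbtgt/SOMERSET-HEALTHCARE.COM, "
             "the account smcwifiacs02$ did not have a suitable key for generating a Kerberos "
             "ticket (the missing key has an ID of 3). The requested etypes : 17. The accounts "
             "available etypes : 23  -133  -128. Changing or resetting the password of krbtgt "
             "will generate a proper key.")


def etype_name(e):
    if e < 0:
        return "private-use(%d)" % e
    return IANA_ETYPES.get(e, "unknown(%d)" % e)


def parse_kdc_event(text):
    """Pull account, requested and available etype lists out of the event text."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a 'did not have a suitable key' KDC event")
    return {
        "account": m.group("account"),
        "requested": [int(x) for x in m.group("req").split()],
        "available": [int(x) for x in m.group("avail").split()],
    }


def diagnose(text):
    """Explain the failure: the overlap is empty, and which side is missing what."""
    ev = parse_kdc_event(text)
    usable = [e for e in ev["requested"] if e in ev["available"]]
    return {
        "account": ev["account"],
        "requested": [etype_name(e) for e in ev["requested"]],
        "available": [etype_name(e) for e in ev["available"]],
        "usable": [etype_name(e) for e in usable],
        # The client offered nothing but DES (off by default from 2008 R2 on).
        "client_only_offers_des": all(e in DES_ETYPES for e in ev["requested"]),
        # The account has no AES key at all (the krbtgt password-reset case).
        "account_lacks_aes_key": not any(e in AES_ETYPES for e in ev["available"]),
    }


if __name__ == "__main__":
    for ev in (EVENT_DES, EVENT_AES):
        print(diagnose(ev))
```

An empty "usable" list is the whole story in both events: in the first the client (ACS) only offers DES, in the second the client asks for AES but the account's key set has none, which is what the krbtgt password reset fixes.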
================================================================================

Below are the commands run in root mode after installing the root patch provided by Cisco TAC:

To stop the adclient:
./ACS_AD_Runner.sh adclient -x

To start the adclient:
./ACS_AD_Runner.sh adclient

To leave a domain:
./ACS_AD_Runner.sh adleave -u <username> -r

To join a domain:
./ACS_AD_Runner.sh adjoin -u <username> -z null -V <domain>


To flush the client cache:
./ACS_AD_Runner.sh adflush


/opt/CSCOacs/runtime/adagent/etc
# acs stop adclient
# vi centrifydc.conf
 dns.dc.<domain.name>: <hostname>
 dns.gc.<domain.name>: <hostname>
# Example:
# dns.dc.acme.com: anvil.acme.com cayote.acme.com
# dns.gc.acme.com: roadrunner.acme.com
Press 'a' to enter insert (write) mode, press Esc to leave it, then enter :wq to save and quit.
========================================================================
acstest/rsriramo# acs troubleshoot adcheck MCS55.com
acs/admin# acs troubleshoot adcheck -v   (centrify DC)

acstest/rsriramo# acs troubleshoot adinfo -a   (connected or not connected)
acstest/rsriramo# acs troubleshoot adinfo -r (shows joined domain controller)

Cisco ACS- SNMP working

On ACS versions below 5.2 patch 9 there was a bug where SNMP would always stop responding.
The workaround was to go into Linux mode and restart the SNMP service,
but restarting the service by hand every time is not practical.

The question is what happens after 5.2 patch 9, i.e. when we are running 5.5.
There, a new mechanism called cron is used.

cron is a feature introduced in 5.4 patch 1 and above:
every 1 minute it checks whether SNMP is running,
and if it is not running, cron automatically restarts the SNMP process.
The restart sends a coldStart trap to SolarWinds (the SNMP server).
coldStart = restart of SNMP = interpreted as a device reboot.
So when this message reaches the SNMP server, it thinks the device rebooted.
Now you may ask another question:
what if my device really reboots and the services restart?
Yes, there is also a separate trap sent to the SNMP server when the services restart.

Cisco ACS- Auth Errors

#5411 EAP session timed out ->
This means the client did not respond to the ACS within a certain timeout, so the authentication failed.

This usually happens when a client starts the authentication process but for some reason never finishes it: ACS is still waiting for information from the client machine, and if there is no response within the next 120 seconds the ACS ends the process and reports error 5411 EAP session timed out.

Workaround:
I assume that the WLC is the one sending the authentication request to the ACS server, right? If so, go to the RADIUS server configuration on the WLC and increase the timeout value to 20 seconds.
Please give it a try and let me know the results.
The error message we are getting, "5411 EAP session timed out", is more of a cosmetic issue than an authentication-related issue.


We can actually ignore the error message if all your users are able to authenticate fine.

"This may be due to EAP mis-configuration on ACS or Network Device."

So you want to know if there is a problem with the ACS or network client
configuration that you need to take care here, please correct me if I am
wrong.

This is a very common request ___, and the message the ACS provides makes anyone think there could be a problem with the EAP settings on your server. Most of the time when we receive similar cases the error message comes along with this other alarm, "5411 EAP session timed out". First of all ___, there is nothing to worry about or change on the ACS server.

The new ACS 5.x provides far more information about the authentication requests (pass or fail). This is a generic message and may be generated for multiple reasons, for example when there is no response to the first EAP packet from the client, the client disassociating from the WLC, the end user not typing the username or password in time, the client closing the authentication prompt without entering the credentials, etc.

When this occurs the ACS displays the error "EAP session timeout" or "This may be due to EAP misconfiguration on ACS or Network Device" because it is expecting an EAP response from the client but does not receive the response in a timely manner.

This does not represent a problem in the authentication unit or similar; it is just an informational message that the ACS provides in the reports.

CISCO ACS- All about Purging Logs

WHAT IS PURGING?
The Monitoring & Report Viewer database handles large volumes of data. When the database size becomes too large, it slows down all the processes. To efficiently manage data and make good use of the disk space, you must back up your data regularly and purge unwanted data that uses up necessary disk space. Purging data deletes it from the database.

Database Purge Limits:
Maximum Allowed Disk size: 139.03 GB
Lower Limit: 83.42 GB
Upper Limit: 111.22 GB


Database Purging:
If the database size exceeds the lower limit, a backup is taken (if configured) and a purge is initiated.
If the database size exceeds the upper limit, a purge is initiated even if the backup failed.
If the database size exceeds the maximum limit, ACS services are stopped and the ACS View database is compressed.


acsview-db-compress ==== to reduce the physical size
Use the acsview-db-compress command to compress the ACS View database file.
This command compresses the ACS View database by rebuilding each table in the database and releasing the unused space.
For example, after a purge:
actual DB size = 100 GB
physical DB size = 160 GB
For the View DB compress to take place, 100 GB (the actual size) of free space is required in /opt.
Generally viewdbcompress happens when the difference between the physical and actual size of the DB is > 50 GB (160 - 100 = 60).

NOTE:- This operation stops all services and takes time depending on the size of the database.
NOTE:- This operation requires some space in /opt; at minimum it requires the actual size of the DB.
acsview replace-cleandb
Use the acsview replace-cleandb command to clean up the information in the ACS View database.
This command removes all data from the ACS View database.
That is, this command replaces the current database with a fresh View database.

REASONS WHY THE DATABASE SIZE INCREASES:
clearing /opt
+acsview51.db and acsview.log

Do not clear /opt if it is >30%.
/opt also contains debug logs, local store logs, the session database and many other files,
hence it might also reach 45%, which is normal.

Actual size: the size of the logs inside the acsview51.db file.
Physical size: the size of the acsview51.db file on the hard disk.

+we already know what happens when it reaches:
+lower limit 80 GB = it takes a backup; only if the backup succeeds is the purge done
+upper limit 110 GB = even if the backup fails, it purges

For example, if the backup fails, the /opt size will stay between 80 GB and 110 GB.

RCA:-
+find out which logs are taking the most space in /opt
+ACS is tested with 2 GB of logs per day; if the volume is higher than that it might create problems


Before clearing /opt, try the below:
+Restart the services, then reload


CHAP-PAP-MSCHAP

PAP:-
+used in PPP
+uses two-way handshake
In PAP the passwords are sent across the link in clear text and there is no protection from playback or trial-and-error attacks.



CHAP:-
+used in PPP
+In CHAP the user credentials are hashed and sent.
+With CHAP, the authenticator (i.e. the server) sends a randomly generated "challenge" string to the client, along with its hostname. The client uses the hostname to look up the appropriate secret, combines it with the challenge, and hashes the string using a one-way hash function. The result is returned to the server along with the client's hostname. The server now performs the same computation, and acknowledges the client if it arrives at the same result.


PC-<----- "challenge''+Hostname --------server
PC------hash= encrypts string(challenge)  --------server

R1-------------challenge----->R2
R1<--------------response-----R2
R1-->access accept/reject-->R2
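Added example, not part of the post: both sides of the CHAP exchange in Python as RFC 1994 specifies it (Response = MD5(Identifier || secret || Challenge)), with a one-shot outstanding-challenge table on the server side showing why a captured Response cannot be replayed against a fresh challenge. Hostnames R1/R2 follow the diagram above; the shared secret is constructed. Note that the server must hold the secret in recoverable form to do the same computation, which is why CHAP needs a plaintext-capable credential store.

```python
import hashlib
import hmac
import os

SECRETS = {"R2": b"constructed-shared-secret"}   # server table: peer name -> secret


def chap_response(identifier, secret, challenge):
    """Peer side: MD5(Identifier || secret || Challenge), RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator (R1): issues challenges and checks responses."""

    def __init__(self, secrets, hostname="R1"):
        self.secrets = secrets
        self.hostname = hostname
        self.identifier = 0
        self.outstanding = {}   # identifier -> challenge still awaiting a response

    def challenge(self, rand=os.urandom):
        """Challenge packet: (identifier, random challenge bytes, authenticator name)."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = rand(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal, self.hostname

    def verify(self, identifier, response, peer_name):
        """Success only for a matching, still-outstanding challenge."""
        chal = self.outstanding.pop(identifier, None)   # one-shot: a replay finds nothing
        secret = self.secrets.get(peer_name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(response, chap_response(identifier, secret, chal))


def client_answer(identifier, challenge, secret, my_name="R2"):
    """Peer (R2): Response packet carrying the hash and the peer's own name."""
    return identifier, chap_response(identifier, secret, challenge), my_name


def run_exchange(client_secret=SECRETS["R2"]):
    """One R1 -> R2 exchange, then a replay of the same Response: returns (first, replay)."""
    server = ChapServer(SECRETS)
    ident, chal, _server_name = server.challenge()
    packet = client_answer(ident, chal, client_secret)
    return server.verify(*packet), server.verify(*packet)


if __name__ == "__main__":
    print("correct secret:", run_exchange())        # (True, False)
    print("wrong secret:  ", run_exchange(b"wrong"))  # (False, False)
```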



EAP-MD5:-
+All EAP methods are used for port-based authentication; this one cannot be used for WiFi.
++Both challenge and response go unencrypted, in plain text.

+It is also secure in that it hashes the user's password.
+The server sends the client a random challenge value, and the client proves its identity by hashing the challenge and its password with MD5.
+It cannot be used in public networks like wireless or guest,
because EAP-MD5-Challenge does not provide server authentication and is therefore vulnerable to spoofing.



MSCHAPV1 and MSCHAPv2:-
Basically MS-CHAP v2 is more secure: it provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.

In MS-CHAP v1, only the server requires authentication from the client, whereas in MS-CHAP v2 the client requires authentication from the server and vice versa.

PC---------ACS
++The client has to validate the RADIUS server's certificate.
Along with that, the client enters user credentials, which are sent hashed to the RADIUS server.

PEAP:-
If we use PEAP with MS-CHAPv2, a TLS/SSL tunnel protects this authentication traffic.

802.1x AAA Authentication timer

authentication timer {{[inactivity | reauthenticate]} {restart value}}
OR
dot1x timeout reauth-period {seconds | server}
  


Set the number of seconds between re-authentication attempts.

The authentication timer keywords have these meanings:

inactivity—Interval in seconds after which if there is no activity from the client then it is unauthorized

reauthenticate—Time in seconds after which an automatic re-authentication attempt is initiated

restart value—Interval in seconds after which an attempt is made to authenticate an unauthorized port

The dot1x timeout reauth-period keywords have these meanings:

seconds—Sets the number of seconds from 1 to 65535; the default is 3600 seconds.

server—Sets the number of seconds based on the value of the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS
====================================================================
dot1x pae authenticator
dot1x timeout quiet-period 5
dot1x timeout server-timeout 5
dot1x timeout tx-period 5          (default=30sec)(eap/request/identity)
dot1x max-req 1                    (default=2 requests)(eap/request)
dot1x max-reauth-req 1             (default=2 eap-req/identity)
dot1x timeout supp-timeout 2       (default=30sec)(eap/request)
=========================================================
dot1x timeout quiet-period 5

used when there is no failover mechanism like MAB or webauth.
CLIENT<-------------------->SWITCH
               <---------------1 eap-req/identity
          authentication failed
               ---------------->
                                   quiet-period - 1sec
                                   quiet-period - 1sec
                                   quiet-period - 1sec
                                   quiet-period - 1sec
                                   quiet-period - 1sec
               <---------------1
=====================================================================
dot1x timeout server-timeout = NOT USED

switch<---------------------------------->radius server

switch<----------$%$%$%%%---------------->radius server

                    no response from server


The default value is 0 >> never modify this command,
because retransmission to the server is good practice.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/Dot1X_Deployment/Dot1x_Dep_Guide.html#wp387334
=======================================================================
dot1x timeout tx-period 5     (default=30sec)(eapreq/identity)

CLIENT<-------------------->SWITCH
               <---------------1 eap-req/identity
                                WAIT FOR 5SEC
               <---------------2 
eap-req/identity
                                WAIT FOR 5SEC            
FD
               <---------------GUEST VLAN
========================================================================
 dot1x max-req 1    (default=2 requests)(eap/request)

CLIENT<-------------------->SWITCH<-------------------------------------------->RADIUS SERVER
        <-------------------1 eap-req/identity

eap/response--------------->access/req----------------------------------------->

          <-------------------eap/request(30sec)<-----------------------------------access/challenge

     ONLY ONE EAP/REQUEST IS SENT
========================================================================
 dot1x max-reauth-req 1     (default=2 eapreq/identity)

CLIENT<-------------------->SWITCH
               <---------------1 eap-req/identity
                                WAIT FOR 30SEC
               <---------------GUEST VLAN
=======================================================================
dot1x timeout supp-timeout 2   (default=30sec)(eap/request)

CLIENT<-------------------->SWITCH<-------------------------------------------->RADIUS SERVER
        <-------------------1 eap-req/identity

eap/response--------------->access/req----------------------------------------->

          <-------------------eap/request(2sec)<-----------------------------------access/challenge

          <--------------------eap/request(2sec)
========================================================================
===============
 -----------------          -----------------
|  TELEPRESENCE   |--------|    IP PHONE     |-------------- ACS SERVER
|     (PEAP)      |        |    (EAP-TLS)    |
 -----------------          -----------------

802.1x AAA Authentication Host Modes

authentication host-mode:-
Single-Host Mode:-
1 PC----Switch
Multiple-Hosts Mode:-
PC1----PCn------HUB----Switch
++If one PC is authorized then every PC on the port gets access.
++If that PC is unauthorized then every PC on the port loses access.
++Additionally, port security can be used to manage the PC MAC addresses.
Multidomain Authentication Mode:-
1 PC---1 Phone---Switch
++multidomain = two domains = data + voice
++authentication:- MAB or 802.1x or webauth
Multi-authentication Mode:-
PC1----PCn--1 Phone-----Switch
++authentication:- MAB or 802.1x or webauth
++every PC has to authenticate/authorize with the RADIUS server
++No VLAN assignment
Pre-Authentication:-
PC--unauthorized--Switch----Internet
PC--authorized----Switch----Internal access
++The PC gets pre-auth access through a guest ACL or guest VLAN.
Once the PC is authorized it is placed in the internal VLAN and can access all internal resources.
++Pre-auth can be used with any of the authentication modes above.
=================================================
authentication open - traffic is allowed even before authentication
The command "authentication open" means that the switch will let traffic through (as per the port ACL) even if the device is not authenticated.
So even if devices fail the authentication, they will be able to pass traffic.

This mode is used in 2 scenarios:
-Sometimes you want to allow basic access to people who failed the authentication.
-You want to monitor whether clients are configured correctly for dot1x/MAB without affecting their connectivity. This mode lets you see the authentications on ISE without blocking user access.
========================================================
"Authentication violation restrict" means log the event AND deny traffic from the new MAC address (one of the tables in the doc only mentions the log action and not the deny).
"Authentication violation protect" means deny traffic from the new MAC address without logging anything.
"Authentication violation replace" means authenticate the new MAC address and clear the old one from the MAC address table.

802.1x AAA Machine authentication

Using the Cisco ACS server you can authenticate a Windows machine and tell whether or not it has joined the domain. You can use the configuration below on the ACS server with Machine Access Restriction (MAR) enabled.





Rule1:-
WIRED-MAB
Wired MAB:-
Radius:NAS-Port-Type = Ethernet
Radius:Service-Type = Call Check

ANY  ANY ====>PERMIT ACCESS OR (DACL with permit ip any any)

RULE2:- (authenticating machines/host names with AD )
WIRED-MACHINE
Radius:NAS-Port-Type = Ethernet
Radius:Service-Type = framed

AD/Domain computers , ANY ====>PERMIT ACCESS OR (DACL with permit ip any dns , permit ip any DC's)

RULE3:- (authenticating user only if RULE2 is passed )
WIRED-USER
Radius:NAS-Port-Type = Ethernet
Radius:Service-Type = framed

was machine authenticated=TRUE  , Domain Users, ANY ====>PERMIT ACCESS OR (DACL with permit ip any any)
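Added example, not ACS's rule engine: a Python first-match evaluation of RULE1 to RULE3 above against sample RADIUS requests, showing why a user logon on a machine that never passed RULE2 is denied and why the rule order matters. The AD group lookup and the "was machine authenticated" MAR cache are constructed stand-ins; attribute names follow the post, and the MAC, user and host names are constructed.

```python
class Directory:
    """Constructed stand-in for the AD group lookup and ACS's MAR cache."""

    def __init__(self, groups_by_user, machine_auth_macs):
        self._groups = groups_by_user
        self._mar = machine_auth_macs

    def groups(self, user_name):
        return self._groups.get(user_name, set())

    def machine_authenticated(self, mac):
        return mac in self._mar

    def record_machine_auth(self, mac):
        self._mar.add(mac)


def is_wired(req):
    return req.get("NAS-Port-Type") == "Ethernet"


def rule_wired_mab(req, d):
    # RULE1: MAB request (Service-Type = Call Check); no AD lookup involved.
    return is_wired(req) and req.get("Service-Type") == "Call Check"


def rule_wired_machine(req, d):
    # RULE2: 802.1X request (Service-Type = Framed) whose identity is a domain computer.
    return (is_wired(req) and req.get("Service-Type") == "Framed"
            and "Domain Computers" in d.groups(req.get("User-Name", "")))


def rule_wired_user(req, d):
    # RULE3: same transport, a domain user, and the endpoint MAC passed RULE2 earlier.
    return (is_wired(req) and req.get("Service-Type") == "Framed"
            and d.machine_authenticated(req.get("Calling-Station-Id", ""))
            and "Domain Users" in d.groups(req.get("User-Name", "")))


RULES = [
    ("WIRED-MAB", rule_wired_mab, "PERMIT ACCESS (DACL permit ip any any)"),
    ("WIRED-MACHINE", rule_wired_machine, "PERMIT ACCESS (DACL: DNS and DCs only)"),
    ("WIRED-USER", rule_wired_user, "PERMIT ACCESS (DACL permit ip any any)"),
]


def evaluate(req, d):
    """First-match evaluation, top to bottom, like the ACS rule table."""
    for name, cond, result in RULES:
        if cond(req, d):
            if name == "WIRED-MACHINE":          # a RULE2 pass feeds the MAR cache
                d.record_machine_auth(req.get("Calling-Station-Id", ""))
            return name, result
    return None, "DENY ACCESS (default)"


def demo():
    """Four requests from one constructed endpoint, in the order they would arrive."""
    d = Directory({"host/PC1.example.test": {"Domain Computers"},
                   "alice": {"Domain Users"}}, set())
    mac = "00-11-22-33-44-55"
    mab = {"NAS-Port-Type": "Ethernet", "Service-Type": "Call Check",
           "User-Name": "001122334455", "Calling-Station-Id": mac}
    machine = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
               "User-Name": "host/PC1.example.test", "Calling-Station-Id": mac}
    user = {"NAS-Port-Type": "Ethernet", "Service-Type": "Framed",
            "User-Name": "alice", "Calling-Station-Id": mac}
    return [evaluate(mab, d)[0],       # WIRED-MAB
            evaluate(user, d)[0],      # None: user logon before any machine auth
            evaluate(machine, d)[0],   # WIRED-MACHINE (records MAR for the MAC)
            evaluate(user, d)[0]]      # WIRED-USER


if __name__ == "__main__":
    print(demo())
```

The second result is the one to watch in production: a domain user whose PC was never machine-authenticated (for example, a non-domain laptop with cached domain credentials) hits no rule and is denied, which is exactly what MAR is for.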



