AAA Source addressing

Is there a way to set the source address for TACACS?
I have about 170 remote sites that I want to use my ACS server (Ver. 3.3) for Authentication/Authorization. I am using 1918 addressing at the remote locations, and at the corporate office. The ACS server is inside the Corporate network, and I am telnetting to the 10.x address of the inside interface of the router at the remote site. It looks for the tacacs server, but does not find it, and fails back to use the local password.
I can ping the IP address of the tacacs server doing a ping with the source IP of the Inside ethernet, and the IP address of the loopback, on the remote router.

OK, 16 pages down in the forum, I finally found my answer.
Use the command:
ip tacacs source-interface

Similar Messages

  • Match source-address and url

    I have an existing policy-map with vip and port 80. Now I need to do:
    1. Match pool of ip address and url /abc then redirect to url /abc1
    2. If url is ok but ip is out of the pool then redirect to url /abc2
    It's probably possible to achieve but I have problems with mixing class maps (L4 and L7). Please advise how to do it.
    Thank you.

    Hi Kamil,
    Something like below. Please try and let me know if it helps.
    rserver redirect red
      webhost-redirection www.abc1.com
      inservice
    rserver redirect red1
      webhost-redirection www.abc2.com
      inservice
    serverfarm redirect red
      rserver red
        inservice
    serverfarm redirect red1
      rserver red1
        inservice
    class-map type http loadbalance match-all url
      2 match http url abc
      4 match source-address 2.2.2.2 255.255.255.0
    class-map type http loadbalance match-all url1
      2 match http url abc
    policy-map type loadbalance first-match url
      class url
        serverfarm red
      class url1
        serverfarm red1
      class class-default
        serverfarm xxxx
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful

  • NI XNET in LabView: Transmitting source address along with signal

    Hi all!
    Does anyone know a way to transmit a user-determined source address along with a specific signal (J1939)?  I'm outputting a signal from CVI with nxWriteSignalSinglePoint and reading it with CANalyzer, which says that the source address is NULL (254).  Is there a way to set this or would I have to transmit the whole frame (maybe doing the raw bits format)?  Thanks in advance!

    Hey BLowery,
    Given that this is a more XNET-oriented question, I would recommend asking this type of question on the Embedded Networks forum page rather than the CVI Forum, since that's where users dealing with CAN and J1939 reside.
    Embedded Networks Forum:
    http://forums.ni.com/t5/Automotive-and-Embedded-Networks/bd-p/30
    However, if you are wanting to be able to specify the source address manually in the 29-bit extended arbitration ID, as J1939 requires, it wouldn't be too hard, but you can't do it with Signal session. A Signal session uses the CAN database file to determine the ID and parameters of the frame to be sent automatically, and you simply provide the signal data. To be able to edit the ID yourself, a Frame Stream session that doesn't rely on a database would be required, since it would allow you to provide the ID manually.
    I recommend taking a look at this white paper, which shows how to use XNET with the J1939 standard. In the sample code that they provide, there is an example using a Frame Out Stream session which edits the ID manually based on the user's input.
    http://www.ni.com/example/31215/en/
    Regards,
    Ryan

  • Routing RTSP though Ace but keeping source address information

    Hello
    I am trying to set up load balancing for a Wowza streaming media server.  The problem I have is that some of the media that will be on the server is not allowed to be watched from other countries.  The server has a modification that can sort this based on the IP address, but our ACE is in Routed Mode, so the source address is replaced with an internal one, which means that they will be allowed to watch whatever they like.
    I have tried to look into injecting the original source address into RTSP but as far as I can see you can't.
    Can anyone help with making the connections from other countries readable through the ACE?

    Ricardo,
    What is this route ??
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something ?
    Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module ?
    Does it loadbalance to the server ?
    'show service-policy detail' check the packet counters
    Gilles.

  • Change the source address in socket

    Hi all,
    I need some help here. I need to write a program to forward the UDP message received to another machine.
    The requirement from my boss is that the source IP field must remain the same as when I receive it. However, when I forward the message, the socket will automatically change the source to my machine's address.
    How can I do this? Any idea?
    Actually, I am not even sure this can work. A fake source IP address at the IP layer: will this work?
    Please advise. Thanks
    Alan

    Have you resolved your problem with changing the source address in the socket yet?

  • Imanager source address type Network

    I am trying to add a range of ip address as a filter exception through
    iManagers NBM filter management snap-in. If I add an individual host or
    use "any address" it works fine, however, if I select "Network" as the
    Source Address type (or destination address type), when I click next
    nothing happens (I.E. responds as if next was not clicked).
    I have tried various combinations for the address and subnet, but none
    seem to work. What I THINK belongs there is:
    Network
    10.117.12.0
    255.255.255.0
    Is this a known bug, or am I just missing something obvious? Is there a
    workaround?
    Thanks for any help you can provide.
    BM 3.8sp4 on NW 6.5 sp5 (plus post patches).
    Daryl

    In article <V9WNg.2780$[email protected]>, Caterina
    Luppi wrote:
    > i've the VAGUE recollection of this being reported as a bug.
    >
    I have exactly the same vague recollection, and offer the same excuse
    for not using iManager for filtering!
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • How is NTP reply routed when requesting router uses loopback as source address

    The Cisco NTP Best Practices White Paper and DISA STIGs recommend setting the NTP source address to a loopback interface (e.g. "ntp source loopback0").
    But this only seems to work if the requesting (NTP client) router is the default gateway for the NTP server. 
    Specifically, the NTP server will attempt to reply to the requesting router's loopback-based source address (taken from the NTP request packet).  Since that address will always be non-local from the perspective of the NTP server, the NTP server will encapsulate the reply in a Layer 2 frame addressed to its default gateway.  If the gateway was the source of the original NTP request, that should work.  But in most other situations that gateway won't know how to reach a loopback-based address, and will discard the reply.
    I have verified this in tests with routers running both 12.4 and 15.1 releases (and NTP debugging enabled).  When the NTP source is a loopback address, NTP replies never reach the requesting router.  With the default NTP source address (i.e. based on the exit interface) everything works fine.
    Obviously, you could employ workarounds, such as static routes or injecting loopback addresses into your routing protocols.  But that seems uglier than leaving NTP source addresses at their defaults.
    Why is this "best practice" so commonly advocated without mention of some significant caveats regarding routing?  Am I missing something? 
    Thanks,
      Mark

    Michel:
    Thanks for the response.  Actually, I understand what kind of routing workarounds could allow NTP to function in spite of this "best practice."  But I am mystified as to why a Cisco "NTP best practice" paper (http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml) and various security policies would call for setting a loopback address as the NTP source when that practice will often cause more problems than it solves.
    The stability of a loopback address is nice when that address is used to uniquely identify the platform for a routing protocol or syslog.  A loopback-based source address can also simplify ACL management, since that address won't change if an interface or link failure forces the router to send traffic from a different interface.  But I keep seeing security configuration guides/policies that call for also using a loopback address as the source for two-way protocols, such as FTP and NTP. That just doesn't make sense to me when you balance the routing implications against the limited security benefits (stable device identification, simplified ACL maintenance, and obfuscation of device addresses).
    I was hoping to learn that some obscure command might allow me to control which NTP exchanges use the loopback-based source address.  For example, the loopback source address would work fine on outgoing NTP broadcasts (and probably in replies from NTP servers).  But I would prefer that NTP client requests use a source address based on the exit interface. That way replies can be routed back to the client without cluttering up routing tables with routes to loopback addresses.
    So far, it looks like I'll need to chalk this up to poor coordination between the network security and network administration communities.
    Thanks again,
      Mark

  • Source address as 0.0.0.0

    We are getting Critical incidents in MARS with source address 0.0.0.0. What does this mean and what action can be taken?

    Source address = 0.0.0.0 means that there's no Source IP information. Since there are lots of different event types with source address = 0.0.0.0, you need to post what the exact event is to help you out.

  • Sources addresses need be changed.

    I have a case which is shown in the attachments. That is, the PIX outside interface changed the source addresses as illustrated. How can I configure the PIX?
    The changed source addresses are not in the same network as the PIX outside interface's.

    Hi
    I feel you want to change the source IP of the packets coming from the outside world, especially from the 3 networks mentioned in your figure.
    I feel you can make use of the ip nat outside source list command to modify the same.
    But do remember you can configure this on your router also; refer to this link for more info on the same:
    http://cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
    Regards

  • WRVS4400N - eth0: received packet with own address as source address

    I am using a WRVS4400N as my primary router for a small office.  I get the following message repeated over and over in my logs.  This seems to happen for 2 or 3 days and then it will go away for about a week and then come back.  Does anyone know what is causing this?  The best I can tell I don't have any IP conflicts on the network and most of the time the network has very little traffic other than 2 or 3 computers surfing the web.
    Jan  3 16:48:09  - eth0: received packet with  own address as source address
    Jan  3 16:48:09  - eth0: received packet with  own address as source address
    Jan  3 16:48:15  - eth0: received packet with  own address as source address
    Jan  3 16:48:27  - eth0: received packet with  own address as source address
    Jan  3 16:48:51  - eth0: received packet with  own address as source address

    any news on this issue?
    I am getting more and more messages (20+/day) - hundreds this month.
    Now Coming every 10 minutes - HELP
    eth0: received packet with own address as source address
    Done everything, now waiting for input from Cisco.
    Please, anyone, has Cisco got any answers?
    1:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    12:36 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    2:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    3:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    4:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    5:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    6:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    7:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]
    8:38 AM [email protected] WRVS4400N Security Log [6B:C6:FD]

  • Source address for FXS port

    My confusion is about the source address that voice packets assume for an FXS port in a Cisco router.
    I am pasting relevant configuration from 2 routers below.
    For the 1st router I have the session targets in the dial peer config as the loopback addresses but the QoS is working using an access-list where the source address is the serial IP.
    While in the other router I am getting no packet matches for either the loopback ip or the serial ip.
    ROUTER 1
    class-map shell_voip
    match access-group 170
    policy-map shell_voip
    class shell_voip
    priority 64
    class class-default
    fair-queue
    random-detect
    interface Loopback0
    ip address 10.66.12.25 255.255.255.255
    interface Multilink101
    mtu 100
    bandwidth 1544
    ip address 10.66.50.14 255.255.255.252
    no ip mroute-cache
    load-interval 30
    service-policy output shell_voip
    no cdp enable
    ppp multilink
    ppp multilink fragment-delay 20
    ppp multilink interleave
    multilink-group 101
    access-list 170 permit udp host 10.66.50.14 range 16000 35000 any range 16000 35000
    access-list 170 permit tcp any eq 1720 any
    access-list 170 permit tcp any any eq 1720
    voice-port 2/0
    cptone IN
    voice-port 2/1
    input gain -6
    cptone IN
    dial-peer voice 1 pots
    destination-pattern 40
    port 2/0
    dial-peer voice 100 voip
    destination-pattern 10
    session target ipv4:10.129.67.105
    dial-peer voice 2 pots
    destination-pattern 99
    port 2/1
    dial-peer voice 102 voip
    destination-pattern 11
    session target ipv4:10.129.67.105
    ROUTER 2
    no voice hpi capture buffer
    no voice hpi capture destination
    class-map match-all Vsp_voice
    match access-group 160
    policy-map Vsp_voip
    class Vsp_voice
    priority 32
    class class-default
    fair-queue
    random-detect
    interface Loopback0
    ip address 10.65.10.121 255.255.255.248
    interface Multilink60
    ip address 10.65.50.246 255.255.255.252
    service-policy output Vsp_voip
    load-interval 30
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 10
    ppp multilink interleave
    ppp multilink group 60
    access-list 160 permit udp host 10.65.50.246 range 16000 35000 any range 16000 35000
    access-list 160 permit tcp any eq 1720 any
    access-list 160 permit tcp any any eq 1720
    voice-port 2/0
    cptone IN
    voice-port 2/1
    cptone IN
    dial-peer cor custom
    dial-peer voice 9 pots
    destination-pattern 1101
    port 2/0
    dial-peer voice 10 pots
    destination-pattern 1102
    port 2/1
    dial-peer voice 5 voip
    destination-pattern 8901
    session target ipv4:10.196.3.57
    dial-peer voice 6 voip
    destination-pattern 8902
    session target ipv4:10.196.3.57

    You may want to refer to the following link.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080115.html
    Your dial peers are using H.323, so your source will be whatever interface is used to exit the router as determined by the routing table.
    You could also use a debug IP packet to have a look at your source and destination if you are unsure.
    For this case you may want to just apply:
    h323-gateway voip bind srcaddr 10.66.12.25 on Router 1 and h323-gateway voip bind srcaddr 10.65.10.121 on Router 2. Remember to put them under the loopback interface.

  • How does IOS choose what IPv6 source address to use?

    I have a 3750X with IOS 15.2.2E.
    I have multiple IPv6 addresses on the default VLAN (VLAN 1):
    ipv6 address 2001:470:...../64
    ipv6 address 2001:470:...../64
    ipv6 address 2605:A000:..../64
    I have one default IPv6 route:
    ipv6 route ::/0 Vlan1 FE80::.....
    S   ::/0 [1/0]
         via FE80::....., Vlan1
    My question is: when I issue a ping from the 3750X, how does the switch choose what source address to use?
    Currently, it seems to use the 2605:A000 address, but why?
    Can I change this behavior?
    Thanks!

    OK,
    How about my second question: Can I change this behavior in IOS?
    Thanks!

  • Router Source address for ACS Server

    Does anyone know how to configure a router (MSFC in this case) so the same IP address is sent to the ACS server for authenticating? The source address may not always be the same depending on the path taken. If the source address isn't an IP address configured for one of my devices, the ACS server rejects the attempt and the router defaults to local login. I tried setting a loopback address and always telnetting to the loopback address; however, the source address from the MSFC is not the loopback. I have 38 VLANs, and I suppose I could configure those IP addresses under a device; however, if I add a VLAN then I must remember to add that VLAN to ACS. I'm sure there is a simpler way to address this, I just can't seem to find the configs needed on the MSFC to make it work.
    Any help will be greatly appreciated.
    Thanks

    Hi,
    Sounds like you need:
    ip tacacs source-interface interface-name
    (or ip radius source-interface interface-name)
    It's recommended to use a loopback interface, so this would give you (assuming loopback0):
    ip tacacs source-interface loopback0
    HTH - plz rate if it does
    Andrew.
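    Andrew's fix written out as a complete configuration, together with the routing caveat Mark raises in the NTP thread above (a loopback-sourced request is useless if the server has no route back to the loopback). This is an added example, not configuration from either poster; every address, key and OSPF process number in it is a constructed placeholder.

    ```cisco
    ! Added example (not from the thread). All addresses and keys are constructed placeholders.
    aaa new-model
    !
    ! 1. A stable identity for the router: a /32 loopback. The AAA-client entry on the
    !    ACS server for this device must use THIS address; otherwise ACS rejects the
    !    request and the router falls back to the local password, as described above.
    interface Loopback0
     ip address 10.255.0.17 255.255.255.255
    !
    ! 2. Make the loopback reachable from the ACS server's side of the network. Without
    !    a route back to 10.255.0.17 the request arrives but the reply is dropped, which
    !    is exactly the failure described for loopback-sourced NTP requests.
    router ospf 1
     network 10.255.0.17 0.0.0.0 area 0
    !
    ! 3. TACACS+ server definition, and the command that makes every TACACS+ packet
    !    leave with source 10.255.0.17 regardless of which WAN link carries it.
    tacacs-server host 10.1.1.5
    tacacs-server key 0 REPLACE-WITH-SHARED-SECRET
    ip tacacs source-interface Loopback0
    !
    ! 4. Method lists: ACS first, local accounts only when no ACS server answers.
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    !
    line vty 0 4
     login authentication default
     transport input ssh
    !
    ! 5. Once the loopback is routable, the same address can safely source the other
    !    management protocols the security guides mention.
    logging source-interface Loopback0
    ntp source Loopback0
    ```

    To confirm the result from the router itself, `test aaa group tacacs+ <user> <password> legacy` exercises the server with the configured source, and `debug tacacs` shows the address each request is sent from; a ping sourced from the loopback, as in the first post, only proves reachability, not which address TACACS+ uses.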

  • CSS SSL Proxy - how can I write the original source address in http header

    I'm replacing some BigIPs with CSS11500s that are configured to do front/backend SSL proxying in a one-armed configuration. The BigIPs write the original source IP address as an HTTP header value when the traffic is sent to the application, and the application uses the IP to match against an application ACL. How can I do the same in the CSS?
    thanks,
    Brian

    here is what you can insert with the SSL module :
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080292a76.html#wp1027619
    Gilles.

  • Changed source address based on destination IP

    Hello,
    Suppose I had the following configuration in an IOS router
    interface <interface type/number>
     ip address 1.1.1.3 255.255.255.0 secondary
     ip address 1.1.1.2 255.255.255.0
    ip route 0.0.0.0 0.0.0.0 1.1.1.1
    access-list standard INTERNET_BOUND_ACL
     permit <lan subnet-id> <lan wildcard>
    ip nat inside source list INTERNET_BOUND_ACL interface <interface type/number> overload
    I need to change the source inside global IP address based on the destination outside global IP address.
    Example: I need our source IP to be 1.1.1.3 when I ping 8.8.8.8
    How would I accomplish this?

    Hi,
    You would need to use two NAT pools and two different ACLs to separate your internal clients depending on the destination they want to communicate with, and to subsequently NAT them using a selected NAT pool. For example:
    ip access-list extended NAT_2
      permit ip <LAN Network> <Wildcard> <DestinationX> <WildcardX>
    ip access-list extended NAT_3
      permit ip <LAN Network> <Wildcard> <DestinationY> <WildcardY>
    ip nat pool NATPOOL_2 1.1.1.2 1.1.1.2 netmask 255.255.255.0
    ip nat pool NATPOOL_3 1.1.1.3 1.1.1.3 netmask 255.255.255.0
    ip nat inside source list NAT_2 pool NATPOOL_2 overload
    ip nat inside source list NAT_3 pool NATPOOL_3 overload
    Exactly one of the ACLs should actually contain an entry saying
    permit ip <LAN Network> <Wildcard> any
    to make sure that the internal network gets translated to one of the two public addresses even if it does not communicate with any specific destination IP.
    Do you believe this could be a workable solution for you?
    Best regards,
    Peter
