Configuring Radius server with Cisco MDS - 9606 switch

Need help configuring a RADIUS server with Cisco MDS - 9606.
Please let me know if any document is available.

rtt min/avg/max/mdev = 0.260/0.327/0.468/0.077 ms
IFCBCCEMCSW2# sh version
Cisco Storage Area Networking Operating System (SAN-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software may be covered under the GNU Public
License or the GNU Lesser General Public License. A copy of
each such license is available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
Software
BIOS: version 1.1.0
loader: version 1.2(2)
kickstart: version 3.3(1c)
system: version 3.3(1c)
BIOS compile time: 10/24/03
kickstart image file is: bootflash:/m9500-sf1ek9-kickstart-mz.3.3.1c.bin
kickstart compile time: 5/23/2008 19:00:00 [06/19/2008 23:56:56]
system image file is: bootflash:/m9500-sf1ek9-mz.3.3.1c.bin
system compile time: 5/23/2008 19:00:00 [06/20/2008 00:26:51]
Hardware
cisco MDS 9506 ("Supervisor/Fabric-1")
Intel(R) Pentium(R) III CPU with 1028596 kB of memory.
Processor Board ID JAB094300ER
bootflash: 250368 kB
slot0: 0 kB

Similar Messages

  • Windows 2k8 Radius Server with Cisco Wireless Controllers

    We currently are using a Cisco 4400 wireless controller with an older Cisco Secure ACS appliance that is going EOL. My hope was to just connect our 4400 Wireless Controller to a Windows Server 2008 RADIUS server (just using Microsoft's Network Policy Server) but have not had any luck in getting this to work. Does anyone have an easy to follow set of instructions on configuration of Microsoft Windows Server 2008 NPS for use with Cisco Wireless Controllers? Any advice would be greatly appreciated.
    Thank You,
    Jim

    Hi NPT,
    Here is the post which may help you!!
    https://supportforums.cisco.com/message/3073519
    Regards
    Surendra

  • Cisco MDS series switch details

    Hello, I'm new to the Cisco switch world.
    I'm working as a Clariion admin and have taken up the responsibility to manage switches. Since I am a novice, I need a little guidance on how to work on Cisco switches. I know the zoning part (how zoning is done on MDS 9000 series switches), but would like to venture deep into the details of Cisco MDS series switches,
    like the use of port channels etc.
    I would really appreciate it if someone can help me with a link or place (not the configuration guide) where I can find details concentrated more on the theory part.
    Thanks in advance!

    Actually the best info is in the configuration guides.  There are some external companies that run training sessions on the MDS to provide in depth training.  There is the MDS cookbook available on CCO that is also a good point of information.    If you search on 'MDS white papers' after you login into Cisco.com, there are several good documents that might meet your needs.
    Hope this helps,
    Mike

  • Using Cisco MDS 9148 switch for switching and routing

    Hi Gurus,
    Can you please advise me? Can I configure interface trunking, routing and DHCP services on the Cisco MDS 9148 switch?
    Thanks for your response!!

    Tommy,
    MDS9148 is a Storage SAN Fibre Channel switch, it doesn't support Ethernet, IP, VLANs, VLAN trunking, 802.1Q, IP routing, DHCP. It's meant for Fibre Channel connectivity between Fibre Channel server HBAs and Fibre Channel storage.
    Roman

  • Does cisco MDS 9000 switch by default set a little higher R_T_TOV?

    Hi, All:
    Not sure anyone has done LOS for a Cisco MDS 9000 switch before. I tried to insert a code violation which is equal to 103ms but only see a link reset, not NOS/OLS. Is it because Cisco MDS has a higher default? Or can we set R_T_TOV on the switch?

    Hi Larry - this (http://lists.apple.com/archives/usb/2008/Oct/msg00021.html) was the only thing I could find about transactions timing out, but since you don't have anything plugged in, it really doesn't apply. Have you tried resetting your SMU?
    If that doesn't work, run Disk Utility from your install disc and see what it comes up with. Your suspicion that the MB may be faulty is probably correct, and if you are still within the 90 day warranty period, you should call the repair place and have them replace it yet again.

  • Cisco MDS 9418 switch doubt

    Hi Team,
    We have a question: does the Cisco MDS 9418 switch support the FCIP feature?
    We are planning to migrate the data from our old data center over WAN to the EMC VNX storage box in another location.
    In our old data center we have 2 FC Cisco switches connected to the EMC Clariion storage array. In order to replicate data from the Clariion box to the EMC VNX box over WAN, it can be done via FCIP.
    I wanted to know if we can insert the FCIP converters into these MDS 9418 switches or whether we need to have separate FCIP converters.
    Do we need FCIP converters on both sides for doing replication over FCIP?
    For clear understanding please see the attachment.
    Will be waiting for your response.
    Regards,
    Pranav.

    Hi,
    Since the 9148 does not have IP interfaces, something will be needed to tunnel the FC into IP (FCIP) such as an MDS 9222i, which has both FC interfaces and GigE interfaces and supports FCIP.
    Regards,
    David

  • How to configure portal server with the Backend Oracle database

    Hi Portal Experts,
    We are planning to install NetWeaver 04s SP stack 9 full Java edition with Oracle 8i on the Windows platform.
    We have the installation docs of the portal, but we don't have any idea how to configure the Portal server with the backend Oracle database at the time of installation or post installation of the portal. Can anyone provide the documentation about this or guide me on how to achieve this?
    Please share your views. Your help would be highly appreciated.
    Regds
    Phani.

    HI
    If you are working in SAP Enterprise Portal, use for the connection URL
    jdbc:sap:sqlserver://ilsql01.tlv.sap.corp:1433;DatabaseName=Northwind
    ilsql01.tlv.sap.corp:1433 this is your portal url with port number
    Northwind is your database name.
    For the driver you need to give
    com.sap.portals.jdbc.sqlserver.SQLServerDriver
    In case you are working on something other than SAP, say Windows along with Oracle, try to use
    Connection URL as jdbc:oracle:<drivertype>:@<database>
    Driver name as oracle.jdbc.driver.OracleDriver
    ex jdbc:oracle:thick:@localhost:3036:mydb
    Oracle implements two types of JDBC drivers:
    Thick JDBC drivers built on top of the C-based Net8 client, as well as a Thin (Pure Java) JDBC driver to support downloadable applets. Oracle JDBC drivers are used to create JDBC applications to communicate with Oracle databases.
    Oracle extensions to JDBC include the following features:
    Data access and manipulation
    LOB access and manipulation
    Oracle object type mapping
    Object reference access and manipulation
    Array access and manipulation
    Application performance enhancement
    *************if the information is helpful to you please reward points************

  • Server 2008 R2 RADIUS Server with a Cisco Aironet 1040 Wireless AP

    I am trying to get Server 2008 R2 RADIUS Server to work with a Cisco Aironet 1040 Wireless AP. I have installed the RADIUS server by MS standards and performed some searches on Google to configure the Cisco Aironet. I see others using a Wireless LAN Controller, which I do not have. I found this post below:
    https://supportforums.cisco.com/discussion/11546056/wlc-2504-radius-2008-r2-server
    But I have yet to locate a good step by step document on how to set it up and I have found so many different ways that others have set it up, but none have yet to work. I am having authentication issues that I know of and I do not see any errors in the Windows Event Viewer and I do not know where the Access Point stores its logs for any sort of error. Keep in mind this is the first time I am doing this. I do not have a Wireless LAN Controller and all my network / domain services are on individually built servers and not on one single server as I have seen with most of the documentation they all say the same thing by putting the Certificate Services, Domain Services (AD / ADS, etc), and NPS. I do not want that configuration and my setup should not be any different, but something is not right. I know from reading that this is not rocket science, but from someone who has never done it before this is difficult as I keep reading on and so many people do it different ways including what I have been reading according to what Cisco says to configure in the environment. Does anyone know where I can find good step by step documentation along with where I can look for logs on either device? I find that all the documentation I see on Cisco's website and from searching that it is old and outdated and not been updated in a long time so it is hard to determine what works and what does not work. I am stumped here and have been doing this for several weeks now with no luck. Thank you in advance.

    I did configure the Server 2008 R2 RADIUS Server using this video below: 
    https://www.youtube.com/watch?v=g-0MM_tK-Tk
    I also referenced Technet to make sure it was configured correctly as well. I am still not sure if I am 100% setup correctly on the Windows Server side, but I for sure want to make sure I have the AP side setup correctly. Do you know of a better article for the Windows Server 2008 R2 setup? Does it matter that I do not have all the services installed on the same server? Instead I have them installed on multiple servers.
    I have image number c1140-k9w7-tar.124.25d.JA1 on the AP. The part that confused me in that article, which I have seen before was the part about "Setting up access point must be configured in the authentication server as an AAA client." What is the AAA Client? I also am not aware of having Cisco Secure ACS anywhere built into the AP as that part threw me off completely. Do I need to skip these steps? Thank you for help on this.

  • How to configure an external Cisco MDS 9124 Switch

    I have worked with some other Fibre switches before but not Cisco and was wondering if someone can pass me some quick info on how to configure the MDS 9124. I saw the Quick Guide and it briefly talked about config, but do I have to go thru hyperterminal to do the initial IP config? Is there a default one already I can use to get to the WebGUI. Some of the ones I worked with (like the ones that come with the Bladecenter) have a default IP, where I can enter the IP into the web browser and access the GUI right away and start doing configs.
    With the MDS 9124, can I do this? Or do I have to configure IP thru hyperterminal and then install Fabric Manager etc.
    Thanks in advance for any help!

    I assume that you actually read the guide:
    http://www.cisco.com/en/US/docs/storage/san_switches/mds9000/hw/9124/quick/quide/9124QSG.html
    Setup of the network is pretty clear. If the switch is brand new, you have to give it an IP address. Generally just follow the dotted line and don't vary except if you know what you are doing.
    Once it's on the network, DM and FM can do the rest.
    The 9124e's don't have serial ports so the OA looks after that for you.

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.
    (Comments are now closed)

    1. Without more specifics it is hard to determine actual issue. It may be possible that if configured in same subnet that asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests and that is handled by foreign server. ISE does support advanced relay functions such as attribute manipulation, but recommend review with requirements with local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at Authentication Policy level. CWA and Guest Flow is handled in Authorization Policy.  If need to authenticate a CWA user via external RADIUS, then need to use RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option  to have some users authenticated to different AD domains via foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution.  Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so recommend consult with local ATP Security SE to review overall requirements, topology, AD structure, and RADIUS servers that require integration.
    Regards,
    Craig

  • Integrating AAA Radius-server with Micro-soft IAS for SSH

    Hi,
    I am configuring aaa-server on ASA-5505 (RADIUS) and I am using Microsoft IAS for authentication for SSH connections on the ASA, so during "test aaa-server authentication" I am getting this message
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    All users are there on Active Directory. Below are the debug radius and debug aaa authentication.
    ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
    INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
    radius mkreq: 0xd4
    alloc_rip 0xd83bb99c
        new request 0xd4 --> 124 (0xd83bb99c)
    got user 'praveeny'
    got password
    add_req 0xd83bb99c session 0xd4 id 124
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)
    Raw packet data (length = 66).....
    01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
    4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
    a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
    00 05                                              |  ..
    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 124 (0x7C)
    Radius: Length = 66 (0x0042)
    Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    70 72 61 76 65 65 6e 79                            |  praveeny
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.16.1.10/1645
    rip 0xd83bb99c state 7 id 124
    rad_vrfy() : bad req auth
    rad_procpkt: radvrfy fail
    RADIUS_DELETE
    remove_req 0xd83bb99c session 0xd4 id 124
    free_rip 0xd83bb99c
    radius: send queue empty
    Thanks in advance. All comments and suggestions are welcome.
    Regards,
    Praveen

    Hi,
    RADIUS as a protocol does not support command accounting, i.e., logging of commands that a user enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used have been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
    Thanks,
    Wen
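The debug output in the question ends with `rad_vrfy() : bad req auth` and a "server secret mismatch" error. The following is an added example, not code from the ASA, IAS or either poster: it parses the Access-Request bytes from the dump above and shows the RFC 2865 Response Authenticator check, which fails whenever the two sides hold different shared secrets. Both secrets and the Access-Accept reply are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Access-Request copied from the "Raw packet data" dump in the post above.
REQUEST = bytes.fromhex(
    "017c004237a40dc2d310090e2f3cc51a"
    "4b2841e6010a7072617665656e790212"
    "a18fe1ae58ddc252d637f732133a1c71"
    "0406ac1e1e0605060000000e3d060000"
    "0005"
)

# Constructed secrets: stand-ins for the key on the ASA and the key on IAS.
NAS_SECRET = b"constructed-nas-secret"
SERVER_SECRET = b"constructed-server-secret"


def parse_packet(pkt):
    """Return (code, id, length, authenticator, [(attr_type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, length, pkt[4:20], attrs


def response_authenticator(code, ident, attrs_raw, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_raw))
    return hashlib.md5(header + request_auth + attrs_raw + secret).digest()


def build_response(code, ident, attrs_raw, request_auth, secret):
    """Build a reply the way a server holding `secret` would sign it."""
    auth = response_authenticator(code, ident, attrs_raw, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs_raw)) + auth + attrs_raw


def verify_response(response, request_auth, secret):
    """Client-side check of a reply; False means the secrets do not match."""
    code, ident, length, resp_auth, _ = parse_packet(response)
    expected = response_authenticator(
        code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(resp_auth, expected)


def demo():
    code, ident, length, req_auth, attrs = parse_packet(REQUEST)
    # Constructed Access-Accept (code 2, no attributes) signed by the server.
    reply = build_response(2, ident, b"", req_auth, SERVER_SECRET)
    return {
        "request_id": ident,
        "user": attrs[0][1].decode(),
        "nas_accepts_with_own_secret": verify_response(reply, req_auth, NAS_SECRET),
        "nas_accepts_with_matching_secret": verify_response(reply, req_auth, SERVER_SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When the check fails like this, re-entering the same shared secret on both the RADIUS client definition and the NAS is the first thing to verify, since the request itself parses cleanly.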

  • Radius Server with Active Directory

    I have an XSERVE with 10.6.7. It is an OD Master that is also bound to Active Directory.
    I am trying to set up the RADIUS service to provide authentication to users on the wireless network.
    So far, I have been able to set it up to the point where the wireless access point is attempting to authenticate to the server. The client is asked for user ID and password. I will even see the self-signed certificate on the client. However, I am never able to connect to the wireless system.
    I tried using an Air Port Express with all the automatic settings from the server, and got the same results.
    I tried authenticating with a local OD test user, and that did not work, either.
    When I tried it on my network at home (no Active Directory), the RADIUS server worked exactly as expected.
    Is there some other setting that must be modified to make this work with AD?

    Here are some links:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

  • Linux ntp server with cisco 3850

    hi all
    I'm trying to sync a Cisco 3850 with a Linux NTP server. Here is what I did:
    Linux CentOS 6.5 (on the UCS virtual machine). This is the NTP server.
    ip 10.1.1.251
    ===================================================
    # For more information about this file, see the man pages
    # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
    driftfile /var/lib/ntp/drift
    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery
    # Permit all access over the loopback interface.  This could
    # be tightened as well, but to do so would effect some of
    # the administrative functions.
    restrict 127.0.0.1
    restrict -6 ::1
    # Hosts on local network are less restricted.
    restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html)
    #server 1.centos.pool.ntp.org iburs
    #server 2.centos.pool.ntp.org iburst
    #server 3.centos.pool.ntp.org iburst
    server 127.127.1.0
    fudge 127.127.1.0 stratum 2
    #broadcast 192.168.1.255 autokey        # broadcast server
    #broadcastclient                        # broadcast client
    #broadcast 224.0.1.1 autokey            # multicast server
    #multicastclient 224.0.1.1              # multicast client
    #manycastserver 239.255.254.254         # manycast server
    #manycastclient 239.255.254.254 autokey # manycast client
    # Enable public key cryptography.
    #crypto
    includefile /etc/ntp/crypto/pw
    # Key file containing the keys and key identifiers used when operating
    # with symmetric key cryptography.
    keys /etc/ntp/keys
    # Specify the key identifiers which are trusted.
    #trustedkey 4 8 42
    # Specify the key identifier to use with the ntpdc utility.
    #requestkey 8
    # Specify the key identifier to use with the ntpq utility.
    #controlkey 8
    # Enable writing of statistics records.
    #statistics clockstats cryptostats loopstats peerstats
    and cisco 3850  configured this one
    ntp server 10.1.1.241
    and
    show ntp status
    clock is unsynchronized, stratum 16, reference is null
    Why didn't it work? Somebody help me.

    Is there a typo in your post or configuration? You show the NTP server IP address as 10.1.1.251, but the router is configured to use 10.1.1.241.
    Regards

  • Troubleshoot connectivity with Cisco MDS 9124

    Hello,
    I recently discovered that it has become impossible to connect to a Cisco MDS 9124, neither with SSH nor with a serial connection.
    What should I do to resolve that issue, please?
    Regards!

    Hi,
    Are you able to access the 9124 by Device Manager, web browser, telnet, or ssh when your laptop is directly connected to the mgmt0 interface and your laptop configured on the same subnet as the mgmt0 interface?
    What console settings, console cable, terminal emulator application are you using and does it work with another MDS9000?
    Regards,
    David

  • Help with connecting MacBook Pro with Cisco Routing and Switches?

    I'm running a CiscoASA 5510 router with several Cisco WS-C2960-48TT-L switches on a local network to connect with MacBook Pro. I need to be able to restrict access to specific users via their computer MAC address. ie: Joe Blow is limited to connecting through Switch 1 on port 10 and anywhere else he tries to plug in will simply not work.

    You need to look at the documentation that came with your router and switches. Or ask your network admin to set it up. Your question has nothing to do with your Macbook Pro configuration. MAC filtering is done in the router not in the computers/devices connecting to the router.
