2960X 15.02(EX5) %AAA-3-ACCT_LOW_MEM_UID_FAIL:AAA unable to create UID for incoming calls due to insufficient processor memory.

Deployed four 2960X switches in a stack.  All okay for about one month then tried to web browse for the first time via firefox which partially displayed the page.  I assumed this was a browser error.  So tried Chrome then IE which both failed.  Chrome was a bad display and IE fails to connect.
After this, I could not telnet or ssh.  Plugged into the console and immediately started receiving:
%AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
%% Low on memory; try again later
I am unable to log in.  I have a TAC case logged but the first step to try is a reboot which will be difficult until I can get a maintenance window.  When I do get a maintenance window, I would also like to deploy a fix such as a different version of code or a work-around config command.  I don't mind disabling HTTP.
Any suggestions?

I am currently working with TAC
The switches failed about 18 hours later and had to be rebooted to get back up.  Now that I have console/telnet access, I can see the memory being depleted mostly by the Auth Manager process at about the same rate as free memory is dropping.
SW13#sho proc mem sort | i Auth Manager
 191   0  177721332   95004616   34757416          0          0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
 191   0  177754888   95025696   34759780          0          0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
 191   0  177774316   95037928   34761056          0          0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
 191   0  177799720   95053940   34762888          0          0 Auth Manager
SW13#sho proc mem sort | i Auth Manager
 191   0  177824976   95069732   34764696          0          0 Auth Manager
SW13#
SW13#
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103448576 Free:  339348260
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103454416 Free:  339342420
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103455860 Free:  339340976
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103459236 Free:  339337600
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103461040 Free:  339335796
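To turn the repeated `show proc mem sort` polls above into a trend, here is an added example (not from the thread or from Cisco) that parses the Holding column per process, ranks which processes keep growing, and extrapolates when the processor pool would hit zero for a given polling interval. It assumes the standard IOS column order (PID TTY Allocated Freed Holding Getbufs Retbufs Process) and treats the polls as evenly spaced.

```python
"""Trend repeated 'show processes memory sorted' samples to find a process
whose Holding keeps growing and estimate when the processor pool runs dry.
Added example, not from the thread. Assumed IOS column layout:
  PID TTY Allocated Freed Holding Getbufs Retbufs Process"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PROC_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")
POOL_RE = re.compile(r"^Processor Pool Total:\s*(\d+)\s+Used:\s*(\d+)\s+Free:\s*(\d+)")
LOW_MEM_RE = re.compile(r"%AAA-3-ACCT_LOW_MEM_UID_FAIL")


def holding_by_process(cli_text: str) -> Dict[str, List[int]]:
    """Holding column per process name, in sample order; prompt lines are skipped."""
    series: Dict[str, List[int]] = defaultdict(list)
    for line in cli_text.splitlines():
        m = PROC_RE.match(line)
        if m:
            series[m.group(8)].append(int(m.group(5)))
    return dict(series)


def free_samples(cli_text: str) -> List[int]:
    """Free bytes of the processor pool, one value per 'Processor Pool' row."""
    values = []
    for line in cli_text.splitlines():
        m = POOL_RE.match(line)
        if m:
            values.append(int(m.group(3)))
    return values


def rate_per_interval(values: List[int]) -> float:
    """Average change between consecutive samples; positive means growing."""
    if len(values) < 2:
        raise ValueError("need at least two samples to compute a trend")
    return (values[-1] - values[0]) / (len(values) - 1)


def leak_suspects(cli_text: str, min_growth: float = 1.0) -> List[Tuple[str, float]]:
    """Processes whose Holding grows by at least min_growth bytes per sample,
    fastest grower first. Works for any process, not only Auth Manager."""
    suspects = []
    for name, series in holding_by_process(cli_text).items():
        if len(series) >= 2:
            growth = rate_per_interval(series)
            if growth >= min_growth:
                suspects.append((name, growth))
    return sorted(suspects, key=lambda item: item[1], reverse=True)


def seconds_until_exhausted(free: List[int], interval_s: float,
                            floor_bytes: int = 0) -> Optional[float]:
    """Linear extrapolation of free memory down to floor_bytes, given the seconds
    between samples. Returns None when free memory is not shrinking."""
    drain = -rate_per_interval(free)
    if drain <= 0:
        return None
    return (free[-1] - floor_bytes) / drain * interval_s


def low_mem_events(syslog_text: str) -> int:
    """Count ACCT_LOW_MEM_UID_FAIL lines: once these appear AAA can no longer
    create a UID for new sessions, so remote logins are already failing."""
    return sum(1 for line in syslog_text.splitlines() if LOW_MEM_RE.search(line))


# Five polls taken from the post above, with the repeated prompts collapsed.
SAMPLE_CLI = """\
SW13#sho proc mem sort | i Auth Manager
 191   0  177721332   95004616   34757416          0          0 Auth Manager
 191   0  177754888   95025696   34759780          0          0 Auth Manager
 191   0  177774316   95037928   34761056          0          0 Auth Manager
 191   0  177799720   95053940   34762888          0          0 Auth Manager
 191   0  177824976   95069732   34764696          0          0 Auth Manager
SW13#sho proc mem sort | i Processor
Processor Pool Total:  442796836 Used:  103448576 Free:  339348260
Processor Pool Total:  442796836 Used:  103454416 Free:  339342420
Processor Pool Total:  442796836 Used:  103455860 Free:  339340976
Processor Pool Total:  442796836 Used:  103459236 Free:  339337600
Processor Pool Total:  442796836 Used:  103461040 Free:  339335796
"""

# Constructed syslog excerpt in the format quoted in the thread.
SAMPLE_SYSLOG = """\
*Mar  5 17:19:57.579: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
*Mar  5 17:19:58.385: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
*Mar  6 23:22:38.979: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!exec: enable
"""

if __name__ == "__main__":
    for name, growth in leak_suspects(SAMPLE_CLI):
        print(f"{name}: +{growth:.0f} bytes per sample")
    # Assumption: the polls were typed back to back, roughly one second apart.
    eta = seconds_until_exhausted(free_samples(SAMPLE_CLI), interval_s=1)
    print(f"free pool exhausted in ~{eta / 3600:.1f} h at this drain rate")
    print(f"low-memory AAA events: {low_mem_events(SAMPLE_SYSLOG)}")
```

Feed it a file of polls collected by cron or a terminal logger to see whether a process keeps holding memory; a steady climb over hours is what separates a leak from normal churn.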

Similar Messages

  • Aaa-reports! enterprise v1.2 - audit solutions for Cisco Secure ACS

    Extraxi is pleased to announce the latest version of its flagship reporting package - aaa-reports! enterprise v1.2
    The next release of aaa-reports! enterprise has just been made - mainly concentrating on new reports and datasets including:
    Single TACACS+ command authorisations. Shows both permitted and denied commands by combining log entries from Failed Attempts and T+ Device Administration logs
    RADIUS and TACACS session reports. These provide single row per session with all relevant data.
    RADIUS identity networking reports. The dataset used by the RADIUS session report is key for auditing identity network environments, allowing a username to be tied to a client-side MAC address/IP address or telephone number, assigned IP address etc. Using the point-and-click query builder it's possible to create deployment-centric reports with multi-level grouping, sorting, filtering plus calculated fields using flexible Visual Basic syntax and a full function library
    Stability and bug fixes
    Updated installers
    aaa-reports! enterprise v1.2 is a free upgrade for existing customers with a current support contract.
    Visit www.extraxi.com for full product details and a 60 day fully working trial.
    To see how aaa-reports! can help you meet your ACS audit requirements please take a look at this earlier post.

    bump

  • ACS AAA and LOCAL AAA database...

    Hello,
    We have implemented a 5520 device and configured it for ACS successfully. I want to also have a local database with a few accounts in the event our ACS server goes down. I am having trouble finding documentation for the syntax I need to enter on this 5520 device configuration so I can have redundancy for AAA...can someone help with this? TIA, Gary

    Hi ,
    Check this example
    aaa-server SERVER protocol tacacs+
    aaa-server SERVER host 1.1.1.1
    key $har3dK3y
    This command applies the server group to the vty or
    console lines:
    ==========
    aaa authentication ssh console SERVER LOCAL <---
    For SSH sessions
    aaa authentication serial console SERVER LOCAL
    <--- For console access
    Hope that helps
    Regards,
    JG~
    Please rate helpful posts

  • AAA problems Nexus 7000 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user

    Hi,
    I'm having problems getting our Nexus 7000 to authenticate users from our Windows domain. If I set up a user within the ACS server and use the CiscoSecure database for password authentication it works fine.
    In the logs on the nexus I receive the following messages when logging on using my windows account.
    %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user 16894. Error 0x404a0036  - login[20923]
    %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user 16894 from 10.128.45.44 - login[20923]
    We can log on to all other Cisco OS devices using Windows domain accounts; it's just the Nexus.
    Any help much appreciated.
    Thanks
    Darren

    No errors; the authentication on the ACS is showing as passed. The problem is I get an access denied message from the Nexus switch.

  • C3750 Unable to ssh after few days!

    Hi all,
    If anyone could help me please, I'm having a problem with my switch; it seems that I'm losing the ability to ssh to the switch after a few days, but if I reload it I can ssh into it again with no problem! At first I thought it was something wrong with my configuration so I've reconfigured the ssh, username, domain name and cleared the rsa keys and regenerated new ones.
    My switch version is:
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9NPE-M), Version 15.0(1)SE3, RELEASE SOFTWARE (fc1)

    Thank you guys for the reply,
    This is what I get when I try to ssh:
    ssh [email protected]
    [email protected]'s password:
    Permission denied, please try again.
    And Leo Laohoo, you guessed it right! It looks like a memory leak; this is the output for "sh log":
    *Mar  5 17:19:57.579: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
    *Mar  5 17:19:58.385: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
    *Mar  5 17:19:59.005: %AAA-3-ACCT_LOW_MEM_UID_FAIL: AAA unable to create UID for incoming calls due to insufficient processor memory
    *Mar  6 23:22:38.979: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:!exec: enable
    cs08#
    Can you guys think of any workaround other than downgrading/upgrading the software? Because the biggest issue now is that it's one of 9 switches that all run the same IOS version and all of them are in a new production data center, and honestly I've had other weird issues with other switches too!

  • How to survive an ACS audit with aaa-reports!

    For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
    It's no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack of awareness of best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
    Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
    Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
    Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
    Create a Change Control system for config changes on the ACS. Since it's ACS that decides who gets access and what commands they run on your network, it's vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
    Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you don't need this amount, but during an audit you may be required to show what happened on a specific historic date. The aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
    Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time; using a more recent ACS database might yield unexpected results because the configuration is likely to have changed in the meantime. Use csvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
    Review the quality of ACS log data. From time to time it's worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data", essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
    In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating not only that there is specific and adequate policy to control access to those parts of the network that require it, but also seeking evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
    Below are some additional TDA specific tips:
    Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detail report can be used to inspect the policy in detail.
    Check for user-level overrides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report lists users with group-overridden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
    Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
    Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
    Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
    Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) it's also possible to use a rich array of formatting and other VB6 functions to create additional fields.
    The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesn't have to be awful!
    For more information on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm


  • How to use 2 AAA server for different login purpose

    Hello, could you help me?
    This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
    The Tacacs server 10.20.30.40 takes care of the virtual access, and I have another Tacacs server who takes care of login on our network equipment.
    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    virtual-profile virtual-template 1
    virtual-profile aaa
    interface Serial2/0:15
    description ISDN30
    no ip address
    encapsulation ppp
    no ip route-cache
    no keepalive
    dialer pool-member 10
    isdn switch-type primary-net5
    isdn tei-negotiation first-call
    isdn caller xxxxxxx
    no fair-queue
    compress stac
    no cdp enable
    ppp authentication chap
    ppp multilink
    interface Virtual-Template1
    ip unnumbered FastEthernet1/0
    ip nat outside
    ppp authentication chap
    tacacs-server host 10.20.30.40 key ********
    line con 0
    exec-timeout 20 0
    password ************
    login authentication no_tacacs
    transport input none
    flowcontrol hardware
    line aux 0
    line vty 0 4
    access-class 1 in
    exec-timeout 60 0
    password *************
    login authentication no_tacacs
    transport input telnet
    transport output telnet
    If I just add
    aaa authentication login vtymethod group tacacs+ enable
    tacacs-server host 10.50.60.70 key ********
    line vty 0 4
    login authentication vtymethod
    My telnet request asks 10.20.30.40 and I get a deny! Could you help to make a secure solution?
    Thanks

    Jens
    I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
    aaa group server tacacs+ vty_TAC
    server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    tacacs-server host 10.50.60.70 key ********
    I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
    Give it a try and let us know what happens.
    HTH
    Rick

  • Read-only aaa statements

    I've setup the TACACS server with two groups
    -FULL admin rights
    -READ only rights
    Two users have been created
    -admin_test
    -read_test
    The admin_test config works fine on AAA but I keep getting stuck with read_test configs. I can never get to enable mode even though I've defined it on the group policy. Is there something wrong with my aaa statements below?
    aaa authentication login default group tacacs+ line enable
    aaa authentication enable default group tacacs+ enable line
    aaa authorization exec default if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    Privilege is not scalable in a big environment.
    What you need is authorization on the ACS
    server. In Cisco Freeware TACACS+ I defined
    the following groups: readonly, advanced and
    admin:
    group = readonly {
    default service = deny
    cmd = show { deny .* }
    cmd = show { permit .* }
    cmd = copy { permit .* }
    cmd = ping { permit .* }
    cmd = enable { permit .* }
    cmd = configure { deny .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = debug { permit .* }
    }
    group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    cmd = interface { permit .* }
    }
    group = admin {
    default service = permit
    }
    As you can see, admin can access everything,
    readonly can only read. Advanced can make
    limited changes and admin can do everything.
    On the Cisco router, I have the following
    configuration:
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    I find that by doing it this way, it is much
    more scalable than using privilege commands
    on the router itself.
    David
    CCIE Security

  • ISE - AAA radius authentication for NAD access

    Hi ,
    I have configured the switches to use the ISE as the Radius server to authenticate with. On the ISE I've configured an authentication policy
    for the "NADs" using the "Wired Devices" group which points to the AD identity source to authenticate against.
    While testing the login access to the switches we've come up with 2 results :
    1. A domain user can indeed login to the switch as intended.
    2. Every domain user which exists in the AD identity source can login; this is an undesired result.
    So I am trying to search for a way to restrict access to the NADs to only a particular group belonging to the AD , for example the group/ou
    of the IT_department only .
    I haven't been successful; would appreciate any ideas on how to accomplish this.
    Switch configurations :
    =================
    aaa new-model
    aaa authentication login default group radius local
    ISE Authentication policy
    ==================
    Policy Name : NADs Authentication
    Condition:  "DEVICE:Device Type Equals :All Device Types#Wired"
    Allowed Protocol : Default Network Access
    use identity source : AD1

    Thank you for the quick replies, and now OK, I've configured the following authorization policy:
    Rule Name : Nad Auth
    Conditions
    if: Any
    AND : AD1:ExternalGroups EQUALS IT_Departments
    Permissions , then PermitAccess
    What I don't understand is that it needs to match an "identity group" which can be either "Endpoint Identity group" or "Users Identity group"; I am limited with the if statement and cannot choose the same device group I chose before.
    How can I do that? I am thinking ahead and asking myself if in other cases a user might match this policy rule and interfere?

  • Question about usage of aaa accounting commands

    Hi everyone,
    I have the problem that Cisco routers and switches do not send some accounting command
    information to ACS.
    Accounting commands not sent to ACS are "show log" and "show version".
    Accounting commands sent to ACS are "show runn", "conf t" and "debug".
    The configuration of routers and switches is the following
    aaa new-model
    aaa authentication login default group tacacs+ line
    aaa authorization commands 15 default group tacacs+ none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    tacacs-server host xxx.xxx.xxx.xxx key yyyy
    I think the commands not sent to ACS are privilege level 1 commands and the commands
    sent to ACS are privilege level 15 commands.
    So I need to add the additional aaa accounting command below to get routers and switches to send level 1
    commands to ACS, because the "15" of "aaa accounting commands 15" does not include level 1,
    so I need to configure "aaa accounting commands 1" for level 1 commands.
    aaa accounting commands 1 default start-stop group tacacs+
    Is my understanding correct ?
    Your information would be greatly appreciated.
    Best regards,

    Hi,
    please do this and the router will send
    everything to the ACS server, except
    whatever you are doing to the router in http:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection VTY start-stop group tacacs+
    aaa session-id common
    ip http authentication aaa login-authentication VTY
    ip http authentication aaa exec-authorization VTY
    tacacs-server host 192.168.15.10 key 7 1446405858517C
    tacacs-server directed-request
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line aux 0
    session-timeout 35791
    exec-timeout 35791 23
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication notac
    transport input all
    line vty 0
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    David
    CCIE Security

  • Role-Based CLI Views with AAA method

    Hi,
    I'm configuring Role-Based CLI Views on a router for limiting access to users.
    My criteria:
    - There should be a local user account on the router that has the view 'service' attached to it
    - If the router is online and can reach the radius server, people in the correct group are assigned the view 'service'
    My configuration:
    aaa new-model
    enable secret 1234
    username service view service secret 1234
    aaa group server radius my_radius
    server-private 10.1.1.1 auth-port 1645 acct-port 1646 timeout 3 retransmit 2 key 0 1234
    server-private 10.1.1.2 auth-port 1645 acct-port 1646 timeout 2 retransmit 1 key 0 1234
    aaa authorization console
    aaa authentication login mgmt group my_radius local
    aaa authorization exec mgmt group my_radius local
    line con 0
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport input ssh
    The ERROR
    Now I want to go configure the cli view 'service'...
    # enable view
    Password: 1234
    *Jun  1 08:00:02.991: AAA/AUTHEN/VIEW (0000000D): Pick method list 'mgmt'
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): ask "Password: "
    *Jun  1 08:00:02.991: RADIUS/ENCODE(0000000D): send packet; GET_PASSWORD
    *Jun  1 08:00:21.011: RADIUS: Received from id 1645/13 10.1.1.1:1645, Access-Reject, len 20
    The Questions
    Why does the 'enable view' try to pick a method list when you have to supply the enable secret to access the root view?
    Can you change this behaviour to always use the enable secret?
    The TEMP Solution
    If you're logged on to the router via telnet or SSH, the solution or workaround to this issue is:
    aaa authentication login VIEW_CONFG local
    line vty 0 4
    login authentication VIEW_CONFG
    Do your configuration of the view and re-configure the line to use the correct (wanted) method of authentication.
    Thanks so much for the suggestions
    /JZN

    hi,
    You have the following configured:
    aaa  authentication login mgmt group my_radius local
    aaa authorization  exec mgmt group my_radius local
    line  con 0
    authorization exec mgmt
    logging synchronous
    login  authentication mgmt
    line vty 0 4
    authorization exec mgmt
    logging synchronous
    login authentication mgmt
    transport  input ssh
    Hence every time you try to login to the console or try the ssh the authentication will head to the radius server because of the following command "login  authentication mgmt".
    You cannot make it locally. Whatever defined on the method list mgmt first will be taking the precedence.
    enable secret will be locally defined, but you have the following configured:
    aaa  authorization  exec mgmt group my_radius local
    line  con 0
    authorization exec mgmt
    line  vty 0 4
    authorization exec mgmt
    Hence exec mode will also be done via radius server.
    when you configure:
    aaa  authentication login VIEW_CONFG local
    line vty 0 4
    login  authentication VIEW_CONFG
    You are making the authentication local, hence it is working the way you want.
    In short, whatever authentication is defined 1st on the method list will take precedence. The fallback will be checked only if the 1st aaa server is not reachable.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
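The precedence rule in the reply above is easy to get wrong in practice, so here is an added example (not from the thread or from Cisco) that models how IOS walks a login method list: the first method that answers decides, and the next method is consulted only when the previous one returns an error (server unreachable), never after a reject. CONFIG holds the two `aaa authentication login` lines quoted in the thread; the RADIUS and local backends are stand-ins I constructed.

```python
"""Model of how IOS walks a login method list: methods are tried in order,
the first one that answers PASS or FAIL decides, and the next method is
consulted only when the current one returns ERROR (server unreachable).
Added example, not from the thread; CONFIG holds the lines quoted in the
post above, and the backends are stand-ins for RADIUS and the local database."""
import re
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected, e.g. a RADIUS Access-Reject
    ERROR = "error"  # no answer: timeout, server unreachable, method unavailable


Backend = Callable[[str, str], Result]
LOGIN_RE = re.compile(r"^\s*aaa\s+authentication\s+login\s+(\S+)\s+(.+?)\s*$")


def parse_login_lists(config: str) -> Dict[str, List[str]]:
    """Map each 'aaa authentication login' list name to its ordered methods;
    'group <name>' is kept as a single method token."""
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        tokens, methods, i = m.group(2).split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group(1)] = methods
    return lists


def authenticate(methods: List[str], backends: Dict[str, Backend],
                 user: str, password: str) -> Tuple[bool, str]:
    """Walk the list and return (accepted, method that decided). A FAIL ends
    the walk, so 'local' after 'group my_radius' is a reachability fallback,
    not a second chance after a reject. 'none' always accepts."""
    for method in methods:
        if method == "none":
            return True, "none"
        backend = backends.get(method)
        result = backend(user, password) if backend else Result.ERROR
        if result is Result.PASS:
            return True, method
        if result is Result.FAIL:
            return False, method
    return False, "no method answered"


# The two login lists quoted in the thread.
CONFIG = """\
aaa authentication login mgmt group my_radius local
aaa authentication login VIEW_CONFG local
"""
LOCAL_USERS = {"service": "1234"}  # 'username service ... secret 1234' in the post


def local_backend(user: str, password: str) -> Result:
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def radius_rejecting(user: str, password: str) -> Result:
    return Result.FAIL   # server reachable and answering Access-Reject, as in the debug


def radius_down(user: str, password: str) -> Result:
    return Result.ERROR  # both RADIUS servers time out


def scenario(list_name: str, radius: Backend, user: str, password: str) -> Tuple[bool, str]:
    backends = {"group my_radius": radius, "local": local_backend}
    return authenticate(parse_login_lists(CONFIG)[list_name], backends, user, password)


if __name__ == "__main__":
    print(scenario("mgmt", radius_rejecting, "service", "1234"))       # (False, 'group my_radius')
    print(scenario("mgmt", radius_down, "service", "1234"))            # (True, 'local')
    print(scenario("VIEW_CONFG", radius_rejecting, "service", "1234"))  # (True, 'local')
```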

  • Match different AAA Groups per source IP

    Dear Colleagues,
     The issue that I'm facing right now is the following:
      I have an external device that runs auto-commissioning on my router and doesn't support "username" login, only "password", when attempting to log in through telnet in order to access and run the script. In addition I have AAA TACACS running on the same router so this device is now unable to access the router as the first login request is the "username". I cannot change the telnet command executed by the external device; it's doing a single telnet to the destination IP of my router so I discard any option like adding a TCP port dedicated for this external device access.  To be clear, what it expects to receive after executing the telnet is:
    c:/> telnet 1.1.1.1
    Trying 1.1.1.1...
    Connected to 1.1.1.1.
    Escape character is '^]'.
    User Access Verification
    Password:
     To fix this issue my idea is to try to configure two different AAA groups, one AAA_GROUP that requests normal authentication to TACACS for all telnet sessions and one EXCEPTION with authentication "none" and exec "local". The configuration should be something like this:
    aaa new-model
    aaa group server tacacs+ AAA_GROUP
     server-private A.B.C.D key 7 ###################
     ip tacacs source-interface Loopback0
    aaa authentication login default group AAA_GROUP local
    aaa authentication login EXCEPTION none
    aaa authentication enable default group AAA_GROUP enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group AAA_GROUP local 
    aaa authorization exec EXCEPTION local 
    aaa authorization commands 15 default group AAA_GROUP none 
    aaa accounting exec default start-stop group AAA_GROUP
    aaa accounting commands 15 default stop-only group AAA_GROUP
    aaa accounting connection default stop-only group AAA_GROUP
    aaa accounting system default start-stop group AAA_GROUP
    aaa session-id common
     Then match in some way all telnet sessions with the source IP of the external device with the group EXCEPTION and the rest with AAA_GROUP. Finally, configure only a "password" in the VTY lines so when the device attempts to log in, the group EXCEPTION with no authentication and local login will just request the "password".
     The main issue is doing this AAA group discrimination between the AAA_GROUP and EXCEPTION lists per source IP of the host originating the telnet session to my router.  Is that possible?
    Thanks in advance for your support.

    Hi,
    The problem is in your config: both classes are pointing to the same VIP and port, so only the first class will be hit.
    Try this configuration
    policy-map type loadbalance first-match NON_AUTHENT_PM
      class NON_AUTHENT_CM   --------for desired client source IP's
        serverfarm PROXY_HTTP_SF
        nat dynamic 6 vlan 1601 serverfarm primary
      class class-default    ------for rest of client IP's
        serverfarm PROXY_HTTP_SF
        nat dynamic 5 vlan 1601 serverfarm primary
    and remove NAT from multi-match policy. use single class, so rest of config will be
    serverfarm host PROXY_HTTP_SF
      description Proxied Internet Connections
      probe PROXY_HTTP_PROBE
      fail-on-all
      rserver ELFCPRXY1
        inservice
      rserver ELFCPRXY2
        inservice
      rserver ELFCPRXY3
        inservice
    class-map match-any NONAUTHENT_HTTP_VIP
      3 match virtual-address 10.10.240.5 tcp eq 80
    class-map type http loadbalance match-any NON_AUTHENT_CM
      description Subnets from which Internet Authentication is not Required
      3 match source-address 10.10.16.0 255.255.240.0
      4 match source-address 10.10.32.0 255.255.240.0
      5 match source-address 10.10.48.0 255.255.240.0
    policy-map type loadbalance first-match NON_AUTHENT_PM
      class NON_AUTHENT_CM
        serverfarm PROXY_HTTP_SF
        nat dynamic 6 vlan 1601 serverfarm primary
      class class-default
        serverfarm PROXY_HTTP_SF
        nat dynamic 5 vlan 1601 serverfarm primary
    policy-map multi-match LOAD_BAL
      class NONAUTHENT_HTTP_VIP
        loadbalance vip inservice
        loadbalance policy NON_AUTHENT_PM
        loadbalance vip icmp-reply
    Hope this helps

  • ISE Could not locate Network Device or AAA Client

    When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book, except that instead of using a loopback interface I used a VLAN with a defined IP address. Could this be causing the problem?
    Here is the config of the port that I'm testing on:
    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-ALLOW in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
    I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication dot1x defualt group radius
    aaa authentication dot1x group group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    ip radius source-interface TenGigabitEthernet1/0/1
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
     authentication order dot1x mab
     authentication priority dot1x mab
     dot1x pae authenticator
     dot1x timeout tx-period 10

  • Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821

    I am trying to optimise the detailed accounting records for VPN client connections on our system,
    but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
    The VPN functionality works fine; this is just an accounting issue.
    All other accounting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
    The system details are:
    VPN server : Cisco 2821 with IOS 12.4(11)XW3
    Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
    Accounting RADIUS: Microsoft Windows Server 2008 R2 NPS
    I have used the same setup many times previously on various 2801, 2811, and 2911 platforms with no issue (across v12 and v15 IOS).
    Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup; no config was required to send it.
    Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
    Example debug of a tunnel start accounting message, showing that attribute 66 is not included in the info sent to the accounting server:
    Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
    Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
    Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Session-Id     [44]  10  "00000642"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Server-Auth-I[91]  14  "********"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Tunnel-Connecti[68]  4   "44"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Framed-IP-Address   [8]   6   192.168.xxx.xxx          
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  User-Name           [1]   10  "*********"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Authentic      [45]  6  
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port            [5]   6   426                      
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-Port-Id         [87]  17  "Uniq-Sess-ID426"
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Class               [25]  46 
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01  [i??????7????????]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22  [??????????????n"]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:   2F A7 37 14 00 00 00 00 00 00 00 29              [/?7????????)]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  NAS-IP-Address      [4]   6   192.168.xxx.xxx          
    Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
    Jun 25 2013 14:55:13.691 AEST: RADIUS:  authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
    Important config
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication ppp default local group radius
    aaa authorization exec default local group radius
    aaa authorization network default local group radius
    aaa accounting delay-start
    aaa accounting session-duration ntp-adjusted
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa session-id common
    vpdn enable
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
      protocol pptp
      virtual-template 1
    interface Virtual-Template1
    ip unnumbered Dialer1
    ip nat inside
    ip virtual-reassembly
    peer default ip address pool VPN
    no keepalive
    ppp encrypt mppe 128
    ppp authentication ms-chap-v2
    ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
    radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
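A small check script, added here as an example and not part of the original post: it parses IOS "debug radius" lines in the format quoted above, groups the decoded attributes under their Accounting-Request header, and reports which expected attribute numbers a tunnel-start record lacks. The regular expressions and the trimmed sample record are my own constructions based on the output quoted in the post.

```python
import re

# One decoded attribute line of IOS "debug radius" output. The name field is padded
# to 20 characters, so "[82]" may follow the name with no space in between.
ATTR_RE = re.compile(r"RADIUS:\s+([A-Za-z][\w-]*)\s*\[(\d+)\]\s+(\d+)\s*(.*?)\s*$")
# Header of an outgoing request, e.g. "RADIUS(0000061A): Send Accounting-Request to ..."
SEND_RE = re.compile(r"RADIUS\(([0-9A-Fa-f]+)\): Send (\S+) to (\S+) id (\S+), len (\d+)")

def parse_debug(lines):
    """Group decoded attribute lines under the request header that precedes them.
    Returns a list of dicts: {session, kind, server, attrs: {type: (name, len, value)}}."""
    packets, current = [], None
    for line in lines:
        m = SEND_RE.search(line)
        if m:
            current = {"session": m.group(1), "kind": m.group(2), "server": m.group(3), "attrs": {}}
            packets.append(current)
            continue
        if "Received from" in line:        # the reply header closes the outgoing packet
            current = None
            continue
        m = ATTR_RE.search(line)           # hex continuation lines start with a digit: skipped
        if m and current is not None:
            name, attr_type, length, value = m.groups()
            current["attrs"][int(attr_type)] = (name, int(length), value)
    return packets

def missing_in_tunnel_start(lines, expected=(66,)):
    """Map each Accounting-Request Start record to the expected attribute numbers it lacks."""
    report = {}
    for pkt in parse_debug(lines):
        status = pkt["attrs"].get(40, ("", 0, ""))[2]
        if pkt["kind"] == "Accounting-Request" and status.startswith("Start"):
            report[pkt["session"]] = sorted(t for t in expected if t not in pkt["attrs"])
    return report

# Constructed sample: a trimmed copy of the tunnel-start record shown in the post.
SAMPLE = """\
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS:  authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Session-Id     [44]  10  "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Tunnel-Assignment-Id[82]  3   "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS:  Class               [25]  46
Jun 25 2013 14:55:13.595 AEST: RADIUS:   69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01  [i??????7????????]
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
""".splitlines()
```

Running missing_in_tunnel_start(SAMPLE) returns {'0000061A': [66]}, i.e. the Start record carries no Tunnel-Client-Endpoint; pass a larger tuple such as (64, 66, 67) to audit the other tunnel attributes at once.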

    Larry,
    1) Please set up enable authentication to get the actual user name,
    aaa authentication enable console tacacs-auth LOCAL
    On ACS user setup you need to set up tacacs+ enable password.
    3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and the firewall treats it as active.
    Use only
    aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
    aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
    Now auth should go to 218 and acc to 219.
    Regards,
    ~JG
    Do rate helpful posts

  • AAA and ISE

    Hi All,
    Where do I configure primary AAA and secondary AAA at ISE?
    According to deployments guide Fig 1-6. Dispersed Deployment
    http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_deploy.pdf
    If we are using AD.. then AAA solution is RODC?
    Thanks,
    John

    Hello,
    Yes, you can also use a Cisco Catalyst 3560 to configure AAA and RADIUS. You can configure MAB, Dot1X and CWA.
    Please refer to the link below, which might help you.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html
