3640 RAS aaa accounting on IAS Server
Hi gentlemen,
I have configured aaa accounting on a Cisco 3640 RAS and I need to collect the AAA remote user connection times (start and end of each connection) for time-based cost management.
The accounting information received on IAS seems to cover only the start of each remote connection and never the stop.
I don't know whether the problem is in the 3640 configuration or in the IAS configuration, but I would like to understand whether my configuration is correct.
I am sending you the RAS config file.
Many thanks in advance,
Luca
Luca
I have looked at the config that you posted and I believe that I see an issue. You have configured accounting for DIALER with this method list:
aaa accounting network DIALER start-stop group radius
I would expect to see the method list DIALER accounting referenced under interfaces Serial1/0:15, interface Virtual-Template1, and interface Group-Async10. I suggest that you add:
ppp accounting DIALER
under these interfaces and let us know if it helps.
HTH
Rick
Similar Messages
-
User account locked out in IAS Server.
Hi,
Windows Server 2003 stand-alone with IAS Server working as a RADIUS server for WiFi connections.
There is a domain user account that keeps locking out randomly a few times a day.
This user account doesn't show up in the IAS server log file.
The Audit Policy is enabled on the W2K3 server for Success and Failure, and the events below come up for every lockout.
The Caller User Name is the IAS Server machine account.
I had to enable Netlogon debug mode on the DCs to get the source of the lockouts, which turns out to be the IAS Server.
This is quite strange, as I can't find the user account in the IAS Server log.
Could anybody clue me in on this issue?
Thank you.
It seems to me the user is logged on to some computer with an expired password. The computer attempts to connect to WiFi and thus authenticates using the user's expired credentials.
Ask the user to reboot all of the computers he uses. If the problem persists, check if the user has open sessions on other machines and check the configuration of the wireless network on the client.
MCP/MCSA/MCTS/MCITP -
Web Authentication with MS IAS Server
I'm trying to configure my 2106 WLC to authenticate with an MS IAS Radius Server. I had this working, but my boss did not want to do any configuration on the client side and now wants to do all authentication through Web authentication with the Radius server. The wireless client connects and is redirected to the login page like they're supposed to, but when I enter my credentials the login fails. However, if I enter the login of a local user to the controller the authentication works.
I see in the logs the following error: AAA Authentication Failure for UserName:chevym User Type: WLAN USER. The authentication is reaching the server too, but the logs don't tell you much.
Here is what is in the server logs: 192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\chevym,4129,TESTLAB\chevym,4154,Use Windows authentication for all users,4155,1,4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19
I don't really understand any of that, and I'm not really sure if I have the server itself configured correctly for what I want to do. Does anyone have instructions on how to do this?
I had another thread going on this, but since it appears to be an IAS problem, I've been posting on the MS forum instead of here.
I'm trying to set up wireless laptop-WLC-IAS authentication using PEAP.
The machine authenticates on boot, but any login by any user results in this message in the Windows Event log on the IAS server:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/3/2008
Time: 11:00:55 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user account does not exist.
The policy is the default connection policy created when installing IAS.
In ADUC, I've tried setting both the machine's and the user's Dial-In properties to Allow Access or Control through policy, with the same result.
I've gone through the policy and there isn't anything there, other than the Day-Time rule which is set to allow access for all hours of the whole day, every day.
In the last few days, I've read about the Ignore User Dial In properties, but can't find where/how you set this.
It sounded to me as if this had been resolved in this thread, so I wanted to know how this had been accomplished. -
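The IAS-format log line quoted in this thread (the comma-separated record beginning with the NAS address and user name) is hard to read by eye. The parser below is an added example, not code from the posts or from Microsoft: it splits the six fixed leading fields from the attribute-id/value pairs that follow and reports the packet type and reason code, which is what tells you whether the server rejected the request. The attribute-id names are the ones documented for IAS as I recall them and are an assumption; check them against your server's log reference.

```python
"""Parse a Windows IAS "IAS format" log line into fixed fields plus attribute pairs.

Added example, not code from the original posts. Assumption: the line has six
fixed leading fields (NAS-IP-Address, User-Name, Record-Date, Record-Time,
Service-Name, Computer-Name) followed by alternating attribute-id,value pairs,
which is how the IAS-format log is documented; the attribute-id names below are
the commonly documented ones and should be verified against your server's
log reference.
"""
import csv
import io

FIXED = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
         "Service-Name", "Computer-Name")

# Assumed IAS attribute ids (subset). 4136 Packet-Type and 4142 Reason-Code
# are the two that matter when triaging a rejected logon.
ATTR_NAMES = {
    "25": "Class", "4108": "Client-IP-Address", "4116": "NAS-Manufacturer",
    "4127": "Authentication-Type", "4128": "Client-Friendly-Name",
    "4129": "Fully-Qualified-User-Name", "4130": "SAM-Account-Name",
    "4136": "Packet-Type", "4142": "Reason-Code",
    "4154": "Proxy-Policy-Name", "4155": "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "5": "Accounting-Response"}

# Constructed sample line, modelled on the one quoted in the thread above.
SAMPLE = ("192.168.0.77,chevym,07/29/2008,05:58:16,IAS,TESTLAB1,"
          "25,311 1 192.168.0.221 07/28/2008 17:27:10 48,4127,2,4130,TESTLAB\\chevym,"
          "4129,TESTLAB\\chevym,4154,Use Windows authentication for all users,4155,1,"
          "4128,Wireless LAN Controller,4116,9,4108,192.168.0.77,4136,3,4142,19")


def parse_ias_line(line):
    """Return {fixed field: value, 'attributes': {name-or-id: value}}."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) < len(FIXED) or (len(fields) - len(FIXED)) % 2:
        raise ValueError("malformed IAS-format record")
    rec = dict(zip(FIXED, fields))
    rest = fields[len(FIXED):]
    attrs = {}
    for attr_id, value in zip(rest[0::2], rest[1::2]):
        attrs[ATTR_NAMES.get(attr_id, attr_id)] = value
    rec["attributes"] = attrs
    return rec


def classify(rec):
    """Short verdict: the packet type and, for rejects, the reason code."""
    attrs = rec["attributes"]
    ptype = PACKET_TYPES.get(attrs.get("Packet-Type", ""), "unknown")
    if ptype == "Access-Reject":
        return "Access-Reject for %s (Reason-Code %s)" % (
            attrs.get("Fully-Qualified-User-Name", rec["User-Name"]),
            attrs.get("Reason-Code", "?"))
    return ptype
```

Run it over one line from the IAS log directory and compare the reported Reason-Code with the event log entry for the same logon.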
Question about usage of aaa accounting commands
Hi everyone,
I have a problem: Cisco routers and switches do not send some command accounting
information to ACS.
The commands not sent to ACS are "show log" and "show version".
The commands sent to ACS are "show run", "conf t" and "debug".
The configuration of routers and switches is the following
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host xxx.xxx.xxx.xxx key yyyy
I think the commands not sent to ACS are privilege level 1 commands and the commands
sent to ACS are privilege level 15 commands.
So I need to add the aaa accounting command below to get the routers and switches to send level 1
commands to ACS, because the "15" in "aaa accounting commands 15" does not include level 1,
so I need to configure "aaa accounting commands 1" for level 1 commands.
aaa accounting commands 1 default start-stop group tacacs+
Is my understanding correct?
Your information would be greatly appreciated.
Best regards,
Hi,
Please do this and the router will send everything to the ACS server, except whatever you are doing to the router over HTTP:
aaa new-model
aaa authentication login notac none
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 0 VTY group tacacs+ if-authenticated none
aaa authorization commands 1 VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa authorization network VTY group tacacs+ if-authenticated none
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands 0 VTY start-stop group tacacs+
aaa accounting commands 1 VTY start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
aaa accounting network VTY start-stop group tacacs+
aaa accounting connection VTY start-stop group tacacs+
aaa session-id common
ip http authentication aaa login-authentication VTY
ip http authentication aaa exec-authorization VTY
tacacs-server host 192.168.15.10 key 7 1446405858517C
tacacs-server directed-request
line con 0
exec-timeout 0 0
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
logging synchronous
login authentication notac
line aux 0
session-timeout 35791
exec-timeout 35791 23
authorization exec notac
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication notac
transport input all
line vty 0
exec-timeout 0 0
authorization commands 0 VTY
authorization commands 1 VTY
authorization commands 15 VTY
authorization exec VTY
accounting commands 0 VTY
accounting commands 1 VTY
accounting commands 15 VTY
accounting exec VTY
login authentication VTY
David
CCIE Security -
Accounting in primary server.
We have two locations, and two ACS servers have been installed, one per location.
We have kept the server in each location as primary.
Everything is working fine, but I want the accounting to be on both servers. I don't know why it is this way ("A" location accounting at the "A" server only) and ("B" location accounting at the "B" server only).
I want single-point administration. Can anybody help me?
My config is like this:
A-Location:
aaa new-model
tacacs-server host A.A.A.A key access
tacacs-server host B.B.B.B key access
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
B-Location:
aaa new-model
tacacs-server host B.B.B.B key access
tacacs-server host A.A.A.A key access
aaa authentication login default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Help will be appreciated.
Adding to my previous message:
I have configured database replication with the Location A server as send and the Location B server as receive. The problem is that if I have to edit my Location B users or AAA clients, I edit them in Location A and replicate them. I don't want this delay. So if I configure the replication as both servers send and receive, is there any problem? My aim is to edit the settings per location.
**Once I configured the users for Location B and added them to one group, when the user tried to log in to the switch it showed "CHPASS Disabled", and the Location B server shows that the user is expired, whereas the Location A server shows it as enabled only. I am unable to avoid this situation.
Can you please provide me the solution for this?
Experts' replies will be greatly appreciated. -
Missing Tunnel-Client-Endpoint attribute in AAA accounting from 2821
I am trying to optimise the detailed accounting records for VPN client connections on our system,
but have noticed I am not receiving Tunnel-Client-Endpoint (attribute 66) in tunnel start accounting records from the router.
The VPN functionality works fine; this is just an accounting issue.
All other accounting attributes I need are received fine (times, username, VPN Framed IP, NAS identifier).
The system details are:
VPN server: Cisco 2821 with IOS 12.4(11)XW3
Tunnel type: VPDN, PPTP, MPPE 128bit, MS-CHAPv2
Accounting RADIUS: Microsoft Windows Server 2008 R2 NPS
I have used the same setup many times previously on various 2801, 2811, and 2911 platforms with no issue (across v12 and v15 IOS).
Sending attribute 66 "Tunnel-Client-Endpoint" appeared to be standard for any tunnel setup; no config was required to send it.
Does anyone know a reason why this fairly standard tunnel RADIUS attribute is not being sent to us from the router in this case?
Example debug of the tunnel start accounting message, showing that attribute 66 is not included in the info sent to the accounting server:
Jun 25 2013 14:55:13.591 AEST: RADIUS/ENCODE(0000061A):Orig. component type = VPDN
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Config NAS IP: 0.0.0.0
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): sending
Jun 25 2013 14:55:13.595 AEST: RADIUS/ENCODE: Best Local IP-Address 192.168.xxx.xxx for Radius-Server 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS(0000061A): Send Accounting-Request to 192.168.xxx.xxx:1646 id 1646/220, len 184
Jun 25 2013 14:55:13.595 AEST: RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Session-Id [44] 10 "00000642"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Assignment-Id[82] 3 "1"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Tunnel-Server-Auth-I[91] 14 "********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Tunnel-Connecti[68] 4 "44"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Framed-IP-Address [8] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: User-Name [1] 10 "*********"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Authentic [45] 6
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Type [61] 6 Virtual [5]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port [5] 6 426
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-Port-Id [87] 17 "Uniq-Sess-ID426"
Jun 25 2013 14:55:13.595 AEST: RADIUS: Class [25] 46
Jun 25 2013 14:55:13.595 AEST: RADIUS: 69 89 04 FA 00 00 01 37 00 01 02 00 C0 A8 AC 01 [i??????7????????]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 00 00 00 00 00 00 00 00 00 00 00 00 01 CE 6E 22 [??????????????n"]
Jun 25 2013 14:55:13.595 AEST: RADIUS: 2F A7 37 14 00 00 00 00 00 00 00 29 [/?7????????)]
Jun 25 2013 14:55:13.595 AEST: RADIUS: Service-Type [6] 6 Framed [2]
Jun 25 2013 14:55:13.595 AEST: RADIUS: NAS-IP-Address [4] 6 192.168.xxx.xxx
Jun 25 2013 14:55:13.595 AEST: RADIUS: Acct-Delay-Time [41] 6 0
Jun 25 2013 14:55:13.691 AEST: RADIUS: Received from id 1646/220 192.168.xxx.xxx:1646, Accounting-response, len 20
Jun 25 2013 14:55:13.691 AEST: RADIUS: authenticator E8 EC 1C 30 D2 01 8E D8 - 15 10 09 5F 37 95 D4 25
Important config
aaa new-model
aaa authentication login default local group radius
aaa authentication ppp default local group radius
aaa authorization exec default local group radius
aaa authorization network default local group radius
aaa accounting delay-start
aaa accounting session-duration ntp-adjusted
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa session-id common
vpdn enable
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
interface Virtual-Template1
ip unnumbered Dialer1
ip nat inside
ip virtual-reassembly
peer default ip address pool VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
ip local pool VPN 192.168.xxx.xxx 192.168.xxx.xxx
radius-server host 192.168.xxx.xxx auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Larry,
1) Please set up enable authentication to get the actual user name,
aaa authentication enable console tacacs-auth LOCAL
On ACS user setup you need to set up the tacacs+ enable password.
3) Since you have defined both servers for authentication and accounting, i.e. 219 and 218, it is sending accounting to 218, as it is also defined as an accounting server and the firewall is active.
Use only
aaa-server tacacs-auth (dept-outside) host 10.1.26.218 key tacacs-secret
aaa-server tacacs-acct (dept-outside) host 10.1.26.219 key tacacs-secret
Now auth should go to 218 and acc to 219.
Regards,
~JG
Do rate helpful posts -
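When an attribute is missing from accounting on the server side, the first check is whether the NAS ever sent it. The script below is an added example, not code from the post or from Cisco: it parses the "RADIUS: Name [id] len value" lines that IOS "debug radius" prints, as in the tunnel-start excerpt above, and lists which of a required set of attribute ids were absent from each Accounting-Request. The debug excerpt is constructed from the one quoted in the thread with placeholder addresses.

```python
"""Check which RADIUS attributes an IOS "debug radius" Accounting-Request carried.

Added example, not code from the original post. It parses the
"RADIUS: <Name> [<id>] <len> <value>" lines IOS prints after a
"Send Accounting-Request" line and reports which required attribute ids
are missing, so the NAS side can be confirmed before the server is blamed.
"""
import re

ATTR_RE = re.compile(
    r"RADIUS:\s+(?P<name>[A-Za-z0-9\-]+)\s*\[(?P<id>\d+)\]\s+(?P<len>\d+)\s*(?P<value>.*)$")
SEND_RE = re.compile(r"Send (?P<kind>[A-Za-z\-]+) to (?P<server>\S+) id \S+, len (?P<len>\d+)")

# Constructed excerpt modelled on the debug in the post; addresses are placeholders.
DEBUG = """\
RADIUS(0000061A): Send Accounting-Request to 192.0.2.10:1646 id 1646/220, len 184
RADIUS: authenticator D7 DD 05 D9 72 FC 72 9C - 02 E0 6A FD D1 AC DB 06
RADIUS: Acct-Session-Id [44] 10 "00000642"
RADIUS: Tunnel-Medium-Type [65] 6 00:IPv4 [1]
RADIUS: Tunnel-Assignment-Id[82] 3 "1"
RADIUS: Framed-Protocol [7] 6 PPP [1]
RADIUS: Framed-IP-Address [8] 6 192.0.2.77
RADIUS: User-Name [1] 10 "*********"
RADIUS: Acct-Status-Type [40] 6 Start [1]
RADIUS: NAS-IP-Address [4] 6 192.0.2.1
RADIUS: Received from id 1646/220 192.0.2.10:1646, Accounting-response, len 20
"""

# Attribute ids the VPN accounting in the post depends on (RFC 2866 / RFC 2868 numbers).
REQUIRED = {1: "User-Name", 8: "Framed-IP-Address", 40: "Acct-Status-Type",
            44: "Acct-Session-Id", 66: "Tunnel-Client-Endpoint"}


def parse_requests(debug_text):
    """One dict per outgoing request: {kind, server, attrs: {id: (name, value)}}."""
    requests = []
    current = None
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            current = {"kind": m.group("kind"), "server": m.group("server"), "attrs": {}}
            requests.append(current)
            continue
        m = ATTR_RE.search(line)
        if m and current is not None:
            # Hex continuation lines (e.g. the Class payload) do not match and are skipped.
            current["attrs"][int(m.group("id"))] = (m.group("name"), m.group("value").strip())
    return requests


def missing_attributes(request, required=REQUIRED):
    """Return {id: name} for required attributes absent from the request."""
    return {i: n for i, n in required.items() if i not in request["attrs"]}
```

Feed it the real debug output with timestamps left in; the regexes search within each line, so the "Jun 25 2013 ..." prefix does not matter.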
RADIUS authentication on IAS server
I have a 1200 AP configured for RADIUS authentication on Microsoft IAS server but I am experiencing a problem getting clients authenticated. (Association is working fine.)
The 1200 is connected to the IAS Server via an 837 router (no switch involved) and I am wondering if any RADIUS settings have to be configured on the 837 for AAA communication to pass through to the IAS server, or will the requests pass through automatically?
ScottMac is correct: if you're using IAS you need to use PEAP, which requires a security cert. Microsoft provide a very nice toolkit of scripts and documents to simplify the installation and configuration of IAS, Cert Services, etc.; you can get it from here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=CDB639B3-010B-47E7-B234-A27CDA291DAD&displaylang=en -
Missing aaa accounting commands
Hi,
I might be being REALLY STUPID, but I am trying to configure a 12.3 IOS router to send command accounting records to an ACS 3.3 server via RADIUS.
When I input the 'aaa accounting commands 15 default group radius' command, it is accepted by the router, but when I show the config, it's not there. This is the same for all command levels. This router is logging VoIP accounting records too, to the same RADIUS box, without problems.
Have I missed something about setting up AAA?
Grateful for any help!
Thanks
Pete Moore
Even if IOS did support it, the format of any RADIUS command accounting would be inferior for a couple of reasons:
1) The ACS TACACS+ reports are totally geared up for this, with pre-defined columns for each T+ attribute.
2) ACS has a dedicated cmd accounting report which splits out cmds from sessions
3) To package in RADIUS, IOS would have to create many cisco-av-pair VSA instances. In the RADIUS accounting logs these will all be compressed into a single column of the format
"attr1=value1;attr2=value2;..."
Depending on what you want to do with the data this format is quite restrictive.
My advice is to enable TACACS+
Darran -
AAA accounting on ASA 5510/ 8.4(1)
I have AAA accounting set up and working on my ASA 5510 running 8.4(1). I can account for specific services based on TCP ports, etc. I want to do accounting for VPN user sessions, for when users connect to and disconnect from the VPN on the 5510. I found several docs online, but the code syntax on how to do it seems to be obsolete in 8.4(1). Any help would be greatly appreciated.
Thanks much
Mike
Hello,
This is a very simple setup.
You may want to configure something like this
Hostname (config)# tunnel-group xxx type xxxx
Hostname (config)# tunnel-group xxx general-attributes
Hostname (config-tunnel-general)# accounting-server-group aaa_server
Please do not hesitate to contact me if you have any question.
Erick Delgado
AAA TEAM -
Question on AAA accounting command?
Is the AAA command "aaa accounting commands 15 default start-stop group" just for tacacs+ groups and not for radius?
jjohnston1127 answered correctly. Command authorization and command accounting are only supported by the tacacs protocol.
You will not even see an option for radius.
jkatyel(config)#aaa accounting commands 15 default start-stop gr
jkatyel(config)#aaa accounting commands 15 default start-stop group ?
WORD Server-group name
tacacs+ Use list of all Tacacs+ hosts.
Accounting supported by radius
https://tools.ietf.org/html/rfc2866
Regards,
Jatin Katyal
*Do rate helpful posts* -
Dear All,
I listed an AAA accounting record from my RADIUS server with a WLC8510 after I finished a session in which I downloaded a 100MB file.
1) Acct-Output-Octets > Acct-Input-Octets means the octet direction is from controller to client, because I downloaded a 100MB file. In general it should be input > output, but in the Cisco WLC it is inverted. Is this correct?
2) The packet numbers for input and output are similar, which is different from other brands when I perform the same test.
NAS-Identifier = "WLC8510"
Airespace-WLAN-Id = 124
Acct-Session-Id = "52a91c23/00:1c:bf:78:2b:21/1575117"
NAS-Port-Type = Wireless-IEEE-802-11
Acct-Authentic = Remote
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 30
Event-Timestamp = 1386814675
Acct-Status-Type = Stop
Acct-Input-Octets = 3773718
Acct-Input-Gigawords = 0
Acct-Output-Octets = 98257335
Acct-Output-Gigawords = 0
Acct-Input-Packets = 64838
Acct-Output-Packets = 64886
<omitted>
Thanks.
Mic
Check that the following services are working:
CSAdmin
CSauth
CSDBsync
CSlog
CSmon
cSradius
CSTacacs -
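Two threads on this page come down to reading accounting records correctly: the 3640/IAS thread needs Start and Stop records paired by session to get connection durations, and the WLC8510 record above raises the question of which direction Acct-Input and Acct-Output count. The script below is an added example, not code from either post: it parses records in the "Attribute = value" form shown above, pairs Start with Stop by Acct-Session-Id, flags sessions that never received a Stop, and folds the Gigawords counters into the 32-bit octet counters. The records are constructed; direction follows RFC 2866, where Acct-Input is traffic received from the client and Acct-Output is traffic sent to it, so a client download appears as Output.

```python
"""Pair RADIUS accounting Start/Stop records and summarise each session.

Added example, not code from the original posts. Records are constructed
in the "Attribute = value" detail format of the WLC post. Octet counters
are 32-bit, so Acct-*-Gigawords carries the high-order bits and is folded
in. Per RFC 2866, Acct-Input-* is traffic received from the client and
Acct-Output-* is traffic sent to the client, so a download shows as Output.
"""
import re
from collections import defaultdict

PAIR_RE = re.compile(r"^\s*([A-Za-z0-9\-]+)\s*=\s*(.+?)\s*$")

# Constructed records: session ...117 has Start and Stop; session ...200 has a
# Start only (the "never a stop record" symptom of the 3640/IAS thread).
DETAIL = """
Acct-Session-Id = "52a91c23/00:1c:bf:78:2b:21/1575117"
Acct-Status-Type = Start
User-Name = "alice"
Event-Timestamp = 1386810000

Acct-Session-Id = "52a91c23/00:1c:bf:78:2b:21/1575117"
Acct-Status-Type = Stop
User-Name = "alice"
Event-Timestamp = 1386814675
Acct-Session-Time = 4675
Acct-Input-Octets = 3773718
Acct-Input-Gigawords = 0
Acct-Output-Octets = 98257335
Acct-Output-Gigawords = 1

Acct-Session-Id = "52a91c23/00:1c:bf:78:2b:21/1575200"
Acct-Status-Type = Start
User-Name = "alice"
Event-Timestamp = 1386815000
"""


def parse_detail(text):
    """Yield one dict per blank-line-separated record, quotes stripped."""
    rec = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            rec[m.group(1)] = m.group(2).strip('"')
        elif rec:
            yield rec
            rec = {}
    if rec:
        yield rec


def octets(rec, direction):
    """Combine the 32-bit octet counter with its Gigawords high word."""
    low = int(rec.get("Acct-%s-Octets" % direction, 0))
    high = int(rec.get("Acct-%s-Gigawords" % direction, 0))
    return (high << 32) + low


def summarise(text):
    """Return {session_id: summary}; a Start with no Stop is reported as open."""
    by_id = defaultdict(dict)
    for rec in parse_detail(text):
        by_id[rec["Acct-Session-Id"]][rec["Acct-Status-Type"]] = rec
    out = {}
    for sid, recs in by_id.items():
        start, stop = recs.get("Start"), recs.get("Stop")
        if stop is None:
            out[sid] = {"user": next(iter(recs.values())).get("User-Name"), "open": True}
            continue
        # Prefer the timestamp difference; fall back to the NAS-reported session time.
        seconds = (int(stop["Event-Timestamp"]) - int(start["Event-Timestamp"])
                   if start else int(stop.get("Acct-Session-Time", 0)))
        out[sid] = {"user": stop.get("User-Name"), "open": False, "seconds": seconds,
                    "bytes_from_client": octets(stop, "Input"),
                    "bytes_to_client": octets(stop, "Output")}
    return out
```

A session that stays open across a billing period is exactly the case the 3640 thread describes: the Start arrived, the Stop never did, so no duration can be computed for it.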
Does "aaa accounting commands" not support radius?
When I issue this command:
aaa accounting commands 15 default start-stop group myradiusgroup
I get this error: %AAAA-4-SERVNOTACPLUS: The server-group "myradiusgroup" is not a tacacs+ server group. Please define "myradiusgroup" as a tacacs+ server group.
Nowhere in the documentation could I find anything saying the "commands" accounting type is only available to tacacs+. Does aaa not support this accounting type for radius?
Hi Red,
The Cisco implementation of RADIUS does not support command accounting. So that's the reason you are getting that error. Please use TACACS if you want to use this.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
AAA Accounting through a NAT device
Good Day to you all,
I am trying to configure aaa accounting through a NATed device to an ACS 4.0 server. The information is logged OK, but it is logged as the device that is performing the NAT. Is there a way to configure aaa accounting to show the actual device being updated in the ACS logs?
Assuming it's RADIUS...
Is it possible to get the originating device to include the NAS-IP-Address or NAS-Identifier attributes in the accounting records?
This will be the actual device values rather than the peer address of the NAT device. -
FWSM 2.3(4) with AAA accounting
I have FWSM version 2.3(4), but I can't find a command to enable AAA accounting to a
remote TACACS server. Does 2.3(4) support AAA accounting or not, and what is the minimum version that supports AAA accounting?
FWSM 2.3(4) does support aaa accounting. To define a TACACS server, you can use the 'aaa-server' command. Please see the command reference below for more details:
aaa accounting:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/ab.html#wp1073208
aaa-server:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm23/command/reference/ab.html#wp1070086 -
AAA authenticate to ACS Server
I am trying to get my Cisco switches to authenticate to our ACS server through TACACS, but I am running into a problem when I try to put in the secret key.
Below is an output
aaa new-model
aaa group server tacacs+ VTY
server 10.1.10.99
server-private 10.1.10.99 key BrAqaq4h
ip tacacs source-interface Vlan99
aaa authentication login VTY group VTY local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group VTY
aaa accounting commands 15 default start-stop group VTY
aaa session-id common
Whenever I try to make the server-private key 7 BrAqaq4h I get the error
server-private 10.1.10.99 key 7 BrAqaq4h
%Invalid encrypted key: BrAqaq4h
I don't know if this is the reason I cannot authenticate with AD but on the server ACS that is the key it has under every other device that is working.
aaa new-model
aaa group server tacacs+ VTY
server 10.1.10.99
server-private 10.1.10.99 key 7 0529142E304D5F5D11
ip tacacs source-interface Vlan99
aaa authentication login VTY group VTY local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group VTY
aaa accounting commands 15 default start-stop group VTY
aaa session-id common
The last output is a device where I can authenticate correctly. Does anyone have any ideas as to why this doesn't work? The vty settings on both devices are the same.
line vty 0 4
privilege level 15
logging synchronous
login authentication VTY
transport input all
Hi Jeff,
If you use the "server-private key 7" form of the command, then the string that is entered is considered to be encrypted text. If no number or 0 is entered, the string that is entered is considered to be plain text.
So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0" or just "server-private key".
If, after entering the shared secret in plain text (using 0 or no number), you are still facing an issue with authentication, then check the failed attempts logs on the tacacs+ server, which should give you a hint about the issue.
Hello, we are frequently getting below errors on host, can any one please help to solve this issue? Mar 1 04:41:49 host scsi: [ID 243001 kern.info] /pci@8,600000/SUNW,qlc@1/fp@0,0 (fcp3): Mar 1 04:41:49 host ndi_devi_online: failed for scsa,00.bfcp: