AAA Authentication for Traffic Passing through ASA

Similar Messages

• Does user traffic pass through Controller and Aironet 1030?

  Hi All,
  I want to beat out some questions that I cannot find exactly guideline in Cisco. I intend to implement 2 Airespace 2000 controller and some 1010s and one 1030 to my main office and branch office. At present, there is a 512kbps WAN link between this two office. So I don't want to let the traffic within the branch office to pass through the WAN link. Therefore, I intend to use the solution that 1 controller stay in main office to serve the 1010s in main office and 1 controller stay in remote office to serve the 1010s in remote office. But the remote site only needs 1 AP, thus I would like to use one 1030 to stay in branch office and 2 controller stay in main office to perform controller's redundancy. I would like to know Does the clients' traffic pass through the link between 1030 and controller as the same as 1010? I does very confuse whether 1030 has this feature because I found some blur instruction of 1030 in Cisco.
  Further, if I place one of the controller in remote office, how can I control the APs in remote office to choose the local controller instead of the controller in main office using Layer 3 discovery method? Does any know? Thanks!
  Jason,
  best regards,

  Hi Jason,
  Hopefully this info will clear this up for you;
  Q. Can I install an access point (AP) at a remote office and install a Cisco WLC at my headquarters? Does the Lightweight AP Protocol (LWAPP) work over a WAN?
  A. Yes, you can have the WLCs across the WAN from the APs. LWAPP works over a WAN. Use Remote Edge AP (REAP) mode. REAP allows the control of an AP by a remote controller that is connected via a WAN link. Traffic is bridged onto the LAN link locally, which avoids the need to unnecessarily send local traffic over the WAN link. This is precisely one of the greatest advantages of having WLCs in your wireless network.
  Note: Not all lightweight APs support REAP. For example, the 1030 AP supports REAP, but the 1010 and 1020 AP do not support REAP. Before you plan to implement REAP, check to determine if the APs support it. Cisco IOS Software APs that have been converted to LWAPP do not support REAP.
  Q. I want to set up the Cisco 1030 Lightweight Access Point (AP) with a Cisco WLC in Remote Edge AP (REAP) mode. In this mode, is all wireless traffic tunneled back to the WLC? Additionally, if the AP cannot contact the WLC, what happens to the wireless clients?
  A. The 1030 AP tunnels all WLC traffic (control and management traffic) to the WLC via Lightweight AP Protocol (LWAPP). All data traffic stays local to the AP. The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. As such, traffic on each service set identifier (SSID) terminates on the same subnet on the wired network. So, while wireless traffic may be segmented over the air between SSIDs, user traffic is not separated on the wired side. Access to local network resources is maintained throughout WAN outages.
  At times of WAN link outage, all WLANs except the first is decommissioned. Therefore, use WLAN 1 as the primary WLAN and plan security policies accordingly. Cisco recommends that you use a local authentication/encryption method, such as the Wi-Fi Protected Access (WPA) Pre-Shared Key (WPA-PSK), on this first WLAN.
  Note: Wired Equivalent Privacy (WEP) suffices, but this method is not recommended because of known security vulnerabilities.
  If you use WPA-PSK (or WEP), properly configured users are still able to gain access to local network resources even when the WAN link is down.
  From this doc;
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a008064a991.shtml
  Hope this helps!
  Rob
  Please remember to rate helpful posts.....

• AAA authentication for networking devices using ACS 4.1 SE

  Hi!!!
  I want to perform AAA authentication for networking devices using ACS 4.1 SE.
  I do have Cisco 4500, 6500,2960, 3750, 3560, ASA, CSMARS, routers (2821) etc in my network. I want to have radius based authentication for the same.
  I want telnet, ssh has,console attempt to be verified by radius server & if ACS goes down then it will be via local enable passwordf.
  For all users i need to have different privilege levels based upon which access will be granted.
  could u plz send me the config that is required to be done in the active devices as well as ACS!!!!

  Pradeep,
  Are you planning MAC authentication for some users while using EAP for others?
  For MAC authentication, just use the following in your AP.
  aaa authentication login mac_methods group radius
  In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
  In your SSID configuration, under client authentication settings,
  check "open authentication" and also select "MAC Authentication" from the drop-down list.
  If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
  Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
  You will not need to change anything in XP.
  NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
  HTH

• Black box able to log traffic passing through...

  Hi
  I'm looking for a box able to sniff the tcp/ip traffic (source ip address, destination ip address and ports) passing from it's ingress interface to the egress interface and viceversa (useful the bypass option if this box fails) without any change of the traffic passing through, just logging it and sending this log to a syslog server.
  We need it as solution to be compliant with the new police law against computer criminals where is written that all the internet traffic has to be logged (we offer sometimes transparent internet access to our customers where we do not put any kind of equipment as firewall, proxy or something else, only the router providing the internet access).
  Do you know if Cisco provide something like that ? Other vendors ?
  Any other idea how to be compliant with this request ?
  Thanks
  Pls advise
  Ric

  Cisco Intrusion Prevention System Sensor can be used to log ip traffic. You can manually configure the sensor to capture all IP traffic associated with a host you specify by IP address. You can specify how long you want the IP traffic to be logged, how many packets you want logged, and how many bytes you want logged. The sensor stops logging IP traffic at the first parameter you specify.You can also have the sensor log IP packets every time a particular signature is fired. You can specify how long you want the sensor to log IP traffic and how many packets and bytes you want logged

• Only some of the traffic passing through inline vlan pair

  Here is my network setup
     firewall<---- >(g1/2)Coreswitch 6500 with IDSM(TG9/1)<-----> (TG9/1) Distrib switch with FWSM---------Accessswitch
  configuration in core switch
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  interface GigabitEthernet1/2.37
  description **** ****
  encapsulation dot1Q 237
  ip vrf forwarding VRF37
  ip address 10.2.37.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.37.75
  standby 1 priority 110
  standby 1 preempt
  interface TenGigabitEthernet9/1.11
  description ****   ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  configuration in Distribution switch:
  interface TenGigabitEthernet9/1.11
  description ****  ****
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.37
  description ********
  encapsulation dot1Q 337
  ip vrf forwarding VRF37
  ip address 10.2.37.1 255.255.255.252
  no ip route-cache
  ip ospf network point-to-point
  i  have seggregated  n/w like this. i am using inline vlan  pair , to pass all the traffic through the IDSM module ,
  i am using the monitoring port gi0/8
  config in core switch
  intrusion-detection module 8 data-port 2 trunk allowed-vlan 211-260,311-360
  IDSM
  physical-interfaces GigabitEthernet0/8
  subinterface-type inline-vlan-pair
  subinterface 11
  description
  vlan1 211
  vlan2 311
  exit
  subinterface 37
  description
  vlan1 237
  vlan2 337
  exit
  Problem i am facing is , some of the vlan-pair traffic passing through the IDSM some of the traffic are not passing , here i have given the statistics
  MAC statistics from interface GigabitEthernet0/8
     Statistics From Subinterface 11
        Statistics From Vlan 211
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
        Statistics From Vlan 311
           Total Packets Received On This Vlan = 0
           Total Bytes Received On This Vlan = 0
           Total Packets Transmitted On This Vlan = 0
           Total Bytes Transmitted On This Vlan = 0
  Statistics From Subinterface 37
        Statistics From Vlan 237
           Total Packets Received On This Vlan = 3189658726
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3549575166
           Total Bytes Transmitted On This Vlan = 64165872092928
        Statistics From Vlan 337
           Total Packets Received On This Vlan = 3549575166
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 3189658726
           Total Bytes Transmitted On This Vlan = 64165872092928
     Statistics From Subinterface 38
        Statistics From Vlan 238
           Total Packets Received On This Vlan = 2215151150
           Total Bytes Received On This Vlan = 64165872092928
           Total Packets Transmitted On This Vlan = 126546964
           Total Bytes Transmitted On This Vlan = 64165866995200
        Statistics From Vlan 338
           Total Packets Received On This Vlan = 126546964
           Total Bytes Received On This Vlan = 64165866995200
           Total Packets Transmitted On This Vlan = 2215151150
           Total Bytes Transmitted On This Vlan = 64165872092928
  Give me idea experts , so that i can resolve this issue.
  Help me thanks in advance

  I believe the issue is because of the config below:
  interface GigabitEthernet1/2.11
  description **** ****
  encapsulation dot1Q 211
  ip vrf forwarding VRF11
  ip address 10.2.11.73 255.255.255.248
  ip ospf network point-to-point
  standby 1 ip 10.2.11.75
  standby 1 priority 110
  standby 1 preempt
  encapsulation dot1Q 311
  ip vrf forwarding VRF11
  ip address 10.2.11.2 255.255.255.252
  ip ospf network point-to-point
  interface TenGigabitEthernet9/1.12
  description ****   ****
  encapsulation dot1Q 312
  ip vrf forwarding VRF12
  ip address 10.2.12.2 255.255.255.252
  ip ospf network point-to-point
  As you can see we have 2 ip subnets in the VRF 11 .73 &  .2 in vlan 211 & 311 respectively.
  The switch is doing intervlan routing directly without having to go through the IDSM for VRF 11.
  What we need to remember is IDSM does not do routing, and it can only bridge vlans.
  Hence we have to force to packet to go through the IDSM.
  Here is what we do when we use IDSM to see traffic going between vlans.:
  Normally, with vlans, and IDSM inline mode, we have one IP subnet and 2 Vlans.
  IDSM2 in inline mode necessitates an additional artificial Vlan on the  SAME subnet as the Vlan you wish to sense.
  A layer 3 switch  interface  needs to be configured within this additional artificial Vlan.
  In a nutshell, we need to create 2 Vlans that share one same ip subnet and put SVI on only one of the Vlans.
  In your case you will need one ip between vlans 211 & 311 in VRF 11 to force the data to go through the IDSM.
  I can understand if this is a bit tricky to understand.
  Please go through my design document for IDSM inline mode, which explains the basic concepts and packet walk in detail.
  It will explain why we need the above and how arp makes the mac-address table populate correct entries, (with one ip subnet for 2 vlans) so that traffic goes through the IDSM.
  https://supportforums.cisco.com/docs/DOC-12206
  - Sid

• Tracing a route passing through ASA

  Hi Everyone,
  Need help on tracing a route IP 192.168.27.0  that is passing through ASA
  i did sh route on ASA
  S    192.168.27.0 255.255.255.0 [1/0] via 192.168.101.14, Xnet
  so this means that this ASA is learning this route statically through int Xnet  right ?
  when i do sh int on ASA  it shows Xnet as interface.
  what should be my next step?
  also i am able to ping this IP from ASA  but whne i do sh arp it does not show this IP 192.168.27.251 and mac address
  Thanks
  Mahesh
  Message was edited by: mahesh parmar

  So I presume you have ASA5550 or you have bought addiotional 4 GigabitEthernet module.
  When you look at the ASA from the side where the physical ports are
  The usual ports (without the module) should be in the Right side
  The modules ports should be on the Left side
  The module should contain 8 ports
  4 Ports are for SFP slots (usually for fiber connections)
  4 Ports are for basic Ethernet connectivity
  The configuration should have some line "media-type" which defines which type is used "rj45" of "sfp"
  rj45 for Ethernet
  sfp for SFP module
  So GigabitEthernet 1/2 port should be to my understanding either the Third Ethernet or Third SFP port of the module depending on the above port configuration mentioned (media-type rj45/sfp)
  The ports GigabitEthernet0/0 - x are the ports that are in every ASA, Ports GigabitEthernet1/0 - x are the expansion modules ports
  Hope this helps. Hopefully I remembered that right.
  - Jouni

• Aaa authentication for https access

  I have several Catalyst 3750 switches that I'm running Tacacs on. I set the switch up to be an http server so that some of our admins could administer the switches through the web gui. Is it possible to login to the web console via your Tacacs login (in our case, our Windows username/password)? I found the "ip http authentication aaa" command but this doesn't seem to do it. I just don't want to share the local passwords if I don't have to.
  Thanks in advance,
  Eric

  My experience of the web interface is that it uses the local password on the device and not the aaa authentication IDs and passwords.
  HTH
  Rick

• Need help on Hyper V 2012 for configuring pass through disks

  Hallo guys,
  I have 7 hypervisors of Windows server 2012 running on bare metal, all are in cluster. I also configured SCVMM 2012 server.I created 10 Vm's. Now i want to make clusters of 2 node each & assign LUNs to my VM.
  Storage guys have assigned all the LUNs to my physical servers, when i go to disk management of my physical servers , i see all LUNs are offline state(by default..)
  My question is how do i assign the LUN to my VM? what is the steps for this ? i also wil be making 2 node cluster of VM's.
  Regards,
  Amol Sutar

  Hi Amol,
  >>i see all LUNs are offline state(by default..)
  It's normal. To ensure the Guest has exclusive access to the storage, the LUNs must be placed in an
  Offline state from the Hyper-V server perspective.
  >>My question is how do i assign the LUN to my VM? what is the steps for this ? i also wil be making 2 node cluster of VM's.
  Here is a detailed guide, it may be helpful:
  Configuring Pass-through Disks in Hyper-V
  http://blogs.technet.com/b/askcore/archive/2008/10/24/configuring-pass-through-disks-in-hyper-v.aspx
  Best Regards.
  Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Does IPv6 traffic "pass-through" or "drop" by cisco waas?

  Since cisco waas is not yet supported IPv6, if i am running IPv4 and IPv6 dual stack mode on the same circuit, does IPv6 traffic get dropped by the waas or does waas put IPv6 traffic in "pass-through" mode and let it goes?  I am thinking, waas will treat IPv6 as non-IP traffic and will let it goes.  Am i right?
   

  Hi Joe and Kanwai,
  One note though - if your running WCCP as the redirection mode, you won't get the IPv6 traffic redirected, as WCCP does NOT support IPv6. Hence you won't see IPv6 traffic at all on the WAAS device.
  Best Regards
  Finn Poulsen

• [Q] Trigger an event for calls passing through a CUBE

  Hi Guys
  Are there any events I could catch to trigger a script for new calls as they pass through a CUBE?
  I'm wanting to set up an alert based on a certain number been dialed.
  Ta
  Peter

  Not directly, but Tcl IVR can help here.  You can use IVR to generate a syslog message that EEM can process.  I'm not sure if this is applicable to CUBE, though (it works with CME).  Here's one such example implementation:
  https://supportforums.cisco.com/docs/DOC-19345

• Configure FRITZ!Box Fon WLAN 7320 for PPPOE PASS-Through

  I just switched ISP providers, from ARCOR to 1&1 and received a new FRITZ!Box Fon WLAN 7320 modem. I've been trying to figure our (without success) how to get it to do pppoe pass-through and allow my Airport Extreme router to the authenication with 1&1 versus the Fritzbox. I would greatly appreciate any and all assistance.
  I do not want to use the Fritzboz WLAN and/or have it do the PPPOE authenication.
  Message was edited by: jmpsohi

  One for the Airport forum, I would think:
  http://discussions.apple.com/category.jspa?categoryID=140
  Regards
  TD

• Slow SFTP throughput when passed through ASA 55xx

  I have an interesting scenario. I have setup two test boxes for SFTP.  One in a DMZ behind an ASA inteface, and the other on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s.  I get that same low speed even on the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch to the ASA interface to the SFTP server. I even tried this across two different ASA, same result. One was a 5505, the other a 5520. 
  So, it seems the only limiting factor here is the ASA.  Does anyone have any observations or suggestions that might help?
  Thanks!

  Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.
  I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7

• TUNNEL UP BUT NO TRAFFIC PASSING THROUGH

  Hello, we have a customer that has been working with us like 1 month with no problem. We did a connection between a fortigate firewall and a Cisco 2811. Now the tunnel is up but no traffic is going and coming through it. I did remake the whole configuration for this costumer: Key, cryptomap and access-list. The tunnel comes up but again, no traffic is coming or going.
  Any hints ?
  Thanks.

  Hi,
  Below is an excellent document on Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions.
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
  If this doc does not help, do post your configuration along with the Src and Dest IP Addresses that you are trying to ping across the tunnel.
  Regards,
  Arul
  *Pls rate if it helps*

• AAA authentication for IDS access?

  I've been implementing a new SSM-20 I haven't found anything that indicates we can use RADIUS to authenticate users logging into the GUI or telnet/ssh. Am I missing something here?

  You expectations are quite reasonable but regretably, Cisco ONLY supports local authentication on the IPS Sensor platform (4200 series, CIDS, IDSM-2 and SSM).
  This has been discussed in the past:
  http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddef483

• High delay when traffic passes through the tunnel

  Hello,
  i have a dmvpn topology, .
  When i try to ping the real ip on the hub's outside interface from the spoke, the delay is approximately 100ms, but when i ping the tunnel ip address the delay becomes 4000ms.
  Your help is really appreciated

  Can you post the configuration?
  Did you set the MTU of the tunnel interface correctly?
  Also check the switching (CEF/Process Switching) configuration.
  Regards
  Farrukh