AAA server & Ciscoworks

Hi
How can I use the user profiles that can access the AAA server with CiscoWorks2000? E.g., suppose that I have a username and password that allows me to access the AAA server, and I want the AAA server to authenticate me to access CW2000 with the same username and password. In other words, can I make the AAA server authenticate CW2000 access, or can I have the same authentication database?
Thanks

CW2K supports using external authentication for logins like TACACS+ etc. After you select and configure a login module, all authentication transactions are performed by that source. The CW2K Server still determines user roles; therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role). To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module. See the User Guide for more details:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/5steditn/gs_guide/setup.htm
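
The role resolution described in the answer above, modelled as a small audit of the two identity stores. This is an added example, not code from the original post or from CiscoWorks; the function names, the sample accounts and the exact (case-sensitive) user ID comparison are assumptions.

```python
GUEST_ROLE = "Help Desk"  # default guest role per the answer above


def effective_role(user_id, external_users, local_roles, guest_role=GUEST_ROLE):
    """Role a login would receive, or None if the login module rejects the user.

    Assumption: user IDs are compared exactly (case-sensitive).
    """
    if user_id not in external_users:
        return None  # the external source performs all authentication
    # The local database only supplies the role; unknown users get the guest role.
    return local_roles.get(user_id, guest_role)


def audit(external_users, local_roles):
    """Compare the external source with the local role database."""
    external_users = set(external_users)
    by_lower = {}
    for uid in local_roles:
        by_lower.setdefault(uid.lower(), []).append(uid)
    report = {"guest_fallback": [], "case_mismatch": [], "local_only": []}
    for uid in sorted(external_users):
        if uid in local_roles:
            continue
        # Authenticates externally but has no local entry: lands in the guest role.
        report["guest_fallback"].append(uid)
        # A local entry differing only by case never matches, so its role is unused.
        for near in by_lower.get(uid.lower(), []):
            report["case_mismatch"].append((uid, near, local_roles[near]))
    for uid in sorted(local_roles):
        if uid not in external_users:
            # Holds a role locally but has no account in the external source.
            report["local_only"].append((uid, local_roles[uid]))
    return report


# Constructed sample data (not from the page).
TACACS_USERS = ["alice", "bob", "carol"]
CW2K_LOCAL = {"alice": "System Admin", "Bob": "System Admin", "dave": "System Admin"}

if __name__ == "__main__":
    for uid in TACACS_USERS + ["dave"]:
        print(uid, "->", effective_role(uid, set(TACACS_USERS), CW2K_LOCAL))
    print(audit(TACACS_USERS, CW2K_LOCAL))
```
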

Similar Messages

  • AAA server logs replication

    1. We have two locations and require Cisco ACS 5.x for each location.
    2. Both locations are connected via an MPLS link.
    3. Need to deploy both ACS in Active-Active OR Active-Standby.
    4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
    5. Similarly, users in network B will have their primary ACS as ACS B, local to their LAN.
    If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network, and vice versa.
    6. What we understood from reading the ACS documents is that in case one of the ACS servers goes down, the accounting logs do not get replicated to the secondary ACS and vice versa.
    7. I would like to have a kind of setup wherein accounting logs are also replicated between the ACS servers. The idea is that I should have complete logs of both servers up to the time when one of the ACS servers breaks down.
    Kindly let me know if the accounting logs can be replicated in the manner mentioned above.
    Also let me know the typical bandwidth utilized during replication of ACS A to ACS B.
    We have around 500 users combining both sides.
    Our proposal is dependent upon the working of the above solution… kindly see if ACS 5.x will work in the above scenario, as we need to propose the same.


  • Errors on aaa server

    Hello,
    pls which service is actually suspended when the AAA server gives this report.
    "Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
    And how can I resolve it.
    Also, my backup AAA server is still not replying. If I shutdown the service on the primary acs, the errors i get when i try to login are "auth server down".
    What can I do to correct these?

    To my knowledge, it's the authentication service like Radius or Tacacs+ that is suspended.

  • ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

    Hello,
    I have ACS 4.2.0.124.15   installed on a windows server 2008.
    In the configuration menu (Network Config > AAA Server), the AAA server IP address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server.
    However, the IP address in the Windows LAN connection settings is set to static.
    When I reconnect the Ethernet interface of the server, it stays at 169.154.x.x, and I need to reconfigure the real static address each time.
    Do you know this problem? Is there a way to avoid it?
    Michel Misonne

    Hi Michel,
    It was an issue in the ACS 1113 SE Appliance, and a clear solution for the above is mentioned in the link below:
    http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
    HTH
    Ganesh.H

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external, as you need group mapping to make it work.
    A bit kludgy... but should work.

  • WLC 5508 and AAA server

    Hello all,
    Quick question (couldn't find answer on google).
    Can the Cisco Wireless LAN Controller model 5508 act as an AAA server, or does that require a separate device/server/appliance?
    My initial answer to this question was yes, if running in local EAP mode...
    Anybody?

    Thank you both. I love this forum. I am working as an intern with my current company, but no stranger to IT. The pay is humbling, but I am learning fast and this forum has really helped accelerate my learning. I thought having a CCNA alone would get me the good job, but nothing beats experience.
    Thanks again!

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue where during the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time and succeeds.
    The issue seems to be fine but that when logging in to the GUI under Network Configuration > AAA Servers.
    AAA server | AAA server IP address | AAA server type
    self | 10.10.10.1 | CiscoSecure ACS
    ciscoacs | 169.254.25.58 | CiscoSecure ACS
    Under Network Configuration > Proxy Distribution Table:
    Character String | AAA Servers | Strip | Account
    Default | ciscoacs | no | Local
    The 2 questions I have are how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete:
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to,
    Network configuration > Proxy Distribution Table > (Default).
    swap the entry in this section under tables AAA Server and Forward to > Submit + Restart.
    Then try to delete 169.x.x.x entry.
    Regards,
    Prem

  • More than 1 AAA server for logging in to WebVPN

    Hi everybody,
    Does anyone know if the ASA supports simultaneous authentication against more than 1 AAA server? I've created an LDAP and a SecurID token account for every user and want them to provide both sets of account information for logging in to WebVPN.
    Please advise.
    Thanks in advance,
    Nitass

    If the AAA server you are referring to is a "radius server", then you can try out the following commands.
    In ASDM you would simply add the said RADIUS servers to the "server group"
    If you wish to do this through CLI, you would define a group eg
    aaa-server radius protocol radius
    aaa-server radius host x.x.x.x
    aaa-server radius host y.y.y.y
    aaa-server radius host z.z.z.z
    and you would then call this in the said tunnel-group :
    tunnel-group opsource type ipsec-ra
    tunnel-group opsource general-attributes
    address-pool admin_ra
    authentication-server-group radius LOCAL
    default-group-policy opsource

  • Wism and aaa server communication

    Hi 
    How does a WiSM talk to the AAA server? Does the WiSM talk on behalf of the user?
    What I mean is, if there is an ACL on the interface VLAN (switch), do we need to allow the AAA server in the access list?
    Thanks 

    Yes, you should allow the AAA server on the ACL. Client data reaches the WLC in a CAPWAP tunnel between the AP and the WLC, from where it is sent to the wired network, so communication is done by the WLC on behalf of the client.
    Usually, high level topology is like this :
    -Thanks
    Vinod

  • Acs se aaa server problem

    HI
    I have installed ACS SE for PEAP authentication in a wireless network.
    However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after initial config in the AAA Server window of Network Configuration.
    The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
    Pls help me to get this fixed

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is this: even if we have the ACS SE connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, then after the changes have been made the ACS SE comes back and shows the IP 169.x.x.x associated with the new hostname.
    NOTE: I am considering that during initial configuration ACS SE was connected to network. If not, then this is supposed to happen.
    In order to correct this issue, follow following steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the Ip address of the ACS SE.
    Now go to, Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the Ip address of the ACS Hardware/appliance is in "Forward To" Column, If it is not, move it , and move all other entries under "AAA Servers" column and press "Submit + Restart"
    And delete the entry from the AAA Server section, that is associated with IP address 169.x.x.x
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • Two aaa-server TACACS+ in PIX 525

    I have a PIX 525 with two aaa-server for TACACS+; My aaa comands are configured by default.
    I understand that my aaa-server TACACS+max-failed-attempts "number" has "3" tries before declaring my aaa-server unresponsive and moving on to try the next server in the list.
    Once that happens, for how long are the aaa requests sent to the secondary aaa-server?
    Can somebody help me? I want to keep my first aaa-server as primary and use the second aaa-server just in case of failure.
    Thanks a lot.

    The timeout interval also has to be configured for the request. This is the time after which the PIX Firewall gives up on the request to the primary AAA server. If there is a standby AAA server, the PIX Firewall will send the request to the backup server. The retransmit timeout is currently set to 10 seconds and is not user configurable.

  • AAA Server on a Catalyst 4500

    Is it possible to configure a catalyst 4500 for example, to be a AAA Server and hold a local username and password database for other switches/routers to authenticate against?
    Thanks
    Wayne

    Wayne
    While it is possible to configure a catalyst switch as aaa client, and it is possible to configure a catalyst switch to do local authentication using a locally configured username/password database, I believe that it is not possible to configure a catalyst switch to provide authentication to other switches based on its local username/password database. I do not believe that the catalyst switches include the server code for aaa.
    HTH
    Rick

  • AAA server precedence

    Hi,
    I have two AAA servers configured in Global config, in the WLAN and in FlexConnect groups. If I understand correctly the AAA server in the WLAN has precedence over the others. Is this true? Does that mean that I can remove the AAA server config from the other two?
    The AAA servers are used for 802.1x user authentication.
    Regards,
    Philip

    AAA in the WLAN is used first... if you have network user also checked on the AAA server and for example you have a total of 4 AAA servers, 2 defined on your WLAN and two defined globally also maybe for another WLC, then when the two in the WLAN is marked as down, then the WLC will use your global AAA servers.  I don't check the box for network user or management in the AAA server, but define it in the WLAN.

  • Aaa-server reset

    In Cisco Doc: http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/a1.html#wp1510772
    the command:
    aaa-server active host 192.168.125.60
    is referenced, but is an 8.02 addition.
    Does anyone know how to do the same thing in 7.2.2.x rel of ASA code?
    I have several AAA Servers in failed state and need to restart/refresh them. If I do the test aaa-server command, it works so I know the AAA Server is now online.

    You can do this through ASDM. In ASDM you can define the method using which the servers will be activated. Following link may help you
    http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/aaasetup.html#wp1160615

  • AAA server group tag

    is the "AAA server group tag" the same as the proxy distribution entry.
    trying to setup my asa for tacacs+
    cisco# aaa-server ?
    WORD < 17 char Enter a AAA server group tag

    I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh
