AAA server group tag

Is the "AAA server group tag" the same as the proxy distribution entry?
Trying to set up my ASA for TACACS+.
cisco# aaa-server ?
WORD < 17 char Enter a AAA server group tag

I hope I get your question correctly. The AAA group tag is local to the AAA Client and has nothing to do with the AAA Server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
The Proxy Distribution Table is used when you have multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. For example, user1@NY should be redirected to the NewYork ACS.
Regards
Farrukh

Similar Messages

  • ASA5500 AAA SERVER GROUP (RADIUS) - FREERADIUS AUTH

    Hello,
    I'm trying to authenticate users from an ASA 5520 to FreeRADIUS on Debian.
    Has anyone succeeded in this? What's the way to do it?
    Thanks

    There are many other databases you can use. Check the users file in /etc/raddb/users for examples.
    You can also have it authenticate against the unix user db, i.e. /etc/passwd. This is the default configuration for freeradius.
    e.g. /etc/raddb/users
    DEFAULT Auth-Type = System
            Fall-Through = 1
    /etc/passwd uses MD5 for its hashing if I'm not mistaken.
    Cheers,
    Conor

  • Anyconnect IKEV2 restricting access via AAA auth Group

    Hi Everyone,
    I have an ASA config with 2 connection groups, say Group 1 and 2.
    Currently both are assigned to the same auth AAA group.
    One of our external vendors has access to the XML files of both connection groups 1 and 2.
    If I want the vendor to connect only to connection group 2, should I change the AAA auth group for connection group 2?
    Then even if he tries to connect to connection group 1, it should not work, as the AAA auth group will only be assigned to group 2, right?
    Regards
    Mahesh

    Hi Rick,
    Here is the info.
    Our ASA is configured with two connection groups. Our vendor has the XML files of both connection groups, say 1 and 2.
    The AAA authentication group is called RSA. There are two servers in the RSA group.
    We are using 2-factor authentication.
    We want the vendor to connect to connection group 2 only.
    We have two RSA authentication servers; they are in HA mode, so if one dies the other can do the authentication. The ASA has only 1 authentication group, called say RSA, and both connection groups 1 and 2 are tied to the same authentication group called RSA.
    If I configure a new AAA server group, say RSA2, for connection group 2, but it has the same 2 servers, will it restrict the vendor's connection to connection group 2 only?
    Also, when you say the authentication server can differentiate between the vendor users and other users and supply a group membership ID in the authentication response, I need to know how I can do this.
    Regards
    Mahesh

  • AAA server logs replication

    1. We have two locations and require Cisco ACS 5.x for each location.
    2. Both locations are connected via an MPLS link.
    3. We need to deploy both ACS in Active-Active or Active-Standby.
    4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
    5. Similarly, users in network B will have their primary ACS as ACS B, local to their LAN. If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network, and vice versa.
    6. What we understood from reading the ACS documents is that in case one of the ACS servers goes down, the accounting logs do not get replicated to the secondary ACS, and vice versa.
    7. I would like to have a setup in which accounting logs are also replicated between the ACS servers. The idea is that I should have complete logs of both servers up to the time one of the ACS servers breaks down.
    Kindly let me know if the accounting logs can be replicated in the manner mentioned above.
    Also let me know the typical bandwidth utilized during replication from ACS A to ACS B.
    We have around 500 users combining both sides.
    Our proposal is dependent upon the above solution working. Kindly see if ACS 5.x will work in the above scenario, as we need to propose the same.

  • How to use 2 AAA server for different login purpose

    Hello, could you help me?
    This is a part of my configuration; I would like to add another TACACS server, which should take care of the telnet at vty 0 4.
    The TACACS server 10.20.30.40 takes care of the virtual access, and I have another TACACS server which takes care of login on our network equipment.
    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    virtual-profile virtual-template 1
    virtual-profile aaa
    interface Serial2/0:15
    description ISDN30
    no ip address
    encapsulation ppp
    no ip route-cache
    no keepalive
    dialer pool-member 10
    isdn switch-type primary-net5
    isdn tei-negotiation first-call
    isdn caller xxxxxxx
    no fair-queue
    compress stac
    no cdp enable
    ppp authentication chap
    ppp multilink
    interface Virtual-Template1
    ip unnumbered FastEthernet1/0
    ip nat outside
    ppp authentication chap
    tacacs-server host 10.20.30.40 key ********
    line con 0
    exec-timeout 20 0
    password ************
    login authentication no_tacacs
    transport input none
    flowcontrol hardware
    line aux 0
    line vty 0 4
    access-class 1 in
    exec-timeout 60 0
    password *************
    login authentication no_tacacs
    transport input telnet
    transport output telnet
    If I just add
    aaa authentication login vtymethod group tacacs+ enable
    tacacs-server host 10.50.60.70 key ********
    line vty 0 4
    login authentication vtymethod
    My telnet request asks 10.20.30.40 and I get a deny! Could you help me make a secure solution?
    Thanks

    Jens
    I believe that your solution would be to configure a different tacacs server group with the new server in the new group and to use the new group to authenticate for your vty. The config might look something like this:
    aaa group server tacacs+ vty_TAC
    server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    tacacs-server host 10.50.60.70 key ********
    I have configured this type of thing and it worked well. When I configured it I explicitly configured (and named) two different TACACS server groups and referenced specific server groups for each authentication method. I am not clear whether it works to keep the default group tacacs+ and use it for your normal authentication or whether you may need to configure a non-default group for it.
    Give it a try and let us know what happens.
    HTH
    Rick
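
An added example, not part of the thread or anyone's posted code: a small Python check that resolves which TACACS+ servers a line's login method list will query, comparing the attempted change with the named-group change suggested above. The function names are hypothetical, only login authentication is modelled, and it assumes IOS treats `group tacacs+` as every `tacacs-server host` entry in configured order.

```python
import re

# Constructed from the thread's snippets: the original attempt adds a second
# host but still points the vty method list at the built-in "tacacs+" group.
ATTEMPT = """
aaa authentication login no_tacacs enable
aaa authentication login vtymethod group tacacs+ enable
tacacs-server host 10.20.30.40 key ********
tacacs-server host 10.50.60.70 key ********
line con 0
 login authentication no_tacacs
line vty 0 4
 login authentication vtymethod
"""
# The suggested change: a named group holding only the new server.
FIXED = ATTEMPT + """
aaa group server tacacs+ vty_TAC
 server 10.50.60.70
aaa authentication login vtymethod group vty_TAC enable
"""

def parse_ios_aaa(config):
    """Collect TACACS+ hosts, named groups, login method lists, line bindings."""
    cfg = {"hosts": [], "groups": {}, "methods": {}, "lines": {}}
    mode = None  # ("group", name) or ("line", name) while inside a sub-mode
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"tacacs-server host (\S+)", line):
            cfg["hosts"].append(m.group(1))
            mode = None
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            mode = ("group", m.group(1))
            cfg["groups"][m.group(1)] = []
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg["methods"][m.group(1)] = m.group(2).split()  # later lines replace
            mode = None
        elif m := re.match(r"line (.+)", line):
            mode = ("line", m.group(1))
            cfg["lines"][m.group(1)] = "default"  # list used when none is bound
        elif mode and mode[0] == "group" and (m := re.match(r"server (\S+)", line)):
            cfg["groups"][mode[1]].append(m.group(1))
        elif mode and mode[0] == "line" and (m := re.match(r"login authentication (\S+)", line)):
            cfg["lines"][mode[1]] = m.group(1)
    return cfg

def login_servers(cfg, line_name):
    """TACACS+ servers, in query order, consulted for login on one line."""
    tokens = iter(cfg["methods"].get(cfg["lines"][line_name], []))
    servers = []
    for tok in tokens:
        if tok == "group":
            name = next(tokens)
            # Modelled assumption: "group tacacs+" is every tacacs-server host,
            # in configured order; a named group is only its own members.
            servers += cfg["hosts"] if name == "tacacs+" else cfg["groups"].get(name, [])
    return servers

if __name__ == "__main__":
    for label, text in (("attempt", ATTEMPT), ("fixed", FIXED)):
        print(label, login_servers(parse_ios_aaa(text), "vty 0 4"))
```

With the attempted config the vty login still reaches 10.20.30.40 first; with the named group only 10.50.60.70 is consulted before the `enable` fallback.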

  • Problem with Grouping Tag in iTunes

    Hi,
    I am trying to use getID3 to read the 'Grouping' tag from iTunes. It would seem that iTunes is writing these tags to my MP3 files, as, when I open them in Media Rage, the Grouping Tag shows up OK. However, when I then upload the tracks to my server and use 'content_group_description' to read these tags (the getid3 code for the 'Grouping' tag), nothing shows up. If, however, I change the Grouping Tag in Media Rage and then re-upload, the Grouping Tag does show up.
    I wonder if someone could help me troubleshoot why this is happening. I would rather not have to retag all of my files in Media Rage if possible.
    Thanks,
    Nick

    After further investigation it would seem that the Grouping Tag is preserved such that getid3 can read it for the original files in my iTunes library. The problem occurs when files are converted using iTunes (from higher bitrate to lower bitrate MP3s). For these files, the Grouping Tag shows up in Media Rage, but cannot be read by getid3. If anyone has an idea why this might be, and what I can do to resolve this issue, I'd be glad to hear of it.
    Thanks,
    Nick

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external, as you need group mapping to make it work.
    A bit kludgy... but should work.

  • More than 1 AAA server for logging in to WebVPN

    Hi everybody,
    Does anyone know if the ASA supports simultaneous authentication with more than 1 AAA server? I've created an LDAP and a SecurID token account for every user and want them to provide both sets of account information when logging in to WebVPN.
    Please advise.
    Thanks in advance,
    Nitass

    If the AAA server you are referring to is a "radius server", then you can try out the following commands.
    In ASDM you would simply add the said RADIUS servers to the "server group".
    If you wish to do this through the CLI, you would define a group, e.g.
    aaa-server radius protocol radius
    aaa-server radius host x.x.x.x
    aaa-server radius host y.y.y.y
    aaa-server radius host z.z.z.z
    and you would then call this in the said tunnel-group :
    tunnel-group opsource type ipsec-ra
    tunnel-group opsource general-attributes
    address-pool admin_ra
    authentication-server-group radius LOCAL
    default-group-policy opsource

  • RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group

    Hi,
    I currently have an C2960 switch with IOS 15.0(2) SE4. To log on the CLI of the switch authentication against a RADIUS server takes place. Accounting is not wanted. The config of the switch is as follows:
    aaa new-model
    aaa group server radius RADIUSGROUP
     server xxx.xxx.xxx.1 auth-port 1812 acct-port 0
     server xxx.xxx.xxx.2 auth-port 1812 acct-port 0
    aaa authentication login default group RADIUSGROUP local
    aaa authentication dot1x default group RADIUSGROUP
    aaa authorization network default group RADIUSGROUP
    radius-server host xxx.xxx.xxx.1 auth-port 1812 acct-port 0 key 7 [encrypted password]
    radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 0 key 7 [encrypted password]
    It works fine, the authentication and the login are successful, but every login generates a message in the logging of the switch:
    RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group
    What is going wrong???
    Any help would be appreciated.

    That's going to be something you are going to have to go to the Cisco TAC with. That looks to be some kind of software bug. Also a feature probably not a lot of people actually use and have knowledge about.

  • AAA server precedence

    Hi,
    I have two AAA servers configured in Global config, in the WLAN and in FlexConnect groups. If I understand correctly the AAA server in the WLAN has precedence over the others. Is this true? Does that mean that I can remove the AAA server config from the other two?
    The AAA servers are used for 802.1x user authentication.
    Regards,
    Philip

    AAA in the WLAN is used first... if you have network user also checked on the AAA server and, for example, you have a total of 4 AAA servers, 2 defined on your WLAN and two defined globally (maybe also for another WLC), then when the two in the WLAN are marked as down, the WLC will use your global AAA servers. I don't check the box for network user or management in the AAA server, but define it in the WLAN.

  • ITunes "grouping" tag - ID3 tags and file rewriting

    From Wikipedia's entry about ID3 tags:
    "ID3v2.2 and 2.3 require that the tag data precede the file. Whilst for streaming data this is absolutely required, for static data it means that the entire audio file must be updated to insert data at the front of the file. For initial tagging this incurs a large penalty as every file must be re-written."
    So what I'm wondering, essentially, is whether the "grouping" tag in iTunes is a part of the ID3 tag information, which would mean that altering this tag necessitates re-writing the entire file. I don't like the idea of this, because I'd be paranoid/anal about the possibility of introducing errors in the process. However, I'd love to use the "grouping" tag for creating smart playlists. So does anyone have any more information about this tag? Thanks.

    iTunes uses the TPE2 frame tag for grouping. This is also known as the 'Band/Orchestra/Accompaniment' frame which is included in the list you linked to. This isn't a guess - I've been playing about with dnuos and querying ID3 tags in MP3 files. I can confirm it is an ID3v2 frame.
    As to having to re-write the entire file: yes, this is likely, but the ID3v2 standard also covers padding, which can be used to avoid a complete re-write in these situations. Whether or not this happens in the case of iTunes I couldn't tell you.
    As far as worrying about quality or reliability when performing this... If a player (in this case iTunes) can't even write some tags you probably need to be worrying about using it full stop. Damage could also happen if the storage device itself is dying, but again you don't want to be using it full stop.

  • Executing a Job via Web Services using a Server Group?

    When executing a job from Designer or from the Management Console you have the option to select a specific job server or a server group.
    But when executing a job via Web Services it uses the first job server with which the repository was associated (i.e. the first job server listed in AL_MACHINE_INFO).
    Is there a way to get the job to execute using a server group instead of simply choosing the first job server in the list?
    Note: We are using FIM to execute the jobs via web services and don't have access to additional parameters.

    Joe
    Here is the where you can change the server group/job server.
    - After you add the Batch/real Time job as a webservice.
    - Go to the Webservice Batch Job Attribute and from the drop down choose the "Enable job Attributes" and hit apply.
    - After this if you use the WSDL URL http://<Data Services Web Server>:<Web server Port>/DataServices/servlet/webservices?ver=2.0&wsdlxml
    - You will see the job attributes that you can change based on the allowed parameters mentioned in the documentation.
    The batch job or real time job is published without the job parameters by default. Once you enable the job attributes, remove and re publish the batch job as a web service. The application making the call to this webservice should be able to read the WSDL generated by Data services and pickup all the input and output parameters of the method.
    Refer to the Data Services Integrator guide (Chapter 3 : pages 25 - 33 ) to get the exact parameter values permitted via Data Services jobs called via web services.
    Hope this helps!
    Thanks & Regards
    Tiji

  • Bit Locker Implementation in Windows 8.1 machine using Windows server 2008 r2 server group policy.

    Is it possible to enable BitLocker only for Windows 8.1 machines through Windows Server 2008 R2 group policy?
    Thanx and Regards,
    Shanif

    Hi Shanif,
    Yes, we can do this.
    Regarding how to enable Bitlocker via group policy, the following article can be referred to as reference.
    Cannot Save Recovery Information for Bitlocker in Windows 7
    http://blogs.technet.com/b/askcore/archive/2010/02/16/cannot-save-recovery-information-for-bitlocker-in-windows-7.aspx
    After configuring the settings, we can use security filtering or WMI filtering to apply the policy to specific computers.
    Regarding this point, the following blog can be referred to for more information.
    Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
    http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
    Best regards,
    Frank Shen

  • Server Group not working when one of Job Servers is down

    I have a Server Group of two job servers. They have the same version 12.2.2.3 and are attached to the same Local Repository of version 12.2.2.0.
    When I execute a batch job (from the Designer) and explicitly specify on which job server it should run, it works fine for either job server. Also, when I specify Batch Job execution on Server Group, it works fine.
    However, when I shutdown one of the Job Servers, and then try to execute the job on Server Group, I'm getting two error messages, BODI-1111011 that one Job Server is down, and BODI-1111009 that another Job Server has failed.
    At the same time, when I check the Server Group in the Management Console, it shows that the allegedly failed Job Server is in the status green.
    That error is not reflected in the job server event log, nor is there anything written to the webadmin log or the job trace (the latter isn't created at all).
    Is there anything I can do at this point except raise a support message?

    The issue was with different users for Local Repository in Admin and Job Server config. I discovered it when trying to run the job from Admin Console. Designer is probably not the best diagnostic tool for such kind of issues.

  • How to use two group tags in the header?

    I am using BI Publishing,RTF Template,I found when I put two group tags before <?start:body?> ,the BI Publishing only keep the 2nd group tag right before <?start:body?> as header, it moved the 1st group tag to the body section.
    Is this a bug? Can anyone give me some ideas how to make BI Publish treat all the group tags before <?start:body?> as the header/sub header?
    thanks for your help

    Hi dirk,
    Thanks it worked well.
    I have one question for you in the tabular form.
    i have totally 10 columns in my tabular form, in that 9 column is of database column and only one column is non-database column, while updating the row in the tabular form it is throwing the below error like
    Current version of data in database has changed since user initiated update process. current row version identifier = "A0FD649E5A28DF9244990A3B9368298A" application row version identifier = "44CE02A233595BCA6F7D4A140BD4DF30" (Row 1)
    I thought the above error is due to the existence of non-database column in my tabular form. Is there any way to solve this issue. I need to have a non-database column in my tabular form but the presence of that column is not allowing to perform update in that tabular form.
    how to get rid of this issue dirk.
    Any ideas??
    Brgds,
    Mini
