AAA Server on a Catalyst 4500
Is it possible to configure a Catalyst 4500, for example, to be an AAA server and hold a local username and password database for other switches/routers to authenticate against?
Thanks
Wayne
Wayne
While it is possible to configure a Catalyst switch as an AAA client, and it is possible to configure a Catalyst switch to do local authentication using a locally configured username/password database, I believe that it is not possible to configure a Catalyst switch to provide authentication to other switches based on its local username/password database. I do not believe that the Catalyst switches include the server code for AAA.
HTH
Rick
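As an added example (not part of Rick's reply or the original thread), this is the configuration for the role Rick describes as possible: a Catalyst acting as an AAA client that sends logins to an external TACACS+ server and keeps its own local database only as a fallback for when no server answers. The server address, source interface and secrets are placeholders.

```cisco
! Added example, not from the thread: an IOS switch as an AAA *client*.
! 192.0.2.10, Vlan10 and the <...> secrets are placeholders. Nothing here
! makes the switch answer TACACS+/RADIUS requests from other devices; it
! only consumes a server and keeps one local account for emergencies.
aaa new-model
!
! Local fallback account: "secret" stores a hash, "password" is reversible.
username admin privilege 15 secret <Strong-Local-Password>
!
! External TACACS+ server and the shared secret that protects the session.
tacacs-server host 192.0.2.10 key <Tacacs-Shared-Secret>
ip tacacs source-interface Vlan10
!
! Order matters: the server group is tried first and the local database is
! consulted only when no server is reachable. A wrong password against a
! reachable server returns FAIL and does not fall through to "local".
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
line vty 0 4
 transport input ssh
!
! Verify from the switch before closing the console session:
!   show tacacs                                  -> request/response counters move
!   test aaa group tacacs+ admin <pw> legacy     -> "User successfully authenticated"
```

Keep the console session open while testing: if the server is unreachable and the local account was mistyped, the fallback is the only thing standing between you and a locked-out switch.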
Similar Messages
-
Catalyst 4500, scp, rcp
Does anybody know if it is possible to set up remote access to the Catalyst 4500 series switch through the rcp or scp protocol? I want to start commands on the remote unix server, like unix# scp -i identity -B acl.file user@catalyst:system:running-config or unix# rcp acl.file user@catalyst:system:running-config, where acl.file is the file with the access-list. It's important to start commands on the remote server, not on the switch. Thanks for any advice.
Hello,
I just tried this on a Cat 4500 using tftp, and successfully changed its hostname, and added a new ACL.
The same should be true for rcp and scp.
Just remember to put "end" as the last line of the file, otherwise you will get a %PARSER-4-BADCFG: Unexpected end of configuration file message (but it still works).
This was tried on Version 12.2(25)EWA4.
Hope this helped,
Michael. -
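Added example, not from Michael's reply: the switch-side preparation that scp needs before the question's command works (scp runs over SSH and, unlike tftp, the IOS scp server requires AAA exec authorization), with the unix-side commands in comments. Hostname, domain, user name and file names are assumed; the remote-path form follows the one used in the question.

```cisco
! Added example, not from the thread. Hostname, domain, user and file names
! are placeholders. Unlike tftp/rcp, scp carries the config over SSH, so the
! ACL (and any secrets in the config) are not sent in cleartext.
hostname catalyst
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! The IOS scp server refuses transfers unless exec authorization is in place;
! "local" keeps this self-contained (point it at TACACS+/RADIUS in production).
aaa new-model
aaa authentication login default local
aaa authorization exec default local
username scpuser privilege 15 secret <Strong-Password>
!
ip scp server enable
line vty 0 4
 transport input ssh
!
! From the unix host (assumed syntax, same remote-path form as the question):
!   unix$ scp acl.file scpuser@catalyst:system:running-config
!   unix$ scp scpuser@catalyst:system:running-config backup-$(date +%F).cfg
! A push to running-config merges, exactly as "copy scp: running-config"
! would. End the pushed file with "end" so the parser does not log
! %PARSER-4-BADCFG at EOF. To replace instead of merge, push the file to
! flash: and run "configure replace flash:acl.file" on images that support it.
```

Because the transfer is authorized as the scp user's privilege level, a compromised unix host holding that key can rewrite the running configuration; keep the account and key as tightly scoped as the backup job allows.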
We have a 1000v switch uplinked to Nexus 5K and Catalyst 4500 switches. I can see all the VEMs (ESX servers) connected to the Nexus 5K uplink switch and everything seems to be working fine. However, I am not able to see the VEMs uplinked to the Cisco Catalyst 4500 switch. The "show module" command shows all VEMs connected to the Nexus 5K uplink switches but not the Catalyst 4500 switches. The log file on the 1000V shows the following:
7 09:36:21 NX-1K-100 %VMS-5-DVS_HOSTMEMBER_INFO: A host with name=[IP ADD. OF ESX SERVER] and uuid=[34393232-3035-3255-5839-343030303537] is added to the dvs. The host is not found as a module in the VSM configuration.
If anyone has run into a similar situation, please let me know how you handled it.
Thanks
Hi bharga,
I did all the checking....
1) All important VLANs, including the control VLAN, are not blocked (no STP issue)
2) The Nexus 5K and the 4500 switch are in layer 2 (they are not directly connected but are in the same layer two domain, with no hop between them)
3) The ESX server hosting the VSM is connected to the Nexus 5K
Here are some of the show commands that I ran on the 4500 switch that connects the ESX server to the rest of the network:
Catalyst-4500#sh spanning-tree interface gigabitEthernet 1/38
Vlan Role Sts Cost Prio.Nbr Type
VLAN0073 Desg FWD 4 128.38 P2p Edge
VLAN0074 Desg FWD 4 128.38 P2p Edge
VLAN0151 Desg FWD 4 128.38 P2p Edge
VLAN0152 Desg FWD 4 128.38 P2p Edge
VLAN0153 Desg FWD 4 128.38 P2p Edge
VLAN0165 Desg FWD 4 128.38 P2p Edge
Catalyst-4500#sh mac address-table interface gigabitEthernet 1/38
Multicast Entries
vlan mac address type ports
-------+---------------+-------+--------------------------------------------
73 ffff.ffff.ffff system Gi1/32,Gi1/38,Gi1/42,Gi1/45
74 ffff.ffff.ffff system Gi1/38,Gi1/41,Gi1/45
151 ffff.ffff.ffff system Gi1/3,Gi1/5,Gi1/6,Gi1/7,Gi1/9,Gi1/10,Gi1/11
Gi1/12,Gi1/14,Gi1/16,Gi1/17,Gi1/18,Gi1/19
Gi1/21,Gi1/22,Gi1/23,Gi1/25,Gi1/26,Gi1/27
I still don't see the VEM connected to port 1/38 of this switch on my Nexus 1000v switch. The configuration file shows exactly how many VEMs I have, as shown below:
Nexus-1000v# sh running-config
host vmware id 34373030-3635-3255-5830-303630344
vem 4
host vmware id 34373030-3635-3255-5830-313130313
vem 5
host vmware id 34373030-3635-3255-5830-303630344
vem 6
host vmware id 34393232-3035-3255-5839-3134303537
vem 7
host vmware id 34373030-3635-3255-5830-313130313
vem 8
host vmware id 33393138-3335-5553-4539-31314e3438
vem 9
host vmware id 34393232-3035-3255-5839-3339303646
vem 10
host vmware id 34393232-3035-3255-5839-3430303035
vem 11
host vmware id 34393232-3035-3255-5839-3339303646
But the show module command on the Nexus 1000v shows only those VEMs connected to the Nexus 5K switches and not those connected to the Catalyst 4500 switches.
The uplink port-profile configuration on the Nexus 1000V:
vmware port-group
switchport mode trunk
switchport trunk native vlan 74
switchport trunk allowed vlan 73-74,151-153,165,180,811,813,815,817-822,824,826-831
channel-group auto mode on sub-group cdp
no shutdown
system vlan 74,180,811,819-821
state enabled
The corresponding interface on the 4500 switch:
interface GigabitEthernet1/38
switchport trunk encapsulation dot1q
switchport trunk native vlan 74
switchport trunk allowed vlan 73,74,151-153,165,180,811,813,815,817-822,824
switchport trunk allowed vlan add 826-831
switchport mode trunk
mtu 9000
spanning-tree portfast trunk
I would really appreciate help in finding out why I can't see the VEMs (ESX servers) connected to the 4500 switches.
Thanks -
1. We have two locations and require Cisco ACS 5.x for each location.
2. Both locations are connected via an MPLS link.
3. Need to deploy both ACS in Active-Active or Active-Standby.
4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
5. Similarly, users in network B will have as their primary ACS the ACS B local to their LAN.
If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network, and vice versa.
6. What we understood from reading the ACS documents is that in case one of the ACS goes down, the accounting logs do not get replicated to the secondary ACS, and vice versa.
7. I would like to have a setup in which the accounting logs are also replicated between the ACS servers. The idea is that I should have complete logs of both servers up to the time one of the ACS breaks down.
Kindly let me know if the accounting logs can be replicated in the manner mentioned above.
Also let me know the typical bandwidth utilized during replication from ACS A to ACS B.
We have around 500 users combining both sides.
Our proposal is dependent upon the above solution working... kindly see if ACS 5.x will work in the above scenario, as we need to propose the same.
I hope I got your question correctly. The AAA group tag is local to the AAA client and has nothing to do with the AAA server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
Regards
Farrukh -
Hello,
Please, which service is actually suspended when the AAA server gives this report?
"Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
And how can I resolve it?
Also, my backup AAA server is still not replying. If I shut down the service on the primary ACS, the error I get when I try to log in is "auth server down".
What can I do to correct these?
To my knowledge, it's the authentication service like RADIUS or TACACS+ that is suspended.
-
ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x
Hello,
I have ACS 4.2.0.124.15 installed on a windows server 2008.
In the configuration menu Network Config > AAA Server, the AAA server IP address changes to 169.254.x.x each time I disconnect the Ethernet interface of the server,
although the IP address of the Windows LAN connection is set to static.
When I reconnect the Ethernet interface of the server, it stays at 169.254.x.x, and I need to reconfigure the real static address each time.
Do you know this problem? Is there a way to avoid it?
Michel Misonne
Hi Michel,
It was an issue in the ACS 1113 SE appliance, and a clear solution for the above is mentioned in the link below:
http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
HTH
Ganesh.H -
AAA Server IP Pool based on AAA Client
Hi,
I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
Any pointers on how to do this (if possible) would be greatly appreciated.
Thanks in advance
Andy
With ACS v4 you could do this....
Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
Probably only works when users are external, as you need group mapping to make it work.
A bit kludgy, but it should work. -
Hello all,
Quick question (couldn't find answer on google).
Can the Cisco Wireless LAN Controller model 5508 act as an AAA server, or does that require a separate device/server/appliance?
My initial answer to this question was yes, if running in local EAP mode...
Anybody?
Thank you both. I love this forum. I am working as an intern with my current company, but I am no stranger to IT. The pay is humbling, but I am learning fast and this forum has really helped accelerate my learning. I thought having a CCNA alone would get me the good job, but nothing beats experience.
Thanks again! -
ACS error, AAA Server is referenced in the Proxy Distribution Table
When installing the ACS appliance (4.1) I have an issue where during the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time with success.
The issue is seen when logging in to the GUI under Network Configuration > AAA Servers:
AAA server    AAA server IP address    AAA server type
self          10.10.10.1               CiscoSecure ACS
ciscoacs      169.254.25.58            CiscoSecure ACS
Under Network Configuration > Proxy Distribution Table:
Character String    AAA Servers    Strip    Account
Default             ciscoacs       no       Local
The 2 questions I have are how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
ACS error when trying to delete:
"Can not Delete AAA Server, AAA Server is referenced in the Proxy Distribution Table"
Many Thanks MJ
Go to
Network Configuration > Proxy Distribution Table > (Default).
Swap the entry in this section under the AAA Server and Forward To tables > Submit + Restart.
Then try to delete the 169.x.x.x entry.
Regards,
Prem -
More than 1 AAA server for logging in to WebVPN
Hi everybody,
Does anyone know if ASA supports simultaneous authentication against more than 1 AAA server? I've created an LDAP and a SecurID token account for every user and want them to provide both sets of account information for logging in to WebVPN.
Please advise.
Thanks in advance,
Nitass
If the AAA server you are referring to is a "radius server", then you can try out the following commands.
In ASDM you would simply add the said RADIUS servers to the "server group".
If you wish to do this through the CLI, you would define a group, e.g.
aaa-server radius protocol radius
aaa-server radius host x.x.x.x
aaa-server radius host y.y.y.y
aaa-server radius host z.z.z.z
and you would then call this in the said tunnel-group :
tunnel-group opsource type ipsec-ra
tunnel-group opsource general-attributes
address-pool admin_ra
authentication-server-group radius LOCAL
default-group-policy opsource -
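Added example for the WebVPN thread above, not from Nitass's or the answerer's posts: for the case the question describes (each user holds an LDAP password and a SecurID token, and both must be presented at login), the ASA has a separate "double authentication" setting on the tunnel-group. It requires ASA 8.2 or later, which is an assumption about the poster's version; server names, addresses, the bind account and the group policy are placeholders.

```cisco
! Added example, not from the thread. Requires ASA 8.2+ (assumed). All names,
! addresses and the bind account are placeholders; group-policy webvpn-policy
! must already exist.
!
! Primary factor: the user's AD/LDAP password.
aaa-server LDAP_AD protocol ldap
aaa-server LDAP_AD (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=net
 ldap-login-password <Bind-Password>
 server-type microsoft
!
! Second factor: the SecurID passcode, reached through the RSA Authentication
! Manager's RADIUS interface.
aaa-server SECURID protocol radius
aaa-server SECURID (inside) host 192.0.2.30
 key <Radius-Shared-Secret>
!
webvpn
 enable outside
!
tunnel-group webvpn-users type remote-access
tunnel-group webvpn-users general-attributes
 authentication-server-group LDAP_AD
 secondary-authentication-server-group SECURID use-primary-username
 default-group-policy webvpn-policy
tunnel-group webvpn-users webvpn-attributes
 group-alias webvpn-users enable
!
! "use-primary-username" makes the portal prompt once for the username and
! twice for a password: the LDAP password, then the SecurID passcode. Both
! must succeed. This differs from listing several hosts under one
! aaa-server group, which only gives failover between servers of one type.
! Dry-run each server without touching the portal:
!   test aaa-server authentication LDAP_AD host 192.0.2.20 username jdoe password <pw>
!   test aaa-server authentication SECURID host 192.0.2.30 username jdoe password <passcode>
```

If the primary group is also used alone by another tunnel-group (for example an AnyConnect profile), keep that in mind when reviewing: the second factor is enforced per tunnel-group, not per server.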
Catalyst 4500 Ethernet and fibre channel passthru
dear sir,
Does anyone have any idea / documentation showing that the devices below, 1.) & 2.), can support Ethernet and fibre channel passthrough? Thanks.
1.) WS-X4424-GB-RJ4 (Catalyst 4500 24-port 10/100/1000 Module (RJ45))
2.) WS-X4306-GB (Catalyst 4500 Gigabit Ethernet Module, 6-Ports (GBIC))
You're welcome. Check below for the module info. There is a description about support of fibre channel passthrough.
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_data_sheet0900aecd802109ea.html
You can also search the Cisco web for more info.
Hope this helps. -
Trunking on Nexus 5000 to Catalyst 4500
I have 2 devices on each end of a Point to Point. One side has a Nexus 5000, the other end a Catalyst 4500. We want a trunk port on both sides to allow a single VLAN for the moment. I have not worked with Nexus before. Could someone look at the configurations of the ports and let me know if it looks ok?
nexus 5000
interface Ethernet1/17
description
switchport mode trunk
switchport trunk allowed vlan 141
spanning-tree guard root
spanning-tree bpdufilter enable
speed 1000
Catalyst 4500
interface GigabitEthernet3/39
description
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 141
switchport mode trunk
speed 1000
spanning-tree bpdufilter enable
spanning-tree guard root
Thanks guys, we found the issue. The Catalyst is on my side and the Nexus is on the side of the hosting center. The hosting center moved its connection to a different Nexus 5000 and the connection came right up. We dropped the spanning-tree guard root.
It was working on the previous Nexus when we set the native VLAN to 141. So we thought it was the point to point dropping the tags.
The hosting center engineer thinks it might have to do with the vPC peer-link loop prevention on the previous Nexus.
Anyway it is working the way we need it to. -
Wism and aaa server communication
Hi
How does a WiSM talk to the AAA server? Does the WiSM talk on behalf of the user?
What I mean is, if there is an ACL on the interface VLAN (switch), do we need to allow the AAA server in the access list?
Thanks
Yes, you should allow the AAA server on the ACL. Client data arrives in a CAPWAP tunnel between the AP and the WLC, from where it is sent to the wired network, so the communication is done by the WLC on behalf of the client.
Usually, the high-level topology is like this:
-Thanks
Vinod
**Encourage Contributors. RATE Them.** -
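Added example for the WiSM/AAA thread above, not from Vinod's reply: an ACL on the switch SVI for the controller's management VLAN that admits the AAA traffic the WLC sends on behalf of wireless clients. Addresses, the VLAN number and the port numbers are assumptions (1812/1813 are the IANA RADIUS ports; older servers may still listen on 1645/1646).

```cisco
! Added example, not from the thread. 10.10.10.5 is the WLC/WiSM management
! address, 10.10.20.10 the AAA server, Vlan10 the management SVI: all placeholders.
! The WLC performs the RADIUS exchange itself, so the source of every AAA
! packet is the controller, never the wireless client.
ip access-list extended WLC-MGMT-IN
 remark RADIUS authentication and accounting, WLC -> AAA server
 permit udp host 10.10.10.5 host 10.10.20.10 eq 1812
 permit udp host 10.10.10.5 host 10.10.20.10 eq 1813
 remark TACACS+ for admin logins to the WLC itself (omit if unused)
 permit tcp host 10.10.10.5 host 10.10.20.10 eq 49
 remark CAPWAP from the WLC back to APs on other VLANs (WLC sources 5246/5247)
 permit udp host 10.10.10.5 range 5246 5247 any
 remark the implicit deny drops everything else the WLC originates:
 remark add DNS, NTP, syslog, SNMP and management access as the design needs
!
interface Vlan10
 description WLC management VLAN
 ip address 10.10.10.1 255.255.255.0
 ip access-group WLC-MGMT-IN in
!
! "in" on the SVI filters traffic leaving the VLAN toward the switch, i.e.
! what the WLC sends. RADIUS replies return to the WLC's ephemeral port
! through the SVI's outbound direction, which this ACL does not touch.
! If authentication fails after applying it, compare both ends:
!   show ip access-lists WLC-MGMT-IN    -> hit counts on the 1812/1813 lines
!   show radius auth statistics         -> on the WLC: requests sent vs. timeouts
```

A management VLAN ACL written this way also documents which systems the controller is allowed to talk to, which is what you want to be able to show when a wireless client is compromised and someone asks what the WLC could have reached on its behalf.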
WS-X4306-GB - Catalyst 4500 6-port GBIC Module & FC Tape Libraries
I have several Tape Autoloader Libraries from Dell which have Fibre Channel interfaces. I have loop switches that these connect to today. I also have a Catalyst 4506 with a WS-X4306-GB - 6-port GBIC Module. I would like to use the X4306 as a loop switch. Some of the libraries can also connect via point-to-point FC.
Can this be done? If yes, how do I start in making this happen?
Thank You.
Sorry, but the Catalyst 4500 does not support Fibre Channel connections on the WS-X4306-GB (or on any card). It's strictly an Ethernet switch. Reference
To mix and match Ethernet and FC interfaces, you'd have to be on a new platform like the Nexus 5k series - specifically the UP (Unified Port) variants. -
QoS trust dscp or cos on catalyst 4500
We have a 4510R with Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1).
I want to use qos trust dscp or qos trust cos on the interface connected to another Cisco switch or WLAN controller.
The current IOS version does not support qos trust dscp:
SW(config)#interface gi10/16
SW(config-if)#qos tr
SW(config-if)#qos trust ?
device trusted device class
extend Extend trust through a connected device
SW(config-if)#qos trust device ?
cisco-phone Cisco IP Phone
cts Cisco-telepresence
ip-camera Cisco video surveillance camera
media-player Cisco Digital Media Player
SW(config-if)#qos trust device
What is the software that I need for this? I tried with the command lookup tool but the cat4500 does not appear.
That is even new for me.
I did a search and found that nowadays you no longer have to provide the Trust DSCP command; it is trusted by default.
Went through this White Paper and excerpts are below:
http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/white_paper_c11-539588.html
The answer to your question comes from the following excerpt :-
"Previously supervisor engines relied on “port trust” to classify traffic; however, this does not fall into the MQC CLI construct. MQC provides a more flexible capability, i.e. all traffic is trusted by default, an administrator can change this trust state using a policy map. Another difference is the “internal DSCP” value used within the switch to place packets in the proper queue.
Cisco Catalyst 4500E Supervisor Engines do not use “internal DSCP”; rather, it relies on explicit matching of QoS values using class maps so that packets can be placed in the correct queue.
Also, note that there is no specific priority queue: it is not queue 3 or queue 1. The priority queue is simply configured within a class; therefore, it is not tied to a specific queue. One final difference is that of classification. Cisco Catalyst 4500E Supervisor Engines provide sequential classification rather than parallel. This allows the network administrator to classify traffic at egress based on the ingress markings. These markings can be done unconditionally, using a policer or using a table map. Based on these changes, QoS CLI will now be more contiguous on the Supervisor Engines as it will now have standard Cisco MQC CLI, making configuration management much simpler"
HTH,
Please rate all helpful posts.
Regards
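Added example for the QoS thread above, not from the thread or the white paper: the MQC equivalents of the old port-trust commands on a 4500E supervisor, for the two kinds of port the question cares about. Since the platform trusts every marking by default, the configuration that matters for security is the untrusted access port, which must remark on ingress; the uplink to the other switch or WLAN controller simply queues on the markings it receives. Interface numbers, class contents and percentages are assumptions.

```cisco
! Added example, not from the thread. Interface numbers, the DSCP values in
! each class and the percentages are placeholders.
!
! Ingress on user-facing access ports: because every port trusts by default,
! a host can mark its own traffic EF and jump the voice queue unless the
! switch overwrites the marking here.
policy-map UNTRUSTED-IN
 class class-default
  set dscp default
!
! Egress on the inter-switch / WLC uplink: queue on the DSCP values that the
! trusted neighbour set (the replacement for "qos trust dscp").
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41 af42 af43
class-map match-any NET-CONTROL
 match dscp cs6 cs7
!
policy-map UPLINK-OUT
 class VOICE
  priority
  ! in production add a policer under the priority class so EF cannot starve
  ! the other queues if an upstream device is misconfigured or malicious
 class VIDEO
  bandwidth remaining percent 30
 class NET-CONTROL
  bandwidth remaining percent 5
 class class-default
  bandwidth remaining percent 65
!
interface GigabitEthernet10/1
 description user-facing access port (untrusted)
 service-policy input UNTRUSTED-IN
!
interface GigabitEthernet10/16
 description uplink to switch / WLAN controller (trusted by default)
 service-policy output UPLINK-OUT
!
! Verify: "show policy-map interface GigabitEthernet10/16" shows per-class
! packet counters. A VOICE counter that never moves usually means EF is
! being rewritten somewhere upstream; a VOICE counter that moves on a port
! with no phones behind it means an untrusted port is missing UNTRUSTED-IN.
```

The ports that need no configuration at all on this platform are exactly the ones the question asks about; the work moves to the ports you would previously have left untrusted.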