AAA Server on a Catalyst 4500

Is it possible to configure a Catalyst 4500, for example, to be an AAA server and hold a local username and password database for other switches/routers to authenticate against?
Thanks
Wayne

Wayne
While it is possible to configure a Catalyst switch as an AAA client, and it is possible to configure a Catalyst switch to do local authentication using a locally configured username/password database, I believe that it is not possible to configure a Catalyst switch to provide authentication to other switches based on its local username/password database. I do not believe that the Catalyst switches include the server code for AAA.
HTH
Rick
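What Rick describes, put into a configuration as an added example (this is not from the thread): the Catalyst acts as an AAA client of two external TACACS+ servers and keeps its local database only as a fallback. Server addresses, the shared key, the user name, the VLAN used as source interface and the placeholder secrets are assumptions. The named `tacacs server` form needs IOS 15 / IOS-XE; older 12.2 images use `tacacs-server host` instead.

```cisco
! Added example, not from the original thread. Addresses, keys, user name
! and source interface are placeholders/assumptions.
aaa new-model
!
! Local user database: consulted only when every external server is down.
! "secret" stores a salted hash; "password" (type 7) is reversible.
username netadmin privilege 15 secret <choose-a-strong-passphrase>
enable secret <choose-a-strong-passphrase>
!
! The external servers: this is the "AAA server" role the switch itself
! cannot fill.
tacacs server acs-primary
 address ipv4 192.0.2.10
 key <shared-secret>
tacacs server acs-secondary
 address ipv4 192.0.2.11
 key <shared-secret>
!
aaa group server tacacs+ MGMT-TACACS
 server name acs-primary
 server name acs-secondary
!
! Method lists: TACACS+ first, local database only if the group is unreachable.
aaa authentication login default group MGMT-TACACS local
aaa authorization exec default group MGMT-TACACS local
aaa authorization commands 15 default group MGMT-TACACS local
aaa accounting exec default start-stop group MGMT-TACACS
aaa accounting commands 15 default start-stop group MGMT-TACACS
!
! Send AAA traffic from a stable management address (assumed Vlan100).
ip tacacs source-interface Vlan100
!
line vty 0 15
 transport input ssh
 login authentication default
```

The order in `group MGMT-TACACS local` matters: the local database is tried only when no server in the group answers; a reject returned by a server is final and does not fall through, so the local account cannot be used to bypass the server while it is reachable.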

Similar Messages

  • Catalyst 4500, scp, rcp

    Does anybody know if it is possible to set up remote access to the Catalyst 4500 series switch through the rcp or scp protocol? I want to start commands on the remote unix server, like unix# scp -i identity -B acl.file user@catalyst:system:running-config or unix# rcp acl.file user@catalyst:system:running-config, where acl.file is the file with the access-list. It's important to start the commands on the remote server, not on the switch. Thanks for any advice.

    Hello,
    I just tried this on a Cat 4500 using tftp, and successfully changed its hostname, and added a new ACL.
    The same should be true for rcp and scp.
    Just remember to put "end" as the last line of the file, otherwise you will get a %PARSER-4-BADCFG: Unexpected end of configuration file message (but it still works).
    This was tried on Version 12.2(25)EWA4.
    Hope this helped,
    Michael.
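Michael tested the push with tftp; for scp the switch side has to run an SCP server first. Added example (not part of the reply above) of what that takes on IOS: SSH, AAA authentication and exec authorization, then `ip scp server enable`. Hostname, domain name, user name and the local method are assumptions; with an external AAA server the method lists would name that group instead of `local`.

```cisco
! Added example, not from the original thread. Hostname, domain, user and
! the "local" method are assumptions.
hostname catalyst
ip domain-name example.net
! generate the SSH host key once (typed in config mode)
crypto key generate rsa modulus 2048
ip ssh version 2
!
! The SCP server will not accept a session unless AAA authentication and
! exec authorization are configured, because it checks the privilege level
! of the user before touching the file system.
aaa new-model
username scpadmin privilege 15 secret <choose-a-strong-passphrase>
aaa authentication login default local
aaa authorization exec default local
!
ip scp server enable
!
line vty 0 15
 transport input ssh
```

With this in place the copy is initiated from the unix side over SSH, exactly as asked. Of the three transports in the question, scp is the only one that authenticates the user and encrypts the configuration in transit; tftp has no authentication at all and rcp trusts the client by host name and user name, so an access-list pushed over either can be replaced by anyone who can spoof the source.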

  • 1000v uplink to Catalyst 4500

    We have a 1000v switch uplinked to Nexus 5K and Catalyst 4500 switches. I can see all the VEMs (ESX servers) connected to the Nexus 5K uplink switch and everything seems to be working fine. However, I am not able to see the VEMs uplinked to the Cisco Catalyst 4500 switch. The "show module" command shows all VEMs connected to the Nexus 5K uplink switches but not the Catalyst 4500 switches. The log file on the 1000V shows the following:
       7 09:36:21 NX-1K-100 %VMS-5-DVS_HOSTMEMBER_INFO: A host with name=[IP ADD. OF ESX SERVER] and uuid=[34393232-3035-3255-5839-343030303537] is added to the dvs. The host is not found as a module in the VSM configuration.
    If anyone has run into a similar situation, please let me know how you handled it.
    Thanks

    Hi bharga,
    I did all the checking....
        1) all important VLANs including the control VLAN are not blocked (no STP issue)
        2) The Nexus 5K and the 4500 switch are in the same layer 2 domain (they are not directly connected, but there is no hop between them)
        3) the ESX server hosting the VSM is connected to the Nexus 5K
    Here are some of the show commands that I ran on the 4500 switch that connects the ESX server to the rest of the network:
    Catalyst-4500#sh spanning-tree interface gigabitEthernet 1/38
    Vlan                Role Sts Cost      Prio.Nbr Type
    VLAN0073            Desg FWD 4         128.38   P2p Edge
    VLAN0074            Desg FWD 4         128.38   P2p Edge
    VLAN0151            Desg FWD 4         128.38   P2p Edge
    VLAN0152            Desg FWD 4         128.38   P2p Edge
    VLAN0153            Desg FWD 4         128.38   P2p Edge
    VLAN0165            Desg FWD 4         128.38   P2p Edge
    Catalyst-4500#sh mac address-table interface gigabitEthernet 1/38
    Multicast Entries
    vlan    mac address     type    ports
    -------+---------------+-------+--------------------------------------------
      73    ffff.ffff.ffff   system Gi1/32,Gi1/38,Gi1/42,Gi1/45
      74    ffff.ffff.ffff   system Gi1/38,Gi1/41,Gi1/45
    151    ffff.ffff.ffff   system Gi1/3,Gi1/5,Gi1/6,Gi1/7,Gi1/9,Gi1/10,Gi1/11
                                    Gi1/12,Gi1/14,Gi1/16,Gi1/17,Gi1/18,Gi1/19
                                    Gi1/21,Gi1/22,Gi1/23,Gi1/25,Gi1/26,Gi1/27
    I still don't see the VEM  connected to port 1/38 of this switch on my nexus 1000v switch. The configuration file show exactly how many VEMs I have as shown below:
    Nexus-1000v# sh running-config
      host vmware id 34373030-3635-3255-5830-303630344
    vem 4
      host vmware id 34373030-3635-3255-5830-313130313
    vem 5
      host vmware id 34373030-3635-3255-5830-303630344
    vem 6
      host vmware id 34393232-3035-3255-5839-3134303537
    vem 7
      host vmware id 34373030-3635-3255-5830-313130313
    vem 8
      host vmware id 33393138-3335-5553-4539-31314e3438
    vem 9
      host vmware id 34393232-3035-3255-5839-3339303646
    vem 10
      host vmware id 34393232-3035-3255-5839-3430303035
    vem 11
      host vmware id 34393232-3035-3255-5839-3339303646
    But the show module command on the Nexus 1000v shows only those VEMs connected to the Nexus 5K switches and not those connected to the Catalyst 4500 switches.
    The uplink port-profile configuration on the Nexus 1000V:
    vmware port-group
      switchport mode trunk
      switchport trunk native vlan 74
      switchport trunk allowed vlan 73-74,151-153,165,180,811,813,815,817-822,824,826-831
      channel-group auto mode on sub-group cdp
      no shutdown
      system vlan 74,180,811,819-821
      state enabled
    The corresponding interface on the 4500 switch:
    interface GigabitEthernet1/38
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 74
    switchport trunk allowed vlan 73,74,151-153,165,180,811,813,815,817-822,824
    switchport trunk allowed vlan add 826-831
    switchport mode trunk
    mtu 9000
    spanning-tree portfast trunk
    I would really appreciate help finding out why I can't see the VEMs (ESX servers) connected to the 4500 switches.
    Thanks

  • AAA server logs replication

    1. We have two locations and require Cisco ACS 5.x for each location.
    2. Both locations are connected via an MPLS link.
    3. Need to deploy both ACS in Active-Active OR Active-Standby.
    4. The idea is that users in network A will have their primary ACS as ACS A and secondary ACS as ACS B.
    5. Similarly users in network B will have ACS B, local to their LAN, as their primary ACS. If the ACS in network A goes down, then users in network A should be able to authenticate using ACS B in the remote network and vice versa.
    6. Now what we understood by reading the ACS documents is that in case one of the ACS goes down, the accounting logs do not get replicated to the secondary ACS and vice versa.
    7. I would like to have a kind of setup wherein accounting logs are also replicated between ACS servers. The idea is that I should have complete logs of both servers up to the time one of the ACS breaks down.
    Kindly let me know if the accounting logs can be replicated in the manner mentioned above.
    Also let me know the typical bandwidth utilized during replication from ACS A to ACS B.
    We have around 500 users combining both sides.
    Our proposal is dependent upon the above solution working... kindly see if ACS 5.x will work in the above scenario as we need to propose the same.

    I hope I got your question correctly. The AAA group tag is local to the AAA client and has nothing to do with the AAA server (e.g. ACS). It is meant to group more than one TACACS/RADIUS server.
    Proxy Distribution Table is used when you have Multiple ACS servers and you want to route incoming AAA requests to particular server(s) based on pre-defined criteria. Like user1@NY should be redirected to the NewYork ACS.
    Regards
    Farrukh

  • Errors on aaa server

    Hello,
    Please, which service is actually suspended when the AAA server gives this report?
    "Service CSAuth has been stopped or paused by the system. Monitoring will suspend until the service is restarted."
    And how can I resolve it?
    Also, my backup AAA server is still not replying. If I shut down the service on the primary ACS, the error I get when I try to log in is "auth server down".
    What can I do to correct these?

    To my knowledge, it's the authentication service like Radius or Tacacs+ that is suspended.

  • ACS 4.2.0 AAA-server-IP-address changing to 169.254.x.x

    Hello,
    I have ACS 4.2.0.124.15 installed on a Windows Server 2008.
    In the configuration menu: Network Config > AAA Server, the AAA-server-IP-address changes to 169.254.x.x each time I disconnect the ethernet interface of the server,
    although the IP address in the Windows LAN connection is set to static.
    When I reconnect the ethernet interface of the server, it stays at 169.254.x.x, and I need to reconfigure the real static address each time.
    Do you know this problem? Is there a way to avoid it?
    Michel Misonne

    Hi Michel,
    It was an issue in the ACS 1113 SE appliance, and a clear solution for the above is given in the link below:
    http://www.ciscosystems.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#stat
    HTH
    Ganesh.H

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external, as you need group mapping to make it work.
    A bit kludgy.. but should work.

  • WLC 5508 and AAA server

    Hello all,
    Quick question (couldn't find answer on google).
    Can the Cisco Wireless LAN Controller model 5508 act as an AAA server, or does that require a separate device/server/appliance?
    My initial answer to this question was yes, if running in local EAP mode...
    Anybody?

    Thank you both.  I love this forum   I am working as an intern with my current company; but no stranger to IT.  The pay is humbling, but I am learning fast and this forum has really helped accelerate my learning.  I thought having a CCNA along would get me the good job, but nothing beats experience.
    Thanks again!

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue. During the setup it prompts for a static address, gateway, and DNS. This is fine, and network connectivity is tested during this time successfully.
    The issue appears when logging in to the GUI under Network Configuration > AAA Servers:
    AAA server   AAA server IP address   AAA server type
    self         10.10.10.1              CiscoSecure ACS
    ciscoacs     169.254.25.58           CiscoSecure ACS
    Under Network Configuration > Proxy Distribution Table:
    Character String   AAA Servers   Strip   Account
    Default            ciscoacs      no      Local
    The 2 questions I have are how to stop the 169.x.x.x address (or why it is being put into the configuration), and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete..
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to,
    Network configuration > Proxy Distribution Table > (Default).
    swap the entry in this section under tables AAA Server and Forward to > Submit + Restart.
    Then try to delete 169.x.x.x entry.
    Regards,
    Prem

  • More than 1 AAA server for logging in to WebVPN

    Hi everybody,
    Does anyone know if the ASA supports simultaneous authentication against more than 1 AAA server? I've created an LDAP and a SecurID token account for every user and want them to provide both sets of account information when logging in to WebVPN.
    Please advise.
    Thanks in advance,
    Nitass

    If the AAA server you are referring to is a RADIUS server, then you can try out the following commands.
    In ASDM you would simply add the said RADIUS servers to the "server group"
    If you wish to do this through CLI, you would define a group eg
    aaa-server radius protocol radius
    aaa-server radius host x.x.x.x
    aaa-server radius host y.y.y.y
    aaa-server radius host z.z.z.z
    and you would then call this in the said tunnel-group :
    tunnel-group opsource type ipsec-ra
    tunnel-group opsource general-attributes
    address-pool admin_ra
    authentication-server-group radius LOCAL
    default-group-policy opsource
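The server group above gives failover between RADIUS hosts, not two credentials per login. Added example (not from the reply above) of the two-credential case Nitass asked for: one LDAP group and one RADIUS group for the SecurID tokens, and a WebVPN tunnel-group that requires both. Group names, addresses, interface names, the LDAP bind DN and the group-policy are assumptions; `secondary-authentication-server-group` is available on ASA 8.2(1) and later.

```cisco
! Added example, not from the original reply. Names, addresses, interfaces,
! bind DN and group-policy are assumptions.
aaa-server LDAP-GRP protocol ldap
aaa-server LDAP-GRP (inside) host 192.0.2.20
 ldap-base-dn dc=example,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=net
 ldap-login-password <bind-password>
 server-type microsoft
!
! SecurID reached over RADIUS (the RSA Authentication Manager side is assumed)
aaa-server RSA-GRP protocol radius
aaa-server RSA-GRP (inside) host 192.0.2.30
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
tunnel-group WEBVPN-DUAL type remote-access
tunnel-group WEBVPN-DUAL general-attributes
 authentication-server-group LDAP-GRP
 ! second credential: the token; the LDAP username is reused so the user
 ! types it once and cannot pair the token with a different account
 secondary-authentication-server-group RSA-GRP use-primary-username
 default-group-policy WEBVPN-POL
tunnel-group WEBVPN-DUAL webvpn-attributes
 group-alias dual enable
```

Neither group has a `LOCAL` fallback on purpose: appending `LOCAL` to the primary group, as in the reply's `authentication-server-group radius LOCAL`, means that while the directory is unreachable a local password alone is enough, which quietly turns the two-credential login into a single one.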

  • Catalyst 4500 Ethernet and fibre channel passthru

    dear sir,
    does anyone have any idea / documentation showing that the devices below, 1) and 2), can support Ethernet and fibre channel passthru? Thanks.
    1) WS-X4424-GB-RJ4 (Catalyst 4500 24-port 10/100/1000 Module (RJ45))
    2) WS-X4306-GB (Catalyst 4500 Gigabit Ethernet Module, 6-Ports (GBIC))

    You're welcome. Check below for the module info; there is a description of fibre channel passthru support.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_data_sheet0900aecd802109ea.html
    You can also search the Cisco web for more info.
    Hope this helps.

  • Trunking on Nexus 5000 to Catalyst 4500

    I have 2 devices on the each end of a Point to Point.  One side has a Nexus 5000 the other end a Catalyst 4500.  We want a trunk port on both sides to allow a single VLAN for the moment.  I have not worked with Nexus before.  Could someone look at the configurations of the Ports and let me know if it looks ok?
    nexus 5000
    interface Ethernet1/17
      description
      switchport mode trunk
      switchport trunk allowed vlan 141
      spanning-tree guard root
      spanning-tree bpdufilter enable
      speed 1000
    Catalyst 4500
    interface GigabitEthernet3/39
    description
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 141
    switchport mode trunk
    speed 1000
    spanning-tree bpdufilter enable
    spanning-tree guard root

    Thanks guys, we found the issue. The Catalyst is on my side and the Nexus is on the side of the hosting center. The hosting center moved his connection to a different Nexus 5000 and the connection came right up. We dropped the spanning-tree guard root.
    It was working on the previous Nexus when we set the native VLAN to 141. So we thought it was the point to point dropping the tags.
    The hosting center engineer thinks it might have to do with the vPC peer-link loop prevention on the previous Nexus.
    Anyway it is working the way we need it to.
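The link came up once "native vlan 141" was used, which means production traffic crossed the provider untagged. Added example (not either poster's configuration) of the Catalyst 4500 side hardened for a trunk to another organisation: VLAN 141 is carried tagged only, the native VLAN is parked on an unused ID, and DTP is switched off. VLAN 999 and the description are assumptions.

```cisco
! Added example, not from the original thread. VLAN 999 is an assumed unused ID.
vlan 999
 name UNUSED-NATIVE
 shutdown
!
interface GigabitEthernet3/39
 description P2P to hosting centre Nexus 5000
 switchport trunk encapsulation dot1q
 ! untagged frames arriving from the far side land in VLAN 999, never in a
 ! production VLAN; VLAN 141 must now be tagged to be accepted
 switchport trunk native vlan 999
 switchport trunk allowed vlan 141
 switchport mode trunk
 ! no DTP toward a device you do not administer
 switchport nonegotiate
 speed 1000
 ! kept from the original config: note that bpdufilter discards the far
 ! side's BPDUs silently, so a loop through the provider is not detected here
 spanning-tree bpdufilter enable
```

The Nexus end needs the matching `switchport trunk native vlan 999` (or an equivalent unused VLAN) or the two sides will log a native VLAN mismatch and the tagged VLAN 141 traffic will still pass while the untagged path is isolated, which is the intended result.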

  • Wism and aaa server communication

    Hi 
    How does a WiSM talk to the AAA server? Does the WiSM talk on behalf of the user?
    What I mean is, if there is an ACL on the interface VLAN (switch), do we need to allow the AAA server in the access list?
    Thanks 

    Yes, you should allow the AAA server on the ACL. Client data reaches the WLC in a CAPWAP tunnel between AP and WLC, from where it is sent to the wired network, so the communication is done by the WLC on behalf of the client.
    Usually, high level topology is like this :
    -Thanks
    Vinod
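Added example (not from Vinod's reply) of what that ACL looks like on the switch: an extended ACL on the SVI of the WLC management VLAN that permits the RADIUS authentication and accounting the controller originates toward the AAA servers, and nothing else from that VLAN to them. The WLC management address, the server addresses and the SVI number are assumptions.

```cisco
! Added example, not from the original thread. Addresses and SVI are assumptions.
! 10.0.100.5 = WLC management interface, 192.0.2.10/11 = AAA servers.
ip access-list extended WLC-MGMT-IN
 remark RADIUS auth (1812) and acct (1813) from the WLC only
 permit udp host 10.0.100.5 host 192.0.2.10 eq 1812
 permit udp host 10.0.100.5 host 192.0.2.10 eq 1813
 permit udp host 10.0.100.5 host 192.0.2.11 eq 1812
 permit udp host 10.0.100.5 host 192.0.2.11 eq 1813
 remark legacy ports, only if the server still listens on them
 permit udp host 10.0.100.5 host 192.0.2.10 eq 1645
 permit udp host 10.0.100.5 host 192.0.2.10 eq 1646
 remark nothing else on this VLAN may reach the AAA servers
 deny   ip any host 192.0.2.10 log
 deny   ip any host 192.0.2.11 log
 remark remaining management flows (NTP, DNS, syslog, SNMP...) go here
 deny   ip any any log
!
interface Vlan100
 description WLC management VLAN
 ip access-group WLC-MGMT-IN in
```

"in" on an SVI matches traffic entering the switch from hosts on that VLAN, i.e. the WLC's requests; the server replies are return traffic in the other direction. Wireless client frames arrive inside CAPWAP from the APs, so no client address ever appears as a source toward the AAA server, which is why the permits can be pinned to the single WLC address. If the AAA server sends RADIUS CoA or disconnect messages to the WLC (UDP 1700 or 3799), those arrive in the "out" direction on this SVI and need a separate permit there.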

  • WS-X4306-GB - Catalyst 4500 6-port GBIC Module & FC Tape Libraries

    WS-X4306-GB - Catalyst 4500 6-port GBIC Module & FC Tape Libraries
    I have several Tape Autoloader Libraries from Dell which have Fibre Channel interfaces. I have loop switches that these connect to today. I also have a Catalyst 4506 with a WS-X4306-GB - 6-port GBIC Module. I would like to use the X4306 as a loop switch. Some of the libraries can also connect via point-to-point FC.
    Can this be done? If yes, how do I start in making this happen?
    Thank You.

    Sorry but the Catalyst 4500 does not support Fibre Channel connections on the WS-X4306-GB (or on any card). It's strictly an Ethernet switch. Reference
    To mix and match Ethernet and FC interfaces, you'd have to be on a new platform like the Nexus 5k series - specifically the UP (Unified Port) variants.

  • QoS trust dscp or cos on catalyst 4500

    We have a 4510R with Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.05.02.E RELEASE SOFTWARE (fc1).
    I want to use qos trust dscp or qos trust cos on the interface connected to another Cisco switch or WLAN controller.
    The current IOS version does not support qos trust dscp:
    SW(config)#interface gi10/16
    SW(config-if)#qos tr
    SW(config-if)#qos trust ?
      device  trusted device class
      extend  Extend trust through a connected device
    SW(config-if)#qos trust device ?
      cisco-phone   Cisco IP Phone
      cts           Cisco-telepresence
      ip-camera     Cisco video surveillance camera
      media-player  Cisco Digital Media Player
    SW(config-if)#qos trust device
    What software do I need for this? I tried with the command lookup tool but the cat4500 does not appear.

    That is even new for me.
    I did a search and found that nowadays you no longer have to provide the trust dscp command; it is trusted by default.
    I went through this white paper and excerpts are below:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-4500-series-switches/white_paper_c11-539588.html
    The answer to your question comes from the following excerpt:
    "Previously supervisor engines relied on “port trust” to classify traffic; however, this does not fall into the MQC CLI construct. MQC provides a more flexible capability, i.e. all traffic is trusted by default, an administrator can change this trust state using a policy map. Another difference is the “internal DSCP” value used within the switch to place packets in the proper queue.
    Cisco Catalyst 4500E Supervisor Engines do not use “internal DSCP”; rather, it relies on explicit matching of QoS values using class maps so that packets can be placed in the correct queue.
    Also, note that there is no specific priority queue: it is not queue 3 or queue 1. The priority queue is simply configured within a class; therefore, it is not tied to a specific queue. One final difference is that of classification. Cisco Catalyst 4500E Supervisor Engines provide sequential classification rather than parallel. This allows the network administrator to classify traffic at egress based on the ingress markings. These markings can be done unconditionally, using a policer or using a table map. Based on these changes, QoS CLI will now be more contiguous on the Supervisor Engines as it will now have standard Cisco MQC CLI, making configuration management much simpler"
    HTH,
    Please rate all helpful posts.
    Regards
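Since every port trusts incoming markings by default on these supervisors, the security-relevant step is the reverse of the old `qos trust`: untrusting the ports where hosts live. Added example (not from the reply above) in the MQC form the white paper describes: an ingress policy that resets DSCP on a user port, and an egress queuing policy on the uplink to the WLC, where markings are left trusted and EF gets the priority queue. Interface numbers, class names and the bandwidth split are assumptions.

```cisco
! Added example, not from the original thread. Interfaces, class names and
! percentages are assumptions.
!
! 1) Ingress on an edge port: re-mark everything to DSCP 0 so a host cannot
!    tag its own traffic EF and starve the priority queue on the uplinks.
policy-map UNTRUST-EDGE
 class class-default
  set dscp 0
!
interface GigabitEthernet2/1
 description user access port (markings NOT trusted)
 service-policy input UNTRUST-EDGE
!
! 2) Egress queuing toward the WLC / other switch: markings are trusted by
!    default, so only the queues need defining.
class-map match-any VOICE
 match dscp ef
class-map match-any SIGNALING
 match dscp cs3 af31
!
policy-map EGRESS-QUEUING
 class VOICE
  priority
 class SIGNALING
  bandwidth remaining percent 10
 class class-default
  bandwidth remaining percent 90
!
interface GigabitEthernet10/16
 description uplink to WLC (markings trusted, the default)
 service-policy output EGRESS-QUEUING
```

`show policy-map interface GigabitEthernet2/1` shows the re-mark counters climbing if a host is sending marked traffic, which is a cheap way to find hosts trying to jump the queue. The only class allowed `priority` is also the one an attacker would aim for, so untrusting the edge and, if the platform permits, adding a policer under the VOICE class keeps that queue for real voice.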
