AAA Servers toggles per WLAN

Dear Team, I have a controller-based installation with 802.1X auth via ACSSE and AD. The controllers are running 4.2.173.0. Two ACSSE are configured. Since a few days we have seen problems with client authentication. The WLC log shows that the WLAN toggles between the two RADIUS servers:
84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'
Does anyone know under which conditions (timeout etc.) the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael

After working with TAC, I resolved this issue recently. Increasing the timeout value did not help. On the WLC, try:
config radius aggressive-failover disable
As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
If the aggressive failover feature is enabled in the WLC, the WLC is too aggressive in marking the AAA server as not responding. But this should not be done, because the AAA server is possibly not responsive only to that particular client (if you do silent discard); it can be responding to other valid clients with valid certificates. But the WLC can still mark the AAA server as not responding and not functional.
In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.
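As an added illustration of the failover rule in the quoted guide (example code written for this page, not WLC or Cisco code): a small Python model of a per-WLAN server list that fails over to the next RADIUS server either on the first client whose request goes unanswered (aggressive failover enabled) or only after three consecutive distinct clients go unanswered (aggressive failover disabled). The server addresses, the client MACs, the two traffic scenarios and the exact counting rule (a reply to any client resets the run; repeat failures from the same client count once) are assumptions made for the demo, not behaviour read off a controller.

```python
from dataclasses import dataclass, field

# Thresholds are the assumption stated in the lead-in, not values read off the WLC.
AGGRESSIVE_THRESHOLD = 1   # one client's unanswered request marks the server dead
NORMAL_THRESHOLD = 3       # "three consecutive clients" (config guide quoted above)


@dataclass
class WlanRadiusState:
    """Per-WLAN view of the ordered RADIUS server list and the failure counter."""
    servers: list                      # ordered "ip:port" strings, index 0 preferred
    aggressive: bool
    active: int = 0                    # index of the server currently in use
    failed_clients: list = field(default_factory=list)   # consecutive distinct failures
    log: list = field(default_factory=list)

    @property
    def active_server(self):
        return self.servers[self.active]

    def record(self, client_mac, replied):
        """Feed one observation: did the active server answer this client's request?"""
        threshold = AGGRESSIVE_THRESHOLD if self.aggressive else NORMAL_THRESHOLD
        if replied:
            # any answered request breaks the "consecutive" run
            self.failed_clients.clear()
            return
        self.log.append(f"RADIUS server {self.active_server} failed to respond "
                        f"to request for client {client_mac}")
        if client_mac not in self.failed_clients:
            self.failed_clients.append(client_mac)
        if len(self.failed_clients) >= threshold:
            self._failover()

    def _failover(self):
        old = self.active_server
        self.active = (self.active + 1) % len(self.servers)
        self.failed_clients.clear()
        self.log.append(f"RADIUS server {old} deactivated on WLAN")
        self.log.append(f"RADIUS server {self.active_server} activated on WLAN")


def replay(events, aggressive):
    """Run a list of (client_mac, server_replied) observations through the model."""
    st = WlanRadiusState(["10.0.0.1:1812", "10.0.0.2:1812"], aggressive)
    for mac, replied in events:
        st.record(mac, replied)
    return st


def failover_count(state):
    """Number of server switches the model logged."""
    return sum(1 for line in state.log if "deactivated" in line)


# Constructed traffic, not captured data.  One client (think: a bad certificate
# the ACS silently discards) never gets an answer; everyone else is fine.
ONE_BAD_CLIENT = [
    ("00:11:22:33:44:55", False),
    ("aa:bb:cc:dd:ee:01", True),
    ("00:11:22:33:44:55", False),
    ("aa:bb:cc:dd:ee:02", True),
]

# The server really is down: three different clients in a row get nothing.
SERVER_DOWN = [
    ("aa:bb:cc:dd:ee:01", False),
    ("aa:bb:cc:dd:ee:02", False),
    ("aa:bb:cc:dd:ee:03", False),
]

if __name__ == "__main__":
    for name, events in (("one bad client", ONE_BAD_CLIENT), ("server down", SERVER_DOWN)):
        for aggressive in (True, False):
            st = replay(events, aggressive)
            print(f"{name:15s} aggressive={aggressive!s:5s} "
                  f"failovers={failover_count(st)} active={st.active_server}")
```

With aggressive failover on, the single silently-discarded client flips the WLAN back and forth between the two servers on every attempt, which is exactly the activated/deactivated pair in Michael's log; with it off, that client never moves the WLAN, while a genuinely dead server still fails over once three different clients have gone unanswered.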

Similar Messages

  • WLAN and multiple AAA servers

    Hello,
    Our WLANs are configured with 2 AAA servers. The first authentication server is local, the 2nd authentication server is remote. I noticed that often the 2nd server is used for the authentication even if the first server is up and available. It also looks like once the authentication is done on the 2nd server it stays there. Is there an option to:
    - define server 1 as the priority for authentication?
    - switch authentication to server 2 when server 1 is not reachable, but switch back to server 1 as soon as server 1 is reachable again?
    Thanks

    Hi,
    I asked the question at Cisco Networkers 2008.
    In version 5.0 it will be fixed.
    When the first RADIUS server is reachable again, the authentication will be switched back to the first RADIUS server.
    Let's see if this will be confirmed in the release notes...
    Brgds.

  • Replication overwrites the AAA servers table in the secondary server

    Hi,
    I've configured two ACS servers with replication, but I noticed that when the replication takes place it overwrites the AAA servers table configured in the network configuration of the secondary server, and that makes the next replication fail because the two servers then have the same configuration of AAA servers. If I uncheck "Network Configuration Device Tables" and "Network Access Profiles" in "Database Replication Setup", which includes the AAA servers table, I also miss the replication of the new network devices that are added on the master server.
    Do you know how I can exclude only the AAA servers table from the replication?
    Another thing: I configured the outbound replication as "Automatically triggered cascade". I'm not sure if this means that at the exact moment there is a change on the primary server it will replicate it to the secondary, because if that is the case it is not doing it.
    Thanks in advance for your help

    Hi,
    I understand, thanks alot for making that clear!.
    I now have another situation and I was wondering if you can help me. I made some changes to the AAA servers trying to solve this situation but I wasn't able to, so I left the servers configured the same way they were at the time the replication was working, but now it is not. On the master server I get this message:
    ERROR ACS 'LACSLVBCDVAS007' has denied replication request
    and in the second server i get this:
    ERROR Inbound database replication from ACS 'lacslvbcpvas011' denied - shared secret mismatch
    I've checked that the same key is configured for both and it is the same; I've deleted the AAA servers and configured them again and restarted the services, but the problem remains. Do you have any idea what this could be?
    Thanks in advance for your help.
    Best Regards,

  • Help AAA Servers Database Replication

    Hi Guys,
    I have 2 AAA servers acting as primary/backup.
    Recently we were facing some issues with the backup server, so we upgraded Windows to Windows Server 2008 and reinstalled ACS 4.2.
    Now when I try to replicate everything from primary to secondary, it is not replicating AAA clients. I can see all the groups / users / settings replicated, but there are no AAA clients in Network Configuration.
    Is there any point I am missing in the replication configuration?
    Replication component "Network Configuration Device Tables" is already marked. So what's missing?
    Thanks in advance

    Ok got answer myself....
    In future, if anyone faces the same issue: just make sure you are using the EXACT SAME versions on both devices. Even a minor version difference will not work.
    I had 4.2.1(15) on primary and 4.2.0 on secondary; there were no errors but it still was not working. After upgrading to the same version it worked!

  • Per Wlan - Rate-Limit

    Hello, anyone know if it's possible to set a maximum bandwidth for the entire WLAN or for an entire VLAN on the WLC 5508?
    Thanks

    This is a big desire for us too.
    You can do this multiple ways on the infrastructure:
    if using 6500s, you can use user-based rate limiting
    you can do this on various firewall products such as pfsense.
    You can use ingress & egress queuing on the switch, but it may not work as desired.
    We settled on using ip-nbar & policy routing for now to clamp down on file sharing protocols and also download urls with various extensions such as .iso, .dmg, .zip.....
    The challenge we found with per user limiting was that few solutions support the client count/demand that we see.
    If your environment is more spread out, you may have better luck with traffic policing and/or shaping at the switch level.
    As for per-WLAN rate limiting, it will really depend on your infrastructure hardware & IOS-supported functions.
    I agree about not shaping over the air, keep as much extraneous traffic off the air as possible.

  • Adding AAA servers to ACS to use Proxy RADIUS distribution Table

    Hello,
    I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
    I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
    What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard and the port the other servers are listening on. How can I change this behaviour?
    Thanks
    Gustavo

    ACS by default will listen on both ports 1645 and 1812, the two "standard" RADIUS ports. However, when talking to a proxy server it will only send on 1645 by default. To change this you have to go into the registry and change it as follows:
    Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\<server>\RADIUS] (where <server> is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
    "authPort"=dword:0000066d <<---- 1645 (0x66d)
    "acctPort"=dword:0000066e <<---- 1646 (0x66e)
    "timeout"=dword:00000001
    "single connection"=dword:00000000
    "strip users"=dword:00000000
    You don't need all of them; you can just change authPort to 1812 (0x714) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too, so make sure you type them in EXACTLY as I've shown above.

  • 5508-DHCP per WLAN basis

    dear all, 
    Kindly guide me how to configure the WLC 5508 internal DHCP on a per-WLAN basis. I read the following document, and it is clearly mentioned that we can configure DHCP on the WLC 5508 on a per-WLAN basis, but I did not find the per-WLAN configuration.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70wlan.html#wp1293808
    Need your kind response.
    my email address 
    [email protected]

    When you configure dynamic interfaces on your 5508, you can specify DHCP server IP address. Later on you will map a dynamic interface to WLAN.
    Also under WLAN advanced setting, you can specify DHCP server IP, if you want to override dynamic interface configured DHCP server to a particular WLAN.
    HTH
    Rasika
    **** Pls rate all useful responses ***

  • Sending AAA accouting log records to multiple AAA servers

    IOS version c3640-a3jk9s-mz.123-18.bin
    aaa group server tacacs+ cciesec
    server 192.168.3.10
    aaa group server tacacs+ ccievoice
    server 192.168.3.11
    aaa authentication login VTY group cciesec local
    aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
    tacacs-server host 192.168.3.10 key 123456
    tacacs-server host 192.168.3.11 key 123456
    C3640#sh tacacs
    Tacacs+ Server : 192.168.3.10/49
    Socket opens: 8
    Socket closes: 8
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 21
    Total Packets Recv: 21
    Tacacs+ Server : 192.168.3.11/49
    Socket opens: 0
    Socket closes: 0
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 0
    Total Packets Recv: 0
    C3640#
    As you can see, I receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11: I am not seeing any AAA traffic sent to host 192.168.3.11.
    Anyone know why?

    http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html
    It stated the following:
    "Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."

  • Airwaves Survey shows duplicate entries per WLAN SSID

    Hello Cisco WLAN-experts,
    I have a nice problem for You:
    Our WLAN networks appear twice in every WiFi catcher!
    We are running 1131 LAPs in H-REAP mode together with a 4402 WLC and use two WLANs. One is the typical "Guest WLAN", the other a more secure one whose SSID we do not broadcast.
    Both 802.11b/g and 802.11a are active.
    To our surprise, our 802.11b/g-only WLAN clients see 4 instead of the expected 2 WLANs when they use tools like Airwaves Survey to scan the surroundings.
    The shortened output looks like this:
    RSSI BSSID SSID Type
    -44db 00-1f-9e-7f-e1-60 802.11g
    -40db 00-1f-9e-7f-e1-61 guest 802.11g
    -40db 00-1f-9e-7f-e1-62 guest 802.11g
    -39db 00-1f-9e-7f-e1-63 802.11g
    Does anybody have an explanation why the Cisco LAP appears with 4 different MAC addresses to our clients?
    Thank You for any hint in advance.
    Greetings from Good old Germany
    derobbacher

    You will see that because clients need to see a different MAC address per radio and per SSID. So if you have one SSID and that SSID is enabled on both radios, then you will see two MAC address entries. If you only had it on one radio, then you would only see one MAC address entry. Hope this helps.

  • Setting the Client Count per WLAN and per AP radio

    Hi
    We use a WLC 5508 with 7.4. We tried to set the max allowed clients per AP radio to 30 through the GUI. We have APs with 80 clients associated though.
    Has anyone else tried this feature?
    When entering config wlan max-associated-clients max-clients wlan-id we got
    "WLAN/Guest-Lan/remote-lan is enabled.Please disable to configure max associated clients."
    The GUI doesn't show that message; should it? In the GUI, is it necessary to disable the WLAN first too?
    Thanks
    This is the show wlan output

    No, the GUI does some stuff automatically, like disabling/enabling the WLAN when you make the change.
    From the CLI *you* have to do that.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

    I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group and thereby using the  same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into group but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
    I also tried assigning multiple aaa-server groups to the tunnel-group authentication-server-group, but that also did not work. I finally tried to create a separate tunnel-group and assign it the same group-alias, but the ASA will not allow me to assign the same group-alias to different tunnel-groups. What is the best way to accomplish this without having to create a new group-alias that will show up and possibly confuse the dumb users requiring this access? Please help.

    If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
    Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
    You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
    Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
    The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

  • AAA Override on Anchored WLANs

    Hi,
    Is it possible to create an anchored WLAN using 802.1x and use AAA override to dynamically change the VLAN clients are put in on the anchor WLC?
    I am assuming not but can't hurt to ask!
    Thanks,

    No:) the reason is that the foreign WLC does the encryption/decryption, so it would have to be done there without anchor. You wouldn't be able to change the vlan id from an anchor WLC.
    Sent from Cisco Technical Support iPhone App

  • AAA Servers

    Once the ASA marks the NPS server "failed" it takes a manual action to re-mark it "active". What are some options around this?
    What I don't know is how the ASA fails a server. I know that if anyone failed the server on the ASA it will mark it failed. If I bring down a backup server *not the primary* the ASA does not change the server status. We know the ASA will mark the primary server down and try to select another in its pool if authentication is not pointed to the "local server group" when the primary is down. How does that take place and what are the events, logs, alerts and if any notification are being sent and to who?

    The default deadtime on an AAA-server group is 10 minutes, so if the ASA fails to reach/contact the RADIUS server, the server will be marked dead/failed for the next 10 minutes. Even if you only lose connectivity to the TACACS server for a very short period of time, the server won't become active again for the next 10 minutes, so in order to overcome this issue you need to reduce this time by changing the reactivation-mode command under the AAA server-group. Enter the following command:
    hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
    'reactivation-mode timed', thinking that this would probably be a good option so that the server comes back more quickly (in 30 seconds). I hope that will still be there.
    The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
    The timed keyword reactivates failed servers after 30 seconds of down time.
    More info
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1787712
    You may also try to run show aaa-server to see the status of the servers in the group.
    Jatin Katyal
    - Do rate helpful posts -
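To make the difference between the two reactivation modes in that answer concrete, here is an added Python model (written for this page, not Cisco or ASA code) of an aaa-server group with simulated time. The assumed behaviour follows the reply above: a server is marked FAILED when a request to it gets no reply; in timed mode a failed server is reactivated 30 seconds after it was marked; in depletion mode failed servers stay failed until every server in the group has failed, and then all of them come back after the deadtime (10 minutes by default). The server names NPS-1/NPS-2, the timestamps and the two scenarios are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

TIMED_REACTIVATION_S = 30          # 'reactivation-mode timed' per the reply above


@dataclass
class Server:
    name: str
    failed_at: Optional[float] = None   # simulated seconds; None means ACTIVE


@dataclass
class AaaServerGroup:
    servers: list                       # tried in order, like the ASA server list
    mode: str = "depletion"             # ASA default, with deadtime 10 minutes
    deadtime_min: int = 10
    depleted_at: Optional[float] = None
    events: list = field(default_factory=list)

    def mark_failed(self, name, now):
        """Called when a request to `name` got no reply (the ASA's fail condition)."""
        for s in self.servers:
            if s.name == name and s.failed_at is None:
                s.failed_at = now
                self.events.append((now, f"{name} marked FAILED"))
        if (self.mode == "depletion" and self.depleted_at is None
                and all(s.failed_at is not None for s in self.servers)):
            self.depleted_at = now
            self.events.append((now, "group depleted; deadtime timer started"))

    def _reactivate(self, now):
        if self.mode == "timed":
            for s in self.servers:
                if s.failed_at is not None and now - s.failed_at >= TIMED_REACTIVATION_S:
                    s.failed_at = None
                    self.events.append((now, f"{s.name} reactivated (timed)"))
        elif (self.depleted_at is not None
              and now - self.depleted_at >= self.deadtime_min * 60):
            for s in self.servers:
                s.failed_at = None
            self.depleted_at = None
            self.events.append((now, "all servers reactivated (deadtime expired)"))

    def active_servers(self, now):
        self._reactivate(now)
        return [s.name for s in self.servers if s.failed_at is None]

    def pick(self, now):
        """Server the next request goes to: first ACTIVE one, None if the group is exhausted."""
        act = self.active_servers(now)
        return act[0] if act else None


def primary_blip(mode):
    """Primary stops answering at t=0 (seconds) and is really back by t=30: what gets used?"""
    g = AaaServerGroup([Server("NPS-1"), Server("NPS-2")], mode=mode)
    g.mark_failed("NPS-1", now=0)
    return {"t=10": g.pick(10), "t=45": g.pick(45), "t=700": g.pick(700)}


def both_down():
    """Depletion mode with both servers failed: nothing until the 10-minute deadtime runs out."""
    g = AaaServerGroup([Server("NPS-1"), Server("NPS-2")], mode="depletion", deadtime_min=10)
    g.mark_failed("NPS-1", now=0)
    g.mark_failed("NPS-2", now=100)
    return {"t=200": g.pick(200), "t=699": g.pick(699), "t=700": g.pick(700)}


if __name__ == "__main__":
    print("timed     :", primary_blip("timed"))
    print("depletion :", primary_blip("depletion"))
    print("both down :", both_down())
```

The depletion run is the situation the poster describes: after one timeout the primary stays FAILED indefinitely as long as the backup keeps answering, because the deadtime timer only starts once the whole group is exhausted. Timed mode gives the primary back after 30 seconds at the cost of retrying a possibly still-dead server; the right choice depends on whether you would rather have sticky failover or fast fallback.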

  • Servers/VMs per pool

    Is there a best practice document out there with recommendations/hard limits for the number of servers that should be in a pool or number of vms that should be in a specific pool?
    I'm trying to determine how many servers per pool I should go with as a standard in our data center.

    It might be helpful in defining my question: this is the output from the Oracle VM Manager Template deployment script [note again, that this is an Oracle Server Template consisting of Oracle VM Manager to be run as a virtual machine inside Oracle Server:]
    Setting up the network for Oracle VM Manager ...
    Oracle VM Manager needs to be configured using a static IP address. Follow
    the prompts to provide your network settings for Oracle VM Manager.
    Press any key to continue...
    Available network bridges:
    0) xenbr0 Link encap:Ethernet HWaddr 00:1A:64:48:A8:EE
    inet addr:9.123.123.123 Bcast:0.0.0.0 Mask:255.255.255.0
    Please choose one of the network bridges(default is xenbr0):0
    You selected the network bridge: xenbr0
    Enter static IP address: 9.123.123.123
    Enter netmask: [255.0.0.0] 255.255.255.0
    Enter gateway: 9.23.123.123
    Enter DNS server: 9.23.234.234

  • AAA accounting for per-user data amount limit

    Hello,
    I don't have too much experience with AAA, and I want to implement the following:
    - I have a FreeRadius, ASR1001-X with IOS XE
    - I want to keep records of how much data is consumed by each user
    Any suggestion will be welcome.
    Thank you.

    Just for information i post these links
    1. http://www.linuxquestions.org/questions … er-715490/
    2. http://www.linuxquestions.org/questions … ge-617928/
    3. http://www.linuxquestions.org/questions … asis-8674/
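The thread above stops at links, so here is an added Python example (written for this page, not FreeRADIUS project code) of the accounting side of a per-user data limit: it parses the stock FreeRADIUS "detail" file layout (a timestamp line, then tab-indented `Attribute = Value` lines, records separated by a blank line) and sums each user's traffic from the standard RFC 2866/2869 attributes. Two points the question does not mention but a practitioner hits: the octet counters are cumulative per session, so only the latest Interim-Update or Stop for a session counts, and `Acct-Input-Octets`/`Acct-Output-Octets` wrap at 32 bits, with the high word carried in `Acct-Input-Gigawords`/`Acct-Output-Gigawords`. The sample records, user names and the limit are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample in the FreeRADIUS detail-file layout; not a real capture.
SAMPLE_DETAIL = """\
Tue Dec  9 09:29:19 2008
\tAcct-Status-Type = Start
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tNAS-IP-Address = 192.0.2.1

Tue Dec  9 09:59:19 2008
\tAcct-Status-Type = Interim-Update
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tAcct-Input-Octets = 1000
\tAcct-Output-Octets = 5000

Tue Dec  9 10:29:19 2008
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tAcct-Input-Octets = 2000
\tAcct-Output-Octets = 4294967295
\tAcct-Input-Gigawords = 0
\tAcct-Output-Gigawords = 1

Tue Dec  9 10:30:00 2008
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0002"
\tAcct-Input-Octets = 100
\tAcct-Output-Octets = 200
"""

# Indented "Attribute = Value" lines; the value may or may not be double-quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*?)"?\s*$')


def parse_detail(text):
    """Split a detail file into a list of {attribute: value} dicts, one per record."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if cur:
                records.append(cur)
                cur = {}
            continue
        m = ATTR_RE.match(line)
        if m:                           # the unindented timestamp line does not match
            cur[m.group(1)] = m.group(2)
    if cur:
        records.append(cur)
    return records


def octets(rec, direction):
    """Full 64-bit counter: gigawords are the high 32 bits of the octet counter."""
    low = int(rec.get(f"Acct-{direction}-Octets", 0))
    high = int(rec.get(f"Acct-{direction}-Gigawords", 0))
    return (high << 32) + low


def per_user_totals(records):
    """Sum in+out bytes per user, keeping only the latest counter value per session."""
    latest = {}
    for r in records:
        if r.get("Acct-Status-Type") not in ("Interim-Update", "Stop"):
            continue                    # Start records carry no counters
        key = (r.get("User-Name"), r.get("Acct-Session-Id"))
        latest[key] = octets(r, "Input") + octets(r, "Output")
    totals = defaultdict(int)
    for (user, _session), used in latest.items():
        totals[user] += used
    return dict(totals)


def over_limit(totals, limit_bytes):
    """Users whose total exceeds the limit, e.g. to feed a reject/disconnect policy."""
    return sorted(u for u, b in totals.items() if b > limit_bytes)


if __name__ == "__main__":
    totals = per_user_totals(parse_detail(SAMPLE_DETAIL))
    for user, used in sorted(totals.items()):
        print(f"{user:8s} {used:>14d} bytes")
    print("over 5 GiB:", over_limit(totals, 5 * 2**30))
```

In production the same aggregation is usually done against the `radacct` SQL table that the FreeRADIUS sql module keeps (with the `acctinputoctets`/`acctoutputoctets` columns already combined with the gigawords), and a rejection can then be driven from the `radcheck`-style policy that the `sqlcounter` module implements; the arithmetic and the per-session deduplication are the same as here.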
