AAA Servers

Once the ASA marks the NPS server "failed" it takes a manual action to re-mark it "active". What are some options around this?
What I don't know is how the ASA fails a server. I know that if anyone failed the server on the ASA it will mark it failed. If I bring down a backup server *not the primary* the ASA does not change the server status. We know the ASA will mark the primary server down and try to select another in its pool if authentication is not pointed to the "local server group" when the primary is down. How does that take place, what are the events, logs and alerts, and are any notifications being sent, and to whom?

The default dead time on an AAA-server group is 10 minutes, so if the ASA fails to reach/contact the RADIUS server then the server will be marked dead/failed for the next 10 mins. Even if you only lose connectivity to the TACACS server for a very short period of time, the server won't become active again for the next 10 mins, so in order to overcome this issue you need to reduce this time by changing the reactivation-mode command under the AAA server-group. Enter the following command:
hostname(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}
Try 'reactivation-mode timed'; this would probably be a good option so that the server comes back more quickly (in 30 seconds). I hope that will still be there.
The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The timed keyword reactivates failed servers after 30 seconds of down time.
More info
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1787712
You may also try to run show aaa-server to see the status of the servers in the group.
Jatin Katyal
- Do rate helpful posts -
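The failover and reactivation behaviour described in this answer, modelled as an added example (not Cisco's code or the poster's): a two-server aaa-server group under depletion (default deadtime 10 minutes) and under timed (30 seconds) reactivation. It assumes a LOCAL fallback is configured so that a fully failed group falls back to the local database, and it follows the keyword definitions above, treating deadtime as the interval between the last server failing and all servers being re-enabled.

```python
"""Model of ASA aaa-server group failover with 'reactivation-mode depletion
[deadtime N]' versus 'reactivation-mode timed'.  Added illustration, not
Cisco code; time is simulated in seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TIMED_REACTIVATE_SECS = 30        # timed mode: back after 30 s of down time
DEFAULT_DEADTIME_SECS = 10 * 60   # depletion mode: default deadtime of 10 minutes


@dataclass
class Server:
    name: str
    failed_at: Optional[float] = None   # None = ACTIVE, else the time it was marked FAILED


@dataclass
class ServerGroup:
    servers: List[Server]                   # configured order = try order
    mode: str = "depletion"                 # "depletion" or "timed"
    deadtime: float = DEFAULT_DEADTIME_SECS
    all_failed_at: Optional[float] = None   # depletion: when the last server went down
    events: List[str] = field(default_factory=list)

    def _reactivate(self, now: float) -> None:
        """Apply the configured reactivation policy before serving a request."""
        if self.mode == "timed":
            # Each failed server is re-enabled on its own after 30 s down.
            for s in self.servers:
                if s.failed_at is not None and now - s.failed_at >= TIMED_REACTIVATE_SECS:
                    s.failed_at = None
                    self.events.append(f"t={now:.0f}s {s.name} reactivated (timed)")
        elif self.all_failed_at is not None and now - self.all_failed_at >= self.deadtime:
            # Depletion (modelling assumption): nothing is re-enabled until the
            # whole group is down AND the deadtime has elapsed since the last
            # failure; then every server is re-enabled at once.
            for s in self.servers:
                s.failed_at = None
            self.all_failed_at = None
            self.events.append(f"t={now:.0f}s all servers reactivated (depletion)")

    def authenticate(self, now: float, reachable: Dict[str, bool]) -> Tuple[str, Optional[str]]:
        """Return which backend handles a request at time `now`.

        `reachable` is constructed input saying which servers would answer
        right now.  Result is ("SERVER", name), or ("LOCAL", None) when every
        server is FAILED and the group falls back to the LOCAL database.
        """
        self._reactivate(now)
        for s in self.servers:
            if s.failed_at is not None:
                continue                          # FAILED servers are skipped
            if reachable.get(s.name, False):
                return ("SERVER", s.name)
            s.failed_at = now                     # no answer: mark it FAILED
            self.events.append(f"t={now:.0f}s {s.name} marked FAILED")
            if all(x.failed_at is not None for x in self.servers):
                self.all_failed_at = now
        return ("LOCAL", None)

    def status(self) -> Dict[str, str]:
        """Per-server state, roughly what 'show aaa-server' reports."""
        return {s.name: "ACTIVE" if s.failed_at is None else "FAILED" for s in self.servers}


def primary_outage_scenario(mode: str) -> List[Tuple[str, Optional[str]]]:
    """Primary unreachable for a single request at t=0, healthy afterwards.

    Shows how long requests keep going to the backup under each mode: in
    timed mode the primary returns at t>=30 s; in depletion mode it stays
    FAILED for as long as the backup keeps answering, because the group is
    never fully depleted and the deadtime clock never starts."""
    grp = ServerGroup([Server("nps-primary"), Server("nps-backup")], mode=mode)
    both_up = {"nps-primary": True, "nps-backup": True}
    return [
        grp.authenticate(0, {"nps-primary": False, "nps-backup": True}),
        grp.authenticate(29, both_up),
        grp.authenticate(31, both_up),
        grp.authenticate(1800, both_up),
    ]


if __name__ == "__main__":
    for m in ("depletion", "timed"):
        print(m, primary_outage_scenario(m))
```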

Similar Messages

  • Replication overwrites the AAA servers table in the secondary server

    Hi,
    I've configured two ACS servers with replication, but I noticed that when the replication takes place it overwrites the AAA servers table configured in the network configuration of the secondary server, and that makes the next replication fail because the two servers have the same configuration of AAA servers. If I uncheck the "Network Configuration Device tables" and the "Network Access Profiles" from the "Database Replication Setup", which includes the AAA servers table, I also miss the replication of the new network devices that are added in the master server.
    Do you know how I can exclude only the AAA servers table from the replication?
    Another thing is that I configured the Outbound replication as "Automatically triggered cascade"; I'm not sure if this means that at the exact moment there is a change on the primary server it will replicate it to the secondary, because if that is the case it is not doing it.
    Thanks in advance for your help

    Hi,
    I understand, thanks a lot for making that clear!
    I now have another situation and I was wondering if you can help me. I made some changes in the AAA servers trying to solve this situation but I wasn't able to, so I left the servers configured again the same way they were at the time the replication was working, but now it is not; in the master server I get this message:
    ERROR ACS 'LACSLVBCDVAS007' has denied replication request
    and in the second server i get this:
    ERROR Inbound database replication from ACS 'lacslvbcpvas011' denied - shared secret mismatch
    I've checked the key configured for both and they are the same; I've deleted the AAA servers and then configured them again, and restarted the services, but the problem remains. Do you have any idea what this could be?
    Thanks in advance for your help.
    Best Regards,

  • Help AAA Servers Database Replication

    Hi Guys,
    I have 2 AAA Servers Acting as Prim/Backup.
    Recently we were facing some issues with Backup Server, so upgraded the windows to Windows 2008 Server, and reinstalled ACS 4.2
    Now when I try to replicate everything from Primary to Secondary, it is not replicating AAA Clients. I can see all the groups / users / settings replicated, but there are no AAA Clients in Network Configuration.
    Any point I am missing in the Replication Configuration?
    The Replication Component "Network Configuration Device Tables" is already marked. So what's missing?
    Thanks in advance

    Ok, got the answer myself....
    In case anyone faces the same issue in future: just make sure you are using the EXACT SAME versions on both devices. Even a minor version difference will not work.
    I had 4.2.1(15) on primary and 4.2.0 on secondary... there were no errors but it still was not working. After upgrading to the same version it worked!

  • Adding AAA servers to ACS to use Proxy RADIUS distribution Table

    Hello,
    I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
    I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
    What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard and the port on which the other servers are listening. How can I change this behaviour?
    Thanks
    Gustavo

    ACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
    Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
    "authPort"=dword:0000066d <<---- 1645
    "acctPort"=dword:0000066e <<---- 1646
    "timeout"=dword:00000001
    "single connection"=dword:00000000
    "strip users"=dword:00000000
    You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above.

  • WLAN and multiple AAA servers

    Hello,
    Our WLANs are configured with 2 AAA servers. The first authentication server is local, the 2nd authentication server is remote. I noticed that often the 2nd server is used for the authentication even if the first server is up and available. It also looks like once the authentication is done on the 2nd server it stays there. Is there an option to:
    - define server 1 as the priority for authentication?
    - switch authentication to server 2 when server 1 is not reachable, but switch back to server 1 as soon as server 1 is reachable again?
    Thanks

    Hi,
    I asked the question at CiscoNetworker2008.
    In version 5.0 it will be fixed.
    When the first RADIUS is reachable again, the authentication will switch back to the first RADIUS server.
    Let's see if this will be confirmed in the release notes...
    Brgds.

  • Sending AAA accouting log records to multiple AAA servers

    IOS version c3640-a3jk9s-mz.123-18.bin
    aaa group server tacacs+ cciesec
    server 192.168.3.10
    aaa group server tacacs+ ccievoice
    server 192.168.3.11
    aaa authentication login VTY group cciesec local
    aaa accounting exec cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 0 cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 1 cciesec start-stop broadcast group cciesec group ccievoice
    aaa accounting commands 15 cciesec start-stop broadcast group cciesec group ccievoice
    tacacs-server host 192.168.3.10 key 123456
    tacacs-server host 192.168.3.11 key 123456
    C3640#sh tacacs
    Tacacs+ Server : 192.168.3.10/49
    Socket opens: 8
    Socket closes: 8
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 21
    Total Packets Recv: 21
    Tacacs+ Server : 192.168.3.11/49
    Socket opens: 0
    Socket closes: 0
    Socket aborts: 0
    Socket errors: 0
    Socket Timeouts: 0
    Failed Connect Attempts: 0
    Total Packets Sent: 0
    Total Packets Recv: 0
    C3640#
    As you can see, I can receive AAA accounting logs on server 192.168.3.10 but I am not getting logs on 192.168.3.11. I can confirm this with tcpdump on host 192.168.3.11: I am not seeing any AAA traffic sent to host 192.168.3.11.
    Anyone know why?

    http://www.cisco.com/en/US/docs/ios/12_1t/12_1t1/feature/guide/dt_aaaba.html
    It stated the following:
    "Before the introduction of the AAA Broadcast Accounting feature, Cisco IOS AAA could send accounting information to only one server at a time. This feature allows accounting information to be sent to one or more AAA servers at the same time. Service providers are thus able to simultaneously send accounting information to their own private AAA servers and to the AAA servers of their end customers. This feature also provides redundant billing information for voice applications."

  • Can you authenticate users from 2 different AAA-servers for one specific tunnel-group?

    I need to authenticate users from two separate AD LDAP databases on the same tunnel-group. I would like them to use the same tunnel-group, thereby using the same group-alias. I tried creating a new aaa-server group and putting both LDAP servers into the group, but apparently the ASA does not roll through the separate servers in the aaa-server group and will stop if the first server states that the authentication failed.
    I also tried assigning multiple aaa-server groups to the tunnel-group authentication-server-group, but that also did not work. I finally tried to create a separate tunnel-group and assign it the same group-alias, but the ASA will not allow me to assign the same group-alias to different tunnel-groups. What is the best way to accomplish this without having to create a new group-alias that will show up and possibly confuse the dumb users requiring this access? Please help.

    If you don't want ANY drop down I believe you can do it in a kludgy sort of way.
    Eliminate all the group aliases (which are used to populate the dropdown) and make a local database of the users for the sole purpose of assigning / restricting them to a non-default tunnel-group which authenticates to the secondary LDAP server. 
    You can also send out a non-published URL that points to a second tunnel-group not in the dropdown.
    Of course, we can accomplish this if the AAA server is ISE. ISE 1.3 can authenticate users to multiple AD domains (with or without trust relationships) or a single domain with multiple join points in the Forest.
    The ISE answer makes me wonder - could you establish trust between the domains and authenticate users that way?

  • AAA Servers toggles per WLAN

    Dear Team, I have a controller-based installation with 802.1x auth via ACS SE and AD. The controllers are running 4.2.173.0. 2 ACS SE are configured. For a few days we have seen problems with client authentication. The WLC log shows that the WLAN toggles between the 2 RADIUS servers:
    84 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.xx:1812 activated on WLAN 2
    85 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 deactivated on WLAN 2
    86 Tue Dec 9 09:29:19 2008 RADIUS server xx.xx.xx.yy:1812 failed to respond to request (ID 148) for client <Client-MAC> / user 'unknown'
    Does anyone know under which conditions, timeout etc. the WLAN changes the RADIUS server? Since we don't run 5.x, we can't use the dedicated RADIUS fallback feature. Has anyone seen this problem? Regards, Michael

    After working with TAC, I resolved this issue recently.  Increasing the timeout value did not help. On the WLC, try:
    config radius aggressive-failover disable
    As per http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml :
    If the aggressive failover feature is enabled in WLC, the WLC is too aggressive to mark the AAA server as not responding. But, this should not be done because the AAA server is possibly not responsive only to that particular client, if you do silent discard. It can be a response to other valid clients with valid certificates. But, the WLC can still mark the AAA server as not responding and not functional.
    In order to overcome this, disable the aggressive failover feature. Issue the config radius aggressive-failover disable command from the controller GUI in order to perform this. If this is disabled, then the controller only fails over to the next AAA server if there are three consecutive clients that fail to receive a response from the RADIUS server.

  • How to set two radius servers one is window NPS another is cisco radius server

    How to set two RADIUS servers, one is Windows NPS, another is a Cisco RADIUS server?
    When I try the following commands, once the Windows server's priority is first and I type a Cisco RADIUS user name, authentication fails.
    I cannot use both at the same time.
    radius-server host 192.168.1.3 is Windows NPS
    radius-server host 192.168.1.1 is Cisco RADIUS
    http://blog.skufel.net/2012/06/how-to-integrating-cisco-devices-access-with-microsoft-npsradius/
    conf t
    no aaa authentication login default line
    no aaa authentication login local group radius
    no aaa authorization exec default group radius if-authenticated
    no aaa authorization network default group radius
    no aaa accounting connection default start-stop group radius
    aaa new-model
    aaa group server radius IAS
     server 192.168.1.1 auth-port 1812 acct-port 1813
     server 192.168.1.3 auth-port 1812 acct-port 1813
    aaa authentication login userAuthentication local group IAS
    aaa authorization exec userAuthorization local group IAS if-authenticated
    aaa authorization network userAuthorization local group IAS
    aaa accounting exec default start-stop group IAS
    aaa accounting system default start-stop group IAS
    aaa session-id common
    radius-server host 192.168.1.1 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.2 auth-port 1812 acct-port 1813
    radius-server host 192.168.1.3 auth-port 1645 acct-port 1646
    radius-server host 192.168.1.3 auth-port 1812 acct-port 1813
    privilege exec level 1 show config
    ip radius source-interface Gi0/1
    line vty 0 4
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    line vty 5 15
     authorization exec userAuthorization
     login authentication userAuthentication
     transport input telnet
    end
    conf t
    aaa group server radius IAS
     server 192.168.1.3 auth-port 1812 acct-port 1813
     server 192.168.1.1 auth-port 1812 acct-port 1813
    end

    The first AAA server listed in your config will always be used unless/until it becomes unavailable. At that point the NAD would move down to the next AAA server defined on the list and use that one until it becomes unavailable and then move to third one, and so on. 
    If you want to use two AAA servers at the same time then you will need to put a load balancer in front of them. Then the virtual IP (vip) will be listed in the NADs vs the individual AAA servers' IPs. 
    I hope this helps!
    Thank you for rating helpful posts!

  • AAA Authorization named authorization list

    Ladies and Gents,
    Your help will be greatly appreciated – I am currently studying CCNP Switch AAA configuration and I work with a TACACS+ server at work, but I am having difficulty getting my head around the below.
    Cisco.com extract below
    When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
    Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
    My question is how do you define the named method list, i.e. the non-default method list?
    I don't mean the Cisco switch config, but how the list is created; is this on the TACACS+ server and then referred to in the CLI?
    Any help would be much appreciated as I have read over tons of documents and I can’t see how this is created
    Thanks in advance
    David

    Hi David,
    An example of a named AAA list might look something like this:
    aaa authorization exec TacExec group AAASrv local
    In the example above, I've created an AAA authorization list for controlling shell exec sessions called "TacExec", which will check the remote AAA servers in the group "AAASrv" first; if the device receives no response from the remote servers, it will then attempt to validate the credentials via the local user database. Please remember that a deny response from the AAA server is not the same as no response: the device will only check the local user database if and only if it receives nothing back from the TACACS query.
    Of course, before you create this method list, you need to define the TACACS servers via the "tacacs-server" command, and then add those servers to the group via the "aaa group server" command.
    Below is a cut and paste from the AAA section on one of my devices:
    aaa new-model
    ip tacacs source-interface
    tacacs-server host 10.x.x.x key 7
    tacacs-server host 10.x.x.y key 7
    aaa group server tacacs+ TacSrvGrp
    server 10.x.x.x
    server 10.x.x.y
    aaa authentication login default local
    aaa authentication login TacLogin group TacSrvGrp local
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default local
    aaa authorization exec TacAuth group TacSrvGrp local
    aaa authorization commands 0 default local
    aaa authorization commands 0 TacCommands0 group TacSrvGrp local
    aaa authorization commands 1 default local
    aaa authorization commands 1 TacCommands1 group TacSrvGrp local
    aaa authorization commands 15 default local
    aaa authorization commands 15 TacCommands15 group TacSrvGrp local
    aaa accounting exec default start-stop group TacSrvGrp
    aaa accounting commands 15 default start-stop group TacSrvGrp
    aaa session-id common
    Notice that for the various authentication and authorization parameters, there is a named method list as well as a default method list. As per Cisco's documentation, an aaa method list called default (that you explicitly define) will apply to all input methods (con, aux, vty, etc.) unless you set a named method list on the particular input line (see below):
    line con 0
    exec-timeout 5 0
    line aux 0
    exec-timeout 5 0
    line vty 0 4
    exec-timeout 15 0
    authorization commands 0 TacCommands0
    authorization commands 1 TacCommands1
    authorization commands 15 TacCommands15
    authorization exec TacAuth
    login authentication TacLogin
    transport input ssh
    For the console and aux inputs, I only ever want to use local credentials for AAA purposes (ie: If I have to connect on an out-of-band interface, something is potentially wrong with the network connectivity), however for the VTY lines (SSH sessions in this instance), I always want to use the TACACS servers first, with local user credentials as a fallback mechanism.
    One thing you need to be VERY mindful of when configuring your devices for AAA is the order of the commands that are entered. It is a relatively simple matter to lock yourself out from the device management if you don't pay close attention to the specific order that the commands are entered. Typically, I will first do a "show user" just to find out which VTY line that I'm connected on, and when I assign the named AAA method lists to the VTY lines, I normally leave the line that I'm on at the default (local), then I open a second session to the device, authenticate using my TACACS credentials, and complete the config on the remaining VTY line.
    Keep in mind that there are some other parameters that you can define at the tacacs-server level (timeout value is a good one to look at) which you can use to enhance the AAA performance somewhat.
    Hope this helps!
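The deny-versus-no-response rule and the named/default list resolution explained in this reply, modelled as an added example (not Cisco code or the poster's). Method names, the line names used as keys and the PASS/FAIL/ERROR verdict strings are constructed for the illustration.

```python
"""Model of how IOS walks an AAA method list such as
'aaa authorization exec TacAuth group TacSrvGrp local'.  Added illustration,
not Cisco code.  Each method answers PASS, FAIL or ERROR; the list only
advances on ERROR (no response), never on FAIL (an explicit deny)."""
from typing import Dict, List, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def evaluate(method_list: List[str], responses: Dict[str, str]) -> str:
    """Evaluate the methods in configured order and return the final verdict.

    `responses` is constructed input mapping a method ("group TacSrvGrp",
    "local") to what it would answer for this request; a method that is not
    listed is treated as unreachable (ERROR).
    """
    for method in method_list:
        verdict = responses.get(method, ERROR)
        if verdict in (PASS, FAIL):
            return verdict      # a deny from TACACS is final: no fallback to local
        # ERROR: no response from this method, so try the next one
    return FAIL                 # every method failed to respond


def select_list(line_lists: Dict[str, str], named: Dict[str, List[str]],
                default: Optional[List[str]], line: str) -> List[str]:
    """Resolve which exec-authorization list applies to a line.

    A named list set on the line wins; otherwise the list called 'default'
    applies; if no default list is defined, local authorization is used
    (the rule quoted from Cisco's documentation in the question).
    """
    name = line_lists.get(line)
    if name is not None:
        return named[name]
    return default if default is not None else ["local"]


# The exec-authorization part of the configuration pasted in the reply, as
# data.  Line keys are constructed names for the 'line con 0' / 'line vty 0 4'
# blocks; con 0 and aux 0 carry no named list and therefore use 'default'.
NAMED_LISTS = {"TacAuth": ["group TacSrvGrp", "local"]}
DEFAULT_EXEC = ["local"]                    # aaa authorization exec default local
LINE_EXEC_LISTS = {"vty 0 4": "TacAuth"}    # authorization exec TacAuth on the VTYs


def authorize_exec(line: str, responses: Dict[str, str]) -> str:
    """Verdict for an exec session on `line` under the pasted configuration."""
    return evaluate(select_list(LINE_EXEC_LISTS, NAMED_LISTS, DEFAULT_EXEC, line), responses)


if __name__ == "__main__":
    tacacs_down = {"local": PASS}                          # group unreachable -> ERROR
    tacacs_deny = {"group TacSrvGrp": FAIL, "local": PASS}
    print("vty, TACACS down:", authorize_exec("vty 0 4", tacacs_down))  # PASS via local
    print("vty, TACACS deny:", authorize_exec("vty 0 4", tacacs_deny))  # FAIL, deny is final
    print("con, TACACS deny:", authorize_exec("con 0", tacacs_deny))    # PASS, console is local-only
```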

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue. During the setup it prompts for a static address, gateway, and DNS. This is fine; network connectivity is tested during this time and succeeds.
    The setup seems fine, but the issue appears when logging in to the GUI under Network Configuration > AAA servers:
    AAA server    AAA server IP address    AAA server type
    self          10.10.10.1               CiscoSecure ACS
    ciscoacs      169.254.25.58            CiscoSecure ACS
    Under Network Configuration > Proxy Distribution Table:
    Character String    AAA Servers    Strip    Account
    Default             ciscoacs       no       Local
    The 2 questions I have are how to stop the 169.x.x.x address (or why this is being put into the configuration), and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete..
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to,
    Network configuration > Proxy Distribution Table > (Default).
    Swap the entry in this section under the tables AAA Server and Forward To > Submit + Restart.
    Then try to delete 169.x.x.x entry.
    Regards,
    Prem

  • Using multiple vendors of radius servers for backup

    Is it possible to use ISA server as a primary RADIUS server and Steel Belted as a backup? If so, is there some documentation on using them together?

    You could point the controller(s) to multiple AAA servers, but I'd like to point out that the way the controller uses them is in a serial manner. That means, unless the first configured AAA server fails, the traffic is not sent to the second AAA server, and so on. Therefore, it's not designed to load-balance across multiple AAA servers. Hope that helps.

  • Web Auth with AAA (RADIUS) Failure

    Hi Guys,
    We are having an issue with our Web Auth using AAA servers. We get the following error: AAA Authentication Failure for UserName:14t.park User Type: WLAN USER. This error is from the web interface. I have been looking at the debug settings to see if there is anything that might give me more detail of what is going on, but I can't see anything under the Web-Auth debug for AAA authentication.
    I have checked on our RADIUS servers and I can't find any errors relating to authentication with the NPS.
    Does anyone have any suggestions?

    Machine credentials require a lookup on the computer OU, and that has to be defined on the client side.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Acs se aaa server problem

    Hi
    I have installed ACS SE for PEAP authentication in a wireless network.
    However, when I install the ACS SE it shows me 2 profiles (self and deliverance) after the initial config in the AAA server window of network configuration.
    The name of the default server is deliverance and its IP is 169.x.x.x, which is the default NIC IP, as you can check during the initial startup configuration.
    Please help me to get this fixed.

    Hi.
    The name of the ACS SE listed in AAA Server section is "self".
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341780
    "In ACS SE, the name of the machine is listed as self."
    "deliverance1" is the default ACS SE name(hostname).
    Sometimes what happens is, even if we have the ACS SE connected to the network during initial configuration, and we change the name of the ACS SE from "deliverance1" to something that we want, after the changes have been made on the ACS SE it comes back and shows the IP 169.x.x.x associated with the new hostname.
    NOTE: I am assuming that during initial configuration the ACS SE was connected to the network. If not, then this is supposed to happen.
    In order to correct this issue, follow these steps:
    [1] On ACS hardware/appliance go to,
    Reports and Activity > Appliance Status Page >
    From "NIC Configuration", copy the IP address of the ACS SE.
    Interface Configuration > Advanced Options > check "Distributed System Settings" > Submit.
    Network Configuration > under "AAA Servers" > Search > type the IP address of the ACS hardware/appliance > Search.
    Note down the "Name" against the IP address of the ACS SE.
    Now go to Network Configuration > under "Proxy Distribution Table" > (Default) > make sure that the name that appeared against the IP address of the ACS hardware/appliance is in the "Forward To" column. If it is not, move it, move all other entries under the "AAA Servers" column, and press "Submit + Restart".
    And delete the entry from the AAA Server section, that is associated with IP address 169.x.x.x
    [2] Now, if you do not want the name that is shown in the Proxy Distribution Table, and want the one that is there in the section,
    System configuration > Appliance Configuration... Hostname section, associated with the correct IP address. Then do this,
    Establish Serial Console connection to ACS SE,
    Issue the command "set hostname " and then reboot the ACS SE by command, "reboot".
    [3] Once the ACS SE is back up, go to Network Configuration > under "Proxy Distribution Table" > (Default) > and make sure that the new name is in the "Forward To" column > Submit + Restart.
    Now, the correct IP address will be associated with the correct hostname.
    Regards.
    Prem

  • AAA question on FWSM

    Hi All,
    I've researched this issue and could not find a way to resolve it.
    If one of our ACS servers becomes unavailable the FWSM context marks it as Failed, and disables it. Is there an easy way to re-enable the ACS server on the FWSM context?
    Thanks.
    Jose Ribeiro
    Server Group:    ACS-Servers
    Server Protocol: tacacs+
    Server Address:  xxx.xxx.xxx.xxxh
    Server port:     49
    Server status:   FAILED, Server disabled at 13:04:36 EST Sat Feb 18 2012
    Number of pending requests              0
    Average round trip time                 5ms
    Number of authentication requests       4
    Number of authorization requests        0
    Number of accounting requests           0
    Number of retransmissions               0
    Number of accepts                       1
    Number of rejects                       3
    Number of challenges                    0
    Number of malformed responses           0
    Number of bad authenticators            0
    Number of timeouts                      0
    Number of unrecognized responses        0

    Hi All,
    Thanks for the replies.
    @eduardoaliaga, @Dan-Ciprian Cicioiu - I've configured the firewalls with 'reactivation-mode timed' but it did not work for aaa-servers already in FAILED status. It worked well if the server failed after the command was issued, but not before.
    @STEVE DUSSAULT - Steve, I had to remove the configuration and add it back in. I know it sounds dumb, but it was the only way I could solve it. I was not able to find a document that would give me any other option. The only thing I found was regarding the 'reactivation-mode' command, but as I explained above it only works if the server fails after the command is issued. Servers that were in failed state did not recover after the command was entered.
    Cheers,
    Jose
