AAA with RADIUS on ASA
Hey Everyone,
I am configuring AAA with RADIUS on our remote ASA firewalls. This is pretty straightforward, but I have some firewalls on which it is not working. I have upgraded the IOS image on the ASA 5510 to ASA804-K8.BIN on all of them. The strange part is that some of them are working and some of them are not.
Just wondering if anyone else has come across this before, and what info you need from me to give an assist.
Thanks in advance,
Kimberly
Hi Kimberly,
just curious: why 8.0.4 and not 8.0.5 ?
What are you using RADIUS for? What is the RADIUS server? Did you configure all the ASAs on the RADIUS server(s)? Did you use the correct shared secret?
Is there anything different between the working ASAs and the failing ones? Configuration, location in the network, etc?
If the above doesn't help please post the config of a failing ASA (or at least the relevant parts, and make sure to remove any sensitive data) and the output of:
debug radius
debug aaa authen
debug aaa common 254
You can test just the radius part with the cli command "test aaa-server authentication ..."
hth
Herbert
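Herbert's checklist (correct shared secret, every ASA registered on the server) comes down to how RADIUS authenticates its own packets. The following is an added example, not code from the thread or from Cisco: it models both ends of one Access-Request / Access-Accept exchange in pure Python (RFC 2865 password hiding, the RFC 2869 Message-Authenticator, the Response Authenticator the NAS checks, and cisco-avpair vendor attributes in the reply). All secrets, the user database, the NAS address and the avpair strings are constructed values. Running it shows what the debugs on a failing ASA are hiding: a secret mismatch does not produce a clean error, it produces a garbled password (so the server answers Access-Reject) and a reply whose authenticator the NAS cannot validate (so the NAS drops it and the login looks like a timeout).

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
VENDOR_SPECIFIC, MESSAGE_AUTHENTICATOR = 26, 80
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # enterprise number 9 (Cisco), vendor type 1


def _attr(atype, value):
    """One attribute: Type, Length (counting these 2 bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _cisco_avpair(text):
    """Vendor-Specific attribute carrying a cisco-avpair string."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def _password_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 password hiding: block_i XOR MD5(secret + previous cipher block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = chunk if decrypt else block
    return out


def hide_password(password, secret, authenticator):
    raw = password.encode()
    raw += b"\x00" * ((-len(raw)) % 16 if raw else 16)  # pad to whole 16-byte blocks
    return _password_blocks(raw, secret, authenticator, decrypt=False)


def unhide_password(hidden, secret, authenticator):
    plain = _password_blocks(hidden, secret, authenticator, decrypt=True)
    return plain.rstrip(b"\x00").decode(errors="replace")  # wrong secret => garbage


def build_access_request(ident, username, password, nas_ip, secret):
    """NAS side: Access-Request plus a Message-Authenticator (HMAC-MD5 over the
    packet with that attribute zeroed, keyed by the shared secret)."""
    authenticator = os.urandom(16)  # Request Authenticator
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    zeroed = attrs + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + _attr(MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Decode the TLV list; Cisco VSAs are returned as ('cisco-avpair', text)."""
    out, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            out.append(("cisco-avpair", value[6:].decode()))
        else:
            out.append((atype, value))
        i += alen
    return out


def server_reply(request, secret, users, avpairs):
    """Server side: recover the password with *its* secret, check it, and answer
    Access-Accept (with cisco-avpair VSAs) or Access-Reject. The Response
    Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    fields = dict(parse_attributes(request))
    password = unhide_password(fields[USER_PASSWORD], secret, req_auth)
    expected = users.get(fields[USER_NAME].decode(), "")
    ok = hmac.compare_digest(expected.encode(), password.encode())
    attrs = b"".join(_cisco_avpair(a) for a in avpairs) if ok else b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(request, response, secret):
    """NAS side: accept the reply only if the Identifier matches and the Response
    Authenticator validates under *our* secret; otherwise it is silently dropped,
    which the operator sees as a timeout rather than a clear error."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def exchange(client_secret=b"constructed-secret", server_secret=b"constructed-secret",
             password="constructed-pw"):
    """One round trip; returns (reply code, reply verified by NAS, reply attributes)."""
    users = {"test-user": "constructed-pw"}  # constructed user database
    req = build_access_request(102, "test-user", password, "10.36.0.132", client_secret)
    resp = server_reply(req, server_secret, users,
                        ["NCS:virtual-domain0=ROOT-DOMAIN", "NCS:role0=Admin"])
    return resp[0], verify_response(req, resp, client_secret), parse_attributes(resp)


if __name__ == "__main__":
    print("secrets match   :", exchange()[:2])                        # (2, True)
    print("bad password    :", exchange(password="wrong")[:2])        # (3, True)
    print("secret mismatch :", exchange(server_secret=b"other")[:2])  # (3, False)
```

The practical reading of the three runs: a bad password gives a verifiable Access-Reject (the debugs show a clean reject), while a bad shared secret gives a reject the NAS cannot even trust, so `test aaa-server authentication` and `debug radius` on an ASA with the wrong secret look like the server never answered. A real server would also check the Message-Authenticator before doing anything else; that check is omitted here for brevity.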
Similar Messages
-
ASA , Cisco VPN client with RADIUS authentication
Hi,
I have configured ASA for Cisco VPN client with RADIUS authentication using Windows 2003 IAS.
All seems to be working I get connected and authenticated. However even I use user name and password from Active Directory when connecting with Cisco VPN client I still have to provide these credentials once again when accessing domain resources.
Should it work like this? Would it be possible to configure ASA/IAS/VPN client in such a way so I enter user name/password just once when connecting and getting access to domain resources straight away?
Thank you.
Kind regards,
Alex
Hi Alex,
It is working as it should.
You can enable the vpn client to start vpn before logon. That way you login to vpn and then logon to the domain. However, you are still entering credentials twice ( vpn and domain) but you have access to domain resources and profiles.
thanks
John -
ISDN Authorization with RADIUS using ISE 1.1.2
Hi,
I am trying to move my ISDN dialup branches' authentication/authorization from the old ACS 4.1 to the ISE appliance. Before it was through ACS 4.2 with the TACACS protocol, but now that we are moving to ISE we are moving them to ISE with RADIUS.
The problem is that the ISDN client gets authenticated and authorized, but the calls get dropped and they aren't able to communicate with HO. The IP address is assigned by the Head End router to all remote ISDN dialing branches.
I have used the default "PermitAccess" in the authorization policy and the authentication policy is also default. I don't understand where I am going wrong, as authentication and authorization are successful.
Below is the router configuration for AAA:
aaa authentication ppp default group radius local
aaa authentication network default group radius
aaa accounting network default start-stop group radius
radius-server host 12.18.22.41
radius-server key *****
Can anyone help with this?
CoA is not needed, nor supported for ISDN AAA; I used ACS 3.3 for this a long time ago. I think you should do some debugging if ISE does not give you any errors.
Try doing some debug aaa / debug radius & deb ppp nego. If your calls are authenticated and an IP is assigned to the calling router, you should see some disconnect reason in the debug. -
Cisco PI 1.3 - Internal Server Error with RADIUS-authentication
Hi,
I have a problem with a Cisco Prime Infrastructure 1.3 (appliance, fully patched) that I'm trying to authenticate against a Radiator RADIUS server.
From the RADIUS server's point of view it looks fine, but I just get an HTTP Status 500 internal error (see attached image) when trying to log in.
I'm not the one managing the RADIUS server, but I got the following debug sent from them:
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Received from 10.36.0.132 port 17235 ....
Code: Access-Request
Identifier: 102
Authentic: REMOVED
Attributes:
User-Name = "test-user"
User-Password = REMOVED
NAS-IP-Address = 10.36.0.132
Message-Authenticator = REMOVED
Wed Oct 30 08:52:06 2013: DEBUG: Handling request with Handler 'Client-Identifier=/^prime[.]net[.]REMOVED[.]se$/', Identifier 'Network-Prime-AAA'
Wed Oct 30 08:52:06 2013: DEBUG: Deleting session for test-user, 10.36.0.132,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthUNIX:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthUNIX ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy UNIX result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Handling with Radius::AuthFILE:
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE looks for match with test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: Radius::AuthFILE ACCEPT: : test-user [test-user]
Wed Oct 30 08:52:06 2013: DEBUG: AuthBy FILE result: ACCEPT,
Wed Oct 30 08:52:06 2013: DEBUG: Access accepted for test-user
Wed Oct 30 08:52:06 2013: DEBUG: Packet dump:
*** Sending to 10.36.0.132 port 17235 ....
Code: Access-Accept
Identifier: 102
Authentic: REMOVED
Attributes:
cisco-avpair = "NCS:virtual-domain0=ROOT-DOMAIN"
cisco-avpair = "NCS:role0=Admin"
cisco-avpair = "NCS:task0=View Alerts and Events"
cisco-avpair = "NCS:task1=Device Reports"
..the rest of the AV-pairs removed
Does anyone have any idea what the problem is, or some tips on how to troubleshoot? (Rebooting and ncs stop/start have no impact on the issue.)
//Charlie
I ran into a similar issue this morning in my lab. After I issued ncs status, the database service came back as not running. I stop/started the Prime services and it came up. Once all the services were running my WLC imported with no issues. I also deployed another server for another lab and it had issues with the clock being out of sync.
-
Aironet 2702i Autonomous - Web-Authentication with Radius Window 2008
Hi Guys,
I have a problem with this case. My sample diagram is like this: AD (Win2008) - RADIUS (Win2008) - Aironet 2702i => using Web-Auth for end users.
This is my configuration file on the Aironet 2702i:
Aironet2702i#show run
Building configuration...
Current configuration : 8547 bytes
! Last configuration change at 05:08:25 +0700 Fri Oct 31 2014 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Aironet2702i
logging rate-limit console 9
aaa new-model
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login DTSGROUP group radius
aaa authentication login webauth group radius
aaa authentication login weblist group radius
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa session-id common
clock timezone +0700 7 0
no ip source-route
no ip cef
ip admission name webauth proxy http
ip admission name webauth method-list authentication weblist
no ip domain lookup
ip domain name dts.com.vn
dot11 syslog
dot11 activity-timeout unknown default 1000
dot11 activity-timeout client default 1000
dot11 activity-timeout repeater default 1000
dot11 activity-timeout workgroup-bridge default 1000
dot11 activity-timeout bridge default 1000
dot11 vlan-name DTSGroup vlan 46
dot11 vlan-name L6-Webauthen-test vlan 45
dot11 vlan-name NetworkL7 vlan 43
dot11 vlan-name SGCTT vlan 44
dot11 ssid DTS-Group
vlan 46
authentication open eap DTSGROUP
authentication key-management wpa version 2
mbssid guest-mode
dot11 ssid DTS-Group-Floor7
vlan 43
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 013D03104C0414040D4D5B5E392559
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
dot11 ssid SaigonCTT-Public
vlan 44
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 04480A0F082E424D1D0D4B141D06421224
dot11 arp-cache optional
dot11 adjacent-ap age-timeout 3
eap profile DTSGROUP
description testwebauth-radius
method peap
method mschapv2
method leap
username TRIHM privilege 15 secret 5 $1$y1J9$3CeHRHUzbO.b6EPBmNlFZ/
username ADMIN privilege 15 secret 5 $1$IvtF$EP6/9zsYgqthWqTyr.1FB0
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 46 mode ciphers aes-ccm
encryption mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
ssid DTS-Group
ssid DTS-Group-Floor7
ssid L6-Webauthen-test
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
stbc
mbssid
packet retries 128 drop-packet
channel 2412
station-role root
rts threshold 2340
rts retries 128
ip admission webauth
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface Dot11Radio1
no ip address
shutdown
encryption vlan 46 mode ciphers aes-ccm
encryption vlan 44 mode ciphers aes-ccm
encryption vlan 1 mode ciphers aes-ccm
encryption vlan 43 mode ciphers aes-ccm
encryption vlan 45 mode ciphers ckip-cmic
ssid DTS-Group
ssid DTS-Group-Floor7
ssid SaigonCTT-Public
countermeasure tkip hold-time 0
antenna gain 0
peakdetect
dfs band 3 block
stbc
mbssid
packet retries 128 drop-packet
channel 5745
station-role root
rts threshold 2340
rts retries 128
interface Dot11Radio1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 subscriber-loop-control
bridge-group 43 spanning-disabled
bridge-group 43 block-unknown-source
no bridge-group 43 source-learning
no bridge-group 43 unicast-flooding
interface Dot11Radio1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 subscriber-loop-control
bridge-group 44 spanning-disabled
bridge-group 44 block-unknown-source
no bridge-group 44 source-learning
no bridge-group 44 unicast-flooding
ip admission webauth
interface Dot11Radio1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 subscriber-loop-control
bridge-group 45 spanning-disabled
bridge-group 45 block-unknown-source
no bridge-group 45 source-learning
no bridge-group 45 unicast-flooding
ip admission webauth
interface Dot11Radio1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 subscriber-loop-control
bridge-group 46 spanning-disabled
bridge-group 46 block-unknown-source
no bridge-group 46 source-learning
no bridge-group 46 unicast-flooding
interface GigabitEthernet0
no ip address
duplex auto
speed auto
dot1x pae authenticator
dot1x authenticator eap profile DTSGROUP
dot1x supplicant eap profile DTSGROUP
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet0.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet0.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet0.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet0.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet1.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface GigabitEthernet1.43
encapsulation dot1Q 43
bridge-group 43
bridge-group 43 spanning-disabled
no bridge-group 43 source-learning
interface GigabitEthernet1.44
encapsulation dot1Q 44
bridge-group 44
bridge-group 44 spanning-disabled
no bridge-group 44 source-learning
interface GigabitEthernet1.45
encapsulation dot1Q 45
bridge-group 45
bridge-group 45 spanning-disabled
no bridge-group 45 source-learning
interface GigabitEthernet1.46
encapsulation dot1Q 46
bridge-group 46
bridge-group 46 spanning-disabled
no bridge-group 46 source-learning
interface BVI1
mac-address 58f3.9ce0.8038
ip address 172.16.1.62 255.255.255.0
ipv6 address dhcp
ipv6 address autoconfig
ipv6 enable
ip forward-protocol nd
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius server 172.16.50.99
address ipv4 172.16.50.99 auth-port 1645 acct-port 1646
key 7 104A1D0A4B141D06421224
bridge 1 route ip
line con 0
logging synchronous
line vty 0 4
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
end
This is my log file on the RADIUS server (Windows 2008):
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: S-1-5-21-858235673-3059293199-2272579369-1162
Account Name: xxxxxxxxxxxxxxxx
Account Domain: xxxxxxxxxxx
Fully Qualified Account Name: xxxxxxxxxxxxxxxxxxx
Client Machine:
Security ID: S-1-0-0
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
So I will explain the problems I have seen:
SSID DTS-Group uses EAP authentication with RADIUS and it works great (the Authentication Type from the Aironet to RADIUS is PEAP).
SSID L6-Webauthen-test uses web-auth and I tried to combine it with RADIUS, but the ROOT CAUSE is that the default AUTHENTICATION TYPE from the Aironet to RADIUS is PAP (Reason Code: 66).
=> I have been trying to find out how to change the Authentication Type of Web-Auth on the Cisco Aironet from PAP to PEAP, or something like that, to combine it with RADIUS.
Any idea or recommendation for me?
Thanks for looking at my case.
Hi Dhiresh Yadav,
Many thanks for your reply,
I will explain again to clarify my problem.
In this case, I had completely set up SSID DTS-Group with PEAP authentication combined with a RADIUS server running on Windows 2008.
I logged in to the SSID with an account created in AD => it works okay for me. Done.
The problem occurs when I try to use Web-authentication on VLAN 45 with this SSID:
dot11 ssid L6-Webauthen-test
vlan 45
web-auth
authentication open
dot1x eap profile DTSGROUP
mbssid guest-mode
After configuring the Aironet and the Windows RADIUS server, I tried to log in with an account created in AD via the web browser, but it fails (I see a small popup saying "Authentication Fail"). So I went to the RADIUS server and searched the log in Event Viewer.
This is my log file on the RADIUS server (Windows 2008):
Network Policy Server denied access to a user.
NAS:
NAS IPv4 Address: 172.16.1.62
NAS IPv6 Address: -
NAS Identifier: Aironet2702i
NAS Port-Type: Async
NAS Port: -
RADIUS Client:
Client Friendly Name: Aironet2702i
Client IP Address: 172.16.1.62
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: DTSWIRELESS
Authentication Provider: Windows
Authentication Server: xxxxxxxxxxxxxx
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
I think the ROOT CAUSE is:
PAP is the default authentication type for web-auth users on the Aironet 2702i, so it can't be combined with RADIUS on Windows 2008 because that only supports PEAP (CHAPv1, CHAPv2, ...) => Please give me a tip on how to change the Authentication Type from PAP to PEAP for Web Authentication on the Aironet -
Good morning all,
I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco devices. I have configured the ACS to perform group mapping on the personnel I want to give access privileges to. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local authentication for our console with enable privileges. Can this be done? Any help would be appreciated.
Dwane
For routers and IOS switches:
aaa new-model
aaa authentication banner *Unauthorized Access Prohibited*
aaa authentication login default group radius
radius-server host 10.10.10.10 (your acs device)
radius-server key cisco123
radius-server configure-nas
username nmg password telnet
aaa authentication ppp dialins group radius local
aaa authentication login nmg local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
aaa processes 16
line 1 16
login authentication
For CatOS switches:
Set radius-server 10.10.10.10
show radius
set radius key cisco123
set authentication login radius enable
set authentication enable radius enable
show authentication
set radius timeout 5
set radius retransmit 3
set radius deadtime 3
For Pix Firewalls:
aaa authentication ssh console radius LOCAL
aaa authentication telnet console radius LOCAL
aaa-server radgroup protocol RADIUS
max-failed-attempts 2
reactivation-mode depletion deadtime 5
exit
(NOTE: this will depend on the location of the PIX firewall)
aaa-server radgroup (inside) host 10.10.10.10
key XXXXXXX
exit
aaa-server radgroup(inside) host 10.10.10.10
key XXXXXX
exit
This is pretty much what we used for the configurations in our test. It looks like most of your switches are IOS based, so that will be nice for you.
If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the RADIUS IETF attributes: ensure that [006] Service-Type is checked, scroll down to Administrative and click Submit & Restart.
Hope this helps some. I had a lot of help from Cisco TAC on this.
Dwane -
Exec authorization with radius..
Hi guys, I was configuring auth-proxy. I had:
m/c---(inside)router(outside)---internet
Now I want a normal user to not be able to get telnet access to my router; only certain users can have telnet access from the inside. I don't want to use NAR. I want to do this only with RADIUS authorization.
I was looking at controlling the access of users to the router with the help of RADIUS.
aaa authorization exec default group tacacs+
When I use the above command I know that I can control shell access by checking the shell box, but when I use the command below
aaa authorization exec default group radius
I was not able to find any particular RADIUS AV-pair which can control exec shell access the way the above one does.
Hi,
Make use of this,
shell:priv-lvl=15
shell:autocmd=exit
So what will happen with this is, as soon as user tries to log into shell, BOOM!, user will exit out.
NOTE: I have not tried this exactly, but should work, you might be required to use separator, ";" i.e.,
shell:priv-lvl=15;
shell:autocmd=exit
Regards,
Prem -
Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points
Hi Guys,
I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assign him to a specific VLAN based on his group membership.
The problem here is that I don't have an AP controller, only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
I go through some references:
3.5 RADIUS-Based VLAN Access Control
As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
There are two different ways to implement RADIUS-based VLAN access control features:
1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
extract from: Wireless Virtual LAN Deployment Guide
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
==============================================================
Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
==============================================================
Controller: Wireless Domain Services Configuration
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
Any help on this issue is appreciated.
Thanks.
I'm not sure if the Autonomous APs have the option for AAA Override. On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a RADIUS server to send back the VLAN.
I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override". I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
Hope this helps -
How to create a new user aaa with same rights as existing user bbb ?
Assume user bbb already exists in an Oracle 10g database.
How can I create a new user aaa with the same rights/permissions as the old user bbb?
Is this procedure/command also working if the old user is user "system" (=dbadmin)?
There is some possibility to generate an EXPDP dump file which contains only the DDL statements related to the account and its privileges: the EXCLUDE/INCLUDE parameter can help.
For example, the following EXPDP statements seem to work with the SYSTEM account:
expdp / schemas=system content=metadata_only exclude=table,sequence,package,function,procedure,synonym,type view dumpfile=DPD:system.dmp logfile=DPD:system.log
Export: Release 10.2.0.2.0 - Production on Thursday, 14 February, 2008 9:41:36
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Starting "OPS$XXX"."SYS_EXPORT_SCHEMA_01": /******** schemas=system content=metadata_only exclude=table,sequence,package,function,procedure,synonym,type view dumpfile=DPD:system.dmp logfile=DPD:system.log
Processing object type SCHEMA_EXPORT/USER
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
Master table "OPS$XXX"."SYS_EXPORT_SCHEMA_01" successfully loaded/unloaded
Dump file set for OPS$XXX.SYS_EXPORT_SCHEMA_01 is:
C:\TEMP\SYSTEM.DMP
Job "OPS$XXX"."SYS_EXPORT_SCHEMA_01" successfully completed at 09:41:41
impdp / sqlfile=dpd:system.sql dumpfile=DPD:system.dmp logfile=DPD:system.log
Import: Release 10.2.0.2.0 - Production on Thursday, 14 February, 2008 9:42:46
Copyright (c) 2003, 2005, Oracle. All rights reserved.
Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
With the Partitioning, OLAP and Data Mining options
Master table "OPS$XXX"."SYS_SQL_FILE_FULL_05" successfully loaded/unloaded
Starting "OPS$XXX"."SYS_SQL_FILE_FULL_05": /******** sqlfile=dpd:system.sql dumpfile=DPD:system.dmp logfile=DPD:system.log
Processing object type SCHEMA_EXPORT/USER
Processing object type SCHEMA_EXPORT/SYSTEM_GRANT
Processing object type SCHEMA_EXPORT/ROLE_GRANT
Processing object type SCHEMA_EXPORT/DEFAULT_ROLE
Processing object type SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
Processing object type SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
Job "OPS$XXX"."SYS_SQL_FILE_FULL_05" successfully completed at 09:42:50
and system.sql is:
-- CONNECT OPS$XXX
-- new object type path is: SCHEMA_EXPORT/USER
-- CONNECT SYSTEM
ALTER USER "SYSTEM" IDENTIFIED BY VALUES '970BAA5B81930A40'
TEMPORARY TABLESPACE "TEMP";
-- new object type path is: SCHEMA_EXPORT/SYSTEM_GRANT
GRANT GLOBAL QUERY REWRITE TO "SYSTEM";
GRANT CREATE MATERIALIZED VIEW TO "SYSTEM";
GRANT SELECT ANY TABLE TO "SYSTEM";
GRANT CREATE TABLE TO "SYSTEM";
GRANT UNLIMITED TABLESPACE TO "SYSTEM" WITH ADMIN OPTION;
-- new object type path is: SCHEMA_EXPORT/ROLE_GRANT
GRANT "DBA" TO "SYSTEM" WITH ADMIN OPTION;
GRANT "AQ_ADMINISTRATOR_ROLE" TO "SYSTEM" WITH ADMIN OPTION;
GRANT "MGMT_USER" TO "SYSTEM";
-- new object type path is: SCHEMA_EXPORT/DEFAULT_ROLE
ALTER USER "SYSTEM" DEFAULT ROLE ALL;
-- new object type path is: SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
BEGIN
sys.dbms_logrep_imp.instantiate_schema(schema_name=>SYS_CONTEXT('USERENV','CURRENT_SCHEMA'), export_db_name=>'BAS002.REGRESS.RDBMS.DEV.US.ORACLE.COM', inst_scn=>'1456160');
COMMIT;
END;
-- new object type path is: SCHEMA_EXPORT/POST_SCHEMA/PROCACT_SCHEMA
BEGIN
SYS.DBMS_AQ_IMP_INTERNAL.CLEANUP_SCHEMA_IMPORT;
COMMIT;
END;
/
These export and import steps don't take into account privileges granted on schema objects belonging to another user, likely due to the EXCLUDE statements.
Message was edited by:
Pierre Forstmann -
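The expdp/impdp route above leaves one step to the reader: the generated system.sql still names the old user and carries its password hash, and it has to be retargeted before it can create the new account. The following is an added example, not code from the thread or from Oracle: a Python rewriter that splits an impdp SQLFILE into statements, keeps the GRANT and ALTER USER statements that apply to the old user, rewrites them for the new user, and replaces the exported IDENTIFIED BY VALUES hash with a placeholder password so the clone never inherits the old credential. The sample SQLFILE is constructed in the shape of the system.sql shown above (user BBB rather than SYSTEM, an assumed grant list and a dummy hash). Everything the rewriter does not recognise (the PL/SQL blocks, COMMITs) is returned separately so nothing is silently lost.

```python
import re

# An impdp SQLFILE wraps long statements over several lines and separates
# PL/SQL blocks with a bare "/"; statements end with ";".
GRANT_RE = re.compile(r'^GRANT\s+(.+?)\s+TO\s+"([^"]+)"(\s+WITH ADMIN OPTION)?;$', re.IGNORECASE)
ALTER_USER_RE = re.compile(r'^ALTER USER\s+"([^"]+)"\s+(.*);$', re.IGNORECASE)
PASSWORD_RE = re.compile(r"IDENTIFIED BY VALUES\s+'[^']*'\s*", re.IGNORECASE)


def split_statements(sql_text):
    """Join wrapped lines into ';'-terminated statements; drop comments and '/'."""
    stmts, buf = [], []
    for line in sql_text.splitlines():
        s = line.strip()
        if not s or s.startswith("--") or s == "/":
            continue
        buf.append(s)
        if s.endswith(";"):
            stmts.append(" ".join(buf))
            buf = []
    return stmts


def clone_privileges(sql_text, old_user, new_user, temp_password="<set-a-real-password>"):
    """Rewrite the DDL exported for old_user so it creates and provisions new_user.

    Returns (ddl, skipped): ddl is the list of statements to run in order,
    skipped is every statement the rewriter did not recognise as a privilege.
    Object privileges granted on other schemas' objects are not in the export
    (see the thread), so they must be collected separately, e.g. from DBA_TAB_PRIVS.
    """
    old, new = old_user.upper(), new_user.upper()
    ddl = [f'CREATE USER "{new}" IDENTIFIED BY "{temp_password}";']  # placeholder password
    skipped = []
    for stmt in split_statements(sql_text):
        m = GRANT_RE.match(stmt)
        if m and m.group(2).upper() == old:
            ddl.append(f'GRANT {m.group(1)} TO "{new}"{m.group(3) or ""};')
            continue
        m = ALTER_USER_RE.match(stmt)
        if m and m.group(1).upper() == old:
            rest = PASSWORD_RE.sub("", m.group(2)).strip()  # never copy the password hash
            if rest:  # e.g. TEMPORARY TABLESPACE "TEMP", DEFAULT ROLE ALL
                ddl.append(f'ALTER USER "{new}" {rest};')
            continue
        skipped.append(stmt)  # PL/SQL blocks, COMMIT, anything else
    return ddl, skipped


# Constructed sample in the shape of the impdp SQLFILE shown in the thread.
SAMPLE_SQLFILE = """-- CONNECT OPS$XXX
-- new object type path is: SCHEMA_EXPORT/USER
ALTER USER "BBB" IDENTIFIED BY VALUES 'DEADBEEF00000000'
 TEMPORARY TABLESPACE "TEMP";
-- new object type path is: SCHEMA_EXPORT/SYSTEM_GRANT
GRANT CREATE SESSION TO "BBB";
GRANT SELECT ANY TABLE TO "BBB";
GRANT UNLIMITED TABLESPACE TO "BBB" WITH ADMIN OPTION;
-- new object type path is: SCHEMA_EXPORT/ROLE_GRANT
GRANT "RESOURCE" TO "BBB";
GRANT "DBA" TO "BBB" WITH ADMIN OPTION;
-- new object type path is: SCHEMA_EXPORT/DEFAULT_ROLE
ALTER USER "BBB" DEFAULT ROLE ALL;
-- new object type path is: SCHEMA_EXPORT/PRE_SCHEMA/PROCACT_SCHEMA
BEGIN
sys.dbms_logrep_imp.instantiate_schema(schema_name=>SYS_CONTEXT('USERENV','CURRENT_SCHEMA'), export_db_name=>'DB.EXAMPLE', inst_scn=>'1');
COMMIT;
END;
/
"""

if __name__ == "__main__":
    statements, leftovers = clone_privileges(SAMPLE_SQLFILE, "bbb", "aaa")
    print("\n".join(statements))
    print(f"-- {len(leftovers)} statement(s) not applied; review them by hand")
```

Before running the output, review the grant list itself: copying SYSTEM (DBA WITH ADMIN OPTION, SELECT ANY TABLE) reproduces an administrator, so a clone meant for a lesser role should have the unneeded grants pruned rather than applied wholesale.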
WLC- dynamic Vlan assignment with Radius
Hello, we would like to use this feature in our company, and because of that I am now testing it. But I found one problem.
I created one testing SSID and two VLANs on the WLC. On ACS I use the IETF attributes (064, 065, 081) for my account, and I am changing the VLAN ID (081) during testing.
It works with LEAP, but when I use PEAP-GTC (which we use commonly in our company) the IP address is not assigned properly (the IP which was assigned before remains).
Could you please help me?
There is a good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
-
NAC guest server with RADIUS authentication for guests issue.
Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse
Well, I will try to answer your 2nd question.... will it work... yes. It is like any other RADIUS server (high end:)). But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to, and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and, last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion. -
License with anyconnect on asa 5520
Dear All,
We have a single ASA 5510 with version 7.2 (3) in our network and configured many IPSEC site to site, IPSEC - remote access vpn and webvpn with SSL. Everything is working well.
ASA-5510# sh ver
Cisco Adaptive Security Appliance Software Version 7.2(3)
Device Manager Version 5.2(2)
Compiled on Wed 15-Aug-07 16:08 by builders
System image file is "disk0:/asa723-k8.bin"
Config file at boot was "startup-config"
ASA-5510-1 up 86 days 11 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 0027.0d38.034e, irq 9
1: Ext: Ethernet0/1 : address is 0027.0d38.034f, irq 9
2: Ext: Ethernet0/2 : address is 0027.0d38.0350, irq 9
3: Ext: Ethernet0/3 : address is 0027.0d38.0351, irq 9
4: Ext: Management0/0 : address is 0027.0d38.0352, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 25
This platform has an ASA 5510 Security Plus license.
===============================================================================================
As business improves we are now planning to upgrade our ASA 5510 to ASA 5520 (2 units, version 8.2(5)). With the new ASA 5520 we would be planning to buy AnyConnect VPN licenses as well.
Finally we will need on the ASA 5520 IPSEC site to site vpn, IPSEC remote access vpn, clientless vpn with SSL & AnyConnect vpn license. What licences should I purchase in order to have all the above services on the box with version 8.2(5)?
Suppose I need to have Cisco desktop software, which license should I have along with the other services?
Thanks in advance
I am just away from office .. Will provide same tomorrow...
Meanwhile "L-ASA-SSL-50=ASA 5500 SSL VPN 50 Premium User License" is the licence I have procured from Cisco. I would need
both AnyConnect VPN & SSL clientless to be working on the system. Hope I would achieve this with the above license.
Below is the output I got when I generated the licence key. Please clarify. Thanks in advance
Failover : Enabled
Encryption-DES : Enabled
Encryption-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
AnyConnect Premium Peers : 50
Other VPN Peers : 750
Advanced Endpoint Assessment : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Shared License : Disabled
UC Phone Proxy Sessions : Default
Total UC Proxy Sessions : Default
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
Intercompany Media Engine : Disabled -
FlexConnect & ISE ACLs - AAA Overide/RADIUS NAC
Hi Chaps,
I have 3 ACLs configured on a WLC for CWA, Corp and Guest users. On local mode APs, these are called up using the Airespace fields in the ISE policies dependent on what rule is hit.
ACL-WEBAUTH-REDIRECT
ACL-PERMIT-CORP-TRAFFIC
ACL-PERMIT-GUEST-TRAFFIC
Will FlexConnect APs call up the ACLs in the same way as local mode, as the WLAN will be AAA Override/RADIUS NAC, or will FC ACLs be required?
Cheers,
N
I believe you need to create Flex ACLs on the fWLC. These Flex ACLs can be called the same as regular ACLs, so in ISE you wouldn't have to change the auth profile.
-
3850 switch configure with radius server
Wi-Fi users authenticating with a RADIUS server; configuration required.
Posted by WebUser Raja Sekhar from Cisco Support Community App
Kindly check the following links for configuring 802.1x
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_0101.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html -
How to configure ACS to authenticate Modem with radius
Hi,
How do I configure ACS to authenticate and authorize modem users with RADIUS? My problem is with authorization (authentication is OK in the debug). Do I need to configure specific AV pairs (006 and 007 in IETF)?
Hi Dominic,
Do we have a Microsoft RADIUS server or ACS?
Yes, these attributes should be configured.
006-service-type: login
007-framed-protocol: PPP
HTH
JK
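The RADIUS exchange behind the two attributes JK names, as an added example that is not part of this thread or of Cisco's code: a NAS builds an Access-Request carrying User-Name, the RFC 2865 hidden User-Password, Service-Type=Login (IETF 006) and Framed-Protocol=PPP (IETF 007); a toy server recovers the password, decides, and signs its reply with the Response Authenticator; the NAS then checks that signature before trusting the verdict. The NAS address, username, shared secrets and user table are constructed sample values. The last function also shows what a wrong shared secret looks like on the wire: the server cannot recover the password and rejects, and the NAS cannot validate the reply it gets back.

```python
import hashlib
import secrets
import struct

# RADIUS packet codes and IETF attribute numbers (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, FRAMED_PROTOCOL = 1, 2, 4, 6, 7
SERVICE_TYPE_LOGIN, FRAMED_PROTOCOL_PPP = 1, 1   # 006 "Login", 007 "PPP"


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    # Inverse of hide_password, as the RADIUS server does it.
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each AVP is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], pkt[20:]


def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def build_access_request(username, password, secret, nas_ip, ident):
    # NAS side. The Request Authenticator must be unpredictable: it keys the password hiding.
    request_auth = secrets.token_bytes(16)
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)),
        (FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, secret, users):
    # Toy server (stands in for ACS): recover the password, decide, sign the reply.
    code, ident, request_auth, attr_bytes = parse_packet(request)
    attrs = dict(decode_attrs(attr_bytes))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    stored = users.get(attrs[USER_NAME].decode(errors="replace"))
    given = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = stored is not None and secrets.compare_digest(stored, given)
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    # On accept, echo the service attributes back as the authorization result.
    resp_attrs = encode_attrs([(t, attrs[t]) for t in (SERVICE_TYPE, FRAMED_PROTOCOL)
                               if t in attrs]) if ok else b""
    auth = response_authenticator(resp_code, ident, request_auth, resp_attrs, secret)
    return build_packet(resp_code, ident, auth, resp_attrs)


def client_verify(response, request, secret):
    # NAS side: drop replies whose identifier or Response Authenticator does not match.
    rcode, rid, rauth, rattrs = parse_packet(response)
    _, qid, qauth, _ = parse_packet(request)
    if rid != qid:
        raise ValueError("identifier mismatch")
    expected = response_authenticator(rcode, rid, qauth, rattrs, secret)
    if not secrets.compare_digest(rauth, expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return rcode == ACCESS_ACCEPT


def run_exchange(username, password, nas_secret, server_secret, users):
    # Full round trip: True on Accept, False on Reject, ValueError if the reply fails validation.
    request = build_access_request(username, password, nas_secret, "10.0.0.1", ident=7)
    response = server_handle(request, server_secret, users)
    return client_verify(response, request, nas_secret)
```

Two things worth noticing when reading the code against a failing ASA: the password is only as protected as the MD5 keystream derived from the shared secret and a random Request Authenticator, so RADIUS should stay on a management network or inside IPsec; and a secret mismatch never produces an error message from the server, only an Access-Reject whose Response Authenticator the NAS cannot verify, which is why the symptom is simply "authentication fails".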