Adding AAA servers to ACS to use Proxy RADIUS distribution Table

Hello,
I've added two non-ACS RADIUS servers (Radiator) to the AAA servers in Network Configuration, in order to use them in a proxy distribution table.
I had problems authenticating users through those servers, so I did a sniffer trace on the outside interface of the ACS.
What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, which is the expected standard and the port the other servers are listening on. How can I change this behaviour?
Thanks
Gustavo

ACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\<server>\RADIUS] (where <server> is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
"authPort"=dword:0000066e <<---- 1645
"acctPort"=dword:0000066d <<---- 1646
"timeout"=dword:00000001
"single connection"=dword:00000000
"strip users"=dword:00000000
You don't need all of them, you can just change the authPort to 1812 (714 in hex) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too so make sure you type them in EXACTLY as I've shown above.

Similar Messages

  • Replication overwrites the AAA servers table in the secondary server

    Hi,
    I've configured two ACS servers with replication, but I noticed that when the replication takes place it overwrites the AAA servers table configured in the network configuration of the secondary server, and that makes the next replication fail because the two servers then have the same configuration of AAA servers. If I uncheck "Network Configuration Device tables" and "Network Access Profiles" in "Database Replication Setup", which includes the AAA servers table, I also miss the replication of the new network devices that are added on the master server.
    Do you know how I can exclude only the AAA servers table from the replication?
    Another thing is that I configured the Outbound replication as "Automatically triggered cascade". I'm not sure if this means that at the exact moment there is a change on the primary server it will replicate it to the secondary, because if that is the case it is not doing it.
    Thanks in advance for your help

    Hi,
    I understand, thanks a lot for making that clear!
    I now have another situation and I was wondering if you can help me. I made some changes in the AAA servers trying to solve this situation but I wasn't able to, so I left the servers configured the same way they were when the replication was working, but now it is not. On the master server I get this message:
    ERROR ACS 'LACSLVBCDVAS007' has denied replication request
    and in the second server i get this:
    ERROR Inbound database replication from ACS 'lacslvbcpvas011' denied - shared secret mismatch
    I've checked that the same key is configured for both and they are the same. I've deleted the AAA servers and configured them again and restarted the services, but the problem remains. Do you have any idea what this could be?
    Thanks in advance for your help.
    Best Regards,

  • Use of proxy distribution table in ACS v4.0

    Hi All,
    We are running Cisco ACS v4.0 as AAA server. Here I need to use the Proxy Distribution Table.
    Why is this required and what is its functionality?
    Regards
    Suresh

    Use ACS as a proxy in a distributed environment.
    Using proxy, ACS automatically forwards authentication requests from AAA clients to AAA servers. After the request has been successfully authenticated, the authorization privileges that you configured for the user on the remote AAA server are passed back to the original ACS, where the AAA client applies the user profile information for that session.
    Fallback on Failed Connection
    You can configure the order in which ACS checks remote AAA servers if a failure of the network connection to the primary AAA server occurs. If an authentication request cannot be sent to the first listed server, because of a network failure for example, the next listed server is checked. This checking continues, in order, down the list, until one of the AAA servers handles the authentication request. (Failed connections are detected by failure of the nominated server to respond within a specified time period. That is, the request is timed out.) If ACS cannot connect to any server in the list, authentication fails.
    Stripping
    Stripping allows ACS to remove, or strip, the matched character string from the username. When you enable stripping, ACS examines each authentication request for matching information.
    Regards,
    Jatin Katyal
    - Do rate helpful posts -
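The three behaviours described above (character-string match, stripping, ordered fallback on timeout) as an added Python model; this is illustrative code written for this page, not Cisco's implementation. It assumes a table of entries with a match string (modelled here as a suffix match, with "(Default)" as the catch-all), an ordered server list and a strip flag, and a `send(server, user)` callable that returns the remote verdict or None when the server does not answer within the timeout.

```python
def match_entry(username, table):
    """Return the first non-default entry whose string is a suffix of the username, else the default."""
    for entry in table:
        if entry["match"] != "(Default)" and username.endswith(entry["match"]):
            return entry
    for entry in table:
        if entry["match"] == "(Default)":
            return entry
    return None


def strip_match(username, match):
    """Remove the matched character string from the username (the 'strip' option)."""
    return username[: -len(match)] if match and username.endswith(match) else username


def route_request(username, table, send):
    """Forward to each listed server in order; the first reply wins, otherwise authentication fails."""
    entry = match_entry(username, table)
    if entry is None:
        return {"ok": False, "reason": "no matching entry"}
    forwarded = strip_match(username, entry["match"]) if entry["strip"] else username
    for server in entry["servers"]:
        verdict = send(server, forwarded)
        if verdict is not None:  # Accept or Reject both end the search; None means timeout
            return {"ok": verdict, "server": server, "user": forwarded}
    return {"ok": False, "reason": "all servers timed out", "user": forwarded}


# Constructed table: a remote realm served by two hypothetical Radiator hosts, and a local default.
TABLE = [
    {"match": "@lab.example", "servers": ["radiator1", "radiator2"], "strip": True},
    {"match": "(Default)", "servers": ["self"], "strip": False},
]


def fake_send(server, user, down=("radiator1",)):
    """Constructed transport: hosts in `down` never answer; others accept only user 'alice'."""
    if server in down:
        return None
    return user == "alice"


if __name__ == "__main__":
    print(route_request("alice@lab.example", TABLE, fake_send))
    print(route_request("bob", TABLE, fake_send))
```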

  • ACS error, AAA Server is a referenced in the Proxy Distribution Table

    When installing the ACS appliance (4.1) I have an issue. During the setup it prompts for a static address, gateway and DNS. This is fine, and network connectivity is tested during this time and succeeds.
    The issue appears when logging in to the GUI under Network Configuration > AAA servers.
    AAA server AAA server IP address AAA server type
    self 10.10.10.1 CiscoSecure ACS
    ciscoacs 169.254.25.58 CiscoSecure ACS
    Under Network Configuration>Proxy Distribution Table
    Character String AAA Servers Strip Account
    Default ciscoacs no Local
    The two questions I have are how to stop the 169.x.x.x address, or why it is being put into the configuration, and how to delete it, as the following error is observed when trying.
    ACS error when trying to delete:
    “Can not Delete AAA Server, AAA Server is a referenced in the Proxy Distribution Table”
    Many Thanks MJ

    Go to,
    Network configuration > Proxy Distribution Table > (Default).
    Swap the entry in this section under the AAA Server and Forward To tables > Submit + Restart.
    Then try to delete 169.x.x.x entry.
    Regards,
    Prem

  • AAA authentication for networking devices using ACS 4.1 SE

    Hi!
    I want to perform AAA authentication for networking devices using ACS 4.1 SE.
    I have Cisco 4500, 6500, 2960, 3750, 3560, ASA, CS-MARS, routers (2821) etc. in my network. I want to have RADIUS-based authentication for them.
    I want telnet, SSH and console attempts to be verified by the RADIUS server, and if ACS goes down then it should fall back to the local enable password.
    For all users I need to have different privilege levels based upon which access will be granted.
    Could you please send me the config that is required on the active devices as well as on ACS!

    Pradeep,
    Are you planning MAC authentication for some users while using EAP for others?
    For MAC authentication, just use the following in your AP.
    aaa authentication login mac_methods group radius
    In your AP, select the radius server for mac authentication. You must have already defined your ACS as a radius server.
    In your SSID configuration, under client authentication settings,
    check "open authentication" and also select "MAC Authentication" from the drop-down list.
    If you want both MAC or EAP, then select "MAC Authentication or EAP" from the dropdown.
    Define the mac address as the username and password in ACS. Make sure the format of the mac is without any spaces.
    You will not need to change anything in XP.
    NOTE: XP normally does not require user authentication if machine has already authenticated but it might behave differently. If it does, I can let you know the registry settings to force the behaviour change.
    HTH

  • Downsides of using Proxy servers as a storage enabled node

    Hello,
    We are doing some investigation on proxy server configuration. I read that "Oracle Coherence recommends it's better to use the proxy server as storage disabled".
    Can anyone explain the downside of using a proxy server as a storage-enabled node?
    Thanks
    Prab

    It seems that I was wrong with my original answer. The proxy uses a binary pass-through mode, so that if the proxy and cache service are using the same serialization format, (de)serialization is largely avoided.
    However, there are other overheads associated with managing potentially unpredictable client workloads, so using a proxy server as a storage-enabled node is still discouraged.
    Thanks,
    Wei

  • Help AAA Servers Database Replication

    Hi Guys,
    I have 2 AAA servers acting as primary/backup.
    Recently we were facing some issues with the backup server, so we upgraded Windows to Windows Server 2008 and reinstalled ACS 4.2.
    Now when I try to replicate everything from primary to secondary, it is not replicating AAA clients. I can see all the groups / users / settings replicated, but there are no AAA clients in Network Configuration.
    Is there any point I am missing in the replication configuration?
    The replication component "Network Configuration Device Tables" is already marked. So what's missing?
    Thanks in advance

    OK, got the answer myself...
    In case anyone faces the same issue in future: just make sure you are using the EXACT SAME versions on both devices. Even a minor version difference will not work.
    I had 4.2.1(15) on the primary and 4.2.0 on the secondary; there were no errors but it still did not work. After upgrading to the same version it worked!

  • Dwcs5.5 "use proxy" wont work, help! no connect to BC

    Hi All, just installed DW 5.5. I'm using Business Catalyst, and most of the time in the office I have to work with the "Use Proxy, as defined in preferences" tick box selected, and all is well. Now when using 5.5 I tick the box and it won't connect, and when I come back to the setting I find it has deselected itself. No matter what I do I can't get the new 5.5 to connect to the BC servers, so at this stage it's kind of useless. Anyone have any ideas?
    cheers
    Laz

    Hi All, sorry for the length of time since a reply, but I do have a resolution, kind of. After posting I attended the Adobe roadshow in Sydney (OZ) and actually got to speak to Greg Rewis about the problem. He tried it out on his version of DW 5.5 and bingo, same problem. He said he would speak to the DW dev team and see about a solution. Well, a long time passed with no update or sign of an answer till DW CS6 came along (I'm lucky the business I work for has an upgrade plan from Adobe). With CS6 installed, all the FTP problems seem to have gone. In fact there seems to have been a major overhaul of the FTP in DW (thank goodness), so I'm guessing that when this fault was added to the list, they were already in the process of the overhaul.
    So good news if you can shell out for the update, not so good if you're stuck on 5.5 (ain't that the world we live in now).
    Cheers all
    Laz

  • How to manage VM servers in DMZ through NAT proxy?

    Dear all,
    We need to build some VM servers in the DMZ network, and the OVM Manager is located in the trust zone (behind the DMZ). The OVM Manager can connect to the DMZ VM servers through a NAT proxy, but there are some errors after I have added the servers.
    In fact, there is no management network for the OVM Manager, so I see no workaround.
    Have you any idea about this deployment?
    Mike

    mtktang wrote:
    "We need to build some VM servers in DMZ network. And the OVM Manager is located in trust zone (behind DMZ). OVM manager can connect to the DMZ vm servers through NAT proxy. But, there are some errors after I have added the servers."
    We do not support Oracle VM Server via NAT, because the Servers get the IP address of the Manager to connect to (and not the NAT'd address). So the API python binding download and notifications will fail. It is very unlikely that this would work.

  • "do not use proxy server for local (intranet) addresses" IEM setting

    Hi, I would like to find out where I can find the following setting in GPO, which used to be found in IEM:
    "do not use proxy server for local (intranet) addresses" Enabled/Disabled
    Currently I'm setting the IE proxy exception list via GPP, and I don't see that option.

    Hi,
    As you noticed, when we use the GPP Internet Settings item to configure bypassed proxy servers, there is no "do not use proxy server for local (intranet) addresses" option in the GPP Internet Settings item. However, as suggested by zanderol24's reply, we can use the "bypass proxy server for local addresses" option under Proxy server to achieve the same function.
    Best Regards,
    Erin

  • WLAN and multiple AAA servers

    Hello,
    Our WLANs are configured with 2 AAA servers. The first authentication server is local, the 2nd authentication server is remote. I noticed that often the 2nd server is used for authentication even if the first server is up and available. It also looks like once authentication is done on the 2nd server it stays there. Is there an option to:
    - define server 1 as the priority for authentication?
    - switch authentication to server 2 when server 1 is not reachable, but switch back to server 1 as soon as server 1 is reachable again?
    Thanks

    Hi,
    I asked the question at CiscoNetworker2008.
    In version 5.0 it will be fixed.
    When the first RADIUS server is reachable again, authentication will be switched back to the first RADIUS server.
    Let's see if this will be confirmed in the release notes...
    Brgds.

  • OWA issue when using proxy

    Hi all,
    First, kindly be informed that I use Exchange 2010 SP3 (I didn't find my version in the list).
    When the internal users try to access OWA using the proxy, they succeed in logging in, but after about 1 minute they are prompted again to enter credentials.
    If they disable the proxy everything works fine.
    We use ISA 2006 as proxy for internal users.
    OWA is hosted on 2 CAS servers (DNS round robin used).

    Hi,
    According to your description, a credential prompt appears after internal users log in to OWA with the proxy enabled. As far as I know, the credential issue is most likely caused by an improper authentication method.
    Could you please check your authentication method for OWA? Based on my research, Integrated Authentication is not suitable for people who are connecting via proxy servers:
    http://exchangeserverpro.com/exchange-server-2010-outlook-web-app-authentication-settings/
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Adding AAAA records to DNS manually (Server Manager doesn't let you add them)

    Using the following webpage http://www.isi.edu/~bmanning/v6DNS.html#named.conf I have been able to get IPv6 name resolution set up, so that clients will use IPv6 for connecting to my server on the LAN when possible (e.g. Mail, iChat, Web).
    This is working well, and the records also display in Server Manager. I have tested add/remove/update on existing records in DNS to make sure the manually added AAAA records don't get wiped out, and they don't.
    NOTE: Put AAAA records above A records. Not sure why, but this prevented a few problems I initially had.
    I haven't had a go at making a reverse lookup zone yet for IPv6, but if/when I do, I shall post here.
    Below is a before -> after of the following files I had to edit, using nano under sudo in Terminal:
    Zone name: test.com
    File: /var/named/zones/db.test.com.zone.apple
    Owner: root:wheel
    *Before AAAA:*
    ;GUID=9ACB60A1-BB9E-496A-BF3F-D23D8BA52DE4
    $TTL 10800
    test.com. IN SOA test.com. admin.test.com (
    2009081800 ;Serial
    86400 ;Refresh
    3600 ;Retry
    604800 ;Expire
    345600 ;Negative caching TTL
    )
    test.com. IN NS test.com.
    test.com. IN A 172.16.0.143
    test.com. IN HINFO "Mac Pro 1.1, 9GB RAM" "Mac OS X Leopard Server 10.5"
    SipuraSPA.test.com. IN A 172.16.0.148
    camera.test.com. IN A 172.16.0.175
    dd-wrt.test.com. IN A 172.16.0.200
    XBMC.test.com. IN A 172.16.0.147
    XBMC.test.com. IN HINFO "Microsoft XBox" "XBox Media Center"
    Office-Mac-mini.test.com. IN A 172.16.0.149
    Office-Mac-mini.test.com. IN HINFO "Mac Mini G4" "Mac OS X Leopard 10.5"
    N95.test.com. IN A 172.16.0.141
    N95.test.com. IN HINFO "Nokia N95 8GB" "Symbian OS"
    switch.test.com. IN A 172.16.0.173
    ucs.test.com. IN A 172.16.0.230
    LinksysPAP.test.com. IN A 172.16.0.152
    wireless.test.com. IN A 172.16.0.131
    trixbox.test.com. IN A 172.16.0.129
    trixbox.test.com. IN HINFO "Dell Precision Workstation" "Trixbox 2.6"
    trixbox.test.com. IN TXT "IP PBX"
    intranet.test.com. IN A 172.16.0.143
    lb._dns-sd._udp IN PTR test.com.
    test.com. IN MX 10 test.com.
    *After AAAA:*
    ;GUID=9ACB60A1-BB9E-496A-BF3F-D23D8BA52DE4
    $TTL 10800
    test.com. IN SOA test.com. admin.test.com (
    2009081800 ;Serial
    86400 ;Refresh
    3600 ;Retry
    604800 ;Expire
    345600 ;Negative caching TTL
    )
    test.com. IN NS test.com.
    test.com. IN AAAA 2002:aaaa:aaaa:0000:0217:f2ff:fe04:35ec
    test.com. IN A 172.16.0.143
    test.com. IN HINFO "Mac Pro 1.1, 9GB RAM" "Mac OS X Leopard Server 10.5"
    SipuraSPA.test.com. IN A 172.16.0.148
    camera.test.com. IN A 172.16.0.175
    dd-wrt.test.com. IN A 172.16.0.200
    XBMC.test.com. IN A 172.16.0.147
    XBMC.test.com. IN HINFO "Microsoft XBox" "XBox Media Center"
    Office-Mac-mini.test.com. IN A 172.16.0.149
    Office-Mac-mini.test.com. IN HINFO "Mac Mini G4" "Mac OS X Leopard 10.5"
    N95.test.com. IN A 172.16.0.141
    N95.test.com. IN HINFO "Nokia N95 8GB" "Symbian OS"
    switch.test.com. IN A 172.16.0.173
    ucs.test.com. IN A 172.16.0.230
    LinksysPAP.test.com. IN A 172.16.0.152
    wireless.test.com. IN A 172.16.0.131
    trixbox.test.com. IN AAAA 2002:aaaa:aaaa:0000:020d:56ff:fe10:deb7
    trixbox.test.com. IN A 172.16.0.129
    trixbox.test.com. IN HINFO "Dell Precision Workstation" "Trixbox 2.6"
    trixbox.test.com. IN TXT "IP PBX"
    intranet.test.com. IN AAAA 2002:aaaa:aaaa:0000:0217:f2ff:fe04:35ec
    intranet.test.com. IN A 172.16.0.143
    lb._dns-sd._udp IN PTR test.com.
    test.com. IN MX 10 test.com.
    I hope this comes in handy for someone.
    Tony

    Tony,
    Be aware that your ;Serial value MUST change if you made changes to the file.
    The <serial-number> directive is a numerical value incremented every time the zone file is altered, to indicate to named that it is time to reload the zone.
    I do not know for sure, but this might be why the data has not been wiped out or otherwise modified by named, or it might have caused or be hiding some of the difficulty you experienced.
    Peter
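The serial check Peter describes, as an added Python example written for this page (not from either poster): it reads the SOA serial from a before and an after copy of a zone file, reports whether the edit bumped it, and proposes the next value in the YYYYMMDDnn convention the zone above uses. The embedded zone snippets are constructed and use a documentation IPv6 prefix.

```python
import re

# The serial is the first number after the opening parenthesis of the SOA record.
SOA_SERIAL = re.compile(r'\bIN\s+SOA\b[^(]*\(\s*(\d+)')
MAX_SERIAL = 2 ** 32 - 1  # SOA serial is a 32-bit unsigned value


def soa_serial(zone_text):
    """Return the SOA serial of a zone file, or raise if no SOA record is present."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def serial_was_bumped(before, after):
    """True only if the edited copy carries a higher serial than the original."""
    return soa_serial(after) > soa_serial(before)


def next_serial(current, today):
    """Next YYYYMMDDnn serial for an edit made on `today` ('YYYYMMDD'); stays monotonic."""
    base = int(today) * 100
    proposed = base if current < base else current + 1
    if proposed > MAX_SERIAL:
        raise ValueError("serial would overflow 32 bits")
    return proposed


# Constructed sample zones: the AAAA record was added but the serial was left unchanged.
BEFORE = """$TTL 10800
example.test. IN SOA example.test. admin.example.test. (
2009081800 ;Serial
86400 ;Refresh
3600 ;Retry
604800 ;Expire
345600 ;Negative caching TTL
)
example.test. IN A 172.16.0.143
"""
AFTER = BEFORE.replace("IN A 172.16.0.143",
                       "IN AAAA 2001:db8::1\nexample.test. IN A 172.16.0.143")

if __name__ == "__main__":
    old, new = soa_serial(BEFORE), soa_serial(AFTER)
    print("serial bumped:", serial_was_bumped(BEFORE, AFTER), "(old %d, new %d)" % (old, new))
    print("suggested serial for today:", next_serial(old, "20090818"))
```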

  • Adding Nexus 5596 to ACS v4.2

    Hi.  Does ACS v4.2 support the addition of the Nexus switches?  We have a few new Nexus devices that have been added to ACS, but cannot be accessed successfully.  A msg re: role based authentication is received.  Do I have to do something special in ACS to support this?
    Nexus 5596 v5.1(3)N2(1)
    Thanks!

    Hi Keely
    Please check the following links about Nexus configuration:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/troubleshooting/guide/n5K_ts_sec.html
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_aaa.html
    ACS should use cisco-av-pair attribute for nexus devices.
    HTH,
    Alex

  • SAP to non-SAP Communication Using Proxy Framwork

    Hi all,
    While searching for the connection options for B2B collaboration between SAP and non-SAP business systems, I found that there are two ways we can do it.
    One using adapters and another using the Proxy Framework.
    In our case we are on SAP Enterprise and the non-SAP business partners are using i2, a legacy system.
    They are not using RosettaNet PIPs, so I cannot use RNIF or any other adapter for the inbound or outbound operation.
    My question is: if we use the proxy framework, what needs to be done on the non-SAP business system? Do we need to install the proxy runtime, and how will this proxy runtime communicate with the application in the non-SAP system?
    Thanks in advance

    Hi Ruby,
    You can use proxies for communicating with ABAP 6.20 systems and above and for J2EE applications.
    For B2B communication you would normally use an adapter for example plain HTTP, SOAP or RNIF ...
    An alternative is to install the XI PCK on the partner side. The PCK is essentially a standalone version of the XI Adapter Engine installed locally at the partner. This enables a scenario where XI communicates with the PCK over HTTP and then an adapter (file, JDBC ...) is used to communicate with the legacy system and vice versa.
    rgds Johan
