Applying Policy map via RADIUS?

Hi all
I have a 7200 VXR router that works as a PPPoE NAS with an Emerald server as the AAA server. I need to traffic-shape my clients' sessions with a profile on my RADIUS server that is associated with a policy map on my router. I know that this can be done using a RADIUS attribute, but I don't know how to configure it. Thanks a lot.

Anyone who can help?

Similar Messages

  • Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

    Hi,
    is there a way to assign a QoS service policy via RADIUS to a Catalyst 4500/3750 switchport?
    in detail, we would like to assign this policy
        policy-map SET_EF
         class class-default
           set dscp ef
    to an interface. All traffic should be marked with a defined DSCP value.
    This works fine when doing it statically with
        interface FastEthernet2/1
             service-policy input SET_EF
    but we would need to assign such a policy via RADIUS during the 802.1x authentication; different users should get different policies. We use Cisco ACS 5.2 as RADIUS server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to a NAS.
    We also found two other attributes, "sub-qos-policy-in" and "ip:sub-qos-policy-in", for that. CCO says that "ip:sub-qos-policy-in" works with the Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523).
    Unfortunately this seems not to work on the Catalyst 45k and 37k.
    In the ACS logs we can see that these attributes are attached to the RADIUS reply, but unfortunately they are ignored by the switch.
    It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed, so to my understanding the switch should understand these attributes (?)
        4503-E#sh aaa attributes
        AAA ATTRIBUTE LIST:
            Type=1     Name=disc-cause-ext                 Format=Enum
            Type=2     Name=Acct-Status-Type               Format=Enum
        <snip>
            Type=345   Name=sub-policy-In                  Format=String
            Type=346   Name=sub-qos-policy-in              Format=String
            Type=347   Name=sub-policy-Out                 Format=String
            Type=348   Name=sub-qos-policy-out             Format=String
    Any input is welcome :-))
    Best regards

    Additionally to this discussion, I've just opened a service request with TAC.
    Unfortunately the engineer told me that for now per-user QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012......

  • Radius accounting for QoS pppoe policy-map

    Hi folks
    I have a RADIUS pushing an AVPAIR ip:sub-qos-policy-out to a virtual template for clients connected to a BRAS through PPPoE.
    The AVPAIR is correctly applied to each and every PPPoE session, but the following link http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/feature/guide/sbbbrs1c.html indicates that I should be able to push back to the RADIUS some traffic info per class-map/policy-map. This would allow some quota stuff and getting some info about traffic used per customer.
    From what I have been able to configure, I'm not getting any of these stats back to the RADIUS.
    the debug radius accounting :
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E):Orig. component type = PPPoE
    *Mar 12 05:29:00.419: RADIUS/ENCODE(0000000E): Acct-session-id pre-pended with Nas Port = 0/0/3/0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Config NAS IP: 0.0.0.0
    *Mar 12 05:29:00.419: RADIUS(0000000E): sending
    *Mar 12 05:29:00.419: RADIUS/ENCODE: Best Local IP-Address 192.168.38.133 for Radius-Server 192.168.38.131
    *Mar 12 05:29:00.419: RADIUS(0000000E): Send Accounting-Request to 192.168.38.131:1813 id 1646/55, len 299
    *Mar 12 05:29:00.419: RADIUS:  authenticator ED 94 CF EE BD 73 30 7E - 93 07 A4 C3 50 A6 03 DE
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Id     [44]  18  "0/0/3/0_00000005"
    *Mar 12 05:29:00.419: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    *Mar 12 05:29:00.419: RADIUS:  Framed-IP-Address   [8]   6   10.10.10.2
    *Mar 12 05:29:00.419: RADIUS:  User-Name           [1]   9   "olivier"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  35
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-tx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  29
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   23  "nas-rx-speed=10000000"
    *Mar 12 05:29:00.419: RADIUS:  Acct-Session-Time   [46]  6   2582
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Octets   [42]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Octets  [43]  6   7232
    *Mar 12 05:29:00.419: RADIUS:  Acct-Input-Packets  [47]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Output-Packets [48]  6   517
    *Mar 12 05:29:00.419: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Status-Type    [40]  6   Watchdog                  [3]
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  15
    *Mar 12 05:29:00.419: RADIUS:   cisco-nas-port     [2]   9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port            [5]   6   50331648
    *Mar 12 05:29:00.419: RADIUS:  NAS-Port-Id         [87]  9   "0/0/3/0"
    *Mar 12 05:29:00.419: RADIUS:  Vendor, Cisco       [26]  41
    *Mar 12 05:29:00.419: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=aabb.cc00.6430"
    *Mar 12 05:29:00.419: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    *Mar 12 05:29:00.419: RADIUS:  NAS-IP-Address      [4]   6   192.168.38.133
    *Mar 12 05:29:00.419: RADIUS:  Ascend-Session-Svr-K[151] 10
    *Mar 12 05:29:00.419: RADIUS:   37 39 38 32 45 41 38 30          [ 7982EA80]
    *Mar 12 05:29:00.419: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Mar 12 05:29:00.419: RADIUS(0000000E): Started 5 sec timeout
    *Mar 12 05:29:00.419: RADIUS: Received from id 1646/55 192.168.38.131:1813, Accounting-response, len 20
    *Mar 12 05:29:00.419: RADIUS:  authenticator A7 0E 79 40 C5 B5 CF DC - 09 46 27 48 52 BE 01 7D
    What I get in the freeradius log :
    Tue Mar 11 22:30:04 2014
            Acct-Session-Id = "0/0/3/0_00000005"
            Framed-Protocol = PPP
            Framed-IP-Address = 10.10.10.2
            User-Name = "olivier"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=10000000"
            Cisco-AVPair = "nas-rx-speed=10000000"
            Acct-Session-Time = 2646
            Acct-Input-Octets = 7428
            Acct-Output-Octets = 7428
            Acct-Input-Packets = 531
            Acct-Output-Packets = 531
            Acct-Authentic = RADIUS
            Acct-Status-Type = Interim-Update
            NAS-Port-Type = Virtual
            Cisco-NAS-Port = "0/0/3/0"
            NAS-Port = 50331648
            NAS-Port-Id = "0/0/3/0"
            Cisco-AVPair = "client-mac-address=aabb.cc00.6430"
            Service-Type = Framed-User
            NAS-IP-Address = 192.168.38.133
            X-Ascend-Session-Svr-Key = "7982EA80"
            Acct-Delay-Time = 0
            Acct-Unique-Session-Id = "523eac6ae326a778"
            Timestamp = 1394602204
            Request-Authenticator = Verified
    user config in the users file on the freeradius server :
    olivier Cleartext-Password := "olivier"
            Service-Type = Framed-User,
            Cisco-AVPair += "ip:addr-pool=pppoepool",
            Cisco-AVpair += "ip:sub-qos-policy-out=TEST"
    I see that the policy map name is pulled correctly from the radius server and applied to the session :
    #sh policy-map session uid 14
     SSS session identifier 14 -
      Service-policy output: TEST
        Class-map: TEST (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
          police:
              cir 8000 bps, bc 1500 bytes
            conformed 0 packets, 0 bytes; actions:
              transmit
            exceeded 0 packets, 0 bytes; actions:
              drop
            conformed 0 bps, exceed 0 bps
        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
    Any input very welcome

    Cisco server is working fine. When you use non-standard or non-RFC requests from your NAS to the AAA server, for instance, you have to configure your server accordingly to instruct it how to handle this kind of request.
    This is typically done with something called a "dictionary", which should be included in your RADIUS server. The server typically decodes all RFC 2865 VSAs (or should), but when a new NAS model is introduced into the network, you can modify it to add any VSAs not appearing in the dictionary, which is your case.
    As an example, imagine you want to change the attribute cisco-vsa-port-string to tagged-string; your dictionary will look something similar to:
    And finally you will have to modify it with a text editor or XML editor and change type="tagged-string", supposing your device complies with RFC 2868. Probably the AAA server will have to be restarted for taking these changes into account.
    Also, since this applies to all devices for this vendor, you've got one more option, which is to define your own dictionary for a specific vendor, or even, if you wish, for a specific NAS or group of NASes.
    In NavisRadius you could associate a dictionary to a device by adding a client-class:
    # Client-IP Client-Secret Client-Class
    10.0.0.1 secret taos-old
    And then specifying the dictionary later in client_properties for this device:
    # This file contains information about client classes # and is used to set per-client specific information.
    # TAOS Devices in OLD mode with RFC conflicts
    taos-old
    Client-Dictionary=max_dictionary
    # Other devices now, etc.
    Hope it helps
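The debug output above shows how the policy-map name travels on the wire: a Vendor-Specific attribute (type 26) carrying Cisco's vendor id 9 and a sub-attribute of type 1 (cisco-avpair) whose string is "ip:sub-qos-policy-out=TEST". The following Python is an added example, not code from the post or from Cisco, that encodes and decodes that attribute layout; the function names are mine, the sample avpair strings are the ones visible in the debug and users file, and the lengths it checks (35 and 29 for "connect-progress=LAN Ses Up") are the ones printed by `debug radius`. It also answers the first post's question about which attribute the NAS expects for a per-session QoS policy.

```python
"""Encode/decode RADIUS Cisco-AVPair (vendor 9, sub-type 1) attributes.
Added example; all names below are this example's own, not a library API."""
import struct

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
VENDOR_CISCO = 9            # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # Cisco VSA sub-type "cisco-avpair"


def encode_cisco_avpair(value: str) -> bytes:
    """One Vendor-Specific attribute carrying a cisco-avpair string.
    Wire layout: type(26) len | vendor-id(4) | sub-type(1) sub-len | value."""
    payload = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", VENDOR_CISCO) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def iter_attributes(blob: bytes):
    """Yield (type, value) over a run of RADIUS attributes (the bytes after
    the 20-byte packet header). Length fields are validated before use so a
    malformed packet raises instead of being silently mis-parsed."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        yield atype, blob[i + 2:i + alen]
        i += alen


def cisco_avpairs(blob: bytes) -> list:
    """Collect every cisco-avpair string found in the attribute run."""
    out = []
    for atype, val in iter_attributes(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != VENDOR_CISCO:
            continue
        j = 4                      # walk the sub-attributes after the vendor id
        while j + 2 <= len(val):
            stype, slen = val[j], val[j + 1]
            if slen < 2 or j + slen > len(val):
                raise ValueError("bad vendor sub-attribute length")
            if stype == CISCO_AVPAIR:
                out.append(val[j + 2:j + slen].decode("ascii", "replace"))
            j += slen
    return out


def qos_policies(avpairs) -> dict:
    """Map "[ip:]sub-qos-policy-in=NAME" / "-out=NAME" pairs to {"in": NAME, "out": NAME}.
    Other avpairs (address pools, ACLs, ...) are ignored."""
    result = {}
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key.startswith("ip:"):
            key = key[3:]
        if key in ("sub-qos-policy-in", "sub-qos-policy-out"):
            result[key.rsplit("-", 1)[1]] = val
    return result


if __name__ == "__main__":
    # Constructed Access-Accept attribute run mirroring the users-file entry above.
    accept = (encode_cisco_avpair("ip:addr-pool=pppoepool")
              + encode_cisco_avpair("ip:sub-qos-policy-out=TEST"))
    print(cisco_avpairs(accept))           # both avpair strings
    print(qos_policies(cisco_avpairs(accept)))   # {'out': 'TEST'}
    # The accounting debug printed "Vendor, Cisco [26] 35" / "Cisco AVpair [1] 29":
    acct = encode_cisco_avpair("connect-progress=LAN Ses Up")
    print(len(acct), acct[1], acct[7])     # 35 35 29
```

A dictionary entry on the server (the point of the reply above) only changes how the server names and prints the attribute; the bytes the NAS sees are exactly this layout, which is why a misspelled avpair key is accepted by the server yet silently ignored by the router.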

  • Authentication via RADIUS : MSCHAPv2 Error 691

    Hello All,
    I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request messages are in fact getting to the RADIUS server, at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
    Event ID: 6273
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID: NULL SID
        Account Name: real_username
        Account Domain: real_domain
        Fully Qualified Account Name: real_domain\real_username
    Client Machine:
        Security ID: NULL SID
        Account Name:
        Fully Qualified Account Name:
        OS-Version:
        Called Station Identifier:
        Calling Station Identifier:
    NAS:
        NAS IPv4 Address: 10.0.0.10
        NAS IPv6 Address:
        NAS Identifier: radius1.real_domain
        NAS Port-Type:
        NAS Port: 101451540
    RADIUS Client:
        Client Friendly Name: sbc1mgmt
        Client IP Address: 10.0.0.10
    Authentication Details:
        Connection Request Policy Name: SBC Authentication
        Network Policy Name:
        Authentication Provider: Windows
        Authentication Server: RADIUS1.real_domain
        Authentication Type: MS-CHAPv2
        EAP Type:
        Account Session Identifier:
        Logging Results: Accounting information was written to the SQL data store and the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    Event ID: 4625
    An account failed to log on.
    Subject:
        Security ID: SYSTEM
        Account Name: RADIUS1$
        Account Domain: REAL_DOMAIN
        Logon ID: 0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: real_username
        Account Domain: REAL_DOMAIN
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xC000006D
        Sub Status: 0xC000006A
    Process Information:
        Caller Process ID: 0x2cc
        Caller Process Name: C:\Windows\System32\svchost.exe
    Network Information:
        Workstation Name:
        Source Network Address:
        Source Port:
    Detailed Authentication Information:
        Logon Process: IAS
        Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:
        Package Name (NTLM only):
        Key Length: 0
    This event is generated when a logon request fails. It is generated on the computer where access was attempted.
    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
    The Process Information fields indicate which account and process on the system requested the logon.
    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure it is not a mismatched password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there were no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
    Here are the specs for our RADIUS configuration:
    Windows Server 2012 R2
    SQL Server 2012 Back End Database for accounting.
    The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group, and that group does have access to the accounts we are testing with.
    The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
    RADIUS clients are configured to simply match on the IP address; you can see from the events above that it is applying the client friendly name.
    Connection Request Policy: The "SBC Authentication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
    Network Policy: As seen in the events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any time, any day.
    The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override the authentication method of the Network Policy.
    We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
    All other configurations are set to the defaults.
    The only other thing of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons, but given that this issue is stating an invalid username or bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think this should matter but thought I would point it out in case there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
    All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this to; I figured there would be a higher number of RADIUS experts here than in any of the other categories. Apologies if my understanding of this seems a bit basic; after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

    Update 1:
    In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
    Multiple Domains
    I have now tried this in 3 different isolated domains: both our test and production domains as well as my private home domain, which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same results described above.
    VPN Service
    Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN, and if that worked we would know the issue is with the SBCs. However, before we could even configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as on the RADIUS servers, the client machine being a Windows 8.1 workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead of MSCHAPv2.
    FreeRADIUS
    Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however are as follows:
    (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
    (1) mschap : External script failed.
    (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
    (1) ERROR: mschap : MS-CHAP2-Response is incorrect
    The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers, which was (0xc000006a). From this document you can see what these codes mean: NTSTATUS values. The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers; I still wonder if there is a computation error with the challenge responses though.
    Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

  • Question on the Apple Policy Payment

    Hello all,
    I'm an iPhone apps dummy. I really don't know about the terms and conditions from Apple.
    A company I work with is considering creating an e-commerce service app for iPhone users. My concern is: will Apple/iTunes charge us when a customer buys our product? Is there any way to avoid the 30% payment charge from Apple?
    If I use a web-based 3rd-party payment gateway direct to our own website, will Apple remove our iTunes app?
    Another issue is whether Apple will allow top-up via iPhone apps; I don't want to get into the complications with the iPhone apps payment policy. Example: the customer tops up credit on our website, then buys our product using that credit in the iPhone app. Will that be legal?
    Please send me the link to the Apple policy regarding e-commerce payment. Thanks so much... I'm dying to find the policy on the Apple site.

    Why can't I post my question on the Apple website?
    Uh, you did just post a question on the Apple website...
    Is this a regular credit card you get a bill for?
    Not a prepaid card?
    Did you recently get a new card?
    See this -> https://support.apple.com/en-us/HT203208

  • Using ISE guest store via RADIUS

    I have a question concerning the guest store on the ISE.
    I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
    On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
    Has anyone already implemented a similar solution or any idea how to access the guest store?
    Thanks
    Thomas

    I just created a simple setup and tested the login.
    It doesn't work with a user created as a guest account.
    If I create the user in the normal internal identity store it works fine.
    Might there be a difference between ISE Versions?
    We are currently using Version 1.1.0.665 on a VM for testing purpose.
    This is what the details show:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24206  User disabled
    22057  The advanced option that is configured for a failed authentication request is used
    22061  The 'Reject' advanced option is configured in case of a failed authentication request
    11003  Returned RADIUS Access-Reject
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - Internal Users
    24210  Looking up User in Internal Users IDStore - tuser001
    24212  Found User in Internal Users IDStore
    22037  Authentication Passed
    Evaluating Authorization Policy
    15004  Matched rule
    15016  Selected Authorization Profile - Guest
    11022  Added the dACL specified in the Authorization Profile
    11002  Returned RADIUS Access-Accept

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip adresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would like to know the best way to redirect HTTP traffic to the right server.
    My idea is to map a public address to a private address via NAT, but I'm not sure about the configuration. I could also redirect via policy-map and filter by URL content.
    So if you have some advise for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand, you want first that if somebody goes to A.local.com from the internet, he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1, and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1 
    ip nat inside
    interface serial0/0
     ip nat outside
    ip nat inside source static 192.168.1.10 172.1.2.3 
    This is the static mapping from local to public.
    I suppose you have done the DNS mapping in your network and the ISP has done the same in his network.
    ip route 171.1.2.3 interface serial0/0 
    or 
    ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the HTTP or HTTPS protocol, on your ISP side and afterwards on your local network,
    like
    ip access-list extended ACL_WebServer1
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ip access-group ACL_WebServer1 in
     no shut
    exit
    That is the first step. 
    Second step: you want to filter traffic by URL, which means layer 5 to 7 filtering.
    I am not sure that it is possible using a Cisco router (ZBF + regex).
    Check the first step and let us know ! 
    Please rate and mark as correct if it is the case. 
    Regards,

  • Policy-map going into suspended mode over a GRE

    Hi
    I have a GRE tunnel over another GRE tunnel. When I apply a nested policy on the child GRE, the policy map does not attach; what is the cause? The show policy-map int Tux/x showed that it is suspended. I am not making a breakthrough here. The hardware platform is ASR 1001.
    Thanks
    Don

    Download RecBoot. You can kick it out of recovery mode with that. You may have an underlying issue though causing that. A restore may be in order.

  • Can you add one L3-class to two different policy maps ?

    Hi Experts;
    Requirement is to have requests from outside as well as from inside, from a different VLAN server, to our Production Servers. At present all requests are coming from the inside VLAN via policy-map multi-match L3_XYZ. See example below
    policy-map multi-match L3_XYZ
    class L3_PROD
       loadbalance vip inservice
       loadbalance policy L7_PROD
       loadbalance vip icmp-reply active
    policy-map multi-match L3_OUTSIDE
    class L3_PROD
       loadbalance vip inservice
       loadbalance policy L7_PROD
       loadbalance vip icmp-reply active
    Many thanks
    Regards

    Hi Hidayat
    Yes, a class map alone doesn't have any deep meaning and can be reused in many policy maps. Actually policy maps can be reused too, so in your particular example you can put the same policy map on 2 different interfaces. (Sometimes it's a good idea, if requirements are the same for traffic coming from both interfaces; if requirements are different, it's better to create a new one, but the class-map definitely can be reused.)

  • QoS Atm subinterface to Internet Policy Map Help

    I have a 40 Mbps connection to the Internet via a 7200 router using ATM UBR. I have been trying to design a strict priority class for a particular subnet, then a 1 percent Scavenger class, with the rest being class-default with fair-queue and random-detect.
    I can build the classes and policy maps, yet the service-policy will not allow an inbound or outbound placement on the sub-interface. Any help on this would be most appreciated.
    Thanks
    Jason

    That's correct: CBWFQ or LLQ is not supported on a PVC configured with the UBR ATM class of service. Because of the nature of UBR service, there is no guarantee that any traffic will get through; the actual traffic rate can be anything.
    Some documentation mentions that this is not supported; here is one for the 12.4T train:
    "CBWFQ is supported on variable bit rate (VBR) and available bit rate (ABR) ATM connections. It is not supported on unspecified bit rate (UBR) connections."
    http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/congstion_mgmt_oview_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1001237
    Regards,
    Raphael

  • Policy map rules

    I read that "Only one policy map can be applied to a specific interface". What if you are already using the default policy map and want to create one for your AIP-SSM and one for the current ACL?

    The default policy map is the "global" policy-map. If you want to send the traffic on all interfaces through the SSM module, you don't need to create a new policy-map; you only need to create the class matching the traffic you need to send via the SSM module. Then you can include this class also in the policy-map applied globally.
    With the above said, assuming you have the default policy-map config, I would implement the following commands to divert all traffic via the SSM module:
    access-list ips-acl permit ip any any
    class-map ips-class
     match access-list ips-acl
    policy-map global_policy
     class ips-class
      ips inline fail-open
    Thus final policy-map configuration would look like:
    policy-map global_policy
     class inspection_default
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
     class ips-class
      ips inline fail-open
    service-policy global_policy global
    Alternatively, I can apply the ips class to an altogether new policy-map, but I can't apply this policy-map globally. I can apply the new policy-map to a particular interface though.
    Hope that helps.
    Regards,
    Vibhor.

  • Is there a policy map difference from 8.0 to 9.0?

    We have been testing blocking a few select websites (no web filtering yet) with some of our smaller locations' ASAs. Following the document at:
    https://supportforums.cisco.com/docs/DOC-1268
    I have been successful at sites which run ASAs with version 8.0 of the IOS on them, but not with 9.0. With 9.0(2) it appears that when you institute the policy map to make it take effect, it blocks all web traffic, not just the ones specified.
    So, I guess I'm asking, is there that large of a difference between 8.0 and 9.0 that would cause this to no longer work properly?

    You went to the same page I did 7 hours ago. Use the "FILES TYPE EDIT" solution and follow almost all of the instructions. Edit FIREFOX URL, HYPERTEXT TRANSFER PROTOCOL and HYPERTEXT TRANSFER PROTOCOL WITH PRIVACY. It isn't necessary to take the step of unchecking the "DDE BOX"; just follow the instructions to delete the characters in the "DDE Message Box" and the problem is fixed. If you uncheck the "DDE BOX", as instructed, it may come back to bite you.
    Thank you for helping,
    Sel Warren

  • Disk format GPT and Apple Partition Map  Upgrade questions

    I was told that, on switching to the new computer with Snow Leopard, I would need to reformat my drives from my G5 from Apple Partition Map (APM) to GPT (GUID Partition Table) to get Time Machine to work (see http://discussions.apple.com/thread.jspa?threadID=2706634&tstart=0):
    <<Intel Macs boot to either, but PPC Macs only boot to APM. The Intel Mac software (OS) installer only wants to install and update to GPT, so if you want to use existing drives to install OS X SL to, you will need to reformat the drive.>>
    Disk Utility is only giving me Mac OS Extended options, which I thought was my drive format already. So what do I do now? Do I erase those drives, or what? I'd rather not if I don't need to.

    Hi-
    The Erase window only offers the formatting scheme.
    The Partition Tab offers the selection of GPT or APM partitioning scheme.
    You don't have to partition beyond one partition if you don't want to.
    Just make sure GPT is selected and then apply.

  • Can I keep my Lightroom 3 catalog on a PowerMac hard drive with Apple Partition Map

    I want to keep my LR3 catalog on a HD in my Power Mac (Intel chip) that I had formatted and used to store my pre-LR3 photo folders on my G5 tower. The 1TB drive is half full, and was formatted as an Apple Partition Map. On swapping the drive into an empty bay in my Power Mac, I can open photos saved on the drive, although I can't seem to rename them. I created my brand new LR3 catalog on the drive as well, but haven't done anything other than import the LR3 catalog I had already created and exported from my MacBook. Other than the drive not being bootable on my Intel Power Mac, are there any risks to managing my LR3 catalog from this drive? Or should I only keep my LR3 catalog on a GUID partitioned drive?
    This HD is not of course my startup drive, but only to be used to store my photos.

    Oops, I should have used "Mac Pro" to describe my Intel machine, not "Power Mac"

  • IKEv2 AnyConnect and Pool allocation via RADIUS

    I have configured a CSR1000V (03.09.00a.S.153-2.S) for AnyConnect with IKEv2. I am storing the username and IKEv2 authorization policy on the RADIUS server. Clients are dropped into their own iVRFs through RADIUS attributes passed back to the NAS.
    E.g. in FreeRADIUS (2.1.12), the following is defined (home is the 'group') in username@group format:
    home          Cleartext-Password := "cisco"
                  Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
                  Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
                  Framed-Pool = "CUST-A-POOL"
    matt@home     Cleartext-Password := "test123"
    Group and user authorization information is then merged and cloned onto the virtual template:
    crypto ikev2 name-mangler EXTRACT-GROUP
     eap suffix delimiter @
    crypto ikev2 profile FlexVPN-IKEv2-Profile-1
     match fvrf IPSEC-FVRF
     match identity remote key-id FlexAnyConnect
     identity local dn
     authentication remote eap query-identity
     authentication local rsa-sig
     pki trustpoint cacert.org
     dpd 60 2 on-demand
     aaa authentication eap FlexVPN-AuthC-List1
     aaa authorization group eap list FlexVPN-AuthZ-List-1 name-mangler EXTRACT-GROUP
     aaa authorization user eap cached
     virtual-template 1
    interface Virtual-Template1 type tunnel
     no ip address
     tunnel mode ipsec ipv4
     tunnel vrf IPSEC-FVRF
     tunnel protection ipsec profile FlexVPN-IPsec-Profile-1
    However, it appears that the RADIUS attribute specifying the pool is ignored; I can see the RADIUS attribute (IETF 88) passed back to the NAS in the RADIUS debugs:
    *Aug 16 21:36:39.384 BST: RADIUS:  Framed-IP-Pool      [88]  13  "CUST-A-POOL"
    However, the crypto debugs state that an IP address cannot be assigned:
    *Aug 16 21:36:39.435 BST: IKEv2:Failed to allocate IP addr
    <snip>
    Payload contents:
    AUTH NOTIFY(INTERNAL_ADDRESS_FAILURE)
    If the Framed-Pool is removed and a Framed-IP-Address defined instead for the user, then the address is assigned. The CUST-A-POOL is defined locally on the NAS. Is there anything I am missing? Can any more detailed debugs be generated?
    Cheers,
    Matt

    Marcin,
    Thank you for your response; sending "ipsec:addr-pool" does work. I did a bug scrape, but didn't find this (if I try to view it in the new Bug Tool, I get "Insufficient Permissions to View Bug"), but it was possible to paste the Bug ID into the old Bug Toolkit to get the detail.
    As an aside, I also found that "include-local-lan" doesn't appear to work with IKEv2 AnyConnect and isn't likely to be fixed; according to CSCud65859, the workaround is to use split-tunneling ("ipsec:route-set=prefix prefix/len").
    Cheers,
    Matt
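    The FreeRADIUS group entry as the thread's resolution implies it, written here as an added example (not Matt's or Marcin's own configuration): the IETF Framed-Pool attribute that IOS FlexVPN ignored is replaced by the ipsec:addr-pool Cisco-AVPair. The `ipsec:addr-pool=<pool>` value syntax is assumed from the thread, and the 10.0.0.0/8 prefix in the optional route-set line is a constructed placeholder.

```text
# FreeRADIUS 2.x "users" file, group entry "home" (added example, not from the thread).
#
# Failing variant: Framed-Pool (IETF 88) is sent and shows up in "debug radius",
# but IOS FlexVPN does not use it, so IKEv2 logs "Failed to allocate IP addr"
# and the client receives NOTIFY(INTERNAL_ADDRESS_FAILURE):
#
# home          Cleartext-Password := "cisco"
#               Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
#               Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
#               Framed-Pool = "CUST-A-POOL"

# Working variant: the pool name travels as a Cisco-AVPair in the ipsec: namespace
# (value syntax assumed). CUST-A-POOL itself stays defined locally on the NAS.
# The last line is the CSCud65859 split-tunnel workaround for include-local-lan;
# 10.0.0.0/8 is a constructed placeholder prefix.
home          Cleartext-Password := "cisco"
              Cisco-AVPair += "ip:interface-config=vrf forwarding CUST-A",
              Cisco-AVPair += "ip:interface-config=ip unnumbered loopback100",
              Cisco-AVPair += "ipsec:addr-pool=CUST-A-POOL",
              Cisco-AVPair += "ipsec:route-set=prefix 10.0.0.0/8"

# Per-user entry; the name-mangler "eap suffix delimiter @" maps matt@home to group "home".
matt@home     Cleartext-Password := "test123"
```

After the change, "debug radius" should show the Cisco-AVPair values in the Access-Accept rather than Framed-IP-Pool [88], and the IKEv2 CONFIG_REPLY should carry an address from CUST-A-POOL.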
