ASA 5585-X TACACS+/RADIUS Server

All,
Can the ASA 5585-X's act as a AAA TACACS+ and/or RADIUS server for network infrastructure devices?
I've used Cisco Secure ACS for TACACS and RADIUS AAA..
My client has ordered a bunch of them.   They don't have an AAA solution and were just told they will need to implement AAA on network infrastructure devices.
Thanks for any information.
Stephanie

Adding to Jan's correct answer.
The current Cisco RADIUS offerings are either the ACS product (RADIUS and TACACS+) or Identity Services Engine (ISE - RADIUS only). Both are offered in both appliance and VM formats.
Beside NPS on Windows server, there are also open source projects of both RADIUS and TACACS servers available.

Similar Messages

  • Programming tacacs &radius server-keys ?

    I'm having an issue programming the tacacs & radius server-keys. I'm not sure if I missed a step or my use of the syntax. I appreciate any help you can provide. It's a first time for me and I'm attempting to duplicate an existing switch which states server-key 7 <removed>. 
    Thanks
    Roy

    Roy
    I can appreciate that the first time doing this can seem daunting. But it really is not so difficult when you get right down to it.
    The first thing to understand is that in the existing config the key has already been encrypted for storage on the switch. So what you see in the running config is crypto text and not really the exact key.
    You have two options in how to configure your new switch:
    - you could cut and paste the server key from the existing config to the new switch. So you would be inputting the type 7 encrypted key directly to the new switch.
    - you could manually configure the key on the new switch. In this case you would configure
    server-key <key_value>
    where <key_value> is the clear text key to use. If you do this, and assuming that you have configured service password-encryption, then the switch will take the clear text key and will encrypt it for storage on the new switch.
    HTH
    Rick

  • Leap, tacacs+/radius fixed ip (pool)

    dear,
    Is there a way while using leap & mobile ip technology to make it happen when a users becomes associated to an ap (proxy mobile) he always obtains an ip adres from a predefined pool or just one personal ip-adress which we define on our tacacs+/radius server without it having configured statically on the user's computer.
    Purpose is for some external consultants browsing around our wireless network, to home them in a segment behind our firewall using mobile ip, but giving the person an ip-adres based on his credentials (tacacs+/radius server) so based on that we can buld a rulebase on our firewall and allow only restricted access to intra or internet. So what we want is actually a user-to-ip mapping without need to configure it on computer or authenticate multiple times. We have something similar with dial-in routers, but I don't find any documentation if we could do something similar with our wireless infrastructure.
    Any hints or info would be helpfull.
    H.

    No, this can't work - you can't use RADIUS to tell an AP which IP address to give to which client, because the AP is not directly involved in assigning layer 3 addresses to clients. It is (basically) only a layer 2 device.

  • Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

    Hello,
    I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
    the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
    The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
    So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
    Please advise.  And providing links to cisco documentation would be great too.
    Thanks,
    Brendan

    Hi Berendan,
    Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
    About Authorization
    Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
    •Management commands
    •Network access
    •VPN access
    Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
    If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
    The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
    Regards
    Karthik

  • Integrating AAA Radius-server with Micro-soft IAS for SSH

    Hi,
    I am configuring aaa-server on ASA-5505(Radius) and i am Using microsoft IAS for authentication for SSH connections on ASA, so during " test aaa-server authentication " i getting this message
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    All users are there on active  directory  And below are the debug radius and debug aaa authentication.
    ASA# test aaa-server authentication SSH-TULIP-ASA host 172.16.1.10 usern$
    INFO: Attempting Authentication test to IP address <172.16.1.10> (timeout: 12 seconds)
    radius mkreq: 0xd4
    alloc_rip 0xd83bb99c
        new request 0xd4 --> 124 (0xd83bb99c)
    got user 'praveeny'
    got password
    add_req 0xd83bb99c session 0xd4 id 124
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)
    Raw packet data (length = 66).....
    01 7c 00 42 37 a4 0d c2 d3 10 09 0e 2f 3c c5 1a    |  .|.B7......./<..
    4b 28 41 e6 01 0a 70 72 61 76 65 65 6e 79 02 12    |  K(A...praveeny..
    a1 8f e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    04 06 ac 1e 1e 06 05 06 00 00 00 0e 3d 06 00 00    |  ............=...
    00 05                                              |  ..
    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 124 (0x7C)
    Radius: Length = 66 (0x0042)
    Radius: Vector: 37A40DC2D310090E2F3CC51A4B2841E6
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    70 72 61 76 65 65 6e 79                            |  praveeny
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    a1 8f ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch
    Tulip-ASA# e1 ae 58 dd c2 52 d6 37 f7 32 13 3a 1c 71    |  ....X..R.7.2.:.q
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 172.30.30.6 (0xAC1E1E06)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    send pkt 172.16.1.10/1645
    rip 0xd83bb99c state 7 id 124
    rad_vrfy() : bad req auth
    rad_procpkt: radvrfy fail
    RADIUS_DELETE
    remove_req 0xd83bb99c session 0xd4 id 124
    free_rip 0xd83bb99c
    radius: send queue empty
    Thanks in advance all comments and suggestion are welcome
    Regards,
    Praveen

    Hi,
    RADIUS as a protocol does not support command accounting, ie., logging of commands that a users enters once authenticated to a router/switch. You will need to use TACACS+ for this purpose. The aaa command accounting commands that you used has been removed from IOS since 12.2T. Please take a look at this for details: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdp57020.
    Thanks,
    Wen

  • Can't authenticate Mac VPN client from RADIUS server

    Hello,
    I'm a real noob here so please bear with me.
    I have been able to configure my PIX 515E to allow VPN connections onto my network, but what I need to do is set up some sort of user authentication to control access at a user level. From what I've read here and in the Configuration Guide I should be able to do this authentication with a RADIUS server. I'm running a Corriente Networks Elektron Security server which has RADIUS server capabilities. It is running on my (inside) interface at IP 192.168.10.26.
    I thought that I had everything configured properly but it never seems to authenticate. I connect, the XAUTH window pops up, I add my username and password as it's configured on my RADIUS server, but when I click OK it just cycles the progress bar at the bottom and eventually times out. The client log doesn't show me anything and the log on the RADIUS server shows me nothing. Any ideas? this seems like it should be simple because I can connect until I attempt to authenticate to the RADIUS server.
    TIA for any direction you can provide me.
    Christine

    If it helps, here is my config with a some of the non-related bits deleted:
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet2 auto
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 DMZ security50
    enable password ********* encrypted
    passwd ******* encrypted
    hostname pixfirewall
    domain-name acme.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol http 80
    fixup protocol http 82
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.26 192.168.10.192 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip host 192.168.10.69 192.168.10.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.0
    access-list outside_cryptomap_dyn_40 permit ip any 192.168.10.192 255.255.255.224
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip address outside 207.XXX.XXX.130 255.255.255.0
    ip address inside 192.168.10.1 255.255.255.0
    ip address DMZ 192.168.100.1 255.255.255.0
    multicast interface inside
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool CBI_VPN_Pool 192.168.10.201-192.168.10.220
    pdm location 192.168.10.50 255.255.255.255 inside
    pdm group CBI_Servers inside
    pdm logging warnings 100
    pdm history enable
    arp timeout 14400
    global (outside) 200 interface
    global (DMZ) 200 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 200 192.168.10.0 255.255.255.0 0 0
    static (inside,outside) 207.XXX.XXX.150 192.168.10.27 netmask 255.255.255.255 0 0
    static (inside,outside) 207.XXX.XXX.132 192.168.10.26 dns netmask 255.255.255.255 0 0
    access-group 100 in interface outside
    route outside 0.0.0.0 0.0.0.0 207.XXX.XXX.129 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server radius-authport 1812
    aaa-server radius-acctport 1812
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 192.168.10.26 ************* timeout 10
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.10.3 255.255.255.255 inside
    no floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication RADIUS
    crypto map outside_map interface outside
    crypto map inside_map interface inside
    isakmp enable outside
    isakmp nat-traversal 3600
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup Test_VPN address-pool CBI_VPN_Pool
    vpngroup Test_VPN dns-server 142.77.2.101 142.77.2.36
    vpngroup Test_VPN default-domain acme.com
    vpngroup Test_VPN idle-time 1800
    vpngroup Test_VPN authentication-server RADIUS
    vpngroup Test_VPN user-authentication
    vpngroup Test_VPN user-idle-timeout 1200
    vpngroup Test_VPN password ********
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.10.100-192.168.10.254 inside
    dhcpd dns 142.77.2.101 142.77.2.36
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside

  • Radius server issue

    Hello all,
    I have configured a radius server on my sbs2008 server.  I am able to test it from the ASA successfully, however when I try to login with the Anyconnect client I get a login failed.  When I check the logs I see that the VPN is trying to authenitcate against the Local database and not my RADIUS server evern though I have authentication-server-group set.  I have also restarted the asa thinking that was the issue.  
    Here is my config:
    webvpn
    port 444
    enable outside
    svc image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    svc enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy OAC internal
    group-policy OAC attributes
    wins-server value 192.168.2.2
    dns-server value 192.168.2.2
    vpn-tunnel-protocol svc webvpn
    group-lock value OAC
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value OAC
    default-domain value OAC.LOCAL
    tunnel-group OAC type remote-access
    tunnel-group OAC general-attributes
    address-pool vpnpool
    authentication-server-group OAC
    default-group-policy OAC
    Thank you for any help,
    Leon

    Leon,
    Looks like your connection is falling on DefaultWebvpn tunnel group. You need to define group list so as to choose
    OAC as tunnel group for connection. Here is what needs to be configured:
    webvpn
    tunnel-group-list enable
    tunnel-group OAC webvpn-attributes
    group-alias OAC enable
    Users will connect to correct OAC tunnel group to get authentocated from radius server.
    Regards,
    Varinder
    P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users

  • VPN Tunnel w/ 802.1X port authentication against remote RADIUS server

    I have a Cisco 892 setup as a VPN client connecting to an ASA 5515-X.  The tunnel works fine and comes up if theirs correct traffic.  I have two RADIUS servers I want to use certificate based authentication to, that are located behind the ASA 5515-X.
    If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work.  I'll see the following.  This happens even if the VPN tunnel is established already by doing something such as connecting a VOIP phone.  No entrys are located in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
    *Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
    *Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
    If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly.  In this situation, I can ping the RADIUS servers from VLAN10.  If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled such as port FA0 through 3, then 802.1X will suceed.
    Current configuration : 6199 bytes
    ! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname router1
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa local authentication default authorization default
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa session-id common
    clock timezone EST -5 0
    clock summer-time EDT recurring
    ip cef
    ip dhcp pool pool
    import all
    network 192.168.28.0 255.255.255.248
    bootfile PXEboot.com
    default-router 192.168.28.1
    dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
    domain-name domain.local
    option 66 ip 192.168.23.10
    option 67 ascii PXEboot.com
    option 150 ip 192.168.23.10
    lease 0 2
    ip dhcp pool phonepool
    network 192.168.28.128 255.255.255.248
    default-router 192.168.28.129
    dns-server 192.168.26.10 192.168.1.100
    option 150 ip 192.168.1.132
    domain-name domain.local
    lease 0 2
    ip dhcp pool guestpool
    network 10.254.0.0 255.255.255.0
    dns-server 8.8.8.8 4.2.2.2
    domain-name local
    default-router 10.254.0.1
    lease 0 2
    no ip domain lookup
    ip domain name remote.domain.local
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO892-K9
    dot1x system-auth-control
    username somebody privilege 15 password 0 password
    redundancy
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 5
    crypto isakmp key secretpassword address 123.123.123.123
    crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto map pix 10 ipsec-isakmp
    set peer 123.123.123.123
    set transform-set pix-set
    match address 110
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet1
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet2
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet3
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet4
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    switchport access vlan 12
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    switchport access vlan 10
    switchport voice vlan 11
    no ip address
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    interface FastEthernet8
    no ip address
    shutdown
    duplex auto
    speed auto
    interface GigabitEthernet0
    ip address dhcp
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map pix
    interface Vlan1
    no ip address
    interface Vlan10
    ip address 192.168.28.1 255.255.255.248
    ip nat inside
    ip virtual-reassembly in
    interface Vlan11
    ip address 192.168.28.129 255.255.255.248
    interface Vlan12
    ip address 10.254.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 101 interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 dhcp
    ip radius source-interface Vlan10
    ip sla auto discovery
    access-list 101 deny   ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 101 permit ip 192.168.28.0 0.0.0.255 any
    access-list 101 permit ip 10.254.0.0 0.0.0.255 any
    access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
    access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
    radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
    radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line vty 0 4
    transport input all
    ntp source FastEthernet0
    ntp server 192.168.26.10
    ntp server 192.168.1.100
    end

    I have 802.1X certificate authentication enabled on the computers.  As described in my post above, authentication will work if theirs another device on the same VLAN that is connected to a port that bypasses authentication.  It seems like I have a chicken and egg scenario, a device needs to be sucessfully connected to VLAN10 before the router will use it's VLAN10 interface to communicate with my remote RADIUS server.

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
    thanks !!!

    WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
    Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
    WPA and WPA2 are actually are of 2 types respectively.
    WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
    WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
    There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • New command for radius-server source-ports

    I am trying to find the new command fro radius-server source-ports 1645-1646 since it appears to be depricated.  We use tacacs so we do not have the radius server specified but we do need to put in the ports.  Can someone please tell me the new command for radius-server source-ports?
    Thanks

    Both of the links that Peter posted are interesting and helpful. I would like to take a slightly different approach in answering your question.
    In every version of IOS there are certain commands that get inserted into running-config when a particular feature is activated. It looks like in your version the radius-server source-ports is one of those commands. I do not think it is anything that you should be concerned about.
    And I do not believe that having the radius-server source-ports command would prevent TACACS from working. I believe that there is likely to be some fault in your configuration. If you would post the aaa parts of the config then maybe we could see what the problem is.
    In my experience configuring aaa some of the common problems include not correctly identifying the TACACS server, not having exactly the same key configured on the Cisco device and the TACACS server, not having connectivity to the TACACS server (can the Cisco device ping the server, and can the server ping the device), or errors in the authentication or authorization prameters specified.
    Post some information and we will see what we can do.
    HTH
    Rick

  • RADIUS Server High Availability?

    Hi,
    I have two RADIUS servers in my network (one to be the failover serv) and one of them has been having problems, the server is not getting down but the radius service is getting crashed. Don't know why the failover server doesn't respond the authentication for the users if the books said that this is something automatic.
    Is there one command to allow the switch to recognize if the service is down in one of the radius servers and automatically use the other one to authenticate the users?.
    tks

    Hi,
    In switches you need to configure two radius server with secret key along with,so as per the sequence in the IOS the request will directed to radius servers.
    Below will the command to configure tacas/radius server in switches
    tacacs-server host 10.1.x.x
    tacacs-server host 10.2.x.x
    Hope that help out your query !!
    Regards
    Ganesh.H

  • 1602i standalone AP cannot ping RADIUS server

    I have a new 1602i standalone AP trying to use RADIUS authentication.  For some reason the 1602 cannot ping the RADIUS server, but will get a response from other devices.  Both are on the same subnet, the new one at .213 and the RADIUS at .209.
    AP6#ping xxx.xx.120.209
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to xxx.xx..120.209, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    AP6#ping xxx.xx.120.217
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to xxx.xx..120.217, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
    The RADUIS server is able to ping the new AP successfully.
    AP1#ping xxx.xx.120.213
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to xxx.xx.120.213, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
    Any thoughts to why that AP is unable to ping that one particular client?  Other APs are successfully contacting it for RADIUS authentication.

    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP6
    logging rate-limit console 9
    enable secret 5 xxxxxxxxxxxx
    aaa new-model
    aaa group server radius rad_eap
     server xxx.xx.120.209 auth-port 1812 acct-port 1813
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone -0500 -5 0
    clock summer-time -0400 recurring
    no ip routing
    no ip cef
    dot11 syslog
    dot11 ssid xxx.xx
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
    crypto pki token default removal timeout 0
    username Cisco privilege 15 password 7 xxxxx
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers tkip
     ssid  MANH
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     dfs band 3 block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     ip address dhcp client-id GigabitEthernet0
     no ip route-cache
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    snmp-server view dot11view ieee802dot11 included
    snmp-server community  RW
    snmp-server chassis-id AP6
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps entity
    snmp-server enable traps disassociate
    snmp-server enable traps deauthenticate
    snmp-server enable traps authenticate-fail
    snmp-server enable traps dot11-qos
    snmp-server enable traps switch-over
    snmp-server enable traps rogue-ap
    snmp-server enable traps wlan-wep
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server enable traps cpu threshold
    snmp-server enable traps aaa_server
    snmp-server host .0.39 public
    radius-server local
      user user1 nthash 7
    radius-server attribute 32 include-in-access-req format %h
    radius-server host xxx.xx.120.209 auth-port 1812 acct-port 1813 key 7
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
     transport input all
    sntp server xxx.xx.0.11
    sntp broadcast client
    end

  • WIndows Radius Server

    Hi,
    We are using windows 2000 IAS server radius server.
    We have Catalyst 4500 in our network.
    Requirement is to enable command level accounting using windows radius server (IAS).
    Pls suggest with sample config.
    Regards

    Hi,
    I believe command level accounting is supported in tacacs only however i am not sure about IAS server. you can check on this webpage
    Happy New Year To ALL

  • Changing RADIUS Server

    We have an AS5300 and a Radius server. We are changing the Radius server. Besides changing the IP address of the Radius server on the AS5300, is there anything else that we need to do? Thanks.

    I dont think so, just specify the new IP and you are good to go.
    check the following example:
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa authorization command 2 default group tacacs+ if-authenticated
    radius-server host 172.16.71.146 auth-port 1645 acct-port 1646
    radius-server attribute 44 include-in-access-req
    radius-server attribute 8 include-in-access-req
    So, unless you are changing port or other parameters, changing the IP will do the job.
    HTH,
    please rate all posts.
    Vlad

Maybe you are looking for

  • Find a filename in a folder with aperture databases (or files)

    hi, I guess it has been asked before. Is there a way with OSX 10.6.8. to search a folder with about 20 aperture files (or databases) for a single filename? I am not searching for duplicates (so Tidyup or Duplicate Annihilator don't work for this), bu

  • I bought a macbook air

    and it has the guys app store info on it... how can i change it....?

  • Can I install iLife 06 and 08 on two diff macs?

    I have the pre'08 iLife on both my G5 and my Macpro, and all my iweb sites were created on my Macpro. Can install '08 and the updates on my G5 without affecting the domain sites created on my Macpro?

  • LOV Event Capturing

    Hi OAF Gurus, We have requirement to capture LOV events progammatically but on the way I am facing one issue while capturing LOV event. Actually lovValidate event works as per its functionality and it gets captured when user enter value into th efiel

  • Using hp simple save on mbp

    using hp simple save on mbp