ASA and RADIUS with Password expiry
We currently have a 3015 doing our VPNs. We are looking to move that to our 5520. RADIUS with password epiry is being used for authentication on the 3015 and we would like to continue to use it. Reading the docs for the ASA I have found conflicting answers as to wether or not the ASA supports this.
Please advise with ANY help.
-Doug
ASA does support this...it is no longer referred to as radius with expiry, it the command is now "password-management".
http://cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1725278
Similar Messages
-
I backed up and encrypted with password but on restore the password does not work. Advice
After a HD failure on my 2009 iMac,, fittgyed new oner, installedf os (tiger), from original disk, restored all documents etc. changed password with disk utility. over 48 hrs re3setting permissions so switched off. all seemed ok. downloaded combined os updates. Now my password does not work. tried rersetting, no go. Terminal does not have rest password on.
Any suggestions please -
IPSEC b/w ASA and Router --- with nat stuff
I need help regarding the following issue..
An asa is connected to a router which is connected to the internet.
A vpn must be established b/w ASA and a router that is over internet . The ASA is not directly connected to the internet. It is connected to a router which nat the Asa outside ip to a static global IP .
All i need to know is that do need any special configs for this . or its the same as if ASA would have been directly connected to the internetIn order to configure a LAN-to-LAN tunnel between a Cisco IOS? router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
Configure the crypto ipsec command in Phase 2.
Configure the isakmp policy command.
Configure the nat 0 command and the access-list command in order to bypass NATting.
Configure the crypto-map command.
Configure the tunnel-group DefaultL2LGroup command with group information -
SQL Developer and Access with password issue
I have Windows 7 64bits, Developer Version 2.1.1.64 and Access 2007.
Created a MDB file added 2 tables, enabled de system tables and set a password.
I try to configure connection but it gives a "Not Valid Password" error.
I use on username: Admin
And the password I'd set.
What could be the error?
I unset the password and it works fine.The password I had set was Database password and not user login so maybe there's no hope on this one, for now...
-
User from certificate with Cisco VPN client and ASA (and radius)
Hello,
we are trying to migrate a vpn client connection from GROUP to certificate. We want that client uses the user from the certificate and doesn't ask user, only password. Is it possible? Now, with user certificate, you can connect as another user if you know the user and the password of the other user with your own certifcate.
Thanks!
Santiago.mrbacklash wrote:
Ok with that being said will the MBA 11.6 1.4ghz have the guts to make it run mostly internet based programs over the VPN connection?
I think if you are running apps over the Internet the bottleneck will be the Internet and your VPN bandwidth. Your computer can certainly execute faster than Internet communications.
Besides, Internet or remote applications run on the remote server. All your local computer does is local processing of the data if necessary.
Message was edited by: BobTheFisherman -
Desktop software and problem with password
Hi
My apologizes for my english but it is not my language.
I have a blackberry curve 9300 since 2 years.
I used to work with the blackberry software for mac.
Since some weeks, I have trouble with this program.
The program invite me to enter my password. Normally, I write my password and it works. But, now, I have a second window which ask me a password too. But my password does not work. This window appear constantly and I can not work on my others programs. To use other program I have to disconnect my device and to force out the second program.
In attachment, you will see the window. (I can not insert an image)
How can I stop this program?
I already uninstalled the software but the problem remain.
Can you help me?????Hi morbiteus,
Welcome to the BlackBerry Support Community.
So that I can assist you better, can you please provide the name of the second program you are referring to? Does it open each time you open the BlackBerry Desktop Software?
I look forward to your response.
-FS
Come follow your BlackBerry Technical Team on Twitter! @BlackBerryHelp
Be sure to click Kudos! for those who have helped you.
Click Solution? for posts that have solved your issue(s)! -
7921 and radius . auto password change?
we thought about putting in a radius server to handle the wireless phone security in our multi wan enviroment.
Question .. is there anyway to change the password and not have to revisit all the phones to ener the new password .. in other words, the phones will update themselves ... ?
Otherwise i do not see the advantage of having a radius server over just a strong key... we are using wpa
ThanksYou could use EAP-FAST it will update user passwords automatically.Refer URL
http://cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/netqa09186a00802030dc.html -
FIll in, save and protect with password
ok, here it komes.
i design forms for my users. the form has a pickingslip layout.
my users fill in the form save and send to the customer. BUT
the form has to be protected from applying changes to filled in data.
i just made a test in livecycle. protected the form with a pass word.
then i have to open the pdf in adobe acrobat 8 to enable the save form feature. but then the form is not protected anymore. i also done reverse.
developed form in livecycle, edited the security in acrobat 8 then
enabled the reader extension. pdf remaines unprotected, i do not get
the promt to give in the password11. Charge and Discharge Your Battery Regularly
Your iDevice needs to be fully discharged and recharged at least once a month to operate at maximum efficiency and keep the battery from dying. You’ll also want to make sure that you don’t store the device with a dead battery, as that can also cause the battery to lose charge capability—when your battery dies, make sure to recharge itquickly
The reason that Apple suggests you drain and recharge your battery once a month is not because it affects the life ofthe battery. What it actually does is calibrate the battery sensor, giving you a more accurate reading.
Other than that, you done an admirable job of summarizing the Knowledge Base article:
http://www.apple.com/batteries/ipad.html
Best of luck. -
Hi,
If I use 2 asa 5510 with HA in mode A/A or A/P
Is it possible in A/A mode to use one IPS module, except for security problem ?
Or is it preferable to use asa as A/P.
RegardsI think it is possible to have two ASA with HA in mode A/A to use IPS module. The ASA can also be used in mode A/P which is preferable as it has cost advantage.
-
After an exhaustive RTFM session reading the docs on SGD 4.4; Kerberos, etc. and bombing out with password expiry time and time again I was told, in this forum, that there is an "unpublished bug" in the jre that ships with SGD 4.4, breaking AD password expiry. No fix or patch was mentioned.
Before wasting more time, could anyone tell me if there are any other "known issues" with AD password expiry using SGD 4.31? (BTW, it isn't working either).
regards,
-damonthis is correct, there is a bug in Java 1.6 that ships with both 4.31 and 4.40. The fix is in 1.6.0 update 4. Please check http://java.sun.com in the next week or so for details on when the update will be released. Please open a case with Sun Support so that the instructions for upgrading the existing JVM can be provided.
-
Site-to-site vpn with 2 asa and home router
I am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
Internal Network Local ASA ISP1 ISP2 Remote Router Remote ASA Remote Network
192.168.1.0/24 local-gateway/public ip public ip/192.168.0.1/24 192.168.0.10/10.10.10.254 10.10.10.0/24
10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
Below are the configs of the local and remote asa. any help would be greatly appreaciated.
local-asa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Switch
host 192.168.1.5
description 2960-24 Switch
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark_Public
host 76.98.2.63
description Mark Public
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
object network Mark_routed_subnet
subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
access-list Home standard permit 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.1.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa accounting enable console Radius
aaa accounting serial console Radius
aaa accounting ssh console Radius
aaa accounting telnet console Radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.162.9.0 255.255.255.0 outside
http 76.98.2.63 255.255.255.255 outside
http 10.10.10.0 255.255.255.0 inside
snmp-server host inside 192.168.1.101 community *****
snmp-server location 149 Cinder Cross
snmp-server contact Ted Stout
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 76.98.2.63
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=stout-fw
keypair vpn.stoutte.homeip.net
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint Home--Server-CA
enrollment terminal
subject-name CN=stout-fw,O=home
keypair HOME-SERVER-CA
crl configure
crypto ca trustpoint HOME-SSL
enrollment terminal
fqdn stoutfw.homeip.net
subject-name CN=stoutfw,O=Home
keypair HOME-SSL
no validation-usage
crl configure
crypto ca trustpoint SelfSigned
enrollment self
fqdn stoutfw.homeip.net
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 192.168.1.6
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.5 source inside prefer
ssl trust-point SelfSigned outside
ssl trust-point ASDM_TrustPoint2 inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
username stoutte attributes
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN_client_profile type user
tunnel-group 76.98.2.63 type ipsec-l2l
tunnel-group 76.98.2.63 general-attributes
default-group-policy GroupPolicy1
tunnel-group 76.98.2.63 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_VPN
dhcp-server link-selection 192.168.1.101
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
remote-asa
: Saved
ASA Version 9.1(1)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name netlab.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Ted
subnet 192.168.1.0 255.255.255.0
description Teds Network
object network Ted_Public
host 24.163.116.187
object network outside_private
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip object Ted_Public any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 24.163.116.187 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 24.163.116.187
crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map2 interface outside
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.1-10.10.10.20 inside
dhcpd enable inside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
tunnel-group 24.163.116.187 type ipsec-l2l
tunnel-group 24.163.116.187 general-attributes
default-group-policy GroupPolicy1
tunnel-group 24.163.116.187 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
: end
no asdm history enableI am trying to establish a site-to-site vpn between 2 ASAs and am able to get the tunnel to establish and can get connectivity from the remote end of the connection to the local side. However, traffic from the local side is not able to get to the remote end. We have 2 ASA 5505 establishing the tunnel, on the remote end there is a linksys home router forwarding all traffic to the ASA outside interface on a private subnet. Our layout is as follows.
Internal Network Local ASA ISP1 ISP2 Remote Router Remote ASA Remote Network
192.168.1.0/24 local-gateway/public ip public ip/192.168.0.1/24 192.168.0.10/10.10.10.254 10.10.10.0/24
10.10.10.0/24 (remote) -> 192.168.1.0/24 (local) works
192.168.1.0/24 (local) -> 10.10.10.0/24 (remote) does not work
Below are the configs of the local and remote asa. any help would be greatly appreaciated.
local-asa
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.6 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
same-security-traffic permit inter-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Switch
host 192.168.1.5
description 2960-24 Switch
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Mark_Public
host 76.98.2.63
description Mark Public
object network Mark
subnet 10.10.10.0 255.255.255.0
description Marks Network
object network Mark_routed_subnet
subnet 192.168.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit tcp any object home-app-svr object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit ip object Mark 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object Mark
access-list Home standard permit 192.168.1.0 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Mark Mark no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 10.10.10.0 255.255.255.0 24.163.112.1 1
route outside 10.10.10.0 255.255.255.0 76.98.2.63 128
aaa-server Radius protocol radius
aaa-server Radius (inside) host 192.168.1.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console Radius LOCAL
aaa authentication telnet console Radius LOCAL
aaa authentication enable console Radius LOCAL
aaa authentication http console Radius LOCAL
aaa authentication serial console Radius LOCAL
aaa accounting enable console Radius
aaa accounting serial console Radius
aaa accounting ssh console Radius
aaa accounting telnet console Radius
http server enable
http 192.168.1.0 255.255.255.0 inside
http 66.162.9.0 255.255.255.0 outside
http 76.98.2.63 255.255.255.255 outside
http 10.10.10.0 255.255.255.0 inside
snmp-server host inside 192.168.1.101 community *****
snmp-server location 149 Cinder Cross
snmp-server contact Ted Stout
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change
snmp-server enable traps memory-threshold
snmp-server enable traps interface-threshold
snmp-server enable traps cpu threshold rising
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 76.98.2.63
crypto map outside_map0 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=stout-fw
keypair vpn.stoutte.homeip.net
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint Home--Server-CA
enrollment terminal
subject-name CN=stout-fw,O=home
keypair HOME-SERVER-CA
crl configure
crypto ca trustpoint HOME-SSL
enrollment terminal
fqdn stoutfw.homeip.net
subject-name CN=stoutfw,O=Home
keypair HOME-SSL
no validation-usage
crl configure
crypto ca trustpoint SelfSigned
enrollment self
fqdn stoutfw.homeip.net
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment self
fqdn 192.168.1.6
subject-name CN=stout-fw
keypair SelfSigned
crl configure
crypto ca trustpool policy
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 20
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.5 source inside prefer
ssl trust-point SelfSigned outside
ssl trust-point ASDM_TrustPoint2 inside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username stoutte password 0w8WOxYi69SDg3bs encrypted privilege 15
username stoutte attributes
webvpn
anyconnect keep-installer installed
anyconnect profiles value VPN_client_profile type user
tunnel-group 76.98.2.63 type ipsec-l2l
tunnel-group 76.98.2.63 general-attributes
default-group-policy GroupPolicy1
tunnel-group 76.98.2.63 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
authentication-server-group Radius LOCAL
default-group-policy GroupPolicy_VPN
dhcp-server link-selection 192.168.1.101
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
remote-asa
: Saved
ASA Version 9.1(1)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.10 255.255.255.0
ftp mode passive
clock timezone EDT -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name netlab.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Ted
subnet 192.168.1.0 255.255.255.0
description Teds Network
object network Ted_Public
host 24.163.116.187
object network outside_private
subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_10.10.10.0_24
subnet 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 object Ted
access-list outside_access_in extended permit icmp any4 any4 echo-reply
access-list outside_access_in extended permit ip object Ted 10.10.10.0 255.255.255.0
access-list outside_access_in extended permit ip object Ted_Public any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 destination static Ted Ted no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.0 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 24.163.116.187 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 outside
http 10.10.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 24.163.116.187
crypto map outside_map2 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map2 interface outside
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
dhcpd address 10.10.10.1-10.10.10.20 inside
dhcpd enable inside
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username admin password 8Ec7AqG6iwxq6gQ2 encrypted privilege 15
tunnel-group 24.163.116.187 type ipsec-l2l
tunnel-group 24.163.116.187 general-attributes
default-group-policy GroupPolicy1
tunnel-group 24.163.116.187 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:2f4107de10e7171c3d951745c56b8d01
: end
no asdm history enable -
MS NLB with ASA and Static NAT from PUP to NLB IP
Hi all,
I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
I have two VMs runing on two different ESXi hosts. They have two vNICs. One for managment and one for inside puplic subnet. The inside puplic subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to a outide public IP.
192.168.0.50 is the 1st VM
192.168.0.51 is the 2nd VM
192.168.0.52 is the cluster IP for heartbeat
192.168.0.53 is the cluster IP for NLB traffic.
0100.5e7f.0035 is the cluster MAC.
The NLB cluster is using MULTICAST
I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.
For the ASA I found
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
ASDM
Configuration > Device Management > Advanced > ARP > ARP Static Table
I was able to add my stic ARP just fine.
However, the next step was to enable ARP inspection.
Configuration > Device Management > Advanced > ARP > ARP Inspection
My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
For the CAT Switch I found
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
I added the both the ARP and Static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic testing puproses.
At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets) The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae. Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine.
So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine. Below is my ASA Config. I have bolded the parts of Interest.
Result of the command: "show run"
: Saved
ASA Version 8.4(4)9
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.XX.XX.82 255.255.255.240
interface Ethernet0/1
description Root Inside Interface No Vlan
speed 1000
duplex full
nameif Port-1-GI-Inside-Native
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.2
description Managment LAN 1 for Inside Networks
vlan 2
nameif MGMT-1
security-level 100
ip address 192.168.180.1 255.255.255.0
interface Ethernet0/1.3
description Managment LAN 2 for Inside Networks
vlan 3
nameif MGMT-2
security-level 100
ip address 192.168.181.1 255.255.255.0
interface Ethernet0/1.100
description Development Pubilc Network 1
vlan 100
nameif DEV-PUB-1
security-level 50
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.101
description Development Pubilc Network 2
vlan 101
nameif DEV-PUB-2
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1.102
description Suncor Pubilc Network 1
vlan 102
nameif SUNCOR-PUB-1
security-level 49
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1.103
description Suncor Pubilc Network 2
vlan 103
nameif SUNCOR-PUB-2
security-level 49
ip address 192.168.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
host 198.XX.XX.82
description The primary IP of the ASA
object network Inside-Native-Network
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
subnet 192.168.100.0 255.255.255.0
description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
subnet 192.168.0.0 255.255.255.0
description DEV-PUP-1 Network
object network DEV-PUP-2-Network
subnet 192.168.2.0 255.255.255.0
description DEV-PUP-2 Network
object network MGMT-1-Network
subnet 192.168.180.0 255.255.255.0
description MGMT-1 Network
object network MGMT-2-Network
subnet 192.168.181.0 255.255.255.0
description MGMT-2 Network
object network SUNCOR-PUP-1-Network
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
subnet 192.168.0.0 255.255.255.0
description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
subnet 192.168.2.0 255.255.255.0
description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
subnet 192.168.180.0 255.255.255.0
description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
subnet 192.168.181.0 255.255.255.0
description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
host 192.168.2.120
description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-SQL-1
host 192.168.0.110
description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
host 192.168.2.110
description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
host 198.XX.XX.XX
description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
host 192.168.4.120
description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
host 192.168.3.110
description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
host 192.168.4.110
description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
host 192.168.0.120
description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
host 192.168.3.120
description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
subnet 192.168.1.0 255.255.255.0
description PDX-LAN for S2S VPN
object network PDX-Sonicwall
host XX.XX.XX.XX
object network LOGI-NLB--SNAT
host 192.168.0.53
description Logi NLB with SNAT
object network LOGI-PUP-IP
host 198.XX.XX.87
description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
host 192.168.0.53
description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
host 198.XX.XX.87
description LOGI Pup with SNAT to NLB
object-group network vpn-inside
description All inside accessible networks
object-group network VPN-Inside-Networks
description All Inside Nets for Remote VPN Access
network-object object Inside-Native-Network
network-object object DEV-PUP-1-Network
network-object object DEV-PUP-2-Network
network-object object MGMT-1-Network
network-object object MGMT-2-Network
network-object object SUNCOR-PUP-1-Network
network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
object network Inside-Native-Network-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end
Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff.
Thanks,
ChrisAlso If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP. So it's definatly an issue when NATing the VIP of NLB cluster.
Chris -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
BobHello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
DirSync with Password Sync - Account Expiry
Hi All,
New to Office 365 - Hence a basic question.
We have been exploring various DirSync options and considering DirSync with password sync at the moment.
The msdn documentation suggests DirSync with Password sync sets the account expiry to 'Never Expire'.
I understand we can also set account expiry for all tenant user accounts through Set-MsolPasswordPolicy cmdlet.
If I use this cmdlet for setting expiry to say 90 days, will password sync overwrite the account expiry to 'Never expire' on next synchronization?
Please advise.
Regards,
Ajay SuriIf you don't check the "Enable Password Sync"
checkbox, then the Azure password policies would apply, of course.
The attributes included in DirSync are listed
here.
Yes, when you use Dirsync, all attributes are mastered on-prem. This doesn't apply to passwords unless you check the box in #1. Also, this doesn't apply to objects created in Azure manually (i.e. ones that weren't/aren't synced).
Mike Crowley | MVP
My Blog --
Planet Technologies -
TACACS auth and RADIUS accounting with ACS
I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?
Thank you for the response. I did verify the syslog explanation you gave below and the AAA server is online as TACACS message are getting to it. My configuration for the ASA for RADIUS is as follows
Server Group - RADIUS
Protocol - RADIUS
Accounting Mode - Simultaneous
Reactivation Mode - Timed
Max Failed attempts - 3
Two servers in the Server Group
ACS - Not working
Microsoft IAS - Working
I have tried removing the IAS server and changing the accounting mode to single and still getting auth failures.
ACS is configured as follows
Network Configuration
AAA Clients - ASA authenticate using TACACS+
AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)
Maybe you are looking for
-
If Itunes 10 is Not Opening for you:
As per advice I received from "JollyGiant" uninstall flip4mac and magically: No problems (it resolved my longer iPhoto problem too!) d
-
Qty block against CT3 form for Deemed Export order
Hi, Can we link sales order & CT3 form, purpose is that for deemed export order customer is giving new PO & new CT3. So want to make block sales order against CT3. Pl. help to solve this issue. Thanks
-
Envelope distort to center of the object only possible?
Envelope distort to center of the object only possible? Okay, can anyone please give me a hint how to achieve the effect shown in the image? If not with Illustrator what software can do this effect? It's like an envelope distort but like the object (
-
Can't connect to Update Server - help!
I un-installed and re-installed Snow Leopard, but now I can't connect to the update server, or even re-install properly from a Time Machine backup. When I try it says the updates can't be saved or can't connect to the update server - check your inter
-
Hi experts, I want to delete Characteristics form Class , when I enter the details such as Class, Class Type, Change Number the deletion icon on the screen is Greyed out i.e. Disabled When I try to delete the Characteristics through program RMCLMDEL