ASR9k BNG Radius issue
Hi folks.
I'm deploying BNG at ASR9k with IOS XR 4.3.1 and have some problems with RADIUS exchange. My current config is:
radius source-interface Loopback220 vrf default
radius-server host x.y.z.198 auth-port 1812 acct-port 1813
key test
aaa attribute format USERNAME
format-string length 253 "%s" outer-vlan-id
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSSSAAPPPPPVVVVVVVVVVVVVVVVVVVVV
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa group server radius BNG
server x.y.z.198 auth-port 1812 acct-port 1813
source-interface Loopback220
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
aaa authentication ppp default group BNG
dhcp ipv4
vrf INTERNET proxy profile IPV4_GROUP
profile IPV4_GROUP proxy
class INTERNET
match vrf INTERNET
helper-address vrf INTERNET x1.y1.z1.77 giaddr x2.y2.z2.129
limit lease per-remote-id 150
relay information option vpn
relay information option
relay information policy keep
relay information option allow-untrusted
interface TenGigE0/1/0/0.1 proxy profile IPV4_GROUP
Radius server is reachable from BNG with loopback220 source IP address.
interface TenGigE0/1/0/0.1
ipv4 point-to-point
ipv4 unnumbered Loopback200
service-policy type control subscriber IP_POLICY_BASIC
encapsulation dot1q 145 second-dot1q 1960
ipsubscriber ipv4 l2-connected
initiator dhcp
dynamic-template
type ipsubscriber IP_BASIC
ipv4 unnumbered Loopback200
class-map type control subscriber match-any DHCP
match protocol dhcpv4
end-class-map
policy-map type control subscriber IP_POLICY_BASIC
event session-start match-first
class type control subscriber DHCP do-until-failure
10 activate dynamic-template IP_BASIC
20 authorize aaa list default format USERNAME password test
end-policy-map
Radius debug info:
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'handle_nas_req'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: EXITTING 'radiusd_get_nas_identifier'
LC/0/1/CPU0:Aug 1 00:19:41.493 FET: radiusd[322]: ENTERING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radiusd_get_prepend_nas_id_to_session_id'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt_from_list'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'build_radius_pkt'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_send_request_message'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP & Quarantined: NO
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: radius_get_next_server: Setting the preferred server handle to NULL
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Sending request to x.y.z.198:1812, with retry_limit: 3 and delay: 5
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING 'radius_set_ident_sock'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: ENTERING 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: EXITTING (value 1) 'radius_ctx_db_insert_rctx'
LC/0/1/CPU0:Aug 1 00:19:41.494 FET: radiusd[322]: Sending request with id : 14/1347259508
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'send_radius_packet'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_add_mand_attrs'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Calling best local address using daemon address=x.y.z.198
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Address x.y.z.198 does not have a source address
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Got IP address: 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: IP source address aaa util format: 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'get_ip_addr_from_fib'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: NAS best local address = 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_nas_ip_address'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Reencoding NAS-IP prev 0.0.0.0 new 0.0.0.0
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: ENTERING 'radius_get_next_server'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Server x.y.z.198/1812/1813 is UP & Quarantined: NO
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Failed aaa_sg_server_get_next_server with error 'qos-ea' detected the 'fatal' condition 'set exp imposition in egress is not permitted' rc = AFDF1600
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: NAS-IP-Address not found, Moving to next server in the server group
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Nas-IP-Address not found, dropping request
LC/0/1/CPU0:Aug 1 00:19:41.495 FET: radiusd[322]: Failed to send the request
Any workaround or recommendation to solve the issue?
I have the same problem on 5.1.1 software
aaa accounting system default start-stop group BNG
aaa group server radius BNG
server-private XX.XXX.XXX.8 auth-port 1812 acct-port 1813
key 7 000500140D551F031D324D5A490D000406
source-interface Loopback1
aaa authentication ppp default group BNG
aaa authentication login default local
dynamic-template
type ppp PPP_TPL
ppp authentication chap
ppp ipcp dns 8.8.8.8
ipv4 unnumbered Loopback2
interface Loopback1
ipv4 address 10.254.254.254 255.255.255.255
interface Loopback2
ipv4 address 10.254.254.253 255.255.255.255
interface MgmtEth0/RSP0/CPU0/0
ipv4 address 10.252.0.90 255.255.255.0
interface MgmtEth0/RSP0/CPU0/1
shutdown
interface TenGigE0/0/2/1.556
ipv4 address 10.56.0.1 255.255.255.0
service-policy type control subscriber PPP_PM
pppoe enable bba-group pppoe
encapsulation dot1q 556
aaa attribute format NAS_PORT_FORMAT
circuit-id plus remote-id separator .
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU type 32
aaa radius attribute nas-port format e SSAAPPPPQQQQQQQQQQVVVVVVVVVVUUUU
aaa radius attribute nas-port-id format NAS_PORT_FORMAT
aaa accounting subscriber default group BNG
aaa authorization subscriber default group BNG
aaa authentication subscriber default group BNG
pppoe bba-group pppoe
service selection disable
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
policy-map type control subscriber PPP_PM
event session-start match-first
class type control subscriber PPP do-until-failure
1 activate dynamic-template PPP_TPL
event session-activate match-first
class type control subscriber PPP do-until-failure
1 authenticate aaa list default
end-policy-map
The RADIUS server sends Access-Accept, but it isn't visible on the router
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Send Access-Request to XX.XXX.XXX.8:1812 id 169, len 220
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: authenticator D3 8C BA E1 87 32 81 3C - E7 47 78 79 20 C1 AC 57
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Vendor,Cisco [26] 41
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Cisco AVpair [1] 35 client-mac-address=000e.0c75.b6d9
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Acct-Session-Id [44] 10 0400003b
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: NAS-Port [5] 6 2701140681
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: NAS-Port-Id [87] 3 .
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Vendor,Cisco [26] 9
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: cisco-nas-port [2] 3 .
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: User-Name [1] 11 user1
LC/0/0/CPU0:Mar 6 15:48:32.499 : radiusd[327]: RADIUS: Service-Type [6] 6 Framed[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: CHAP-Password [3] 19 *
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: CHAP-Challenge [60] 18 r^K d ^BZ-^E^B^_^S^Xd^U)
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Unsuppoted attribute.
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Vendor,Cisco [26] 33
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Cisco AVpair [1] 27 connect-progress=LCP Open
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Framed-Protocol [7] 6 PPP[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: NAS-Port-Type [61] 6 PPPoEoVLAN[0]
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Event-Timestamp [55] 6 1394102897
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: Nas-Identifier [32] 14 asr9k_pppoe
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: RADIUS: NAS-IP-Address [4] 6 XX.XXX.XXX.9
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Updating last used server
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'send_radius_packet'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Got global deadtime 0
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Using global deadtime = 0 sec
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'start_dead_detect_timer'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_update'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: EXITTING 'radius_timer_update'
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: Updated timer thread rad_ident 169 remote_port 1812 remote_addr 0x30fb908c, socket 1342480676 rctx 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:32.500 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: ENTERING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timer_set_addl_context'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: Successfully sent packet and started timeout handler for rctx 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_send_request_message'
LC/0/0/CPU0:Mar 6 15:48:32.501 : radiusd[327]: EXITTING 'radius_timeout_handler'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timeout_handler'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_timer_get_addl_context'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Timeout happened for req rad_ident 169 remote_port 1812 remote_addr 0x50 socket 1342480676 rctx 5015b530
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rctx found is 0x5015b530
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_ctx_db_get_and_remove_rctx'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_send_request_message'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Reached retry count for the server 3,Trying to move to next server
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'radius_get_next_server'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: Server XX.XXX.XXX28/1812/1813 is UP & Quarantined: NO
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_get_next_server' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_send_request_message' with error [A247C800] 'Subsystem(1167)' detected the 'fatal' condition 'Code(36)'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: ENTERING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Received response from id : 169,packet type 1
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: rad_nas_reply_to_client: Sending failover message to client
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'rad_nas_reply_to_client'
LC/0/0/CPU0:Mar 6 15:48:37.508 : radiusd[327]: EXITTING 'radius_timeout_handler'
I tried with and without a RADIUS group, and with different source-interface interfaces; it doesn't help.
Any thoughts on where to look?
Similar Messages
-
ASR9K BNG and user defined VSAs
Hello All,
I am currently deploying the Cisco ASR9K BNG solution and it needs to be integrated with Cisco ACS 3.3 equipment (yes, that old; going to migrate to a new product in the future). Several specific attributes are needed that are not in the base config of the ACS 3.3, but it seems that I can configure them manually:
In addition to supporting a set of predefined RADIUS vendors and vendor-specific attributes (VSAs), Cisco Secure ACS supports RADIUS vendors and VSAs that you define. Vendors you add must be IETF-compliant; therefore, all VSAs that you add must be sub-attributes of IETF RADIUS attribute number 26.
This is from the ACS 3.3 configuration manual.
I have never done these user-defined VSAs. Does anyone have experience with this? Will this work?
How can I identify the exact attributes necessary for my implementation to work?
Thanks!
David
Hi David,
yes that will work.
Radius is very "simple", it defines attributes in the following format:
attribute-number string representation encoding type.
the encoding type is important, because the value you provide on the string representation of the attribute
will get encoded in that manner.
For instance a string value of "105" is 3 bytes with chars "1", "0" and "5". The INT encoding of this will be a single byte with value "105", which is the ascii letter "i".
Now Attribute number "26" has string representation "vendor-specific". These attributes are encoded slightly differently:
attribute 26, vendor code, vendor length, vendor attribute, vendor value.
for Cisco the vendor code is 9, always.
The vendor attribute we have some options, for instance:
"1" is the cisco-avpair you may well know.
"2" is cisco-nas-port
250 is SSG command code for instance.
In general, all VSA's follow a string encoding.
So if you have the ability to define a new VENDOR specific attribute, they always start with 26, vendorcode and vendor attribute.
If you like, you can add what we call an IETF attribute, that is the first digit (some vendors "stole" some values there like ascend, who was the originator of radius pretty much), they had assigned for instance number 135 for ascend-primary-dns which is encoded as ip address (so 4 octets converted to a ulong value).
Does that clarify your Q at all? In short, yes VSA's are always usable in ANY radius that supports attribute 26.
regards
xander -
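Added example (not part of the original thread and not Cisco or ACS code): a small Python encoder/decoder for the attribute 26 nesting discussed in the reply above, using the RFC 2865 wire layout. The sample values are the NAS-Port and the two Cisco AVpairs from the radiusd debug output earlier on this page; all function and constant names are illustrative.

```python
import struct

VENDOR_SPECIFIC = 26   # IETF attribute number that carries every VSA
CISCO_VENDOR_ID = 9    # Cisco's vendor code, as given in the reply
CISCO_AVPAIR = 1       # vendor attribute 1 = cisco-avpair
NAS_PORT = 5           # IETF NAS-Port, carried as a 32-bit integer


def encode_attr(attr_type, value):
    """Type (1 octet) + Length (1 octet, counts the 2-octet header) + Value."""
    if not 0 < attr_type < 256:
        raise ValueError("attribute type must fit in one octet")
    if len(value) > 253:
        raise ValueError("value too long for a one-octet length field")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_vsa(vendor_id, vendor_type, value):
    """Attribute 26: 4-octet vendor code, then a nested type/length/value."""
    sub = encode_attr(vendor_type, value)
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def decode_attrs(buf):
    """Split concatenated attributes into (type, value) pairs.

    A length octet below 2 or one that runs past the buffer is rejected,
    so a malformed packet cannot make the parser loop or over-read.
    """
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length at offset %d" % pos)
        out.append((attr_type, buf[pos + 2:pos + length]))
        pos += length
    return out


def decode_vsa(value):
    """Value of attribute 26 -> (vendor_id, [(vendor_type, bytes), ...])."""
    if len(value) < 6:
        raise ValueError("VSA too short for vendor code plus sub-attribute")
    vendor_id = struct.unpack("!I", value[:4])[0]
    return vendor_id, decode_attrs(value[4:])


def build_sample():
    """Constructed sample, values copied from the debug output on this page."""
    return b"".join([
        encode_attr(NAS_PORT, struct.pack("!I", 2701140681)),
        encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR,
                   b"client-mac-address=000e.0c75.b6d9"),
        encode_vsa(CISCO_VENDOR_ID, CISCO_AVPAIR,
                   b"connect-progress=LCP Open"),
    ])


def describe(buf):
    """Rows of (attr type, total length, decoded content) for each attribute."""
    rows = []
    for attr_type, value in decode_attrs(buf):
        if attr_type == VENDOR_SPECIFIC:
            vendor_id, subs = decode_vsa(value)
            content = [(vendor_id, t, len(v) + 2, v.decode("ascii", "replace"))
                       for t, v in subs]
        elif attr_type == NAS_PORT:
            if len(value) != 4:
                raise ValueError("integer attribute must be 4 octets")
            content = struct.unpack("!I", value)[0]
        else:
            content = value
        rows.append((attr_type, len(value) + 2, content))
    return rows


if __name__ == "__main__":
    for row in describe(build_sample()):
        print(row)
```

The lengths it produces (41 and 35 for the first AVpair, 33 and 27 for the second, 6 for NAS-Port) are the same numbers printed next to those attributes in the debug output, which is a quick way to check a hand-defined VSA dictionary entry against what the NAS actually sends.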
We keep getting the following error, and every time we get it, the clients are forced to re-authenticate.
Any idea?
Thanks,
RADIUS server 10.108.32.33:1812 activated on WLAN 1
RADIUS server 10.140.4.9:1812 deactivated on WLAN 1
Go to clients. Look up the client by MAC address and look at the PEM state. It will tell you why the client is failing.
DHCP_REQ means there is a DHCP issue
8021x_REQ means it failed auth
You could also turn off exclude as a test, perhaps these clients are a little slow to auth.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Hello everybody.
I am having some trouble when lots of users try to connect via AnyConnect on my ASA (5545-X).
At the peak some users complain they cannot authenticate and I see these messages flapping in the logs:
%ASA-2-113022: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as FAILED
%ASA-2-113023: AAA Marking RADIUS server 1.1.1.1 in aaa-server group SRV-RADIUS1 as ACTIVE
After a while it gets back to working normally and there are no more messages like that.
Is changing the "timeout" parameter (default is 10) to a higher number a good idea? Or could the problem be at the RADIUS server?
aaa-server SRV-RADIUS1 protocol radius
aaa-server SRV-RADIUS1 (inside) host 1.1.1.1
time-out 20
Thanks
Hi Vitor and sorry for the delayed reply! Your English is just fine! :)
I am glad that changing the "timeout" value has solved the problem.
On your second question: I never had to filter any attributes out of the ASA and I am not sure if it is possible. With that being said, I don't think that the issue was/is with the ASA sending too much logging/Radius info. If you only had around 10 concurrent users during your peak hours then there is no way that they overwhelmed the Radius server :) The fact that the issue went away after changing the "timeout" value leads me to believe that the problem is related to something else. For instance, RTT (round trip delay) between the aaa server and your ASA or link saturation that causes bandwidth starvation which causes the server to time out in the ASA...just some ideas here :)
I hope this helps!
Thank you for rating helpful posts! -
Hi,
I have been having a lot of issues with clients at a site that have a WLC and use EAP-TLS to an ACS server across the WAN. Most of the issues are roaming related in that the re-authentication time is very long. I have implemented QOS for the RADIUS traffic but they are still reporting problems.
Looking at the logs on the WLC (5.1.151.0) I see messages similar to this one for all 5 ACS servers.
RADIUS server 10.x.x.x:1645 deactivated in global list
RADIUS server 10.x.x.x:1645 failed to respond to request (ID 65) for client 00:0b:6b:87:54:d2 /user 'unknown'
What concerns me is the word "deactivated". Does this mean that if an unknown client attempts to connect to this wlan and ACS is unable to authenticate it then the ACS server is "disabled" by the WLC?
Is this the case?
Thanks
Thanks JG,
Just one other question. The message says that the RADIUS server is disabled. Does this mean that it moves on to the next RADIUS server in the list?
(In the logs I can see the WLC cycling through all the RADIUS servers in quick succession, disabling them as it fails to get a response for the unknown user)
Could this almost be a denial-of-service style issue?
Thanks -
Dear guys,
I deployed Cisco ISE for Network Access Control. My topology is as described in the attached image. I configured Cisco ISE as the RADIUS server for Client Access Control. But I got some problems, such as:
No Accounting Start. (I have configured accounting on the 2960 switch.)
Radius Request Dropped (attached image). These NAS IP addresses are servers on the same subnet as Cisco ISE.
I would greatly appreciate any help you can give me in working this problem.
Have a nice day,
Thanks and Regards,
Sorry for the late reply.
Here is my switch config.
Current configuration : 8630 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no logging console
enable password ******************
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting delay-start all
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
aaa accounting network default start-stop group radius
aaa server radius dynamic-author
client A.B.C.D server-key keystrings
aaa session-id common
system mtu routing 1500
vtp mode transparent
ip dhcp snooping
ip device tracking
crypto pki trustpoint TP-self-signed-447922560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-447922560
revocation-check none
rsakeypair TP-self-signed-447922560
crypto pki certificate chain TP-self-signed-447922560
certificate self-signed 01
xxxxx
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
vlan 139,153,401-402,999,1501-1502
interface FastEthernet0/11
switchport access vlan 139
switchport mode access
authentication host-mode multi-auth
authentication open
authentication port-control auto
authentication periodic
authentication timer inactivity 180
authentication violation restrict
mab
interface FastEthernet0/12
switchport access vlan 139
switchport mode access
ip access-group ACL-ALLOW in
authentication event fail action next-method
authentication event server dead action authorize vlan 139
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
interface GigabitEthernet0/1
switchport mode trunk
interface GigabitEthernet0/2
interface Vlan1
no ip address
interface Vlan139
ip address E.F.G.H 255.255.255.0
ip default-gateway I.J.K.L
ip http server
ip http secure-server
ip access-list extended ACL-ALLOW
permit ip any any
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit icmp any any
permit tcp any host A.B.C.D eq 8443
permit tcp any host A.B.C.D eq 443
permit tcp any host A.B.C.D eq www
permit tcp any host A.B.C.D eq 8905
permit tcp any host A.B.C.D eq 8909
permit udp any host A.B.C.D eq 8905
permit udp any host A.B.C.D eq 8909
deny ip any any
ip access-list extended ACL-WEBAUTH-REDIRECT
permit tcp any any eq www
permit tcp any any eq 443
deny ip any any
ip radius source-interface Vlan139
snmp-server community keystrings RW
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host A.B.C.D version 2c keystrings mac-notification
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host A.B.C.D auth-port 1812 acct-port 1813 key STRINGSKEY
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
line vty 5 15
end
My switch version is
WS-2960 12.2(55)SE5 C2960-LANBASEK9-M
I would greatly appreciate any help you can give me in working this problem. -
WLC and windows radius issue and another problem
Hi everyone.
We have a problem with a customer wireless infrastructure which has a WLC using a Windows 2003 RADIUS server for authentication.
The users haven't been able to connect to the SSID since Monday. Nothing has been changed and the configuration is correct.
I think its a client problem because the clients who use Linux can connect.
Any idea?
I have attached a debug dot1x events output from when a Windows client tries to connect.
We have another problem with another SSID using local wpa2/pkm/ascii authentication.
This SSID is used for smartphones. The clients who use Android can connect, the clients who use iPhone can't.
Is this a conspiracy? xD
Thank you in advance.
Best regards
For the debug you attached, I see the client send an EAPOL start message, after it gets the Identity request. It seems to move beyond that, and then
Jul 30 15:36:47.396: 18:3d:a2:65:bd:54 Processing Access-Reject for mobile 18:3d:a2:65:bd:54
I'd take a look at the IAS logs to see why this particular client was rejected.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Hi,
This problem below got caught up on another thread with a different problem, thought best to start a new thread for it.
My particular problem here comes from user manipulation via Manage Your Places of the radius of pins. It is slow, it is jerky and it is buggy and what it did some weeks back was jump on one particular pin and expand it to cover the entire world which basically overwrote every other location I had set. Why it would overwrite these without the user changing the settings for said pictures themselves is absolute stupidity, but I digress.
Rebuilding libraries etc. is not going to retract the radius of that circle I am assuming and restore all of the original locations I had. Anyway, I took a deep breath and decided to approach places a little differently and have a lot less specific places. Before I might have had 15 photo locations for a town, now the pics will come under just the town name.
So I have been going through renaming one of the fifteen pins (just from this one town as an example) as the town name, expanding it to cover the area the 15 covered then I delete off the other 14 as places. Time consuming and laborious but I see an eventual sensible outcome from it and in theory quicker to rename all my lost places.
The problem is that the radius issue keeps happening, half a dozen times in the past 3 or 4 days alone and this meant that roughly 2500 pics I had relabelled were once again overwritten with the location of the pin with the expanded radius. And I'm back to square one.
So is there any workaround for this particular Places problem?
Thanks,
C.
@Craig,
I am not sure to what extent less specific places "solves" the problem, which seems to be the radius that a pin receives when placed on the map for the first time. It seems to be a value determined by Google, is not displayed in the teeny-weeny Assign a Place... dialog, and cannot be modified until it has or has not overlapped other custom places. So, while the probability of overlap might be somewhat reduced by less specific places, the inconvenience it causes is increased. I have noticed that Google defines a region named "Aletschgletscher" or "Jungfrau Aletsch" (working from memory here), which has a rather large radius due to the very irregular shape of the glacier, and that pins defined for towns in the Obergoms region, e.g., Blitzingen, Niederwald, Oberwald, Ulrichen, etc., often assumed the very large radius of the Aletsch Glacier. Besides, I'm wondering why on earth I should have to modify my use of this feature to accommodate Apple's stupid implementation of it. Nobody in Apple should even consider making the argument that this is how it should work. The legions of problems it causes is well documented in these forums, although, as we all know, Apple "isn't monitoring" them and hence, presumably, is quite unaware of them. And iPhoto 09 implemented Places completely differently -- the interface didn't have the eye-candy and "just magical" appeal of the present one, but it didn't cause the problems we're experiencing with Places in iPhoto 11.
My "solution" to the pin radius problem is:
Enter a character string in "Assign a Place..." and see what iPhoto suggests.
If you are tempted to select a suggestion that is a custom place of yours, do so only if you don't intend to modify its location or name. Doing so will have the same effect as modifying it in Manage My Places!
If you select a place suggested by Google, try to locate it sufficiently far away from other custom places (iPhoto no help here), and give it a name that you can easily recognize and distinguish from Google's suggestions in the future (cf. warning above).
Go directly to Manage My Places, find the new place, judge which existing places it overlaps, and note them down somewhere for the next step. Then reduce its radius and adjust its location.
Go into the Places view and select the new place. In all probability there will be photos at that place that don't belong there. Assign them to the correct place from the list you made in the step above.
Weep and gnash teeth as necessary. Regularly chant: "On a Mac it just works!" Keep stiff upper lip and imagine how much clumsier this must be in Windows.
Regards,
Richard -
Configure IP pool from radius server
Hi, all
My ADSL system's using a ERX-700 (juniper) as a BRAS and 7206 for backup.
Everything is alright except assigning name of pool to BRAS.
ERX-700 use frame-pool attr to provide pool name instead of addr-pool attr as 7206.
IOS can unsupport this attr but I can't configure both attr on radius.
Can you help to overcome this problem?
Thanks a lot.
This is a radius issue. It depends on the AAA server you're using how to configure both NASes independently.
For instance, if you would be using NavisRadius product as AAA server to configure which attributes to send back per NAS is really a piece of cake:
1) First, you have to define how to identify separately both NASes, either by IP, technology, by checking the calling-station-id, or whatever.
Supposing you do use IP, which maybe is easier, you do have to define a clients file, for instance:
10.0.0.1 secret_key ERX700
10.0.0.2 secret_key2 Cisco7200
10.0.0.3 secret_key3 AS5800
2) Depending on who's sending the request define what to do next and what attributes to send back. With NavisRadius you make this thru a Policy Flow, which is like a set of instructions to configure it, either manually or thru a GUI. Thru this set you could do for instance:
checkClientClass Method-Type="Branch"
Branch-Case = "Cisco7200\tsetIPAdressPoolA"
Branch-Case = "ERX700\tsetIPforERX"
Branch-Case = "AS5800\tsetIpsecService"
Branch-Case = "*\tUnknownClient"
Branch-SelectMode = "KEY"
Branch-SearchKey = "${client.Client-Class}"
3) And finally depending on the tag used go to another method which sends the needed attributes back to the NAS or do whatever you want to do depending on the case.
This is a very brief example, since the product is really flexible and allows many other possibilities, like getting the IP pools from another server, etc.
Good luck! -
802.1X authentication and roaming issues
Hi there,
I installed about 2 days ago one Cisco WCS 2504 and 11 APs. Everything is doing well regarding WEP authentication. But I have a Radius Server that is also running with some issues on wireless:
- Unless I open network settings and click connect on that config I cannot obtain a valid IP Address;
- Roaming is not working also;
FYI the certificate (on radius) has expired
TY
Not all of these are radius issues
- WPA2 Wlan still ok (144Mbit), but don't know when roaming works (how can I know/change these settings?);
Look at the client adapter as there is usually a roaming aggressiveness option on these devices. Play around with that.
- Radius authenticated with 802.11 Data Encryption on 40 bits Key size connects always at 54Mbps (g) and auto authenticate but don't know when roaming works (how can I know/change these settings?);
802.11n only supports open authentication or WPA2/AES. WEP is not supported so that's why you get up to 54mbps.
- Radius with 802.11 Data Encryption with none key size, doesn't authenticate connects 144Mbit but doesn't acquire IP Address
You have a configuration issue either in the WLC or the switch.
Sent from Cisco Technical Support iPhone App -
IOS XR 5.1.1 PPPoE Multicast BUG
When PPPoE users connect, everything works at first, but after a while errors begin
and everything stops working
RP/0/RSP0/CPU0:Apr 24 10:37:11.280 : pim[1160]: [11] Skipping set on Interface Bundle-Ether100.10.pppoe11180, vrf id/drop id 0x0/0x0 pim_vrf 0x60000000 group_joined 0 0, handle 0x1c8e0
RP/0/RSP0/CPU0:Apr 24 10:37:11.280 : pim[1160]: [11] Skipping reset on Interface Bundle-Ether100.10.pppoe11180, vid 0/0 group_joined 0 0, handle 0x1c8e0
RP/0/RSP0/CPU0:Apr 24 10:37:25.630 : pim[1160]: [11] Skipping set on Interface Bundle-Ether100.10.pppoe11181, vrf id/drop id 0x0/0x0 pim_vrf 0x60000000 group_joined 0 0, handle 0x1c960
RP/0/RSP0/CPU0:Apr 24 10:37:25.630 : pim[1160]: [11] Skipping reset on Interface Bundle-Ether100.10.pppoe11181, vid 0/0 group_joined 0 0, handle 0x1c960
Config
interface Bundle-Ether100.10
service-policy type control subscriber PPP_PM
pppoe enable bba-group intersat
encapsulation ambiguous dot1q any
interface Bundle-Ether100.445
description IPTV-in
ipv4 address 10.45.45.2 255.255.255.0
encapsulation dot1q 445
interface Loopback1
ipv4 address 10.254.254.254 255.255.255.255
ipv4 access-list IPTV
10 permit ipv4 239.10.0.0 0.0.255.255 any
20 permit ipv4 239.12.0.0 0.0.255.255 any
30 permit ipv4 239.195.0.0 0.0.255.255 any
50 permit ipv4 224.0.0.0 0.0.0.255 any
70 permit ipv4 229.0.0.0 0.0.255.255 any
ipv4 access-list IPTV2
10 permit ipv4 238.0.0.0 0.255.255.255 any
dynamic-template
type ppp PPP_TPL
ppp authentication chap pap
keepalive 120
ppp timeout absolute 60000
ppp ipcp peer-address pool POOL
timeout idle 60
accounting aaa list default type session periodic-interval 600
ipv4 unnumbered Loopback1
multicast ipv4 passive
igmp query-interval 60
igmp query-max-response-time 4
multicast-routing
address-family ipv4
interface Bundle-Ether100.10
enable
interface Bundle-Ether100.445
enable
pppoe bba-group intersat
service selection disable
class-map type control subscriber match-any PPP
match protocol ppp
end-class-map
policy-map type control subscriber PPP_V
event session-start match-first
class type control subscriber PPP do-until-failure
1 activate dynamic-template PPP_HW
event session-activate match-first
class type control subscriber PPP do-until-failure
1 authenticate aaa list default
end-policy-map
policy-map type control subscriber PPP_PM
event session-start match-first
class type control subscriber PPP do-until-failure
1 activate dynamic-template PPP_TPL
event session-activate match-first
class type control subscriber PPP do-until-failure
1 authenticate aaa list default
end-policy-map
router pim
address-family ipv4
rp-address 10.42.42.2 IPTV2
rp-address 10.66.202.2 IPTV
neighbor-filter 1
interface Loopback1
disable
interface Bundle-Ether100.10
disable
Resetting the pim process doesn't help. If all users are disconnected and everything reconnects, it starts working;
when several users connect it works, but then it stops again
RP/0/RSP0/CPU0:ASR9K-BNG#sh igmp groups
Thu Apr 24 10:42:13.125 YEKT
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
224.0.0.2 Bundle-Ether100.445 23:44:55 never 10.45.45.2
224.0.0.13 Bundle-Ether100.445 23:44:55 never 10.45.45.2
224.0.0.22 Bundle-Ether100.445 23:44:55 never 10.45.45.2
224.0.1.40 Bundle-Ether100.445 23:36:47 never 10.45.45.2
239.10.11.3 Bundle-Ether100.10.pppoe11174 00:05:26 00:01:53 10.2.3.177
239.10.11.6 Bundle-Ether100.10.pppoe11174 00:06:36 00:01:55 10.2.3.177
239.10.19.5 Bundle-Ether100.10.pppoe11174 00:06:36 00:01:55 10.2.3.177
239.255.255.250 Bundle-Ether100.10.pppoe11178 00:06:05 00:01:08 10.2.3.50
224.0.0.252 Bundle-Ether100.10.pppoe11179 00:06:02 00:01:14 10.2.3.138
238.1.2.1 Bundle-Ether100.10.pppoe11198 00:03:39 00:01:11 10.2.3.51
239.195.0.1 Bundle-Ether100.10.pppoe11199 00:03:40 00:01:32 10.2.3.47
RP/0/RSP0/CPU0:ASR9K-BNG#sh pim neighbor
Thu Apr 24 10:42:38.598 YEKT
PIM neighbors in VRF default
Flag: B - Bidir capable, P - Proxy capable, DR - Designated Router,
E - ECMP Redirect capable
* indicates the neighbor created for this router
Neighbor Address Interface Uptime Expires DR pri Flags
10.45.45.1 Bundle-Ether100.445 00:08:37 00:02:46 1
10.45.45.2* Bundle-Ether100.445 00:08:41 00:01:43 1 (DR) B P
10.254.254.254* Bundle-Ether100.10.pppoe11177 00:06:39 00:01:41 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11174 00:07:03 00:01:18 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11178 00:06:30 00:01:17 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11179 00:06:27 00:01:22 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11182 00:06:08 00:01:35 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11183 00:06:09 00:01:37 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11176 00:06:56 00:01:28 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11187 00:05:54 00:01:32 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11184 00:06:05 00:01:22 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11189 00:05:34 00:01:19 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11188 00:05:38 00:01:31 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11194 00:05:20 00:01:34 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11190 00:05:34 00:01:40 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11196 00:04:54 00:01:25 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11198 00:04:25 00:01:19 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11193 00:05:24 00:01:21 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11202 00:04:00 00:01:26 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11199 00:04:14 00:01:31 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11201 00:04:05 00:01:37 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11200 00:04:08 00:01:18 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11207 00:03:24 00:01:34 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11203 00:03:59 00:01:41 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11206 00:03:50 00:01:42 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11218 00:00:32 00:01:24 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11216 00:00:59 00:01:36 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11217 00:00:50 00:01:17 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11167 00:07:30 00:01:24 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11168 00:07:29 00:01:40 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11169 00:07:29 00:01:16 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11170 00:07:26 00:01:40 1 (DR) B P E
10.254.254.254* Bundle-Ether100.10.pppoe11171 00:07:24 00:01:16 1 (DR) B P E
RP/0/RSP0/CPU0:ASR9K-BNG#sh pppoe sum per-access-interface
Thu Apr 24 10:43:10.141 YEKT
0/RSP0/CPU0
COMPLETE: Complete PPPoE Sessions
INCOMPLETE: PPPoE sessions being brought up or torn down
Interface BBA-Group READY TOTAL COMPLETE INCOMPLETE
BE100.10 intersat Y 31 31 0
TOTAL 1 31 31 0
With what can it be connected?
Hello Vladimir
I also have the same problem with my asr 9001 in release 5.1.1
My configuration is the same as yours.
To understand the problem for troubleshooting (if someone has an idea for us), I've done some additional investigations and here are the results:
Session pppoe up (show subs ses xxx):
PPPoE:PTA BE10.164.pppoe1459 AC 192.168.192.6 (default)
PPPoE:PTA BE10.164.pppoe1469 AC 192.168.192.4 (default)
These 2 sessions are playing mcast stream 239.58.203.0:
show igmp group
239.58.203.0 Bundle-Ether10.164.pppoe1459 07:22:38 00:01:18 192.168.192.6
239.58.203.0 Bundle-Ether10.164.pppoe1469 00:00:23 00:01:54 192.168.192.4
Show mrib route
(10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
Up: 09:20:59
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:20:59
Outgoing Interface List
Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:25:40
Bundle-Ether10.164.pppoe1469 (0/0/CPU0) Flags: F NS, Up: 00:02:04
If pppoe1469 zaps to another channel (239.52.15.24), source 239.58.203.0 disappears from the "Outgoing Interface List" (normal state), but the next stream chosen (239.52.15.24) doesn't work, and we have the following output:
(10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
Up: 09:20:59
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:20:59
Outgoing Interface List
Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:25:40
(10.23.1.5,239.52.15.24) RPF nbr: 10.23.1.154 Flags:
Up: 00:07:04
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 00:07:04
Outgoing Interface List
Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:00:29
If pppoe1469 zaps again to the previous stream (239.58.203.0), I have the following output:
(10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
Up: 09:23:01
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:23:01
Outgoing Interface List
Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:27:42
Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:04:05
At this state:
* pppoe1459 is still streaming 239.58.203.0 (as I didn't touch it until...)
* and pppoe1469 does not stream 239.58.203.0
If I compare both sessions on the outgoing list, I can see a difference (0/0/CPU0, which is the ASR9001 line card, on pppoe1459 only).
So my understanding is that once the stream is "removed" from a LC for a specific access, the system cannot play it anymore for this access. The only way is to disconnect/reconnect the pppoe session again.
I've found an excellent Cisco Live presentation from Xander Thuijs about multicast on asr9k, but I didn't find an issue.
So any idea is welcome...
Jean-paul -
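The comparison described in the post above, as an added example (not the poster's or Cisco's code): a parser for the "show mrib route" output quoted there that lists outgoing-interface entries carrying no line-card location such as (0/0/CPU0). Treating a missing location on a subscriber interface as the failing state is the poster's observation, taken here as an assumption; the function names are hypothetical.

```python
import re

# Output quoted in the post above, after pppoe1469 changed channel. The page
# lost the indentation; each line is stripped before matching, so indented
# router output parses the same way.
SAMPLE = """\
(10.23.1.51,239.58.203.0) RPF nbr: 10.23.1.154 Flags:
Up: 09:20:59
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 09:20:59
Outgoing Interface List
Bundle-Ether10.164.pppoe1459 (0/0/CPU0) Flags: F NS, Up: 07:25:40
(10.23.1.5,239.52.15.24) RPF nbr: 10.23.1.154 Flags:
Up: 00:07:04
Incoming Interface List
GigabitEthernet0/0/1/2.224 Flags: A, Up: 00:07:04
Outgoing Interface List
Bundle-Ether10.164.pppoe1469 Flags: F NS, Up: 00:00:29
"""

ROUTE_RE = re.compile(r"^\((?P<src>[^,\s]+),(?P<grp>[^)\s]+)\)")
IFACE_RE = re.compile(
    r"^(?P<name>\S+)(?:\s+\((?P<loc>[^)]+)\))?"
    r"\s+Flags:\s*(?P<flags>[^,]*),\s*Up:\s*(?P<up>\S+)$"
)

def parse_mrib(text):
    """Return one dict per (S,G) route with its incoming/outgoing lists."""
    routes, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            current = {"source": m["src"], "group": m["grp"],
                       "iil": [], "oil": []}
            routes.append(current)
            section = None
        elif line == "Incoming Interface List":
            section = "iil"
        elif line == "Outgoing Interface List":
            section = "oil"
        elif current is not None and section:
            m = IFACE_RE.match(line)
            if m:
                current[section].append({
                    "name": m["name"], "location": m["loc"],
                    "flags": m["flags"].split(), "uptime": m["up"]})
    return routes

def oil_without_location(routes, marker=".pppoe"):
    """List (source, group, interface) for subscriber OIL entries that
    show no line-card location (assumed symptom, per the post)."""
    return [(r["source"], r["group"], e["name"])
            for r in routes for e in r["oil"]
            if e["location"] is None and marker in e["name"]]

if __name__ == "__main__":
    for src, grp, ifname in oil_without_location(parse_mrib(SAMPLE)):
        print(f"({src},{grp}) -> {ifname}: no line-card location in OIL")
```

Run against periodic captures of the command, this gives a list of sessions to compare with subscriber complaints before and after a channel change.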
Hi,
We are seeing our wired devices on our Packetfence controlled network being prompted for credentials each time they are plugged in/turned on/rebooted, and often the credentials are being rejected.
Radius debug logs show that Access-Accept is being sent to the device, but the device is not ever getting onto the network.
Enabling debug on my Cisco 2960 test switch I can see the error below:
%DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address
The reason I don’t think that this is a packetfence/radius issue is that we’re not having any issues with wireless clients.
I hope someone can help.
Jamie.
Thanks for the reply.
I looked at the MAC address table but it isn't full. I think that error may be a "red herring" because I have debug running on another switch and a user just had the same problem but the "%DOT1X_SWITCH-5-ERR_ADDING_ADDRESS: Unable to add address" didn't appear???
cadet alain wrote:
Hi,
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_46_se/system/message/msg_desc.html#wp532108
Regards
Alain
Don't forget to rate helpful posts. -
%MGBL-exec-3-ACCT_ERR
Hi, does anybody know about "%MGBL-exec-3-ACCT_ERR"? My client came across this error a few days ago. The error was followed by "main: command accounting failed - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request' ". Going through the logs, I found out that a few users tried to SSH to the ASR device but authentication failed.
"%SECURITY-SSHD-4-INFO_FAILURE "
"Failed authentication attempt by user 'lablablab' from '1.18.3.41' on 'vty0' "
I just want to know about this error and the reasons that result in these logs being generated.
Cheers
Bruce
It is a fresh installation and the device is not connected to any network yet.
I am facing the below problem on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up
RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:hostname(config-if)#commit
Thu Jan 15 12:48:50.521 IST
RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
it is not allowing even to commit any change
and I am unable to find any online solutions for this.
please help
following packages are active right now
disk0:asr9k-doc-px-4.3.4
disk0:asr9k-fpd-px-4.3.4
disk0:asr9k-k9sec-px-4.3.4
disk0:asr9k-mcast-px-4.3.4
disk0:asr9k-mgbl-px-4.3.4
disk0:asr9k-bng-px-4.3.4
disk0:asr9k-mini-px-4.3.4
disk0:asr9k-mpls-px-4.3.4
PS: please tell what more output are needed so that this problem can be solved. -
CSCtg09895 - %MGBL-exec-3-ACCT_ERR main: command accounting failed
Dear fellows,
I am facing the below problem on one ASR 9010 router while configuring. I am unable to configure anything; after entering any command this error shows up
RP/0/RSP0/CPU0:hostname(config)#interface TenGigE0/1/0/0
RP/0/RSP0/CPU0:Jan 15 12:48:41.186 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:(config-if)# description # TO-Remote_site
RP/0/RSP0/CPU0:hostname(config-if)#RP/0/RSP0/CPU0:Jan 15 12:48:41.263 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
RP/0/RSP0/CPU0:hostname(config-if)#commit
Thu Jan 15 12:48:50.521 IST
RP/0/RSP0/CPU0:Jan 15 12:48:50.521 IST: config[65887]: %MGBL-CONFIGCLI-3-AAA_ERR : Failed to execute a AAA operation - Command accounting failed - - 'LOCALD' detected the 'fatal' condition 'No available method was able to process the request'
it is not allowing even to commit any change
and unable to find any online solutions for this.
please help
following packages are active right now
disk0:asr9k-doc-px-4.3.4
disk0:asr9k-fpd-px-4.3.4
disk0:asr9k-k9sec-px-4.3.4
disk0:asr9k-mcast-px-4.3.4
disk0:asr9k-mgbl-px-4.3.4
disk0:asr9k-bng-px-4.3.4
disk0:asr9k-mini-px-4.3.4
disk0:asr9k-mpls-px-4.3.4
Border radius & flash video player issue
Border radius & flash issue - PFA screenshot
http://72.29.76.194/~designs/firefox-flash-border-radius/border-radius-flash-firefox.png
When I overlay a div with a border radius over a flash object, the corners are being cut as much as the size of border box.
Firefox 23.0.1
Screenshot of the issue: https://support.mozilla.org/en-US/questions/971344