Assigned by AAA client pool problem

folks
i think i'm getting closer to resolving my problem with acs and dhcp
i have an acs se (4.1) authenticating dialin users on a management network
i'm getting duplicate ip addresses being issued by the acs so i want to use a router to allocate dhcp addresses to up to 8 scopes - one per user on the acs
i've added the router as an aaa client on the acs with cisco ios radius and in the user settings i selected Assigned by AAA client pool and selected the pool name used on the router
once the user tries they get authenticated but i don't see any dhcp requests to the router
the acs se has 4 other aaa clients
has anyone had an issue or successfully configured this before?
thanks to anyone taking the time to read this or to post a reply
greatly appreciated

With ACS v4 you could do this....
Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
Probably only works when users are external as you need group mapping to make it work.
A bit kludgy.. but should work.
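Before suspecting the router's pool configuration, it is worth confirming what the ACS actually put in the Access-Accept. The Python below is an added example (not from this thread, not Cisco code): it decodes a RADIUS Access-Accept, verifies the Response Authenticator against the shared secret before trusting any attribute, and extracts the pool name. It assumes that "Assigned by AAA client pool" is conveyed as a Cisco AV-pair of the form ip:addr-pool=<pool name> (Vendor-Specific attribute 26, vendor 9, sub-type 1); the packet, secret and pool name are constructed test data.

```python
"""Decode a RADIUS Access-Accept and pull out the Cisco AV-pair naming the
address pool the NAS should allocate from.

Added example; not code from the original thread. Assumptions (labelled):
  * the server signals the pool as cisco-avpair "ip:addr-pool=<name>"
    inside Vendor-Specific (26) / vendor 9 / sub-type 1;
  * SAMPLE_* values are constructed test data, not captured traffic.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1


def parse_attributes(data: bytes) -> list:
    """Split a RADIUS attribute region into (type, value) tuples.
    Malformed lengths raise instead of being silently truncated."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {i}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def cisco_avpairs(attrs) -> list:
    """Return every cisco-avpair string carried in Vendor-Specific attributes."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        # vendor data is itself a TLV list: sub-type, sub-length, string
        for subtype, subvalue in parse_attributes(value[4:]):
            if subtype == CISCO_AVPAIR:
                pairs.append(subvalue.decode("ascii", errors="replace"))
    return pairs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def addr_pool_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Return the pool name the server asked the NAS to use, or None.
    Raises if the reply is malformed or fails authentication."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or altered reply")
    for pair in cisco_avpairs(parse_attributes(packet[20:])):
        key, _, val = pair.partition("=")
        if key.strip() == "ip:addr-pool":
            return val.strip()
    return None


def build_accept(ident: int, request_auth: bytes, secret: bytes, avpairs) -> bytes:
    """Construct an Access-Accept carrying one Cisco VSA per AV-pair (test data)."""
    attrs = b""
    for pair in avpairs:
        s = pair.encode("ascii")
        sub = bytes([CISCO_AVPAIR, 2 + len(s)]) + s
        vsa = struct.pack("!I", VENDOR_CISCO) + sub
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


# Constructed sample values (not a real secret or capture).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_accept(7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                             ["ip:addr-pool=mgmt-pool", "shell:priv-lvl=1"])

if __name__ == "__main__":
    print(addr_pool_from_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

The raw reply bytes shown by `debug radius` on the router can be fed in with `bytes.fromhex(...)`. If no ip:addr-pool pair arrives, the user or group setting on the ACS is where to look; if it does arrive, the router's local pool of that name is what is not being consulted.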

Similar Messages

  • Can we assign IPv4 IP address pool to IPv6 VPN Client

    We are planning to enable IPv6 SSL VPN clients, Let me explain the current setup
    We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.
    LAN Server are in IPv4 only..
    Requirement :
    Client (IPv6) --- Cloud (IPv6) ---- Outsite(IPv6) -Cisco ASA - Inside(IPv4) ----- ACS (IPv4) & RSA (IPv4)
    Client with IPv6 internet connectivity connect to SSL VPN with IPv6, Cisco ASA outside interface with IPv6 address will receive the request.
    Qus:
    1. Will Cisco ASA check two factor authentication with ACS and RSA both are in IPv4 address for an IPv6 client ?
    2. Once if authenticated, Cisco ASA can assign IPv4/IPv6 address pool to the client, if i prefer only IPv4 address pool and client will get IPv4 address as tunnel interface IP address. Will it work? Means IPv4 over IPv6 SSL VPN tunnel.
    Thanks
    Sankar

    AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
    Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

  • AAA Server IP Pool based on AAA Client

    Hi,
    I have a scenario where I need to be able to allocate an IP address to a user group from a pool on the AAA server based on the AAA client that the user authenticates against.
    So for example if the user comes in on CPE1 they get assigned an address from Pool A, if they come in on CPE2 they get an address assigned from Pool B.
    Any pointers on how to do this (if possible) would be greatly appreciated.
    Thanks in advance
    Andy

    With ACS v4 you could do this....
    Define your pools and add your devices to their own NDGs. Then define a NAP which is triggered off each NDG. Each NAP can use its own group mapping scheme, with each target group using a different IP pool.
    Probably only works when users are external as you need group mapping to make it work.
    A bit kludgy.. but should work.

  • Oracle.DataAccess 2.112.1.0 - Connection Pool Problem

    Hi,
    Oracle.DataAccess 2.112.1.0 is having a connection pool problem. The number of TCP connections to the Oracle database keeps increasing until the server's sessions run out of limit. My application creates connections, uses them, closes them, and disposes of them properly. When using the previous Oracle.DataAccess 2.111.6.20, the number of TCP connections does not increase.
    My database connection string has "Min Pool Size = 3 and Max Pool Size = 150".
    With the 2.111.6.20 version, the TCP connection count stays at 3.
    With 2.112.1.0, the TCP connection count keeps increasing every 5 minutes. I've tried to disable Self Tuning, but still can't prevent the connections from increasing.
    Later today, I downloaded Oracle.DataAccess 2.112.1.2 (it comes with ODAC 11.2.0.1.2) and test again, the problem is resolved... no more connection increases... but.... it is only for 32 bit Windows.
    Unfortunately, there is no Oracle.DataAccess 2.112.1.2 for 64 bit Windows Server 2008.
    May I know how can i resolve this problem on 64bit Window installed with Oracle 11g R2 client, which comes with Oracle.DataAccess 2.112.1.0, which has serious problems...(according to this 11.2 ODP.NET causing test runner failures )
    Many thanks for your time and answers!
    Edited by: user1502907 on 04-Sep-2010 23:01

    Hi,
    The only thing that jumps out in your problem description is that connections are being increased every 5 minutes. Are you sure it's every 5 minutes and not 3 minutes, which is the timing interval used by the Connection Pool facility to perform connection pool maintenance? If this occurs even when the application is idle then you could be running into the following known issue filed against 11.2.0.1.0 and fixed in 11.2.0.1.2.
    Bug 9711600 - CONNECTIONS INCREASE BEYOND MAX POOL SIZE EVERY 3 MINUTE
    This is specific to using the option CommandBehavior.CloseConnection when calling execute reader. Are you using this option and then also closing the connection in code before the datareader object is closed, if so you may be hitting this bug. You can also generate an ODP trace at level 15 of the behavior and if you see negative pool counts, that is also a diagnostic that points to this bug.
    This is fixed in 11.2.0.1.0 Patch 3 or later for x64. If you have support, I recommend you open a service request to verify if this is your issue and if a patch set may help you.
    Regards
    Jenny B.

  • ISE Could not locate Network Device or AAA Client

    When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined ip address. Could this be causing the problem?
    Here is the config of the port that I'm testing on:
    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-ALLOW in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
    I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication dot1x defualt group radius
    aaa authentication dot1x group group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    ip radius source-interface TenGigabitEthernet1/0/1
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
     authentication order dot1x mab
     authentication priority dot1x mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
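The switch output above carries a few details that decide whether the RADIUS server can match the NAD at all, and they are easy to miss in a long running-config. The Python below is an added example (not the poster's code or a Cisco tool) that lints the AAA/RADIUS lines and reports them. It assumes two things, both labelled in the code: that `ip radius source-interface` fixes the source address of every RADIUS packet the switch sends, so that is the address the server's network-device entry must carry, and that a method list named anything other than `default` only takes effect where a port references it explicitly, so a near-duplicate such as `defualt` is most likely a typo that created an unused list. SAMPLE_CONFIG is the switch output quoted in the post.

```python
"""Lint the AAA/RADIUS portion of an IOS running-config.

Added example for the thread above; not the poster's code and not a Cisco tool.
Assumptions (labelled):
  * `ip radius source-interface` sets the source address of all RADIUS
    packets, so the server must know the NAD by that interface's address;
  * method lists other than `default` apply only where a port references
    them, so a misspelt list such as `defualt` is an unused list.
SAMPLE_CONFIG is the switch output quoted in the post.
"""
import difflib
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authentication dot1x defualt group radius
aaa authentication dot1x group group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa server radius dynamic-author
aaa session-id common
ip radius source-interface TenGigabitEthernet1/0/1
radius-server attribute 6 on-for-login-auth
radius-server dead-criteria time 5 tries 3
radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
radius-server vsa send authentication
dot1x system-auth-control
"""

RE_AUTH_LIST = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
RE_SRC_IF = re.compile(r"^ip radius source-interface (\S+)$")
RE_HOST = re.compile(r"^radius-server host (\S+)(.*)$")
RE_KEY = re.compile(r"\bkey (?:(\d) )?(\S+)")   # "key 7 <hash>" or "key <clear>"

NO_SOURCE_IF = "no ip radius source-interface: the source address depends on the routing table and may vary"


def looks_like_typo_of(name: str, target: str = "default") -> bool:
    """True when `name` is a near-miss spelling of `target` (e.g. defualt)."""
    return name != target and difflib.SequenceMatcher(None, name, target).ratio() >= 0.8


def lint_aaa(config: str) -> dict:
    """Collect method lists, RADIUS servers and the source interface, plus findings."""
    method_lists = {}   # (service, list name) -> method string
    servers = []
    source_if = None
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if (m := RE_AUTH_LIST.match(line)):
            service, name, methods = m.groups()
            method_lists[(service, name)] = methods
        elif (m := RE_SRC_IF.match(line)):
            source_if = m.group(1)
        elif (m := RE_HOST.match(line)):
            host, rest = m.groups()
            servers.append(host)
            key = RE_KEY.search(rest)
            if key is None:
                findings.append(f"{host}: no per-server key, relies on a global radius-server key")
            elif key.group(1) == "7":
                findings.append(f"{host}: key stored as type 7, reversible obfuscation rather than encryption")
            elif key.group(1) in (None, "0"):
                findings.append(f"{host}: key stored in clear text in the running-config")
    for (service, name) in method_lists:
        if name == "default":
            continue
        if looks_like_typo_of(name):
            findings.append(f"aaa authentication {service} {name}: looks like a typo of 'default' and creates an unused list")
        else:
            findings.append(f"aaa authentication {service} {name}: named list only applies where a port references it explicitly")
    if source_if:
        findings.append(f"RADIUS is sourced from {source_if}: the NAD entry on the server must carry this interface's address")
    else:
        findings.append(NO_SOURCE_IF)
    return {"method_lists": method_lists, "servers": servers,
            "source_interface": source_if, "findings": findings}


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

On the quoted config the lint reports the type 7 key, the `defualt` and `group` lists, and that RADIUS is sourced from TenGigabitEthernet1/0/1. Whether that interface's address is the one entered for the NAD in ISE is the comparison worth making before anything else.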

  • ACS 4.2.1: adding new AAA clients through odbc import

    Hello,
    we have added the user defined vendor RADIUS_HUAWEI to our Cisco ACS 4.2.1 Windows Server.
    Unfortunately there is a problem with importing network devices through odbc connection using the accountactions table with the action code 220.
    The documentation tells us :
    220
    ADD_NAS
    VN, V1, V2, V3
    Adds a new AAA client (named in VN) with an IP address (V1), shared secret key  (V2), and vendor (V3). Valid vendors are:
    •VENDOR_ID_IETF_RADIUS—For IETF RADIUS.
    •VENDOR_ID_CISCO_RADIUS—For Cisco IOS/PIX RADIUS.
    •VENDOR_ID_CISCO_TACACS—For Cisco TACACS+.
    •VENDOR_ID_AIRESPACE_RADIUS—For Cisco Airespace RADIUS.
    •VENDOR_ID_ASCEND_RADIUS—For Ascend RADIUS.
    •VENDOR_ID_ALTIGA_RADIUS—For Cisco 3000/ASA/PIX 7.x+ RADIUS.
    •VENDOR_ID_AIRONET_RADIUS—For Cisco Aironet RADIUS.
    •VENDOR_ID_NORTEL_RADIUS—For Nortel RADIUS.
    •VENDOR_ID_JUNIPER_RADIUS—For Juniper RADIUS.
    •VENDOR_ID_CBBMS_RADIUS—For Cisco BBMS RADIUS.
    •VENDOR_ID_3COM_RADIUS—For Cisco 3COMUSR RADIUS.
    The new user defined vendor is:
    C:\Program Files\CiscoSecure ACS v4.2\bin>CSUtil.exe -listUDV
    CSUtil v4.2(1.15), Copyright 1997-2009, Cisco Systems Inc
    UDV 0 - RADIUS (RADIUS_HUAWEI)
    Our action code and variables look like:
    A=220
    VN="xxx"
    V1="10.10.10.10"
    V2="blabla"
    V3="VENDOR_ID_RADIUS_HUAWEI"
    Error Code is as following:
    06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown   [A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla"  V3="VENDOR_ID_RADIUS_HUAWEI"]
    Does anybody know the correct name for the V3 variable to import the network device in a correct way?
    Best regards
    Torsten Waibel

    Hello,
    we have a new acs appliance (1113) with version 4.2.1.15 and we want to authenticate users through ssh from routers with ios xr software.
    unfortunately this doesn't work. Here is our configuration of the router:
    ##################################################
    line template VTY
    access-class ingress abcd
    !
    tacacs-server host x.x.x.x port 49 single-connection
    tacacs-server key 7 test
    !
    tacacs source-interface Loopback13
    !
    ssh server v2
    ssh timeout 60
    ! AAA config
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting commands default start-stop group tacacs+
    aaa authorization exec default group tacacs+ none
    aaa authorization commands default group tacacs+ none
    aaa authentication login default group tacacs+ local
    ##################################################
    does anybody have a solution for this problem?
    thnx and best regards
    Torsten Waibel

    Hi Torsten Waibel,
    For ssh to be supported you should have a cryptography ios image in the router, and check for the following command under the line vty configuration: transport input ssh.
    If helpful do rate the post
    Ganesh.H

  • Denying AAA Clients to a specific user group in ACS v4.1

    Using 4.1 is there a "simple" method of simply denying a usergroup the ability to even login to specific AAA clients? Customer has a telephony group that they want to allow them to telnet and check into all the voice routers, but no other routers, they have the command sets and all that setup but wanted to see if a way to push that group simply to voice routers only ??
    thanks in advance,
    dave

    Hi,
    Why don't you use NAR (Network access restriction)
    Under the network config > simply create one NDG and assign all the voice router under it.
    After that go to the group/user where you want to put this restriction
    You need to check that what are we getting in calling station id. If we are getting ip address then
    [1] To accomplish above we would configure the group with following
    NAR (network access restriction)
    Define IP based Network Access Restriction
    Permitted Calling Point
    AAA client: VOICE NDG created
    Port *
    Src IP Address *
    Submit the changes and try.
    Here is more on configuring Network Access Restriction:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478900
    HTH
    JK
    Plz rate helpful posts-

  • Authentication in the chain DUN-AAA client-ACS-NMAS-NDS

    Dears,
    I have installed the Novell client on Windows XP.
    I will log in with my user and my password in NDS via the chain Cisco AAA client (router Cisco 2503) - ACS server - NMAS.
    For this, in the login mask of the Novell client, I select Dialup --> login using dial-up networking --> the profile of my DUN containing the properties of my modem connection --> no location (direct connect).
    When I press OK, it asks me for the details of the connection:
    - my username
    - my password
    - my domain
    - my phone number
    I select connect to initiate the connection. I leave the parameter "my domain" empty.
    I see that the Novell client is using DUN to dial in to the corresponding modem.
    I receive the call on my ACS AAA client (router Cisco 2503) and this AAA client is sending the packets to the ACS server for authentication.
    Then, the ACS server receives these packets and resends them to NMAS (token RADIUS server external database). Normally NMAS has to authenticate the user and password inside the NDS.
    But I receive an error message indicating that the username and password are invalid on the domain (error code 619).
    I don't understand this error message because there is no domain notion in Novell. I can understand that Microsoft needs a domain to authenticate the user and password. Because the Novell client dial-up is based on DUN and DUN is Microsoft-based, we need a domain for authenticating the username and password.
    Does it mean that I need an Active Directory for authenticating username and password in the domain?
    Does it mean that I have to integrate the AD with NDS?
    Can I use the local AD/SAM of my PC to authenticate the username and the password in the domain?
    If yes, how can I configure the NDS for this?
    Could you help me as soon as possible?
    Yours sincerely,
    Olivier MONTEE.

    Olivier,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

    issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  • Problem Syncing Outlook....says outlook sync client encountered problem

    I have been syncing my Outlook calendar and contacts from my PC to my iPhone with no problems. I have version 1.1.2 on my iPhone and 7.5 or whatever the latest is of the iTunes software. The syncs were fine until recently and now I can't sync and get an error message that says "outlook sync client encountered problem". What could possibly have happened? I read some posts that say to go back to iTunes 7.3 etc. This has to be a common problem; any suggestions?

    Here is an article from the apple support website that might help out.
    http://docs.info.apple.com/article.html?artnum=305845

  • How to stop ACS intergated AD users to login in AAA clients(network device)

    I have ACS 4.2 Appliance which is integrated with Active directory.
    AD users are able to log in to network devices. Is there any way that I can stop AD users and other local users from logging in to AAA clients (network devices)?

    These types of configurations are a two-way street. ACS must be configured to actually perform the authentication/authorization, and the AAA clients must also be configured for authentication/authorization. I would look at the AAA client configurations, first.
    What kind of AAA clients are we talking about? Cisco switches, Cisco WLCs? Switching gear from other companies?
    For Cisco switches, lines like the following will tell them to use your ACS server for administrative user auth (RADIUS or TACACS+, respectively):
    aaa group server radius rad_admin
    server xxx.xxx.xxx.xxx
    aaa group server tacacs+ tac_admin
    server xxx.xxx.xxx.xxx
    If your AAA client is a WLC, then you need to uncheck the "Management" box where the RADIUS server is defined for authentication (Security -> AAA -> RADIUS -> Auth).

  • Add AAA Client Errors,Shared Secret value must not be blank.

    hello,
    When i add the AAA client to the ACS 4.2 90 evaluation software installed on win2003 std OS with SP 1, it gives the below error after entering the shared secret value and submitting it.
    "Shared Secret value must not be blank"
    what could be the cause?
    Thks
    swami

    This could be related to the browser; it sounds like the ACS might not be receiving the Shared Secret from your input.
    The ACS 4.2 does not allow an AAA client to be added without a shared secret key.
    CSCsr68278 ACS 4.2 does not allow a blank TACACS+ key
    Make sure that the ACS IP Address is added into your Trusted Sites (IE). You could also try updating to the latest version of Java.
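Two of the threads above fail on the same kind of input problem: the ODBC import rejected an accountactions row with action code 220 because the V3 vendor value was unknown, and the GUI refused an AAA client because the shared secret arrived blank. The Python below is an added pre-flight check (not from either thread, not a Cisco tool) that validates an ADD_NAS row before it is handed to the import, and parses the ACS error line quoted above so a failed row can be re-checked. The vendor constants are exactly those the quoted documentation lists; the blank-secret rule comes from the second thread. How a user-defined vendor must be named in V3 is not answered on this page, so an unknown vendor is reported, not guessed.

```python
"""Pre-flight check for ACS 4.2 accountactions rows with action code 220
(ADD_NAS), and a parser for the import error line the ACS writes.

Added example; not code from either thread and not a Cisco tool.
  * DOCUMENTED_VENDORS is the list quoted from the ACS documentation above.
  * The blank-secret rule is the behaviour stated in the shared-secret thread.
  * The correct V3 name for a user-defined vendor is not known from the page;
    anything outside the documented set is flagged for confirmation.
"""
import ipaddress
import re

ACTION_ADD_NAS = 220
DOCUMENTED_VENDORS = {
    "VENDOR_ID_IETF_RADIUS", "VENDOR_ID_CISCO_RADIUS", "VENDOR_ID_CISCO_TACACS",
    "VENDOR_ID_AIRESPACE_RADIUS", "VENDOR_ID_ASCEND_RADIUS", "VENDOR_ID_ALTIGA_RADIUS",
    "VENDOR_ID_AIRONET_RADIUS", "VENDOR_ID_NORTEL_RADIUS", "VENDOR_ID_JUNIPER_RADIUS",
    "VENDOR_ID_CBBMS_RADIUS", "VENDOR_ID_3COM_RADIUS",
}
BLANK_SECRET = "V2: shared secret must not be blank (ACS rejects it)"


def validate_add_nas(row: dict) -> list:
    """Return the problems found in one accountactions row; empty list means OK."""
    problems = []
    if row.get("A") != ACTION_ADD_NAS:
        problems.append(f"A={row.get('A')!r}: not ADD_NAS (220)")
    if not row.get("VN", "").strip():
        problems.append("VN: AAA client name is blank")
    try:
        ipaddress.ip_address(row.get("V1", ""))
    except ValueError:
        problems.append(f"V1={row.get('V1')!r}: not a valid IP address")
    if not row.get("V2", "").strip():
        problems.append(BLANK_SECRET)
    v3 = row.get("V3", "")
    if v3 not in DOCUMENTED_VENDORS:
        problems.append(f"V3={v3!r}: not a documented vendor constant; confirm the name ACS "
                        "expects for this (user-defined) vendor before importing")
    return problems


# Error line layout as quoted in the thread: date,time,host,level,message [A=220 VN="..." ...]
LOG_RE = re.compile(r'^(?P<date>[^,]+),(?P<time>[^,]+),(?P<host>[^,]+),(?P<level>[^,]+),'
                    r'(?P<msg>.*?)\s*\[(?P<fields>.*)\]\s*$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_import_error(line: str) -> dict:
    """Recover the failing row from an ACS import error line so it can be re-validated."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    fields = dict(FIELD_RE.findall(m.group("fields")))
    a = re.search(r"\bA=(\d+)", m.group("fields"))      # A= is unquoted in the log
    row = {"A": int(a.group(1)) if a else None}
    row.update({k: v for k, v in fields.items() if k in ("VN", "V1", "V2", "V3")})
    return {"level": m.group("level"), "message": m.group("msg"), "row": row}


# The error line quoted in the ODBC import thread.
SAMPLE_ERROR_LINE = ('06/22/2010,10:21:12,W03P-3413,ERROR,Parse Error: Reason - Host vendor is unknown   '
                     '[A=220 UN="" GN="" AI="" VN="xxx" V1="10.10.10.10" V2="blabla"  '
                     'V3="VENDOR_ID_RADIUS_HUAWEI"]')

if __name__ == "__main__":
    info = parse_import_error(SAMPLE_ERROR_LINE)
    print(info["message"])
    for problem in validate_add_nas(info["row"]):
        print("-", problem)
```

Run against the quoted error line, the only finding is the V3 value, which matches the ACS's own "Host vendor is unknown"; a row with an empty V2 is stopped before the import for the reason the shared-secret thread gives.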

  • Client pool of connections to R/3

    Hi,
    I'm using this function to create a client pool:
    JCO.addClientPool(C_CLIENTPOOL_NAME,
    C_CLIENTPOOL_MAX_CONNECTIONS, C_ABAP_CLIENT, C_ABAP_USER,
    C_ABAP_PWD, C_ABAP_LANG, C_ABAP_HOST, C_ABAP_SYSTEMNR);
    Is there a way to avoid this pool being created by code in my application?
    Is there some tool to define client pools as you can define JCo connections in the J2EE Content Administrator?
    Or is it considered safe practice to have a plaintext password in the source code of an application?
    Thanks,
    Jeroen

    Hi
    You can use the property file to access the username and password.
    See these samples and help for webdynpro
    https://www.sdn.sap.com/irj/sdn/downloaditem?rid=/library/uuid/f0b0e990-0201-0010-cc96-d7ecd2e51715
    Kind Regards
    Mukesh

  • JCO Client Pool

    Hi All,
            I have a situation where I'm supposed to initialize JCO Client pool at server startup(Weblogic 8.1). Could someone please let me know how to achieve this.
           Any pointers to documentation or sample startup servlet code would also be of great help!
    Regards,
    Chaitanya

    Abhilash,
    Thank you very much for the prompt response.
    "The better approach is write your own class where all JCO related logic is maintained. And use that class to initialize the pool in servlet and to get connection and release connection."
    I couldn't get the gist of this, are we trying to invoke a startup servlet from an external class? My idea is to do as follows:
    1. Create a servlet that is initialized on server startup.
    2. In the init method initialize JCO client pool.
    3. Write a backend class something like <MyApp>BackendR3 and have a getConnection() inside.
        My question was, could I directly use JCo.getClient method in the backend class?
    4. If yes, am I supposed to add a JCo jar during weblogic startup explicitly or could it simply reside in web-inf/lib
    Thanks again,
    Chaitanya
    Message was edited by:
            chaitanya hazari

  • Client deletion Problem - Urgent..

    Hi Experts,
    There is an existing DEV-QA-PRD environment. There is a need to have a complete Configuration copy of PRD in DEV2 system, which will be used to build another Production Stream (DEV2, QA2, PRD2) for another project.
    When we are deleting the client, we are facing the problems below:
    1) Production equivalent client (4 TB of data) is taking too much time while deleting tables (step 4 in the diagram below).
    2) Of the total 34,882 tables, 34,855 tables took almost 7-8 days to delete.
    3) Last 30-35 tables are taking a lot of time to delete, these are probably the largest tables in the system
    4) Tables EDIDS and CDCLS are currently being deleted for the last 3-4 days
    5) Adding more processes to the Dev2 system is not helping either.
    6) At the current rate, these tables will take another 1.5-2 weeks, which seems to be a long time
    7) Some more tables which took more time were SWWLOGHIST, IDOCREL, SRRELROLES
    Other information:
    1) Operating System used  for the ECC 5.0 is: Tru64 / HP, Oracle 9i DB (List of Service packs and Patches are attached)
    2) Production system has data worth approx. 4TB
    3) No Data Archiving has been done since the inception of the system
    I need your suggestions and comments on this --- it's urgent
    Points will be rewarded for suitable answers
    Regards
    Prabhu

    Hi Prabhakar
    Any other comments Plz...
    Ok, you wanted it )) here is mine
    so far:
    - you copied your huge database (where you don't delete / archive old data) to the new server
    - you are now deleting row by row all that data
    - you will end up having a still huge but empty database, because the tables / tablespaces won't shrink after the client deletion
    This does not make any sense to me, am i missing something :(((
    Are there other clients in the prod system, which you keep?
    @ Markus: i don't think they have 100+ gb memory to cache their huge tables in the sga
    I guess the client deletion has something like a MAX ROWS COMMIT limit to prevent undo overflow. If this number is for example 100'000 rows, then you have to execute 100 delete statements (-> 100 full scans) on a 10mio row table. This of course is taking ages. Even worse it gets slower and slower, because the first delete up to 100'000 rows gets the first blocks, the second scans the same blocks, but they are empty now, so it has to scan further, and so on...
    Best regards
    Michael
    Update: i recall there was a sap note somewhere, i just checked, here it is:
    365304 - CC-ADMIN: Reports for deleting tables
    Edited by: mho on Jan 8, 2008 2:40 PM
