Cisco 1113 4.2 maximum RADIUS registers

Hello
My customer has two Cisco ACS 1113 appliances, version ACS-4.2.1.15.10-Fix. They want to know the maximum number of devices that can be registered on RADIUS.
Do you know any document of official Cisco page where such info can be found?
Thanks in advance.

To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a  device is to use SSH.
Rgds, Jatin
Do rate helpful post~

Similar Messages

  • Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory

    Hello,
    Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory?  I'm not having success in setting this up and would like to see what a successful authentication debug looks.  Below is my current situation:
    Oct  6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:23: TPLUS: processing authentication start request id 444
    Oct  6 13:52:23: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:23: TPLUS: Using server 110.34.5.143
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
    Oct  6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:23: T+: user: 
    Oct  6 13:52:23: T+: port:  tty515
    Oct  6 13:52:23: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    Oct  6 13:52:23: T+: msg:  Username:
    Oct  6 13:52:23: T+: data: 
    Oct  6 13:52:23: T+: End Packet
    Oct  6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:23: TPLUS: Received authen response status GET_USER (7)
    Oct  6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:30: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:30: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
    Oct  6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:30: T+: User msg: <elided>
    Oct  6 13:52:30: T+: User data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
    Oct  6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
    Oct  6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
    Oct  6 13:52:30: T+: msg:  Password:
    Oct  6 13:52:30: T+: data: 
    Oct  6 13:52:30: T+: End Packet
    Oct  6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
    Oct  6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:37: TPLUS: processing authentication continue request id 444
    Oct  6 13:52:37: TPLUS: Authentication continue packet generated for 444
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
    Oct  6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
    Oct  6 13:52:37: T+: User msg: <elided>
    Oct  6 13:52:37: T+: User data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
    Oct  6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
    Oct  6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
    Oct  6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
    Oct  6 13:52:37: T+: msg:  Error during authentication
    Oct  6 13:52:37: T+: data: 
    Oct  6 13:52:37: T+: End Packet
    Oct  6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:37: TPLUS: Received Authen status error
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
    Oct  6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
    Oct  6 13:52:37: TPLUS: Choosing next server 101.34.5.143
    Oct  6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
    Oct  6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
    Oct  6 13:52:49: TPLUS: processing authentication start request id 444
    Oct  6 13:52:49: TPLUS: Authentication start packet created for 444()
    Oct  6 13:52:49: TPLUS: Using server 172.24.5.143
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
    Oct  6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
    Oct  6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
    Oct  6 13:52:49: T+: user: 
    Oct  6 13:52:49: T+: port:  tty515
    Oct  6 13:52:49: T+: rem_addr:  10.10.10.10
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
    Oct  6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
    Oct  6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    Oct  6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
    Oct  6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
    Oct  6 13:52:49: T+: msg:   0x0A User Access Verification 0x0A  0x0A Username:
    Oct  6 13:52:49: T+: data: 
    Oct  6 13:52:49: T+: End Packet
    Oct  6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
    Oct  6 13:52:49: TPLUS: Received authen response status GET_USER (7)
    The 1113 acs failed reports shows:
    External DB is not operational
    thanks,
    james

    Hi James,
    We get External DB is not operational. Could you confirm if under External Databases > Unknown User           Policy, and verify you have the AD/ Windows database at the top?
    this error means the external server might not correctly configured on ACS external database section.
    Another point is to make sure we have remote agent installed on supported windows server.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
    Also provide the Auth logs from the server running remote agent, e.g.:-
    AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
    Attempting Windows authentication for user v-michal
    AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
    authentication FAILED (error 1783L)
    thanks,
    Vinay

  • Cisco wlc and steel belted radius

    we have cisco wlc controller  that have  two ssid  one for user and one for guest
    we need the  user in ssid 1 take user name and password from  user group in active directory through steel belted radiu
    please send to me any integrated guide between cisco wlc and steel belted radius
    regards

    Hi                                                      Mohammad,
    I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
    Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
    You may wish to contact your RADIUS vendor for additional configuration steps on the server.
    Best,
    Drew

  • Reimage cisco 1113 ACS - NIC driver

    HI,
    I tried to re-image a cisco 1113 ACS appliance into windows 2003 and was successful. I suppose to use this for my staging/LAB.My only problem is the NIC cards shows unknown since no appropraite driver was found. Googled for a few days but ends up nothing. Does anybody knows the exact driver? Appreciate anybody's reply.
    Thanks.

    Just for everybody's info.
    I manage to download the NIC driver. It is a Generic Broadcom NetXtreme Gigabit Ethernet.
    Now it is working fine.

  • Cisco 1602i + Authenticating users via RADIUS?

                   Hello,
    Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
    aaa new-model
    aaa group server radius rad_eap
    server 10.200.5.24
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -5 0
    ip cef
    ip domain name gst
    dot11 syslog
    dot11 vlan-name guest vlan 255
    dot11 vlan-name user vlan 140
    dot11 ssid phoenix_2
       vlan 140
       band-select
       authentication open eap eap_methods
       mbssid guest-mode
    dot11 ssid walker_2
       vlan 255
       band-select
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       wpa-psk ascii 7 0353035E535879191B
    interface BVI1
    ip address 10.200.5.70 255.255.255.0
    ip default-gateway 10.200.5.1
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip route 0.0.0.0 0.0.0.0 10.200.140.1
    ip route 0.0.0.0 0.0.0.0 10.200.5.1
    ip radius source-interface BVI1
    access-list 111 permit tcp any any neq telnet
    snmp-server community G!0bal RO
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
    radius-server vsa send accounting
    The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

    Thanks Rasika, your link worked.  I had the authentication key before, but i removed it while I was trying different things.  My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
    I haven't tried the "erase startup-config" command yet, I will try that next. 
    Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

  • Cisco ISE IPEP and Non Radius Authenticator

    Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
    Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
    I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
    Anyone have any exmaples or traffic flows if this is possible?
    Thanks,
    Michael Wynston

    Got my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
    Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
    Guess not
    Sent from Cisco Technical Support iPhone App

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
    TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

  • Cisco router T1 gw voip Radius Radiator

    All
    I got a cisco router and want to output the radiator,
    however I found that the /cgi-bin/radacct.cgi , each call record had generate 4 records...
    What is the best method for me to take the one.
    00000572 27 Sep 2004 16:39:21 0:00:00 3101 3200 156 80
    00000572 27 Sep 2004 16:39:26 0:00:00 3101 3200 156 80
    00000572 27 Sep 2004 16:39:31 0:00:00 3101 3200 156 80
    00000576 27 Sep 2004 16:39:32 0:00:00 3111 3141 157 80
    00000572 27 Sep 2004 16:39:36 0:00:00 3101 3200 156 80
    00000576 27 Sep 2004 16:39:37 0:00:00 3111 3141 157 80
    00000576 27 Sep 2004 16:39:42 0:00:00 3111 3141 157 80
    00000576 27 Sep 2004 16:39:47 0:00:00 3111 3141 157 80

    Thanks for the link Calvin.
    I actually got it to work by just old fashion trial and error.  Turned out to be two things:
    Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">Authentication Methods....  CHAP had to be enabled.
    Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">conditions.....   delete the friendly name I read I needed to create.  This "various RADIUS Clients was not so important to us" (will make sense if you follow link)
    I mainly used this link for anyone interested:
    http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html

  • 5508 WLC version 7.6 maximum RADIUS Servers

    Hi All,
    Is there a maximum limit for RADIUS Servers that we can configure for Authentication under Security TAB in WLC 5508/8500 with version 7.6?
    We have 6 RADIUS Servers that needs to be configured for WLAN Client Authentication. 
    Thanks,
    CJ

    IIRC the limit is 16 servers on the WLC.  but you can only call up to three under the WLAN itself.
    If you need to be able to failover to anything beyond 3, than check the network user box in the AAA server configuration to make it globally available.
    HTH,
    Steve

  • Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.

    Hi there,
    I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users, that login on the Infoblox, via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are allready made and this must match the group that the ACS replies.
    Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the groupsetting I've turned on the Infoblox-Group_info  attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.
    I've attach the VSA and a *.pcap of wireshark to see what's going on.
    Can anyone advice of suggest any option that can make this thing work.
    With regards,
    Richard Gosen

    Halijenn,
    Unfortunatly the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still shows up when I re-add the Infoblox appliance to a network device group en there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
    Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
    Any other possibilities?
    Kind regards,
    Richard Gosen

  • Cisco ACS 4.2 and Radius authentication?

    Hi,
    I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

    To access network devices for administrative purpose, we have only three methods available :
    [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
    [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
    and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
    [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
    Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
    And the most secure way to administer a  device is to use SSH.
    Rgds, Jatin
    Do rate helpful post~

  • Is CISCO ACS server same as RADIUS server?

    Please advise.
    if not, wats the difference between them?

    The ACS server suite includes a RADIUS service (and TACACS+).
    http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html
    Good Luck
    Scott

  • Cisco AAA authentication with windows radius server

    Cisco - Windows Radius problems
    I need to created a limited access group through radius that I can have new network analysts log into
    and not be able to commit changes or get into global config.
    Here are my current radius settings
    aaa new-model
    aaa group server radius IAS
     server name something.corp
    aaa authentication login USERS local group IAS
    aaa authorization exec USERS local group IAS
    radius server something.corp
     address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
     key mypassword
    line vty 0 4
     access-class 1 in
     exec-timeout 0 0
     authorization exec USERS
     logging synchronous
     login authentication USERS
     transport input ssh
    When I log in to the switch, the radius server is passing the corrrect attriubute
    ***Jan 21 13:59:51.897: RADIUS:   Cisco AVpair       [1]   18  "shell:priv-lvl=7"
    The switch is accepting it and putting you in the correct priv level.
    ***Radius-Test#sh priv
       Current privilege level is 7
    I am not sure why it logs you in with the prompt for  privileged EXEC mode when
    you are in priv level 7. This shows that even though it looks like your in priv exec
    mode, you are not.
    ***Radius-Test#sh run
                    ^
       % Invalid input detected at '^' marker.
       Radius-Test#
    Now this is where I am very lost.
    I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
    global config mode.
    ***Radius-Test#enable
       Radius-Test#
    Debug log -
    Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
    ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
    Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
    ***Radius-Test#sh priv
       Current privilege level is 15
       Radius-Test#
    I have tried to set
    ***privilege exec level 15 enable
    It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
    Even if I try to do
    ***privilege exec level 7 show running-config (or other variations)
    It will allow you to type sh run without errors, but it doest actually run the command.
    What am I doing wrong?
    I also want to get PKI working with radius.

    I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
    Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch?

  • User authentication in Cisco ACS by adding external RADIUS database

    Hi,
    I would like to configure the below setup:
    End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
    Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
    ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
    Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
    Any help on this would be really grateful to me.
    Thanks and Regards,
    Rahul.

    Thanks Ajay,
    As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
    Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
    By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
    -> In external user databases, i have added a external RADIUS token server.
    -> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
    -> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
    Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
    Here is what i found in "Failed attempts" logs under Reports and activities.
    Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
    02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
    Filtering is not applied.
    Date
    Time
    Message-Type
    User-Name
    Group-Name
    Caller-ID
    Network Access Profile Name
    Authen-Failure-Code
    Author-Failure-Code
    Author-Data
    NAS-Port
    NAS-IP-Address
    Filter Information
    PEAP/EAP-FAST-Clear-Name
    EAP Type
    EAP Type Name
    Reason
    Access Device
    Network Device Group
    02/28/2012
    00:42:18
    Unknown NAS
    (Unknown)
    10.204.124.71
    02/28/2012
    00:41:33
    Unknown NAS
    (Unknown)
    10.204.124.71
    02/28/2012
    00:31:52
    Unknown NAS
    Am i missing any thing in configuration side with respect to ACS?
    Thanks

  • [Vision] Measuring the minimum and maximum radius of a particle

    Hi all,
    I'm currently developing an upgraded vision application that includes a particle sizing measurement using the IMAQ Particle Analysis VI.
    Currently I'm using the Equivalent Ellipse Major and Minor axes, which works fairly well but appears to overstate the area of the particles compared to the previous implementation of the software for this system.  The original software used a maximum and minium radius measurement using the actual perimiter of the particle rather than an equivalent ellipse.
    I'm looking at using Max Feret Diameter and Equivalent Ellipse Minor (Feret) instead, and I was wondering if anyone has any experience with this sort of measurement and can offer some advice?  I'm processing up to 100 particles per frame at around 7-8 fps, so I don't know if writing my own LabVIEW code to perform the measurement will be fast enough.
    Cheers
    Brett Percy
    Senior Software Development Engineer
    Certified LabVIEW Architect and LabVIEW Champion

    Hi Bjorn,
    I can detect the particles fine, the issue is with the particle size measurement.  As you can see from the image, most of the particles are not very round.  The previous version of the software caclulated a maxium and minimum radius of the particle, but there doesn't seem to be an exact equivalent in the LabVIEW vision library
    Cheers
    Brett
    Senior Software Development Engineer
    Certified LabVIEW Architect and LabVIEW Champion
    Attachments:
    6.png ‏1325 KB

Maybe you are looking for

  • Why do my contacts have such large print? How can i reduce the Size?

    mmy contacts are appearing in large print, which means I do,not easily see the whole phone number. How can alter the size of the print?

  • Problems printing double-sided PDFs

    Hi, When I print any PDF document on any printer as double-sided, the second side always prints upside-down. I am printing from Adobe Acrobat 7.1.0 professional for Windows XP. This is annoying and I need to fix this problem. Suggestions would be gre

  • Invalid Signiture problem with Extension Manager

    When I try to load an extension to Dreamweaver CC I get an error saying the extension does not have a valid signiture.  I have tried a number of extensions with the same result. Can anyone tell me what I am doing wrong please. Thanks Brian

  • Will X handle 4k from a GH4?

    I'm a video pro and long-time FCP7 user and currently limping along with my HMC-150 AVCHD camcorder.  But the writing's on the wall that 4k is the next big thang that the mfgr's are pushing.  So, if I buy a Panasonic GH4 and shoot 4k will I be able t

  • Cannot make video conference using Cisco TelePresence and Conductor, registered to CUCM

    Hello, We've got CUCM 9.1.2, Conductor XC3.0.2 and TP 4.1(1.79). The conductor is configured as ad hoc and as rendezvous on the CUCM, Using secure SIP trunk (TLS) When we try to make a video conference as rendezvous the call is been initiated as audi