Cisco 1113 4.2 maximum RADIUS registers
Hello
My customer has two Cisco ACS 1113 appliances, version ACS-4.2.1.15.10-Fix. They want to know the maximum number of devices that can be registered on RADIUS.
Do you know any document of official Cisco page where such info can be found?
Thanks in advance.
To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful post~
Similar Messages
-
Looking for successful auth debug between cisco 1113 acs 4.2 and Active Directory
Hello,
Does anyone have a successful authentication debug using cisco 1113 acs 4.2 and Active Directory? I'm not having success in setting this up and would like to see what a successful authentication debug looks. Below is my current situation:
Oct 6 13:52:23: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:23: TPLUS: processing authentication start request id 444
Oct 6 13:52:23: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:23: TPLUS: Using server 110.34.5.143
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 26 (0x1A)
Oct 6 13:52:23: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:23: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:23: T+: user:
Oct 6 13:52:23: T+: port: tty515
Oct 6 13:52:23: T+: rem_addr: 10.10.10.10
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:23: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:23: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:23: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:23: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
Oct 6 13:52:23: T+: msg: Username:
Oct 6 13:52:23: T+: data:
Oct 6 13:52:23: T+: End Packet
Oct 6 13:52:23: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:23: TPLUS: Received authen response status GET_USER (7)
Oct 6 13:52:30: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:30: TPLUS: processing authentication continue request id 444
Oct 6 13:52:30: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 15 (0xF)
Oct 6 13:52:30: T+: AUTHEN/CONT msg_len:10 (0xA), data_len:0 (0x0) flags:0x0
Oct 6 13:52:30: T+: User msg: <elided>
Oct 6 13:52:30: T+: User data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/WRITE: wrote entire 27 bytes request
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 16bytes data)
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:30: TPLUS(000001BC)/0/READ: read entire 28 bytes response
Oct 6 13:52:30: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Oct 6 13:52:30: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:30: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Oct 6 13:52:30: T+: msg: Password:
Oct 6 13:52:30: T+: data:
Oct 6 13:52:30: T+: End Packet
Oct 6 13:52:30: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:30: TPLUS: Received authen response status GET_PASSWORD (8)
Oct 6 13:52:37: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:37: TPLUS: processing authentication continue request id 444
Oct 6 13:52:37: TPLUS: Authentication continue packet generated for 444
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE/46130160: Started 5 sec timeout
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 5, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 16 (0x10)
Oct 6 13:52:37: T+: AUTHEN/CONT msg_len:11 (0xB), data_len:0 (0x0) flags:0x0
Oct 6 13:52:37: T+: User msg: <elided>
Oct 6 13:52:37: T+: User data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/WRITE: wrote entire 28 bytes request
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 33bytes data)
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:37: TPLUS(000001BC)/0/READ: read entire 45 bytes response
Oct 6 13:52:37: T+: Version 192 (0xC0), type 1, seq 6, encryption 1
Oct 6 13:52:37: T+: session_id 763084134 (0x2D7BBD66), dlen 33 (0x21)
Oct 6 13:52:37: T+: AUTHEN/REPLY status:7 flags:0x0 msg_len:27, data_len:0
Oct 6 13:52:37: T+: msg: Error during authentication
Oct 6 13:52:37: T+: data:
Oct 6 13:52:37: T+: End Packet
Oct 6 13:52:37: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:37: TPLUS: Received Authen status error
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: timed out
Oct 6 13:52:37: TPLUS(000001BC)/0/REQ_WAIT/46130160: No sock_ctx found while handling request timeout
Oct 6 13:52:37: TPLUS: Choosing next server 101.34.5.143
Oct 6 13:52:37: TPLUS(000001BC)/1/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:37: TPLUS(000001BC)/46130160: releasing old socket 0
Oct 6 13:52:37: TPLUS(000001BC)/1/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Queuing AAA Authentication request 444 for processing
Oct 6 13:52:49: TPLUS: processing authentication start request id 444
Oct 6 13:52:49: TPLUS: Authentication start packet created for 444()
Oct 6 13:52:49: TPLUS: Using server 172.24.5.143
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT/46130160: Started 5 sec timeout
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: socket event 2
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 26 (0x1A)
Oct 6 13:52:49: T+: type:AUTHEN/START, priv_lvl:15 action:LOGIN ascii
Oct 6 13:52:49: T+: svc:LOGIN user_len:0 port_len:6 (0x6) raddr_len:12 (0xC) data_len:0
Oct 6 13:52:49: T+: user:
Oct 6 13:52:49: T+: port: tty515
Oct 6 13:52:49: T+: rem_addr: 10.10.10.10
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/NB_WAIT: wrote entire 38 bytes request
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: Would block while reading
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 12 header bytes (expect 43bytes data)
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: socket event 1
Oct 6 13:52:49: TPLUS(000001BC)/0/READ: read entire 55 bytes response
Oct 6 13:52:49: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Oct 6 13:52:49: T+: session_id 1523308383 (0x5ACBD75F), dlen 43 (0x2B)
Oct 6 13:52:49: T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:37, data_len:0
Oct 6 13:52:49: T+: msg: 0x0A User Access Verification 0x0A 0x0A Username:
Oct 6 13:52:49: T+: data:
Oct 6 13:52:49: T+: End Packet
Oct 6 13:52:49: TPLUS(000001BC)/0/46130160: Processing the reply packet
Oct 6 13:52:49: TPLUS: Received authen response status GET_USER (7)
The 1113 acs failed reports shows:
External DB is not operational
thanks,
jamesHi James,
We get External DB is not operational. Could you confirm if under External Databases > Unknown User Policy, and verify you have the AD/ Windows database at the top?
this error means the external server might not correctly configured on ACS external database section.
Another point is to make sure we have remote agent installed on supported windows server.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289013
Also provide the Auth logs from the server running remote agent, e.g.:-
AUTH 10/25/2007 15:21:31 I 0376 1276 External DB [NTAuthenDLL.dll]:
Attempting Windows authentication for user v-michal
AUTH 10/25/2007 15:21:31 E 0376 1276 External DB [NTAuthenDLL.dll]: Windows
authentication FAILED (error 1783L)
thanks,
Vinay -
Cisco wlc and steel belted radius
we have cisco wlc controller that have two ssid one for user and one for guest
we need the user in ssid 1 take user name and password from user group in active directory through steel belted radiu
please send to me any integrated guide between cisco wlc and steel belted radius
regardsHi Mohammad,
I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew -
Reimage cisco 1113 ACS - NIC driver
HI,
I tried to re-image a cisco 1113 ACS appliance into windows 2003 and was successful. I suppose to use this for my staging/LAB.My only problem is the NIC cards shows unknown since no appropraite driver was found. Googled for a few days but ends up nothing. Does anybody knows the exact driver? Appreciate anybody's reply.
Thanks.Just for everybody's info.
I manage to download the NIC driver. It is a Generic Broadcom NetXtreme Gigabit Ethernet.
Now it is working fine. -
Cisco 1602i + Authenticating users via RADIUS?
Hello,
Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with. I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection. The Guest connection works fine, using WPA PSK. However, I can't seem to get the RADIUS authentication to work. Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing. Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command. Can someone guide me on what I'm doing wrong? I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore. I am very stumped. Here's the relevant config:
aaa new-model
aaa group server radius rad_eap
server 10.200.5.24
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
clock timezone EST -5 0
ip cef
ip domain name gst
dot11 syslog
dot11 vlan-name guest vlan 255
dot11 vlan-name user vlan 140
dot11 ssid phoenix_2
vlan 140
band-select
authentication open eap eap_methods
mbssid guest-mode
dot11 ssid walker_2
vlan 255
band-select
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 0353035E535879191B
interface BVI1
ip address 10.200.5.70 255.255.255.0
ip default-gateway 10.200.5.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip route 0.0.0.0 0.0.0.0 10.200.140.1
ip route 0.0.0.0 0.0.0.0 10.200.5.1
ip radius source-interface BVI1
access-list 111 permit tcp any any neq telnet
snmp-server community G!0bal RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
radius-server vsa send accounting
The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i.Thanks Rasika, your link worked. I had the authentication key before, but i removed it while I was trying different things. My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group. Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group. It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
I haven't tried the "erase startup-config" command yet, I will try that next.
Quick question, why are both authentication open and authentication network-eap needed? I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS? -
Cisco ISE IPEP and Non Radius Authenticator
Is it possible for a Juniper FW or Aruba Wireless or anything else that does native AD authentication can use an IPEP for policy enforcement without converting the authenticator (juniper / aruba etc…) to a Radius request to a PDP for the IPEP to build the session from?
Does the IPEP simply "sniff" the packets and build a session from that or does it require RADIUS authentication to pass through for the IPEP to function?
I believe RADIUS is required but the client said he was told it is not and the authenticator can pass the traffic through the IPEP even if it authenticates clients by Native AD.
Anyone have any exmaples or traffic flows if this is possible?
Thanks,
Michael WynstonGot my answer and it is as I thought. The iPEP only works if it sees RADIUS requests to a PDP that then provides the iPEP with the policy to enforce.
Have a client migrating from CCA which will natively check AD inline based on seen authentication requests. They were told (not by me) ISE can do that too.
Guess not
Sent from Cisco Technical Support iPhone App -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
BobHello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
Cisco router T1 gw voip Radius Radiator
All
I got a cisco router and want to output the radiator,
however I found that the /cgi-bin/radacct.cgi , each call record had generate 4 records...
What is the best method for me to take the one.
00000572 27 Sep 2004 16:39:21 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:26 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:31 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:32 0:00:00 3111 3141 157 80
00000572 27 Sep 2004 16:39:36 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:37 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:42 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:47 0:00:00 3111 3141 157 80Thanks for the link Calvin.
I actually got it to work by just old fashion trial and error. Turned out to be two things:
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">Authentication Methods.... CHAP had to be enabled.
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">conditions..... delete the friendly name I read I needed to create. This "various RADIUS Clients was not so important to us" (will make sense if you follow link)
I mainly used this link for anyone interested:
http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html -
5508 WLC version 7.6 maximum RADIUS Servers
Hi All,
Is there a maximum limit for RADIUS Servers that we can configure for Authentication under Security TAB in WLC 5508/8500 with version 7.6?
We have 6 RADIUS Servers that needs to be configured for WLAN Client Authentication.
Thanks,
CJIIRC the limit is 16 servers on the WLC. but you can only call up to three under the WLAN itself.
If you need to be able to failover to anything beyond 3, than check the network user box in the AAA server configuration to make it globally available.
HTH,
Steve -
Cisco 1113 ACS 4.2 1113 configure auth. for Infoblox appl.
Hi there,
I have an issue with Cisco ACS and an Infoblox appliance. We want to authenticate users, that login on the Infoblox, via the Cisco ACS. After that the ACS should reply with a passed (RADIUS) authentication and reply with an administrative groupname that the user belongs on the Infoblox. To do this I have to import a VSA to have the option in the ACS to reply with this groupname. On the Infoblox these groups are allready made and this must match the group that the ACS replies.
Now I have imported the VSA and configured an AAA client (infoblox) to use the new RADIUS (VSA) to support the Infoblox. In the groupsetting I've turned on the Infoblox-Group_info attribute and filled in a specific groupname that the authenticated user belongs to. Now here comes the part where the group info is returned, but the Infoblox Appliance gives me a RADIUS error reply message. As I can see in the logs of the ACS the authentication part of the user is fine. So it has to be between the info that the ACS replies with, when the user logs in.
I've attach the VSA and a *.pcap of wireshark to see what's going on.
Can anyone advice of suggest any option that can make this thing work.
With regards,
Richard GosenHalijenn,
Unfortunatly the above solution doesn't do the trick. When I delete the imported VSA, via the attached *.csv, the Infoblox attributes still shows up when I re-add the Infoblox appliance to a network device group en there choose "Radius (Infoblox)" for the authentication. After deleting the VSA I have restarted the ACS SE. The returned acknowledgment from the ACS still presents a malformed packet. When I uncheck the checkbox of the "RADIUS (Infoblox)" attribute in the group settings, then it shows no malformed packet, but no group information is sent either.
Again I have imported the original accountsAction.csv and restarted the SE, but it still returns malformed packets.
Any other possibilities?
Kind regards,
Richard Gosen -
Cisco ACS 4.2 and Radius authentication?
Hi,
I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?To access network devices for administrative purpose, we have only three methods available :
[1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted, and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
[2] SSH : Which uses public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client
and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
[3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
And the most secure way to administer a device is to use SSH.
Rgds, Jatin
Do rate helpful post~ -
Is CISCO ACS server same as RADIUS server?
Please advise.
if not, wats the difference between them?The ACS server suite includes a RADIUS service (and TACACS+).
http://www.cisco.com/en/US/products/sw/secursw/ps5338/index.html
Good Luck
Scott -
Cisco AAA authentication with windows radius server
Cisco - Windows Radius problems
I need to created a limited access group through radius that I can have new network analysts log into
and not be able to commit changes or get into global config.
Here are my current radius settings
aaa new-model
aaa group server radius IAS
server name something.corp
aaa authentication login USERS local group IAS
aaa authorization exec USERS local group IAS
radius server something.corp
address ipv4 1.1.1.1 auth-port 1812 acct-port 1813
key mypassword
line vty 0 4
access-class 1 in
exec-timeout 0 0
authorization exec USERS
logging synchronous
login authentication USERS
transport input ssh
When I log in to the switch, the radius server is passing the corrrect attriubute
***Jan 21 13:59:51.897: RADIUS: Cisco AVpair [1] 18 "shell:priv-lvl=7"
The switch is accepting it and putting you in the correct priv level.
***Radius-Test#sh priv
Current privilege level is 7
I am not sure why it logs you in with the prompt for privileged EXEC mode when
you are in priv level 7. This shows that even though it looks like your in priv exec
mode, you are not.
***Radius-Test#sh run
^
% Invalid input detected at '^' marker.
Radius-Test#
Now this is where I am very lost.
I am in priv level 7, but as soon as I use the enable command It moves me up to 15, and that gives me access to
global config mode.
***Radius-Test#enable
Radius-Test#
Debug log -
Jan 21 14:06:28.689: AAA/MEMORY: free_user (0x2B46E268) user='reynni10'
ruser='NULL' port='tty390' rem_addr='10.100.158.83' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
Now it doesnt matter that I was given priv level 7 by radius because 'enable' put me into priv 15
***Radius-Test#sh priv
Current privilege level is 15
Radius-Test#
I have tried to set
***privilege exec level 15 enable
It works and I am no longer able to use 'enable' when I am at prv level 7, but I also cannot get the commands they will need to work.
Even if I try to do
***privilege exec level 7 show running-config (or other variations)
It will allow you to type sh run without errors, but it doest actually run the command.
What am I doing wrong?
I also want to get PKI working with radius.I can run a test on my radius system, will report back accordingly, as it's a different server than where I am currently located.
Troubleshooting, have you deleted the certificate/network profile on the devices and started from scratch? -
User authentication in Cisco ACS by adding external RADIUS database
Hi,
I would like to configure the below setup:
End user client (Cisco Any connect/VPN client) -> ASA 5500 (AAA client) -> ACS server -> External RADIUS database.
Here ACS server would send the authentication requests to External RADIUS server.So, i have added the external user database (RADIUS token server) in
ACS under External databases.I have added AAA client in Network configuration (selected authenticate using RADIUS(VPN 3000/ASA/PIX 7.0) from the drop down.
Here how do i make ASA recognize that it has to send the request to ACS server. Normally when you use ACS as RADIUS server you can add an AAA server in ASA and test it.But here we are using an external RADIUS server which has been configured in ACS, so how do i make ASA to send the requests to ACS server?
Any help on this would be really grateful to me.
Thanks and Regards,
Rahul.Thanks Ajay,
As you said nothing needs to be done on ASA side, if we are using an external user database for authentication.
Im a newbie to ACS and this is the first time i'm trying to perform a two factor authenticaton in Cisco ACS using external user database.
By two factor authentication i mean, username + password serves as first factor (validated by RADIUS server), username + security code (validated by RADIUS server) serves as second factor.So, during user authentication i enter only username in username field and in "password" field i enter both "password + security code". Our RADIUS server has already been configured with AD as user store, so we dont have to specify AD details in ACS. I have done the following in ACS to perform this two factor authentication.
-> In external user databases, i have added a external RADIUS token server.
-> In unknown user policy , i have added the external data base that i configured in ACS into the selected databases list.
-> under network configuration, i have added the Cisco ASA as AAA client (authenticate using RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)).
Just to check whether user authentication is successful, i launched the ACS webVPN using https://IP:2002, it asked me to enter username and password. So, i entered username and in password field i entered "password + security code". But, the page throws an error saying "login failed...Try again".I cant find any logs in external RADIUS server.
Here is what i found in "Failed attempts" logs under Reports and activities.
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Network Access Profile Name,Authen-Failure-Code,Author-Failure-Code,Author-Data,NAS-Port,NAS-IP-Address,Filter Information,PEAP/EAP-FAST-Clear-Name,EAP Type,EAP Type Name,Reason,Access Device,Network Device Group
02/28/2012,00:31:52,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:41:33,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
02/28/2012,00:42:18,Unknown NAS,,,,(Unknown),,,,,10.204.124.71,,,,,,,
Filtering is not applied.
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
02/28/2012
00:42:18
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:41:33
Unknown NAS
(Unknown)
10.204.124.71
02/28/2012
00:31:52
Unknown NAS
Am i missing any thing in configuration side with respect to ACS?
Thanks -
[Vision] Measuring the minimum and maximum radius of a particle
Hi all,
I'm currently developing an upgraded vision application that includes a particle sizing measurement using the IMAQ Particle Analysis VI.
Currently I'm using the Equivalent Ellipse Major and Minor axes, which works fairly well but appears to overstate the area of the particles compared to the previous implementation of the software for this system. The original software used a maximum and minium radius measurement using the actual perimiter of the particle rather than an equivalent ellipse.
I'm looking at using Max Feret Diameter and Equivalent Ellipse Minor (Feret) instead, and I was wondering if anyone has any experience with this sort of measurement and can offer some advice? I'm processing up to 100 particles per frame at around 7-8 fps, so I don't know if writing my own LabVIEW code to perform the measurement will be fast enough.
Cheers
Brett Percy
Senior Software Development Engineer
Certified LabVIEW Architect and LabVIEW ChampionHi Bjorn,
I can detect the particles fine, the issue is with the particle size measurement. As you can see from the image, most of the particles are not very round. The previous version of the software caclulated a maxium and minimum radius of the particle, but there doesn't seem to be an exact equivalent in the LabVIEW vision library
Cheers
Brett
Senior Software Development Engineer
Certified LabVIEW Architect and LabVIEW Champion
Attachments:
6.png 1325 KB
Maybe you are looking for
-
Why do my contacts have such large print? How can i reduce the Size?
mmy contacts are appearing in large print, which means I do,not easily see the whole phone number. How can alter the size of the print?
-
Problems printing double-sided PDFs
Hi, When I print any PDF document on any printer as double-sided, the second side always prints upside-down. I am printing from Adobe Acrobat 7.1.0 professional for Windows XP. This is annoying and I need to fix this problem. Suggestions would be gre
-
Invalid Signiture problem with Extension Manager
When I try to load an extension to Dreamweaver CC I get an error saying the extension does not have a valid signiture. I have tried a number of extensions with the same result. Can anyone tell me what I am doing wrong please. Thanks Brian
-
Will X handle 4k from a GH4?
I'm a video pro and long-time FCP7 user and currently limping along with my HMC-150 AVCHD camcorder. But the writing's on the wall that 4k is the next big thang that the mfgr's are pushing. So, if I buy a Panasonic GH4 and shoot 4k will I be able t
-
Cannot make video conference using Cisco TelePresence and Conductor, registered to CUCM
Hello, We've got CUCM 9.1.2, Conductor XC3.0.2 and TP 4.1(1.79). The conductor is configured as ad hoc and as rendezvous on the CUCM, Using secure SIP trunk (TLS) When we try to make a video conference as rendezvous the call is been initiated as audi