Configuring RAS and TACACS+ through ACS

Hi all,
I have a very basic question about configuring RAS with digital modems and AAA through TACACS+. I use the command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10, for example. And inside the router I configure this pool with some range of IP addresses, for example:
ip local pool OLA 192.168.10.2 192.168.10.127
And I set AAA through TACACS+.
What should I do next on ACS? Should I configure this pool of IP addresses on ACS, or is it sufficient to do it only on the router? Or is doing this on the router not important?
Thanks
jl

John
I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
HTH
Rick
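The router side that Rick's answer relies on, written out as an added example (not configuration from the thread). The pool name and range are the ones in the question; the TACACS+ server address, the loopback address, the modem line range and the shared-key placeholder are assumptions, and only the Group-Async interface is shown.

```text
! Assumed example, not from the thread. Replace the placeholders before use.
! AAA: authenticate, authorize and account PPP dial-in sessions against TACACS+.
aaa new-model
aaa authentication ppp default group tacacs+
aaa authorization network default group tacacs+
aaa accounting network default start-stop group tacacs+
! Assumed ACS address; the key must match the AAA client entry on ACS.
tacacs-server host 192.0.2.10
tacacs-server key <SHARED-KEY-PLACEHOLDER>
!
! The address pool lives only on the router; ACS needs nothing about it.
ip local pool OLA 192.168.10.2 192.168.10.127
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.255
!
interface Group-Async0
 ip unnumbered Loopback0
 encapsulation ppp
 async mode interactive
 ! Hand out addresses from the local pool to PPP peers.
 peer default ip address pool OLA
 ! PPP authentication is what sends the dial-in user to TACACS+.
 ppp authentication chap pap
 ! Assumed modem line range; the numbers depend on the platform.
 group-range <FIRST-LINE> <LAST-LINE>
```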

Similar Messages

  • Setting privilege level for logging into ASA through ACS

    Hi!,
    In my environment I implemented AAA for logging into switches, routers, ASAs etc. through ACS, which is configured for TACACS+.
    I have set different privilege levels like read-only, read-write etc. in ACS. They are working fine when I try to log in to a switch or router.
    But on the ASA I am unable to restrict the privilege levels of different users.
    Can someone please guide me with the ASA & ACS settings to solve this issue?

    Hi!!
    I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
    I created 3 profiles in "Shared Profiles" & added 1 of them in the Group setting & added users to this group, specifying group authentication. This way I am able to control access to the switches & routers with the proper privilege. But when I tried to implement the same for the ASA it's not happening.
    Can you please check it out...

  • How to do .1x port based network access authentication through ACS

    How to do .1x port based network access authentication through ACS.

    Hi,
    802.1x can authenticate hosts either through a username/password or via the MAC address of the client (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
    In this process the 802.1x switchport sends the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication will be successful and the PC will be granted network access.
    To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
    To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
    Regards,
    Kush

  • Juniper MX Regular expressions and user permissions ACS 5.4

    Hi everyone!
    I'm having some trouble with regular expressions and permissions on our Juniper MX routers through ACS 5.4, and I would like some insight/help/pointers!!
    We have a team of engineers that should only have read-only permissions (important: show configuration) and also be able to change just the description on interfaces.
    Thus far, with the following regular expressions set for the shell profile they are going through, I have managed the above; however, the problem is that when an engineer inputs "show configuration", only the interface descriptions are shown! The rest of the configuration will not be printed.
    deny-commands1=.*.
    allow-commands1=configure
    deny-configuration1=.*.
    allow-commands2=interfaces .*. description .*$
    allow-configuration1=interfaces .*. description .*$
    allow-commands2=show configuration.*
    allow-commands3=show configuration
    (Some of these regexes I know are not needed; I was just playing around to check everything before posting.)
    Any pointers as to why, or how to resolve this?
    example output with the above:
    show configuration
    ## Last commit: 2014-01-09 09:34:44 EET by someone
    interfaces {
        xe-0/0/0 {
        xe-0/0/1 {
            description xxxx;
        xe-0/1/0 {
            description xxxx;
        xe-0/1/1 {
            description xxxx;
        xe-0/2/0 {
            disable;
        xe-0/2/1 {
            description xxxx;
        xe-0/3/0 {
            description xxxx;
        xe-0/3/1 {
            description xxxx;
        ae0 {
            description "xxxx";
        ae1 {
            description xxxx;
        demux0 {
        lo0 {
    {master}
    Thanks in advance!
    Spyros
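As an added illustration that is not part of the thread, the Python below evaluates the posted regexes against sample commands and a constructed, flattened configuration. It assumes a simplified model of the Junos evaluation: an allow regex overrides a deny regex, and patterns are matched as unanchored substrings. Under that model only the description statements survive deny-configuration=.*., which is the behaviour reported above.

```python
import re

# Shell-profile regexes exactly as posted in the thread, grouped by attribute.
# Assumption: the two "allow-commands2" entries are simply both kept.
PROFILE = {
    "deny-commands": [r".*."],
    "allow-commands": [r"configure",
                       r"interfaces .*. description .*$",
                       r"show configuration.*",
                       r"show configuration"],
    "deny-configuration": [r".*."],
    "allow-configuration": [r"interfaces .*. description .*$"],
}


def _any_match(patterns, text):
    """True if any regex matches somewhere in text (unanchored, assumed)."""
    return any(re.search(p, text) for p in patterns)


def command_permitted(profile, command):
    """Simplified model: an allow match wins; otherwise a deny match blocks."""
    if _any_match(profile["allow-commands"], command):
        return True
    return not _any_match(profile["deny-commands"], command)


def statement_visible(profile, statement):
    """Same precedence applied to one flattened configuration statement."""
    if _any_match(profile["allow-configuration"], statement):
        return True
    return not _any_match(profile["deny-configuration"], statement)


def filter_config(profile, statements):
    """What 'show configuration' would leave visible under this profile."""
    return [s for s in statements if statement_visible(profile, s)]


# Constructed sample configuration, one flattened statement per entry
# (the "display set" view without the leading "set ").
SAMPLE_CONFIG = [
    "system host-name mx-lab",
    "interfaces xe-0/0/1 description uplink-to-core",
    "interfaces xe-0/0/1 unit 0 family inet address 192.0.2.1/30",
    'interfaces ae0 description "customer A"',
    "protocols bgp group ebgp neighbor 192.0.2.2 peer-as 64496",
]

if __name__ == "__main__":
    for cmd in ["show configuration", "show interfaces terse",
                "configure", "request system reboot"]:
        verdict = "permitted" if command_permitted(PROFILE, cmd) else "denied"
        print(f"{cmd!r}: {verdict}")
    print("visible configuration:")
    for line in filter_config(PROFILE, SAMPLE_CONFIG):
        print("  ", line)
```

Only the two description statements survive, while every other stanza is hidden by deny-configuration=.*., which is why the poster's engineers see nothing else.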

    You are absolutely right!! I was doing research online after posting the above. The correct RADIUS attribute to use is actually CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools. Then create the pool on the ASA, and call that pool's name in ACS under that RADIUS attribute. Someone explained this perfectly in this community before. Much appreciate your answer!
    Here's from another post last year:
    ACS 5 does not have the feature of IP pools. Logically it's always good to set up pools locally on the VPN server, and if you want a user to pick an IP from a specific local pool you can configure ACS to push that attribute.
    On ACS Go to > Policy Elements  -> Network Access ->   Authorization Profiles -> Create ->
    Name of the Policy ->Dictionary Type: Radius-Cisco VPN 3000/ASA/PIX7.x
    Attribute Type : CVPN3000/ASA/PIX7.x-Group-Based-Address-Pools
    Attribute Type: String
    Attribute Value : Static MYPOOL (Name of the Pool which is defined on the ASA)
    Access Policies ->Default Network Access -> Authorization ->  Create -> Under result section call the Authorization p

  • Configuring AAA network client on ACS v5.1 using the same RADIUS attributes from ACS v3.3

    Hello,
    I was wondering if I should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as the one I was using on my old ACS v3.3 server.
    Example: under ACS v3.3 I was using the RADIUS (Cisco Aironet) attribute to authenticate APs & WLCs; should I do the same under ACS v5.1?
    Best regards.

    Hello,
    When defining an AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA client entry. All AAA clients are defined as RADIUS or TACACS+ only.
    If you were using specific VSA attributes then you need to send those attributes back by configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
    And here are the available attributes for the ACS for RADIUS Aironet:

  • Configuring AAA network client on ACS v5.1 using the same attributes from AC

    Hello,
    Actually I'm new to ACS v5.1 and I wanted to do the same AAA client configuration as was configured on my old ACS v3.3 server.
    My old ACS v3.3 AAA client types are WLC, LAP and autonomous AP (using the RADIUS (Cisco Aironet) authentication protocol), and a PIX & a router (using the TACACS+ (Cisco IOS) authentication protocol).
    I'm using PEAP_MS-CHAP v2 as a RADIUS authentication method.
    Can any one guide me to accomplish this configuration please ?.
    Best regards.
    Posted by WebUser Mourad Lafjer

  • AAA and TACACS servers

    Hello All,
    I want to download a free yet reliable AAA and TACACS+ server; can you guide me? Also, I need help with configuring it for study purposes.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Netflow Generation Appliance (NGA-3240) and authentication with ACS

    I would like to configure this appliance to use ACS authentication.  Right now I use local authentication, but would prefer ACS instead. 
    Both the WebUI and the console are using this local method and I would much prefer it to use ACS instead.
    I get the following prompts:
    [email protected]# ip http tacacs+ enable <ACS IP ADDRESS> en-secret-key <KEY>
    Failed to enable Tacacs+

    Update...
         [email protected]# ip http tacacs+ enable
         Secret key:
         Repeat secret key:
         Successfully enabled Tacacs+
    The problem, I'm faced with now is that after entering the above the WebUI is still not accessible.

  • [SOLVED] How to configure prosody and jitsi to work together?

    Hi,
    I want to use prosody to connect several jitsi accounts on different computers on a LAN. I have followed the Prosody page in our wiki to set up Prosody and some user accounts. The service starts and ss -tul indicates that it is listening on the expected ports. I have created the missing key and certificate files expected by the default setup and placed them in /etc/prosody/certs.
    I have created the account foo@localhost using prosodyctl adduser foo@localhost.
    In jitsi I have created an XMPP account (foo@localhost) on the same host as prosody. The account appears but it fails to connect to the server. Jitsi displays error messages on the console which indicates that the server does not support TLS connections even though these are enabled in the prosody configuration file (and lua51-sec is installed).
    I have tried numerous variations of disabling encryption in both prosody and jitsi but I either get the same error message or jitsi simply hangs while trying to connect to the server.
    So far the only thing that I've been able to find that deals specifically with prosody and jitsi is an episode of the Linux Action Show from last year that skimps on the details of the setup. The various online documentation that I've found seems to be for an older version of Prosody (e.g. Host entries in the configuration file).
    Does anyone have a similar setup working with the latest versions of Prosody and Jitsi? If so, please share your configurations.
    edit
    I went through the Prosody wiki page again today and managed to get it working. I think my problem was in misconfigured paths for the SSL server certificates in the VirtualHost section.
    Last edited by Xyne (2014-08-13 00:35:51)

    So, I tried both ways but it still didn't work.
    anrxc: I didn't know I could still prevent DNS leaks without privoxy. Privoxy always blocked flash animations and videos (like youtube) here. I'll try to set this up better tomorrow when I have more time.
    By the way, after following your guide, I got this when executing /usr/bin/tor:
    Jan 10 19:29:16.993 [notice] Tor v0.2.1.21. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
    Jan 10 19:29:16.994 [warn] Skipping obsolete configuration option 'Group'
    Jan 10 19:29:16.995 [notice] Initialized libevent version 1.4.12-stable using method epoll. Good.
    Jan 10 19:29:16.995 [notice] Opening Socks listener on 127.0.0.1:9050
    Jan 10 19:29:16.995 [notice] Opening Socks listener on 192.168.0.1:9050
    Jan 10 19:29:16.995 [warn] Could not bind to 192.168.0.1:9050: Cannot assign requested address
    Jan 10 19:29:16.995 [notice] Closing partially-constructed listener Socks listener on 127.0.0.1:9050
    Jan 10 19:29:16.995 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
    Jan 10 19:29:16.995 [err] Reading config failed--see warnings above.
    Last edited by ILoveJapaneseGirls (2010-01-10 22:00:12)

  • Configuring Outbound and Inbound SMTP mails with SUN Java messaging system

    hi all,
    I am new to Solaris and I have deployed SUN Java Communication Suite. How do I configure my messaging server to send outgoing mails through an existing gateway and receive inbound mails from the same gateway?
    Currently my server is connected to the internet directly and I am able to send a mail to an external domain, for example gmail. Can anyone help me out in understanding the default functioning of external mail routing and how I point it to a gateway?
    Thanks,
    Zafrul

    Hi,
    zkhan wrote:
    I am new to Solaris and I have deployed SUN Java Communication Suite.
    Welcome. Some good resources you should look at are the following:
    http://www.sun.com/bigadmin/hubs/comms/overview/index.jsp
    http://msg.wikidoc.info/
    http://blogs.sun.com/factotum/
    zkhan wrote:
    How do I configure my messaging server to send outgoing mails through an existing gateway and receive inbound mails from the same gateway?
    There are two steps to this.
    To configure outgoing emails to be relayed through a gateway, you need to modify the <msg_base>/config/imta.cnf MTA configuration file and add "daemon <gateway hostname>" to your tcp_local channel configuration, e.g.
    ! tcp_local
    tcp_local smtp mx single_sys remotehost inner switchchannel identnonenumeric subdirs 20 maxjobs 7
    pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth missingrecipientpolicy 0
    loopcheck daemon mygateway.com
    tcp-daemon
    To allow the gateway system to send emails to your host unconditionally, modify the <msg_base>/config/mappings MTA configuration file and add the gateway's IP address to the INTERNAL_IP mapping table, e.g. (where the gateway has an IP of 1.2.3.4 and your system has an IP of 192.168.1.20):
    INTERNAL_IP
      $(192.168.1.20/24)  $Y
      $(1.2.3.4/32)  $Y
      127.0.0.1  $Y
      *  $N
    Once you have done this you will need to rebuild the MTA configuration cache and restart the MTA processes.
    <msg_base>/sbin/imsimta cnbuild
    <msg_base>/sbin/imsimta restart
    zkhan wrote:
    Currently my server is connected to the internet directly and I am able to send a mail to an external domain, for example gmail. Can anyone help me out in understanding the default functioning of external mail routing and how I point it to a gateway?
    For the understanding, you will need to read up on the manuals. Messaging Server is a flexible and powerful product for sending/processing emails, but with that flexibility comes complexity. I suggest you start by reading the Messaging Server Administration Guide:
    http://docs.sun.com/app/docs/doc/819-4428
    Regards,
    Shane.

  • Cross docking and flow throughs

    Hi Gurus,
    Can anybody send me the configuration steps for cross docking and flow-through scenarios in IS Retail?
    thanks in advance.
    Regards,
    PS

    Hi,
    Explore following URL
    Collective Purchase Order
    Bye,
    Muralidhara

  • Pay some expenses through FI and some through payroll

    Friends,
    Could we configure Travel Management so that we pay some types of expenses through FI and some through payroll?
    Thanks!

    Hi,
    As correctly mentioned, it is impossible to have both integration to payroll and FI. but i guess most of the customers are asking this functionality is for the purpose of tax reporting.
    It is possible to pay the expenses via FI and then activate the payroll schema related to the travel expense to populate it into payroll cluster.(This is pretty much depends on the wage type characteristic of the expense types associated with).
    Hope this helps.

  • OS X 10.4.11 Server - configured name and reverse DNS do not match / DNS

    Hi all,
    I have looked for similar posts but all seem to have different scenarios, hoping to get an answer from someone more experienced than myself before I do anything silly.
    Help much appreciated!
    Scenario:
    We run a 10.4.11 OS X Server on an XServe, hosted at an ISP. ISP provides all DNS services, incl. the reversed DNS entry.
    I am currently only running the following services (based on the display in ServerAdmin):
    AFP
    Firewall
    iChat
    Mail
    QuickTimeStreaming
    Web
    All others (incl. DNS) are grayed out. (As ISP instructed us not to add a DNS service on our box, that's "normal" according to my experiences with dedicated /co-location server hosting).
    We never used changeip after the initial setup, meaning the server's
    Current Hostname = somename.local and
    DNS Hostname = mail.ourdomainname.net
    So in system.log I find this recurring entry:
    Jul 8 11:41:22 somename servermgrd: servermgr_dns: configured name and reverse DNS name do not match (somename.local != mail.ourdomainname.net), various services may not function properly - use changeip to repair and/or correct DNS
    Finally, my question:
    As Mail and Web services etc. are currently running OK from what I can tell,
    1) do I HAVE to change this at all?
    2) Would it be much better / why?
    3) Could I change this using the following command
    (111.11.111.1 indicating the server's IP address)
    changeip 111.11.111.1 111.11.111.1 somename.local mail.ourdomainname.net
    4) without running a DNS server on the machine, i.e. DNS service is not required for this to work?
    5) obviously I want to be able to use Server Admin after I issue this command...
    6) can I fall back easily in case this would screw it up, or is there no risk whatsoever doing this in my case?
    THANK YOU so much for any help!

    Hi Jonas
    If port 443 is already being used on the same box as KMS then it will complain and probably not start the service? I've seen this with LDAP port 636. This is when Kerio is installed on a server configured as an OD Master. Clearly the port can't be used by both servers.
    It might be easier to change the port your sites are currently using to something else? Although don't do anything yet. Pose the question to Kerio Support and see what advice they offer.
    Yes moving the mail to a local folder on the mail client will do it.
    Is Kerio going on the same box? If it's a different box (presumably a different IP address?) then what you can do is port forward to the new server's IP address instead of disabling it. This way, while you are bringing the new server online, users can still send mail right up until the time you give instructions on changing their inbound/outbound mail server details. Of course they won't be able to receive, but if you time it right they may not even get an error message? Depends on what their schedules are.
    If it was me I would choose IMAP every time. As the mail admin you have full control and a central location for easy backup. KMS has a built-in archiving feature that makes this a simple process. This is an easier option than going round individual client machines and making sure mail held locally in POP accounts is backed up. Besides, there is always someone who falls through the loop, and I'm not taking into account drive failures. It makes good sense anyway as there is talk of legislation being introduced to make this a requirement for businesses who run their own mail servers. This is certainly true for certain parts of the US, and what usually happens there is generally taken up in the UK and most parts of Europe.
    Kerio's WebMail Client means users don't even have to have their own computer. As long as they have access to one that has access to the internet they can send/receive mail. No need for dedicated mail applications such as Apple Mail, Thunderbird, Entourage etc. How mail is used remains consistent for all users.
    Yes. I did this not so long ago with Leopard's built-in Mail Server. I sent an e-mail defining a time when no inbound mail would be received. Disabled port forwarding for SMTP port 25 and approx. 30 minutes after that sent another mail stating no outbound mail should be sent. Once everything was swapped over (we were changing from a G4 10.4 server to a G5 10.5 server) port 25 was enabled, the new server brought online and everyone was mailing again with no appreciable downtime.
    These boxes were to have the same IP address hence the slightly different approach.
    Does this help?
    Tony

  • How can I get authentication and authorization through OS X open directory with the Sun ZFS STOR ZS3-2

    How can I get authentication and authorization through OS X Open Directory with the Sun ZFS STOR ZS3-2?
    I have configured NFS. I need help configuring the share that I created in the Sun ZFS STOR ZS3-2 to connect with OS X Open Directory.

    Hi,
    You may try checking the help page for LDAP configuration:
    https://<Appliance_IP>:215/wiki/index.php/Configuration:Services:LDAP
    ZFS Storage supports LDAP, NIS, AD as directory service.
    Hope Open Directory is also based on LDAP and may work in similar fashion.
    Thanks
    Nitin

  • Configuring PCR for MSS through ISR

    Hi All,
    I am starting from scratch. I have an understanding of how ISR works, but need some document/wiki/pdf with a step-by-step explanation of how to configure PCR for MSS through ISR and Adobe forms.
    Basically I need to configure PCR scenarios in MSS in backend and then link them to adobe forms.
    Please help.

    You will get PCR guide from Service market place and link for ISR cook book can be found in this forum.
    Kindly search this forum. There are plenty of good links already posted in this forum.
    Good luck for your configuration and development If you come across any issues, please do raise after searching the forum.
    - anto.
