Configuring TACACS Server for Cisco VPN 3000
Does anyone know how to get to the configuration setting to specify a TACACS server?
You need to be very careful when setting up this thing. If the AAA server is down for whatever reason, you will NOT be able to log into the Concentrator again. As far as the VPN3k console is concerned, it will let you login with the "admin" account, even though the AAA is up and running. In other words, you can login from console with both "admin" and AAA account at the same time.
What a mess.
Similar Messages
-
Hi All,
In VPN 3000 concentrator, I've enabled tftp, telnet, snmp. I've also successfully added the concentrator into Ciscoworks LMS 4.2.2. All the ports are verified open to Ciscoworks. No question mark shows next to this device in the device management of LMS. However, when I run configuration Archive Job, I always get the following failed message. Can anybody tell me how to back up the configuration of Cisco VPN 3000 concentrator in Ciscoworks LMS 4.2.2? Thanks in advance.
Sorry, but apparently not. Please see the supported devices table (here).
That table states, among other things:
The following features are not supported:
Network Topology Layer 2 Services
Fault Management
Configuration Deploy Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP
Configuration Fetch Protocols: HTTPS, TELNET, SSH, SCP, TFTP, RCP -
Maximum number of local users on a Cisco VPN 3000 Concentrator
Hi,
Do you know if there is a specific maximum number of local users that can be created on a Cisco VPN 3000 Concentrator? If possible, we would like to know the number for the different models.
Thanks in advance for your help!
Harry
Hi Harry,
Please see table 13-1 for that information, and read Authentication Server Limits paragraph
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp1685274
Pls rate any helpful posts
Bst Rgds
Jorge -
Certificate authentication for Cisco VPN client
I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared pass. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. failed to generate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.
Dear Doug,
What ASA code are you running on the ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you with whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
1) What is the AnyConnect Essentials License?
The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSL VPN Peers' limit on your device. With the AnyConnect Essentials License, you can only use AnyConnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSL VPN portal page for anything other than launching AnyConnect are restricted.
You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
AnyConnect VPN configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml -
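The before/after comparison in the answer above, as an added example that is not part of the original post: a parser for the `Licensed features` block of `show version` that reports which features changed between two captures and applies the rule the answer states (AnyConnect is capped by 'Total VPN Peers' with Essentials enabled, otherwise by 'SSL VPN Peers'). The sample captures are abbreviated from the output quoted above, and the function names are illustrative.

```python
import re

# Abbreviated from the two 'show version' captures quoted in the post above.
BEFORE = """\
Licensed features for this platform:
Maximum VLANs : 150
SSL VPN Peers : 2
Total VPN Peers : 750
AnyConnect Essentials : Disabled
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
"""
AFTER = BEFORE.replace("AnyConnect Essentials : Disabled",
                       "AnyConnect Essentials : Enabled")

LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")

def parse_licensed_features(show_version: str) -> dict:
    """Return {feature: value} for the 'Licensed features' block only."""
    features, in_block = {}, False
    for line in show_version.splitlines():
        if line.strip().lower().startswith("licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        m = LINE.match(line)
        if not m:  # first line that is not 'name : value' ends the block
            break
        features[m["name"]] = m["value"]
    return features

def anyconnect_session_limit(features: dict) -> int:
    """Rule stated in the answer: Essentials lifts AnyConnect from the
    'SSL VPN Peers' limit to the 'Total VPN Peers' platform limit."""
    essentials = features.get("AnyConnect Essentials", "Disabled")
    key = "Total VPN Peers" if essentials.startswith("Enabled") else "SSL VPN Peers"
    return int(features[key].split()[0])  # tolerate a trailing column

def license_diff(before: dict, after: dict) -> dict:
    """Features whose value differs between two captures."""
    return {k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if before.get(k) != after.get(k)}

if __name__ == "__main__":
    b, a = parse_licensed_features(BEFORE), parse_licensed_features(AFTER)
    print(license_diff(b, a))
    print(anyconnect_session_limit(b), "->", anyconnect_session_limit(a))
```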
AnyConnect for Cisco VPN Phone demo license
I want to test VPN Phone on the ASA5520, but "show ver" shows "AnyConnect for Cisco VPN Phone : Disabled". At www.cisco.com/go/license I didn't find where to register an AnyConnect for Cisco VPN Phone demo license. How do I apply for the demo license?
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5520 VPN Plus license.
Hi there,
Did you try
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
Cheers!
Rob
"Why not help one another on the way" - Bob Marley -
How to configure SMTP server for osb 10.3.1
Hi All,
Can anyone share information on how to configure SMTP server for osb 10.3.1
and then how to send an email from osb 10.3.1
Thanks in Advance!!
Thanks a lot!!
I configured the same way. When I am sending email to an account on the same domain as my SMTP server, the sending of email is successful. But it's giving an error when I am trying to send an email to an account which is on a different domain. It's giving the error "Operation has been cancelled".
Please suggest something. -
Configuring Radius server with Cisco MDS - 9606 switch
Need help in configuring Radius server with Cisco MDS - 9606.
Please let me know if any document is available.
rtt min/avg/max/mdev = 0.260/0.327/0.468/0.077 ms
IFCBCCEMCSW2# sh version
Cisco Storage Area Networking Operating System (SAN-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software may be covered under the GNU Public
License or the GNU Lesser General Public License. A copy of
each such license is available at
http://www.gnu.org/licenses/gpl.html and
http://www.gnu.org/licenses/lgpl.html
Software
BIOS: version 1.1.0
loader: version 1.2(2)
kickstart: version 3.3(1c)
system: version 3.3(1c)
BIOS compile time: 10/24/03
kickstart image file is: bootflash:/m9500-sf1ek9-kickstart-mz.3.3.1c.bin
kickstart compile time: 5/23/2008 19:00:00 [06/19/2008 23:56:56]
system image file is: bootflash:/m9500-sf1ek9-mz.3.3.1c.bin
system compile time: 5/23/2008 19:00:00 [06/20/2008 00:26:51]
Hardware
cisco MDS 9506 ("Supervisor/Fabric-1")
Intel(R) Pentium(R) III CPU with 1028596 kB of memory.
Processor Board ID JAB094300ER
bootflash: 250368 kB
slot0: 0 kB -
AnyConnect for Cisco VPN Phone Spanless recording?
I'm looking to add this to my existing ASA5520.
Does AnyConnect for Cisco VPN phone support spanless recording?
If not what options are there?
Thanks,
Mike
Hi there,
Did you try
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=717
Cheers!
Rob
"Why not help one another on the way" - Bob Marley -
Support for Cisco VPN "mutual group authentication"
Hi,
Does anyone know of support plans for Cisco VPN mutual group authentication in the built-in VPN client on MacOSX?
Thanks,
John
I would like to know the answer to this as well.
Thanks,
Josh -
Can't configure tacacs-server port
We're unable to configure a specific port, which is required for our customer for the tacacs-server. One of the devices is a 7604 router running this image -
c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin. The other device is a 2960 switch with the following image - c2960-lanbasek9-mz.122-35.SE5.bin.
We don't get the option to add a port after the tacacs-server host x.x.x.x command.
Any ideas would be greatly appreciated!
Regards..
Hi
Please go through this link, this will be helpful regarding TACACS Authentication and Fortigate configuration:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html -
Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance
I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations?
Thanks.
Hi
We (extraxi) offer migration and general consultancy for ACS if you need professional help.
www.extraxi.com/contact.htm -
TACACS+ Authentication For Cisco NAM
Hi All,
I have a Cisco ACS v5.1 and also a Cisco NAM. Currently, I have configured TACACS+ on the NAM and the ACS v5.1; however, when I try to access the NAM, the ACS v5.1 has an error message of "TACACS+ authentication ended with error" and I am not able to access the equipment.
For your information, I have no problem with other equipment's TACACS+ authentication with the same ACS.
Please advise.
Thks and Rgds
Steven
I would first suggest that you verify that your ACS has an appropriate and correct entry configured for the NAM as a client. Assuming that is correct then I would suggest that you check and verify that the NAM is originating its TACACS requests from the address that you configured for the client on the ACS and that the shared secret is the same on both devices.
If those are correct then I would suggest to look in the Failed Attempts report of ACS and see if it provides a better identification of the problem.
HTH
Rick -
How to configure mail server for subscription
Hi,
I want to test subscription. My problem is how to configure the mail server.
As to my understanding, we need to first configure the mail server, then the user can choose "Subscribe" in the Details screen of a folder.
My steps are:
1. In KM - CM - Utilities - Channels, specify SMTP server, userId and password.
2. In KM - CM - Utilities - Channel originators, set the Original address for notificator.EMAIL.
3. In KM - Collaboration - Groupware Transport - Mail Transport, specify SMTP server and sent message folder.
After that, when I choose a user and click "Send email", it failed saying "Failed to communicate with SMTP server when sending the email.".
Could anyone tell me what's wrong with my configuration, or what should I do to make subscription work?
Thanks,
Ray
Hi Vineeth,
Thanks for help.
According to your steps:
1. set up a mail transport and making notification and mailing service active.
In System admin - KM - CM - Global services, I've enabled Inbox, Mailing and Notification services.
In KM - CM - Collaboration - Groupware Transport, I've set up a mail transport:
Name: JavaMailTransport
SMTP Server: smtp.yahoo.com
Sent message folder: /documents
System alias name: mytransport
2. Give everyone read permission on notifications in KM.
Where can I set user's permission on notifications? I think you mean folder /etc/notifications, but I don't know how to set permissions.
3. Check if proper id's are maintained in users profile.
How to do this?
Thanks for help~~
Regards,
Ray -
QoS for Cisco TelePresence 3000
What are the QoS requirements for the Cisco TelePresence 3000 connected to a Cisco 6500 running CatOS?
Thanks in Advance.
This doc should help you:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800c65c9.html -
Configuring Mavericks Server for AUSST 3.0
Could someone please explain to me how to configure an OSX 10.9 server to host updates? I have downloaded all the updates and am now having trouble configuring the server to share out my updates folder. The instructions that Adobe provides are more geared towards Windows servers. Any help would be much appreciated.
Anyone?