How to configure Radius failover in ACS 5.1

Similar Messages

• How to monitor Radius services on ACS 5.4

  Hi All,
  I want to monitor  Radius services of ACS 5.4,  In case of failure any radius service on ACS.
  ACS should send alert to Syslogs  or email notification
  Is there any way to monitor Radius services ? Anyone have any idea how to monitor.
  Regards.

  Hi Narinder,
     I dont think so there is any particular way you can do that, Because ACS 5.x doesnt have any particluar Radius service.
  The services which are available and can be viewed through CLI and GUI are following:
  Database
  Management (ACS management subsystem)
  Ntpd
  Runtime (ACS runtime subsystem)
  View-alertmanager
  View-collector
  View-database
  View-jobmanager
  View-logprocessor
  htt    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
  Cheers 
  Minakshi

• How to configure RADIUS to give IP address to a PPP client

  I need to configure a RADIUS server, ACS if it's suported, to give a pre-defined IP address to a user connecting through PPP.
  The NAS asks RADIUS for authentication then receives the accept or reject and some parameter that should tell the NAS the IP address the client will be assigned. (I guess it's this way)
  Somebody knows which is this parameter and if it's this easy?
  Thanks

  Yes it also works fine. You may try this also.
  Before configuring the RADIUS NAS-IP-Address Attribute Configurability feature, you must have configured the RADIUS servers or server groups and AAA method lists. To configure the RADIUS NAS-IP-Address Attribute Configurability feature, perform the following steps.
  SUMMARY STEPS
  1. enable
  2. configure terminal
  3. radius-server attribute 4 ip-address
  For further information click this link.
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rad_nas_ip_cfg_ps6350_TSD_Products_Configuration_Guide_Chapter

• How to monitor radius service in ACS 5?

  Hi to all,
  I have an ACS version 5 and the radius authentication is not working, i did a port scan to the ACS and I can't see the radius port open.
  I tried to verify if the radius service is running but i can't find "where to" check that in this ACS 5 version, does anyone know where is that or what should i verify to see what the problem could be??
  I also checked in the monitoring section but there is nothing matching radius authentication.
  Thanks in advance for your help.

  Hi Narinder,
     I dont think so there is any particular way you can do that, Because ACS 5.x doesnt have any particluar Radius service.
  The services which are available and can be viewed through CLI and GUI are following:
  Database
  Management (ACS management subsystem)
  Ntpd
  Runtime (ACS runtime subsystem)
  View-alertmanager
  View-collector
  View-database
  View-jobmanager
  View-logprocessor
  htt    https://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-ususer/guide/acsuserguide/viewer_sys_ops.html#pgfId-1052845
  Cheers 
  Minakshi

• How to configure AAA

  Hi,
  I have some question regarding AAA..
  1)which one is the best?
  a) TACACS+
  b) RADIUS
  2)How to configure AAA in network devices?
  3)How to configure RADIUS/TACACS+ in ACS?
  Please guide in this smatter?
  Thanx
  som

  Hi Som,
  It's not possible to answer your questions in one post.
  You will find the answers to your questions under the following urls:
  AAA:
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_aaa_overview_ps6350_TSD_Products_Configuration_Guide_Chapter.html
  RADIUS:
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_radius_ps6350_TSD_Products_Configuration_Guide_Chapter.html
  TACACS+:
  http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_tacacs+_ps6350_TSD_Products_Configuration_Guide_Chapter.html
  ACS 4.2:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/configuration/guide/acs42_config_guide.html
  Cheers:
  Istvan

• How to configure ACS 5.2 for policy condition on TACACS+ Service

  In https://supportforums.cisco.com/message/3953175#3953175 thread, I was able to get the ACS 5.2 work with SRX for both SSH CLI and J-Web TACACS+ accounts. However, I found the behavior is different on our production environment. I found our ACS 5.2 was configured authorization rule with condition "TACACS+ Service" = "junos-exec". I don't know how to configure this on my ACS 5.2 Please guide me how to configure this.
  I found there was NO TACACS+ "Authorization Request" when access via J-Web in our production SRX and ACS. However, there were TACACS+ "Authorzation Request" when access via J-Web in our production SRX and ACS. The difference between my lab ACS and production ACS is the authorization rule condition. In my condition, I configure with all "SRX" Device Type. but in our production ACS 5.2, it was configure to TACACS+ Service=junos-exec. so I like to test it in our lab to find out the difference. Thanks.

  I would suggest you to go through the below two link.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/migration/guide/Migration_Configure.html
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html

• Configuring NAC 2 in acs 4.0

  How can configuring NAC L3 in acs 4.0?

  Click on the Network Access Profiles button on the left side of the page.
  Next click Add Template Profile button
  Select L3 IP
  This will preconfigure the L3 RAC's and ACL's
  You will need to edit the RAC's and ACL's and configure your posture validation policies

• How to configure ACS to authenticate Modem with radius

  Hi,
  How do I configure ACS to authenticate and authorize modem users with radius. My problem is with authorization(authentication is ok in the debug). Do I need to configure specific Av pairs (006 and 007 in IETF)

  Hi Dominic,
  Are we have Microsoft radius server or ACS?
  Yes, these attributes should be configured.
  006-service-type: login
  007-framed-protocol: PPP
  HTH
  JK

• Cisco NAC: How to configure the NGS as Radius Server & NAC Manager as Raidus Clients !!!

  Hi,
  Kindly let me know that how to configure the NGS (Version 2.0.3) as a Radius Server while NAC Manager (Version 4.8.2) as a Radius Client...
  Moreover,
  1) I want to Create the two User Roles (Guest1 & Guest2) on NGS.
  2) When sponsor will create the users, user will belong to either of roles.
  3) NAC Manager will have an authentication provider (Radius) with the default Role "Deny Role" but users belongs to "User Role = or Group = Guest1" will fall into "Guest1" Role while User Role = or Group = Guest2" will fall into "Guest2" Role.
  I need an assistance to configure this scenario....
  Please advise me.
  BR,
  Mubasher Sultan

  Hi,
  Any idea or suggestion...
  BR,
  Mubasher Sultan

• How to configure Cisco Airespace in Cisco Secure ACS v5.3

  Need some help regarding Cisco Airespace configuration in Cisco Secure ACS v5.3. We're migrating to ACS v5.3 but we're encountering an issue with
  Cisco Airespace. It is only working on ACS4.1 but when we tried to move it to Cisco Secure ACS v5.3, it is not working.

  Ok, we have a legacy Cisco wireless devices called Cisco Airespace and this device is the result of Cisco acquisition of Airespace Wireless Network in 2005. Cisco improve this technology and make it a perfect device for WLAN. Going back to my issue, as I mention we have this device and it is working in our older version of ACS (4.x). Since we have now a latest version of ACS which is 5.3. We wanted to migrate all the device into our latest version of ACS including older version (Airespace). Since this is an older device, I'm thinking that the VSA attributes needs to manually added and create Policy and Access Service specific to Cisco Airespace. I've attached the Dictionaries attributed that I've added and needs some advise if I got the correct value for below item
  Airespace-WLAN-Id
  Airespace-QoS-Level
  Airespace-DSCP
  Airespace-802.1p-Tag
  Airespace-Interface-Name
  Airespace-ACL-Name
  Below link is the configuration guide for Cisco Airespace under ACS 4.x
  http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080891919.shtml

• Adding RADIUS VSAs on ACS 3.2 SE

  I have tried to add a VSA to enable a Packeteer to authenticate using RADIUS on the ACS.
  Using RDBMS synchronization to import the csv file below.
  SequenceId,Priority,GroupName,Action,ValueName ,Value1,Value2,Value3
  1,1,External,163,26,access=look,2334,1
  The group name is 'External', Action is 163 which corresponds to ADD_RADIUS_ATTR.
  From RDBMS Sychronization Import Definitions (http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user/ag.htm#wp35130)
  To add a vendor-specific attribute (VSA), set VN = "26" and use V2 and V3 as follows:
  •V2 = IETF vendor ID (which in this case is 2334)
  •V3 = VSA attribute ID (1)
  •V1 = In this case 'access=look'
  After a couple of attempts I got the format correct but when I try and import the file I don't get an "INFO" message in the "Reports" section of the ACS indicating that the process was successful. I don't get any message at all, WARNING, ERROR or INFO.
  From the FTP server I can confirm that the file was transferred.
  What I should get is an INFO message similar to:
  08/30/2004 16:27:50 INFO Sync complete: 1 transaction(s) 0 parse error(s) 0 process error(s)
  Any ideas as to what is wrong would be much appreciated.
  Cheers,
  Aylmer.

  HI you need to import the RADIUS VSA for PAcketeer from their site.
  The link to the steps as shown below is ( might require u to subscribe & login)
  https://packeteer.custhelp.com/cgi-bin/packeteer.cfg/php/enduser/std_adp.php?p_faqid=399&p_created=1046793530&p_sid=gszcDFBh&p_lva=&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTImcF9wcm9kcz0wJnBfY2F0cz0wJnBfcHY9JnBfY3Y9JnBfc2VhcmNoX3R5cGU9YW5zd2Vycy5zZWFyY2hfZm5sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YWNz&p_li=&p_topview=1
  IN any case the same content is copied below:-
  Also the stpes on how to do them is listed here
  Create a User Defined Vendor
  First, you need to create a User Defined Vendor.
  1. Create a text file (packet.ini) and enter the following:
  [User Defined Vendor]
  Name=Packeteer
  IETF Code=2334
  VSA 1=Packeteer-AVPair
  [Packeteer-AVPair]
  Type=STRING
  Profile=OUT
  2. Name the file packet.ini.
  Add the Vendor to the Database
  Next, you need to add the above vendor to the database.
  1. Go to the command prompt, and change the directory to the Cisco Secure utils directory (typically C:\Program Files\CiscoSecure ACS v3.0\Utils).
  2. The instructions below install the vendor into User Defined slot 0. If you have other vendors, you need to change this number to a free slot. To see a list of slots and their assignments, use the csutil -listudv command. For example:
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - Unassigned
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  3. Run csutil -addudv to and add Packeteer to UDV (User Defined Vendor) slot 0 or the next
  open slot.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -addudv 0 c:\temp\packet.ini
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  Adding or removing vendors requires ACS services to be re-started.
  Please make sure regedit is not running as it can prevent registry
  backup/restore operations
  Are you sure you want to proceed? (y/n)y
  Parsing [c:\temp\packet.ini] for addition at UDV slot [0]
  Stopping any running services
  Creating backup of current config
  Adding Vendor [Packeteer] added as [RADIUS (Packeteer)]
  Adding VSA [Packeteer-AVPair]
  Done
  Checking new configuration...
  New configuration OK
  Re-starting stopped services
  Verify that Packeteer was added.
  C:\Program Files\CiscoSecure ACS v3.0\Utils>
  C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -listudv
  CSUtil v3.0(2.5), Copyright 1997-2002, Cisco Systems Inc
  UDV 0 - RADIUS (Packeteer)
  UDV 1 - Unassigned
  UDV 2 - Unassigned
  UDV 3 - Unassigned
  UDV 4 - Unassigned
  UDV 5 - Unassigned
  UDV 6 - Unassigned
  UDV 7 - Unassigned
  UDV 8 - Unassigned
  UDV 9 - Unassigned
  4. Return to ACS Admin and select Network Configuration.
  From the main screen select Network Configurtion and add the PacketShaper by supplying the AAA client Hostname, IP address: , Key. Scroll through the Authenticate Using choices and select RADIUS (Packeteer).
  5. From the main screen select User Setup and enter a user name for a Touch or Look access user to the Packet Shaper. Supply the PAP/CHAP password. Leave other fields at defaults and scroll to the bottom
  of the form. Be sure the Packeteer-AVPair box is selected and supply either
  "access=touch" or "access=look" in the available entry space.

• Radius Authentication in ACS 5.2 with AD

  Friend,
  I have a questión about radius authenticaction with AD, when I log in into the network with user in AD and I make a mistake in password my radius authenticaction event in ACS 5.2 dont show me this logg. only show the authentication succeeded but dont show me the authentication failed. Maybe i must to enable same service to show the authentiaction failed. The Voice authetication works fine..
  This is the confg in the port of the switch:
  interface FastEthernet0/12
  switchport mode access
  switchport access vlan 2
  switchport voice vlan 10
  authentication port-control auto
  authentication host-mode multi-domain
  authentication violation protect
  authentication event fail action authorize vlan 11
  authentication event fail retry 2 action authorize vlan 11
  authentication event no-response action authorize vlan 11
  authentication periodic
  authentication timer reauthenticate 60
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 10
  dot1x max-reauth-req 3
  spanning-tree portfast
  end
  Vlan 2: DATA
  Vlan 10: VOICE
  Vlan 11: GUEST
  thank...
  Marco

  Hi Marco,
  When you type in the wrong password do you see the login fail on the device you entered it? Depending on how you have configured fallback mechanisms on ACS, an attempt can still be permited eventhough the authentication failed.
  It would be best to take a look at the authentication steps under the RADIUS authentication log for an attempt you beleive should have failed to see what ACS is doing with the request.
  Steve.

• How to configure router to use ip pool on the aaa server for vpn clients

  how to configure router to use ip pool on the aaa server for vpn clients . i want to use vpn clients to connect to the router. authenticate using the aaa server username databse and also use the ip pool cretaed on the aaa server. i am not able to find the command on the router pointing to use the pool created on the aaa server. can u some one help me with this command.
  sebastan

  Hello Sebastan,
  what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
  Regards,
  GNT

• How to configure sendmail to use multiple LDAP servers ?

  Hi everybody!
  I have a sendmail running on Solaris 10 and a LDAP server(192.168.1.9) also running Solaris 10 OS. I have configured the sendmail the following way:
  bash-3.00# ldapclient list
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
  NS_LDAP_BINDPASSWD= {NS1}*********************
  NS_LDAP_SERVERS= 192.168.1.9
  NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
  NS_LDAP_AUTH= simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= sub
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= default
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_BIND_TIME= 10
  I also have another LDAP server (IP 192.168.1.10). It is configured as a replicant of the 192.168.1.9 LDAP server.
  The question is how can i configure sendmail to use both LDAP servers ?
  The man pages explain how to configure ldapclient to use ONE server and what if want to use two or more? All the settings and the profiles the same.
  Thanks in advance =))

  Hi!
  To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
  ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
  But this is only failover, AFAIK the Solaris ldapclient does not perform loadbalancing by itself.
  But I am not sure about your sendmail programm. Normally, sendmail has its own configuration
  and can be configured to use LDAP e.g. for aliases etc.
  Regards!
  Rainer

• Osb 11 : How to configure tuxedo business services in a clustered domain.

  Hi,
  We have a platform with a clustered domain Osb ( 1 admin server and 2 managed servers dispatch on several physical servers) and two Tuxedo instances offering the same service exported in 2 different gateways on each Tuxedo instance.
  How to configure a business service with tuxedo transport working on this platform with failover and load balancing ?

  Thanks for the answer but it doesn't work.
  The fact is that we work on OSB 11, not directly in WebLogic.
  And Osb always modify the WTC configuration even if we modify it before in weblogic.
  To define a business service with multiple remote access points and apply a load balancing algorythm, Osb need an URI for each remote access point (not for each imported service).