IKEv2 AnyConnect and Pool allocation via RADIUS

Similar Messages

• Anyconnect session accounting via radius or syslog ?

  Hi
  Does anyone have a deployed accounting method to log Anyconnect session details ?  Do you do it via a radius server or via logging messages to a syslog server ?
  If so could you assist with appropriate configuration ?  I am looking to log successful and unsuccessful authentications as well as session length, log on and log off times.
  I've been playing around with Anyconnect authenticating to AD via ACS 5.1 but can't seem to get the accounting details I require.  Similarly I have tried to catch appropriate syslog messages but again without much success.
  Many thanks for any input, St.

  What all you have configured for radius accounting on ASA?
  Can you paste the o/p of show run aaa-server and show run tunnel-group
  Basically all you need to define radius server group and call that group under tunnel-group parameters.
  !--- Configure the AAA Server group.
  ciscoasa(config)# aaa-server RAD_SRV_GRP protocol RADIUS
  ciscoasa(config-aaa-server-group)# exit
  !--- Configure the AAA Server.
  ciscoasa(config)# aaa-server RAD_SRV_GRP (inside) host 192.168.1.2
  ciscoasa(config-aaa-server-host)# key secretkey
  ciscoasa(config-aaa-server-host)# exit
  !--- Configure the tunnel group to use the new AAA setup.
  ciscoasa(config)# tunnel-group ExampleGroup1 general-attributes
  ciscoasa(config)#accounting-server-group RAD_SRV_GRP.
  Once done, you can then establish a session and check radius accounting detailed packet on ACS 5.x >> Monitoring and reports > catalog > aaa protocols > radius accounting.
  In case you don't see radius accounting after following the above steps then please turn on the "debug aaa accouting and debug radius on ASA". This way we can check whether ASA is sending the accountinf session details to ACS or not.
  Regards,
  Jatin Katyal
  - Do rate helpful posts -

• AnyConnect and Pre-Shared Keys

  Hello,
  I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect Client on Android to connect to my ASA 5505 via IPSEC. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know, I'm not sure what to put on here to give the info needed to help. Thanks!

  Believe I found my answer:
  Cisco AnyConnect VPN
  Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
  A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
  From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
  If there is a workaround or something, please let me know. If not, oh well!

• Dynamic IP allocation by Radius server

  Hi community,
  Can Cisco Radius server allocation different IP pools for requests from difference source IP addresses but having the same username/ password information? We have multiple GGSNs using dynamic IP allocation by Radius server. In Radius server, we configure username is subscriber's MSISDN. So we face a situation that a subscriber can go through any GGSN but for different GGSN, Radius server return different IP pools, even for the same subscriber. Is it possible?
  Thanks and regards,
  Hieu

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• Using ISE guest store via RADIUS

  I have a question concerning the guest store on the ISE.
  I would like to establish a guest portal on a WLC (currently running version 7.0.220.0). The guest network shouldn’t have any connection to the company network. So I can’t redirect to the ISE guest portal and have to use the local portal on the WLC and pass the login data to the ISE via RADIUS. Nevertheless I want to use the guest store on the ISE.
  On the ISE I can only select the internal user store as identity source. But this seems not to include the guest user store.
  Has anyone already implemented a similar solution or any idea how to access the guest store?
  Thanks
  Thomas

  I just created a simple setup and tested the login.
  It doesn't work with a user created as a guest account.
  If I create the user in the normal internal identity store I works fine.
  Might there be a difference between ISE Versions?
  We are currently using Version 1.1.0.665 on a VM for testing purpose.
  This is what the details show:
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24206  User disabled
  22057  The advanced option that is configured for a failed authentication request is used
  22061  The 'Reject' advanced option is configured in case of a failed authentication request
  11003  Returned RADIUS Access-Reject
  11001  Received RADIUS Access-Request
  11017  RADIUS created a new session
  Evaluating Service Selection Policy
  15048  Queried PIP
  15048  Queried PIP
  15004  Matched rule
  Evaluating Identity Policy
  15006  Matched Default Rule
  15013  Selected Identity Store - Internal Users
  24210  Looking up User in Internal Users IDStore - tuser001
  24212  Found User in Internal Users IDStore
  22037  Authentication Passed
  Evaluating Authorization Policy
  15004  Matched rule
  15016  Selected Authorization Profile - Guest
  11022  Added the dACL specified in the Authorization Profile
  11002  Returned RADIUS Access-Accept

• Cisco 1602i + Authenticating users via RADIUS?

                 Hello,
  Our company recently purchased a Cisco 1602i standalone WAP to replace the WAP4410Ns that we were having issues with.  I am now attempting to configure the RADIUS authentication, as we have a User network and a Guest connection.  The Guest connection works fine, using WPA PSK.  However, I can't seem to get the RADIUS authentication to work.  Reading the documentation has got me a little confused, and I have tried turning on debugging (debug radius authentication, debug aaa) but those show nothing.  Also, in the RADIUS server itself (Windows 2008 R2 NPS), I see nothing in the logs when I try to connect using a device or the "test aaa" command.  Can someone guide me on what I'm doing wrong?  I followed someone's advice on another forum and removed "authentication network-eap" from the SSID (phoenix_2), and now when I attempt to connect with a device it just asks me for a password, it doesn't prompt for a username anymore.  I am very stumped.  Here's the relevant config:
  aaa new-model
  aaa group server radius rad_eap
  server 10.200.5.24
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone EST -5 0
  ip cef
  ip domain name gst
  dot11 syslog
  dot11 vlan-name guest vlan 255
  dot11 vlan-name user vlan 140
  dot11 ssid phoenix_2
     vlan 140
     band-select
     authentication open eap eap_methods
     mbssid guest-mode
  dot11 ssid walker_2
     vlan 255
     band-select
     authentication open
     authentication key-management wpa version 2
     mbssid guest-mode
     wpa-psk ascii 7 0353035E535879191B
  interface BVI1
  ip address 10.200.5.70 255.255.255.0
  ip default-gateway 10.200.5.1
  ip forward-protocol nd
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip route 0.0.0.0 0.0.0.0 10.200.140.1
  ip route 0.0.0.0 0.0.0.0 10.200.5.1
  ip radius source-interface BVI1
  access-list 111 permit tcp any any neq telnet
  snmp-server community G!0bal RO
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 10.200.5.24 key 7 01445E510E1C07032A495C0D0B0C011718190D3E2E767863
  radius-server vsa send accounting
  The NPS worked just fine with the WAP4410Ns, not sure why we're having so much trouble with the 1602i. 

  Thanks Rasika, your link worked.  I had the authentication key before, but i removed it while I was trying different things.  My main issue was not applying the list name to the ssid, the documentation did not make it clear that when the radius server is specified using the "radius-server ...." command, that the radius group refers to that command when you configure the group.  Once that clicked, it made sense that the method list name was specifed by the radius group, and that the authentication methods then referred to the radius group.  It was a big question mark in my head how the radius server was applied to the SSID prior to reading your post.
  I haven't tried the "erase startup-config" command yet, I will try that next. 
  Quick question, why are both authentication open and authentication network-eap needed?  I would assume authentication network-eap would suffice, unless the authentication open command refers to the allowed devices and not just authentication via RADIUS?

• Specify pool name in radius reply

  hello all . I have 2 pools of IPs on the router ans have dialup vdpn sessions on it , I need some specific users get from a pool and other users from the other pool. Can I return the pool name in the radius reply when the user is authenticating ? and how ?

  If you look in the group/user setup page of ACS you'll see a section "IP Assignment"
  For each group of users, just select the "Assigned from AAA Client pool" and enter the pool name.
  When users authenticate, ACS will send the pool name back to the device.
  This is protocol independant and to some extent RADIUS vendor independant too in that it knows about IETF, Cisco and Ascend assignment methods.

• Reg cluster and pooled tables

  hi experts..
  can u pls give the names of some cluster and pooled tables?
  regards
  Sellavel

  Hello,
  Pooled tables can be used to store control data (e.g. screen sequences, program parameters or temporary data). Several pooled tables can be combined to form a table pool. The table pool corresponds to a physical table on the database in which all the records of the allocated pooled tables are stored.
  A001
  A004
  A005
  A006
  A007
  A009
  A010
  A012
  A015
  A016
  A017
  A018
  A019
  A021
  A022
  Cluster tables contain continuous text, for example, documentation. Several cluster tables can be combined to form a table cluster. Several logical lines of different tables are combined to form a physical record in this table type. This permits object-by-object storage or object-by-object access. In order to combine tables in clusters, at least parts of the keys must agree. Several cluster tables are stored in one corresponding table on the database.
  AUAA
  AUAB
  AUAO
  AUAS
  AUAT
  AUAV
  AUAW
  AUAY
  BSEC
  BSED
  BSEG
  BSES
  BSET
  CDPOS
  Vasanth

• Shared Pool Allocation Problem

  Hi everyone,
  When I execute the following statement from my application, it returns the ORA-04031 29080216 byte can not allocate shared pool ("large pool","unknown object","hash-join subh","kllcqc:kllcqslt") error.
  SELECT DISTINCT KULLANICIID, NOVELKULLANICIADI AS "KULLANICIADI" FROM KULLANICIROLLERI
  LEFT OUTER JOIN KULLANICILAR ON KULLANICIROLLERI.KULLANICIID = KULLANICILAR.ID
  WHERE
  KULLANICIROLLERI.AKTIF = '1' AND
  KULLANICILAR.AKTIF = '1' AND
  KULLANICILAR.NOVELKULLANICIADI IS NOT NULL AND
  GECERLIOLDUGUELEMENTTYPENO = 5 AND GECERLIOLDUGUELEMENTID = 1
  But when I look the parameters their values are
  shared_pool_size : 318767104
  large_pool_size : 335544320
  How can I solve that problem.. Actually the parameters seem to be ok..
  Thanks in advance
  OzerK

  Hi,
  Do you resolved problem with sharet pool allocation ?
  I have a same, with ora-4031 error...
  Best,
  Adam
  [email protected]

• Ikev2---- hostname and xml file

  Hi Everyone,
  Ikev2 anyconnect is working fine from PC.
  In PC under c\programs data\profile     xml file has hostname  say anyconnect_ikev2.
  Under ASDM---anyconnect  profile I changed the hostname to say xyz.com.
  Then from PC I tried to connect again and found that connection was established and hostname under xml profile of user PC is changed to xyz.com.
  Need to know how PC was able to connect even though hostname was changed?
  Regards
  MAhesh

  Mahesh,
  The client is connecting based on the HostAddress field of the profile.
  HostName is what is used to populate the drop down list and identify the connection in "plain language". While it is often the FQDN, it does not have to be.
  When a user established the connection one of the things that happens is that any changes in the profile on the ASA are pushed to the user's locally stored profile.

• Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

  hi,
  is there a way to assigen a QoS service policy via Radius to an Caltalyst 4500/3750 Switchport?
  in detail, we would like to assign this policy
      policy-map SET_EF
       class class-default
         set dscp ef
  to an interface. All traffic should be marked with a defined DSCP value.
  This works find when doing it statically with
      interface FastEthernet2/1
           service-policy input SET_EF
  but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get differnt policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
  that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
  we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
  unfortunately this seems to not work on Catalyst 45k and 37k.
  In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
  it is interesing that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayd - so for my understanding the switch should understand these attibutes (?)
      4503-E#sh aaa attributes
      AAA ATTRIBUTE LIST:
          Type=1     Name=disc-cause-ext                 Format=Enum
          Type=2     Name=Acct-Status-Type               Format=Enum
      <snip>
          Type=345   Name=sub-policy-In                  Format=String
          Type=346   Name=sub-qos-policy-in              Format=String
          Type=347   Name=sub-policy-Out                 Format=String
          Type=348   Name=sub-qos-policy-out             Format=String
  any input is welcome :-))
  best reagrds

  additionally to this discussion, i've just opened a service request with TAC.
  unfortunately the engineer told me that by now per-User QoS is definitely no supported on this two plattforms but it's listed on the roadmap and will be possibly availabe mid 2012......

• WLC Management Admin via RADIUS

  I am trying to have a management user authenticate via radius and have full admin privileges.
  For a WCS I can simply set the radius attribute of "Cisco-AVPair.attr|Wireless-WCS:role0=Admin" and that user will get full admin rights. I found this doc to grant a user lobby admin:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080871921.shtml
  but, it is specific to the using the Cisco ACS as a radius server. What attributes do I need to set for a user to get full admin rights to a WLC when authenticating via radius?  Thanks.

  My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL.  When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console.  The last time this happened I had to reset the WLC and start over.  I don't want to do that again, so I need some way to get into the WLC.
  Once I can get back into the WLI would prefer using Active Directory to authenticate the management user but that doesn't seem to work.  My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches andd Routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS.  I have set the RADIUS (MS IAS) to return two attributes;
  1. Vendor-Specific -Vendor Code 14179, Value=management
  2. Service-Type - Value=Login
  When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user.  But the login prompt for the GUI comes back as if it has failed.  Same with the CLI login.  Now I can't get logged into the WLC.  How can I get into the box to manage it again?
  Thanks

• NAT Pool Allocation

  I was troubleshooting a connectivity issue for a client and he kept asking me to check the 'NAT pool allocation' on the loadbalancer context.  My company uses a ACE module running software version A5(2.2).  I could find no command such as show nat or show allocation.  Running show xlate does not give me a count but a list of all the translation.
  Can someone explain to me what exactly my client is asking for?

  Hi,
  Perhaps this:
  switch/Admin# show np 1 me-stats -vsocm | include NAT
  NAT[static mapped]:                               0             0
  NAT[static real]:                                 0             0
  NAT[xlate alloc fail]:                            0             0
  NAT[xlate real hit]:                              0             0
  NAT[xlate mapped hit]:                            0             0
  NAT[invalid xlate]:                               0             0
  NAT[dump xlate]:                                  0             0
  NAT[xlate release failed]:                        0             0
  NAT Pool Alloc [fail]:                            0             0
  NAT Pool Alloc [addr]:                            0             0
  NAT Pool Alloc [addr/port]:                       0             0
  NAT Pool Free [addr]:                             0             0
  NAT Pool Free [addr/port]:                        0             0
  NAT Pool Free [orphan IP]:                        0             0
  Drop [Need NAT IPv4-6]:                           0             0
  Drop [Need NAT IPv6-4]:                           0             0
  NAT free no xlate [real addr]:                    0             0
  NAT free no xlate [mapped addr]:                  0             0
  NAT Dynamic Xlate GC Reaped:                      0             0
  NAT Implicit PAT Alloc [fail]:                    0             0
  NAT Implicit PAT Alloc:                           0             0
  NAT Implicit PAT Free:                            0             0
  Based on model, np x  can be 1, 2, 3 and 4.
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Clustertable and pooled table

  hi guru
  which type of data is store in cluster table and pooled table?
  what is relation between cluster and pooled table

  Hi,
  . Transparent tables (BKPF, VBAK, VBAP, KNA1, COEP)
  · Allows secondary indexes (SE11->Display Table->Indexes)
  · Can be buffered (SE11->Display Table->technical settings) Heavily updated tables should not be buffered.
  II. Pool Tables (match codes, look up tables)
  · Should be accessed via primary key or
  · Should be buffered (SE11->Display Table->technical settings)
  · No secondary indexes
  · Select * is Ok because all columns retrieved anyway
  III. Cluster Tables (BSEG,BSEC)
  · Should be accessed via primary key - very fast retrieval otherwise very slow
  · No secondary indexes
  · Select * is Ok because all columns retrieved anyway. Performing an operation on multiple rows is more efficient than single row operations. Therefore you still want to select into an internal table. If many rows are being selected into the internal table, you might still like to retrieve specific columns to cut down on the memory required.
  · Statistical SQL functions (SUM, AVG, MIN, MAX, etc) not supported
  · Can not be buffered
  IV. Buffered Tables (includes both Transparent & Pool Tables)
  While buffering database tables in program memory (SELECT into internal table) is generally a good idea for performance, it is not always necessary. Some tables are already buffered in memory. These are mostly configuration tables. If a table is already buffered, then a select statement against it is very fast. To determine if a table is buffered, choose the 'technical settings' soft button from the data dictionary display of a table (SE12). Pool tables should all be buffered.
  "Major difference betwen Standard tables,Pooled tables and Cluster Tables?
  1.A transparent table is a table that stores data directly. You can read these tables directly on the database from outside SAP with for instance an SQL statement.
  2.Transparent table is a one to one relation table i.e. when you create one transparent table then exactly same table will create in data base and if is basically used to store transaction data.
  3.A clustered and a pooled table cannot be read from outside SAP because certain data are clustered and pooled in one field.
  4.One of the possible reasons is for instance that their content can be variable in length and build up. Database manipulations in Abap are limited as well.
  5.But pool and cluster table is a many to one relationship table. This means many pool table store in a database table which is know as table pool.
  6.All the pool table stored table in table pool does not need to have any foreign key relationship but in the case of cluster table it is must. And pool and cluster table is basically use to store application data.
  7.Table pool can contain 10 to 1000 small pool table which has 10 to 100 records. But cluster table can contain very big but few (1 to 10) cluster table.
  8.For pool and cluster table you can create secondary index and you can use select distinct, group for pool and cluster table. You can use native SQL statement for pool and cluster table.
  9.A structure is a table without data. It is only filled by program logic at the moment it is needed starting from tables.
  10.A View is a way of looking at the contents of tables. It only contains the combination of the tables at the basis and the way the data needs to be represented. You actually call directly upon the underlying tables.
  'The table which store information about Structures and Tables are as follows:
  DD02L - table properties
  DD02T - table texts
  DD03L - field properties
  DD03T - field texts
  Creating cluster/pool tables:
  http://help.sap.com/saphelp_nw04/helpdata/en/cf/21f0b7446011d189700000e8322d00/content.htm
  creating transparent tables
  http://help.sap.com/saphelp_nw04/helpdata/en/cf/21eb6e446011d189700000e8322d00/frameset.htm
  Thanks,
  Reward If Helpful.