IP address sent to TACACS server

Set up a TACACS server on our network to control console and telnet access to routers and switches. Most of our remote routers have multiple WAN paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?

Hi
FYI,
Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
– In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
– In a TACACS request, the IP address is obtained from the packet that ACS receives.
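The lookup order described in this answer, as an added Python example (not code from the thread or from ACS), showing why a multi-path router fails the device lookup over TACACS while a RADIUS request carrying NAS-IP-Address does not. The device table, addresses and function names are constructed for illustration; treating a NAS-Identifier that is not an IPv4 literal as absent is an assumption.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4   # RADIUS attribute 4
NAS_IDENTIFIER = 32  # RADIUS attribute 32

# Constructed sample data: the device is registered on the AAA server by its loopback.
DEVICES = {"10.255.0.1": "branch-rtr-01"}
WAN_A, WAN_B = "192.0.2.10", "198.51.100.10"  # egress addresses of the two WAN paths


def radius_attributes(packet: bytes) -> dict:
    """Parse the attribute TLVs that follow the 20-byte RADIUS header."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep first occurrence
        pos += a_len
    return attrs


def device_ip(protocol: str, packet_source: str, payload: bytes = b"") -> str:
    """Return the address used to identify the AAA client, in the order the answer gives."""
    if protocol == "tacacs":
        # TACACS: only the source address of the received packet is available.
        return packet_source
    if protocol != "radius":
        raise ValueError("protocol must be 'tacacs' or 'radius'")
    attrs = radius_attributes(payload)
    if len(attrs.get(NAS_IP_ADDRESS, b"")) == 4:
        return str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS]))
    if NAS_IDENTIFIER in attrs:
        try:
            return str(ipaddress.IPv4Address(attrs[NAS_IDENTIFIER].decode("ascii")))
        except (ValueError, UnicodeDecodeError):
            pass  # assumption: a non-address identifier falls through to the packet source
    return packet_source


def lookup(protocol: str, packet_source: str, payload: bytes = b"", devices=DEVICES):
    """Return the registered device name, or None when the request is from an unknown client."""
    return devices.get(device_ip(protocol, packet_source, payload))


def build_radius(attrs) -> bytes:
    """Build a constructed Access-Request (code 1) with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    with_nas_ip = build_radius([(NAS_IP_ADDRESS, bytes([10, 255, 0, 1]))])
    for proto, src, payload in [
        ("tacacs", WAN_A, b""),
        ("tacacs", WAN_B, b""),
        ("tacacs", "10.255.0.1", b""),   # router sources TACACS from its loopback
        ("radius", WAN_B, with_nas_ip),  # NAS-IP-Address survives the path change
    ]:
        print(proto, src, "->", lookup(proto, src, payload))
```

On Cisco IOS the source address of TACACS+ packets is pinned with `ip tacacs source-interface <interface>`, so registering the loopback on the server and sourcing from it keeps the lookup stable across WAN paths.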

Similar Messages

  • VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)

    Is it possible to assign a static IP address for VPDN users by TACACS server?
    If yes, please give me some ideas how to do it?
    thanks,
    bm

    I think that is possible only while using CSACS for Windows but not with CSACS for UNIX. At least I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)

  • Mac Lion won't accept IP address sent from DHCP server

    Upgraded to Lion a few days ago. Everything worked for a couple days. Plug in the ethernet cable today and I never get an IP address with DHCP from my router. I have 2 other devices plugged into the router and they get IP addresses normally. Captured the DHCP communication to see if I was getting a valid DHCP offer and I am...it is included. The Lion firewall is disabled. For some reason Lion isn't accepting the DHCP offer. Could this be a bug or maybe something in a cache needs to be cleaned out. I connect to several different networks daily and they all work except for this one.
    The line in Bold type shows the ip address being offered that never gets accepted by lion.
    No.     Time        Source                Destination           Protocol Info
         26 21.993141   10.19.39.97           255.255.255.255       DHCP     DHCP Offer    - Transaction ID 0x4e299603
    Frame 26 (353 bytes on wire, 353 bytes captured)
        Arrival Time: Aug  5, 2011 19:30:01.105566000
        [Time delta from previous captured frame: 0.001086000 seconds]
        [Time delta from previous displayed frame: 0.001086000 seconds]
        [Time since reference or first frame: 21.993141000 seconds]
        Frame Number: 26
        Frame Length: 353 bytes
        Capture Length: 353 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:udp:bootp]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
        Destination: Broadcast (ff:ff:ff:ff:ff:ff)
            Address: Broadcast (ff:ff:ff:ff:ff:ff)
            .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
            .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
        Source: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            Address: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 10.19.39.97 (10.19.39.97), Dst: 255.255.255.255 (255.255.255.255)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 339
        Identification: 0x00fa (250)
        Flags: 0x00
            0.. = Reserved bit: Not Set
            .0. = Don't fragment: Not Set
            ..0 = More fragments: Not Set
        Fragment offset: 0
        Time to live: 255
        Protocol: UDP (0x11)
        Header checksum: 0x882c [correct]
            [Good: True]
            [Bad : False]
        Source: 10.19.39.97 (10.19.39.97)
        Destination: 255.255.255.255 (255.255.255.255)
    User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
        Source port: bootps (67)
        Destination port: bootpc (68)
        Length: 319
        Checksum: 0x038d [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Bootstrap Protocol
        Message type: Boot Reply (2)
        Hardware type: Ethernet
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x4e299603
        Seconds elapsed: 0
        Bootp flags: 0x8000 (Broadcast)
            1... .... .... .... = Broadcast flag: Broadcast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0 (0.0.0.0)
        Your (client) IP address: 10.19.39.98 (10.19.39.98)
        Next server IP address: 0.0.0.0 (0.0.0.0)
        Relay agent IP address: 0.0.0.0 (0.0.0.0)
        Client MAC address: Apple_17:fd:5d (c4:2c:03:17:fd:5d)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: (OK)
        Option: (t=53,l=1) DHCP Message Type = DHCP Offer
            Option: (53) DHCP Message Type
            Length: 1
            Value: 02
        Option: (t=54,l=4) DHCP Server Identifier = 10.19.39.97
            Option: (54) DHCP Server Identifier
            Length: 4
            Value: 0A132761
        Option: (t=51,l=4) IP Address Lease Time = 1 day, 23 hours, 39 minutes, 50 seconds
            Option: (51) IP Address Lease Time
            Length: 4
            Value: 00029E46
        Option: (t=58,l=4) Renewal Time Value = 23 hours, 49 minutes, 55 seconds
            Option: (58) Renewal Time Value
            Length: 4
            Value: 00014F23
        Option: (t=59,l=4) Rebinding Time Value = 1 day, 17 hours, 42 minutes, 16 seconds
            Option: (59) Rebinding Time Value
            Length: 4
            Value: 00024A78
        Option: (t=1,l=4) Subnet Mask = 255.255.255.240
            Option: (1) Subnet Mask
            Length: 4
            Value: FFFFFFF0
        Option: (t=6,l=8) Domain Name Server
            Option: (6) Domain Name Server
            Length: 8
            Value: AB44E278AB46A8B7
            IP Address: 171.68.226.120
            IP Address: 171.70.168.183
        Option: (t=44,l=8) NetBIOS over TCP/IP Name Server
            Option: (44) NetBIOS over TCP/IP Name Server
            Length: 8
            Value: AB443935AD2573BF
            IP Address: 171.68.57.53
            IP Address: 173.37.115.191
        Option: (t=3,l=4) Router = 10.19.39.97
            Option: (3) Router
            Length: 4
            Value: 0A132761
        End Option

    I have seen the same issue with my iOS and Mac OS devices (iPhone and MacBook Pro). I have written my own DHCP server (http://notebook.kulchenko.com/embedded/dhcp-and-dns-servers-with-arduino) and have had troubles getting my devices to connect (Windows Vista and Ubuntu devices connect fine). I suspect that this problem happens because the DHCP Offer message is sent to a broadcast address, even though (at least in my case) the broadcast flag is off in the DHCP Discover message I see.
    Unfortunately you didn't include the Discover message, so I can't tell for sure, but if it indeed has the broadcast flag set to 0, then the server should send the response message using unicast as per DHCP spec (http://www.ietf.org/rfc/rfc2131.txt, section 4.1):
      If the broadcast bit is not set and 'giaddr' is zero and
       'ciaddr' is zero, then the server unicasts DHCPOFFER and DHCPACK
       messages to the client's hardware address and 'yiaddr' address.
    So, it seems like in this case the server may be at fault, even though it would be nice for Mac OS to accept broadcast responses (and would solve my problem too).
    Can someone confirm that Mac OS does not accept broadcast responses to DHCP Discover and DHCP Request messages? Thanks.
    Paul.
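The RFC 2131 section 4.1 rule quoted in the reply above, as an added Python example (not part of the original posts) that decodes the fixed BOOTP header of a client message and returns where a server sends its reply. The Discover messages are constructed here from the MAC address, transaction ID and offered address visible in the capture; the function names are illustrative.

```python
import ipaddress
import struct

BROADCAST_FLAG = 0x8000
ZERO = ipaddress.IPv4Address("0.0.0.0")
L2_BROADCAST = "ff:ff:ff:ff:ff:ff"


def parse_bootp(msg: bytes) -> dict:
    """Decode the fixed BOOTP header fields that drive the reply decision."""
    if len(msg) < 44:
        raise ValueError("too short for a BOOTP header")
    _op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    if hlen > 16:
        raise ValueError("hlen exceeds the 16-byte chaddr field")
    return {
        "xid": xid,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": ipaddress.IPv4Address(msg[12:16]),
        "giaddr": ipaddress.IPv4Address(msg[24:28]),
        "chaddr": msg[28:28 + hlen],
    }


def reply_destination(request: bytes, yiaddr: str, nak: bool = False):
    """Return (dest_ip, dest_udp_port, link_layer_dest) per RFC 2131 section 4.1.

    link_layer_dest is None where ordinary IP forwarding/ARP picks the next hop.
    """
    req = parse_bootp(request)
    mac = ":".join(f"{b:02x}" for b in req["chaddr"])
    if req["giaddr"] != ZERO:
        # Relayed request: reply goes to the relay agent on the server port.
        return (str(req["giaddr"]), 67, None)
    if nak:
        # With giaddr zero, DHCPNAK is always broadcast.
        return ("255.255.255.255", 68, L2_BROADCAST)
    if req["ciaddr"] != ZERO:
        # Client already has a usable address: plain unicast to it.
        return (str(req["ciaddr"]), 68, None)
    if req["broadcast"]:
        return ("255.255.255.255", 68, L2_BROADCAST)
    # Broadcast bit clear, giaddr and ciaddr zero: unicast to chaddr and yiaddr.
    return (yiaddr, 68, mac)


def build_discover(mac: bytes, xid: int, flags: int = 0,
                   ciaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0") -> bytes:
    """Build a constructed 236-byte BOOTREQUEST header (DHCP options omitted)."""
    head = struct.pack("!BBBBIHH", 1, 1, len(mac), 0, xid, 0, flags)
    addrs = b"".join(ipaddress.IPv4Address(a).packed
                     for a in (ciaddr, "0.0.0.0", "0.0.0.0", giaddr))
    return head + addrs + mac.ljust(16, b"\x00") + bytes(192)  # sname + file zeroed


CLIENT_MAC = bytes.fromhex("c42c0317fd5d")  # client MAC shown in the capture
XID = 0x4E299603                            # transaction ID shown in the capture

if __name__ == "__main__":
    for label, flags in (("broadcast bit clear", 0), ("broadcast bit set", BROADCAST_FLAG)):
        discover = build_discover(CLIENT_MAC, XID, flags=flags)
        print(label, "->", reply_destination(discover, "10.19.39.98"))
```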

  • Prime 1.4 - no aaa authentication tacacs+ server

    Anybody know the equivalent command "no aaa authentication tacacs+ server" on PI 1.4? I saw this command on PI 2.2 but I can't find something similar on 1.4.
    Thanks in advance.

    Check the following Command line manual for PI 1.4
    http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/command/reference/cli14.html
    Apart from that I found this, let me know if it helps.
    Select a command
        Add TACACS+ Server—See the “Add TACACS+ Server” section.
        Delete TACACS+ Server—Select a server or servers to be deleted, select this command, and click Go to delete the server(s) from the database.
    Add TACACS+ Server
    Choose Administration > AAA > TACACS+ from the left sidebar menu to access this page. From the Select a command drop-down list choose Add TACACS+ Server , and click Go to access this page.
    This page allows you to add a new TACACS+ server to Prime Infrastructure.
        Server Address—IP address of the TACACS+ server being added.
        Port—Controller port.
        Shared Secret Format—ASCII or Hex.
        Shared Secret—The shared secret that acts as a password to log in to the TACACS+ server.
        Confirm Shared Secret—Reenter TACACS+ server shared secret.
        Retransmit Timeout—Specify retransmission timeout value for a TACACS+ authentication request.
        Retries—Number of retries allowed for authentication request. You can specify a value between 1 and 9.
        Authentication Type—Two authentication protocols are provided. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
    Command Buttons
        Submit
        Cancel
    Note • Enable the TACACS+ server with the AAA Mode Settings. See the “Configuring AAA Mode” section.
        You can add only three servers at a time in Prime Infrastructure.

  • I have an iPad 2 and am having problems sending out emails from one of my email addresses. I always get a message reading the email was not sent because the server does not allow relaying. This is a POP3 email account. I have no such problem with Gmail.

    I have an iPad 2 and am having problems sending out emails from one of my email addresses. This is a POP3 email account. I always get a message reading that the email was not sent because the server does not allow relaying. I have no such problem with Gmail. What could be the problem and how do I resolve this? Is it about settings?
    Richard.

    Welcome to the Apple community.
    If you are unable to remember your password, security questions, don’t have access to your rescue address or are unable to reset your password for whatever reason, your only option is to contact Apple ID Support, upon speaking to an operator you should explain that your problem is related to your Apple ID, this way you will not be charged for assistance, even if you don’t have an AppleCare plan.
    The operator will take you through some steps you may have already tried, however they need to be sure they have exhausted all usual approaches before trying to reset your account, so you should try to be helpful and show patience with the procedure.
    The operator will need to verify they are speaking to the account holder and may ask you some questions that only the account holder could know, and you will need to answer them if the process is to proceed.
    Once the operator has verified your identity they will send a message through to your device which contains an alpha numeric code, which you will need to read back to them.
    Once this has been completed they will send an email to your iCloud email address after a period of 24 hours, so you should check that mail is enabled in your device's iCloud settings.
    Upon receipt of the email, use the reset link provided to reset your password, after which you should be able to make the adjustments to iCloud that you wish to do.

  • I downloaded BBM for iPhone, but I can't activate it. It's asking for the server address sent by the administrator, but I didn't receive any e-mail. Can somebody help me activate my BBM on iPhone?

    I downloaded BBM for iPhone, but I can't activate it. It's asking for the server address sent by the administrator, but I didn't receive any e-mail. Can somebody help me activate my BBM on iPhone?

    I think you downloaded BES10, try downloading the BBM app instead.

  • Not able to login to router using ssh when TACACS server is down

    When the TACACS server is not reachable, the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful but the SSH client gets a "% Authorization failed" message and disconnects.
    Kindly see the debug output and config below.
    SSH server end:
    Sep 1 13:25:10.161: SSH1: starting SSH control process
    Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
    Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
    Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
    Sep 1 13:25:10.397: SSH: RSA decrypt started
    Sep 1 13:25:10.925: SSH: RSA decrypt finished
    Sep 1 13:25:10.925: SSH: RSA decrypt started
    Sep 1 13:25:11.165: SSH: RSA decrypt finished
    Sep 1 13:25:11.197: SSH1: sending encryption confirmation
    Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
    Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
    Sep 1 13:25:11.269: SSH1: authentication request for userid rao
    Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
    Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
    Sep 1 13:25:17.317: SSH1: authentication successful for rao
    Sep 1 13:25:17.413: SSH1: requesting TTY
    Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
    Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
    Sep 1 13:25:17.525: SSH1: starting shell for vty
    Sep 1 13:25:25.033: SSH1: Session terminated normally
    SSH Client end Log:
    % Authorization failed.
    [Connection to 10.255.15.2 closed by foreign host]
    Config:
    aaa authentication login default group tacacs+ line local
    aaa authentication login NO_AUTH line
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization configuration default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    ip domain-name cbi.co.in
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    line vty 0 4
    password xxxx
    transport input telnet ssh
    Kindly reply your views

    I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
    % Authorization failed.
    I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
    aaa authorization config-commands
    I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
    HTH
    Rick

  • IOS 15 not working with my TACACS server

    Hi All,
    I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
    This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
    I understand that the commands for Tacacs changed a bit in IOS15 but from what I have read and changed I'm still having trouble. Config below from one of the routers I'm having trouble with...
    Am I missing something?
    aaa new-model
    aaa group server tacacs+ ACS1
    server name AUTH
    aaa authentication login ACS-List group ACS1 local
    aaa authorization exec ACS-List group ACS1 local
    aaa accounting commands 15 ACS-List
    action-type start-stop
    group ACS1
    aaa session-id common
    tacacs-server directed-request
    tacacs server AUTH
    address ipv4 172.x.x.x
    key 7 xxxxxxxx
    and on my VTY Lines...
    privilege level 15
    password 7 151619050826222A2F
    authorization exec ACS-List
    accounting commands 15 ACS-List
    accounting exec ACS-List
    login authentication ACS-List
    length 0
    transport input telnet ssh

    I ran those debugs, then tried to login on another telnet session -
    Jul  2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
    Jul  2 15:01:57.278: TPLUS: processing accounting request id 1781
    Jul  2 15:01:57.278: TPLUS: Sending AV task_id=1997
    Jul  2 15:01:57.278: TPLUS: Sending AV timezone=SIN
    Jul  2 15:01:57.278: TPLUS: Sending AV service=shell
    Jul  2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
    Jul  2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
    Jul  2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
    Jul  2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
    Jul  2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
    Jul  2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
    Jul  2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
    Jul  2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:11.658: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:11.662: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
    Jul  2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
    Jul  2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
    Jul  2 15:02:24.474: TPLUS: processing authentication start request id 1785
    Jul  2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
    Jul  2 15:02:24.474: TPLUS: Using server 172.x.x.x
    Jul  2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
    Jul  2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet

  • TACACS+ Server not logging events.

    Hi all,
    I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that Cisco provides for free on a Mandrake 10.1 Linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.
    Here is the config I used on one of our routers.
    aaa group server tacacs+ prego
    server xxx.xxx.xxx.xxx
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa accounting exec default start-stop group prego
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip subnet-zero
    Also here is a sh version
    Cisco Internetwork Operating System Software
    IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
    TAC Support: http://www.cisco.com/tac
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Thu 25-Sep-03 22:23 by eaarmas
    Image text-base: 0x60008954, data-base: 0x61C2C000
    ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
    ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
    PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
    System returned to ROM by power-on
    System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
    cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
    Processor board ID JMX0749L1XC
    R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
    Bridging software.
    X.25 software, Version 3.0.0.
    SuperLAT software (copyright 1990 by Meridian Technology Corp).
    2 FastEthernet/IEEE 802.3 interface(s)
    2 Serial network interface(s)
    DRAM configuration is 64 bits wide with parity disabled.
    55K bytes of non-volatile configuration memory.
    31360K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102
    Any help would be great.
    Thank you
    Joseph Jackson

    If you are able to authenticate via TACACS I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc) and that the TACACS server recognizes the router ok.
    So I assume that either there is some problem on the router generating the accounting records, or there might be a problem on the server receiving and processing the accounting records.
    As a next step in investigating this issue I suggest that you run two debugs on the router:
    debug aaa accounting
    debug tacacs accounting
    While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
    HTH
    Rick

  • RADIUS or TACACS Server Recommendations

    Can anyone point to a good, inexpensive RADIUS or TACACS server solution that runs on Windows?  Cisco ACS is a bit more money than is wanted to part with at the moment.
    Thanks in advance.  All replies rated.                  

    I guess that is a case only with W2K3STD where number of radius/aaa clients are limited to 50 only.
    NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
    Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
    Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Mail reply address not recognized by server

    On Apple Mail using Road Runner server my replies don't get sent because "the server does not accept my address" as the sender. I can't send new messages either. Incoming mail to the same address works fine. My address is unchanged from when it worked. My device is an Apple Air notebook, new, 11" running 10.9.3 Maverick.

    I still haven't found a solution to this problem. I purchased Office for Mac with Outlook 2011 because my IT guy told me that there were lots of people using Macs and that they used this program. It worked for 3 days and then I encountered the exact same problem. See below.
    Mail could not be received at this time
    The server for account "xxxxx" returned the error "Logon failure: unknown user name or bad password." Your username/password or security settings may be incorrect. Would you like to try re-entering your password?
    I've asked my IT department and they have no idea what's going on. Apparently my IP address doesn't even show up on their servers. Can someone please help me?
    Thanks.
    - Peter

  • Tacacs+ server dead issue

    Dear Cisco Gurus,
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    We have 2 tacacs+ servers defined in ACS 5.2. When putting 10.2.100.100 down, tacacs authentication continues to try to authenticate to the dead server. How is this possible?
    Normal behaviour should be going to the second (10.2.17.203) after the first Tacacs+ server timeout (default 5s).
    Tacacs+ Server            : 10.2.100.100/49
                  Socket opens:         15
                 Socket closes:         15
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:         85
            Total Packets Sent:          0
            Total Packets Recv:          0
    Tacacs+ Server            : 10.2.17.203/49
                  Socket opens:        166
                 Socket closes:        166
                 Socket aborts:          0
                 Socket errors:          0
               Socket Timeouts:          0
       Failed Connect Attempts:          0
            Total Packets Sent:        195
            Total Packets Recv:        195
    Many thanks,
    Lieven Stubbe
    Belgian railways

    Richard, Kashif,
    1) 10.2.100.100 is a dummy IP to be sure we have a correct test scenario :
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    2) We have defined 2 test switches with this config :
    C3560 (12.2(53))
    C3750 (12.2(55))
    With our 3560, it hits the timeout counter of 5s of the dead tacacs server; once logged in, all other tacacs commands are treated by 10.2.17.203.
    Failed connect attempts rises by 1.
    With our 3750, with each tacacs command, it hits the timeout counter of 5s of the dead tacacs server every time, before going to the 10.2.17.203, so all commands are executed but each time with a timeout delay of 5s.
    Failed connect attempts rises by the number of tacacs commands typed.
    Many thanks,
    Lieven Stubbe
    Belgian Railways

  • How to configure management authentication on IAP using Tacacs Server?

    Requirement:
    Instant access points come with a default username and password, i.e. admin/admin. This does not go a long way as the IAPs start finding their place in campus and corporate networks.
    With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
    Solution:
    Keeping this in view, IAP development teams have integrated TACACS and RADIUS based management authentication.
    Configuration:
    Follow the below steps to configure RADIUS authentication in IAP:
    Log in to the IAP web interface
    Select "System" from the main menu and then click on the "Admin" tab
    Under local authentication, select "Authentication Server"
    Under "Auth Server 1", select "New Server"
    Fill in the name, IP address and shared key for the Tacacs server and click OK.
    Verification
    Logout of the IAP web interface and try logging in using the username and password on TACACS server.

    I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.
    I also found there is a difference in using the CN= and OU=
    Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Organizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.
    For the Windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication. The Windows laptop I am using I needed to manually create a wireless profile with…
    Security Tab > “Choose a network authentication method:” Microsoft: Protected EAP (PEAP)
    Settings > Select “Trusted Root Certification Authorities” GeoTrust Global CA
    Select Authentication Method: EAP-Token (This is the Aruba GTC Shim)
    This allowed me to use my domain login credentials
    Username
    Password
    Domain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)

  • I cannot send email from my ipad. Getting address is rejected from server message.

    I cannot send email from my ipad. Getting address is rejected from server message.

    Check the outgoing mail server setting. Make sure that your username and password are in there.
    Settings>Mail, Contacts, Calendars>Your email account>Account>Outgoing mail server - tap the server name next to SMTP and check in the primary server and make sure your username and password are entered and correct - even if it says that the password is optional.

  • How do I add my phone's Wi-Fi Mac address to my home server so that I can use my home Wi-Fi with my phone?

    Hello. I am using an Android cell phone and, though the phone sees my home server name and accepts my password, it won't connect. I understand that I may have to add my phone's Wi-Fi Mac address to my home server in order for it to allow my phone access, but I have no idea how I might do that. Could someone help me with this? Thank you.

    Tdalso wrote:
    How do I add a phone number so I can use either my US or Canadian number (depending on where I am) with iMessage and Facetime on both my iPhones?
    You need to log out of iMessage and Facetime, make sure your number is correct in Settings/General/About, then log back in again to send a new activation request.
