IP address sent to TACACS server
Setup a TACACS server on out network to control console and telnet access to routers and switches. Most of our remote routers have multiple wan paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or internal LAN IP?
Hi
FYI,
Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
–In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
–In a TACACS request, the IP address is obtained from the packet that ACS receives.
Similar Messages
-
VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)
Is it possible assign static IP address for VPDN users by TACACS server ?
If yes, please give me some ideas how to do it?
thanks,
bmI think that is possible only while using CSACS for windows but not with CSACS for UNIX. Atleast I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)
-
Mac Lion won't accept IP address sent from DHCP server
Upgraded to Lion a few days ago. Everything worked for a couple days. Plug in the ethernet cable today and I never get an ip address with DHCP from my router. I have 2 other devices plugged into the router and they get ip addresses normally. Captured the DHCP communication to see if I was getting a valid DHCP offer and I am...it is included. The Lion firewall is disabled. For some reason Lion isn't accepting the DHCP offer. Could this be a bug or maybe something in a cache needs to cleaned out. I connect to several different networks daily and they all work except for this one.
The line in Bold type shows the ip address being offered that never gets accepted by lion.
No. Time Source Destination Protocol Info
26 21.993141 10.19.39.97 255.255.255.255 DHCP DHCP Offer - Transaction ID 0x4e299603
Frame 26 (353 bytes on wire, 353 bytes captured)
Arrival Time: Aug 5, 2011 19:30:01.105566000
[Time delta from previous captured frame: 0.001086000 seconds]
[Time delta from previous displayed frame: 0.001086000 seconds]
[Time since reference or first frame: 21.993141000 seconds]
Frame Number: 26
Frame Length: 353 bytes
Capture Length: 353 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:bootp]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Address: Broadcast (ff:ff:ff:ff:ff:ff)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Source: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
Address: e8:b7:48:e6:ab:5c (e8:b7:48:e6:ab:5c)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.19.39.97 (10.19.39.97), Dst: 255.255.255.255 (255.255.255.255)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 339
Identification: 0x00fa (250)
Flags: 0x00
0.. = Reserved bit: Not Set
.0. = Don't fragment: Not Set
..0 = More fragments: Not Set
Fragment offset: 0
Time to live: 255
Protocol: UDP (0x11)
Header checksum: 0x882c [correct]
[Good: True]
[Bad : False]
Source: 10.19.39.97 (10.19.39.97)
Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
Source port: bootps (67)
Destination port: bootpc (68)
Length: 319
Checksum: 0x038d [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Bootstrap Protocol
Message type: Boot Reply (2)
Hardware type: Ethernet
Hardware address length: 6
Hops: 0
Transaction ID: 0x4e299603
Seconds elapsed: 0
Bootp flags: 0x8000 (Broadcast)
1... .... .... .... = Broadcast flag: Broadcast
.000 0000 0000 0000 = Reserved flags: 0x0000
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 10.19.39.98 (10.19.39.98)
Next server IP address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 0.0.0.0 (0.0.0.0)
Client MAC address: Apple_17:fd:5d (c4:2c:03:17:fd:5d)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: (OK)
Option: (t=53,l=1) DHCP Message Type = DHCP Offer
Option: (53) DHCP Message Type
Length: 1
Value: 02
Option: (t=54,l=4) DHCP Server Identifier = 10.19.39.97
Option: (54) DHCP Server Identifier
Length: 4
Value: 0A132761
Option: (t=51,l=4) IP Address Lease Time = 1 day, 23 hours, 39 minutes, 50 seconds
Option: (51) IP Address Lease Time
Length: 4
Value: 00029E46
Option: (t=58,l=4) Renewal Time Value = 23 hours, 49 minutes, 55 seconds
Option: (58) Renewal Time Value
Length: 4
Value: 00014F23
Option: (t=59,l=4) Rebinding Time Value = 1 day, 17 hours, 42 minutes, 16 seconds
Option: (59) Rebinding Time Value
Length: 4
Value: 00024A78
Option: (t=1,l=4) Subnet Mask = 255.255.255.240
Option: (1) Subnet Mask
Length: 4
Value: FFFFFFF0
Option: (t=6,l=8) Domain Name Server
Option: (6) Domain Name Server
Length: 8
Value: AB44E278AB46A8B7
IP Address: 171.68.226.120
IP Address: 171.70.168.183
Option: (t=44,l=8) NetBIOS over TCP/IP Name Server
Option: (44) NetBIOS over TCP/IP Name Server
Length: 8
Value: AB443935AD2573BF
IP Address: 171.68.57.53
IP Address: 173.37.115.191
Option: (t=3,l=4) Router = 10.19.39.97
Option: (3) Router
Length: 4
Value: 0A132761
End OptionI have seen the same issue with my iOS and Mac OS devices (iPhone and MacBook Pro). I have written my own DHCP server (http://notebook.kulchenko.com/embedded/dhcp-and-dns-servers-with-arduino) and have had troubles getting my devices to connect (Windows Vista and Ubuntu devices connect fine). I suspect that this problem happens because the DHCP Offer message is sent to a broadcast address, even though (at least in my case) the broadcast flag is off in the DHCP Discover message I see.
Unfortunately you didn't include the Discover message, so I can't tell for sure, but if it indeed has the broadcast flag set to 0, then the server should send the response message using unicast as per DHCP spec (http://www.ietf.org/rfc/rfc2131.txt, section 4.1):
If the broadcast bit is not set and 'giaddr' is zero and
'ciaddr' is zero, then the server unicasts DHCPOFFER and DHCPACK
messages to the client's hardware address and 'yiaddr' address.
So, it seems like in this case the server may be at fault, even though it would be nice for Mac OS to accept broadcast responses (and would solve my problem too).
Can someone confirm that Mac OS does not accept broadcast responses to DHCP Discover and DHCP Request messages? Thanks.
Paul. -
Prime 1.4 - no aaa authentication tacacs+ server
Anybody know the equivalent command "no aaa authentication tacacs+ server" on PI 1.4. I saw this command on PI 2.2 but I can´t find something similar on 1.4.
Thanks in advanced.Check the following Command line manual for PI 1.4
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-4/command/reference/cli14.html
Apart from that I found this ,let me know if it helps.
Select a command
Add TACACS+ Server—See the “Add TACACS+ Server” section.
Delete TACACS+ Server—Select a server or servers to be deleted, select this command, and click Go to delete the server(s) from the database.
Add TACACS+ Server
Choose Administration > AAA > TACACS+ from the left sidebar menu to access this page. From the Select a command drop-down list choose Add TACACS+ Server , and click Go to access this page.
This page allows you to add a new TACACS+ server to Prime Infrastructure.
Server Address—IP address of the TACACS+ server being added.
Port—Controller port.
Shared Secret Format—ASCII or Hex.
Shared Secret—The shared secret that acts as a password to log in to the TACACS+ server.
Confirm Shared Secret—Reenter TACACS+ server shared secret.
Retransmit Timeout—Specify retransmission timeout value for a TACACS+ authentication request.
Retries—Number of retries allowed for authentication request. You can specify a value between 1 and 9.
Authentication Type—Two authentication protocols are provided. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP).
Command Buttons
Submit
Cancel
Note • Enable the TACACS+ server with the AAA Mode Settings. See the “Configuring AAA Mode” section.
You can add only three servers at a time in Prime Infrastructure. -
I have an Ipad 2 and are having problems sending out emails in one of my email address. This is a POP3 email Account? I always get a message reading that the email was not sent because the server does not allow relaying. I have no such problem with gmail. What could be the problem and how do I resolve this. Is it about settings?
Richard.Welcome to the Apple community.
If you are unable to remember your password, security questions, don’t have access to your rescue address or are unable to reset your password for whatever reason, your only option is to contact Apple ID Support, upon speaking to an operator you should explain that your problem is related to your Apple ID, this way you will not be charged for assistance, even if you don’t have an AppleCare plan.
The operator will take you through some steps you may have already tried, however they need to be sure they have exhausted all usual approaches before trying to reset your account, so you should try to be helpful and show patience with the procedure.
The operator will need to verify they are speaking to the account holder and may ask you some questions that only the account holder could know, and you will need to answer them if the process is to proceed.
Once the operator has verified your identity they will send a message through to your device which contains an alpha numeric code, which you will need to read back to them.
Once this has been completed they will send an email to your iCloud email address after a period of 24 hours, so you should check that mail is enabled in your devices iCloud settings.
Upon receipt of the email, use the reset link provided to reset your password, after which you should be able to make the adjustments to iCloud that you wish to do. -
I downloaded BBM for iphone. but i cant activate it..its asking server address sent by administrator..but i didnt receive any e-mail..can somebody help me to activate my bbm in iphone?
I think you downloaded BES10, try downloading the bbm app instead.
-
Not able to login to router using ssh when TACACS server is down
When TACACS server is not reachable router is not allowing the local password to login using ssh. Router's SSH debug says authentication is successful but ssh client gets % Authorization failed meassage and disconnects.
kindly see below debug output and config
SSH server end:
Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: le
ngth 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally
SSH Client end Log:
% Authorization failed.
[Connection to 10.255.15.2 closed by foreign host]
COnfig:
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
password xxxx
transport input telnet ssh
Kindly reply your viewsI believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
% Authorization failed.
I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
aaa authorization config-commands
I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
HTH
Rick -
IOS 15 not working with my TACACS server
Hi All,
I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
I understand that the commands for Tacacs changeda bit in IOS15 but from what I have read and changed I'm still having trouble. Config below from once of the routers I'm having trouble with...
Am I missing something?
aaa new-model
aaa group server tacacs+ ACS1
server name AUTH
aaa authentication login ACS-List group ACS1 local
aaa authorization exec ACS-List group ACS1 local
aaa accounting commands 15 ACS-List
action-type start-stop
group ACS1
aaa session-id common
acacs-server directed-request
tacacs server AUTH
address ipv4 172.x.x.x
key 7 xxxxxxxx
and on my VTY Lines...
privilege level 15
password 7 151619050826222A2F
authorization exec ACS-List
accounting commands 15 ACS-List
accounting exec ACS-List
login authentication ACS-List
length 0
transport input telnet sshI ran those debugs, then tried to login on another telnet session -
Jul 2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
Jul 2 15:01:57.278: TPLUS: processing accounting request id 1781
Jul 2 15:01:57.278: TPLUS: Sending AV task_id=1997
Jul 2 15:01:57.278: TPLUS: Sending AV timezone=SIN
Jul 2 15:01:57.278: TPLUS: Sending AV service=shell
Jul 2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
Jul 2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
Jul 2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
Jul 2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
Jul 2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
Jul 2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
Jul 2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
Jul 2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
Jul 2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:11.658: TPLUS: processing authentication start request id 1785
Jul 2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:11.662: TPLUS: Using server 172.x.x.x
Jul 2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
Jul 2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:24.474: TPLUS: processing authentication start request id 1785
Jul 2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:24.474: TPLUS: Using server 172.x.x.x
Jul 2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet -
TACACS+ Server not logging events.
Hi all,
I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that cisco provides for free on a mandrake 10.1 linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.
Here is the config I used on one of our routers.
aaa group server tacacs+ prego
server xxx.xxx.xxx.xxx
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group prego
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip subnet-zero
Also here is a sh verion
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 22:23 by eaarmas
Image text-base: 0x60008954, data-base: 0x61C2C000
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
Processor board ID JMX0749L1XC
R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of non-volatile configuration memory.
31360K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Any help would be great.
Thank you
Joseph JacksonIf you are able to authenticate via TACACS I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc) and that the TACACS server recognizes the router ok.
So I assume that either there is some problem on the router generating the accounting records. Or that there might be a problem on the server and receiving and processing the accounting records.
As a next step in investigating this issue I suggest that you run two debugs on the router:
debug aaa accounting
debug tacacs accounting
While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
HTH
Rick -
RADIUS or TACACS Server Recommendations
Can anyone point to a good, inexpensive RADIUS or TACACS server solution that runs on Windows? Cisco ACS is a bit more money than is wanted to part with at the moment.
Thanks in advance. All replies rated.I guess that is a case only with W2K3STD where number of radius/aaa clients are limited to 50 only.
NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
~BR
Jatin Katyal
**Do rate helpful posts** -
Mail reply address not recognized by server
On Apple Mail using Road Runner server my replies don't get sent because "the server does not accept my address" as the sender. I can't send new messages either. Incoming mail to the same address works fine. My address is unchanged from when it worked. My device is an Apple Air notebook, new, 11" running 10.9.3 Maverick.
I still haven't found a solution to this problem. I purchased Office for Mac with Outlook 2011 because my IT guy told me that there were lots of people using Macs and that they used this program. It worked for 3 days and then I encountered the exact same problem. See below.
Mail could not be received at this time
The server for account "xxxxx" returned the error "Logon failure: unknown user name or bad password." Your username/password or security settings may be incorrect. Would you like to try re-entering your password?
I've asked my IT department and they have no idea what's going on. Apparently my IP address doesn't even show up on their servers. Can someone please help me?
Thanks.
- Peter -
Tacacs+ server dead issue
Dear Cisco Guru's,
tacacs-server host 10.2.100.100
tacacs-server host 10.2.17.203
We have 2 tacacs+ servers defined in ACS 5.2. When putting 10.2.100.100 down, tacacs authentication continues to try to authenticate to the dead server,how is this possible ?
Normal behaviour should be going to the second (10.2.17.203) after the first Tacacs+ server timeout (default 5s).
Tacacs+ Server : 10.2.100.100/49
Socket opens: 15
Socket closes: 15
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 85
Total Packets Sent: 0
Total Packets Recv: 0
Tacacs+ Server : 10.2.17.203/49
Socket opens: 166
Socket closes: 166
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 195
Total Packets Recv: 195
Many thanks,
Lieven Stubbe
Belgian railwaysRichard, Kashif,
1) 10.2.100.100 is a dummy IP to be sure we have a correct test scenario :
tacacs-server host 10.2.100.100
tacacs-server host 10.2.17.203
2) We have defined 2 testswitches with this config :
C3560 (12.2(53))
C3750 (12.2(55))
with our 3560, it hits the timeout counter of 5s of the dead tacacs server, once logged in, all other tacacs commands are treated by 10.2.17.203
Failed connect attemps raises by 1
with our 3750, with each tacacs command, it hits the timeout counter of 5s of the dead tacacs server everytime, before going to the 10.2.17.203, so all commands are executed but each time with a timeout delay of 5s.
Failed connect attemps raises by number of tacacs commands typed
Many thanks,
Lieven Stubbe
Belgian Railways -
How to configure management authentication on IAP using Tacacs Server?
Requirement:
Instant access points come with default username and password i.e admin/admin. This does not go long way, as the IAP start finding their place in campus and corporate networks.
With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
Solution:
Keep this in view, IAP development teams have integrated TACACS and Radius based management authentication.
Configuration:
Follow the below steps to configure radius authentication in IAP:
Login to IAP web interface
Select "System" from the main menu and then click on "Admin" tab
Under local authentication, select as "Authentication Server"
Under the "Auth Server 1" Select "New Server"
Filling the name, IP address and shared key for Tacacs server and click OK.
Verification
Logout of the IAP web interface and try logging in using the username and password on TACACS server.I was having troubles with this as well when a customer had an older Aruba Controller and 2 Access Points. We went with a couple IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.I also found there is a difference in using the CN= and OU=Currently our admin account is in the Users group which is a “Container”. Our actual user accounts are stored in an Orginizational Unit with sub OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.For the windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and IPHONE did not need any additional addins for the authentication. The windows laptop I am using I needed to manually create a wireless profile with… Security Tab >“Choose a network authentication method:”Microsoft: Protected EAP (PEAP)Settings >Select “Trusted Root Certification Authorities”GeoTrust Global CASelect Authentication Method:EAP-Token (This is the Aruba GTC Shim) This allowed me to use my domain login credentialsUsernamePasswordDomain (This is blank because the Base-DN already has this, if anything is put in here the authentication fails)
-
I cannot send email from my ipad. Getting address is rejected from server message.
I cannot send email from my ipad. Getting address is rejected from server message.
Check the outgoing mail server setting. Make sure that your username and password are in there.
Settings>Mail, Contacts, Calendars>Your email account>Account>Outgoing mail server - tap the server name next to SMTP and check in the primary server and make sure your username and password are entered and correct - even if it says that the password is optional. -
Hello. I am using an Android cell phone and, though the phone sees my home server name and accepts my password, it won't connect. I understand that I may have to add my phone's Wi-Fi Mac address to my home server in order for it to allow my phone access, but I have no idea how I might do that. Could someone help me with this? Thank you.
Tdalso wrote:
How do I add a phone number so I can use either my US or Canadian number (depending on where I am) with iMessage and Facetime on both my iPhones?
You need to log out of iMessage and Facetime, make sure your number is correct in Settings/General/About, then log back in again to send a new activation request.
Maybe you are looking for
-
Gr in more than one batch for 1 prd ord
Hi Gurus I have a tipical problem. We have batch creation at the time of order release. Now some times due to some process error we recevie output with different characterstics so the whole output cannot be said as one batch. Is is possible now to do
-
How to customize the images before upload to KM
hai everybody i want to know how to customize the images before uploading into KM.if anybody know reply.thanks in advance
-
IMac G4/800 in FireWire Target Disk Mode shuts down, hard drive hopeless?
I have found myself in possession of a 12 year-old iMac G4/800. The machine looks stock and was nice and full of dust when I took it apart, so I'm going to assume nothing has been upgraded on it. The person who the computer belongs to has had issues
-
Twinax cable compatibility with 2960X
Hi, I'm trying to connect WS-C2960X-48FPD-L with WS-C4500X-40X-ES via SFP-H10GB-ACU10M (Twinax cable). On 2960X I'm running 15.0(2)EX5 & on C4500X IOS XE 03.06.01.E, now where I use twinax cable on 2960X I get invalid gbic error and port gets er
-
MF4770n Linux Printing Over Wired Ethernet
Having a problem printing from Linux over the wired network to my MF4770n. CUPS finds the printer over the network just fine (I've tried all 3 connection options offered). CUPS reports the test prints finished OK. The printer wakes up from sleep and