L2TP and TACACS+

Hello.
I have a PPTP server on my Cisco 3845 router with authentication against a freeware TACACS+ server (Linux). TACACS sets the ACL and IP address for users.
Recently my employers decided to migrate to L2TP over IPsec. Moreover, the old PPTP server should keep working.
Can I use the TACACS server to authenticate L2TP users?
I have a config like this on TACACS.
user = user1 {
        chap = cleartext "password"
        member = vpdn
        service = ppp protocol = ip {
                addr = 172.20.20.200
                inacl=2005
        }
}
Sorry for my English.

Please see the document below. This document describes how to configure Layer 2 Tunnel Protocol (L2TP) with TACACS+. It includes sample configurations for L2TP Access Concentrator (LAC) TACACS+ servers, L2TP Network Server (LNS) TACACS+ servers, and routers.
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080118d5f.shtml
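
An added example, not part of the original thread or of the linked Cisco document: a small Python audit of tac_plus stanzas in the format posted in the question, useful when the same per-user `addr` and `inacl` entries are about to serve both PPTP and L2TP. It goes slightly beyond the single posted stanza (it also accepts `group` blocks and checks for duplicate static addresses); the sample users, the rule names and the one-statement-per-line layout are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the tac_plus stanza format shown in the post.
# user2, user3 and every value below are made up for this example.
SAMPLE_CONFIG = '''
user = user1 {
        chap = cleartext "password"
        member = vpdn
        service = ppp protocol = ip {
                addr = 172.20.20.200
                inacl=2005
        }
}
user = user2 {
        chap = cleartext "password2"
        member = vpdn
        service = ppp protocol = ip {
                addr = 172.20.20.200
        }
}
user = user3 {
        chap = cleartext "password3"
        member = vpdn
        service = ppp protocol = ip {
                addr = 172.20.20.201
                inacl=2005
'''

OPEN_OWNER = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{$')
OPEN_SERVICE = re.compile(r'^service\s*=\s*(\S+)\s+protocol\s*=\s*(\S+)\s*\{$')
ATTR = re.compile(r'^([\w-]+)\s*=\s*(.+)$')


def audit(text):
    """Return (owner, rule, detail) findings; rule names are hypothetical."""
    findings = []
    addr_owners = defaultdict(list)   # static address -> owners that claim it
    stack = []                        # kinds of the currently open blocks
    owner = None                      # e.g. "user1" while inside its stanza
    svc = None                        # attributes of the open service block

    def close_service():
        nonlocal svc
        # Policy assumption: every static PPP address also carries an ACL.
        if svc and svc['kind'] == 'ppp/ip' and 'addr' in svc and 'inacl' not in svc:
            findings.append((owner, 'no-inacl', 'addr %s without inacl' % svc['addr']))
        svc = None

    def report_unclosed():
        close_service()
        findings.append((owner, 'unclosed-block', '%d block(s) left open' % len(stack)))
        stack.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN_OWNER.match(line)
        if m:
            if stack:                 # previous stanza never reached its "}"
                report_unclosed()
            owner = m.group(2)
            stack.append('owner')
            continue
        m = OPEN_SERVICE.match(line)
        if m:
            svc = {'kind': m.group(1) + '/' + m.group(2)}
            stack.append('service')
            continue
        if line == '}':
            if stack and stack.pop() == 'service':
                close_service()
            continue
        m = ATTR.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if svc is not None:
            svc[key] = value
            if key == 'addr':
                addr_owners[value].append(owner)
        elif value.startswith('cleartext'):
            # CHAP needs a recoverable secret, so the finding is about
            # protecting the file; the secret itself is never echoed.
            findings.append((owner, 'cleartext-secret', key))

    if stack:
        report_unclosed()
    for addr, owners in addr_owners.items():
        if len(owners) > 1:
            findings.append((', '.join(owners), 'duplicate-addr', addr))
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONFIG):
        print('%-14s %-17s %s' % finding)
```
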

Similar Messages

  • AAA and TACACS servers

    Hello All,
    I want to download free, yet reliable, AAA and TACACS servers. Can you guide me? Also, I need help with configuring them for study purposes.

    You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
    ACS v4.2.0.124 90-Days Evaluation Software
    eval-ACS-4.2.0.124-SW.zip
    http://tools.cisco.com/squish/9B37e
    Path:
    Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
    > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Can a Cisco 2600 router do PPTP,L2TP, and IPSec?

    General question.

    2600 supports L2TP and PPTP with MPPE with an IP PLUS version, and IPsec with a firewall version.

  • WAAS and TACACS

    We are trying to get our WAAS environment to authenticate against TACACS and then fall over to local if TACACS is unavailable. For engineer logins everything is working as expected. However, we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login and CMS logs into the WAE due to the failover to local mechanism. Looking at packet captures, and debugging aaa on the WAEs, it is definitely a CMS user that logs in but shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the TACACS server? What is the password for this automation user?
    Thanks in advance.

    Hi Stan,
    WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
    There are a couple of things to keep in mind while configuring TACACS on WAE, on both sides - TACACS and WAE CM.
    On TACACS side:
    1. Please make sure to create right username.
    2. Please make sure to verify if you are using ASCII password authentication.
    3. Try to use less than 15 letters - Alphanumeric TACACS password.
    4. Please provide the right user level / group level permissions. This is somewhere under user account properties. Please also make sure to select the right user password under user properties.
    5. Verify if this user needs level 15 (admin equivalent account).
    On WAE CM side:
    1. Please make sure to select right authentication method as primary and secondary.
    2. Please make sure to enable the check box for authentication methods.
    You can verify the failure / successful log events on the TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
    I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
    Hope this helps.
    Regards.
    PS: Please mark this as Answered, if this resolves your issue.

  • L2tp and pptp...

    Hi... in Windows Server, creating an L2TP and PPTP server is really a no-brainer. How do I set up L2TP and PPTP on a Cisco router? Thanks :)

  • L2TP and fixed Framed IP Address for VPN user

    Hi,
    I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with mysql). I would like to have some of my VPN users get a fixed IP address instead of one dynamically assigned from the IP pool.
    The radius server is returning the correct parameters, I think.
    I hope someone can help me.
    It's a Cisco 892 Integrated Service Router.
    Router Config:
    =============================================================
    Current configuration : 8239 bytes
    ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname vpngw2
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 secret
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login userauthen local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa accounting delay-start
    aaa accounting update newinfo
    aaa accounting exec default
    action-type start-stop
    group radius
    aaa accounting network default
    action-type start-stop
    group radius
    aaa accounting resource default
    action-type start-stop
    group radius
    aaa session-id common
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip domain name aspect-online.de
    ip name-server 10.28.1.31
    ip inspect WAAS flush-timeout 10
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip cef
    no ipv6 cef
    virtual-profile if-needed
    multilink bundle-name authenticated
    async-bootp dns-server 10.28.1.31
    async-bootp nbns-server 10.28.1.31
    vpdn enable
    vpdn authen-before-forward
    vpdn authorize directed-request
    vpdn-group L2TP
    ! Default L2TP VPDN group
    accept-dialin
      protocol l2tp
      virtual-template 1
    no l2tp tunnel authentication
    license udi pid -K9 sn FCZ
    username root password 7 secret
    ip ssh source-interface FastEthernet8
    ip ssh version 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key mykey address 0.0.0.0         no-xauth
    crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map config-map-l2tp 10
    set nat demux
    set transform-set configl2tp
    crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    <snip>
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    ip address 10.28.1.97 255.255.255.0
    ip access-group vpn_to_lan out
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0
    ip access-group vpn_to_inet_lan in
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool l2tpvpnpool
    ppp encrypt mppe 128
    ppp authentication chap
    interface GigabitEthernet0
    description WAN Port
    ip address x.x.x.39 255.255.255.0
    ip access-group from_inet in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map vpnl2tp
    interface Vlan1
    no ip address
    shutdown
    ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
    ip local pool remotepool 192.168.252.240 192.168.252.243
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat log translations syslog
    ip nat inside source route-map natmap interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 x.x.x.33
    ip access-list extended from_inet
    <snip>
    ip access-list extended nat_clients
    permit ip 192.168.252.0 0.0.0.255 any
    ip access-list extended vpn_to_inet_lan
    <snip>
    ip access-list extended vpn_to_lan
    <snip>
    deny   ip any any log-input
    logging trap debugging
    logging facility local2
    logging 10.28.1.42
    no cdp run
    route-map natmap permit 10
    match ip address nat_clients
    radius-server attribute 8 include-in-access-req
    radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
    radius-server key 7 mykey
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    mgcp profile default
    banner login ^C
    Hostname: vpngw2
    Model: Cisco 892 Integrated Service Router
    Description: L2TP/IPsec VPN Gateway with Radius Auth
    ^C
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    =============================================================
    User Config in Radius (trying multiple attributes):
    =============================================================
    Attribute          | op | Value
    Service-Type       | =  | Framed-User
    Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
    Framed-IP-Address  | := | 192.168.252.221
    Cisco-AVPair       | =  | ip:addr-pool=remotepool
    =============================================================
    Debug Log from freeradius2:
    =============================================================
    rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
            Framed-Protocol = PPP
            User-Name = "me1"
            CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "me1" with CHAP password
    [chap] Using clear text password "test" for user me1 authentication.
    [chap] chap user me1 authenticated succesfully
    ++[chap] returns ok
    Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 7 to 10.28.1.97 port 1645
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Address := 192.168.252.221
            Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
            Service-Type = Framed-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            User-Name = "me1"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
    Finished request 1.
    Cleaning up request 1 ID 19 with timestamp +53
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "me1"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=100000000"
            Cisco-AVPair = "nas-rx-speed=100000000"
            Acct-Session-Time = 5
            Acct-Input-Octets = 5980
            Acct-Output-Octets = 120
            Acct-Input-Packets = 47
            Acct-Output-Packets = 11
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Input-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Input-Octets} -> 5980
    [sql]   expand: %{Acct-Output-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Output-Octets} -> 120
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
    Finished request 2.
    Cleaning up request 2 ID 20 with timestamp +58
    Going to the next request
    Waking up in 0.1 seconds.
    Cleaning up request 0 ID 7 with timestamp +53
    Ready to process requests.
    =============================================================
    Log From Cisco Router:
    =============================================================
    Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
    Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
    Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
    Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
    Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
    Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
    Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
    Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
    Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
    Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
    Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
    Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
    Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
    Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
    Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
    Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
    Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
    Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
    Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
    Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
    Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
    Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
    Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
    Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
    Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
    Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
    Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
    Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
    Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
    Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
    Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
    Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
    Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
    =============================================================

    I found the failure.
    In the Cisco config it must be
    aaa authorization network default group radius local
    not
    aaa authorization network groupauthor local

  • ACE and TACACS+ auth

    I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices.  I have all the routers and switches working just fine, but am having an issue getting the ACE to use TACACS.  I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine.  I found some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content are below.  I know the AAA is working with this TACACS server as the accounting functions properly.
    ACE AAA
    tacacs-server host 10.1.0.202 key 7 <removed>
    aaa group server tacacs+ TAC_AUTH
      server 10.1.0.202
    aaa authentication login default group TAC_AUTH local
    aaa authentication login console group TAC_AUTH local
    aaa accounting default group TAC_AUTH local
    tac_plus.conf
    # Accounting Logs
    accounting file = /data/tacacs.log
    # Server Key
    key = <removed>
    # ACL
    acl = auth_routers {
        permit = .*
    }
    # Groups
    group = admin {
        login = file /etc/passwd
        acl = auth_routers
        service = exec {
            optional shell:Admin = "Admin default-domain"
        }
    }
    # Users
    user = admin1 {
        default service = permit
        member = admin
    }
    user = admin2 {
        default service = permit
        member = admin
    }
    user = admin3 {
        default service = permit
        member = admin
    }

    Anyone?

  • Authenticating against RADIUS *AND* TACACS

    G'day...
    Toys:
    Cisco Secure ACS 3.2
    Cisco 1242 Access Points
    I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
    The only way I have gotten this to work is to set up TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
    Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
    Cheers,
    Andrew.

    Hi,
    The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
    If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
    I am using the same approach to authenticate remote access clients and network admin in my Access Server.
    Rgds,
    AK

  • 802.1x and TACACS+

    I use the ACS box mainly for AAA on the switches and routers using tacacs. Now we're looking at the possibility of using 802.1x, my early reading tells me I have to use RADIUS, but I'm using TACACS, can I have two different methods of authentication on the same switch/router?
    Any help would be greatly appreciated.
    Thanks.

    Hi ,
    Yes, you can have different authentication methods on the same router/switch.
    In case you need to configure 802.1x, you can simply add the 802.1x commands, as they will not interfere with the working of your tacacs authentication.
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html
    If you want to configure radius for login authentication along with existing Tacacs then you need to configure a method list.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#wp1000906
    Regards,
    Puneet

  • Configuring RAS and TACACS+. through ACS.

    Hi all,
    I have very basic question about
    configuring RAS with digital modems
    and AAA through TACACS+. I use
    command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10
    for example. And inside router I configure this pool with some range of
    IP addresses...for example
    ip local pool OLA 192.168.10.2 192.168.10.127.
    And I set AAA through TACACS+.
    What should I do next on ACS? Should I configure this pool of IP addresses on ACS or is it sufficient to do it only on the router? Or is doing this on the router not important?
    Thanks
    jl

    John
    I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
    HTH
    Rick

  • WLC s/w v4.1 and TACACS unreachable

    In,
    Cisco WLC_Config Guide_Web & CLI_Release 4.1
    it says,
    "If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller."
    Does this mean it does not support a fail-safe password like IOS does where the Enable password can be used to get into a router if TACACS+ is unreachable?

    Hi Mark,
    No, the local database is always queried first.
    Please read Chapter 5 and the section on configuring TACACS:
    "You can specify the order of authentication when multiple databases are configured, click Security > Priority Order > Management User. The Priority Order > Management User page will appear."
    It goes on further to explain:
    "For Authentication Priority, choose either Radius or TACACS+ to specify which server has priority over the other when the controller attempts to authenticate management users. By default, the local database is always queried first. If the username is not found, the controller switches to the TACACS+ server if configured for TACACS+ or to the RADIUS server if configured for Radius. The default setting is local and then Radius."
    Hope this helps.
    Paul

  • Client initiated L2TP and control channel passwords

    I am building a CVS application for CPEs that use client-initiated tunneling feature. IOS version is 12.4(6)T3. The l2tp-class is
    configured as below:
    l2tp-class l2tpclass1
    password 7 15145D015037812E70
    The password string changes at a regular interval. I have two questions w.r.t the password changes.
    1) Why does it happen? I have not seen this happening on other passwords that use encryption type 7. I could not find any references to this in "L2TP Control Channel Authentication Parameters" documentation.
    2) Is there a way to stop this behavior? Currently there is a diff. generated even though the actual configuration has not changed because of the change in password string.
    Regards,
    - Gaurav

    If you configure "username xxxx password yyyyy" on a system, the encrypted form of the password will in fact change each time you do a "write memory." This is part of a "random seed" that's supposed to make the coded password harder to crack. If the box was actually configured by reading an NV config that contains the "password 7 151E080214382420" form, it should stay that way (basically, the internal format used to store the password is always the form it was "entered" in, and the password is encrypted appropriately (if it's not already encrypted) when you do the "writes").

  • L2tp and vpnclient?

    Hello.
    We have an ASA 5510 up and running since 2 years, with many vpnclients configured.
    Now we want to enable also l2tp.
    I've followed this guide:
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml
    at the end of the configuration steps (I've also upgraded to 8.2.5 as required), l2tp vpns work properly, but vpnclients don't work anymore.
    I've removed the crypto map l2tp entry from the configuration, and now vpnclients work again.
    I've tried to insert L2TP transform set (3des/sha/transport) into dynamic entry 65535, but l2tp doesn't work anyway.
    Configuration of crypto map now is:
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set L2TP-TS ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    if I configure
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set L2TP-TS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    l2tp works, but not vpnclients.
    Has anyone successfully configured both VPNs on the same ASA?
    Thanks
    Daniele

    Thanks for your suggestion, but it doesn't work
    I've enabled debug, error follows:
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 500
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Oakley proposal is acceptable
    Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal RFC VID
    Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 03 VID
    Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 02 VID
    Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received Fragmentation VID
    Oct 26 2012 10:36:05: %ASA-7-715064: IP = 217.200.185.232, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
    Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received DPD VID
    Oct 26 2012 10:36:05: %ASA-7-715028: IP = 217.200.185.232, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
    Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send IOS VID
    Oct 26 2012 10:36:05: %ASA-7-715038: IP = 217.200.185.232, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
    Oct 26 2012 10:36:05: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, Generating keys for Responder...
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
    Oct 26 2012 10:36:05: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
    Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
    Oct 26 2012 10:36:05: %ASA-6-713172: Group = DefaultRAGroup, IP = 217.200.185.232, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup
    Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP
    Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
    Oct 26 2012 10:36:05: %ASA-5-713119: Group = DefaultRAGroup, IP = 217.200.185.232, PHASE 1 COMPLETED
    Oct 26 2012 10:36:05: %ASA-7-713121: IP = 217.200.185.232, Keep-alive type for this connection: DPD
    Oct 26 2012 10:36:05: %ASA-7-715080: Group = DefaultRAGroup, IP = 217.200.185.232, Starting P1 rekey timer: 2700 seconds.
    Oct 26 2012 10:36:05: %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
    Oct 26 2012 10:36:06: %ASA-7-714003: IP = 217.200.185.232, IKE Responder starting QM: msg id = d148be4a
    Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=d148be4a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 304
    Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
    Oct 26 2012 10:36:06: %ASA-7-713025: Group = DefaultRAGroup, IP = 217.200.185.232, Received remote Proxy Host data in ID Payload:  Address 10.170.18.159, Protocol 17, Port 58636
    Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received
    Oct 26 2012 10:36:06: %ASA-7-713024: Group = DefaultRAGroup, IP = 217.200.185.232, Received local Proxy Host data in ID Payload:  Address 89.96.154.130, Protocol 17, Port 1701
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, L2TP/IPSec session detected.
    Oct 26 2012 10:36:06: %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rcv Delete message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, QM IsRekeyed old sa not found by addr
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 1...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 2...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 3...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 4...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 5...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 5, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 6...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 6, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 7...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 7, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 8...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 8, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 9...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 9, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 10...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 11...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 11, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 12...
    Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 12, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
    Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 217.200.185.232, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
    Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 217.200.185.232, All IPSec SA proposals found unacceptable!
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending notify message
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, constructing ipsec notify payload for msg id d148be4a
    Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=949acedb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, QM FSM error (P2 struct &0xd8819da8, mess id 0xd148be4a)!
    Oct 26 2012 10:36:06: %ASA-7-715065: Group = DefaultRAGroup, IP = 217.200.185.232, IKE QM Responder FSM error history (struct &0xd8819da8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
    Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, Removing peer from correlator table failed, no match!
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 terminating:  flags 0x01010002, refcnt 0, tuncnt 0
    Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message
    Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=ce2eb537) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 217.200.185.232, Session is being torn down. Reason: Phase 2 Mismatch
    Oct 26 2012 10:36:06: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 217.200.185.232, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
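
The triage the debug output above calls for, as an added example that is not part of the original post: a Python sketch that groups ASA IKE debug lines by peer and reports where each negotiation stopped. The sample lines are constructed in the format of the log above; the addresses and the `vpnclients` group name are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output above
# (documentation addresses, hypothetical second tunnel group).
SAMPLE_LOG = """\
Oct 26 2012 10:36:05: %ASA-7-713906: IP = 203.0.113.10, Connection landed on tunnel_group DefaultRAGroup
Oct 26 2012 10:36:05: %ASA-6-713172: Group = DefaultRAGroup, IP = 203.0.113.10, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Oct 26 2012 10:36:05: %ASA-5-713119: Group = DefaultRAGroup, IP = 203.0.113.10, PHASE 1 COMPLETED
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 203.0.113.10, L2TP/IPSec session detected.
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 203.0.113.10, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:203.0.113.10 dst:198.51.100.1
Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 203.0.113.10, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:203.0.113.10 dst:198.51.100.1
Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 203.0.113.10, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 203.0.113.10, Session is being torn down. Reason: Phase 2 Mismatch
Oct 26 2012 10:40:11: %ASA-7-713906: IP = 203.0.113.20, Connection landed on tunnel_group vpnclients
Oct 26 2012 10:40:11: %ASA-5-713119: Group = vpnclients, IP = 203.0.113.20, PHASE 1 COMPLETED
"""

# "Group = ..." and "Username = ..." are optional prefixes, as in the log above.
LINE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d{6}): "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"(?:Username = [^,]*, )?"
    r"IP = (?P<ip>[\d.]+), (?P<text>.*)$"
)


def new_peer():
    return {"tunnel_group": None, "phase1_done": False, "peer_behind_nat": None,
            "l2tp": False, "static_seq_no_match": [], "dynamic_map": None,
            "proposals_rejected": False, "teardown_reason": None}


def summarize(log_text):
    """Return {peer_ip: state} built from the message IDs seen in the log."""
    peers = defaultdict(new_peer)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p, msgid, text = peers[m["ip"]], m["msgid"], m["text"]
        if m["group"]:
            p["tunnel_group"] = m["group"]
        if msgid == "713119":                      # PHASE 1 COMPLETED
            p["phase1_done"] = True
        elif msgid == "713172":                    # NAT detection status
            nat = re.search(r"Remote end\s+is(\s+not)?\s+behind", text, re.I)
            if nat:
                p["peer_behind_nat"] = nat.group(1) is None
        elif msgid == "713906":                    # generic IKE debug text
            if "L2TP/IPSec session detected" in text:
                p["l2tp"] = True
            landed = re.search(r"landed on tunnel_group (\S+)", text)
            if landed:
                p["tunnel_group"] = landed.group(1)
        elif msgid == "713222":                    # static entry skipped
            seq = re.search(r"seq = (\d+), ACL does not match", text)
            if seq:
                p["static_seq_no_match"].append(int(seq.group(1)))
        elif msgid == "713066":                    # fell through to dynamic map
            p["dynamic_map"] = text.rsplit(": ", 1)[-1]
        elif msgid == "713904":                    # no acceptable proposal
            p["proposals_rejected"] = True
        elif msgid == "713259":                    # teardown reason
            reason = re.search(r"Reason: (.+)$", text)
            if reason:
                p["teardown_reason"] = reason.group(1)
    return dict(peers)


def diagnose(p):
    """One-line reading of a peer's state, using only what the log recorded."""
    if not p["phase1_done"]:
        return "Phase 1 not completed in this capture"
    if p["proposals_rejected"]:
        kind = "L2TP/IPsec" if p["l2tp"] else "IPsec"
        return (f"Phase 1 OK; {kind} Phase 2 proposal skipped "
                f"{len(p['static_seq_no_match'])} static entries and was rejected "
                f"by dynamic map {p['dynamic_map']} ({p['teardown_reason']})")
    return "Phase 1 OK; no Phase 2 rejection logged"


if __name__ == "__main__":
    for ip, state in summarize(SAMPLE_LOG).items():
        print(ip, state["tunnel_group"], "-", diagnose(state))
```

Run against the full debug output, the same summary shows that the session reached `SYSTEM_DEFAULT_CRYPTO_MAP` only after every static `outside_map` entry was skipped, which is where the transform sets need checking.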

  • AAA and TACACS on everything BUT NOT console

    Would like to enable login authentication AND enable authentication on VTY but NOT console. Console should authenticate locally for both user and privilege modes ... I can't seem to separate the 'enable' piece ... any thoughts?

    I do not think you can separate the method list for the enable piece. I've asked Cisco about this in the past and they told me that it is not possible. You can have a different method list for the console for the "exec" mode but not the enable or privilege mode. It is either "tacacs" or "enable" or some other combinations but not a separate method list for "enable" by itself. Maybe Cisco added this new feature in 12.4. I've done my testing on both 12.2T and 12.3T and, IMHO, it is not possible to separate the enable piece. Here is my config:
    username cisco password cisco
    enable secret cisco
    aaa authentication login notac local
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa accounting connection TAC start-stop group tacacs+
    aaa session-id common
    line con 0
    exec-timeout 0 0
    authorization exec notac
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    logging synchronous
    login authentication notac
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
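
To see which method list each line ends up with, here is an added example (not part of the reply above, and not Cisco tooling) that resolves the lists applied under `line con 0` and `line vty` in an IOS config. The sample is a constructed excerpt modelled on the config above; the function names are hypothetical, and the parser assumes enable authentication is always taken from the `default` list, as the reply states.

```python
import re

# Constructed excerpt modelled on the config in the reply above.
SAMPLE_CONFIG = """\
aaa authentication login notac local
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec notac none
aaa authorization exec VTY group tacacs+ if-authenticated none
aaa authorization commands 15 VTY group tacacs+ if-authenticated none
aaa accounting exec TAC start-stop group tacacs+
aaa accounting exec VTY start-stop group tacacs+
line con 0
 authorization exec notac
 accounting exec VTY
 login authentication notac
line vty 0 15
 authorization commands 15 VTY
 authorization exec VTY
 accounting exec VTY
 login authentication VTY
"""

# aaa <kind> <service> <list-name> <methods...>
DEF_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) "
    r"(login|enable|exec|commands \d+) (\S+) (.+)$")
# Line sub-commands that apply a named list.
USE_RE = re.compile(r"^(authorization|accounting) (exec|commands \d+) (\S+)$")


def parse(config):
    """Return (lists, applied): list definitions and per-line list names."""
    lists, applied, current = {}, {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[5:]
            applied[current] = {}
            continue
        if cmd in ("!", "end") or cmd.startswith("aaa "):
            current = None                      # left the line block
        d = DEF_RE.match(cmd)
        if d:
            kind, service, name, methods = d.groups()
            lists[(kind, service, name)] = methods.split()
            continue
        if current is None:
            continue
        if cmd.startswith("login authentication "):
            applied[current][("authentication", "login")] = cmd.split()[2]
        else:
            u = USE_RE.match(cmd)
            if u:
                applied[current][(u[1], u[2])] = u[3]
    return lists, applied


def effective(config):
    """Per line: (list name, methods) for login, exec authorization, enable."""
    lists, applied = parse(config)

    def lookup(line, kind, service):
        # A line with no explicit list falls back to the list named "default".
        name = applied[line].get((kind, service), "default")
        return name, lists.get((kind, service, name))

    enable = ("default", lists.get(("authentication", "enable", "default")))
    return {
        line: {
            "login": lookup(line, "authentication", "login"),
            "exec-authorization": lookup(line, "authorization", "exec"),
            "enable": enable,   # same for every line: no per-line enable list
        }
        for line in applied
    }


def not_applied_to_lines(config):
    """Named lists that are defined but referenced by no line block."""
    lists, applied = parse(config)
    used = {(k, s, n) for per_line in applied.values()
            for (k, s), n in per_line.items()}
    return sorted(key for key in lists
                  if key[2] != "default" and key not in used)


if __name__ == "__main__":
    for line, services in effective(SAMPLE_CONFIG).items():
        for service, (name, methods) in services.items():
            print(f"line {line:9} {service:19} {name:8} {methods}")
    print("defined but not applied:", not_applied_to_lines(SAMPLE_CONFIG))
```

The output makes the reply's point concrete: console login resolves to `local` while VTY login resolves to `group tacacs+ local`, yet both lines share the one `enable` list.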

  • VRF and TACACS

    Our management network is via VRF, the IP address of the ACS also exists in the VRF. After the configuration, the ACS doesn't seem to work and there are no reports on the ACS. Below is the configuration. Your help is appreciated!
    client: int vlan 10
    ip add 192.168.1.233
    ip vrf forwarding Virtual
    aaa authentication login new group tacacs+ local
    aaa authorization exec new group tacacs+ local
    aaa authorization commands 15 new group tacacs+ local
    ip tacacs source-interface vlan 10
    tacacs-server host 192.168.1.240
    tacacs-server key key
    lin vty 0 4
    authorization commands 15 new
    authorization exec new
    login authentication new
    I can ping from the source interface to the ACS via VRF.
    Thank you!

    Can you share the config?
    Depending on your setup/design, pls check the following config guide & sample for TACACS+ with VRF:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806996cc.html
    HTH
    AK
