PIX 525 aaa authentication with both tacacs and local

Hi,
I have configured aaa authentication for the PIX with the TACACS protocol (ACS server).
It works fine; now I would like to add backup authentication, as follows:
- If the ACS goes down, I can be authenticated with the local database.
Is this possible with PIX, and if yes, how?

Hi,
I am trying to configure aaa using TACACS+, and I am not able to close this out. The problems are:
1. It doesn't ask for username/password at the first level.
2. At the second level it asks for a username, but it doesn't authenticate the user.
Could you please let me know if the following config is correct? If not, could you help me?
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
aaa authentication enable console TACACS+
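A configuration that covers both questions above (TACACS+ first, the local database only when ACS is unreachable, plus a cut-through proxy rule), written here as an added example and not taken from either poster. It uses PIX 7.x/ASA syntax; the addresses, the secret placeholder and the user name are assumptions. On PIX 6.x the aaa-server host line carries the key and timeout on one line, as in the second post, and the "... console TACACS+ LOCAL" form should be checked against that release's command reference.

```pix
! Server group with two TACACS+ hosts (addresses assumed). After three
! failed transactions a host is marked FAILED; in depletion mode the
! group counts as dead only when every host is, and that is the point
! at which the LOCAL fallback below is consulted.
aaa-server TACACS+ protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server TACACS+ (inside) host 10.1.1.10
 key <tacacs-secret>
 timeout 5
aaa-server TACACS+ (inside) host 10.1.1.11
 key <tacacs-secret>
 timeout 5
!
! Local fallback account (name assumed). Create it before the console
! lines below, and keep a second SSH session open while testing so a
! mistake cannot lock you out.
username admin password <strong-local-password> privilege 15
!
! Management access: TACACS+ is tried first; LOCAL is used only when the
! whole group is dead. A reject from ACS does NOT fall through to LOCAL.
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
!
! Cut-through proxy for traffic through the firewall (the second post's
! "include tcp/0" rule in 7.x form). Only Telnet, FTP, HTTP and HTTPS
! flows can present a credential prompt; other TCP flows matched by the
! rule are denied until the user has authenticated through one of those.
access-list AUTH-INBOUND extended permit tcp any any eq www
access-list AUTH-INBOUND extended permit tcp any any eq https
aaa authentication match AUTH-INBOUND outside TACACS+
```

To confirm the fallback, block the TACACS+ hosts (or stop the ACS service), watch "show aaa-server TACACS+" report them as FAILED, and only then try the local account; a wrong password against a live ACS will never reach the local database, which is the behaviour you want from a fallback rather than a second password.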

Similar Messages

  • Authentication providers for TACACS+ and RADIUS

    Does anyone supply WLS 8.1 authentication providers for TACACS+ and/or
    RADIUS?
    Ben

    So in the ACS network config you add 2 NASes (or should that be NASi?)
    One is of type TACACS+, enter the device ip and secret. The other is RADIUS - unless you need to use some vendor specific trickery you could stick with IETF RADIUS to keep it simple. Again enter the IP and the secret.
    Assuming you have at least 1 user in, say, the default group (ACS group 0), you then need to do some basic setup. In ACS a single group can have both RADIUS and TACACS+ config :-)
    RADIUS will pretty much default to PPP anyway, but you should still set the Service-Type to Framed and set session timeouts etc.
    With T+ you tick the boxes for the services that are allowed. For SSH login you might have to define a custom service first (under interface config)
    Suggest you first take time to scan through the ACS docs.

  • Not Working-central web-authentication with a switch and Identity Service Engine

    Following up on the document "Configuration example: central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis: since the redirection on the switch is not working, I'm asking for your help...
    I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
    The interface configuration looks like this:
    interface FastEthernet0/24
    switchport access vlan 6
    switchport mode access
    switchport voice vlan 20
    ip access-group webauth in
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication event server alive action reinitialize
    authentication order mab
    authentication priority mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    spanning-tree portfast
    end
    The ACL's
    Extended IP access list webauth
        10 permit ip any any
    Extended IP access list redirect
        10 deny ip any host 172.22.2.38
        20 permit tcp any any eq www
        30 permit tcp any any eq 443
    The ISE side configuration I follow it step by step...
    When I connect the XP client, I see the following authentication session...
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
               Interface:  FastEthernet0/24
              MAC Address:  0015.c549.5c99
               IP Address:  172.22.3.184
                User-Name:  00-15-C5-49-5C-99
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  single-host
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
         URL Redirect ACL:  redirect
             URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  AC16011F000000490AC1A9E2
          Acct Session ID:  0x00000077
                   Handle:  0xB7000049
    Runnable methods list:
           Method   State
           mab      Authc Success
    But there is no redirection, and I get the following message on the switch console:
    756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
    756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    I have to mention I'm using an http proxy on port 8080...
    Any Ideas on what is going wrong?
    Regards
    Nuno

    OK, so I upgraded the IOS to version
    SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
    I tweaked the ACLs to the following:
    Extended IP access list redirect
        10 permit ip any any (13 matches)
    and created a DACL that is downloaded along with the authentication
    Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
        10 permit ip any any
    I can see the epm session
    swlx0x0x#show epm session ip 172.22.3.74
         Admission feature:  DOT1X
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
    And authentication
    swlx0x0x#show authentication sessions interface fastEthernet 0/24
         Interface:  FastEthernet0/24
         MAC Address:  0015.c549.5c99
         IP Address:  172.22.3.74
         User-Name:  00-15-C5-49-5C-99
         Status:  Authz Success
         Domain:  DATA
         Oper host mode:  multi-auth
         Oper control dir:  both
         Authorized By:  Authentication Server
         Vlan Group:  N/A
         ACS ACL:  xACSACLx-IP-redirect-4f743d58
         URL Redirect ACL:  redirect
         URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
         Session timeout:  N/A
         Idle timeout:  N/A
         Common Session ID:  AC16011F000000160042BD98
         Acct Session ID:  0x0000001B
         Handle:  0x90000016
         Runnable methods list:
         Method   State
         mab      Authc Success
    on the logging, I get the following messages...
    017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
    017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
    017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
    017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
    017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
    017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
    017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
    What am I missing?
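    The switch-side pieces the redirect depends on, as an added example that is not part of the poster's configuration. The ISE address 172.22.2.38 comes from the posted ACL; the proxy address 172.22.2.50 is an assumption standing in for the port-8080 proxy mentioned in the post, and so is the DNS address. Whether a given IOS release intercepts requests sent to a proxy port as HTTP is something to confirm with the same epm-redirect debug shown above.

```cisco
! Global prerequisites for URL redirection on a Catalyst access switch.
! The switch's own HTTP/HTTPS server answers the intercepted request with
! the 302 to the ISE portal, and device tracking learns the client's IP,
! which is the key the redirect entry is looked up by ("No redirection
! policy for this host" is what you see when that lookup has nothing).
ip http server
ip http secure-server
ip device tracking
radius-server vsa send authentication
!
! Redirect ACL: a permit means "intercept and redirect", a deny means
! "leave alone". Keep it to the ports the browser's requests actually use.
! A "permit ip any any" also matches DNS, NTP and the like, which EPM
! reports as "Not an HTTP(s) packet" and does not redirect.
ip access-list extended redirect
 deny   ip  any host 172.22.2.38
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any host 172.22.2.50 eq 8080
!
! Port ACL (pre-authentication): what the unauthenticated host may reach
! at all. The dACL pushed by ISE replaces it once the session is
! authorized, so the downloaded ACL must allow the same things.
ip access-list extended webauth
 permit udp any any eq bootps
 permit udp any host 172.22.2.53 eq domain
 permit ip  any host 172.22.2.38
 permit tcp any host 172.22.2.50 eq 8080
 permit tcp any any eq www
 permit tcp any any eq 443
```

    The two ACLs answer different questions: the port ACL and dACL decide what the host may send, the redirect ACL decides which of that traffic the switch hijacks. Traffic to ISE itself must be permitted by the first and denied by the second, or the portal page itself gets redirected in a loop.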

  • Cisco ISE with both internal and External RADIUS Server

    Hi
    I have ISE 1.2. I configured it as management, monitor and PSN and it works fine.
    I would like to know if I can integrate an external RADIUS server and work with both the internal and the external RADIUS server simultaneously.
    So some computers (group_A in Active Directory) will continue to do RADIUS authentication on the ISE internal RADIUS, and other computers (group_B in Active Directory) will do RADIUS authentication on an external RADIUS server.
    I would like to know if it is possible to configure this and how I can do it.
    Thanks in advance for your help
    Regards
    Blaise

    Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. Cisco ISE accepts the results of the requests and returns them to the NAS.
    Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. The External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description, or both. In both simple and rule-based authentication policies, you can use the RADIUS server sequences to proxy the requests to a RADIUS server.
    The RADIUS server sequence strips the domain name from the RADIUS-Username attribute for RADIUS authentications. This domain stripping is not applicable for EAP authentications, which use the EAP-Identity attribute. The RADIUS proxy server obtains the username from the RADIUS-Username attribute and strips it from the character that you specify when you configure the RADIUS server sequence. For EAP authentications, the RADIUS proxy server obtains the username from the EAP-Identity attribute. EAP authentications that use the RADIUS server sequence will succeed only if the EAP-Identity and RADIUS-Username values are the same.

  • Lightroom 4 crashes when trying to open the slideshow module. I spent over three hours with both Adobe and Apple tech support and we know it is a permission issue but have not been able to get it solved.  It started with the last upgrade to 10.8


    Back up all data.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    If you have more than one user account, and the one in question is not an administrator account, then temporarily promote it to administrator status in the Users & Groups preference pane. To do that, unlock the preference pane using the credentials of an administrator, check the box marked Allow user to administer this computer, then reboot. You can demote the problem account back to standard status when this step has been completed.
    Triple-click the following line to select it. Copy the selected text to the Clipboard (command-C):
    { sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -Rh $UID:staff ~ $_ ; sudo chmod -R u+rwX ~ $_ ; chmod -R -N ~ $_ ; } 2> /dev/null
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2 (optional)
    The first step should give you usable permissions in your home folder. This step will restore special attributes set by OS X on some user folders to protect them from unintended deletion or renaming. You can skip this step if you don't consider that protection to be necessary.
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. A Terminal window will open.
    In the Terminal window, type this:
    resetpassword
    That's one word, all lower case, with no spaces. Then press return. A Reset Password window will open. You're not going to reset a password.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select
     ▹ Restart
    from the menu bar.

  • I have an iPhone and iPad. I would like to get my husband an iPhone. Are we able to sync all devices and share info with both iPhones and the iPad, using a single email address?


    Thanks for that. He is one of the last holdouts in IT so an email address for him would just mean I have 2 to check so that is what I am trying to avoid as we move into retirement:)

  • Sending emails with both body and attachment to multiple recipients

    I have a requirement to send email with body and attachment to multiple recipients.
    Body of the email is a standard text. It is a proxy-to-mail scenario.
    Here is what I've done: (I'm using PI 7.11)
    One mapping from Source to Target structure (format of the attachment text file)
    Second mapping from Target Structure to Mail Package format.
    In the second mapping I'm concatenating the output of first step into "Content" of the Mail Package.
    "XIPAYLOAD" is the message protocol used.
    The "Keep attachments" option in the Mail adapter allows only to send "Content" as attachment or as body of the email.
    How to send an email with both content and text?
    The other problem is even with using ASMA, I can't send email to multiple recipients. I can only do CC and TO for 1 person each - a total of 2. Although I can resolve this by creating mailing lists, it is better if this can be addressed in PI.
    Thanks for any input you can provide!
    Edited by: crazylad on Jan 18, 2012 3:39 PM

    Thank you for your response Mikael.
    For the first question, I was able to find the solution in the following blog:
    XI Mail Adapter : Dynamically building attachment and message body content using a simple UDF
    (I just needed to search with the right set of key words )
    The key is to set the "Content Encoding" as "None" in the mail adapter. If this is not done, the mail will be sent with an attachment - untitled.bin containing both the mail body and the attachment text. Also, don't forget to check the "Keep Attachments" checkbox in the mail adapter.
    Multiple recipients could be added by separating the email IDs with a Comma. I have used ASMA to set the recipients.

  • External hard drive use with both Mac and Windows

    I know that you can't use an iPod (through iTunes) with both Mac and Windows, but can you still use it as an external hard drive with both operating systems?

    Yes, if the iPod is in Windows format. Mac OS X can read and write Windows formatted iPods, but Windows can't access Mac formatted disks unless special software is installed.

  • In Creative Cloud, does the $9.99/month Individual Photography plan come with BOTH Lightroom and Photoshop CC?

    In Creative Cloud, does the $9.99/month Individual Photography plan come with BOTH Lightroom and Photoshop CC?  It is not very clear on the home page.  It shows both and mentions both, but doesn't specifically say BOTH come with the monthly $9.99/month plan.  Can somebody clarify?

    Special Photography Plan
    http://helpx.adobe.com/photoshop/kb/differences-photoshop-creative-cloud-photography.html

  • Form report with both edit and column link

    hi experts,
    How can we create a form report with both an edit link and a column link? I.e., the form should have both the edit link and the column link. When we click on the edit link (in page 1) it should go to page 2, and page 2 should display the corresponding row fields, which should be editable. But when I click the column link it should bring me to the next page, and the corresponding values of the column should not be editable.
    Regards,
    KK

    hi,
    Here I have achieved this by making the column link and page navigation.

  • How can I hook up an epson scanner (2480/2580) via USB/Firewire hub- APEBS and be able to operate the scanner with both laptop and desktop computer?

    My Artisan50 works in this configuration currently!

    You can't scan to a device connected to the base station's USB port. Devices other than computers with both USB and FireWire ports don't provide any crossover between the technologies unless specifically noted in their description.

  • I have a MacBookPro5,5 how do i connect it to my hdtv WITH BOTH AUDIO AND VIDEO? and where can i buy this cable(s)?


    Thank you Roger. I have attempted to connect my MBP now 3 times (all different ways, with different cables purchased) but unfortunately no success. I understand that with me having an older MBP it can be a challenge. I have found this page http://www.wikihow.com/Connect-a-Macbook-to-a-TV but with my unsuccessful history, I have become skeptical. I will try your suggestion and let you know. Thank you again.

  • My PC crashed with both CS6 and Lightroom 4. .

    My PC crashed with both CS6 and Lightroom 4... I purchased a Mac Pro. Can I download the Mac versions of both programs and use my current serial numbers?

    You can with Lightroom, but not (as far as I know) with Photoshop. You ought to get in touch with Adobe's customer service people and see if you can "sidegrade" to Mac for a relatively small fee.
    Hal

  • HT1689 I just upgraded to iTunes 11 and now I get a "itunes cannot connect with this ........ Could not allocate a resource. Happens with both ipad and iPhone. Any thoughts on how to resolve this issue?


    Same for me with iPhone 5 and iOS 7 on a Mac Pro. I installed iTunes 11.1 and after a reboot nothing works. It works only with the Mac Pro in safe mode.
    I have uninstalled the Wi-Fi Sync 1.0 app from the Mac Pro and iTunes syncs well with the iPhone.

  • How do  create a slide show with both video and photos in elements 12


    Hi Brian
    You can batch process a set of prepared slides from Full Edit (see image) using:
    File >> Process Multiple Files
    In the PMF dialog you can choose filename, date, or description (caption)
    Make sure you choose a separate destination folder from your source folder so as not to permanently overwrite your originals.
