Primary-secondary radius server configuration
Hi all ,
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
thanks in advance ,
Selva
Hi Selva,
You need to post all your AAA config. the above lines show you added the radius servers but it is not necessarily all server will be reached. We need to look into the AAA config to see what server groups are configured and what servers under the groups.
In general, if things are configured correctly:
- If the primary did not reply at all (down, not reachable...etc) the AAA client (switch in your case) will try the next radius server.
- If the primary server replies (with access-reject, error, ...etc) the AAA client (switch in your case) send auth failure to the host.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"
Similar Messages
-
Primary/secondary RADIUS server
Hey all,
I've been trying to discover for a while how primary and secondary RADIUS servers work on WLC 4400s. If the primary RADIUS server goes down, and the secondary is used, at what point does the controller go back to the primary once it's back up? Does it wait until the secondary goes down, or does it immediately switch back to the primary once it becomes available?
Thanks in advance!
JeffOn 4.2 and previous versions, if the primary goes down, then the secondary is used until the secondary is not available. So if you want to froce the primay to be the radius server to be used, reboot the secondary. Then the tertiary then back to the primary. 5.0 has a feature in which you can set a keep alive so that when the primary comes back up, the primary will be used again. 5.0 code in not a good code version though.
-
When WLC authenticate users with secondary RADIUS server?
Hi Sir,
I'm configuring a WLC4404-100. One of the WLANs points to two RADIUS Servers for Authentication and Accounting (please see attached).
I'd like to know, under what circumstances will the WLC authenticate users against the secondary RADIUS Server (in my case, the ACS with IP address 10.200.67.84)?
Please advise.
Thank you.
B.Rgds,
Lim TSHi,
I navigated to the following on the WLC:
MANAGEMENT -> SNMP -> Trap Logs
I noticed the following SNMP trap:
Fri Dec 8 11:23:21 2006 No Radius Servers Are Responding
I checked the 2nd ACS server, and true, at around the same time 11:23, the 2nd ACS server was authenticating users.
I checked the 1st ACS server; at around the same time 11:23, there wasn't any service suspension or database replication going on. What's the cause of this WLC authenticating with the 2nd ACS server? The network is robust and I don't expect any latency issue. The two RADIUS servers are serving only wireless users, the number is about 120.
On the WLC, I used the default of 2 seconds Retransmit Timeout for both the RADIUS Authentication Servers. Should I fine-tune it to higher value?
Retransmit Timeout - Specify the time in seconds after which the RADIUS authentication request will timeout and a retransmission will be taken up by the controller. You can specify a value between 2 to 30 seconds.
There are Passed Authentications logged on the 1st ACS server after during & after 11:23. So, I suspect the WLC is doing a kind of load-balancing across the two RADIUS servers.
Please advise.
Thank you.
B.Rgds,
Lim TS -
EAP-TLS with Radius Server configuration (1130AG)
Hi All,
Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
My steps for radius:- (i think this part ive actually got ok)
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wirless profile on a win 7 client:- this has me confused all over the place
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 Config:-
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
authentication open eap EAP_LOGIN
authentication network-eap EAP_LOGIN
guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(000000
WAP1#12): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
WAP1#h method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670: 0100002B 0101002B ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
WAP1#
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30 ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
[/code]
Can anyone point me in the right direction with this?
i also dont like it that you can attempt to join the network first before failing
can i have user cert based + psk? and then apply it all by GPO
Thanks for any helpok ive ammdened the wireless profile as suggested
i already have the root ca and a user certificate installed with matching usernames
I had already added the radius device to the NPS server and matched the keys to the AP
now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
WAP1#lient 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
WAP1#_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30 WAP1,portid=0
Jan 29 11:53
WAP1#:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
WAP1#cator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690: 0100002B 0101002B ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30 ortid=0
Jan 29 11:53:14.623: dot1x-regi -
WPA2 and Radius server configuration
On the page: http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
is described how to setup a WPA2 and Radius server.
If I follow this, the Radius server does not work. In the document they descibe that I need to use 10.0.0.1 as the IP, but my AP has a 192.168.1.251 address. Even if I enter that adres, or the 10.0.0.1, it does not work.
Normal WPA2 personal, without Radius does work.
I use a 1100 series AP, (AIR-AP1120B-E-K9) with a AIR-MP21G and the firmware of the radio module is 5.90.11.
The IOS version is 12.3(8)JA2.
Does anyone know what to do?
HaikHello,
I understand that. I have given the AP a fixed address, 192.168.1.251. This is outside the DHCP pool, from the router.
Even if I use this address in th Radius configuration, it still does not work. My client (laptop with Intel Pro Wireless 2200 card), detects that there is a Radius server, and asks for a username / password.
But even if I fill it in correctly (copy / paste) it does not work.
So what can be wrong with this configuration?
Haik -
Secondary VTP server configuration
Hi,
1.We are having a 6513 switch currently acting as VTP server.We are having a secondary 6513 switch which we want to configure as secondary vtp server.I wanted to know whether we require any downtime for configuring the secondary vtp server.Will there be any flapping in the network..?
Rgds./SachinSachin,
Just make sure the VTP configuration revision # on the new switch is lower than that of the existing VTP server switch, enter the VTP configuration - VTP mode as server, domain name, password etc - set up the trunk and the new switch would dynamically learn all the VLANs from the existing VTP server. If you do it this way no downtime would be required and there should be no disruption to production traffic.
Have a look at this document to learn more about VTP configuration revision.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swvtp.html
HTH
Sundar -
Question about RADIUS server configuration with a MacBook Pro
Hello,
I own a modem router which is capable of WPA2 Enterprise and I want to use it with a RADIUS server for authentication and security purposes.
However, I have a few doubts about this.
MY CONFIGURATION:
The modem router would be connected to a fixed PC with Windows and to a MacBook Pro (both with Ethernet)
The RADIUS server would be running on the MacBook Pro (freeRADIUS)
The bold is the issue, that comes when I disconnect the MBP (it's a notebook, so I use it disconnected from the router sometimes).
Supposing the router would have recognized it (correct configuration), it would disconnect from it.
My questions:
Would Wi-Fi be lost in this manner? Or would the modem router automatically switch to another Wi-Fi authentication?
If I reconnected the MBP to the modem router and re-run the RADIUS server, would I need to access the control panel and re-configure the WPA2 Enterprise in order for Wi-Fi to work again?
Thanks in advance,
Tyrexionibus"Full HD 3DD camcorder..." Marketing at it's best.
This is HDV, right? HDV has the same data rate as DV...13.6GB/hour. But because of the MPEG-2 Long GOP format the HDV format employs, it can be a bit tough to edit, but mainly when rendering effects. IT will be slower than DV, and you can't monitor thru the camera like you can with DV, but a simple FW400 drive and Intel Mac will be fine. Better if you can convert to ProRes upon ingest, but then that eats up a LOT more space and requires at least FW800...
http://library.creativecow.net/articles/poisson_chris/hdv-prores.php
Shane -
When trying to login, the message appears "No radius server configured" and the local user does not authenticate. How do I access without rebooting the Switch 6500 with CatOS.
Hi PK.
Thanks for your Attention. You know how to insert a line configuration via SNMP RW "set radius server 10.112.15.21 auth-port 1645 primary"?
I believe this way or can I work around the problem. -
3850 switch configure with radius server
wifi useres authenticate with radius server configure required
Posted by WebUser Raja Sekhar from Cisco Support Community AppKindly check the following links for configuring 802.1x
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_0101.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html -
1. Suppose we have mutliple Radius server in a Netowrk. If primary Radius server goes down , how secondary server will come into the picture..
2. Where can we check ,which Radius server is active (Primary or secondary Radius server)
3. Is there any limit like one server can authenticate a number of clients?
Thanks
SriSri,
1) Its the NAS that brings up secondary radius server. First it will try hitting primary radius server and if there is no response it will then try seoncdary radius.
2) On ASA you can use this command to check the server status,
ASA# show aaa-server protocol radius
On IOS
Switch#show aaa servers
RADIUS: id 3, priority 1, host 192.168.26.119, auth-port 1645, acct-port 1646
State: current UP, duration 151040s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 6, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 190ms
Transaction: success 6, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 1d17h33m
RADIUS: id 4, priority 2, host 192.168.1.99, auth-port 1645, acct-port 1646
State: current UP, duration 151040s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Author: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Account: request 0, timeouts 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Elapsed time since counters last cleared: 0m
3) I'm not aware of any limit that can be configured on radius. But there are certain paremeters you can set up (That depends on verdor)
Regards,
~JG
Do rate helpful posts -
Hi
I am trying to setup the Radius server on my Mac OSX 10.5.2 server. I have two Airport Extreme 802.11n base stations connected to my network, one which we use normally for wireless access and another that I am using to test and get the Radius Server configured. One has an address of 192.168.10.5 and the other is 192.168.10.6. All my wireless clients can browse the net without any issues.
When I go into Server Admin and select Radius and then Configure Radius Service, I select the default certificate and am then presented with a screen where I add my base stations. Now, the puzzling thing is that both of my base stations appear, but they are showing 169.254.xxx.xxx addresses. So, my first question is why do they show self assigned IPs? Is it because they are being found using Bonjour?
If I then back out of this screen and select the Base Stations icon in the menu, I can click browse and again it shows the AEBSs but again with a self assigned IP. Another interesting point is that if I select my normal base station, in the info below it shows the Ethernet and Airport ID info showing V7.3.1 software version but a picture of the old dome shape Airport Extreme Base Station. If I select the test base station, I get the same info but THE RIGHT PICTURE !
If I then select the test base station and enter the password, it says it's the wrong password, even though I know it's the right one.
I'd like to get past this point, but can't see how to proceed until the IPs are right. What's going on? Any ideas gratefully received.
PaulI have just purchased a new AirPort Extreme to begin testing to rollout wireless using RADIUS on our Mac OS X 10.5 server.
I am having a bit of trouble setting up the actual base station. I too was having the same problem with the IP address showing up on the RADIUS server as self-assigned 169. but noticed that when I changed the Primary RADIUS IP address to something different to the AirPorts Ethernet IP address it showed up correctly. Maybe I am wrong but that's what I think happened.
The problem I am having is this: I have created a wireless RADIUS network. My client was able to log in and connect to the wireless system, but I am not getting any DHCP information from my DHCP server running on Mac OS X Server. What am I doing wrong. What settings should be entered for Primary RADIUS IP Address, Shared Secret, etc. I am a bit confused an Apple hasn't provided technical documentation on this aspect.
Help! -
Cisco ISE: External RADIUS Server
Hi,
I would like to forward RADIUS from PSN to another PSN. I already defined "External RADIUS Servers".
So, how can I use this external RADIUS server to process my request ?
Looking at the user guide but didn't find any information about this setting (For rule based not simple rule)
If anyone use this, please suggest this to me.
Thanks,
PongsatornDefining an External RADIUS Server
The Cisco Cisco ISE can function both as a RADIUS server and as a RADIUS proxy server. When it acts as a proxy server, the Cisco Cisco ISE receives authentication and accounting requests from the network access server (NAS) and forwards them to the external RADIUS server. The Cisco Cisco ISE accepts the results of the requests and returns them to the NAS. You must configure the external RADIUS servers in the Cisco Cisco ISE to enable it to forward requests to the external RADIUS servers. You can define the timeout period and the number of connection attempts.
The Cisco Cisco ISE can simultaneously act as a proxy server to multiple external RADIUS servers. You can use the external RADIUS servers that you configure here in RADIUS server sequences. This External RADIUS Server page lists all the external RADIUS servers that you have defined in Cisco Cisco ISE. You can use the filter option to search for specific RADIUS servers based on the name or description or both.
To create an external RADIUS server, complete the following steps:
Step 1 Choose Administration > Network Resources > External RADIUS Servers.
The RADIUS Servers page appears with a list of external RADIUS servers that are defined in Cisco ISE.
Step 2 Click Add to add an external RADIUS server.
Step 3 Enter the values as described:
•Name—(Required) Enter the name of the external RADIUS server.
•Description—Enter a description of the external RADIUS server.
•Host IP—(Required) Enter the IP address of the external RADIUS server.
•Shared Secret—(Required) Enter the shared secret between Cisco Cisco ISE and the external RADIUS server that is used for authenticating the external RADIUS server. A shared secret is an expected string of text that a user must provide to enable the network device to authenticate a username and password. The connection is rejected until the user supplies the shared secret. The shared secret can be up to 128 characters in length.
•Enable KeyWrap—This option increases RADIUS protocol security via an AES KeyWrap algorithm, to help enable FIPS 140-2 compliance in Cisco ISE.
•Key Encryption Key—This key is used for session encryption (secrecy).
•Message Authenticator Code Key—This key is used for keyed HMAC calculation over RADIUS messages.
•Key Input Format—Specify the format you want to use to enter the Cisco ISE FIPS encryption key, so that it matches the configuration that is available on the WLAN controller. (The value you specify must be the correct [full] length for the key as defined below—shorter values are not permitted.)
–ASCII—The Key Encryption Key must be 16 characters (bytes) long, and the Message Authenticator Code Key must be 20 characters (bytes) long.
–Hexadecimal—The Key Encryption Key must be 32 bytes long, and the Message Authenticator Code Key must be 40 bytes long.
•Authentication Port—(Required) Enter the RADIUS authentication port number. The valid range is from 1 to 65535. The default is 1812.
•Accounting Port—(Required) Enter the RADIUS accounting port number. The valid range is from 1 to 65535. The default is 1813.
•Server Timeout—(Required) Enter the number of seconds that the Cisco Cisco ISE waits for a response from the external RADIUS server. The default is 5 seconds. Valid values are from 5 to 120.
•Connection Attempts—(Required) Enter the number of times that the Cisco Cisco ISE attempts to connect to the external RADIUS server. The default is 3 attempts. Valid values are from 1 to 9.
Step 4 Click Submit to save the external RADIUS server configuration. -
Errors in event log of Secondary DPM server protecting replicas on Primary
Hello again
I have two DPM servers, one situated on-site (primary) and one situated off-site (secondary). Protection jobs seem to be running correctly on both servers in that the jobs complete and I am able to restore data from the backups. I use the primary server
to make the initial backups of critical systems and data (Exchange MDB's etc) and the secondary server to backup those replicas off-site in case of primary site loss or DPM system loss.
The primary server is a physical server and the secondary server is a virtual server. Both DPM servers have their DPM databases stored on one physical SQL server that is in the primary site.
Basically what is happening is that every day our virtual machines are snapshotted (secondary DPM server included) and everyday the snapshot of the secondary DPM server fails. I see the following to entries in the event log of the secondary server.
Error 1:
WARNING
Source: MSDPM
Event ID: 955
The description for Event ID 955 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
The consistency check resulted in the following changes to SQL Server Agent schedules: Schedules added: 2 Schedules removed: 2 Schedules updated: 0.
Problem Details:
<ConsistencyCheck><__System><ID>26</ID><Seq>27861</Seq><TimeCreated>22/05/2014 23:01:31</TimeCreated><Source>SchedulerImpl.cs</Source><Line>719</Line><HasError>True</HasError></__System><Tags><JobSchedule
/></Tags></ConsistencyCheck>
the message resource is present but the message is not found in the string/message table
Error 2
ERROR
Source: MSDPM
Event ID: 4212
The description for Event ID 4212 from source MSDPM cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
DpmWriter service encountered an error during PrepareBackup as more than one component is selected for backup in the same snapshot set. Select a single DPM replica for backup and try the operation again.
Problem Details:
<DpmWriterEvent><__System><ID>30</ID><Seq>7</Seq><TimeCreated>23/05/2014 00:30:45</TimeCreated><Source>d:\btvsts\21011\private\product\tapebackup\dpswriter\vssfunctionality.cpp</Source><Line>438</Line><HasError>True</HasError></__System><DetailedCode>4212</DetailedCode></DpmWriterEvent>
the message resource is present but the message is not found in the string/message table
These two events are followed by another event from VMWare Tools everyday
Error 3:
WARNING
Source: VMWare Tools
Event ID: 1000
[ warning] [vmvss:vmvss] CVmSnapshotRequestor::CheckWriterStatus():1536: writer DPM Writer in failed state: res = 0x800423f4, err = 0x1, error =
Has anyone come across this before? Currently I am not quite sure what is going wrong and whether it is actually related to snapshots failing, but I want to try to fix these errors first and see what happens.
RegardsYour ar using VMware for Virtualization?
Are you trying to do an online Backup of the VM, think that will not work?
One thing i wonder, your have installed second DPM if Site one fails or goes done, but SQL for DPM2 is in Site one? try to move SQL to external site for DPM 2
Seidl Michael | http://www.techguy.at |
twitter.com/techguyat | facebook.com/techguyat -
Cisco aironet 2600 series AP configuration with windows 2008 R2 Radius server.
I want to know the configuration of Cisco aironet 2600 series AP with windows 2008 R2 Radius server.
I have
1. AD & DHCP Server
2. Cisco Aironet 2600 Access Point.
I want to connect wifi devices through this AP. Authentication should be through Radius server and AD.Hi ,
Below link should support your requirement
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116584-configure-wirelesslan-00.html
Minimal command : -
AP(config)# aaa new-model
AP(config)# radius-server host 172.20.0.1 auth-port 1645 acct-port 1645 key XXXXXX
AP(config)# radius-server deadtime 10
HTH
Sandy -
RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group
Hi,
I currently have an C2960 switch with IOS 15.0(2) SE4. To log on the CLI of the switch authentication against a RADIUS server takes place. Accounting is not wanted. The config of the switch is as follows:
aaa new-model
aaa group server radius RADIUSGROUP
server xxx.xxx.xxx.1 auth-port 1812 acct-port 0
server xxx.xxx.xxx.2 auth-port 1812 acct-port 0
aaa authentication login default group RADIUSGROUP local
aaa authentication dot1x default group RADIUSGROUP
aaaauthorization network default group RADIUSGROUP
radius server host xxx.xxx.xxx.1 auth-port 1812 acct-port 0 key 7 [encrypted password]
radius server host xxx.xxx.xxx.2 auth-port 1812 acct-port 0 key 7 [encrypted password]
It works fine, the authentication and the login are successful, but every login generates a message in the logging of the switch:
RADIUS-3-NOSERVERS: No radius hosts configured or no valid server present in the server group
What is going wrong???
Any help would be appreciated.That's going to be something you are going to have to go the cisco TAC with . That looks to be some kind of software bug. Also a feature probably not a lot of people actually use and have knowlwedge about.
Maybe you are looking for
-
how can I plug my wifes phone puged into itunes when mine seems like the primary?
-
Upload an Excel file in CSV format but still error please help?
ORA-20001: Excel load run ddl error: drop table "SDF" ORA-00942: table or view does not exist ORA-20001: Excel load run ddl error: So can anybody help me in this regard !Table or views does not exist! So what should I do in this regard ? Thanks in ad
-
Cant someone help with code below on how I can put 2 dates in two textfields with code below. the fields are named Datefrom and Dateto thanks <?php $country=$_REQUEST['SelectDate']; switch($country) case "1" : Datefrom textfield = Datefrom; Dateto; t
-
I created a files in itunes and changed the titles, I doubled up some of the numbers by accident. I used Adobe bridge to rename the files in sequential order, however when I import them into Itunes it still displays them with the old title. If I get
-
Will this fit on a 2011 MBP 13inch ?
500GB 2.5" Western Digital 'Scorpio BLACK' 7200RPM SATA 9.5mm Notebook HD 16MB Cache. Is it possible to replace the stock hard drive with this hard drive in a MBP 13inch.