Privilege mode authentication using Tacacs for Cisco Routers

Similar Messages

• Aaa authentication using tacacs+ for LAP

  WIth Autonomous AP, you can configure aaa authtentication using Tacacs+.
  In lightweight AP, do u have similar function where u authenticate using tacacs+ when u telnet/ssh into the LAP after it is registered to the WLC?
  Rgds
  Eng Wee

  There really isn't anything you can do on the LAP through telnet/ssh.  You can enable TACACS for access to the controller.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

• FWSM: AAA authentication using TACACS and local authorization

  Hi All,
  In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
  We have created users on TACACS and  not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
  Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
  "privilege show level 1 mode exec command access-list"  in the config.
  Is there anything i am missing or is there any other way of doing it?
  Thanks.

  You cannot do what you are trying to do. For (default login you need to use the first policy matched.
  you can diversify telnet/ssh with http by  creating different aaa groups.
  But still you will be loging in for telnet users (all of them) using one method.
  I hope it is clear.
  PK

• Use Tacacs+ for Admin auth & Radius for user Auth?

  Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
  If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.

  dont know about 1200s but you can do this on 1130AGs. Create a aaa group for authentication via radius, and one for tacacs+ then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
  eg:
  aaa group server radius rad-group
  server x.x.x.x auth-port xxxx acct-port xxxx
  aaa group server tacacs+ admin-access
  server x.x.x.x
  aaa authentication login eap-method group rad-group
  aaa authentication login auth-admin-access group admin-access local
  aaa authorization exec default group admin-access local
  now under the ssid part of the config have:
  dot11 ssid yyyyyy
  authentication open (or whatever method you use) eap eap-method
  under console/vty etc:
  login authentication auth-admin-access
  you need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs dont use aaa auth for http(s), looks like it overloads the aaa server at the moment - see field notices - probably doesnt apply to 1200s.

• About 802.1x port authentication using TACACS+

  Hi
  I have some question. Please help me. Thanks.
  Question1. May I use that 802.1x port authentication using TACACS+
  Question2. Is it true? TACACS+ will not work with 802.1x because EAP is not supported in TACACS+, and there are no plans to get EAP over TACACS+.
  Any help would be greatly appreciated.
  Thanks.

  Thanks to you.
  Where to find the documents about Tacacs+ doesn't support EAP?
  I cast more time and I cannot find the documents.
  Please help me....
  Thanks.

• Facing issue in using SNMPV3 on Cisco Routers

  Hi,
  Actually, i am trying to implement SNMPV3 on Cisco Routers & Switches to manage & monitor these devices in a more secure manner using NMS called Orion (NPM) Network Performance Monitor.
  When i am going to add the node on Orion (NPM), it is showing me an error that the device does not support the interfaces MIB.
  The Routers IOS Version and its feature set is as under:
  Cisco 3800 & 2800 (IOS version 12.4(20)T2 Advance IP Services).
  Configuration as under:
  snmp-server DEPT_GRP V3 auth context DEPT_CTX read DEPT_VIEW
  snmp-server view DEPT_VIEW iso included
  snmp-server view DEPT_VIEW internet included
  snmp-server view DEPT_VIEW interfaces included
  snmp-server view DEPT_VIEW system  included
  snmp-server view DEPT_VIEW chassis included
  snmp-server context DEPT_CTX
  snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
  snmp-server host 213.42.48.158 version 3 auth SNMPADMIN
  At Orion parameters are given as under:
  username :- SNMPADMIN
  SNMPV3 context :- DEPT_CTX
  SNMPV3 Authentication :- SHA1
  SNMPV3 Privacy/Encryption :- DES56
  Password Key :- cisco123 (All the places)
  Kindly help me out and advise me where i am going wrong. Kindly check the configuration above is anything missing in it regarding the SNMPV3 configuration.
  Rgds,
  Ayaz Ali

  Hi Joe,
  Thanks for your response. As per your reply, i had removed the context and views which were configured earlier on the router and followed the same instructions as you mentioned in your reply, but i would like to tell you one thing about the configuration that i had done for snmp v3.
  Your configuration is :-
  snmp-server group DEPT_GRP v3 auth read v1default
  snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
  My Configuration is :-
  snmp-server group DEPT_GRP v3 priv read v1default
  snmp-server user SNMPADMIN DEPT_GRP v3 auth sha cisco123 priv des cisco123
  In your configuration, you are using Authentication (Auth) for the SNMP v3 group and if u select auth (Keyword) then you have to only provide authentication method (SHA,MD5) no privacy keys for encryption (DES,AES) in snmp user configuration, otherwise it will give you an error that credential not matched on the host when you try to poll the device.
  In my configuration, I am using privacy (priv) for the SNMP v3 group, thats why i had given both authentication and encryption keys under SNMP user configuration.
  In short, user settings are dependent on the group settings if you are using auth then it only support authentication but no privacy and if you are using priv then it allow both authentication and encryption (privacy).
  Thanks for your support, it really helped me out in solving the issue. Now, i am able to poll my all routers using snmp v3.
  Rgds,
  Ayaz Ali

• WAAS Authentication using TACACS+

  Hi,
  I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
  After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS ( I used to change config in Sw and routers).
  I dont know if I am missing a step to config this feature either on the WAAS or the ACS.
  Thanks,

  TACACS really only provides a single "A"  Authentication.
  Are you allowed or not....
  in order to provide Authorization, you need to still create the account in CM. and provide a role and domain in the user config.
  Leave the Local user check box "unchecked" if you plane to use TACACS to Authenticate.
  Im sure there is a way to provide authorization through complex custom attributes but it achieves the same goal via CM. once authenticated.

• How to find useful MIBs for Cisco Devices?

  Hi,
  I am setting up a new Monitoring System (CA Netvoyant). It has some default Cisco monitoring capabilities ( I believe these are soem standard MIBs).  I am wondering how can I add more useful Cisco MIBs for the devices I have in my network. There are thousands of MIBs and it looks like it is not easy at all to find the useful ones.
  For example the MIBs that can give you Emergency and up to warning level information, cpu, memory, interface errors, module failures (in case of Cat 6500), FWSM, BGP, VPN tunnel status notifications. Is there a list of useful MIBs for each device type, like Cat 6500, ASA5540, Cat 3750-E etc depending on IOS Image?
  Any help in setting up the SNMP monitoring system would be really helpful.
  Thanks

  If there is a MIB for it, most SNMP Capable Management servers can poll them.
  This can be such as FHRP states, Routing Peers, ASA Failover status, Seriel numbers for inventory purposes.
  The potential is almost endless, it just depends what you should monitor to ensure you are in the know when your network hiccups.
  Here is a link to the IOS MIB Viewre    
  http://tools.cisco.com/ITDIT/MIBS/MainServlet
  CCNP, CCIP, CCDP, CCNA: Security/Wireless
  Blog: http://ccie-or-null.net/

• Issue with Authentication using JAAS for coherence

  Hi,
  I have configured security frame work using JAAS for storage enabled node,
  I am using keystore for authenticating the users, Below is the code used for authentication,
      Subject subject;
          try{ subject = Security.login(sUsername, sPassword.toCharArray()); }
          catch (Throwable t){
              subject = null;
              log("Authentication error:");
              log(t); }
          if (subject != null)
              for (Iterator iter = subject.getPrincipals().iterator(); iter.hasNext(); )
                  Principal principal = (Principal) iter.next();
                  log("Principal: " + principal.getName());
          Security.runAs(subject, new PrivilegedAction()
              public Object run()
                  NamedCache cache = CacheFactory.getCache(CACHE_NAME);
                  boolean flag = true;
                  while (flag) {}
                  return null;
              });and i am calling the above class in the callback handler which is defined in coherence operation descriptor.
          <security-config>
                  <enabled system-property="tangosol.coherence.security">true</enabled>
                  <login-module-name>TestCoherence</login-module-name>
                   <access-controller>
                  <class-name>com.tangosol.net.security.DefaultController</class-name>
                          <init-params>
                          <init-param id="1">
                          <param-type>java.io.File</param-type>
                          <param-value>config/keystore.jks</param-value>
                          </init-param>
                          <init-param id="2">
                          <param-type>java.io.File</param-type>
                          <param-value>config/permissions.xml</param-value>
                          </init-param>
                          </init-params>
                   </access-controller>
                   <callback-handler>
                          <class-name>Test</class-name>
                   </callback-handler>
           </security-config>I am using the following command line parameters for bringing up the storage enabled node.
  -Dtangosol.coherence.security.permissions="$CONFIG_PATH/permissions.xml" 
  -Dtangosol.coherence.security.keystore="$CONFIG_PATH/keystore.jks" 
  -Djava.security.auth.login.config="$CONFIG_PATH/login.config" 
  -Dtangosol.coherence.security=trueNow till the callback handler thread is alive, storage enabled node will be up. As soon as the call back handler thread dies. Storage enabled node stops with the following error,
  Exception in thread "main" java.lang.SecurityException: Authentication failed: Error initializing keystore
  at com.tangosol.coherence.component.net.security.Standard.loginSecure(Standard.CDB:36)
  at com.tangosol.coherence.component.net.security.Standard.getTempSubject(Standard.CDB:11)
  at com.tangosol.coherence.component.net.security.Standard.checkPermission(Standard.CDB:18)
  at com.tangosol.coherence.component.net.Security.checkPermission(Security.CDB:11)
  at com.tangosol.coherence.component.util.SafeCluster.ensureService(SafeCluster.CDB:6)
  at com.tangosol.coherence.component.net.management.Connector.startService(Connector.CDB:25)
  at com.tangosol.coherence.component.net.management.gateway.Remote.registerLocalModel(Remote.CDB:8)
  at com.tangosol.coherence.component.net.management.gateway.Local.registerLocalModel(Local.CDB:8)
  at com.tangosol.coherence.component.net.management.Gateway.register(Gateway.CDB:1)
  at com.tangosol.coherence.component.util.SafeCluster.ensureRunningCluster(SafeCluster.CDB:50)
  at com.tangosol.coherence.component.util.SafeCluster.start(SafeCluster.CDB:2)
  at com.tangosol.net.CacheFactory.ensureCluster(CacheFactory.java:948)
  at com.tangosol.net.DefaultConfigurableCacheFactory.ensureService(DefaultConfigurableCacheFactory.java:748)
  at com.tangosol.net.DefaultCacheServer.start(DefaultCacheServer.java:140)
  at com.tangosol.net.DefaultCacheServer.main(DefaultCacheServer.java:61)
  Please let me know where should i pass the credentials to the default cache server for authentication or should i change the any implementation of authentication here.
  Thanks in advance,
  Bhargav

  Bhargav,
  Rather than trying to loop forever in a callback handler try this
  import com.tangosol.net.CacheFactory;
  import com.tangosol.net.DefaultCacheServer;
  import com.tangosol.net.security.Security;
  import javax.security.auth.Subject;
  import java.security.PrivilegedExceptionAction;
  public class SecureCacheServer {
      public static void main(final String[] args) throws Exception {
          LoginContext lc = new LoginContext("Coherence");
          lc.login();      
          Subject subject = lc.getSubject();
          Security.runAs(subject, new PrivilegedExceptionAction() {
              public Object run() throws Exception {
                  DefaultCacheServer.main(args);
                  return null;
  }Then when you start your cache server just use the SecureCacheServer class above rather than DefaultCacheServer
  As the main method of DefaultCacheServer is running in a PrivilegedExceptionAction Coherence will use this identity anywhere it needs to do anything secured.
  I hope the code above compiles OK as it is a modified version of the code I really use.
  Hope this helps
  JK

• Using ACS for Cisco Prime authentication

  I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
  Any pointers?

  The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
  Administration > AAA > TACACS+ Servers > add tacacs server.
  Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
  The bulk of the configuration is on the authentication server side, particularly indefining groups, services and authorization tasks.  This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
  "Configuring ACS 4.x"
  http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
  https://supportforums.cisco.com/docs/DOC-17909
  In case it doesn't work, please get the logs from the ACS reports and monirtoring for tacacs authentication and error message while accessing cisco prime.
  Jatin Katyal
  - Do rate helpful posts -

• Using TACACS+ for AAA on Cisco ASA

  Hello -
  I have compiled the TACACS+ server software (downloaded from ftp.cisco.com a while ago) und looking for any hints how to configure roles for full access, read-only access for our ASA firewalls. Does anybody have configuration examples for the tacacs+ configuration and the ASA configuration? Any hints are welcome.
  Many thanks in advance!
  Regards,
  Stefan

  Have a look at the attached doc
  Narayan

• Manually start RADIUS, Authentication and groups for Cisco ASAs

  I am testing moving a 10.7 server to 10.8.
  We have used RADIUS to authenticate VPN traffic on our Cisco ASAs in the past.  In the past Server Admin allowed for our ASAs to be added manually to the list of devices using the service.  With Server Admin being removed and the limited funtionality of automated addition of Airports to the system I have no GUI method to get our ASAs into the service.  The ability to tell RADIUS which groups are using the service is no longer available in the GUI as well.
  I have found the clients file in /etc/raddb and added our ASAs to the clients list.  I believe I have done this correctly in accordance with the instructions on the freeRADIUS website.
  I need help with:
  1- I was hoping someone knows how to manually tell RADIUS which groups are permitted to use the service.
  2- Can anyone tell me how to turn on RADIUS?  radiusconfig -start appears to only tell the system to keep it on after a restart if i understand the manual page.
  Thanks

  With David's suggestion I was able to get RADIUS running.  The following assumes that you are comfortable with Terminal and would be able to back up any files you edit.  Here is what I did to our fresh installation of 10.8 Server:
  In Terminal enter "sudo radiusd -Xx" which tries to turn RADIUS on and runs it with full logging of activity in the window.  The last line after this entry should be something similar to "Ready to process records."  In our new installtion there were errors relating to "instantiating" sql and the ready message never came.
  In Terminal enter "sudo pico /etc/raddb/radiusd.conf" and authenticate as needed.  Scroll down in the file to the section where there are "instantiate" items.  I commented out the SQL setup, by putting a # before the line that says "sql".  Save the file by pressing Control-O, press return to save in the default location, and press Control-X to get out of the editor.  I redid step number 1 twice and eventually RADIUS was running.  Removing SQL from RADIUS will assure that problems will arise if you plan to use Server.app to add AirPorts to the network in the future.  OS X Server adds its clients in an SQL database according to the programming notes in the .conf files.  I will only be using our Cisco ASAs so SQL is not relevant to our setup.
  Testing the running RADIUS server was easy as well.  In Terminal enter "sudo pico /etc/raddb/users" and authenticate as needed.  This file contains details for users if you wanted to add them manually to the RADIUS server.  For testing purposes I removed the # before a line referring to a user "steve."  I had to get RADIUS restarted to take up the new information about Steve.  I killed the process using Activity Monitor and reran step number 1.
  In Terminal I opened a new tab and entered "sudo radtest steve testing localhost 0 testing123 -t".  You should get back a positive authentication message.  Switching back to the original tab will show the output of the RADIUS server.
  Reverse the entry in step 3 by adding back the # to comment out the line about steve in the users file.
  RADIUS is now running and authenticating against its own users file.
  Now we need to add our ASAs to the RADIUS server so it knows that it can authenticate for them.  In Terminal enter "sudo pico /etc/raddb/clients.conf".  We added lines for our ASAs, following the samples in the code.  The information in the lines we added included a generic name for each ASA or device needing RADIUS type authentication, its IP address, and the shared secret for device authentication.
  Following David's advice from above I created the RADIUS sacl by entering in Terminal "sudo dseditgroup -q -o create -u <admin user> -P <admin password> -n . com.apple.access_radius".  This created the sacl for the service.  Editing of the associated users and groups permitted to use the service was able to be done in Server.  Be sure to select from the View menu "Show system accounts".  Selecting "Groups" from the left margin of the Server window will show all of the SACLs along with any groups you have created.  The RADIUS sacl can then have groups and users added to it.
  To ensure that RADIUS is running and stays running enter the following in Terminal.  First, "sudo radiusd.conf" will start RADIUS without logging in the Terminal window.  Then, "sudo radiusconfig -start" to tell the system to keep it running and also run after a reboot.
  I made no changes to our ASA settings and found that I was able to authenticate the "Steve" user from the RADIUS test in the ASA.  I was also able to authenticate a user which had been added to the "Users" in Server.  It appears that the ASA will be permitted to authenticate Open Directory users without additional setup.
  I now need to set up our user groups to match those we use in our 10.7 server and add them to the RADIUS SACL and we should be set.
  Once I have everything running properly, I will add a post here to close this discussion.
  If anyone can shorten this procedure please let us know what you suggest.
  -Erich

• Video/Voice Conference -8 Error Explained for Cisco Routers

  I cannot tell you how long I have spent trying to figure out this problem. We have a bunch of macs sitting behind a NATed Cisco 2811 router, and iChat will just never work, throwing the good ole' -8 error.
  Having a good understanding of SIP, I decided to get down an dirty with the investigation of why iChat doesn't work behind some routers, while it does on others.
  iChat uses SIP, but as I have found, Apple's implementation of it does not completely honor the RFC. This is the root cause of iChat not working behind enterprise grade routers that have SIP ALG activated (details later).
  Apple uses its own flavor of NAT traversal: SNATMAP. This is an Apple service that is utilized every time a video/voice conference is created from iChat. For those of you familiar with SIP, SNATMAP essentially performs the same function as a STUN server. This service abstracts the port specifications necessary to get around NATs to a server on the public Internet.
  With some routers, this SNATMAP seems to work fine. With others, not so much. I honestly don't have too deep of an understanding of SNATMAP so I cannot get into too much detail as to why it doesn't work with some routers. If anyone knows, please chime in!
  I can, however, clearly indicate why it doesn't work behind routers that have a SIP ALG, which essentially has the intelligence to pick apart to SIP packet to make them NAT friendly. Basically, there is a portion of SIP packets called the SDP (Session Description Protocol) that provides all of the information necessary to set up the voice and video stream. The SIP RFC calls for this section to include information like the connection IP address, port, video codec, audio codec, etc. HOWEVER, Apple's implementation of iChat DOES NOT INCLUDE THE PORT IN THE SDP. Therefore, when a SIP ALG tries to intelligently convert the port, it isn't there to change. Even if it does manage to insert a port number into the SDP, the iChat client receiving the SIP packet doesn't respect that port number and just dumbly sends the request back to the default SIP port (5060).
  Here is a little flow of the process:
  1. A SIP packet is sent out from iChat to the cisco router
  2. Cisco intercepts the packet, changes the private IP address of my computer to the public IP address of the interface, and changes the port to one that it assigns on the public interface. So, basically the SIP packet enters the cisco with the SDP info like 192.168.100.137:5060 and leaves the Cisco like <public IP>:1877.
  3. On the receiving end, the SIP packet and SDP section is read with our DSL connection's public IP address, so when it tries to make contact back, requests are sent to the DSL public IP address and not an unrouteable private IP. Also, it sends to the port specified in the SDP section.
  4. When a packet comes in from the peer, the destination is something like <public IP>:1877. The cisco NAT translation table remembers that things destined to port 1877 should be converted to 192.168.100.137 on port 5060. The SDP section of the SIP packet is modified and things are peachy.
  5. This happens back and forth for all SIP messages that traverse the NAT.
  iChat is not SIP RFC compliant which is why we are having these natting issues. iChat does not specify a port in the SDP portion of the SIP messages it is sending out: a big no-no. Therefore, when the recipient iChat is sending back its requests to 207.182.233.32, it is sending it to port 5060 instead of assigned port 1877. The public port 5060 is blocked, and is not routed to any specific computer, resulting in a timeout. Here is the Cisco output 'debug ip nat sip'
  001892: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] processing INVITE message
  001893: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] register:0 door_created:0
  001894: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] translated embedded address 192.168.100.138-><public IP>
  001895: .Oct 2 22:53:04.108 PCTime: NAT: SIP: [0] No port present. Use new port 5060->1210
  As you can see, it is processing the INVITE request and translating the internal IP address to the public one.
  However, it reports no port present, meaning that the port specification in the SDP section of the SIP packet is not present. It does a port translation because it feels obligated to, but iChat doesn't respect that on the other end and sends to 5060 anyway which is not mapped to any specific internal IP addess, so, alas, it doesn't work.
  Now, that being, said, this explains why iChat doesn't work behind SIP ALGs. However, if you are able to disable the SIP ALG (on cisco: 'no ip nat service sip udp 5060'), it still doesn't work. With the ALG turned off, the SDP translations don't occur, but for some reason SNATMAP still doesn't work either. I am thinking that could be due to a nat issue, but I haven't figured that out yet. Anyone's insight would be appreciated!
  Hope this helps anyone out there seeking help / console with iChat Error -8 issues behind an enterprise grade router.
  Hopefully we can figure out why iChat's SNATMAP implementation doesn't work with a Cisco NAT next...

  Hi
  Ok for the Homehub's.
  UPnP should be enabled.
  Set the Quicktime streaming setting, goto sys prefs/quicktime/streaming/streaming speed, set to 1.5mbps(dont use automatic)
  In ichats prefs click on video and change bandwidth limit to NONE.
  Goto to sys prefs/sharing/firewall and turn on(dont add any ports for ichat, leave anything that is ticked ticked).
  Restart ichat.
  And try connecting to me defcom1 .mac account.
  Tony

• Remote Command Tool for Cisco Routers/Switches

  Is anyone aware of any tools or scripts out there which allow preconfigured commands to be remotely run again Cisco Router/Switches and display the output result?
  I'm looking for a tool which I can give our Service Desk personnel that will allow them to select from a list of commands enter a target IP Address of a router/switch and then the tool will display the vlan table or the running config of a particular switch-port so they can see if its configured on the correct data vlan or its missing its voice vlan etc.
  For example a Service Desk Operator needs to check what vlan a switch-port is on. So they open the tool, enter the switches IP address and the port number and select an option like "display a switch-ports vlan" and the tool will login into the switch in the background run a show command on the switch and then output the result.
  Thanks.

  Check out rConfig. You will be able to run multiple instances of it i.e. one instance for your standard configuration backups and another for more specific configuration downloads info like show vlan bri commands etc for service desk staff to view.
  You could also use the IOS menu function and create menus or role based access on each of your devices for your users.
  Regards
  Stephen
  ==========================
  http://www.rConfig.com 
  A free, open source network device configuration management tool, customizable to your needs!
  - Always vote on an answer if you found it helpful

• Use cases for Cisco HWIC-3G for WWAN

  We are exploring the option of using WWAN via the HWIC-3G cards for a backup to our T1 MPLS circuits. I would like some feedback on how the cards and the WWAN 3G service is working for others. Is anybody seeing decent response times in the 150-100ms range?

  Make sure that here is the restrictions for Configuring the 3G Wireless HWIC
  The following restrictions apply to configuring the Cisco Wireless HWICs:
  • Data connection can be originated only by the 3G wireless HWIC. Remote dial-in is not supported.
  • Throughput-due to the shared nature of wireless communications, the experienced throughput varies depending on the number of active users or congestion in a given network.
  • Cellular networks have higher latency compared to wired networks. Latency rates depend on the technology and carrier. Latency may be higher because of network congestion.
  • VoIP is not currently supported.
  • Any restrictions that are a part of the terms of service from your carrier.