RADIUS or TACACS Server Recommendations
Can anyone point to a good, inexpensive RADIUS or TACACS server solution that runs on Windows? Cisco ACS is a bit more money than is wanted to part with at the moment.
Thanks in advance. All replies rated.
I guess that is the case only with W2K3 STD, where the number of RADIUS/AAA clients is limited to 50.
NPS provides different functionality depending on the edition of Windows Server 2008 that you install:
Windows Server 2008 Enterprise and Windows Server 2008 Datacenter. These server editions include NPS. With NPS in Windows Server 2008 Enterprise and Windows Server 2008 Datacenter, you can configure an unlimited number of RADIUS clients and remote RADIUS server groups. In addition, you can configure a group of RADIUS clients by specifying an IP address range.
Windows Server 2008 Standard. This server edition includes NPS. With NPS in Windows Server 2008 Standard, you can configure a maximum of 50 RADIUS clients and a maximum of two remote RADIUS server groups. You can define a RADIUS client by using a fully qualified domain name or an IP address, but you cannot define groups of RADIUS clients by specifying an IP address range. If the fully qualified domain name of a RADIUS client resolves to multiple IP addresses, the NPS server uses the first IP address returned in the Domain Name System (DNS) query.
~BR
Jatin Katyal
**Do rate helpful posts**
Similar Messages
-
IP address sent to TACACS server
We set up a TACACS server on our network to control console and telnet access to routers and switches. Most of our remote routers have multiple WAN paths to the TACACS servers and may present a different IP address depending on which path is available or least busy. This causes an authentication failure that denies access to the equipment. Is there a way to configure the router to always send a specific address, either a loopback or an internal LAN IP?
Hi
FYI,
Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station based on the network device's IP address or name, or the network device group that it belongs to.
The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.
The IP address is a protocol-agnostic attribute of type IPv4 that contains a copy of the device IP address obtained from the request:
–In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains the IP address from the packet that it receives.
–In a TACACS request, the IP address is obtained from the packet that ACS receives. -
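The precedence the reply above describes (NAS-IP-Address, then NAS-Identifier, then the address the packet arrived from) is easy to get wrong when reading server logs. The following is an added example, not code from the thread or from ACS: a small RADIUS attribute walk that returns which of the three sources identified the AAA client. The packets are constructed for the demo, with a zeroed authenticator, and the attribute numbers are the standard RFC 2865 ones.

```python
"""Added example, not from the thread: pull the AAA-client identity out of a
RADIUS request in the order the reply above describes for ACS (NAS-IP-Address,
attribute 4; then NAS-Identifier, attribute 32; then the packet's source IP).
The packets below are constructed for the demo; the authenticator is zeroed."""
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 4, 32
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16), RFC 2865


def parse_avps(packet: bytes) -> list:
    """Return [(type, value)] for every attribute, validating the TLV walk
    against the packet's own length field."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    avps, off = [], HEADER_LEN
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[off], packet[off + 1]
        if l < 2 or off + l > length:
            raise ValueError("attribute overruns packet")
        avps.append((t, packet[off + 2:off + l]))
        off += l
    return avps


def device_identity(packet: bytes, src_ip: str) -> tuple:
    """(source, identity) following the ACS precedence quoted above."""
    first = {}
    for t, v in parse_avps(packet):
        first.setdefault(t, v)          # first occurrence of each attribute wins
    if NAS_IP_ADDRESS in first and len(first[NAS_IP_ADDRESS]) == 4:
        return "NAS-IP-Address", str(IPv4Address(first[NAS_IP_ADDRESS]))
    if NAS_IDENTIFIER in first:
        return "NAS-Identifier", first[NAS_IDENTIFIER].decode("ascii", "replace")
    return "source-ip", src_ip


def build_request(attrs: list, ident: int = 1) -> bytes:
    """Constructed Access-Request: zero authenticator, attrs as [(type, bytes)]."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(body))
    return header + bytes(16) + body


# Three constructed requests: both identity attributes, identifier only, neither.
PKT_BOTH = build_request([(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),
                          (NAS_IDENTIFIER, b"rtr-branch-1")])
PKT_IDENT = build_request([(USER_NAME, b"alice"), (NAS_IDENTIFIER, b"rtr-branch-1")])
PKT_NONE = build_request([(USER_NAME, b"alice")])

if __name__ == "__main__":
    for name, pkt in (("both", PKT_BOTH), ("ident", PKT_IDENT), ("none", PKT_NONE)):
        print(name, device_identity(pkt, "192.0.2.9"))
```

Because the attribute is taken over the transport source for RADIUS, the client entry on the server has to match what the device puts in attribute 4, not whichever WAN address the packet happens to leave from; for TACACS+, where only the packet source counts, the device itself has to be pinned. On IOS that is done with `ip tacacs source-interface Loopback0` (and `ip radius source-interface Loopback0` for RADIUS), which the reply above does not mention.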
LMS 4.0/4.1 as tacacs server
Hi, just a quick one: I've been looking to consolidate a number of management products and LMS seems to tick nearly all of them off except the TACACS requirement. I've been looking through various LMS guides trying to find out if LMS can act as a TACACS server, as I would like to get rid of the current Unix system, or do I need to use another solution? If so, can anyone suggest something that works well with LMS...
Thanks.
LMS does not include a TACACS+ or any other AAA server. It is strongly recommended that you do not install one alongside the LMS server on the same logical server. The reason for this is that you do not want NMS maintenance to affect your network access. You also want to limit the number of potential attack vectors one could use to compromise your AAA server.
The leading recommendation is to put your AAA application on a dedicated physical server with strict physical and network access restrictions. If that is not possible, at least dedicate a virtual machine for AAA. -
Migrating from Linux based Tacacs+ server to Cisco ACS 1113 appliance
I'm trying to migrate my configuration from a Linux based Tacacs+ server to the Cisco ACS 1113 appliance. Does anyone have any recommendations.
Thanks.
Hi
We (extraxi) offer migration and general consultancy for ACS if you need professional help.
www.extraxi.com/contact.htm -
IOS Access Point Bombards TACACS+ Server with Requests
Problem: When using the web GUI to manage an IOS access point such as the AP350, AP1100, or AP1200, and when using TACACS+ to authenticate the HTTP accesses, the access point will send numerous authentication requests to the TACACS+ server for each web page accessed.
The workaround given by Cisco was to use the single-connection TACACS server option.
My question:
How do I implement this command? Is it as below?
"tacacs-server host x.x.x.x single-connection port 49 key test"
I've tried using this command but I'm still getting numerous authentication requests.
Any help?
regards,
Ganesh
We experienced similar problems. We were instructed to use local authentication at the current time. Something about HTTP requiring authentication for each part of the page that accesses data. The configuration line is:
ip http authentication local
The single connection did not help. We were also advised that if we required ACS HTTP authentication to use RADIUS, because it scaled better than TACACS and would not be as impacted as TACACS. If neither of these is an option, another workaround is to disable logging of "passed authentications". We tested this and it prevented our ACS server from pegging the CPU, memory and I/O write queues. We opted for local authentication because the lack of "passed authentication" logs impacted our troubleshooting.
Good Luck
Gerry -
Greetings,
We are running UCS Manager 2.1(3c) and are currently using RADIUS authentication to an ACS4 server.
We are in the process of upgrading to ACS5.6 and my question is around the authentication and accounting protocols.
Q: Which is best, or suitable - RADIUS or TACACS?
I know in the past there have been limitations of both protocols for various functions. We have simple needs... 2 levels of RBAC - Full Read-Write access (Administrator as defined in local UCS parlance) and Read-Only (Operations as defined locally on UCS).
Given those parameters, would TACACS be suitable, and will that give sufficient accounting functionality?
Thanks in advance.
Reece -
How to configure management authentication on IAP using Tacacs Server?
Requirement:
Instant access points come with a default username and password, i.e. admin/admin. This does not go a long way as IAPs start finding their place in campus and corporate networks.
With many administrators managing and monitoring the clustered IAP networks, TACACS or Active Directory based authentication is more useful.
Solution:
Keeping this in view, the IAP development teams have integrated TACACS and RADIUS based management authentication.
Configuration:
Follow the steps below to configure TACACS authentication on the IAP:
Log in to the IAP web interface.
Select "System" from the main menu and then click on the "Admin" tab.
Under Local Authentication, select "Authentication Server".
Under "Auth Server 1", select "New Server".
Fill in the name, IP address and shared key for the TACACS server and click OK.
Verification
Log out of the IAP web interface and try logging in using the username and password on the TACACS server.
I was having trouble with this as well when a customer had an older Aruba controller and 2 access points. We went with a couple of IAP-205s and needed LDAP integration. Using the above configuration there were some additional items needed. I found that I needed the DISPLAY NAME of the admin for the Admin-DN. I had created a user with the first name Aruba and the last name LDAP. This made the DISPLAY NAME "Aruba LDAP". This is what needs to be in the CN= for the Admin-DN.
I also found there is a difference in using the CN= and OU=. Currently our admin account is in the Users group, which is a "Container". Our actual user accounts are stored in an Organizational Unit with sub-OUs as well. So the Admin-DN needed the CN=Users and the Base-DN needed the OU=MyUserOU.
For the Windows machines I had to download and install the Aruba GTC Shim because the customer was previously using GTC and they were not going to a RADIUS server at the moment. My Android phone and iPhone did not need any additional add-ins for the authentication. On the Windows laptop I am using I needed to manually create a wireless profile with:
Security tab > "Choose a network authentication method:" Microsoft: Protected EAP (PEAP)
Settings > select "Trusted Root Certification Authorities": GeoTrust Global CA
Select Authentication Method: EAP-Token (this is the Aruba GTC Shim)
This allowed me to use my domain login credentials: Username, Password, Domain (this is blank because the Base-DN already has this; if anything is put in here the authentication fails).
-
How have multiple NDGs for same tacacs+ server
I have Secure ACS 4.2 installed. I am using it for VPN access with RADIUS and TACACS+ access for network device management. I want to set up multiple NDGs but have them all use the same ACS TACACS+ server. How do I do that? Each time I add a new NDG and try to add an AAA server with the same IP and TACACS+ it tells me it overlaps with one currently configured.
You cannot add the same device again with the same authentication method.
BUT
You can add the same device with a different authentication method. See the example below:
1
Name--->device
IP ----> 1.1.1.1
secret---->xxxxx
Authenticate using --->Radius IETF
2
Name--->device1
IP ----->1.1.1.1
secret ----->x.x.x.x
Authenticate using---->tacacs IOS
Also, the same device cannot be a part of more than one NDG.
Regards,
~JG
Do rate helpful posts -
Not able to log in to router using SSH when TACACS server is down
When the TACACS server is not reachable the router is not allowing the local password to log in using SSH. The router's SSH debug says authentication is successful but the SSH client gets a "% Authorization failed" message and disconnects.
Kindly see the debug output and config below.
SSH server end:
Sep 1 13:25:10.161: SSH1: starting SSH control process
Sep 1 13:25:10.165: SSH1: sent protocol version id SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: protocol version id is - SSH-1.5-Cisco-1.25
Sep 1 13:25:10.241: SSH1: SSH_SMSG_PUBLIC_KEY msg
Sep 1 13:25:10.397: SSH1: SSH_CMSG_SESSION_KEY msg - length 112, type 0x03
Sep 1 13:25:10.397: SSH: RSA decrypt started
Sep 1 13:25:10.925: SSH: RSA decrypt finished
Sep 1 13:25:10.925: SSH: RSA decrypt started
Sep 1 13:25:11.165: SSH: RSA decrypt finished
Sep 1 13:25:11.197: SSH1: sending encryption confirmation
Sep 1 13:25:11.197: SSH1: keys exchanged and encryption on
Sep 1 13:25:11.269: SSH1: SSH_CMSG_USER message received
Sep 1 13:25:11.269: SSH1: authentication request for userid rao
Sep 1 13:25:16.297: SSH1: SSH_SMSG_FAILURE message sent
Sep 1 13:25:17.313: SSH1: SSH_CMSG_AUTH_PASSWORD message received
Sep 1 13:25:17.317: SSH1: authentication successful for rao
Sep 1 13:25:17.413: SSH1: requesting TTY
Sep 1 13:25:17.413: SSH1: setting TTY - requested: length 25, width 80; set: length 25, width 80
Sep 1 13:25:17.525: SSH1: SSH_CMSG_EXEC_SHELL message received
Sep 1 13:25:17.525: SSH1: starting shell for vty
Sep 1 13:25:25.033: SSH1: Session terminated normally
SSH Client end Log:
% Authorization failed.
[Connection to 10.255.15.2 closed by foreign host]
Config:
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip domain-name cbi.co.in
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
password xxxx
transport input telnet ssh
Kindly reply with your views.
I believe that the key to understanding your problem is to recognize the subtle difference between authentication and authorization. The authentication process appears that it does succeed but the authorization process has failed according to your error message:
% Authorization failed.
I see that most of your authorization commands include the parameter if-authenticated. But this command does not:
aaa authorization config-commands
I would suggest that you add the if-authenticated parameter to this command and see if it does not fix your problem.
HTH
Rick -
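The distinction Rick draws between authentication and authorization comes down to how each method list in the config above behaves once `group tacacs+` cannot answer. The following is an added example, not code from the thread or from Cisco: a small Python model of the IOS method-list walk (a method that returns ERROR, for instance because no server replied, hands off to the next method; PASS or FAIL ends the walk; a list in which every method errors denies the request) together with a parser for the `aaa` lines quoted above. `aaa authorization config-commands` is a global on/off keyword with no method list, so the parser skips it. The credential outcomes in SERVER_DOWN are assumptions for the demo.

```python
"""Added example, not from the thread: model of how IOS walks an AAA method
list, used to check which lists in the config above can still reach a
decision when the TACACS+ server is unreachable. Rule modeled: ERROR (method
could not decide, e.g. no server answered) falls through to the next method;
PASS or FAIL is final; if every method errors the request is denied."""
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


METHOD_LIST_PREFIXES = (
    "aaa authentication login",
    "aaa authorization exec",
    "aaa authorization commands",
    "aaa authorization configuration",
)


def parse_method_lists(config: str) -> dict:
    """Map 'authentication login default' -> ['group tacacs+', 'line', 'local'].
    Keyword switches such as 'aaa authorization config-commands' carry no
    method list and are skipped."""
    lists = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(METHOD_LIST_PREFIXES):
            continue
        tokens = line.split()[1:]                 # drop the leading 'aaa'
        key_len = 4 if tokens[1] == "commands" else 3   # 'commands 15 <name>'
        key, rest = " ".join(tokens[:key_len]), tokens[key_len:]
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group":                # 'group <server-group>'
                methods.append(f"group {rest[i + 1]}")
                i += 2
            else:
                methods.append(rest[i])
                i += 1
        lists[key] = methods
    return lists


def try_method(method: str, state: dict) -> Result:
    """Outcome of a single method for the given server/credential state."""
    if method.startswith("group "):
        if not state["server_up"]:
            return Result.ERROR                    # no reply before the timeout
        return Result.PASS if state["server_accepts"] else Result.FAIL
    if method == "line":
        return Result.PASS if state["line_password_ok"] else Result.FAIL
    if method == "local":
        return Result.PASS if state["local_user_ok"] else Result.FAIL
    if method == "if-authenticated":
        return Result.PASS if state["authenticated"] else Result.FAIL
    if method == "none":
        return Result.PASS
    raise ValueError(f"unmodeled method {method!r}")


def run_method_list(methods: list, state: dict) -> tuple:
    """Walk the list; return (final Result, deciding method or None)."""
    for m in methods:
        r = try_method(m, state)
        if r is not Result.ERROR:
            return r, m
    return Result.ERROR, None                      # every method errored: denied


def evaluate(config: str, state: dict) -> dict:
    return {name: run_method_list(methods, state)
            for name, methods in parse_method_lists(config).items()}


def lists_without_fallback(config: str) -> list:
    """Lists made only of server groups: unreachable server means denial."""
    return [name for name, methods in parse_method_lists(config).items()
            if all(m.startswith("group ") for m in methods)]


# The aaa lines from the post above.
CONFIG = """
aaa authentication login default group tacacs+ line local
aaa authentication login NO_AUTH line
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization configuration default group tacacs+
"""

# Assumed state for the demo: TACACS+ unreachable, vty line password known,
# no matching local username, login has already succeeded.
SERVER_DOWN = {"server_up": False, "server_accepts": True,
               "line_password_ok": True, "local_user_ok": False,
               "authenticated": True}

if __name__ == "__main__":
    for name, (result, by) in evaluate(CONFIG, SERVER_DOWN).items():
        print(f"{name:38s} -> {result.value:5s} (decided by {by})")
    print("no fallback:", lists_without_fallback(CONFIG))
```

The useful output is `lists_without_fallback`: any list it names fails closed the moment the server stops answering, which is the behaviour to check for on every router that must stay reachable during an AAA outage. The model treats a timeout as ERROR; on a real router the wait before fall-through is set by `tacacs-server timeout` and the number of servers in the group.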
IOS 15 not working with my TACACS server
Hi All,
I recently made some changes to the way my Tacacs server (ACS4.2) handled groups etc..
This all works fine and when I log onto my devices I get prompted for my credentials, which authenticate against AD. However, since I made these changes none of the devices on IOS 15 now authenticate. I am immediately prompted for a local password rather than a username and password..
I understand that the commands for TACACS changed a bit in IOS 15, but from what I have read and changed I'm still having trouble. Config below from one of the routers I'm having trouble with...
Am I missing something?
aaa new-model
aaa group server tacacs+ ACS1
server name AUTH
aaa authentication login ACS-List group ACS1 local
aaa authorization exec ACS-List group ACS1 local
aaa accounting commands 15 ACS-List
action-type start-stop
group ACS1
aaa session-id common
tacacs-server directed-request
tacacs server AUTH
address ipv4 172.x.x.x
key 7 xxxxxxxx
and on my VTY Lines...
privilege level 15
password 7 151619050826222A2F
authorization exec ACS-List
accounting commands 15 ACS-List
accounting exec ACS-List
login authentication ACS-List
length 0
transport input telnet ssh
I ran those debugs, then tried to login on another telnet session -
Jul 2 15:01:57.278: TPLUS: Queuing AAA Accounting request 1781 for processing
Jul 2 15:01:57.278: TPLUS: processing accounting request id 1781
Jul 2 15:01:57.278: TPLUS: Sending AV task_id=1997
Jul 2 15:01:57.278: TPLUS: Sending AV timezone=SIN
Jul 2 15:01:57.278: TPLUS: Sending AV service=shell
Jul 2 15:01:57.278: TPLUS: Sending AV start_time=1372777317
Jul 2 15:01:57.278: TPLUS: Sending AV priv-lvl=15
Jul 2 15:01:57.278: TPLUS: Sending AV cmd=terminal monitor
Jul 2 15:01:57.278: TPLUS: Accounting request created for 1781(admin)
Jul 2 15:01:57.278: TPLUS: using previously set server 172.x.x.x from group ACS1
Jul 2 15:01:57.278: TPLUS(000006F5)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: socket event 2
Jul 2 15:01:57.630: TPLUS(000006F5)/0/NB_WAIT: wrote entire 144 bytes request
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.630: TPLUS(000006F5)/0/READ: Would block while reading
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: read 0 bytes
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: socket event 1
Jul 2 15:01:57.990: TPLUS(000006F5)/0/READ: errno 254
Jul 2 15:01:57.990: TPLUS(000006F5)/0/3120C74C: Processing the reply packet
Jul 2 15:02:11.658: AAA/BIND(000006F9): Bind i/f
Jul 2 15:02:11.658: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:11.658: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:11.658: TPLUS: processing authentication start request id 1785
Jul 2 15:02:11.662: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:11.662: TPLUS: Using server 172.x.x.x
Jul 2 15:02:11.662: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:12.014: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.014: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:12.366: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:12.366: TPLUS(000006F9)/0/3120C74C: Processing the reply packet
Jul 2 15:02:24.474: AAA/AUTHEN/LOGIN (000006F9): Pick method list 'ACS-List'
Jul 2 15:02:24.474: TPLUS: Queuing AAA Authentication request 1785 for processing
Jul 2 15:02:24.474: TPLUS: processing authentication start request id 1785
Jul 2 15:02:24.474: TPLUS: Authentication start packet created for 1785()
Jul 2 15:02:24.474: TPLUS: Using server 172.x.x.x
Jul 2 15:02:24.474: TPLUS(000006F9)/0/NB_WAIT/3120C74C: Started 5 sec timeout
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: socket event 2
Jul 2 15:02:24.826: TPLUS(000006F9)/0/NB_WAIT: wrote entire 38 bytes request
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:24.826: TPLUS(000006F9)/0/READ: Would block while reading
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: socket event 1
Jul 2 15:02:25.178: TPLUS(000006F9)/0/READ: errno 254
Jul 2 15:02:25.178: TPLUS(000006F9)/0/3120C74C: Processing the reply packet -
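In the TPLUS lines above the router writes a 38-byte authentication START packet and the following read returns errno 254 with no reply: the server closed the TCP session without answering. The following is an added example, not code from the thread or from ACS: it builds the same kind of START packet per RFC 8907 (header, body, and the MD5 pseudo-pad obfuscation keyed by the shared secret) and decodes it the way a server does. With the wrong key the body decodes to noise and fails the length sanity check, which is one common reason for a server to simply drop the connection. Key, session id, user, port and remote address are constructed for the demo.

```python
"""Added example, not from the thread: a TACACS+ authentication START packet
built as the router would send it, and the server-side decode. Layout and the
MD5 pseudo-pad obfuscation follow RFC 8907; key, session id, user, port and
remote address are constructed for the demo."""
import hashlib
import struct

VERSION = 0xC0                          # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01                 # body carried in the clear, no pad
HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1, 1

KEY = b"s3cret-shared-key"              # constructed
WRONG_KEY = b"s3cret-shared-kay"        # constructed: one-character typo
SESSION_ID = 0x0000A5B4                 # constructed; the device picks this at random


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5(session_id || key || version || seq_no [|| prev])
    chained until the pad covers the body."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, data=b""):
    """Device side: seq_no 1, obfuscated body, lengths in the fixed prefix."""
    body = START_FIXED.pack(AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                            len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    header = HEADER.pack(VERSION, TYPE_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)


def server_decode_start(packet: bytes, key: bytes):
    """Server side: strip the header, de-obfuscate with the configured key and
    sanity-check the START body. None means the body does not parse, which is
    exactly what a shared-key mismatch produces."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if version != VERSION or ptype != TYPE_AUTHEN or length < START_FIXED.size:
        return None
    if len(packet) != HEADER.size + length:
        return None
    raw = packet[HEADER.size:]
    body = raw if flags & FLAG_UNENCRYPTED else obfuscate(raw, session_id, key, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = START_FIXED.unpack_from(body)
    if action not in (1, 2, 3) or ul + pl + rl + dl != length - START_FIXED.size:
        return None                      # lengths do not add up: wrong key
    fields = {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc}
    off = START_FIXED.size
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return fields


PACKET = build_authen_start(SESSION_ID, KEY, b"admin", b"tty2", b"192.0.2.10")

if __name__ == "__main__":
    print("right key:", server_decode_start(PACKET, KEY))
    print("wrong key:", server_decode_start(PACKET, WRONG_KEY))
```

The device-side symptom is identical whenever the server drops the session without replying, so the cause has to be read from the server's own log (the ACS failed-attempts report, or tac_plus's syslog) rather than from `debug tacacs`; on the router, `show tacacs` gives the per-server success and failure counters to compare against it.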
VPDN static IP address assign by TACACS server (ACS 2.3 for UNIX)
Is it possible to assign a static IP address to VPDN users from the TACACS server?
If yes, please give me some ideas how to do it?
thanks,
bm
I think that is possible only while using CSACS for Windows but not with CSACS for UNIX. At least I couldn't find anything in the documentation. (CiscoSecure ACS 2.3 for UNIX User Guide http://www.cisco.com/en/US/products/sw/secursw/ps4911/products_user_guide_book09186a00800eb438.html)
-
TACACS+ Server not logging events.
Hi all,
I am having an issue with the tacacs+ server not logging login requests or commands entered. I am running the tac_plus.F4.0.4.alpha release that cisco provides for free on a mandrake 10.1 linux box. I am able to use the server to authenticate logins to the routers but it is not logging those requests.
Here is the config I used on one of our routers.
aaa group server tacacs+ prego
server xxx.xxx.xxx.xxx
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa accounting exec default start-stop group prego
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
ip subnet-zero
Also here is a sh version:
Cisco Internetwork Operating System Software
IOS (tm) 3700 Software (C3725-IS-M), Version 12.2(15)ZJ3, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 25-Sep-03 22:23 by eaarmas
Image text-base: 0x60008954, data-base: 0x61C2C000
ROM: System Bootstrap, Version 12.2(8r)T2, RELEASE SOFTWARE (fc1)
ROM: 3700 Software (C3725-I-M), Version 12.2(8)T10, RELEASE SOFTWARE (fc1)
PRVGW3725 uptime is 10 weeks, 1 day, 7 hours, 35 minutes
System returned to ROM by power-on
System image file is "flash:c3725-is-mz.122-15.ZJ3.bin"
cisco 3725 (R7000) processor (revision 0.1) with 121856K/9216K bytes of memory.
Processor board ID JMX0749L1XC
R7000 CPU at 240Mhz, Implementation 39, Rev 3.3, 256KB L2 Cache
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
2 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
DRAM configuration is 64 bits wide with parity disabled.
55K bytes of non-volatile configuration memory.
31360K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Any help would be great.
Thank you
Joseph Jackson
If you are able to authenticate via TACACS, I would believe that this indicates that there is not a problem with your configuration of the TACACS server(s) (addresses are correct, keys are correct, etc.) and that the TACACS server recognizes the router OK.
So I assume that either there is some problem on the router generating the accounting records, or that there might be a problem on the server receiving and processing the accounting records.
As a next step in investigating this issue I suggest that you run two debugs on the router:
debug aaa accounting
debug tacacs accounting
While the debug is running have someone access the router and login, access privilege mode, and execute several commands. Then post any debug output.
HTH
Rick -
Can't configure tacacs-server port
We're unable to configure a specific port, which is required for our customer for the tacacs-server. One of the devices is a 7604 router running this image -
c7600rsp72043-adventerprisek9-mz.122-33.SRD6.bin. The other device is a 2960 switch with the following image - c2960-lanbasek9-mz.122-35.SE5.bin.
We don't get the option to add a port after the tacacs-server host x.x.x.x command.
Any ideas would be greatly appreciated!
Regards..
Hi
Please go through this link, this will be helpful regarding TCSACS Authentication and Fortigate configuration:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html -
I am trying to set up our Cisco NAMs to authenticate against our open source tac_plus server. I see traffic on port 49 between the NAM and server but I keep on getting an invalid username/password error. I do not see any invalid logon attempts in our tacacs log.
The tacacs server is running and I am able to authenticate against it when I am logging onto our routers and switches. I have created the following group for NAM authentication on the server ("namuser" is able to log onto our routers/switches):
group = nam {
    cmd = web {
        permit capture
        permit system
        permit collection
        permit account
        permit alarm
        permit view
    }
}
user = namuser {
    member = nam
    login = pam
}
Switch config:
aaa new-model
aaa authentication username-prompt login:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key ******** -
Configuring TACACs Server for Cisco VPN 3000
Does anyone know how to get to the configuration setting to specify a TACACs server?
You need to be very careful when setting up this thing. If the AAA server is down for whatever reason, you will NOT be able to log into the Concentrator again. As far as the VPN3k console is concerned, it will let you login with the "admin" account, even though the AAA is up and running. In other words, you can login from the console with both "admin" and AAA accounts at the same time.
What a mess.