TACACS and Cisco ACE Load Balancers authentication ?
Is there a need to have user accounts locally on the Cisco ACE Load Balancers as well as the User accounts on TACACS where it is being authenticated ?
Many thanks
Florrie
Yes.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wpmkr1517596
Similar Messages
-
Cisco ace Load balancer not maintaining session persistence
Hi All,
We have observed from the IIS logs on the internal webservers that loadbalancer is not maintaining session persistence for two specific request for the internal servers.
https://123.xyz.com/Webresource.axd
https://123.xyz.com/ScriptResource.axd
Error
Webresource.axd : 500
Scriptresource.axd: 404
Session persistence is maintained for all other requests hitting loadbalancer.
Issue is observerd on hits for these two specified components. WebResource.axd and ScriptResource.axd are Http Handlers used by ASP.NET and Ajax to add client-side scripting to the outgoing web page.
For e.g /WebResource.axd d=t2GXfySdqWmJ-lZSI0KVbw2&t=634868473645172160 is valid for server 1 and return 200 response but the same request is seen on few other servers where the response is 404 even though load balancer cookie is same. This means that if the request for the both the axd contains a valid decrypter and it connects to the right server then the response seen is 200.
The url passed by the user contains d and t parameters when are unique for each user session.
Solution tried:
Accessed website via another VIP without http redirect rule but could not see difference.
Tried to match machine key across all servers : Failed . Could see the ‘d’ value different for each server.
Load balancer VIP :
x.x.x.x
redirect: http > https
SSL Offload : ON
Poool:
WEB1
WEB2
WEB3
WEB4
WEB5
All servers listening on port 80
sticky config:
sticky ihttp-cookie cookie1 vip-1.1.1.1-80-stickyfarm
cookie insert browser-expire
replicate sticky
serverfarm vip-1.1.1.1_80
sticky http-cookie cookie1 vip-farm:1.1.1.1:443
cookie insert browser-expire
replicate sticky
serverfarm farm:1.1.1.1:443
Has anyone else come across similar issue?
Can you plese check if there is any config on cisco ace that will ensure that session persistence is maintained for these 2 requests.
Thank you for all the help.
regards,
SangramHello Sangram,
We would need simultanous packet traces before and after the ACE to get to the root cause of this issue so I would recommend that you open a cisco tac case for more in depth troubleshooing of this issue.
Joel Lamousnery
CCIE R&S - 36768
Engineer, Customer Support
Technical Services -
T3 Oracle´s proprietary tunneling protocol and Cisco ACE
Does anybody know if it is possible to load balance the T3 Oracle´s proprietary tunneling protocol supported by Oracle Weblogic with Cisco ACE?
TIA,
Claudio UemuraHI Claudio,
I don't know much about T3 protocol, in short you can load balance almost anything really, the issue becomes to how granular and if you can do any intelligent inspection besides source and dest ip and if there are multiple different connections on different ports. These last points sort of decide whether it's worth it.
- If you find the specifics about the connection ( port, type of protocol and type of connection ( long-lived or short lived) you should be able to setup a basic rule to test. A sniffer trace will give you the most information if oracle website does not explain T3 in detail.
- From a quick search there also looks to be a method to encapsulate T3 inside a http packet on weblogic servers, if this were the case then you could do some deep packet inspection with regex etc to get more granular load balancing
http://forums.oracle.com/forums/thread.jspa?threadID=706909
I would think it's defintely worth looking at both options
cheers,
Chris -
Tacacs+ and Cisco 2950 configuration
Hi everyone!
I want to authenticate to my Switch via Tacacs+. It runs fine as long as I define Users and passwords in the /etc/tac-plus/tacacs.conf. But when I try to authenticate against a MySQL DB or the /etc/passwd file, authentication fails.
With the config below, I'm able to login with username fred. In MySQL DB a user 'test' with password ENCRYPT('test') is correctly set up. I use the DB skel which comes with tacacs+ (in Debian it's in /usr/share/docs/tac-plus, manual from http://www.gazi.edu.tr/tacacs/docs/tacacs_db.txt)
My tacacs+ config:
# /etc/tac-plus/tacacs.conf
### TACACS+ Config
# Auth-Key
key = some_key
#default authentication = file /etc/passwd
default authentication = db mysql://user:password@localhost/tacacs/auth?usern&passwd
accounting file = /var/log/tac-plus/account.log
###### USER ######
user = DEFAULT {
default service = permit
#user = DEFAULT {
# service = ppp
# protocol = ip {
# Enable-User
#user = $enable$ {
# login = cleartext test
user = fred {
default service = permit
login = cleartext fred_pw
My Cisco config:
switch#sh ru
Building configuration...
[some info]
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname MySwitch
aaa new-model
aaa group server tacacs+ TACSERV
server 192.168.1.5
aaa authentication login default group TACSERV local line
enable secret secret_enable_pw
username rescue secret secret_rescue_pw
ip subnet-zero
spanning-tree extend system-id
interface FastEthernet0/1
switchport access vlan 180
switchport mode trunk
switchport nonegotiate
no ip address
[some FastEthernet and GigabitEthernet Configuration]
ip default-gateway 192.168.1.1
ip http server
tacacs-server host 192.168.1.5 key some_key
line con 0
exec-timeout 0 0
line vty 5 15
ntp server 192.168.1.60
end
It would be great if someone could help.
Greetings,
FredHi,
I realized that Debian only stores usernames in /etc/passwd - the user's password is stored in /etc/shadow.
I manually edited the passwd file to get the password in. Result: authentication works with /etc/passwd. But when I point to /etc/shadow in the configuration file, authentication doesn't work.
Is there a way to get tacacs+ to use the /etc/shadow properly or to configure Debian not to use /etc/shadow?
The other big problem - authentication against MySQL - doesn't work, yet.
Any Hints?
Thanks,
Fred -
Two isp load balancing on cisco ACE(load balancer)
I don't know much about load balancer(ACE).
Is this is possible to load balance two isp's on load balancer (ACE). If so, how i can do so , any configuration example, or cisco document.Wrong forum, post in "Datacenter". You can move your posting with the Actions panel on the right.
-
SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed
Hello,
i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
Cisco 1802 Router:
Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
no aaa authentication list default
authentication certificate
ca trustpoint CA
as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
any ideas what the problem could be???
here is the configuration:
webvpn gateway WEBVPN_GW_OFFICE2
ip interface Dialer0 port 1444
ssl trustpoint CA
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
webvpn context WEBVPN_CONTEXT2
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
policy group WEBVPN_POLICY2
functions svc-enabled
mask-urls
svc address-pool "SSLVPN_OFFICE1"
svc default-domain "domain.internal"
svc keep-client-installed
svc split include 192.168.0.0 255.255.0.0
svc dns-server primary 192.168.53.33
svc dns-server secondary 192.168.53.35
virtual-template 3
default-group-policy WEBVPN_POLICY2
gateway WEBVPN_GW_OFFICE2
authentication certificate
ca trustpoint CA
inservice
here is the debug:
OfficeRouter1# PASSING appctx is [0x89FAFFCC]
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
offset: 0, domain: 0)
Nov 19 22:39:53.607: WV: http request: / with no cookie
Nov 19 22:39:53.607: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:39:53.607: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:39:53.607: WV: Trustpoint match successful
Nov 19 22:39:53.607: WV: Extracted username: pass: ?
Nov 19 22:39:53.607: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
BueroRouter1# PASSING appctx is [0x89FAEEC4]
Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
offset: 0, domain: 0)
Nov 19 22:40:24.132: WV: http request: / with no cookie
Nov 19 22:40:24.132: WV: validated_tp : CA cert_username : matched_ctx :
Nov 19 22:40:24.132: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:24.132: WV: Trustpoint match successful
Nov 19 22:40:24.132: WV: Extracted username: pass: ?
Nov 19 22:40:24.132: WV: Client side Chunk data written..
buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
offset: 0, domain: 0)
Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
Nov 19 22:40:39.892: WV: validated_tp : cert_username : matched_ctx :
Nov 19 22:40:39.892: WV: Received appinfo
validated_tp : CA, matched_ctx : ,cert_username :
Nov 19 22:40:39.892: WV: Trustpoint match successful
Nov 19 22:40:39.892: WV: Client side Chunk data written..
buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue eventhttp://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
HI,
Refer to
AnyConnect VPN Client FAQ
Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No. It is not possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that runs version 8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3. -
Cisco ACE - Firewall load balancing
I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffci going from the internal users to the internet and vice versa.
The problem is that when I try to manage the load-balanced firewalls (either using SSH (or) HTTPS) from outside, then that connection also gets load balanced and when I try to connect to FW1 then sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where i am using a virtual address per firewall to connect to the real IP address of the firewall.
Is there any other way of managing firewalls (which are defined as real-servers) in a FWLB setup.
Attached is the configuration of the external ACE which has the two firewalls defined as the real-servers.
access-list ALL line 8 extended permit ip any any
probe icmp ICMP-Probe
interval 15
passdetect interval 60
rserver host FW1-ASA
ip address 10.11.71.10
inservice
rserver host FW2
ip address 10.11.71.11
inservice
serverfarm host Firewalls
transparent
predictor leastconns
rserver FW1-ASA
inservice
rserver FW2
inservice
serverfarm host Firewalls-NO-LB
rserver FW1-ASA
inservice
serverfarm host Firewalls-NO-LB1
rserver FW2
inservice
sticky ip-netmask 255.255.255.255 address source new-sticky
timeout activeconns
serverfarm Firewalls
This is my workaround for connection to the IP address of the firewalls (for management)
class-map match-any FW-Real
2 match virtual-address 10.11.71.254 any
class-map match-any FW-Real2
2 match virtual-address 10.11.71.253 any
class-map type management match-any Remote-Access
201 match protocol telnet any
202 match protocol http any
203 match protocol https any
204 match protocol ssh any
205 match protocol snmp any
206 match protocol icmp any
class-map match-any fwlb
2 match virtual-address 0.0.0.0 0.0.0.0 any
policy-map type management first-match Remote-Management-Policy
class Remote-Access
permit
policy-map type loadbalance first-match FWLB-No-LB
class class-default
serverfarm Firewalls-NO-LB
policy-map type loadbalance first-match FWLB-No-LB1
class class-default
serverfarm Firewalls-NO-LB1
policy-map type loadbalance first-match FWLB-l7slb
class class-default
serverfarm Firewalls
policy-map multi-match Firewall-No-LB
class FW-Real
loadbalance vip inservice
loadbalance policy FWLB-No-LB
policy-map multi-match Firewall-No-LB1
class FW-Real2
loadbalance vip inservice
loadbalance policy FWLB-No-LB1
policy-map multi-match int70
class fwlb
loadbalance vip inservice
loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
service-policy input Firewall-No-LB1 --> connect to the real IP address of the firewall for management
service-policy input int70
no shutdown
interface vlan 71
description "Firewall side"
ip address 10.11.71.2 255.255.255.0
mac-sticky enable
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
no shutdownHello,
as i know, there is no others ways.
You can only reduce your configuration by puting all your class undert the same policy-map:
policy-map multi-match int70
class FW-Real
loadbalance vip inservice
loadbalance policy FWLB-No-LB
class FW-Real2
loadbalance vip inservice
loadbalance policy FWLB-No-LB1
class fwlb
loadbalance vip inservice
loadbalance policy FWLB-l7slb
interface vlan 70
description "Client side"
ip address 10.11.70.2 255.255.255.0
no icmp-guard
access-group input ALL
access-group output ALL
service-policy input Remote-Management-Policy
service-policy input int70
no shutdown -
ACE 4700 and Cisco ACS aaa authentication
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
<A.B.C.D> TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)#
Why am I getting this error? I have full
connectivity between the ACE and the ACS
server. Furthermore, the ACS server
works fine with other Cisco IOS devices.
Please help. Thanks.Thanks. Now I have another problem. I CAN
log into the ACE via tacacs+ account(s).
However, I get error when I try going into
configuration mode:
ACE-lab login: ngx1
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
ACE-lab/Admin# conf t
^
% invalid command detected at '^' marker.
ACE-lab/Admin#
The ngx1 account can access other Cisco
routers/switches just fine and can go into
enable mode just fine. Only issue on the ACE.
Any ideas? Thanks. -
With Ajay Kumar and Telmo Pereira
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuration and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Cisco expert Ajay Kumar and Telmo Pereira. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module: Helps ensure business continuity by increasing application availability Improves business productivity by accelerating application and server performance Reduces data center power, space, and cooling needs through a virtualized architecture Helps lower operational costs associated with application provisioning and scaling
Ajay Kumar is a customer support engineer in the Cisco Technical Assistance Center in Brussels, covering content delivery network technologies including Cisco Application Control Engine, Cisco Wide Area Application Services, Cisco Content Switching Module, Cisco Content Services Switches, and others. He has been with Cisco for more than four years, working with major customers to help resolve their issues related to content products. He holds DCASI and VCP certifications.
Telmo Pereira is a customer support engineer in the Cisco Technical Assistance Center in Brussels, where he covers all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), and Digital Media Suite. He has worked with multiple customers around the globe, helping them solve interesting and often highly complex issues. Pereira has worked in the networking field for more than 7 years. He holds a computer science degree as well as multiple certifications including CCNP, DCASI, DCUCI, and VCP
Remember to use the rating system to let Ajay know if you have received an adequate response.
Ajay and Telmo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum Application Networking shortly after the event.
This event lasts through July 26, 2013. Visit this forum often to view responses to your questions and the questions of other community members.Hello Krzysztof,
Another set of good/interesting questions posted. Thanks!
I will try to clarify your doubts.
In the output below both resources (proxy-connections and ssl-connections rate) are configured with a min percentage of resources (column Min), while 'Max' is set to equal to the min.
ACE/Context# show resource usage
Allocation
Resource Current Peak Min Max Denied
-- outputs omitted for brevity --
proxy-connections 0 16358 16358 16358 17872
ssl-connections rate 0 626 626 626 23204
Most columns are self explanatory, 'Current' is current usage, 'Peak' is the maximum value reached, and the most important counter to monitor 'Denied' represents the amount of packets denied/dropped due to exceeding the configured limits.
On the resources themselves, Proxy-connections is simply the amount of proxied connections, in other words all connections handled at layer 7 (SSL connections are proxied, as are any connections with layer 7 load balance policies, or inspection).
So in this particular case for the proxy-connections we see that Peak is equal to the Max allocated, and as we have denies we can conclude that you have surpassed the limits for this resource. We see there were 17872 connections dropped due to that.
ssl-connections rate should be read in the same manner, however all values for this resource are in bytes/s, except for Denied counter, that is simply the amount of packets that were dropped due to exceeding this resource.
For your particular tests you have allocated a min percentage and set max equal to min, this way you make sure that this context will not use any other additional resources.
If you had set the max to unlimited during resource allocation, ACE would be allowed to use additional resources on top of those guaranteed, if those resources were available.
This might sound a great idea, but resource planning on ACE should be done carefully to avoid any sort of oversubscription, specially if you have business critical contexts.
We have a good reference for ACE resource planning that contains also description of all resources (this will help to understand the output better):
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/virtualization/guide/config.html#wp1008224
1) When a resource is utilized to its maximum limit, the ACE denies additional requests made by any context for that resource. In other words, the action is to Drop. ACE should in theory silently drop (No RST is sent back to the client). So unless we changed something on the code, this is what you should see.
To give more context, seeing resets with SSL connections is not necessarily synonym of drops. As it is usual to see them during normal transactions.
For instance Microsoft servers are usually ungracefully terminating SSL connections with RESET. Also when there is renegotiation during an SSL transaction you may see RESETS, but this will pass unnoticed for end users.
2) ACE will simply drop/ignore new connections when we reach the maximum amount of proxied connections for that context. Exisiting connections will continue there.
As ACE doesn't respond back, client would simply retransmit, and if he is lucky maybe in the next attempt he will be able to establish the connection.
To overcome the denies, you will definitely have to increase the resource allocation. This of course, assuming you are not reaching any physical limit of the box.
As mentioned setting max as unlimited might work for you, assuming there are a lot of unused resources on the box.
3) If a new connection comes in with a sticky value, that matches the sticky entry of a real server, which is already in MAXCONNS state, then both the ACE module/appliance should reject the connection and that sticky entry would be removed.
The client would at that point reestablish a new connection and ACE would associate a new sticky entry with the flow for a new RSERVER after the loadbalancing decision.
I hope this makes things clearer! Uff...
Regards,
Telmo -
Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance failed
Hi,
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1). Please help.
tacacs-server key 7 "xxxxxxxxxxxxx"
aaa group server tacacs+ tac_admin
server xx.xx.xx.xx
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group tac_adminHi,
Since the ACS is receiving the request.
Could you please ensure that In ACE on every context (including Admin and other) you have following strings:
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ tac_admin
server x.x.x.x
aaa authentication login default group tac_admin local
aaa authentication login console group tac_admin local
aaa accounting default group x.x.x.x
On ACS side for group named "Network Administrators" you should configure in TACACS settting:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After loging to ACE and issuing sh users command you should see following
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you fee your query is resolved. Do rate helpful posts. -
Cisco ISE with TACACS+ and RADIUS both?
Hello,
I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
BobHello Robert,
I believe NO, they both won't work together as both TACACS and Radius are different technologies.
It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
For your reference, I am sharing the link for the difference between TACACS and Radius.
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
Moreover, Please review the information as well.
Compare TACACS+ and RADIUS
These sections compare several features of TACACS+ and RADIUS.
UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
TCP transport offers:
TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
TCP is more scalable and adapts to growing, as well as congested, networks.
Packet Encryption
RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
Multiprotocol Support
RADIUS does not support these protocols:
AppleTalk Remote Access (ARA) protocol
NetBIOS Frame Protocol Control protocol
Novell Asynchronous Services Interface (NASI)
X.25 PAD connection
TACACS+ offers multiprotocol support.
Router Management
RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
Interoperability
Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
Traffic
Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do). -
Integrate Cisco ACE into AAA TACACS+
Dear Community!
I would like to configure Cisco ACE 4710 CLI and WebAmin to use ACS v4.2 TACACS+ authentication and accounting feature. After found a Cisco document, which describes ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have setup all configuration parameters mentioned in this document, everything seems to be OK.
But...
I have a TACACS+ group named "Network Administrators", which has privilege level 15 option enabled, so admins do not have to type enable password when authenticating. After setting up ACE AAA, the prvilege level 15 option stops working, while logging in Cisco routers: after authentication, the user remains in privilege level 1.
Logging in Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS in a router, but no luck...
Does anybody have any experiance about this "bug"?
Thanks in advance!
Regards,
Belabacsi
@ Budapest, HungaryHello Bela
In ACE on every context (including Admin and other) you should have following strings:
tacacs-server host x.x.x.x key 7 "xxx"
tacacs-server host x.x.x.x key 7 "xxx"
aaa group server tacacs+ MYTACACS
server x.x.x.x
server x.x.x.x
aaa authentication login default group MYTACACS local
aaa authentication login console group MYTACACS local
aaa accounting default group x.x.x.x
On ACS side for group named "Network Administrators" you should configure in TACACS settting:
1. Shell (exec) enable
2. Privilege level 15
3. Custom attributes:
shell:Admin*Admin default-domain
if you have additional context add next line
shell:mycontext*Admin default-domain
After loging to ACE and issuing sh users command you should see following
User Context Line Login Time (Location) Role Domain(s)
*adm-x Admin pts/0 Sep 21 12:24 (x.x.x.x) Admin default-domain
Regards,
Stas -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by creating different aaa groups.
But still you will be loging in for telnet users (all of them) using one method.
I hope it is clear.
PK -
TCP SYNSEEN with load balancing Cisco ACE 4710
I have a Cisco ACE 4710 load balancing the traffic to two proxy servers, the configuration is the same since December 2012, but yesterday it stated to show SYNSEEN in the show conn command, and the hosts cannot browse. I think that means that the three-way-handshake is not complete.
If I bypass the ACE the hosts can browse without problems.
I have tested with another ACE appliance and the same configuration but the behaviour is the same.
I need help as soon as possible,
thanks,
I've attached the Show conn, show conn detail and show run.Hi Cesar,
Thank you for your answer,
The issue was solved,
We were running an A3 software version, it seems to have a Bug so it doesn't show the NAT commands in the "show run", so when we made the configuration backup we didn't noticed it.
The ACE reloaded because an electrical failure so it losted the NAT config.
We just upgraded to an A4 version and also added a NAT/PAT to enable the communication between the Clients and the Proxy.
Regards, -
Urgent!!! Cisco ACE and asymetric routing assistance needed
I am wondering if someone can give me pointers on the cisco ACE
and asymetric routes. I've attached the diagram:
-Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
-Firewall External interface is 192.168.15.1/24,
-Firewall Internal interface is 192.168.192.1/24,
-F5_BigIP External interface is 192.168.192.4/24,
-F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
-host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
-Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
pointing to the F5_BigIP,
-host_y is dual-home to both VLAN_A and VLAN_B with the default
gateway on host_y pointing to VLAN_A which is 192.168.196.1,
-host_x CAN ssh/telnet/http/https to both of host_y IP addresses
of 192.168.196.10 and 192.168.197.10.
In other words, from host_x, when I try to connect to host_y
via IP address of 192.168.197.10, the traffics will go through VLAN_B
but the return traffics will go through VLAN_A. Everything
is working perfectly for me so far.
Now customer just replaces the F5_BigIP with Cisco ACE. Now,
I could not get it to work with Asymetric route with Cisco ACE. In
other words, from host_x, I can no longer ssh or telnet to host_y
via IP address of 192.168.197.10.
Anyone knows how to get asymetric route to work on Cisco ACE?
Thanks in advance.That won't work because ACE uses the vlan id to distinguish between flows.
So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
You would need to force your host to respond on the same vlan the traffic came in.
This could be done with client nat on ACE using different nat pool.
Gilles.
Maybe you are looking for
-
Migration report to move BP and OneOrder texts to def. lang (Note 1155979)
Hello CRM Colleagues, with the procedure described in SAP Note 1155979 "Other users cannot display an entry in the text field" in SAP CRM 6.0 and higher you can define a default language in table COMC_TEXT_COMLNG that will be used for language-indepe
-
Alright, in detail, I haven't used Firefox for a while because my old version stopped working. Not sure what happened to it or why but, long story short, I ended up going back to IE(ugh) and never looked back. Sometime later, an update was installed
-
Export in Excel- always first row blank
hi, if i export in excel file always i am getting first row as blank with line. how can i eliminate this row.
-
Trying to connect a home computer using Outlook 2013 to my business Exchange server 2010.
I have a new Dell XPS with Outlook 2013 installed and the native email client installed. I was able to enter in my exchange 2010 credentials to the native email client and it worked. when I try to enter the credentials for Outlook 2013 I received an
-
Hi I have a 3 fields Quantity | Price | Total Price=Quantity*Price 2 | 3 | 6 3 | 4 | 12 I have another field A where i need the total of the 'Total Price'.....i.e 6+12=18 Quantity , Price and Total Price fields are in the child entity ......whereas t