TACACS configuration on WAAS

I am trying to configure TACACS on a WAAS device running 4.1.1c. I have configured the TACACS server to allow the user to log in with privilege level 7; the user is then required to enable the device and log in again to reach privilege level 15.
Whenever I log in and then enable the device, I get the following error:
Error: Wrong Admin Password. Try again...
I can get the user to log in straight to level 15, but this doesn't follow our security requirements.
Has anyone seen this before or experienced this issue?
Thanks
Matt

Matt,
The current TACACS implementation in WAAS supports command levels 0 and 15. Levels 1-14 are downgraded to 0.
Regards,
Zach

Similar Messages

  • LMS 3.2: Compliance Mngt: ASA tacacs configuration

    Hi there!
    I'm stuck (again *sigh*) with CiscoWorks compliance management.
    I would like to check our TACACS configuration (ASA):
    aaa-server TACACS+ (inside) host <server1>
    timeout 20
    key <key>
    aaa-server TACACS+ (inside) host <server2>
    timeout 20
    key <key>
    aaa-server TACACS+ (inside) host <server3>
    timeout 20
    key <key>
    I would like to know if there is a timeout and key statement for every tacacs server configured.
    How can this be done with compliance management?
    It seems to me that compliance management can't check for three occurrences of the same line (e.g. key or timeout)?
    If you have any ideas, please let me know.
    Thanks!
    Holger

    RME doesn't break out all of the sub-modes of the ASA.  Only interfaces are broken out into sub-modes.  To make sure the "inspect sqlnet" and "inspect esmtp" commands aren't in the config, you'd have to check in global mode.
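    The check Holger asks for can be scripted outside RME. The following is an added example for this thread, not CiscoWorks or RME code: it parses an ASA running-config and reports every `aaa-server ... host` stanza that lacks a `timeout` or `key` sub-command. The config it runs on is constructed to resemble the posted one, with the third server deliberately missing its key.

```python
"""Compliance check for ASA TACACS+ server stanzas.

Added example for this thread, not CiscoWorks/RME code: it parses an
ASA running-config and reports every 'aaa-server ... host' stanza that
lacks a 'timeout' or 'key' sub-command. SAMPLE_CONFIG is constructed
to resemble the posted config, with the third host missing its key.
"""
import re

SAMPLE_CONFIG = """\
hostname asa-lab
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.0.11
 timeout 20
 key *****
aaa-server TACACS+ (inside) host 10.0.0.12
 timeout 20
 key *****
aaa-server TACACS+ (inside) host 10.0.0.13
 timeout 20
aaa authentication ssh console TACACS+ LOCAL
"""

HOST_RE = re.compile(r"^aaa-server\s+(\S+)\s+\(([^)]+)\)\s+host\s+(\S+)")
REQUIRED = ("timeout", "key")


def parse_aaa_server_hosts(config):
    """Return one dict per 'aaa-server <group> (<iface>) host <addr>' stanza.

    Sub-mode lines are collected until the next top-level command. A line
    counts as sub-mode if it is indented (as in 'show run') or if its
    first word is one of the REQUIRED keywords, so a config pasted
    without indentation still parses.
    """
    hosts = []
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        m = HOST_RE.match(raw)
        if m:
            current = {"group": m.group(1), "iface": m.group(2),
                       "host": m.group(3), "sub": []}
            hosts.append(current)
            continue
        first = raw.split()[0]
        if current is not None and (raw[0].isspace() or first in REQUIRED):
            current["sub"].append(raw.strip())
        else:
            current = None  # back in global configuration mode
    return hosts


def check_compliance(config):
    """Map each non-compliant host address to the sub-commands it lacks."""
    findings = {}
    for h in parse_aaa_server_hosts(config):
        present = {line.split()[0] for line in h["sub"]}
        missing = [kw for kw in REQUIRED if kw not in present]
        if missing:
            findings[h["host"]] = missing
    return findings


if __name__ == "__main__":
    result = check_compliance(SAMPLE_CONFIG)
    if not result:
        print("all TACACS+ server stanzas carry timeout and key")
    for host, missing in result.items():
        print(f"{host}: missing {', '.join(missing)}")
```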

  • TACACS+ configuration for Cisco ASA

    I tried configuring TACACS+ for the ASA but was unable to complete it. I have ACS 3.3 for all other Cisco routers and switches.

    Leo,
    I was looking around and came across this post. It's very late; however, I wanted to add my input for other community members.
    RSA Token/One-Time-Password support is available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+ with ASDM 6.2+.
    If the firewall is running in multi-context and transparent mode, it won't work. Below is the enhancement request that was filed for the same feature to be supported.
    CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes
    With WLC it is not yet possible, and there is an enhancement request filed.
    CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Can someone help me with tacacs+ configuration on 881AP?

    I have TACACS+ configuration working for authentication against the CLI and web GUI. Everything is working as one would expect, with one exception: from the GUI, if I click on any of the links that take you to the security pages, I get prompted for authentication again. I enter my credentials and nothing happens; eventually I get an access denied. On the ACS server, the AP is in a device group that my account has priv 15 access to. Also on ACS, there are no failed attempts being logged for the activity. Has anyone seen this before? If so, I am willing to try anything. I even upgraded to the latest IOS image for this device with the same results.
    Help!!
    Thanks,
    Mark Case | CCNA, CCNAW

    Here are the relevant lines of code; on the http part of the configuration you see, if I change the ip http authentication to local it works fine authenticating against a local account and I can access all portions of the GUI fine. The group csacseT is defined in the configuration, as well as ACL 99. However, when I specify csacseT for ip http aaa login-authentication, I get the following message: "Warning: Authentication list "csacseT" is not defined for LOGIN"
    aaa group server tacacs+ csacseT
    server x.x.x.x
    server x.x.x.x
    aaa authentication login default group csacseT local-case
    aaa authentication login console local-case
    aaa authentication enable default group csacseT enable
    aaa authorization config-commands
    aaa authorization exec default group csacseT local
    aaa authorization reverse-access default group csacseT
    aaa accounting exec default start-stop group csacseT
    aaa accounting commands 15 default start-stop group csacseT
    aaa accounting connection default start-stop group csacseT
    aaa accounting system default start-stop group csacseT
    aaa session-id common
    no ip http server
    ip http access-class 99
    ip http authentication aaa login-authentication csacseT
    ip http secure-server
    I have opened a TAC case; the engineer is as puzzled as I am and is researching. As mentioned, the CLI authentication mechanism is working as expected.
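    The warning quoted above is a name-resolution problem: IOS looks the name up among `aaa authentication login` method lists. The following is an added example for this thread, not Cisco or TAC tooling: it resolves every list name referenced by `ip http authentication aaa login-authentication` or by `login authentication` under a line against the defined login lists, and every `group` method against the defined server groups. The sample config is constructed from the posted lines with placeholder server addresses.

```python
"""Resolve AAA method-list and server-group references in an IOS config.

Added example for this thread, not Cisco or TAC tooling. SAMPLE_CONFIG is
constructed from the lines in the post; the server addresses are
placeholders.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ csacseT
 server 192.0.2.10
 server 192.0.2.11
aaa authentication login default group csacseT local-case
aaa authentication login console local-case
aaa authentication enable default group csacseT enable
aaa authorization exec default group csacseT local
no ip http server
ip http access-class 99
ip http authentication aaa login-authentication csacseT
ip http secure-server
line con 0
 login authentication console
line vty 0 4
 login authentication default
"""

GROUP_DEF = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")
LOGIN_LIST_DEF = re.compile(r"^aaa authentication login (\S+) (.+)$")
HTTP_REF = re.compile(r"^ip http authentication aaa login-authentication (\S+)")
LINE_REF = re.compile(r"^\s+login authentication (\S+)")
BUILTIN_GROUPS = ("tacacs+", "radius")  # implicit groups IOS always knows


def audit_login_lists(config):
    """Return a list of human-readable findings; an empty list means clean."""
    groups = set()
    login_lists = {}   # list name -> method tokens
    refs = []          # (where referenced, list name)
    for line in config.splitlines():
        if m := GROUP_DEF.match(line):
            groups.add(m.group(1))
        elif m := LOGIN_LIST_DEF.match(line):
            login_lists[m.group(1)] = m.group(2).split()
        elif m := HTTP_REF.match(line):
            refs.append(("ip http authentication", m.group(1)))
        elif m := LINE_REF.match(line):
            refs.append(("line login authentication", m.group(1)))

    findings = []
    # Every 'group X' method inside a login list must name a defined group.
    for name, methods in login_lists.items():
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods):
                g = methods[i + 1]
                if g not in groups and g not in BUILTIN_GROUPS:
                    findings.append(
                        f"login list {name!r} uses undefined server group {g!r}")
    # Every reference must name a login list; a server-group name is not one.
    for where, name in refs:
        if name not in login_lists:
            hint = " (that name is a server group, not a login list)" \
                if name in groups else ""
            findings.append(
                f"{where} references undefined login list {name!r}{hint}")
    return findings


if __name__ == "__main__":
    for finding in audit_login_lists(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```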

  • Reg: Tacacs configuration

    Hi All,
    I'm trying to set up AAA authentication for around 300 routers through Cisco TACACS. I installed ACS 4.2 on a Windows 2003 server and put the following AAA commands in the router; the TACACS server host and key are configured on the trial router:
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login NO_AUTHEN none
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization exec NO_AUTHOR none
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 1 NO_AUTHOR none
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization commands 15 NO_AUTHOR none
    aaa authorization network serial none
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    aaa session-id common
    Then I created a user and set a secret key on the ACS server, and I added this router as an AAA client. The router stopped responding to the previous login name and password but was also not responding to the username defined in the ACS. Where am I making a mistake? Kindly help.
    Thanks.

    Hi Anu,
    On a Layer 3 device we should have the TACACS source interface defined, since there is more than one interface. To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode.
    The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:
    ip tacacs source-interface s2
    Usage Guidelines
    Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
    This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address. The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.
    If there is still any issue please share the debugs.
    Regards,
    ~JG
    Do rate helpful posts

  • After TACACS configured, Authenticate successfully but not able to go in config mode.

    Hi All,
    I have a Cisco 4710 ACE and have configured TACACS on the ACE for authentication and accounting. The configuration is pasted below.
    I am able to authenticate with the ACS server 5.1 but am not able to go into config mode on the ACE 4710.
    Debug output attached.
    Need help on this.
    tacacs-server key 7 "wwxfeootjv"
    tacacs-server timeout 60
    tacacs-server host 128.9.31.70 key 7 "wwxfeootjv"
    aaa group server tacacs+ TACACS_Group_Server
      server 128.9.31.70
    ntp server 128.9.24.58
    aaa authentication login default group TACACS_Group_Server
    aaa accounting default group TACACS_Group_Server
    Below are the logs appearing on the device.
    Regards
    MS.

    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html#wp1411787
    To configure the TACACS+ role and domain settings on Cisco Secure ACS, perform the following steps:
    Step 1 Go to the Interface Configuration section of the Cisco Secure ACS HTML interface and access the TACACS+ (Cisco IOS) page. Perform the following actions:
    a. Under the TACACS+ Services section of the page, in the User column or the Group column depending on your configuration, check the Shell (exec) check box.
    b. Under the Advanced Configuration Options section of the page, check the Display a window for each service selected in which you can enter customized TACACS+ attributes check box.
    c. Click Submit.
    Step 2 Go to the Advanced Options page of the Interface Configuration section of the Cisco Secure ACS HTML interface. Perform the following actions:
    a. Check the Per-user TACACS+/RADIUS Attributes check box.
    b. Click Submit.
    Step 3 Go to the User Setup section of the Cisco Secure ACS HTML interface and double-click the name of an existing user that you want to define a user profile attribute for virtualization. The User Setup page appears.
    Step 4 Under the TACACS+ Settings section of the page, configure the following settings:
    • Check the Shell (exec) check box.
    • Check the Custom attributes check box.
    • In the text box under the Custom attributes, enter the user role and associated domain for a specific context in the following format:
    shell:= ...
    For example, to assign the selected user to the C1 context with the role ROLE1 and the domain DOMAIN1, enter shell:C1=ROLE1 DOMAIN1.
    You can also substitute an asterisk (*) for the equals sign (=) as follows:
    shell:* ...
    Use the above shell string if you are also using Cisco IOS command authorization.
    Step 5 Under the Checking This option Will PERMIT all UNKNOWN Services section of the page, check the Default (Undefined) Services check box to permit unknown services.
    Step 6 Click Submit when you finish configuring the TACACS+ role and domain settings.
    For example, if USER1 is assigned the role ADMIN and the domain MYDOMAIN1 (where shell:Admin=ADMIN MYDOMAIN1), then one of the following can occur:
    • If USER1 logs in through the Admin context, that user is automatically assigned the Admin role and the MyDomain1 domain.
    • If USER1 logs in through a different context, that user is automatically assigned the default role (Network-Monitor) and the default domain (default-domain). In this case, the user profile attribute is not obtained from the TACACS+ server during authentication.
    Gilles.

  • WAAS Authentication using TACACS+

    Hi,
    I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
    After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permission to change the config, but it is level 15 in TACACS (I use it to change config on switches and routers).
    I don't know if I am missing a step to configure this feature, either on the WAAS or on the ACS.
    Thanks,

    TACACS really only provides a single "A": Authentication.
    Are you allowed or not...
    In order to provide Authorization, you still need to create the account in CM and provide a role and domain in the user config.
    Leave the Local user check box "unchecked" if you plan to use TACACS to authenticate.
    I'm sure there is a way to provide authorization through complex custom attributes, but it achieves the same goal via CM once authenticated.

  • CMS gets hang when configure TACACS

    Hi
    I have a stack of 2950 switches. I have configured TACACS for login security. But I am facing a problem when I open the CMS web interface: I successfully get authenticated, but it hangs when the "Discovering network information" dialog box comes up. If you close that session and reopen it again, CMS works fine. The problem occurs when I configure a Network Access Restriction group device for a specific user; then it halts at Discovering Network information. I am using Cisco ACS 3.0. My switch config follows.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    The only problem is the CMS application hanging with the TACACS configuration. My IOS version is 12.1(14)EA1A. Please help, it's very urgent.

    I could not find any bugs related to the issue you are describing. There was one problem where the username/password prompt was appearing again and again which had to do with misconfigurations. Do let me know if you find a solution.

  • WAAS Port Channel Configuration

    In recent weeks we got some reports that CIFS write performance to a NETAPP OnTap 7.3 filer was degraded for WAAS-accelerated connections. NETAPP OnTAP 7.2 and native Microsoft filers were running fine. In our test lab we could correlate this issue with the port channel setup on our WAAS devices. With round robin (the default setting) the CIFS write performance was poor. By switching the port channel load balancing to src-dst-ip-port, the performance was excellent.
    Is there any known best practices recommendation for port channel configuration on WAAS  devices?
    Many thanks in advance, Peter.

    The best practice depends on your network. Most deployments are fine with the default round robin configuration for port channel on the WAE. But I have encountered some installations where the configuration had to be changed in order to avoid out of order packets causing slow performance (like, if there is a firewall between the WAE and the server).
    Sent from Cisco Technical Support iPhone App

  • Issue with logging to the device after wrongly configured TACACS

    Hello All,
    We are unable to log in to the device after we wrongly configured AAA on a Cisco 881 router, and unfortunately we have saved the configuration.
    Can you please help us either remove the TACACS configuration or reset the password without erasing the configuration?
    Thanks a lot in advance for your help.
    Regards,
    Thiyagu

    Look for password recovery. Not difficult if you have console access.
    Sent from Cisco Technical Support iPad App

  • TACACS enable password is not working after completing ACS & MS AD integration

    The enable password for routers and switches works fine if the identity source is "Internal Users". Unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I get the following result:
    1. Able to access the network device (Cisco switch) using the MS AD username and password via SSH/Telnet.
    2. The enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

    Hi Edward,
    I created a new shell profile named "root", as the default one "Permit Access" can't be accessed or modified. Below are the steps I've taken.
    1. Create a new shell profile name "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles"

  • Best practice with WCCP flows for WAAS

    Hi,
    I have a WAAS SRE 910 module in a 2911 router that intercepts packets from this router with WCCP.
    All packets are received by external interface (gi 2/0, connected to a switch with port configured in WCCP vlan), and are sent back to the router via internal interface (gi 1/0 directly connected to the router) :
    WAAS# sh interface gi 1/0
    Internet Address                    : 10.0.1.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 20631
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 239 bits/sec, 0 packets/sec
    Output Throughput                   : 3270892 bits/sec, 592 packets/sec
    Packets Sent                        : 110062
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 1000 Mbps
    WAAS# sh interface gi 2/0
    Internet Address                    : 10.0.2.1
    Netmask                             : 255.255.255.0
    Admin State                         : Up
    Operation State                     : Running
    Maximum Transfer Unit Size          : 1500
    Input Errors                        : 0
    Input Packets Dropped               : 0
    Packets Received                    : 86558
    Output Errors                       : 0
    Output Packets Dropped              : 0
    Load Interval                       : 30
    Input Throughput                    : 2519130 bits/sec, 579 packets/sec
    Output Throughput                   : 3431 bits/sec, 2 packets/sec
    Packets Sent                        : 1580
    Auto-negotiation                    : On
    Full Duplex                         : Yes
    Speed                               : 100 Mbps
    The default route configured in WAAS module is 0.0.0.0/0 to 10.0.1.254 (router interface).
    Would it be better that packets leave WAAS module by the external interface (in place of the internal interface) ?
    Is there a best practice recommended by Cisco on this ?
    Thanks.
    Stéphane

    Hi Stephane,
    We usually advise the following in such a scenario with an internal module:
    "ip wccp 61 redirect in" the LAN interface.
    "ip wccp 61 redirect in" on the WAN one.
    "ip wccp redirect exclude in" on the internal interface between the WAAS and the router.
    That way, we are sure that no loops are created because of the WCCP redirection.
    Regards,
    Nicolas

  • Tacacs+ Config Issues

    3750, IOS 15.0(2)SE4, TACACS: when issuing tacacs-server host X.X.X.X I receive "the cli will be deprecated soon". Please advise.

    The syntax of the AAA commands for both RADIUS and TACACS+ is being changed in the newer code. Take a look at this link for some examples:
    http://slaptijack.com/networking/new-style-tacacs-configuration/
    Hope this helps!
    Thank you for rating helpful posts! 

  • Prime Infrastructure 2.x tacacs+ with radiator

    Trying to set up Prime Infrastructure 2.x (2.2) to use TACACS+. The TACACS+ service is running on a Linux server running Radiator (4.12). With RADIUS and Radiator, all we needed to do was define the user group and all the tasks associated with that group were inherited.
    When configuring the TACACS+ configuration files, I have tried various permutations of adding the cisco-avpair (cisco-av-pair) reply attributes on authentication and/or authorization. Whether defining the group or using the individual tasks, I get the following error message:
    "no authorization information found for remote authentication user. please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server"
    <ServerTACACSPLUS>
        Key SECRET
        Port 49
        GroupMemberAttr OSC-Authorize-Group
        # General Authorization rule format:
        AuthorizeGroup core-group permit protocol=HTTP service=NCS {cisco-av-pair="virtual-domain0=ROOT-DOMAIN" cisco-av-pair="role0=Super Users" }
    </ServerTACACSPLUS>

    It's not yet supported. Cisco doesn't generally publish roadmaps publicly for future support. The best you can do via public sources is to continue to watch the Supported Devices lists for updates.
    As of right now, here is a list of the current data center switches supported (in PI 2.1):
    Cisco Nexus 6004 Switch
    Cisco Nexus 5596T Switch
    Cisco Nexus 5010 Switch
    Cisco Nexus 5020 Switch
    Cisco Nexus 5020T Switch
    Cisco Nexus 7000 10-Slot Switch
    Cisco Nexus 7000 18-Slot Switch
    Cisco Nexus 1000V Series Switches
    Cisco Nexus 1010 Virtual Services Appliance
    Cisco Nexus 4001I Switch Module for IBM BladeCenter
    Cisco Nexus 4005I Switch Module for IBM BladeCenter
    Cisco Nexus 5548P Switch
    Cisco Nexus 5548UP Switch
    Cisco Nexus 5596UP Switch
    Cisco Nexus 3064 Switch
    Cisco Nexus 3048 Switch
    Cisco Nexus 3016 Switch
    Cisco Nexus 7000 9-Slot Switch
    Cisco Nexus 9500 Switch
    Cisco Nexus 3548 Switch

  • Cisco Prime Infrastructure 1.3 Tacacs+ authorization problem

    Hello,
    We are having trouble setting our new installation of Cisco PI 1.3 to work with Tacacs+ configured on ACS 4.2.
    We have followed the procedure explained in the Cisco PI 1.3 configuration guide, and in the TACACS+ logs we can see that authentication is successful but authorization is unsuccessful:
    21/05/2013,16:36:44,Authen OK,pradoicic,admins,192.168.187.109,,192.168.187.109,wifi-prime-p-vm01,AP,ACS1AERO,1,,,192.168.187.109,No Filters activated.,,,No,
    21/05/2013,16:36:44,Author failed,pradoicic,admins,192.168.187.109,,Service denied,protocol=HTTP service=NCS,NCS HTTP,192.168.187.109,wifi-prime-p-vm01,AP
    We have added the user group into ACS as explained in the configuration guide, and we have also tried to add the virtual domain at the beginning or at the end of the list, but that didn't solve our problem.
    Is there anything that we can do in order to make Cisco PI authenticate users using TACACS+?
    Any help in finding solution for this problem will be very appreciated.
    Regards,
    Jelena

    Hi,
    On the Cisco PI side we have:
    1. Added Tacacs+ server under Administration > AAA > TACACS+
        We have entered all required parameters
    2. Enabled AAA TACACS+ mode under Administration > AAA > AAA Mode, and we have chosen the "on auth failure or no server response" option.
    On the ACS side:
    1. Under Network Configuration > New Entry we have added Cisco PI
    2.  Under Interface Configuration >TACACS+ (Cisco IOS) > New Services >
    we have added Prime and HTTP (we have checked the box in front of these services).
    3. Under Group Setup > Edit Settings > prime HTTP service, we have added the custom attributes that we copied from the Cisco PI Admin group. We have also exported the virtual domain information from Prime and imported it at the beginning of the custom attributes; we have also tried placing that virtual domain information at the end, but we get the same behavior.
    For some reason ACS doesn't know how to return authorization information.
    Regards,
    Jelena
