Using Cisco TACACS for CSS11501
I currently have an 11501 series CSS and am trying to have authentication use our ACS appliance. I added the config listed below but when running a "show tacacs-server" both servers are listed as dead. I am able to ping both of the ACS servers without issue.
The following is the configuration I have added to the CSS:
virtual authentication primary tacacs
tacacs-server authorize config
tacacs-server authorize non-config
tacacs-server account non-config
tacacs-server account config
tacacs-server 10.10.75.9 49 primary frequency 10
tacacs-server key ****
ip management route 10.10.75.0 255.255.255.192 10.10.253.1
Any help would be greatly appreciated.
Thanks,
-Dennis
Lists the external user databases that CiscoSecure ACS uses to authenticate an unknown user (if the Check the following external user databases option is selected). CiscoSecure ACS attempts authentication using the selected databases one at a time in the order specified.
Users whose accounts were created in the CiscoSecure ACS database when CiscoSecure ACS successfully authenticated them using the Unknown User Policy. When CiscoSecure ACS creates a discovered user, the user account contains only the username, a Password Authentication list setting that reflects the external user database that authenticated the user, and a "Group to which the user is assigned" list setting of Mapped By External Authenticator, which enables group mapping. Using the CiscoSecure ACS HTML interface, you can further configure the user account as needed. For example, after a discovered user is created in CiscoSecure ACS, you can assign user-specific network access restrictions to the discovered user.
http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_user_guide_chapter09186a0080204cf8.html
Similar Messages
-
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, David

Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.
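To make the reply's two conditions concrete (a sound RADIUS client and an authentication method the server supports), here is an added example, not code from this thread or from any PAM module: a small Python model of the RFC 2865 exchange between a NAS (here the PAM RADIUS client on the Solaris box) and a server such as ACS. It builds an Access-Request for PAP (User-Password hidden with the shared secret and the Request Authenticator) and for CHAP (challenge/response, no secret involved in the proof), a server that checks both against a constructed user table, and the Response Authenticator check a client must do on the reply. The usernames, passwords, shared secret and NAS address are constructed for the example.

```python
"""RFC 2865 RADIUS model: PAP password hiding, CHAP response, Response Authenticator.
Names, secret, addresses and user table used with it are constructed for this example."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, CHAP_CHALLENGE = 1, 2, 3, 4, 60


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}).
    The password is NUL-padded to a multiple of 16 octets (minimum 16)."""
    p = password.encode()
    if len(p) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    p = p.ljust(max(16, (len(p) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(p), 16):
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side of hide_password(). Returns bytes: with the wrong secret the
    result is garbage, which the server can only report as a bad password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(t, value):
    """One attribute TLV: type, total length (including these 2 octets), value."""
    return bytes([t, 2 + len(value)]) + value


def parse_attrs(data):
    """Walk the TLVs; every length must be >= 2 and fit inside the packet."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out


def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def access_request_pap(user, password, secret, nas_ip, ident, ra):
    """NAS side, PAP. ra is the 16-octet Request Authenticator the NAS chose at random."""
    attrs = (attr(USER_NAME, user.encode()) +
             attr(USER_PASSWORD, hide_password(password, secret, ra)) +
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, ra, attrs)


def chap_response(chap_id, password, challenge):
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()


def access_request_chap(user, password, chap_id, challenge, nas_ip, ident, ra):
    """NAS side, CHAP: the password never leaves the NAS and the secret is not used."""
    attrs = (attr(USER_NAME, user.encode()) +
             attr(CHAP_PASSWORD, bytes([chap_id]) + chap_response(chap_id, password, challenge)) +
             attr(CHAP_CHALLENGE, challenge) +
             attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return _packet(ACCESS_REQUEST, ident, ra, attrs)


def response_authenticator(code, ident, attrs, ra, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + ra + attrs + secret).digest()


def server_handle(request, secret, users):
    """Server side: validate the request, check PAP or CHAP against `users`
    (a constructed {username: cleartext password} table), answer Accept or Reject."""
    code, ident, length = struct.unpack_from("!BBH", request)
    if code != ACCESS_REQUEST or length != len(request) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra, a = request[4:20], dict(parse_attrs(request[20:]))
    user, ok = a.get(USER_NAME, b"").decode("utf-8", "replace"), False
    if user in users:
        if USER_PASSWORD in a:
            ok = hmac.compare_digest(reveal_password(a[USER_PASSWORD], secret, ra), users[user].encode())
        elif CHAP_PASSWORD in a and len(a[CHAP_PASSWORD]) == 17:
            cid, resp = a[CHAP_PASSWORD][0], a[CHAP_PASSWORD][1:]
            ok = hmac.compare_digest(chap_response(cid, users[user], a.get(CHAP_CHALLENGE, ra)), resp)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, b"", ra, secret), b"")


def verify_response(response, ra, secret):
    """NAS side: drop any reply whose Response Authenticator does not verify;
    without this check anyone on the path could forge an Access-Accept."""
    code, ident, length = struct.unpack_from("!BBH", response)
    if length != len(response) or length < 20:
        return False
    expected = response_authenticator(code, ident, response[20:], ra, secret)
    return hmac.compare_digest(expected, response[4:20])
```

Two things the model makes visible: a NAS configured with the wrong shared secret produces a PAP request that the server simply sees as a bad password (an Access-Reject, not a key error, so check the secret before blaming the password), and a reply whose Response Authenticator does not verify has to be discarded by the client, since the Accept/Reject code itself is unauthenticated.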
-
Out of interest... What do you use Cisco VPN for?
Is it more secure than Activesync for example?
Thanks in advance.
(ps. We run VPNs. Just not sure what the value is for an iPhone)

Our employees use VPN to access internal company web sites and our financial system from their iPhones. We also have network administrators performing support functions via remote desktop, VNC and other connections.
ActiveSync, when used with the SSL function enabled, is secure enough for us and we allow access outward facing to the Internet without the need for VPN (we also allow access while connected via VPN). -
Use Cisco CUCM for outbound "call me at" feature on Lync meetings
I'm trying to find a step-by-step guide to enable users (non-Enterprise Voice users) to use the "dial me at" feature in Lync conference meetings. I only want the user to have the ability to tell Lync to dial a number to place that number into the conference call; the feature is easy to enable, but I can't get the routing right between CUCM and Lync. I've looked all around the net, but I can't seem to find anything that matches what I'm trying to do; other docs cover Enterprise Voice, and that's out of my scope. Any assistance here would be nice. Thanks

Hi,
In Lync Server 2010, the “call me at” function is not supported for non-Enterprise Voice users.
However, Lync Server 2013 now allows participants that are not Enterprise Voice enabled to initiate dial-out calls from a meeting conference, called “Dial-out Conferencing for non-Enterprise Voice users”.
This can be configured by setting the Conferencing policy to allow this feature (Set-CSConferencingPolicy –AllowNonEnterpriseVoiceUsersToDialOut:$true). After enabling this, then assign a voice policy to the users who need the function.
Best Regards,
Eason Huang
TechNet Community Support -
How-to use Cisco DCNM for SAN to manage storage fabric
I recently purchased DCNM for SAN (and LAN), have installed and licensed it. The software is up and running, and I have installed the necessary features & licenses to each of my Nexus 5596UP devices. Unfortunately, I'm not able to make any changes to the fabric from the DCNM SAN client. Am I missing some steps here? Do I need to have fiber connections in place from end points, and the SAN, in order to see/manage the fabric?
Thanks in advance!

Did you do a fabric discovery? Have you set up the proper accounts on the N5k?
see
http://www.cisco.com/c/en/us/td/docs/switches/datacenter/mds9000/sw/5_2/configuration/guides/fund/DCNM-SAN-LAN_5_2/DCNM_Fundamentals/fmaaa.html -
Call/video not working between Cisco jabber for Windows and VCS control C40s
Hello,
I've been struggling, with no luck, to make a call using Cisco Jabber for Windows 9.6.0 registered to CM 8.6.2, with an intercluster trunk (ICT) to another CM 8.6.2 where we have a VCS Control 7.0.2 via GK H.225, and all C40s are registered as H.323.
The VCS has interworking between H.323 and SIP; however, I'm not sure if there is any problem with that. Assuming it is OK, I'm not sure either whether I'm facing an interoperability issue, because in my remote site I have C40s (H.323 registered at the VCS and SIP listening mode) and Cisco Jabber for Windows, which is SIP based.
If it is not possible, would I be able to change my C40s from H.323 to SIP at the VCS, or have both H.323/SIP registered at the VCS? If so, will I need to change as well, and instead of the GK establish a SIP trunk between the CM and the VCS?
Another thing: I do not believe I would be able to have one VCS connected with two clusters, right?
I'm just trying to find a solution in case my current topology is not compatible, but feel free to share any better idea to make it work.
Anyway, here is what is happening:
When I make a call from my Cisco Jabber for Windows to a C40 using the alias number, the call is redirected just fine to the C40 and it rings; however, when someone or auto answer picks it up, the call drops right away.
However, if I enable the MTP in my CSF device, the call lasts longer before dropping. I was even able to see my Jabber "start video" turn green; before, it was grayed out all the time and the call dropped faster. I hear a fast busy tone.
I'm able to provide SDI traces, logs, and diagnostic SIP/H.323 call logs from the VCS in order to know for sure whether this is an incompatibility issue or something I can work around.
Let me know if any of you are interested in reading these logs or could point me in the right direction.
Thanks!

Ok, I have looked at both logs. I have to mention though that you didn't provide the log that shows the H.323 setup between CUCM and the VCS. This is most likely because the call originated from a different CUCM than the ones you provided the logs from.
The call would have originated from the first CUCM in the CUCM group of this trunk: Name=RL_TRUNK_VIDEO
The CUCM IP will be: 10.252.53.10.
This is the VCS log that confirms where the H.323 request originated from:
Apr 10 22:50:29 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:29,187" Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-port="54000"
Received RAS PDU:
Having said that, here is my analysis of the logs that you sent.
Jabber sent an INVITE to CUCM and advertised all the codecs (audio and video) it can support.
Observe that Jabber says it doesn't support G729 annexB:
21:55:16.576 |//SIP/SIPTcp/wait_SdlReadRsp: Incoming SIP TCP message from 10.223.20.73 on port 54677 index 90661 with 2220 bytes:
[862370,NET]
INVITE sip:[email protected];user=phone SIP/2.0
Via: SIP/2.0/TCP 10.223.20.73:54677;branch=z9hG4bK000029d3
From: "4122107" <sip:[email protected]>;tag=00059a3c78000011000070b0-00000e65
To: <sip:[email protected]>
Call-ID: [email protected]
Max-Forwards: 70
Date: Fri, 11 Apr 2014 01:55:16 GMT
CSeq: 101 INVITE
User-Agent: Cisco-CSF/9.4.1
m=audio 19252 RTP/AVP 0 8 18 105 104 101
c=IN IP4 10.223.20.73
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:105 G7221/16000
a=fmtp:105 bitrate=24000
a=rtpmap:104 G7221/16000
a=fmtp:104 bitrate=32000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
m=video 28878 RTP/AVP 97
c=IN IP4 10.223.20.73
++++ Now let's observe the capabilities exchange during H.245 negotiation between CUCM and VCS ++++
Here CUCM advertises its caps to the VCS (after receiving caps from the VCS). Note that G729A, G729AB and G729 are all advertised:
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,017" Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage ::= request : terminalCapabilitySet
  capabilityTableEntryNumber 2, capability receiveAudioCapability : g729wAnnexB : 6
  capabilityTableEntryNumber 3, capability receiveAudioCapability : g729AnnexAwAnnexB : 6
  capabilityTableEntryNumber 4, capability receiveAudioCapability : g729 : 6
  capabilityTableEntryNumber 5, capability receiveAudioCapability : g729AnnexA : 6
++++ After doing MSD (master slave determination), we move to the OLC phase. Here we see that the far end (the C40) wants to use G729AB for media ++++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,783" Module="network.h323" Level="DEBUG": Src-ip="10.224.114.11" Src-port="11163"
Received H.245 PDU:
value MultimediaSystemControlMessage ::= request : openLogicalChannel :
  forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
    dataType audioData : g729AnnexAwAnnexB : 20,
    multiplexParameters h2250LogicalChannelParameters :
+++ Next the VCS sends G729AB as the codec to use to CUCM +++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,784" Module="network.h323" Level="DEBUG": Dst-ip="10.252.53.10" Dst-port="45660"
Sending H.245 PDU:
value MultimediaSystemControlMessage ::= request : openLogicalChannel :
  forwardLogicalChannelNumber 1,
  forwardLogicalChannelParameters
    dataType audioData : g729AnnexAwAnnexB : 20,
    multiplexParameters h2250LogicalChannelParameters :
++++ The next thing we get is an OLC reject from CUCM, and this is where the call drops ++++
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790" Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-port="45660"
Received H.245 PDU:
value MultimediaSystemControlMessage ::= response : openLogicalChannelReject :
  forwardLogicalChannelNumber 1,
  cause dataTypeNotSupported : NULL
Apr 10 22:50:31 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:31,790" Module="network.h323" Level="INFO": Dst-ip="10.224.114.11" Dst-port="11163"
Detail="Sending H.245 OpenLogicalChannelRejResponse
++++ We then receive a call release from CUCM with cause code 47: resource unavailable ++++
Apr 10 22:50:32 TWELDVCS01 tvcs: UTCTime="2014-04-11 01:50:32,365" Module="network.h323" Level="DEBUG": Src-ip="10.252.53.10" Src-port="50913"
Received H.225 PDU:
Q931
  Message Type: Release Complete
  Call reference flag: Message sent from originating side
  Call reference value: 0x7b
  Info Element : Cause
    Location: Usr
    Cause Value: Resource unavailable
  Info Element : User User
    Length = 22
Suggestions:
Change the region setting between the ICT trunk to the VCS and Jabber to use G711 and test again. -
How can ftp service on non-standard port be load balanced using Cisco ACE.
How can ftp service on a non-standard port be load balanced using Cisco ACE? For example, ftp service is required on TCP port 2000.
Hi Samarjit,
You can do this by specifying the port number in the class map that you create. Please find the below-mentioned config guide, where you can specify the TCP/UDP port, a range of ports, or even a wildcard to match the port.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/administration/guide/mapolcy.html#wp1318826
Regards
Abijith -
Configuration of Cisco 2911 for Asterisk
Hi all
I use a Cisco 2911 for my Asterisk phone system to communicate with the outside.
However, sometimes I can make calls in and out; sometimes just in or out; sometimes I cannot make any call.
I think it is a NAT, PAT and ACL problem in the Cisco 2911. This Cisco is also the internet gateway for users.
Any advice please.
Thanks a lot
Here is the configuration:
Router#show run
Building configuration...
Current configuration : 1981 bytes
!
! Last configuration change at 20:06:06 UTC Thu Nov 14 2013
! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
no aaa new-model
memory-size iomem 20
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
license udi pid CISCO2911/K9 sn FTX1603AH9C
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 description internal-LAN
 ip address 172.x.x.x 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 11
 ip address 172.16.x.x 255.255.240.0
!
interface GigabitEthernet0/2
 description internet
 ip address 50.240.x.x 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
! PAT of everything matched by ACL 100 behind the internet interface
ip nat inside source list 100 interface GigabitEthernet0/2 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
ip route 172.16.240.0 255.255.254.0 172.10.x.x
!
! ACL 100 only selects which traffic gets translated; it is not applied to an
! interface, so it does not filter anything.
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.240.0 0.0.0.255 any
access-list 100 permit udp any any range 5004 5090
access-list 100 permit udp any any range 10000 20000
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
! vty: "login" with no line password and no aaa new-model, so remote logins
! are refused ("Password required, but none set")
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

There are some VSPs that do the NAT. If your VSP (like mine) does the NAT, then you need to globally disable NAT in your Asterisk.
My VSP also recommends I disable ALG on my router.
So you need to ask your VSP. -
Privilege mode authentication using Tacacs for Cisco Routers
I am trying to set up a test environment where I need to be asked for both a username and a password when entering enable mode from exec mode on a Cisco IOS router. I was told the only way to do that is through TACACS. But I've not seen any such configuration options in TACACS to set it up right. Has anyone ever done a setup like this before? I would appreciate any help on this. Thanks.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 2621-3
!
boot-start-marker
boot system flash c2600-i-mz.123-26.bin
boot-end-marker
!
logging buffered 5001 debugging
no logging console
no logging monitor
enable password cisco
!
memory-size iomem 10
clock timezone CST -7
clock summer-time CST recurring
!
! Login stays local; only the enable prompt goes to TACACS+, with no fallback
! method if every TACACS+ server is unreachable. Exec authorization tries
! TACACS+ first, then local.
aaa new-model
aaa authentication login default local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local
aaa session-id common
!
ip subnet-zero
ip cef
no ip domain lookup
ip domain name int.voyence.com
ip name-server 192.168.21.5
!
!key chain jetef
 key 10
  key-string c1sco
!
modemcap entry ZOOM
!
username jeff password 0 jeff
!
! The per-host key on the first server overrides the global "tacacs-server key".
tacacs-server host 192.168.21.230 key cisco
tacacs-server host 10.6.230.32
tacacs-server directed-request
tacacs-server key dakey
!
line con 0
 exec-timeout 15 0
 logging synchronous
 speed 115200
line aux 0
 exec-timeout 15 0
 password 7 104D000A0618
 logging synchronous
 modem InOut
 modem autoconfigure discovery
 terminal-type monitor
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 exec-timeout 15 0
 password cisco
 private
 logging synchronous -
Cisco tacacs 5.4 for centos machines
Hello Everyone,
I am a newbie.
I have cisco TACACS 5.4 server installed.
I have few centos machines on my network and I want to use TACACS server to authenticate credentials for centos machines.
There are two types of users on my machines
1) admin
2) operator
Can you please guide me to the tutorial which can help me with authenticating credentials for non cisco products?
Thanks

Hello Sachin,
Since you asked for a tutorial on authenticating with ACS 5.4, please go through the following link:
http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/admin_config.html -
Aaa authentication using tacacs+ for LAP
With an Autonomous AP, you can configure AAA authentication using TACACS+.
In a lightweight AP, do you have a similar function where you authenticate using TACACS+ when you telnet/ssh into the LAP after it is registered to the WLC?
Rgds
Eng Wee

There really isn't anything you can do on the LAP through telnet/ssh. You can enable TACACS for access to the controller.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml -
Good day,
Has anyone experienced this before? I am using Cisco ACS 5.2. I have a very simple word (no, not cisco ) for my tacacs-server key. I've used the same key within the ACS and on two other Cisco switches, and AAA is working fine between the two switches; however, in setting up the key via the ACS and on a third Cisco switch and using PuTTY, I'm getting the error of "Access Denied. Using keyboard-interactive authentication."
I've re-entered the simple tacacs key multiple times within the ACS and on the switch making sure to not fat finger or misspell it.
I don't think there is a problem with the AAA setup I have within the switches as all of the AAA configs are the same on every switch we have.
Any other possible ideas anyone can suggest?
Cliffs:
-tacacs-server key is a simple key and is the same for every switch and within ACS
-AAA config is the same on every switch, so I do not believe it to be a AAA config issue
-Running config on switch that is not working is pretty much the same as the other two working switches
Any advice is greatly appreciated.
Thanks,
Y

Hi, and thank you for your reply; however, when I go into the Authentication logs, I see nothing, as if it's not even logging the failed attempts.
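This thread and the two earlier TACACS+ ones (the CSS11501 whose servers show as dead, and the router using aaa authentication enable default group tacacs+) all come down to what the shared key does on the wire. The following Python is an added example, not code from any of the posts or from Cisco: it builds a TACACS+ (RFC 8907) authentication START packet, applies the key-derived MD5 pseudo-pad that the RFC calls obfuscation, and parses it back the way a server would. The 12-byte header is sent in the clear, so a receiver with the wrong key sees a well-formed header and a body whose field lengths do not add up. The usernames, addresses, session id and key are constructed for the example; what a particular server (ACS included) logs when this happens is product-specific and not modelled here.

```python
"""TACACS+ (RFC 8907) packet builder/parser showing the shared-key obfuscation
and what a key mismatch looks like to the receiver. Names, addresses, session id
and key used with it are constructed for this example."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 12, minor version 0 (default)
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_PORT = 49                 # TCP/49, the port the CSS config above names explicitly

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad_1 = MD5(session_id + key + version + seq_no),
    pad_n = MD5(session_id + key + version + seq_no + pad_{n-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1, service=TAC_PLUS_AUTHEN_SVC_LOGIN):
    """Authentication START. For an enable request the NAS sets service=ENABLE
    and priv_lvl to the level being requested; the password follows in a CONTINUE."""
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(u), len(p), len(r), len(data)) + u + p + r + data


def build_packet(body, key, session_id, seq_no=1, ptype=TAC_PLUS_AUTHEN):
    """Cleartext header followed by the obfuscated body."""
    hdr = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side. The header always parses; the body only makes sense with the
    right key. Raises ValueError when the decoded field lengths do not add up."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or length < 8:
        raise ValueError("short or truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack_from("!8B", body)
    if 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("field lengths do not match packet length (wrong key?)")
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    try:
        user, port, rem_addr = (f.decode("ascii") for f in fields[:3])
    except UnicodeDecodeError:
        raise ValueError("non-ASCII in user/port/rem_addr (wrong key?)")
    return {"session_id": session_id, "seq_no": seq_no, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service, "user": user, "port": port,
            "rem_addr": rem_addr, "data": fields[3]}


def decode_or_none(packet, key):
    """What a receiver gets with a given key: the fields, or nothing usable."""
    try:
        return parse_authen_start(packet, key)
    except ValueError:
        return None
```

Note that this is obfuscation, not encryption, and the RFC says so: anyone who has the key, or who captures the session and guesses it, can recover the passwords carried in the CONTINUE packets, so TACACS+ belongs on a management network that is itself protected. It also explains why a "dead" server and an "Access Denied" can both be a key problem: the TCP connection and the header are fine, only the body is unreadable.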
-
Use Tacacs+ for Admin auth & Radius for user Auth?
Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
If I set up a server in Server Manager under RADIUS, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume not.

Don't know about 1200s, but you can do this on 1130AGs. Create an aaa group for authentication via RADIUS and one for TACACS+, then use the aaa groups to point console/vty to the TACACS+ aaa group, and EAP authentication to the RADIUS group.
eg:
aaa group server radius rad-group
server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
now under the ssid part of the config have:
dot11 ssid yyyyyy
authentication open (or whatever method you use) eap eap-method
under console/vty etc:
login authentication auth-admin-access
You need some more stuff like RADIUS and TACACS server keys, but the above should get you started. On 1130AGs don't use aaa auth for http(s); it looks like it overloads the aaa server at the moment (see field notices), which probably doesn't apply to 1200s. -
Configuring Cisco Router for use with Syslog Server
Configuring Cisco Router for use with Syslog Server:
Does anyone know of a good doc for this?
-Ashley

Start with that one: http://security-planet.de/wp-content/uploads/2008/12/logging-ios.pdf
And if you need more information, just ask what you want to achieve.
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
How to Use Cisco 3660 or 3745 router for FAx
I want to use a Cisco 3660 or 3745 router for receiving faxes via email. I have an NM-2CE1T1-PRI, which supports E1 R2 signalling on both the 3660 and the 3745. What additional hardware is required? Kindly help.
Hi,
You could use T.37 Store and forward fax which has the feature called Onramp faxing.
On-ramp faxing is where a voice gateway that handles incoming calls from a standard fax machine or the PSTN converts a traditional Group 3 fax to an e-mail message with a Tagged Image File Format (TIFF) attachment. The fax e-mail message and attachment are handled by an e-mail server while traversing the packet network and can be stored for later delivery or delivered immediately to a PC or to an off-ramp gateway. The URL below is for the detailed config.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a00800b5dcf.html
You would not require any extra hardware for the same.
Thanks
GS