Using Multiple RADIUS servers w/ LEAP & WPA concurrently

Our current wireless network was set up by someone on the outside and it uses LEAP w/ CKIP. When we have random employees come in, CKIP is a pain since CKIP usually isn't supported by any of the laptop OEM wireless drivers. We've had to resort to using the manufacturer's drivers to get it to work. Because of this we started looking at moving to WPA w/ TKIP or AES. I started out with a small test setup using MS IAS, PEAP and an IOS-based Aironet 1231. The test environment seems to be working fine; I can associate with it and gain network access, so I don't think there are any problems with IAS or PEAP.
My intention is to set up additional SSIDs on new VLANs so I can run the test WPA network in parallel with the in-use LEAP networks. The problem I seem to have run into is that when I mix the two configs, WPA no longer works. I've enabled quite a few different debugs to get an idea of what might be the problem, and the only thing I can come up with at this time is the possibility of wlccp being the problem. When the machine is trying to connect to the WPA SSID I see a lot of wlccp messages, which, if I understand how this is supposed to work, shouldn't happen since wlccp shouldn't come into play. For the WPA data clients I don't really care about fast roaming, which is what I understand wlccp to be for. People aren't walking around with their laptops while doing something network dependent. They sit down in one location, so seamless roaming is a non-issue.
I've attached sanitized versions of the two configs. I'll continue to hack on this, but I'm hoping I'm just overlooking something that a second set of eyes might catch. Or maybe it's not even possible. I'd also be interested in what others are using as their network EAP methods: EAP-FAST, PEAP, EAP-TLS. I initially chose PEAP since it seems like a happy medium between strength and ease of use from the client end, since 98% of all clients will be Windows laptops. Any comments on using WPA-PSK vs LEAP with 7920 phones?
Thanks in advance,
jeff

Jeff
1. It is recommended that the AP you use as the primary WDS has the radio disabled.
2. It is also standard that your bridge groups be numbered the same as your VLANs.
3. Your native VLAN should not have an SSID associated with it. This is not mandatory but again SOP for multiple VLAN configs.
4. Here is an excellent link for configuring WDS. Of course it shows using an ACS server as your RADIUS server, but any RADIUS server will work.
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
5. As Irene points out, PEAP is a better choice for EAP as it is more secure than LEAP and more widely supported.
6. Any version of WPA is preferred over the older security protocols due to the better encryption methods used.
regards
Bill

Similar Messages

  • ISE Not Identifying AD Group Attributes when using Multiple ISE Servers

    So we have multiple ISE servers with differing personas. I was having an issue with our new ISE setup not identifying AD group attributes when using them in authorization rules.
    We have two 3395 appliances running Admin and Monitoring/Troubleshooting personas and two 3395 appliances running as Policy Server personas. We are running v1.1.1.268 with the latest two patches.
    I was unable to pull Active Directory group attributes in any of my authorization rules. After resyncing all the boxes with the Primary Administration box I was able to do this. There are no bug listings for this occurrence, nor do we have Smartnet to call support, for other reasons. I thought this might be useful to someone who is having the same issue and is unable to figure it out with TAC.
    -CC

    Absolutely. All units said in-sync after setting their personas.
    Here is our layout:
    ISE-ADM-01  Admin-Primary, Monitoring-Secondary
    ISE-ADM-02  Admin-Secondary, Monitoring-Primary
    ISE-PDP-01  Policy Only
    ISE-PDP-02  Policy Only
    I synced one at a time starting with ADM-02, then completed the other two boxes. Active Directory attributes were pulled down when using them in the Ext Group within my Authz rules.
    -CC

  • How to configure sendmail to use multiple LDAP servers ?

    Hi everybody!
    I have sendmail running on Solaris 10 and an LDAP server (192.168.1.9) also running Solaris 10. I have configured sendmail the following way:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=email,dc=reso,dc=ru
    NS_LDAP_BINDPASSWD= {NS1}*********************
    NS_LDAP_SERVERS= 192.168.1.9
    NS_LDAP_SEARCH_BASEDN= dc=email,dc=domain,dc=ru
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= sub
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= default
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    I also have another LDAP server (IP 192.168.1.10). It is configured as a replica of the 192.168.1.9 LDAP server.
    The question is: how can I configure sendmail to use both LDAP servers?
    The man pages explain how to configure ldapclient to use ONE server, but what if I want to use two or more? All the settings and the profiles are the same.
    Thanks in advance =))

    Hi!
    To add LDAP servers to the Solaris ldapclient, you might use the ldapclient command:
    ldapclient manual -v -a defaultServerList="servera.yourdomain.com serverb.yourdomain.com"
    But this is only failover; AFAIK the Solaris ldapclient does not perform load balancing by itself.
    But I am not sure about your sendmail program. Normally, sendmail has its own configuration
    and can be configured to use LDAP, e.g. for aliases etc.
    Regards!
    Rainer

  • How do you setup a server to use multiple DNS servers that are not connect to each other?

    Is there a way to setup a server that connects to two different domains to use the proper DNS server for name resolution?
    Let's say there are two DCs: serverA.subdomaina.domain.com and serverB.subdomainb.domain.com. The domains are independent and not connected. Now you need a common server that is connected to both and needs to resolve names from both domains.
    Is this possible?
    I have set up a server in a workgroup. One NIC has the subdomaina.domain.com connection-specific suffix and the other NIC has subdomainb.domain.com. Each NIC has the DNS server listed for the domain it is connected to.
    This configuration will resolve FQDNs of one domain but not the other. This I believe is due to the fact that the server only queries one DNS server and doesn't try the other DNS server.
    Is there any way to make the server try another DNS server, if the first one doesn't have the entry?

    Hi,
    Thank you for posting in Windows Server Forum.
    Here, adding to the words of "Tim", a forwarder is a DNS server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. You can also forward queries according to specific domain names using conditional forwarders.
    A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. You can refer to the information regarding forwarders and how to configure them at the links below.
    Understanding forwarders
    http://technet.microsoft.com/en-us/library/cc782142(v=ws.10).aspx
    Configure a DNS Server to Use Forwarders
    http://technet.microsoft.com/en-us/library/cc754941.aspx
    Hope it helps!
    Regards.

  • Restricting SSIDs using Win2008 Radius Servers

    Hello All,
    I have a customer that wants to restrict the SSIDs that groups get based on their AD credentials. Currently, he is using Windows 2008 RADIUS Server and AD with Cisco 5508 WLCs. I found examples that show this is possible, but my question is: if I have 2 user groups (teachers and students) in AD and apply a policy for the RADIUS server to send SSID x to teachers and SSID y to students, upon successful authentication, would this deny teachers access to SSID y and students access to SSID x?
    Thanks in advance for your help! Any suggestions, comments, or links to documents on how this can be done would be greatly appreciated as well!!

    From my recent memory, this would simply force the client to be placed in the appropriate WLAN ID. RADIUS will respond with the WLAN ID the client should be "placed in"; therefore if your "teacher policy (x)" authenticates a user, they will be pushed to WLAN ID , regardless of whether they connected to WLAN X or Y, presuming they're hitting the same NPS server/policies; and vice versa.
    Bottom line is the network policy on the NPS is going to make the client move to the respective WLAN ID based on the "credentials" authenticated in the respective policy, regardless of whether they connect to WLAN X or Y. Make sure AAA override is enabled on each WLAN.
    List of VSAs supported on WLC
    http://www.cisco.com/en/US/products/ps6307/products_tech_note09186a0080870334.shtml
    WLAN ID
    When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. The WLAN ID is sent by the WLC in all instances of authentication except IPsec. In case of web authentication, if the WLC receives a WLAN-ID attribute in the authentication response from the AAA server, and it does not match the ID of the WLAN, authentication is rejected. Other types of security methods do not do this.
    Taken from
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008082d5b5.shtml#C2
    This is for IAS but the VSAs will all be the same when configured in NPS
    For setting the WLAN-ID on a per-user basis:
    Attribute Name: Airespace-WLAN-Id
    Vendor-assigned attribute number: 1
    Attribute Format: Integer/Decimal
    Value: WLAN-ID
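As an added example (not code from this thread, Cisco or Microsoft), here is a small Python encoder and parser for the Airespace-WLAN-Id vendor-specific attribute the answer above describes, together with the "returned WLAN-ID must match the WLAN the client associated to" check it quotes for web authentication. The vendor id 14179 is an assumption taken from the public Airespace RADIUS dictionary, and the Access-Accept attribute bytes are constructed locally, not captured from a WLC.

```python
import struct

RADIUS_VSA_TYPE = 26            # RFC 2865 Vendor-Specific attribute
AIRESPACE_VENDOR_ID = 14179     # assumption: Airespace enterprise number (public RADIUS dictionary)
AIRESPACE_WLAN_ID = 1           # vendor-assigned attribute number quoted in the answer
RADIUS_USER_NAME = 1            # RFC 2865 User-Name, only used to pad the sample


def encode_wlan_id_vsa(wlan_id: int) -> bytes:
    """Encode Airespace-WLAN-Id as a Vendor-Specific attribute: an outer TLV
    (type 26, length, 4-byte vendor id) wrapping an inner TLV
    (vendor type 1, length 6, 4-byte big-endian integer)."""
    if not 0 <= wlan_id <= 0xFFFFFFFF:
        raise ValueError("wlan_id must fit in an unsigned 32-bit integer")
    inner = struct.pack("!BBI", AIRESPACE_WLAN_ID, 6, wlan_id)
    body = struct.pack("!I", AIRESPACE_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_attributes(raw: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list. Each TLV length
    includes its own 2-byte header; a length below 2 or one that overruns the
    buffer is malformed and rejected instead of being skipped silently."""
    offset = 0
    while offset + 2 <= len(raw):
        attr_type, attr_len = raw[offset], raw[offset + 1]
        if attr_len < 2 or offset + attr_len > len(raw):
            raise ValueError("malformed attribute at offset %d" % offset)
        yield attr_type, raw[offset + 2:offset + attr_len]
        offset += attr_len
    if offset != len(raw):
        raise ValueError("trailing bytes after last attribute")


def find_wlan_id(raw: bytes):
    """Return the Airespace-WLAN-Id carried in the attribute list, or None
    when no Airespace VSA with sub-attribute 1 is present."""
    for attr_type, value in parse_attributes(raw):
        if attr_type != RADIUS_VSA_TYPE or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue  # another vendor's VSA (e.g. a Cisco AV-pair) is ignored
        # Vendor data may carry several sub-attributes in the same TLV layout.
        for sub_type, sub_value in parse_attributes(value[4:]):
            if sub_type == AIRESPACE_WLAN_ID and len(sub_value) == 4:
                return struct.unpack("!I", sub_value)[0]
    return None


def accept_matches_wlan(raw: bytes, associated_wlan_id: int) -> bool:
    """The check the answer quotes for web authentication: the WLAN-ID in the
    Access-Accept must equal the WLAN the client associated to."""
    returned = find_wlan_id(raw)
    return returned is not None and returned == associated_wlan_id


def _vsa(vendor_id: int, vendor_data: bytes) -> bytes:
    body = struct.pack("!I", vendor_id) + vendor_data
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


# Constructed Access-Accept attribute list (not a real capture): User-Name,
# a Cisco (vendor 9) AV-pair that must be ignored, then Airespace-WLAN-Id 2.
_user = b"teacher1"
_avpair = b"example=constructed"
SAMPLE_ACCEPT_ATTRS = (
    struct.pack("!BB", RADIUS_USER_NAME, 2 + len(_user)) + _user
    + _vsa(9, struct.pack("!BB", 1, 2 + len(_avpair)) + _avpair)
    + encode_wlan_id_vsa(2)
)

if __name__ == "__main__":
    print(encode_wlan_id_vsa(2).hex())
    print(find_wlan_id(SAMPLE_ACCEPT_ATTRS))
    print(accept_matches_wlan(SAMPLE_ACCEPT_ATTRS, 2), accept_matches_wlan(SAMPLE_ACCEPT_ATTRS, 3))
```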

  • Using multiple SMTP servers but a single Internet Service Provider(ISP)

    Hello Sir,
    I am working on an Enterprise Java Bean application running on a J2EE application server and use the JavaMail API to send emails through the application.
    In the J2EE deploytool the SMTP server is set to "smtp.roltanet.com", provided by the ISP, and by connecting to Roltanet we are able to send emails successfully.
    But the problem is, if I set the SMTP server to something other than Roltanet, then I get the following error:
    "The exception is javax.mail.SendFailedException: Sending failed;
    nested exception is:
    javax.mail.SendFailedException: Invalid Addresses;nested exception is:
    javax.mail.SendFailedException: 553 sorry, that domain isn't allowed to
    be relayed thru this MTA (#5.7.1)"
    But I think there is a way in which, even though you are connected to, say, Roltanet, you can use, say, VSNL's SMTP server if you also have an account on VSNL; then, by supplying VSNL's user id and password,
    VSNL's SMTP will allow you to send emails even though it is connected to the internet through Roltanet.
    Is there really a way this can be done, through code or something?
    Can anybody help me out with the issue? Any suggestion or code samples will suffice.
    Thanks
    Sam

    Java Mail does not provide SMTP functionality. As a result you have to specify an SMTP server to use to send emails.
    If you are interested in obtaining a commercial license for using an email software module we developed, please contact me. The highlights are:
    - Can send email without specifying an SMTP server (SMTP)
    - Automatic search for the destination SMTP server for a given name (for example, yahoo.com)
    - Can construct/read emails in Java object and XML format (POP3, XML)
    - Email encoding algorithms are available (for example, Base64, Quoted-Printable, etc.)
    - Can talk to news groups and fetch news messages (NNTP)
    [email protected]

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set ACS to use both RADIUS and TACACS.
    For this you need to add the WLC twice in ACS --> Network Configuration, but you need to keep the host names different.
    e.g. 1) Host name WLC ---> IP x.x.x.x --> Auth using --> RADIUS
    2) Host name WLC1 ---> IP x.x.x.x ---> Auth using --> TACACS.
    You need to set up TACACS commands on the WLC along with the RADIUS commands.
    Regards,
    ~JG
    Please rate helpful posts

  • Multiple Database Servers Question

    Hi,
    Please forgive this ignorant question, but can someone tell me how one would go about using multiple database servers?
    Just as there comes a time where one would need more than one web server and would need to use a load balancing solution, what happens when one would need more than one database server?
    How does one go about implementing that solution?
    Is there some way to have two database servers carrying the same information with some kind of load balancing solution in front of it(?) or does one place some tables on one database server, and other tables on the other database server?
    (I have no clue as to how things would work.)
    Thanks in advance,
    Joe

    Microsoft SQL allows for clustering of SQL databases, so for instance two servers connected to a fileshare and a virtual address shared across the two physical boxes. Database connections are made to the virtual address, which will then be handled by the active node. Because a database is ultimately a file(s) on a disk it can only be attached to one node at a time, so you end up with an active/inactive cluster.

  • Alpine: multiple SMTP Servers & Trash folder

    Hi,
    I want to use multiple SMTP servers in alpine. I've set a main server via Setup->Configuration (see below) and added another IMAP server via Setup->collectionLists. So reading mail is no problem; I can see the different servers / folders in the "Folder List" view (the added dots or slashes after the folder names are a minor problem...).
    In order to send mail via the second server, I've added a rule via Setup->Rules->Roles, so when sending a message, the right smtp server corresponding to the folder where I'm in is chosen.
    BUT alpine always postpones messages to the folder on the main server, even when the message is composed for the second server. The same applies for sent messages: they are always saved on the main server.
    How do I tell alpine to save postponed/sent messages on the right server?
    Current configuration:
    Setup -> Configuration:
    Personal Name = My Name
    User Domain = <No Value Set>
    SMTP Server (for sending) = smtp.server.tld:587/user=USERNAME/tls
    NNTP Server (for news) = <No Value Set>
    Inbox Path = {imap.server.tld:993/user=USERNAME/ssl}INBOX
    Incoming Archive Folders = <No Value Set>
    Pruned Folders = <No Value Set>
    Default Fcc (File carbon copy) = {imap.server.tld:993/user=USERNAME/ssl}Sent
    Default Saved Message Folder = <No Value Set: using "saved-messages">
    Postponed Folder = {imap.server.tld:993/user=USERNAME/ssl}Drafts
    Read Message Folder = <No Value Set>
    Form Letter Folder = <No Value Set>
    Trash Folder = {imap.server.tld:993/user=USERNAME/ssl}Trash
    Literal Signature = <No Value Set>
    Signature File = <No Value Set: using ".signature">
    Feature List =
    Setup->Rules->Roles
    ============ ACTIONS BEGIN HERE =============
    Initialize settings using role : <No Value Set>
    Set From = My name <[email protected]>
    Set Reply-To = <No Value Set>
    Set Fcc = <No Value Set: using "value from fcc-name-rule">
    Set LiteralSig = <No Value Set>
    Set Signature = <No Value Set: using "default (.signature)">
    Set Template = <No Value Set>
    Set Other Hdrs = <No Value Set>
    Use SMTP Server = smtp.2nd-server.tld:25/[email protected]/tls
    Use NNTP Server = <No Value Set>
    Second question: how do I make use of the Trash folder? At present, mails marked for deletion are deleted completely when expunged. How do I move them to the Trash folder instead? (Of course in the Trash folder on the right server...)
    Any hints appreciated -- Thanks!

    mrchi wrote:
    Mail also lists other folders with similar names at the same level as INBOX, which appear to have a mysterious relationship with the real folders on the server. Some are the same as, some not. Are they "local" folders?
    Yes, they're local folders (located in /Users/youruseraccount/Library/Mail/IMAP-account@domain), they're synced and display the contents of the folders on the server, so when you move some message from one folder to the other, the folders on the server will reflect this change.
    Also, to select if you want to keep local copies of the messages or not, you can go to the Advanced properties of the IMAP account in Mail.
    Can I get rid of them and just use Mail to display only what is actually on the server, in the structure it is on the server?
    Nic
    No, you can't get rid of them. Usually you can minimize them under a sort of earth globe icon.

  • Using multiple vendors of RADIUS servers for backup

    Is it possible to use ISA Server as a primary RADIUS server and Steel Belt as a backup? If so, is there some documentation on using them together?

    You could point the controller(s) to multiple AAA servers, but I'd like to point out that the way the controller uses them is in a serial manner. That means, unless the first configured AAA server fails, the traffic is not sent to the second AAA server, and so on. Therefore, it's not designed to load-balance across multiple AAA servers. Hope that helps.

  • WLC with Multiple RADIUS Accounting Servers

    If a WLC has multiple accounting servers defined for a WLAN, will accounting packets be sent to all accounting servers?
    The operation of authentication servers is that the WLC will only send authentication requests to a single RADIUS server. If that RADIUS server becomes unavailable, then the WLC will start to send authentication requests to the next available RADIUS server in the list configured for the WLAN.
    Is it the same mode of operation for accounting servers? Or, does the WLC send accounting records to all accounting servers that are defined against a WLAN?
    Thanks
    Nigel.

    So the WLC would use the priority list for the RADIUS servers for accounting.
    I have a setup where I need to send accounting to two different servers for different reasons. Can this be done on the WLC?
    If not, does anyone know a good forking server for RADIUS accounting?

  • Running a Select query against multiple sql servers using SSIS script task.

    Hi Guys,
    I need to fetch data from multiple SQL servers using an SSIS script task inside a foreach container.
    Is there any way I can build dynamic SQL connections using SSIS variables inside the SSIS script task in each loop?
    Please guide me or refer any blogs so that i will try..
    Thanks in advance.

    Your only option is using .NET code; then it will be no different than using a console app in a loop.
    // connectionString is the value the ForEach loop hands to the script task on each iteration
    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        connection.Open();
        Console.WriteLine("ServerVersion: {0}", connection.ServerVersion);
        Console.WriteLine("State: {0}", connection.State);
    }
    and so forth for each connection string;
    the connection string would come from the ForEach loop.
    Arthur My Blog

  • Run Admin Server with multiple Managed Servers each using different userid?

    We currently run separate WebLogic domain instances for each business application in a Unix environment. Each one is created using a unix userid unique to that application and which owns all the files and is used to run the process when that particular WebLogic instance is started up. We have run this way for a while.
    I am considering altering our approach to the one that is recommended, i.e. in our Production environment we would run a single Admin instance with numerous managed servers. One issue I'm stuck on is the fact that in our current environment, each application has a different unix userid that owns the files making up the WebLogic domain instance and that WebLogic instance is run under that userid.
    I've investigated and experimented using WebLogic 10.3 preview and WebLogic 10.0, but I haven't been able to determine what I have to do to make each managed server's files and processes belong to a different unix userid, if that is even possible.
    Is there a way, using the recommended approach, where there is a single Admin instance that has multiple managed servers whose files and processes are owned by different unique, unix userids?
    If not, how would you separate access to each of the Managed Servers so that the programmers who maintain them don't have access to Managed Servers that they are not responsible for?
    Thanks for any help or suggestions.....

    Hi:
    I played with this stuff and I found that this will work, without the Location elements:
    <IfModule mod_weblogic.c>
    MatchExpression /app1 WebLogicHost=server1|WebLogicPort=7003
    MatchExpression /app2 WebLogicHost=server2|WebLogicPort=7003
    </IfModule>
    Also this will work too, with no entries inside the IfModule element:
    <Location /app1 >
    SetHandler weblogic-handler
    WebLogicHost server1
    WebLogicPort 7003
    </Location>
    <Location /app2 >
    SetHandler weblogic-handler
    WebLogicHost server2
    WebLogicPort 7003
    </Location>

  • Adding AAA servers to ACS to use Proxy RADIUS distribution Table

    Hello,
    I've added two non ACS radius servers (Radiator) to the AAA servers on Network Config, in order to use them on a proxy distribution table.
    I had problems authenticating users through those servers and I did a sniffer trace on the outside interface of the ACS.
    What I saw is that ACS sends packets to the AAA server configured as RADIUS on port 1645, not 1812, the expected standard and the port the other servers are listening on. How can I change this behaviour?
    Thanks
    Gustavo

    ACS by default will listen on both ports 1645 and 1812, the two "standard" Radius ports. However, when talking to a proxy server it will only send them on 1645, by default. To change this you have to go into the registry and change it as follows:
    Under [HKEY_LOCAL_MACHINE\SOFTWARE\Cisco\CiscoAAAv3.x\Hosts\\RADIUS] (where is the server you want to send the 1812 requests to, and note that you may have to add the RADIUS key if it isn't there already), you can add the following:
    "authPort"=dword:0000066d <<---- 1645
    "acctPort"=dword:0000066e <<---- 1646
    "timeout"=dword:00000001
    "single connection"=dword:00000000
    "strip users"=dword:00000000
    You don't need all of them; you can just change authPort to 1812 (0x714) and acctPort to 1813 (0x715) and you should be good to go. Make sure you reboot the server after making the registry changes. Keys are case-sensitive too, so make sure you type them in EXACTLY as I've shown above.

  • Can I use multiple Essbase servers if I have multiple Planning web servers?

    Hi,
    Can I use multiple Essbase servers if I have multiple Planning web servers?
    Can I have one Finance Planning application running on one Web server on one Essbase server.
    Have another Operations Planning application running on another Web server on another Essbase box and server?
    Thanks in Advance.

    Hi,
    You can have as many Essbase servers as you want, provided they are registered on the same Shared Services. When you create a data source for a Planning application, you have to provide the Essbase server name and login details. You can provide one Essbase server in one data source and another Essbase server for another.
    Also since Planning is based on RDBMS database, you can have multiple planning web servers pointing to same planning application. You can use load balancer concept as well.
    Let me know if it helps.
    Cheers
    RS
