VLANs per ACS server

Hi,
I would like to know if the following scenario is possible:
Let users in VLAN A authenticate to ACS A and users in VLAN B authenticate to ACS B.
Any comments welcome.
Regards
Dean

Alternatively, why not have one AAA and make that assign vlan based on some criteria? If a user is already on the network (in a vlan), isn't it a bit late to authenticate?
ACS v4.0 would allow you to select RADIUS profiles based on user group membership AND (for example) the device or any other attribute in the access request.
Darran

Similar Messages

  • Multiple Vlans Per SSID

    Hi
    We are just putting in a new Controller - 5500 type
    We are using a WCS .
    Someone has raised the issue of whether we can have multiple vlans
    per SSID - as otherwise we may have very large broadcast domains
    due to the overall design being to have maybe 3 SSIDs:
    Guest
    Staff
    Engineering
    I think in SWAN we could get away with dynamic vlans.
    We would like to have multiple vlans in each SSID to avoid the above.
    Can we do this in the new setup?
    Kind Regards
    Steve

    Hi Steve,
    Yes, it works just the same.
    Enable AAA override on the controller and have interfaces configured for each vlan. Then the ACS can simply push the vlan depending on the user authentication. Users are then split into separate vlans.
    Another way of doing it is to group APs. You can have a group of APs serving SSID Guest in vlan 1, Employee in vlan 2 and another group of APs serving the same SSIDs but in vlan 3 and 4. It's "per-user" vlan load balancing or "geographic" vlan load balancing.
    However, broadcast domains should not be a major concern in wireless as broadcasts are blocked by default. The WLC will proxy for ARP and DHCP.
    Regards,
    Nicolas
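    As an added example (not from the thread above), the RADIUS attributes an ACS pushes for dynamic VLAN assignment, built and parsed in Python: Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as laid out in RFC 2868, with the Access-Accept's Response Authenticator verified against the shared secret before the VLAN is honoured. The shared secret, request authenticator and VLAN number are constructed values.

```python
import hashlib
import os
import struct

# RFC 2865 / RFC 2868 constants
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN number or name, as a string
VLAN, IEEE_802 = 13, 6


def tagged_int(attr_type, tag, value):
    """Tagged integer attribute: type, length, tag octet, 3-octet value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_str(attr_type, tag, value):
    """Tagged string attribute: type, length, tag octet, string bytes."""
    body = bytes([tag]) + value.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_access_accept(ident, request_auth, secret, vlan, tag=1):
    """Build an Access-Accept assigning `vlan`; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)))
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def parse_attrs(data):
    """Yield (type, value) pairs from a RADIUS attribute list."""
    pos = 0
    while pos < len(data):
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("malformed attribute")
        yield t, data[pos + 2:pos + ln]
        pos += ln


def vlan_from_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return the assigned VLAN as a
    string, or None when the tunnel attributes do not describe an 802 VLAN."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    if expected != resp_auth:
        raise ValueError("bad Response Authenticator: wrong secret or tampering")
    found = {}
    for t, val in parse_attrs(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[t] = int.from_bytes(val[1:], "big")   # skip the tag octet
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet of 0x00..0x1F is a tag, not part of the string
            found[t] = (val[1:] if val and val[0] <= 0x1F else val).decode()
    if found.get(TUNNEL_TYPE) == VLAN and found.get(TUNNEL_MEDIUM_TYPE) == IEEE_802:
        return found.get(TUNNEL_PRIVATE_GROUP_ID)
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"   # constructed, not a real key
    REQ_AUTH = os.urandom(16)               # stands in for the Access-Request's authenticator
    pkt = build_access_accept(7, REQ_AUTH, SECRET, 20)
    print("assigned VLAN:", vlan_from_accept(pkt, REQ_AUTH, SECRET))
```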

  • CSM 4.0.1 is removing ACS Server password and then cannot add a new

    Hi,
    We just wanted to use CSM 4.0.1 to change the ACS Server keyword on a FWSM 3.2(5), but in the transcript I see how it removes the key and then the next statement is to add a 127.0.0.1 ACS Server that I have never defined, and that fails because the connection is lost.
    Can CSM be used to change the ACS keyword and not lose the connection before changing it? The product allows such a change and does not stop, albeit it should know that this is unsuccessful.
    Here is the transcript!
    Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
    Received (Thu Dec 16 16:22:14 CET 2010):
    Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
    Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
    ! COMMENT: Device reported error here and stopped accepting further commands
    ! COMMENT: BULK END
    Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
    Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
    Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
    I think there are multiple problems, first it removes the key but does not add one and then it wants to add 127.0.0.1 to it and does not use an interface?

    I would say that it is the interface problem, but not that it had no interface; it had another interface.
    The whole interface story is somewhat stupefying for me.
    What I wanted to do is to use a single AAA Server definition for all my contexts on a FWSM; due to multiple imports in the beginning I ended up having 40 or so in the objects.
    Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interfaces with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
    This verification of the AAA Server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection setup, so I could make changes. Because we have not used the local user for more than 3 years, we had 3 weeks to search for it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last Thursday.

  • AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

    Hi,
    I have an ASA running fine on the network which provides an L2L tunnel to a remote site and provides Remote VPN for remote access users.
    Currently, there is a need for the users to authenticate against an ACS server that is located across the L2L VPN tunnel.
    The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
    I can ping the IP address of the ACS Server (which is located at the remote site, IP addr: 10.10.10.56) from the ASA:
    ping inside 10.10.10.56
    However when I configure the ASA for the AAA group with commands:
    aaa-server ACSAuth protocol radius
    aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
    Then when I do the show run, here is the result:
    aaa-server ACSAuth protocol radius
    aaa-server host 10.10.10.56
    key AcsSecret123
    What I think is that, with this running config, traffic is not directed to the L2L VPN tunnel
    (it seems to be directed to the default gateway because of the default route), which causes the AAA authentication to fail.
    Has anybody ever implemented such a thing, and is it possible? And if yes, how should the config look?
    Your help will be really appreciated!
    Thanks.
    Best Regards,
    Jo

    AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
    http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

  • Router Source address for ACS Server

    Does anyone know how to configure a router (MSFC in this case) so the same ip address is sent to the ACS server for authenticating? The source address may not always be the same depending on the path taken. If the source address isn't an ip address configured for one of my devices, the acs server rejects the attempt and the router defaults to local login. I tried setting a loopback address and always telnetting to the loopback address, however the source address from the MSFC is not the loopback. I have 38 vlans, and I suppose I could configure those ip addresses under a device; however if I add a vlan then I must remember to add that vlan to ACS. I'm sure there is a simpler way to address this, I just can't seem to find the configs needed on the MSFC to make it work.
    Any help will be greatly appreciated.
    Thanks

    Hi,
    Sounds like you need:
    ip tacacs source-interface interface-name
    (or ip radius source-interface interface-name)
    It's recommended to use a loopback interface, so this would give you (assuming loopback0):
    ip tacacs source-interface loopback0
    HTH - plz rate if it does
    Andrew.

  • Limitations of Cisco ACS server

    I want to ask about limitations of Cisco ACS server 3.3.
    I use ACS server for Radius authentication, and it has a limit of 80 authentications per second. But at peak time I need 150-200 authentications per second. Is this a software limitation or does it change with hardware performance?
    Can I also solve this problem with a High Availability configuration?

    Hi
    ACS performance is a very complex issue and depends largely on
    1) auth protocol (anything eap is SLOW)
    2) backend (anything external is SLOW)
    3) server CPU
    We did some performance tests a few years ago and could get up to 1000 auths/sec for MSCHAP against internal DB.
    AD authentication/group mapping can take several seconds to complete.
    ACS's big problem is limited concurrency when authentication time is high. There are some bottlenecks that effectively limit the number of concurrent authentications to 20. This is the max number of tcp/ip connections between CSRadius/CSTacacs and CSAuth. Inside CSRadius there are 50 dedicated authentication threads multiplexing requests over the 20 tcp/ip connections to CSAuth. Messages to CSAuth are blocking - so 20 simultaneous authentications that took 1 second would cap performance to 20 auths/sec.
    EAP-TLS and now EAP-FAST are really really slow because they send multiple rounds over RADIUS using challenge/response marshalled between the device and the 802.1x supplicant.
    Putting ACS onto a quad CPU server won't reduce back-end external db latency or increase concurrency.
    The only way to increase performance is to add more servers... and then you'll also have to get into load balancing :(
    IMHO Cisco needs to make a low cost "ACS on a blade" and have one in each device. Have the config pushed down from a central database.
    Darran
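    An added illustration (not from the thread) of the concurrency cap described above, as a small discrete-event model in Python: a backlog of authentications is served over a fixed number of blocking connections, so the sustained rate can never exceed connections divided by per-authentication latency, and a minority of slow external-DB lookups drags the rate down further. The request counts and latencies are constructed.

```python
import heapq


def auth_throughput(latencies, connections=20):
    """Serve one authentication per latency value over `connections`
    blocking channels (all requests queued at t=0, i.e. a backlog).
    Returns (auths_per_sec, seconds_to_clear_backlog)."""
    if not latencies:
        return 0.0, 0.0
    # Min-heap of the time at which each channel next becomes free
    free_at = [0.0] * connections
    heapq.heapify(free_at)
    makespan = 0.0
    for lat in latencies:
        start = heapq.heappop(free_at)   # the earliest free channel blocks here
        finish = start + lat
        makespan = max(makespan, finish)
        heapq.heappush(free_at, finish)
    return len(latencies) / makespan, makespan


def internal_db_burst(n, lat=0.05):
    """n MSCHAP auths against the internal DB at ~50 ms each (constructed)."""
    return [lat] * n


def external_db_burst(n, fast=1.0, slow=3.0, slow_every=10):
    """n external-DB auths where every `slow_every`-th one hits a slow
    directory lookup (constructed mix of 1 s and 3 s)."""
    return [slow if i % slow_every == 0 else fast for i in range(1, n + 1)]


if __name__ == "__main__":
    cases = (
        ("internal DB, 50 ms each", internal_db_burst(200)),
        ("external DB, 1 s each", [1.0] * 200),
        ("external DB, 10% at 3 s", external_db_burst(200)),
    )
    for name, burst in cases:
        rate, span = auth_throughput(burst)
        print(f"{name:26s} {rate:7.1f} auths/s, backlog of {len(burst)} "
              f"cleared in {span:5.1f} s")
```

With 20 channels and 1 s per authentication the model tops out at exactly 20 auths/s regardless of how many worker threads feed those channels, which is the cap the reply describes.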

  • How many concurrent connections that an ACS server version 4.2 latest patch can handle?

    I have about 50 routers and layer-3 switches that authenticate via tacacs+. The AAA server used to be on a Linux machine running open-source tacacs+ built by me. I have a perl script that will log into all 50 devices at the same time to collect statistics. This script is multi-threaded. Everything is working fine so far.
    I recently out-sourced the AAA function to a 3rd party company, not by my choice. The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad-cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection. Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
    I noticed that for the past 3 months I have multiple failures with this perl script due to authentication failure with the ACS server. If I just run the script against a few routers/switches, there are no issues; however, whenever I start the script to log into 50 devices all at the same time, it will fail. If I make the configuration on all routers/switches point back to the old open-source tacacs+ server, the issue goes away. The minute I switch back to the new ACS server, the issue comes back. If I modify the script to hit one device at a time, it works fine. I think it is that the ACS server cannot handle a lot of AAA requests at the same time.
    Does anyone know how many concurrent connections an ACS 4.2, with latest patches on Windows 2003 Enterprise Server with lots of memory and CPU power, can handle? I can't seem to find this anywhere on the Cisco website.
    Thanks in advance.

    No, I'm not saying ACS cannot cope.
    Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
    Also, worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message, allowing ACS to keep lots of plates spinning.
    If users are in an external database the latency (per authentication) can increase depending on where the users are (eg Windows AD) and if bad enough can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
    If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?

  • How do I create a default account with an ACS Server

    Has anyone seen this? I have an ACS Solution Engine appliance with several devices using it for authentication and accounting. It all seems to work great.
    When I add a new device (router or switch) I noticed that it will let me login via the acs based authentication even before I set up the aaa-client account for this device in the acs appliance. I do have the tacacs key and all the appropriate information on the router or switch but I don't have an entry for it in the acs appliance yet. This has puzzled me. Where is this default account set up? I have another ACS server (Windows based). It seems to have a completely different behavior when it encounters an unconfigured AAA-client compared to the ACS Appliance. Can anyone tell me how to configure the ACS server to do the same and where these configuration options exist?
    This really concerns me from a security perspective.

    Hmm, ACS should not (by default) accept traffic from any old device.
    Could it be you have a wild-card IP Addr in your ACS network config somewhere that accidentally includes the new device?
    Or possibly a DNS name (instead of an IP Addr) that resolves to the address of the new device?
    Try changing the shared secret in the device - you should find you get errors in the Failed Attempts Log.
    Also check the Passed Authentications report as this includes the ACS network config device name in the Access-Device column.
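    An added check (not from the thread) in Python for the two causes suggested above: it matches each NAS address from a constructed Passed Authentications report against a constructed ACS network configuration, reports which AAA client entry admitted it, and flags anything that got in through a wildcard, range or DNS-name entry rather than an exact address. Assumed entry formats are a plain address, a `*` wildcard per octet and an `a-b` range per octet; DNS-name entries are resolved through the hypothetical table `DNS` instead of a live lookup.

```python
import ipaddress
import re

# Constructed ACS "Network Configuration" AAA client entries: name -> address field
AAA_CLIENTS = {
    "core-rtr-1": "10.0.0.1",
    "site-b-all": "10.20.*.*",               # wildcard octets
    "lab-range":  "10.30.1.1-50",            # range in the last octet
    "branch-sw":  "branch-sw.example.test",  # DNS name instead of an address
}

# Hypothetical resolver table standing in for a live DNS lookup
DNS = {"branch-sw.example.test": "10.40.0.7"}

# Constructed Passed Authentications rows: (user, Access-Device column, NAS IP)
PASSED_AUTHS = [
    ("alice", "core-rtr-1", "10.0.0.1"),
    ("bob",   "site-b-all", "10.20.5.9"),   # a switch nobody defined explicitly
    ("carol", "lab-range",  "10.30.1.42"),
    ("dave",  "branch-sw",  "10.40.0.7"),
]


def octet_matches(pattern, octet):
    """One dotted-quad field: exact number, '*', or inclusive 'a-b' range."""
    if pattern == "*":
        return True
    m = re.fullmatch(r"(\d+)-(\d+)", pattern)
    if m:
        return int(m.group(1)) <= octet <= int(m.group(2))
    return int(pattern) == octet


def entry_matches(address_field, nas_ip, dns=DNS):
    """Return (matched, kind); kind is 'exact', 'wildcard', 'range' or 'dns'."""
    if address_field in dns:
        return (dns[address_field] == nas_ip, "dns")
    parts = address_field.split(".")
    if len(parts) != 4:
        return (False, "invalid")
    octets = ipaddress.IPv4Address(nas_ip).packed   # four ints, one per octet
    ok = all(octet_matches(p, o) for p, o in zip(parts, octets))
    kind = ("wildcard" if "*" in address_field
            else "range" if "-" in address_field else "exact")
    return (ok, kind)


def audit(passed_auths, clients=AAA_CLIENTS, dns=DNS):
    """For each passed authentication, list the AAA client entries whose
    address field admits the NAS IP; flag rows not matched by an exact one."""
    findings = []
    for user, device, nas_ip in passed_auths:
        hits = [(name, kind) for name, field in clients.items()
                for ok, kind in [entry_matches(field, nas_ip, dns)] if ok]
        review = not any(kind == "exact" for _, kind in hits)
        findings.append({"user": user, "device": device, "nas_ip": nas_ip,
                         "matched_by": hits, "review": review})
    return findings


if __name__ == "__main__":
    for f in audit(PASSED_AUTHS):
        mark = "REVIEW" if f["review"] else "ok    "
        print(mark, f["nas_ip"], f["device"], f["matched_by"])
```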

  • How enable read only access for ACS server itself

    Hi,
    We would like to know whether it's possible to create read only access to the ACS server. Currently the ACS server has a generic login with full admin rights.
    We need to create a login for a couple of users to log into ACS to check the "Report and Activity" tab. Access to all other tabs should be disabled.
    We are using ACS 4.0 version. Please let me know whether it's possible.
    Thanks
    Nachi

    Hi alexchy8,
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • What is the recommended number of clients per Mac server? Also what are some recommended specs when purchasing an Apple machine that will have Mac OS X server installed?

    What is the recommended number of clients per Mac server? Also what are some recommended specs when purchasing an Apple machine that will have Mac OS X server installed? We have around 300 clients that need to be enrolled on the Mac server. I want to know what is the recommended amount of clients a Mac server should contain. Also what are some recommended specs to make sure the server will run flawlessly?

    Hello cpreasbeck,
    Thank you for contacting Apple Support Communities.
    I was able to find the following transition guide for Xserve that provides some workload guidance to determine performance when planning a server deployment.
    Transition Guide Xserve
    http://images.apple.com/xserve/pdf/L422277A_Xserve_Guide.pdf
    On page 9, Performance there is a chart that provides maximum numbers of connected users for various activities such as file sharing, mail, web, calendar, directory services and Time Machine and the CPU used as a server (Xserve, Mac Pro, Mac Mini). This information is a bit dated as the referenced software is Snow Leopard Server (OS X 10.6), and the hardware is older also, but it should give you a general idea of what you might need to look for.
    Regards,
    Jeff D.

  • Upgrading an ACS Server from 5.0 to 5.1

    I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!
    I try to do it by CLI.
    What CLI command do I use, and what patch?
    Thanks !

    In the monitoring and report I have this:
    AAA Protocol > TACACS+ Authentication
    Authentication Status :
    Pass or Fail
    Date :
    December 09, 2009
    Dec 9,09 11:52:20.200 AM
    13029 Requested privilege level too high
    admin.ad
    switch
    Device Type:All Device Types, Location:All Locations
    Default Device Admin
    AD1
    Thanks !

  • EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

    We are running LWAPP (2006 WLCs and 1242 APs) and using ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not able to authenticate again.
    We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"... Not sure if this error msg is relevant since we have other WLCs that are working OK and still generating the same error msg on the ACS...
    Thanks..

    Here are some configs you can try:
    config advanced eap identity-request-timeout 120
    config advanced eap identity-request-retries 20
    config advanced eap request-timeout 120
    config advanced eap request-retries 20
    save config

  • WLC 5508 and ACS server

    Hi,
    Apologies if this has been answered before. I did a search, but was unable to find anything.
    What I would like to do is be able to have a WLC 5508 as the local RADIUS DB and authenticator, but then be able to have an ACS server in a central location as a backup and then replicate between them.
    In other words, set up groups for my remote sites in the central ACS server, which then replicates only the correct group to the remote sites. This allows less administrative overhead, as we just update the central one.
    Is this possible, and how would I configure the WLC to do this?
    Thanks

    Hi,
    If I understood your request, you want to replicate user information between an ACS and a WLC, right?
    That's impossible.
    ACS can only replicate with other ACS running the same version. No other way of synchronization exists.
    Regards,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Not able to install or generate acs server certificate

    Hi,
    I have one test set-up with one layer 3 switch and one autonomous AP 1131. I have configured one SSID without any authentication and it was not able to connect successfully.
    But now I want to try to enable WPA2 Enterprise (actually, after checking with the test set-up, I am going to implement it in the live set-up where I have to configure WPA2 Enterprise, so I would like to test WPA2 Enterprise, not WPA2 Personal).
    I have the ACS server 3.0 trial version installed on Windows Server 2000, and
    on the AP 1131 I have configured the radius server commands
    (aaa new-model and radius-server host ... ip address ... key ... shared secret ... password ...).
    I am confused about the certificate which is required to install on the acs server; I am not able to generate the certificate, nor able to get the certificate from anywhere in the acs server options.
    How do I generate the acs server certificate in trial version 3.0, and after generating it, how do I install it in the acs server? And what about the client: will it be the same certificate which I need to install on the client PCs, and if yes, how do I add it to the client PCs, and if not, where will I get the client certificate?
    If I buy the ACS software to be installed on the Windows platform, I will get two certificates; what about the acs trial version software, will I be able to get a certificate?
    I am trying to refer to so many documents but they could not help me.
    Your help will be appreciated.
    Looking for proper information.

    Hi,
    Thanks for your response....
    Obviously, this ACS 3.0 is end of support, but when I tried to install ACS 4.0 or later, I am not getting an error saying "basic platform should be installed first, that is ACS 3.0".
    That is the reason I have gone for this edition.
    Should I go for upgrading ACS 3.0 to 4.1 or a later version?
    If so, will it be possible on the trial version?
    Please give me your suggestion.

  • Change network address of acs server

    Put in a new backup ACS server and the senior guy put in a temp host address. Now I need to change the temp host address to its permanent address but need a little clarification. Do you just change it in the Windows Server 2003 tcp/ip stack or do you need to change it also inside the CSACS app? Can't find it in the manuals easily.

    Yes, you'll need to change the ACS config. Just locate the AAA Server entry for the server (in Network Config) and set the ip address to the new value.
    Or you can always just enter the server name instead in case the address changes again.
    Tip: in network config you can enter DNS names instead of ip addresses for devices & aaa servers.
