WAAS and TACACS
We are trying to get our WAAS environment to authenticate against TACACS and then fail over to local if TACACS is unavailable. For engineer logins everything is working as expected. However, we are seeing several thousand failures against the TACACS server from a username of "CMS". This user is not configured in the CM or in TACACS. So we log the failed login, and CMS logs into the WAE due to the failover-to-local mechanism. Looking at packet captures and debugging aaa on the WAEs, it is definitely a CMS user that logs in, but it shows 127.0.0.1 as its "from" host. I am fairly confident this is automation within the WAE syncing with the CM or vice versa. Does anyone know how to get WAAS and TACACS to work together without a mass amount of login failures? Is there a way this CMS user can be cloned/duplicated on the TACACS server? What is the password for this automation user?
Thanks in advance.
Hi Stan,
WAE can authenticate against TACACS, RADIUS and Central Manager (Local) at any time depending on your configuration.
There are a couple of things to keep in mind while configuring TACACS on the WAE, on both sides - TACACS and WAE CM.
On the TACACS side:
1. Please make sure to create the right username.
2. Please make sure to verify whether you are using ASCII password authentication.
3. Try to use an alphanumeric TACACS password of fewer than 15 characters.
4. Please provide the right user-level / group-level permissions. This is somewhere under the user account properties. Please also make sure to select the right user password under user properties.
5. Verify if this user needs level 15 (admin equivalent account).
On WAE CM side:
1. Please make sure to select the right authentication method as primary and secondary.
2. Please make sure to enable the check box for authentication methods.
You can verify the failure / success log events on the TACACS server in order to find out if the user is at least trying to authenticate against TACACS.
I am sure you have looked at this link to find out all the required steps: Configuring TACACS+ Server Settings
Hope this helps.
Regards.
PS: Please mark this as Answered, if this resolves your issue.
Hello All,
I want to download a free, yet reliable AAA and TACACS server, can you guide me? Also, I need help with configuring them for study purposes.
You may download the eval version ACS 4.2.0.124, if you've access to cisco.com.
ACS v4.2.0.124 90-Days Evaluation Software
eval-ACS-4.2.0.124-SW.zip
http://tools.cisco.com/squish/9B37e
Path:
Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
> Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
~BR
Jatin Katyal
**Do rate helpful posts** -
We are currently using the IP SLA UDP jitter measurement to monitor our voice paths across the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be accelerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?
Hi Steve,
The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA. If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted. If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
What are you trying to measure with regards to WAAS?
Zach -
WAAS and Juniper Netscreen Interoperability
I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAEs. IP connectivity is fine. I can ssh to the remote device etc. but users cannot log in (XP). The login script calls upon CIFS etc. and I suspect this is being broken through the FWs.
When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
thanks
Ajaz
Hi Ajaz,
WAAS adds TCP Option 0x21 and increments the TCP packet sequence number during the TCP handshake. The FW needs to be configured to allow these changes.
On the latest PIX/ASA a new command "ip inspect waas" has been added to allow the above changes by the WAE. You might want to check the Netscreen config guide for the command to disable TCP sequence number checking.
If SSH to the servers is working fine then it might not be the FW dropping packets. However, to confirm it might be best to use tcpdump/tethereal on both WAEs to sniff the traffic and see whether it's being dropped along the path by the FW.
Few questions:
- What's the version running on the WAEs?
- Is it only CIFS traffic which is affected? Try disabling the CIFS AO if it's enabled and then test.
Hope this helps,
Best Regards,
Rahul Vavale -
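The thread above says a firewall in the path must tolerate TCP option 0x21 on the handshake. As an added example (not code from the thread or from Cisco), this Python parser walks a TCP header's option list and reports whether kind 0x21 is present, which is the check a packet-sanity rule effectively performs; the option payload bytes here are constructed for illustration, only the kind value comes from the thread.

```python
import struct

# TCP option kind 0x21 (33): the option the thread says WAAS adds during the handshake.
WAAS_OPTION_KIND = 0x21

def parse_tcp_options(raw: bytes) -> list:
    """Walk the TCP options area and return a list of (kind, data) tuples.
    EOL (0) and NOP (1) are single bytes; every other kind is kind, length, data."""
    options, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option at offset %d" % i)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length %d at offset %d" % (length, i))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options

def parse_tcp_header(segment: bytes) -> dict:
    """Parse a TCP header (IP header already stripped) including its options."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4    # header length in bytes, 20..60
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("invalid data offset %d" % data_offset)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window,
            "options": parse_tcp_options(segment[20:data_offset])}

def has_waas_option(segment: bytes) -> bool:
    """True when the segment carries TCP option kind 0x21."""
    return any(kind == WAAS_OPTION_KIND for kind, _ in parse_tcp_header(segment)["options"])

def build_tcp_header(sport, dport, seq, ack, flags, options=b"") -> bytes:
    """Build a header whose option area is padded to a 4-byte boundary (checksum left 0)."""
    padded = options + b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(padded)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, 65535, 0, 0) + padded

SYN = 0x02
MSS_1460 = bytes([2, 4, 0x05, 0xB4])                       # MSS option, value 1460
# Constructed WAAS-style option: kind 0x21, total length 8; payload bytes are made up here.
WAAS_OPT = bytes([WAAS_OPTION_KIND, 8]) + b"\x00\x01\x02\x03\x04\x05"

PLAIN_SYN = build_tcp_header(40000, 445, 1000, 0, SYN, MSS_1460)            # CIFS port, constructed
WAAS_SYN = build_tcp_header(40000, 445, 1000, 0, SYN, MSS_1460 + WAAS_OPT)

if __name__ == "__main__":
    for name, seg in (("plain SYN", PLAIN_SYN), ("SYN with 0x21", WAAS_SYN)):
        kinds = [hex(k) for k, _ in parse_tcp_header(seg)["options"]]
        print(name, "options:", kinds, "WAAS option present:", has_waas_option(seg))
```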
WAAS and Symantec Veritas Volume Replicator
Hi,
We are forwarding Symantec replication traffic via our WAAS infrastructure over a 20Mb WAN link. The CM appears to register the traffic but does not optimize it at all. Has anyone had any experience with WAAS and Symantec Veritas Volume Replicator (VVR) 4.3?
I tested with VVR in the lab. VVR by default uses UDP, and using the nerd knob in the GUI did not force VVR to start using TCP. To get VVR to use TCP, I had to input these commands:
vrport data 1999-1999
vrport heartbeat 2000-2000
or use whatever ports you want to use. The previous answer was asking if you were seeing TCP sessions in the WAEs. This can be seen by telnetting to the WAE and issuing a "show tfo connection summary". Can you post the output of that command? -
Attached is the Visio as well as the config for the India site. The Visio has 2 tabs (POC-WAAS and Proposed-WAAS). The POC (Proof of Concept) tab does not have the spare 3660 installed yet but I plan to do that soon. The "Proposed WAAS" is where we would want to be. However, my question will most likely address the POC tab with the preparation to move to the Proposed tab.
Current assumptions:
Since we have a Manager in India, we will be getting another Manager in Calif, If so, I would like to setup a Primary/Standby deployment for redundancy.
Questions:
1. For the Calif Primary WAE, the Visio shows a Management interface, but do I need a management interface or is it better to go with a standby interface instead as well as use MHSRP?
2. Since we have a high speed link (4 Mb Internet for VPN in POC but 10mb WAN for proposed), should we tune the buffers to the max? If so how?
3. Is this a recommended design for California? For India?
4. Are my configs recommended configs for the California 3660 in POC? If so, what do I need to change in the 3825 in Proposed?
Zach
After reading the SRND, I believe the best design is to move the 512 to the Cores. Please see the updated Visio and planned configs. Here's my updated requirements:
1. Calif is hub
2. All traffic to India (10.2/10.26) should go through the VPN tunnel through (ASA5520)
3. All traffic to 10.3 and 10.5 should go through WAN via (R-Voice2)
4. Latency to India is between 280 and 340 msec and BW is 2mb. Do I also need to be concerned with the BDP, L2 redirect (forwarding), and Mask assignments?
TIA -
Hi all,
Has anybody set up Cisco WAAS with the ERP application BAAN?
I am interested in setting up full optimization for ERP Baan.
Jan
Hi all,
We found the problem.
TCP/512 was in Classifier Unix-Remote-Execution and this Classifier was in pt.
Jan -
WAAS and WCCP - looping packet detected
Hi,
Has anyone run into this scenario before? Before anyone answers with "move your WAE off the user subnet", it already has been.
I have wccp 61 redirect in on the user subnet (gig0/0.83 of a dot1q trunk). The WAE is on gig0/1. Before I apply WCCP 62 to the serial link, I attempt to telnet from a user PC to the router (same subnet, the client's default gateway), and the telnet fails. I get a "looping packet detected" on the router console. It shows the source of the packet as the router (WCCP router id actually), and the destination IP of the WAE, but the packet came in gig0/1 (interface connected to the WAE). Obviously the WAE returned the packet to the router (with the original GRE headers, router as source). I thought WCCP would understand this as "don't redirect this traffic to me anymore", but the router actually tries to route it back down gig0/1 and then sees it as a looping packet. I believe the WAE is returning the encapsulated packet to the router to indicate it doesn't want the flow, and the router is attempting to route the GRE packet, instead of realizing it should remove the GRE header and route the inner packet. Router is IOS 12.4(12) as recommended by my Cisco engineer. 2821 router.
For kicks, I continued the WCCP setup on the datacenter side. As expected, it doesn't work. When I apply the WCCP to the datacenter router (only redirecting the lab subnet), the entire lab subnet is unreachable via TCP (but ICMP still works as expected).
The WCCP configuration isn't very complex, I can't believe it's something I'm doing. I think it's a code issue.
Any advice?
No "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side, just applying 61 in on the LAN side breaks telnet to the router.
LOOPING PACKET DETECTION:
from router console
Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
Router configuration:
ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
interface Loopback0
 ip address 132.242.11.18 255.255.255.255
 h323-gateway voip bind srcaddr 132.242.11.18
interface GigabitEthernet0/0.83
 description << data vlan 83 >>
 encapsulation dot1Q 83
 ip address 153.61.83.3 255.255.255.192
 ip helper-address 192.127.250.22
 ip helper-address 149.25.1.182
 no ip proxy-arp
 ip wccp 61 redirect in
 standby 83 ip 153.61.83.1
 standby 83 priority 200
 standby 83 preempt
 standby 83 track Serial0/1/0:0.99 100
interface GigabitEthernet0/1
 description << WHQ LAB CE connection >>
 ip address 153.61.83.65 255.255.255.192
 load-interval 30
 duplex full
 speed 100
ip access-list standard remote-waas-box
 permit 153.61.83.70
ip access-list extended REDIRECT-WAAS-SUBNETS-61
 permit ip 153.61.83.0 0.0.0.63 any
WAE configuration:
device mode application-accelerator
primary-interface GigabitEthernet 1/0
interface GigabitEthernet 1/0
 ip address 153.61.83.70 255.255.255.192
 no autosense
 bandwidth 100
 full-duplex
 exit
wccp router-list 1 153.61.83.65
wccp tcp-promiscuous router-list-num 1
wccp version 2
wccp slow-start enable
-
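The post diagnoses the %IP-3-LOOPPAK message by hand: GRE (protocol 47) from the WCCP router id to the WAE, entering and leaving on the WAE-facing interface. As an added example (not from the thread), this Python snippet parses that console message and checks it against the router id, WAE address and WAE interface taken from the configs above; the classification labels are mine.

```python
import re

# Field layout of the %IP-3-LOOPPAK message as shown in the console output above.
LOOPPAK_RE = re.compile(
    r"%IP-3-LOOPPAK: Looping packet detected and dropped\s*-?\s*"
    r"src=(?P<src>[\d.]+), dst=(?P<dst>[\d.]+), hl=(?P<hl>\d+), tl=(?P<tl>\d+), "
    r"prot=(?P<prot>\d+), sport=(?P<sport>\d+), dport=(?P<dport>\d+)\s*"
    r"in=(?P<in_if>\S+), nexthop=(?P<nexthop>[\d.]+), out=(?P<out_if>\S+)",
    re.S,
)

def parse_looppak(text: str) -> dict:
    """Extract addressing and interface fields from a LOOPPAK message (may span lines)."""
    m = LOOPPAK_RE.search(text)
    if not m:
        raise ValueError("not a LOOPPAK message")
    event = m.groupdict()
    for key in ("hl", "tl", "prot", "sport", "dport"):
        event[key] = int(event[key])
    return event

def classify_loop(event: dict, wccp_router_id: str, wae_addrs: set, wae_ifaces: set) -> str:
    """Match the dropped packet against the WCCP deployment facts."""
    gre = event["prot"] == 47                          # GRE, as WCCP redirect/return uses
    from_router = event["src"] == wccp_router_id       # source is the WCCP router id
    to_wae = event["dst"] in wae_addrs                 # destination is a WAE
    same_if = event["in_if"] == event["out_if"]        # came in and goes out the same port
    on_wae_if = event["in_if"] in wae_ifaces           # and that port faces the WAE
    if gre and from_router and to_wae and same_if and on_wae_if:
        return "wccp-gre-return-loop"                  # the case described in the post
    if gre and to_wae:
        return "gre-to-wae-other"
    return "unrelated-loop"

# Deployment facts copied from the router and WAE configs posted above.
ROUTER_ID = "132.242.11.18"           # Loopback0, used as the WCCP router id
WAE_ADDRS = {"153.61.83.70"}          # ip access-list standard remote-waas-box
WAE_IFACES = {"GigabitEthernet0/1"}   # interface connected to the WAE

# The console message from the post, used here as sample input.
SAMPLE_LOG = """\
Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
options=none -Process= "IP Input", ipl= 0, pid= 77"""

def analyze(text: str) -> str:
    return classify_loop(parse_looppak(text), ROUTER_ID, WAE_ADDRS, WAE_IFACES)

if __name__ == "__main__":
    ev = parse_looppak(SAMPLE_LOG)
    print("%s -> %s prot %d in %s out %s" % (ev["src"], ev["dst"], ev["prot"], ev["in_if"], ev["out_if"]))
    print("classification:", analyze(SAMPLE_LOG))
```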
I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices. I have all the routers and switches working just fine, but am having an issue with getting the ACE to use TACACS. I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine. I found some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content are below. I know the AAA is working with this TACACS server as the accounting functions properly.
ACE AAA
tacacs-server host 10.1.0.202 key 7 <removed>
aaa group server tacacs+ TAC_AUTH
server 10.1.0.202
aaa authentication login default group TAC_AUTH local
aaa authentication login console group TAC_AUTH local
aaa accounting default group TAC_AUTH local
tac_plus.conf
# Accounting Logs
accounting file = /data/tacacs.log
# Server Key
key = <removed>
# ACL
acl = auth_routers {
    permit = .*
}
# Groups
group = admin {
    login = file /etc/passwd
    acl = auth_routers
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}
# Users
user = admin1 {
    default service = permit
    member = admin
}
user = admin2 {
    default service = permit
    member = admin
}
user = admin3 {
    default service = permit
    member = admin
}
Anyone?
-
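When a tac_plus.conf attribute "doesn't seem to want to work", the first thing to rule out is that the file is not structured the way one assumes. As an added example (not the tac_plus project's own parser), this Python checker parses the small subset of tac_plus.conf syntax used in the post above and reports unbalanced braces, users whose member group is undefined, and groups whose service = exec block lacks the shell:Admin attribute; the sample configuration is constructed, with admin2 deliberately pointing at a missing group.

```python
import re

# Constructed sample modelled on the tac_plus.conf posted above, with closing braces in
# place and one deliberately broken user (admin2 refers to a group that is not defined).
SAMPLE_CONF = """\
group = admin {
    login = file /etc/passwd
    service = exec {
        optional shell:Admin = "Admin default-domain"
    }
}
user = admin1 {
    default service = permit
    member = admin
}
user = admin2 {
    member = nosuchgroup
}
"""

BLOCK_OPEN = re.compile(r"^(\w+)\s*=\s*(\S+)\s*\{$")   # e.g. 'group = admin {'

def parse_tac_plus(text: str) -> dict:
    # 'kind = name { ... }' blocks become conf[kind][name]; 'key = value' lines become
    # entries of the enclosing block. Raises ValueError on bad lines or unbalanced braces.
    top: dict = {}
    stack = [top]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            block: dict = {}
            stack[-1].setdefault(m.group(1), {})[m.group(2)] = block
            stack.append(block)
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        key = key.strip()
        if key.startswith("optional "):              # modifier, not part of the attribute name
            key = key[len("optional "):]
        stack[-1][key] = val.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("%d block(s) never closed with '}'" % (len(stack) - 1))
    return top

def validate(text: str) -> list:
    # Parse, then confirm every user's group carries shell:Admin under 'service = exec'.
    try:
        conf = parse_tac_plus(text)
    except ValueError as exc:
        return ["syntax: %s" % exc]
    problems, groups = [], conf.get("group", {})
    for user, body in conf.get("user", {}).items():
        grp = body.get("member")
        if grp not in groups:
            problems.append("user %s: member group %r is not defined" % (user, grp))
        elif "shell:Admin" not in groups[grp].get("service", {}).get("exec", {}):
            problems.append("user %s: group %s lacks shell:Admin in service = exec" % (user, grp))
    return problems
```

Run validate() on the real file and an empty list means the structure matches what the post intends; anything else points at the line or user to fix.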
Authenticating against RADIUS *AND* TACACS
G'day...
Toys:
Cisco Secure ACS 3.2
Cisco 1242 Access Points
I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
Cheers,
Andrew.
Hi,
The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
If your device needs to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with the same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP for both TACACS+ and RADIUS.
I am using the same approach to authenticate remote access clients and network admin in my Access Server.
Rgds,
AK -
802.1x and TACACS+
I use the ACS box mainly for AAA on the switches and routers using TACACS. Now we're looking at the possibility of using 802.1x; my early reading tells me I have to use RADIUS, but I'm using TACACS. Can I have two different methods of authentication on the same switch/router?
Any help would be greatly appreciated.
Thanks.
Hi,
Yes, you can have different authentication methods on the same router/switch.
In case you need to configure 802.1x, you can simply add the 802.1x commands as they will not interfere with the working of your TACACS authentication.
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html
If you want to configure RADIUS for login authentication along with the existing TACACS then you need to configure a method list.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#wp1000906
Regards,
Puneet -
WAAS and Checkpoint compatibility.
Hello
Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?
I've run into a paper that suggests using "Wire Mode" on Checkpoint.
Are there alternatives? Did someone out there have to do anything like this?
Thanks a lot.
GG
Thanks for your replies. The following rules were modified and WAAS worked just fine.
Sequence Verifier
http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html
Packet Sanity
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071
Thanks again
Guido -
Configuring RAS and TACACS+. through ACS.
Hi all,
I have very basic question about
configuring RAS with digital modems
and AAA through TACACS+. I use
command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10
for example. And inside router I configure this pool with some range of
IP addresses...for example
ip local pool OLA 192.168.10.2 192.168.10.127.
And I set AAA through TACACS+.
What should I do next on ACS? Should I configure this pool of IP addresses on ACS or is it sufficient to do it only on the router? Or is doing this on the router not important?
Thanks
jl
John
I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
HTH
Rick -
Hello ,
I have many Qs regarding the WAAS implementation:
1- Which is better, using an inline card or WCCP, and why (is there any problem with inline cards?)
2- If we have an ASA in the network, is there any OS version required for the ASA to support WAAS? We have implemented WAAS with WCCP between 2 branches, all traffic is optimized but there are 2 applications blocked (not working at all); the 2 applications pass via the firewall. Is there any known reason for that?
3- we have cat4500 and it should support wccp to redirect traffic for WAAS , but redirect list is not supported at all, do you know if that for all 4500 platform or for just specific OS or Sup as nothing clear on Cisco regarding this point ( wccp redirect list ).
Thanks
Moamen
Hey Moamen,
1. I would not say either is better, but there are different applications. Where you need more than a single WAE for scaling and redundancy, I would recommend WCCP. Where you have a fairly simple topology, requirements for only one WAE, and/or non-Cisco gear, I would probably recommend In-line. I've done tons of both and both work really well for interception.
2. ASAs do have a minimum recommended code version. For interoperability with WAAS, you need Cisco ASA/PIX version 7.2.3 or later. In that version, there is the command "inspect waas" to allow for the sequence number jump in optimized traffic, which is why your ASA is blocking the traffic.
3. The CAT4500 can support WCCP in hardware. The platform hardware only supports ingress interception, L2-redirect, L2-return, mask-assign configs on the WAE and the minimum IOS version I would recommend running would be 12.2(40)SG or later. As you mentioned, there are limitations with the redirect lists, they are NOT supported in any version of IOS, it's a function of the hardware. If you need to exclude traffic, you might want to consider using application policies when using CAT-4500.
I hope that helps you out.
Dan -
WAAS and Netflow, traffic reports are inflated unpredictably
Not sure if anybody has had any luck getting Netflow to report correctly when WAAS is in the picture. We have about 30 sites deployed with WAAS in an out-of-line configuration and every single one of them incorrectly reports Netflow traffic to our NetQoS Reporter Analyzer product. Typically the traffic throughput seems to be inflated several times higher. We tried every which way to alter the Netflow configuration in the router, including Egress Netflow, but the traffic is still showing higher than the actual traffic coming out of a port. In one site, even the "show interface" command on the router shows a 5-minute rate of 16Mbps on a 6Mbps Multilink circuit.
Hello Thang Lu,
We have run into this issue with a few customers and here are some things to consider:
- If you have 'Flexible' NetFlow enabled: beware, Flexible NetFlow does not export the flow direction by default; you must configure the direction bit to be set for egress flows. Traditional NetFlow v9 does this automatically.
- Are you excluding certain protocols in NetQoS? If you don't do this, some tunnels and VPN connections will be exported twice!
These are the protocols we exclude by default in Scrutinizer NetFlow Analyzer:
I hope these suggestions help you.
Jake