WAAS and TACACS

Similar Messages

• AAA and TACACS servers

  Hello All,
  I want to download a free, yet reliable AAA and TACACS servers, can you guide me? Also, I need help with configuring them for study purpose.

  You may download the eval version ACS 4.2.0.124, if you've access to cisco.com
  ACS v4.2.0.124 90-Days Evaluation Software
  eval-ACS-4.2.0.124-SW.zip
  http://tools.cisco.com/squish/9B37e
  Path:
  Cisco.com > Downloads Home > Products > Cloud and Systems Management > Security and Identity Management
  > Cisco Secure Access Control Server Products > Cisco Secure Access Control Server for Windows > Cisco Secure ACS 4.2 for Windows > Secure Access Control Server (ACS) for Windows-4.2.0.124
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• WAAS and IP SLA operation

  we are currently using the IP SLA udp jitter measurement to monitor our voice paths accross the WAN. If we implement a partial WAAS across the same WAN the voice traffic will be acellerated but not the IP SLA jitter measurement. Does this mean that when WAAS is implemented IP SLA is limited in its use?

  Hi Steve,
  The answer to your question depends on 1) how you deploy WAAS and 2) how you use IP SLA.  If you deploy WAAS using WCCP for interception, UDP traffic will never be intercepted.  If the WAAS device is deployed inline, all traffic flows through the WAAS device, so an IP SLA probe using UDP will be subject to WAAS pass-through handling behavior.
  What are you trying to measure with regards to WAAS?
  Zach

• WAAS and Juniper Netscreen Interoperability

  I've been doing a dig on historical posts relating to WAAS deployed through firewalls.
  I am working on a deployment with Juniper Netscreens & ASA5520 sitting between WAE's. IP connectivity is fine. I can ssh to remote device etc. but users cannot login (XP). The login scripts calls upon CIFS etc and I suspect this is being broken through the fw's.
  When I disable WAAS for this flow - it all works fine i.e. users can login and access full set of corporate resources. I suspect the firewalls but would appreciate any leads..
  thanks
  Ajaz

  Hi Ajaz,
  WAAS adds TCP Option 0x21 and increments TCP packet sequence number during TCP handshake. FW needs to be configured to allow
  these changes.
  On the latest PIX/ASA a new command "ip inspect waas" has been added to allow above changes by wae. You might want to check
  Netscreen config guide on command to disable TCP sequence number checking.
  If SSH to Servers is working fine then it might not be FW dropping packets. However to confirm it might be best to use
  tcpdump/tethereal on both WAEs and to sniff the traffic on whether its being dropped along the path by the FW.
  Few questions:
  - Whats the version running on WAEs?
  - Is it only CIFS traffic which is affected? Try disabling CIFS AO if its enabled and then test.
  Hope this helps,
  Best Regards,
  Rahul Vavale

• WAAS and Symantec Vertitas Volume Replicator

  Hi,
  We are forwarding Symantec replication traffic via our WAAS infrastructure over a 20Mb WAN link. The CM appears to register the traffic but does not optimize it at all. Has anyone had any experience with WAAS and Symantec Veritas Volume Replicator (VVR) 4.3?

  I tested with VVR in the lab. VVR default uses UDP and using the nerd knob in the GUI did not force VVR to start using TCP. To get VVR to use TCP, I had to input these commands:
  vrport data 1999-1999
  vrport heartbeat 2000-2000
  or use what ever ports you want to use. The previous answer was asking if you were seeing TCP sessions in the WAE's. This can be seen by telneting to the WAE and issueing a "show tfo connection summary". Can you post the output of that command?

• WAAS and 512 Deployment

  Attach is the Visio as well as config for the India site. The Visio has 2 tabs (POC-WAAS and Proposed-WAAS). The POC (Proof of Concept) tab does not have the spare 3660 installed yet but I plan to do that soon. The "Proposed WAAS" is where we would want to be. However, my question will most likely address POC tab with the preparation to move to the Proposed tab.
  Current assumptions:
  Since we have a Manager in India, we will be getting another Manager in Calif, If so, I would like to setup a Primary/Standby deployment for redundancy.
  Questions:
  1. For Calif Primary WAE, the visio shows a Management interface but do I need a management interface or is it better to go with a standby interface instead as well as use MHSRP?
  2. Since we have a high speed link (4 Mb Internet for VPN in POC but 10mb WAN for proposed), should we tune the buffers to the max? If so how?
  3. Is this a recommend design for California? for India?
  4. Is my configs a recommend configs for California 3660 in POC? If so, what do I need to change in 3825 in Proposed?

  Zach
  After reading the SRND, I believe the best design is to move the 512 to the Cores. Please see the updated Visio and planned configs. Here's my updated requirements:
  1. Calif is hub
  2. All traffic to India (10.2/10.26) should go through the VPN tunnel through (ASA5520)
  3. All traffic to 10.3 and 10.5 should go through WAN via (R-Voice2)
  4. Latency to India is btwn 280 to 340msec and BW is 2mb. Do I also need to be concern with the BDP, L2 redirect(forwarding), and Mask assignments?
  TIA

• WAAS and SSA Baan ERP

  Hi all,
  Anybody how have setup Cisco WAAS and ERP application BAAN?
  I am interesting to setup a full optimization for ERP Baan.
  Jan

  Hi all,
  We found the problem.
  TCP/512 was in Classifier Unix-Remote-Execution and this Classifier was in pt.
  Jan

• WAAS and WCCP - looping packet detected

  Hi,
  Has anyone ran into this senario before. Before anyone answers with "move your WAE off the user subnet", it already has been.
  I have wccp 61 redirect in on the user subnet (gig0/0.83 of a dot1q trunk). The WAE is on gig0/1. Before I apply wccp62 to the serial link, I attempt to telnet from a user pc to the router (same subnet, clients default gateway), and the telnet fails. I get a "looping packet detected" on the router console. It shows the source of the packet as the router (wccp router id actually), and the destination ip of the WAE, but the packet came in gig0/1 (interface connected to wae). Obviously the WAE returned the packet to the router (with the original GRE headers, (router as source)). I thought WCCP would understand this as "don't redirect this traffic to me anymore", but the router, actually tries to route it back down gig0/1 and then sees it as a looping packet. I believe the WAE is returning the encapsulated packet to the router to indicate it doesn't want the flow, and the router is attempting to route the GRE packet, instead of realizing it should remove the GRE header and route the internal packet. Router is IOS 12.4(12) as recommended by my Cisco engineer. 2821 router.
  For kicks, I continue the WCCP setup on the datatcenter side. As expected, it doesn't work. When I apply the WCCP to the datacenter router (only redirecting lab subnet), the entire lab subnet is unreachable via TCP (but icmp still works as expected).
  The WCCP configuration isn't very complex, I can't believe its something I'm doing. I think its a code issue.
  Any advise?

  no "out" anywhere. The LAB router has a WAE list to only allow redirect to the lab WAE. I don't even need the 62 in on the WAN side, just applying 61 in on the LAN side breaks telnet to the router.
  LOOPING PACKET DETECTION:
  from router console
  Feb 27 14:56:32.924: %IP-3-LOOPPAK: Looping packet detected and dropped -
  src=132.242.11.18, dst=153.61.83.70, hl=20, tl=76, prot=47, sport=0, dport=0
  in=GigabitEthernet0/1, nexthop=153.61.83.70, out=GigabitEthernet0/1
  options=none -Process= "IP Input", ipl= 0, pid= 77 -Traceback= 0x410F6978 0x415CC960 0x415CDC60 0x415BBB38 0x415BCF18 0x415BD27C 0x415BD2FC 0x415BD4E8
  Router configuration:
  ip wccp 61 redirect-list REDIRECT-WAAS-SUBNETS-61 group-list remote-waas-box
  interface Loopback0
  ip address 132.242.11.18 255.255.255.255
  h323-gateway voip bind srcaddr 132.242.11.18
  interface GigabitEthernet0/0.83
  description << data vlan 83 >>
  encapsulation dot1Q 83
  ip address 153.61.83.3 255.255.255.192
  ip helper-address 192.127.250.22
  ip helper-address 149.25.1.182
  no ip proxy-arp
  ip wccp 61 redirect in
  standby 83 ip 153.61.83.1
  standby 83 priority 200
  standby 83 preempt
  standby 83 track Serial0/1/0:0.99 100
  interface GigabitEthernet0/1
  description << WHQ LAB CE connection >>
  ip address 153.61.83.65 255.255.255.192
  load-interval 30
  duplex full
  speed 100
  ip access-list standard remote-waas-box
  permit 153.61.83.70
  ip access-list extended REDIRECT-WAAS-SUBNETS-61
  permit ip 153.61.83.0 0.0.0.63 any
  WAE configuration:
  device mode application-accelerator
  primary-interface GigabitEthernet 1/0
  interface GigabitEthernet 1/0
  ip address 153.61.83.70 255.255.255.192
  no autosense
  bandwidth 100
  full-duplex
  exit
  wccp router-list 1 153.61.83.65
  wccp tcp-promiscuous router-list-num 1
  wccp version 2
  wccp slow-start enable

• ACE and TACACS+ auth

  I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices.  I have all the routers and switches working just fine, but am having issue with getting the ACE to use TACACS.  I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine.  I found in some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content below.  I know the AAA is working with this TACACS server as the accounting functions properly.
  ACE AAA
  tacacs-server host 10.1.0.202 key 7 <removed>
  aaa group server tacacs+ TAC_AUTH
    server 10.1.0.202
  aaa authentication login default group TAC_AUTH local
  aaa authentication login console group TAC_AUTH local
  aaa accounting default group TAC_AUTH local
  tac_plus.conf
  # Accounting Logs
  accounting file = /data/tacacs.log
  # Server Key
  key = <removed>
  # ACL
  acl = auth_routers {
                        permit = .*
  # Groups
  group = admin {
      login = file /etc/passwd
      acl = auth_routers
      service = exec {
                       optional shell:Admin = "Admin default-domain"
  # Users
  user = admin1 {
       default service = permit
       member = admin
  user = admin2 {
       default service = permit
       member = admin
  user = admin3 {
       default service = permit
       member = admin

  Anyone?

• Authenticating against RADIUS *AND* TACACS

  G'day...
  Toys:
  Cisco Secure ACS 3.2
  Cisco 1242 Access Points
  I want to authenticate spectralink phones via LEAP (Radius Aironet) and IT staff logging onto the CLI via TACACS+, all off the same ACS Server.
  The only way I have gotten this to work is to setup TWO Network Device Groups, and add the access point in TWICE (with different unique hostnames). One authenticating RADIUS, and the other profile authenticating TACACS.
  Is this the right way to go about it? Why can't I pick two authentication methods under the one AAA Client profile?
  Cheers,
  Andrew.

  Hi,
  The AAA client hostname configured in Cisco Secure ACS is not required to match the hostname configured on a network device, you can assign any name. What is important is the IP Address to allow the device and ACS to communicate via each AAA protocol.
  If your device need to use both TACACS+ and RADIUS to authenticate 2 different users, then your method is right. This is because a device with same name cannot use both AAA methods to authenticate users - different operation. You have to use 2 different names, but running on the same IP on both TACACS+ and RADIUS.
  I am using the same approach to authenticate remote access clients and network admin in my Access Server.
  Rgds,
  AK

• 802.1x and TACACS+

  I use the ACS box mainly for AAA on the switches and routers using tacacs. Now we're looking at the possibility of using 802.1x, my early reading tell me I have to use RADIUS, but I'm using TACACS, can I have ttow different methods of authentication on the same switch/router?
  Any help would be greatly appreciated.
  Thanks.

  Hi ,
  Yes you can have different authentication methods on the same router/switch .
  In case if you need to configure 802.1x you can simply add the 802.1x commands as they will not interfare in the working of your tacacs authentication .
  http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801f0a44.html
  If you want to configure radius for login authentication along with exsisting Tacacs then you need to configure method list .
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a8.html#wp1000906
  Regards,
  Puneet

• WAAS and Checkpoint compatibility.

  Hello
  Is there such a thing? Can I hope to install a WAE behind a Checkpoint firewall? Should I use tunnel mode udp 4050?
  I´ve run into a paper that suggests using "Wire Mode" on Checkpoint.
  Are there alternatives? Did someone out there have to do anything like this?
  Thanks a lot.
  GG

  Thanks for your replies. The following rules were modified and waas worked just fine.
  Sequence Verifier
  http://www.checkpoint.com/defense/advisories/public/2004/cpai-2004-17.html
  Packet Sanity
  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1071
  Thanks again
  Guido

• Configuring RAS and TACACS+. through ACS.

  Hi all,
  I have very basic question about
  configuring RAS with digital modems
  and AAA through TACACS+. I use
  command peer default ip address pool OLA under interface Group-Async0 and interface Dialer10
  for example. And inside router I configure this pool with some range of
  IP addresses...for example
  ip local pool OLA 192.168.10.2 192.168.10.127.
  And I set AAA through TACACS+.
  What should I do next on ACS ? Should I configure this pool of IP addresses on ACS or it is sufficient to do it only on router? Or do this on router is not important ?
  Thanks
  jl

  John
  I have configured RAS for dial-in services where we authenticated the dial-in users via TACACS and ACS. I did not have to do anything on ACS about the dial pool. The only thing that I had to do on ACS was to configure it to authenticate users whose authentication request came from that router. (In other words nothing special on ACS just because they were dial-in.) Just be sure that your aaa on the router provides for authenticating ppp.
  HTH
  Rick

• WAAS and WCCP

  Hello ,
  I have many Qs regarding the WAAS implemntation
  1- which better , using inline card or wccp and why ( is there any problem with inline cards ?)
  2- if we have ASA in the network , is there any os version required for the ASA to support tha WAAS, we have impelmnted the waas with wccp between 2 branches, all traffic optimized but there is 2 applications blocked ( not working at all ) , the 2 applications passing via Firewall is there any known reason for that ?
  3- we have cat4500 and it should support wccp to redirect traffic for WAAS , but redirect list is not supported at all, do you know if that for all 4500 platform or for just specific OS or Sup as nothing clear on Cisco regarding this point ( wccp redirect list ).
  Thanks
  Moamen

  Hey Moamen,
  1. I would not say either is better, but there are different applications. Where you need more then a single WAE for scaling and redundancy, I would recommend WCCP. Where you have fairly simple topology, requirements for only one WAE, and/or non-Cisco gear, I would probably recommend In-line. I've done ton's of both and both work really well for interception.
  2. ASA do have a minimum recommend code version. For interoperability with WAAS, you need Cisco ASA/PIX version 7.2.3 or later. In that version, there is the command "inspect waas" to allow for the sequence number jump in optimized traffic, which is why your ASA is blocking the traffic.
  3. The CAT4500 can support WCCP in hardware. The platform hardware only supports ingress interception, L2-redirect, L2-return, mask-assign configs on the WAE and the minimum IOS version I would recommend running would be 12.2(40)SG or later. As you mentioned, there are limitations with the redirect lists, they are NOT supported in any version of IOS, it's a function of the hardware. If you need to exclude traffic, you might want to consider using application policies when using CAT-4500.
  I hope that helps you out.
  Dan

• WAAS and Netflow, traffic reports are inflated unpredictably

  Not sure if anybody has any luck getting Netflow to report correctly when WAAS is in a picture.  We have about 30 sites deployed with WAAS in out of line configuration and every single one of them incorrectly report Netflow traffic to our NetQoS Reporter Analyzer product.  Typically the traffic throughput seems to be inflated several times higher.  We tried every which way to alter the netflow configuration in the router including Egress Netflow but the traffic is still showing higher than actual traffic coming out of a port.  In one site, even the "show interface" command on the router shows 5-minute rate of 16Mbps on a 6Mbps Mulitlink circuit. 

  Hello Thang Lu,
  We have run into this issue with a few customers and here are a some things to consider:
  - If you have 'Flexible' NetFlow enabled: Beware, Flexible NetFlow does not export the flow direction by default you must configure the direction bit to be set for egress flows.  Traditional NetFlow v9 does this automatically.
  - Are you excluding certain protocols in NetQoS?  If you don't do this, some tunnels and VPN connections will be exported twice!
  These are the protocols we exclude by default in Scrutinizer NetFlow Analyzer:
  I hope these suggestions help you.
  Jake