WLC to RADIUS Source address ?

Hi,
What is the source interface/address the controller uses to communicate with the RADIUS server? Can I change it?
I am waiting for your kind support.

Hi,
As far as I know it is the MGMT interface or a dynamic interface (only if the RADIUS server is in the same VLAN). I think there is no option to change this behavior.
Cheers
Greg

Similar Messages

  • Radius source-interface not working ?

    I'm running IOS 150-2.SE2 on 3750-X switches.
    In my config, I have the command:
    ip radius source-interface Loopback1
    but all radius requests still have the source IP address of the "nearest" interface, not the loopback interface.
    Interface Loopback1 is up and is pingable from the radius server.
    Any suggestions ?
    Thanks,
    GTG

    The only command I can see for controlling radius source address/interface is that global ip radius source-interface command.
    My full AAA configuration is:
    aaa new-model
    aaa authentication login default group radius local
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default group radius
    aaa accounting exec default start-stop group radius
    aaa accounting system default start-stop group radius
    ip radius source-interface Loopback1
    radius server radius1
    address ipv4 192.168.1.1 auth-port 1812 acct-port 1813
    key 7
    GTG

  • Router Source address for ACS Server

    Does anyone know how to configure a router (MSFC in this case) so the same IP address is sent to the ACS server for authenticating? The source address may not always be the same depending on the path taken. If the source address isn't an IP address configured for one of my devices, the ACS server rejects the attempt and the router defaults to local login. I tried setting a loopback address and always telnetting to the loopback address; however, the source address from the MSFC is not the loopback. I have 38 VLANs, and I suppose I could configure those IP addresses under a device; however, if I add a VLAN then I must remember to add that VLAN to ACS. I'm sure there is a simpler way to address this, I just can't seem to find the configs needed on the MSFC to make it work.
    Any help will be greatly appreciated.
    Thanks

    Hi,
    Sounds like you need:
    ip tacacs source-interface interface-name
    (or ip radius source-interface interface-name)
    It's recommended to use a loopback interface, so this would give you (assuming loopback0):
    ip tacacs source-interface loopback0
    HTH - plz rate if it does
    Andrew.
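The check this thread turns on, as an added example (not code from any poster or from Cisco): the AAA server only accepts requests from source addresses it has registered, so this Python code parses a device config, works out which source addresses TACACS+/RADIUS requests can carry, and lists the ones missing from the server's client list. The sample config, its addresses and the function names are constructed for illustration; abbreviated interface names and secondary addresses are not handled.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): a loopback plus two SVIs,
# with the loopback pinned as the TACACS+ source.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
ip tacacs source-interface Loopback0
"""


def interface_addresses(config):
    """Map lower-cased interface name -> primary IPv4 address."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1).lower()
            continue
        m = re.match(r"\s+ip address\s+(\d\S*)\s+(\d\S*)\s*$", line)
        if m and current:
            addrs[current] = ipaddress.ip_address(m.group(1))
        elif not line.startswith(" "):
            current = None  # left the interface block
    return addrs


def pinned_interface(config, protocol):
    """Interface named by 'ip <protocol> source-interface', or None."""
    m = re.search(rf"^ip {protocol} source-interface\s+(\S+)", config, re.M)
    return m.group(1).lower() if m else None


def audit(config, protocol, registered_clients):
    """Return (pinned source address or None, possible sources the server lacks)."""
    addrs = interface_addresses(config)
    registered = {ipaddress.ip_address(a) for a in registered_clients}
    pin = pinned_interface(config, protocol)
    if pin in addrs:
        possible = {addrs[pin]}         # every request carries this one address
    else:
        possible = set(addrs.values())  # unpinned: the exit interface decides
    missing = [str(a) for a in sorted(possible - registered)]
    return (str(addrs[pin]) if pin in addrs else None, missing)


if __name__ == "__main__":
    # Pinned to the loopback and the server knows it: nothing missing.
    print(audit(SAMPLE_CONFIG, "tacacs", ["10.255.0.1"]))
    # Same device without the pin: every other interface address can show up.
    unpinned = SAMPLE_CONFIG.replace("ip tacacs source-interface Loopback0\n", "")
    print(audit(unpinned, "tacacs", ["10.10.10.1"]))
```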

  • ISE Deployment - Limit on Radius Sources?

    Greetings, 
    I am planning a change to our ISE deployment, and I am curious if there is a limitation to the number of Radius sources that can be added to the running config on the switches and APs.
    The majority of the switches are 2960 series and the APs are 2602 models.   
    Currently, we have two Radius Sources configured as follows:
    aaa group server radius rad_eap
     server X.X.X.X auth-port 1645 acct-port 1646
     server X.X.X.X auth-port 1645 acct-port 1646
    I need to know if I am able to add a third entry to that list, or if there is a hard limitation I am unaware of.
    Thank You.

    ISE questions will probably get more traction in the Security forum.
    That said, the answer is "it depends". It all depends on your design. Is your third server a Policy Services Node or an Inline Posture Node (IPEP)? Either way, one of those would generally be positioned so as to provide profiling, posture and enforcement services working in conjunction with the Admin server(s). If a server is not part of the overall architecture, it will not.
    All new ISE designs should be based on the Cisco-approved High Level Design (HLD) template. If you follow that and develop your Low Level design based on it, many of the typical questions should be answered.
    Hope this helps.

  • Match source-address and url

    I have an existing policy-map with vip and port 80. Now I need to do:
    1. Match pool of ip address and url /abc then redirect to url /abc1
    2. If url is ok but ip is out of the pool then redirect to url /abc2
    It's probably possible to achieve but I have a problem with mixing class maps (L4 and L7). Please advise how to do it.
    Thank you.

    Hi Kamil,
    Something like below. Please try and let me know if it helps.
    rserver redirect red
      webhost-redirection www.abc1.com
      inservice
    rserver redirect red1
      webhost-redirection www.abc2.com
      inservice
    serverfarm redirect red
      rserver red
        inservice
    serverfarm redirect red1
      rserver red1
        inservice
    class-map type http loadbalance match-all url
      2 match http url abc
      4 match source-address 2.2.2.2 255.255.255.0
    class-map type http loadbalance match-all url1
      2 match http url abc
    policy-map type loadbalance first-match url
      class url
        serverfarm red
      class url1
        serverfarm red1
      class class-default
        serverfarm xxxx
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful

  • NI XNET in LabView: Transmitting source address along with signal

    Hi all!
    Does anyone know a way to transmit a user-determined source address along with a specific signal (J1939)?  I'm outputting a signal from CVI with nxWriteSignalSinglePoint and reading it with CANalyzer, which says that the source address is NULL (254).  Is there a way to set this or would I have to transmit the whole frame (maybe doing the raw bits format)?  Thanks in advance!

    Hey BLowery,
    Given that this is a more XNET-oriented question, I would recommend asking this type of question on the Embedded Networks forum page rather than the CVI Forum, since that's where users dealing with CAN and J1939 reside.
    Embedded Networks Forum:
    http://forums.ni.com/t5/Automotive-and-Embedded-Networks/bd-p/30
    However, if you are wanting to be able to specify the source address manually in the 29-bit extended arbitration ID, as J1939 requires, it wouldn't be too hard, but you can't do it with Signal session. A Signal session uses the CAN database file to determine the ID and parameters of the frame to be sent automatically, and you simply provide the signal data. To be able to edit the ID yourself, a Frame Stream session that doesn't rely on a database would be required, since it would allow you to provide the ID manually.
    I recommend taking a look at this white paper, which shows how to use XNET with the J1939 standard. In the sample code that they provide, there is an example using a Frame Out Stream session which edits the ID manually based on the user's input.
    http://www.ni.com/example/31215/en/
    Regards,
    Ryan

  • AAA Source addressing

    Is there a way to set the source address for TACACS?
    I have about 170 remote sites that I want to use my ACS server (Ver. 3.3) for Authentication/Authorization. I am using 1918 addressing at the remote locations, and at the corporate office. The ACS server is inside the Corporate network, and I am telnetting to the 10.address inside interface of the router at the remote site. It looks for the tacacs server, but does not find it, and fails back to use the local password.
    I can ping the IP address of the tacacs server doing a ping with the source IP of the Inside ethernet, and the IP address of the loopback, on the remote router.

    OK, 16 pages down in the forum, I finally found my answer.
    Use the command:
    ip tacacs source-interface

  • Routing RTSP though Ace but keeping source address information

    Hello
    I am trying to set up load balancing for a Wowza streaming media server.  The problem I have is that some of the media that will be on the server is not allowed to be watched from other countries.  The server has a modification that can sort this based on the IP address; our ACE is in Routed Mode, so the source address is replaced with an internal one, which means that they will be allowed to watch whatever they like.
    I have tried to look into injecting the original source address into RTSP but as far as I can see you can't.
    Can anyone help with making the connections from other countries readable through the ACE?

    Ricardo,
    What is this route ??
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something ?
    Also, since the vip is part of a vlan with subnet 10.0.0.0/24 you don't need to add a static route to reach that vip.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module ?
    Does it loadbalance to the server ?
    'show service-policy detail' check the packet counters
    Gilles.

  • Change the source address in socket

    Hi all,
    I need some help here. I need to write a program to forward the UDP message received to another machine.
    The requirement from my boss is that the source IP field must remain the same as when I receive it. However, when I forward the message, the socket will automatically change the source to my machine's address.
    How can I do this? any idea?
    Actually, I am not even sure this can work. A fake source ip address at the IP layer. will this work?
    Please advise. Thanks
    Alan

    Have you resolved your problem with change the source address in socket yet ???

  • Imanager source address type Network

    I am trying to add a range of ip address as a filter exception through
    iManager's NBM filter management snap-in. If I add an individual host or
    use "any address" it works fine, however, if I select "Network" as the
    Source Address type (or destination address type), when I click next
    nothing happens (I.E. responds as if next was not clicked).
    I have tried various combinations for the address and subnet, but none
    seem to work. What I THINK belongs there is:
    Network
    10.117.12.0
    255.255.255.0
    Is this a known bug, or am I just missing something obvious? Is there a
    workaround?
    Thanks for any help you can provide.
    BM 3.8sp4 on NW 6.5 sp5 (plus post patches).
    Daryl

    In article <V9WNg.2780$[email protected]>, Caterina
    Luppi wrote:
    > i've the VAGUE recollection of this being reported as a bug.
    >
    I have exactly the same vague recollection, and offer the same excuse
    for not using iManager for filtering!
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • How is NTP reply routed when requesting router uses loopback as source address

    The Cisco NTP Best Practices White Paper and DISA STIGs recommend setting the NTP source address to a loopback interface (e.g. "ntp source loopback0").
    But this only seems to work if the requesting (NTP client) router is the default gateway for the NTP server. 
    Specifically, the NTP server will attempt to reply to the requesting router's loopback-based source address (taken from the NTP request packet).  Since that address will always be non-local from the perspective of the NTP server, the NTP server will encapsulate the reply in a Layer 2 frame addressed to its default gateway.  If the gateway was the source of the original NTP request, that should work.  But in most other situations that gateway won't know how to reach a loopback-based address, and will discard the reply.
    I have verified this in tests with routers running both 12.4 and 15.1 releases (and NTP debugging enabled).  When the NTP source is a loopback address, NTP replies never reach the requesting router.  With the default NTP source address (i.e. based on the exit interface) everything works fine.
    Obviously, you could employ workarounds, such as static routes or injecting loopback addresses into your routing protocols.  But that seems uglier than leaving NTP source addresses at their defaults.
    Why is this "best practice" so commonly advocated without mention of some significant caveats regarding routing?  Am I missing something? 
    Thanks,
      Mark

    Michel:
    Thanks for the response.  Actually, I understand what kind of routing workarounds could allow NTP to function in spite of this "best practice."  But I am mystified as to why a Cisco "NTP best practice" paper (http://www.cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a0080117070.shtml) and various security policies would call for setting a loopback address as the NTP source when that practice will often cause more problems than it solves.
    The stability of a loopback address is nice when that address is used to uniquely identify the platform for a routing protocol or syslog.  A loopback-based source address can also simplify ACL management, since that address won't change if an interface or link failure forces the router to send traffic from a different interface.  But I keep seeing security configuration guides/policies that call for also using a loopback address as the source for two-way protocols, such as FTP and NTP. That just doesn't make sense to me when you balance the routing implications against the limited security benefits (stable device identification, simplified ACL maintenance, and obfuscation of device addresses).
    I was hoping to learn that some obscure command might allow me to control which NTP exchanges use the loopback-based source address.  For example, the loopback source address would work fine on outgoing NTP broadcasts (and probably in replies from NTP servers).  But I would prefer that NTP client requests use a source address based on the exit interface. That way replies can be routed back to the client without cluttering up routing tables with routes to loopback addresses.
    So far, it looks like I'll need to chalk this up to poor coordination between the network security and network administration communities.
    Thanks again,
      Mark
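Mark's routing argument, worked through as an added example (not code from the post or from Cisco): the NTP server hands its reply to its default gateway, and the reply only gets back if that gateway's longest-prefix match for the request's source address leads to the client. The topology, addresses and function names below are constructed for illustration.

```python
import ipaddress

# Constructed topology (not from the post): client router R1 reaches the NTP
# server through R2, which is the NTP server's default gateway.
CLIENT_EXIT_IP = "192.168.12.1"     # R1 interface facing R2
CLIENT_LOOPBACK = "10.255.0.1"      # R1 Loopback0, used with "ntp source loopback0"
R2_ROUTES = [
    ("192.168.12.0/24", "connected"),   # link to R1
    ("192.168.50.0/24", "connected"),   # NTP server LAN
]


def longest_match(routes, dst):
    """Return (network, next_hop) of the most specific route covering dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_outcome(routes, ntp_source_ip, client_exit_ip=CLIENT_EXIT_IP):
    """What the server's gateway does with a reply addressed to ntp_source_ip."""
    match = longest_match(routes, ntp_source_ip)
    if match is None:
        return "dropped: no route"
    _, next_hop = match
    if next_hop == "connected":
        # On a connected link the reply arrives only if the destination is
        # the address the client actually owns on that link.
        if ntp_source_ip == client_exit_ip:
            return "delivered"
        return "dropped: host not on link"
    if next_hop == client_exit_ip:
        return "delivered"
    return f"misrouted via {next_hop}"


if __name__ == "__main__":
    # Default behaviour: request sourced from the exit interface.
    print(reply_outcome(R2_ROUTES, CLIENT_EXIT_IP))
    # Loopback source, gateway has no route to it.
    print(reply_outcome(R2_ROUTES, CLIENT_LOOPBACK))
    # Workaround from the post: a static route to the loopback on the gateway.
    static = R2_ROUTES + [("10.255.0.1/32", CLIENT_EXIT_IP)]
    print(reply_outcome(static, CLIENT_LOOPBACK))
    # A default route alone does not help: the reply leaves in the wrong direction.
    default = R2_ROUTES + [("0.0.0.0/0", "192.168.50.254")]
    print(reply_outcome(default, CLIENT_LOOPBACK))
```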

  • Source address as 0.0.0.0

    We are getting Critical incidents in MARS with source address as 0.0.0.0. What does this mean and what action can be taken?

    Source address= 0.0.0.0 means that there's no Source IP information. Since there are lots of different
    event types with source address= 0.0.0.0 , then you need to post what the exact event is
    to help you out.

  • Sources addresses need be changed.

    I have a case which is shown in the attachments. That is, on the PIX outside interface the source addresses are changed as illustrated. How can I configure the PIX?
    The changed source addresses aren't in the same network as the PIX outside interface's.

    Hi
    I feel you want to change the source IP of the packets coming from the outside world, especially from the 3 networks mentioned in your figure.
    I feel you can make use of the ip nat source outside source list command to modify the same.
    But do remember you can configure this on your router also. Refer to this link for more info on the same:
    http://cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
    regds

  • WRVS4400N - eth0: received packet with own address as source address

    I am using a WRVS4400N as my primary router for a small office.  I get the following message repeated over and over in my logs.  This seems to happen for 2 or 3 days and then it will go away for about a week and then come back.  Does anyone know what is causing this?  The best I can tell I don't have any IP conflicts on the network and most of the time the network has very little traffic other than 2 or 3 computers surfing the web.
    Jan  3 16:48:09  - eth0: received packet with  own address as source address
    Jan  3 16:48:09  - eth0: received packet with  own address as source address
    Jan  3 16:48:15  - eth0: received packet with  own address as source address
    Jan  3 16:48:27  - eth0: received packet with  own address as source address
    Jan  3 16:48:51  - eth0: received packet with  own address as source address

    any news on this issue?
    I am getting more and more messages (20+/day) - hundreds this month.
    Now Coming every 10 minutes - HELP
    eth0: received packet with own address as source address
    Done everything, now waiting for input from Cisco.
    Please, anyone, has Cisco got any answers?

  • Source address for FXS port

    My confusion is about the source address that voice packets assume for an FXS port in a Cisco router.
    I am pasting relevant configuration from 2 routers below.
    For the 1st router I have the session targets in the dial peer config as the loopback addresses but the QoS is working using an access-list where the source address is the serial IP.
    While in the other router I am getting no packet matches for either the loopback ip or the serial ip.
    ROUTER 1
    class-map shell_voip
    match access-group 170
    policy-map shell_voip
    class shell_voip
    priority 64
    class class-default
    fair-queue
    random-detect
    interface Loopback0
    ip address 10.66.12.25 255.255.255.255
    interface Multilink101
    mtu 100
    bandwidth 1544
    ip address 10.66.50.14 255.255.255.252
    no ip mroute-cache
    load-interval 30
    service-policy output shell_voip
    no cdp enable
    ppp multilink
    ppp multilink fragment-delay 20
    ppp multilink interleave
    multilink-group 101
    access-list 170 permit udp host 10.66.50.14 range 16000 35000 any range 16000 35000
    access-list 170 permit tcp any eq 1720 any
    access-list 170 permit tcp any any eq 1720
    voice-port 2/0
    cptone IN
    voice-port 2/1
    input gain -6
    cptone IN
    dial-peer voice 1 pots
    destination-pattern 40
    port 2/0
    dial-peer voice 100 voip
    destination-pattern 10
    session target ipv4:10.129.67.105
    dial-peer voice 2 pots
    destination-pattern 99
    port 2/1
    dial-peer voice 102 voip
    destination-pattern 11
    session target ipv4:10.129.67.105
    ROUTER 2
    no voice hpi capture buffer
    no voice hpi capture destination
    class-map match-all Vsp_voice
    match access-group 160
    policy-map Vsp_voip
    class Vsp_voice
    priority 32
    class class-default
    fair-queue
    random-detect
    interface Loopback0
    ip address 10.65.10.121 255.255.255.248
    interface Multilink60
    ip address 10.65.50.246 255.255.255.252
    service-policy output Vsp_voip
    load-interval 30
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 10
    ppp multilink interleave
    ppp multilink group 60
    access-list 160 permit udp host 10.65.50.246 range 16000 35000 any range 16000 35000
    access-list 160 permit tcp any eq 1720 any
    access-list 160 permit tcp any any eq 1720
    voice-port 2/0
    cptone IN
    voice-port 2/1
    cptone IN
    dial-peer cor custom
    dial-peer voice 9 pots
    destination-pattern 1101
    port 2/0
    dial-peer voice 10 pots
    destination-pattern 1102
    port 2/1
    dial-peer voice 5 voip
    destination-pattern 8901
    session target ipv4:10.196.3.57
    dial-peer voice 6 voip
    destination-pattern 8902
    session target ipv4:10.196.3.57

    You may want to refer to the following link.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080115.html
    Your dial peers are using H.323; your source will be whatever interface is used to exit the router as determined by the routing table.
    You could also use a debug IP packet to have a look at your source and destination if you are unsure.
    For this case you may want to just apply:
    h323-gateway voip bind srcaddr 10.66.12.25 on Router 1 and h323-gateway voip bind srcaddr 10.65.10.121 to Router 2. Remember to put them under the loopback interface.
