configure AAA (Radius server, access list) There are two devices An access point and cisco 881w. It is necessary to set up authentication through a radius server. You can configure detailed how to do this?
View 3 RepliesI have been given a new project at work, to configure a 881W for wireless capebilities. how to get it to work using local database for the users to authenticate against, but our goal is to authenticate against a radius server that we have in place for existing Juniper AP's.
I have looked at some documentation out there and I cant seem to find what Im looking for. What I need to find out is an example of how to setup a radius server so that the wireless user can authenticate against. I have found some docs on google but those go over radius server setups for logons to the router etc.
here is what I got so far
Building configuration...
Current configuration : 2005 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname 881W_AP!logging rate-limit console 9enable secret 5
[Code].....
We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a tacacs+ server, this tacacs+ server works and is givins service to many other MPLS equipments. We have been following the guide:
Configuring AAA Services on
Cisco ASR 9000 Series Routers
but we have had a lot of troubles, in fact we have loose the administration of the box, at this moment the only lines that are in the ASR900 are: [code]
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
I have a Cisco 881W configured for wireless (just a PSK, nothing special). I can get out to the Internet OK and browse to everywhere except my own websites.
It runs on a connection that does not connect directly to my network, but our website is available to the world externally.
Now, from the router a traceroute and ping work fine to our website but from the wireless connection I can get to everywhere else on the web but our website. A traceroute just stars out. I'm using 8.8.8.8 as a DNS server and nslookup resolves the DNS.
I can't set a DNS server or domain server on the ap on the 881W so are there any commands I can use to see what's going on?
Any good link to find how to configure MAB table on acs 5.3? I cannot find one by myself. If it is possible a guide with picture in it.
View 7 Replies View Relatedstep by step ACS 5.1's basic configuration through CLI?
View 2 Replies View RelatedHow to backup the configuration on cisco acs 5.2 and how to restore it , if some thing wrong happened
View 7 Replies View RelatedI need to configure RADIUS VSA configuration for a my alvarion device. Following are the attributes that need to be configured.
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)
[code]....
I was able to configure the first 6 attributes, how can I add the Sub - TLV's ClassifiedID, Priority, VLAN-ID and Classifier Direction which come under Classifier. Don't see any option for that in ACS 5.x
Cisco ACS 5.x appliance?How to back up Config?What is best way, via TFTP? COPY Startup-config tftp:?COPY Running-config tftp:?I currently use Solarwinds CatTolls to back my Cisco Switches, can I use this for Cisco ACS also?
View 3 Replies View RelatedI am trying to do a query, according to chapter 4 in the ACS 5.3 Secure Access Control System 5.3
doing a PUT request have a header of Content-Type: application/xml and my payload is: [code] All I want to do is get a list of users who belong to that group?
I want send ACS logs to a syslog server .I have configured syslog under System Administration --> Configuration -->Remote Log Targets .
Name : Syslog Server
IP : x.x.x.x
Port : 514
Facility Code:Local 6
Maximum length :1024
I have open the respective ports also in firewall .But Syslog server is not getting any logs from ACS .I have another log target ,which is ACS secondary server to collect the log from primary and secondary with below config.whch is working fine
Name :Logcollector
IP : x.x.x.x
Port : 20514
Facility Code:Local 6
Maximum length :1024
I'm having trouble getting Tacacs+ to work correctly with ACS5.1 and a simple catalyst 3750 switch.I can authenticate with AAA, however i cannot get a single command to work once i'm in; "Command authorization failed" even on "enable".
Any useful resource that will walk me through the process?
ACS 5.2 , and I can't find document about how to configure remote access vpn authentication in ACS 5.2.
View 6 Replies View RelatedI am writting in response to MAB issue which I noticed a few days ago and I am still not able to undestand what exactly happend. First of all I would like to say that I configured MAB authentication and according to the MAC the ISE configure a VLAN. All worked well: the test computer can change VLAN based on its MAC. The problem appear when I cut the connection to ISE server. Accourding to configuration the switch authorize the new device to VLAN 11 (critical VLAN) That is fine ! When the ISE server is up again I had a configuration which should reauthorize all ports assign in critical VLAN. But why that is not happend ??? It looks as the switch didn't notice that the RADIUS (ISE) was up and working again. [code]
View 1 Replies View RelatedI encountered some strange issues with one of our appliances in the field. Reinstalled and encountered the strange issues. No errors.. did some memory test and the seagate harddisk test and encountered SMART errors. The device didn't log those errors anywhere.. First reason to check the second harddisk. The appliance is shipped with two so the first thing I was thinking of was RAID. I saw that raid wasn't configured. Try to boot the second harddisk and saw that nothing was on that disk.. so what is the mean reason you got two of those? Got the new machine and try some options to configure RAID.You got two options.. didn't see this before, most of the time you got only one option. Raid driver on or no RAID configuration at all. First tried the intel storage matrix, configured both of the disks for mirror and install the ACS 5.2. The machine boots after installs and rejects the DVD. Result: The installation doesn't boot! Checked the partition with gparted but the partition is active (or flagged as boot) Second option was LSI, got the raid configured for mirror and the installation was also completed. Result: working installation. Tried to test if the installation is still working after removing one of the disks. Appliance is complaining the the RAID is missing one disk (so this works). After that the machine tries to boot, result: no working ACS.
View 1 Replies View RelatedACS and i would like to know how to enable the "Configuration Audit" for someone login to my network devices using their ACS login and i can monitor what they did on it.
ACS Version : 5.2.0.26
I would like to configure limited internet access to olnly a select group of Windows AD users.
I beleive cut-through proxy will allow me to do this, just not sure how to configure it on a Cisco ASA-5510
Are there any recommendations for configuring the VM for the ACS 5.x? What are the required minimum CPU-Cycles to dedicate and also the minimum RAM to dedicate?
View 1 Replies View RelatedWe are a Small company with 400-Users and currently we are using ACS 4.2 at our company.we want to upgrade and use Cisco ISE Appliance instead.
I want to know is there any major changes in configuration between ACS 4.2 and the ISE Latest Verizon.?
Is there any Hardware (Switch or Cisco AP ) compatibility issues with using Cisco ISE. (we are currently using Cisco Cat 3550 and Cisco Aironet 2600 APs with the existing ACS4.2) What ISE Series & what Soft version are the latest so i can order ?
Cisco ISE 1.1.3 is running in standalone mode, when I made any configuration it show me the notification that "Configuration changes has been recorded but remain pending" .
View 1 Replies View RelatedWe have a configuration that work fine but one of the combinations it don´t work. When we connect a guest laptop, the first time work fine. The configuration is when the laptop don´t authenticates with radius, the dhcp server assigned vlan guest and ip guest. The first time was ok. After, We connect a laptop with users authenticates work ok, the radius asigned vlan of users and dhcp server assigned ip users. The problem was when we connect for two time a guest laptop, radius didn´t validate and laptop didn´t negociate ip with dhcp server. In this time, the administrator of dhcp server, tell us that they didn´t see nothing traffic of my mac. and anymore run fine. If Whe change the port of switch , the laptup start working again.
Radius=NPS
Server dhcp: is typical.
Our scenario is with a ip cisco phone. the ip phone don´t have the authentication. The administrator of radius tell us that the configuratation is fine and the configuration of dhcp is fine. When we connect only laptop, everything run ok.
Configuration Port.
interface GigabitEthernet1/0/3
switchport access vlan 202
switchport mode access
[Code]...
I am having the Cisco NAC enviroment (Software Version is 4.9.1) and OOB VG.
We are getting the below and attached Error while deploying on some machines.
"Invalid switch configuration-OOB Error:OOB client "mac/ip" not found."
Some users on same switches are working fine but some are not....
What would be the possibilities and any work around? other than keeping the port shudown for long time means that atleast 10 - 20 secs or more or a PC restart. Customer is not feeling comfortable with the current situation.
i have installed system (Windows Server 2003) and i have configure Active directory for testing and configure one user under it ( TEST01)now on the same machine i have installed Cisco ACS 4.2.i'm trying to Authenticate (TEST01) using ACS but it's not working, i can't even see the logs under EVENTVIWER. simple and easy to configure since both AD and ACS is on the same machine.
View 4 Replies View RelatedI am using ACS5.2 I want user to access the device with all necessary command like show run/ver/int/log… I try to set user privilege using Shell from 1 to 10 but show run doesn't work.
View 15 Replies View RelatedWe have a pair of ACS 4.1 servers (Windows Server 2003 R2). Let's call them ACS1 and ACS2. We don't want either one of them to proxy to any AAA server, including each other. We're using mostly TACACS authentication.
While troubleshooting a general problem, I'm guessing that one of us did this on ACS1:
pressed the Network Configuration button,saw the Proxy Distribution Tableclicked (Default)moved ACS1 from the AAA Servers column to the Forward To column.
So, essentially, we're telling ACS1 to proxy all requests to itself, which doesn't seem to make sense. I don't know for sure whether it should work when configured to "self proxy," but in that state, it does not authenticate anyone and gives merely "Internal error" as the reason.
If I change the configuration so that "ACS2" appears in the Forward To column, and I move "ACS1" back to AAA Servers and restart, ACS1 starts responding correctly to TACACS requests. Of course, ACS1 is just proxying all requests to ACS2, so having two servers isn't doing much good.
I cannot simply remove ACS1 from the Forward To column and leave it empty. The interface complains that it can't forward to zero servers. Of course, on ACS2, there are no servers in the Forward To column, since we never touched the Proxy Distribution Table there.
Is there any way to return the Proxy Distribution Table to its default setup, that is, no servers appear in the "Forward To" column?
We're planning to upgrade to version 4.2 very soon, so this question is mostly academic, unless the same problem exists in 4.2.
For full disclosure, I should mention that the problem we were troubleshooting was loss of connectivity to our Windows Domain Controllers from our ACS servers. We had missed adding some exceptions in our firewalls to allow for four new DCs. As far as we can tell from testing, connectivity to the DCs is now fine. The firewall rules group ACS1 and ACS2 together, so connectivity should be the same, and ACS2 authenticates users correctly.
we Bough new mcs server in order to install ACS 4.1,now acs is running on normal PC and its fully configured , so now i want to back up the acs database and the configuration file in order to install it in the new server so how to do that
View 4 Replies View RelatedRecently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password which I thought was strange. The TACACS config is below, comments regarding the TACACS config and the consequences of not having an enable secret or if there is a need for one.
aaa authentication login default group tacacs+ aaa authentication login no_tacacs enable aaa authorization exec default group tacacs+ aaa authorization commands 1 default group tacacs+ aaa authorization commands 15 default group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+
I am implementing mGRE with DMVPN so multicast traffic can be delivered to employee homes over Internet, everything worked fine except that I can not configure PIM or ICMP static groups on C881W's mGRE tunnel interface or BVI interface(RIPv2 works on mGRE interface however), configuring "ip multicast-routing" did not give me any errors, do I need license to be about to configure PIM/IGMP? I am running C880data-universalk9.mz.124-20.T5.bin" with license level advsecurity.
View 3 Replies View RelatedI need to patch our ACS server to 4.2.0.124.17 from 4.2.0.124.6. My question is, do I need to apply the same patch to our remote agents? Cisco's documentation only states that both the ACS and the Remote Agents need to be 4.2.0.
View 1 Replies View RelatedI am wanting to generate a signing request for an ACS 5.3 box to send to a Microsoft CA. Is there anyone out there using a MS CA for eap-tls?
View 1 Replies View RelatedI'wont to upgade my ACS server 5.0.0.21 to 5.1 . I wont to use Active Directory . it's seem that in my curent version AD is not supported !
View 12 Replies View RelatedI am looking for any PDF, recomendation, link for best approach for secondary ACS as resiliency.
View 4 Replies View Related