Cisco AAA/Identity/Nac :: ACS 5.2 - Primary-secondary Radius Server Configuration

Apr 21, 2013

I have a couple of ACS 5.2 configured as active and backup and I am   doing dot 1x authentication using these servers . I have configured the  switch with the bellow configuration.
 
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
 
please help to understand what will happen in switch
 
1) in case of primary failure
2)in case if primary returns alive .

View 8 Replies


ADVERTISEMENT

Cisco AAA/Identity/Nac :: ACS 5. 2 Secondary Server Is Not Collecting Logs From Primary

Nov 2, 2011

Cisco ACS 5.2 secondary  server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Primary / Secondary Same License?

Jan 22, 2012

I have a question about the number of Cisco licenses needed in two cases for ACS 5.3 Virtual Machine.One primary + One secondary : Just one license for all or one license for the primary + another one for the secondary ?One primary + several secondaries : Just one license for all or one license for the primary + just one license for all the secondaries ? 

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Use Two Servers ACS 5.2 In (primary And Secondary) Active?

Jun 16, 2011

it is possible de use two servers ACS 5.2 (primary and secondary) in active/ active? or just in active/ passive?

View 3 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 - Unable To Re-register Secondary To Primary?

Jun 11, 2012

Today I ran a failover test between our primary and secondary ACS systems (ran 'acs stop' on the primary) and in the process decided to promote the secondary while I had the primary down. All was fine until I brought the primary back up and tried to re-register the secondary to it. I get the following error message: I went into System Administration >Operations >Distributed System Management on each and it showed the other device as deregestered, tried to promote from there but it failed too, so I deleted them and tried to register the secondary again. After that didn't work I tried rebooting both but that didn't work either. I know the user/pass I'm using is good and I've tried using both the IP address and the hostname.

ACS/admin# sh app version acs
Cisco ACS VERSION INFORMATION-----------------------------Version : 5.3.0.40.5Internal Build ID : B.839Patches :5-3-0-40-5

View 3 Replies View Related

Cisco AAA/Identity/Nac :: Secondary ACS 5.1 Fails To Deregister After IP Change On Primary

Aug 9, 2011

IP address of Primary had to be changed, to respond to a hardware failure of TACACS server with IP in many device configs.
 
Now the Secondary fails to respond to repeated "Deregister from Primary" requests, even after reload  - apparently because it cannot reach the Primary at its old IP address. 
 
Requesting Deregister in GUI generates pop-up that says,  "This operation will deregister this ACS Instance from the Primary Instance. Management applications on this ACS instance will be restarted and you will be required to login again.  After performing this operation

[code]....

View 1 Replies View Related

Cisco :: Failover Configuration - Allow Primary Link To Fail And Secondary Link To Automatically Pick Up Traffic?

Dec 27, 2012

We have a customer who has a network consisting of two ISPs, one as a primary and the other as a backup. We are trying to create a configuration that would allow the primary link to fail and the secondary link to automatically pick up traffic and begin routing .how to set something like this up. Both routers are non Cisco routers and there for HSRP is out.

View 14 Replies View Related

AAA/Identity/Nac :: 1121 - Add Secondary ACS Server 5.4?

May 29, 2013

My customer has an ACS 1121 version 5.4. Now we want to install a secondary ACS 1121.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 How To Enable Log On Secondary Server

Feb 28, 2013

We are using ACS 5.3 with two servers in a distributed solution.All logs are collected on primary server so when this server fails all logs are lost.How can I enable log on secondary server also?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.3 Secondary Server Connection With RSA AM 6.1?

Oct 23, 2012

We have 4 ACS 5.3 Servers connected as Primary and Secondary Servers.We use a "RSA SecurID Token Servers" External userdatabase for authentications and are able to sucessfully authenticate (vpn-)users when the requests are send from the primary ACS Server.As soon as a secondary ACS server sends the request to the RSA server the request fails. "Node verification failes"
 
On the RSA Authentication Manager 6.1 Server, we have created a Agent-host wich contains the 3 secondary nodes (FQDN and IP's). The "sdconf.rec" file has been installed on theprimary ACS Server and are automatically (so it looks like) replicated to all ACS Servers.Still none of the secondary server are able to authenticate the users agains the RSA server.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.x RADIUS VSA Configuration?

Dec 3, 2011

I need to configure RADIUS VSA configuration for a my alvarion device. Following are the attributes that need to be configured.
 
- Packet Data Flow ID (ID 1, integer16)
- Direction (ID 4, integer8)
- Transport Type (ID 6, integer8)
- UplinkQoSID (ID 7, integer8)
- DownlinkQoSID (ID 8, integer8)

[code]....

I was able to configure the first 6 attributes, how can I add the Sub - TLV's ClassifiedID, Priority, VLAN-ID and Classifier Direction which come under Classifier. Don't see any option for that in ACS 5.x

View 1 Replies View Related

Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that if I set two tacacs server in my N7K and the primary tacacs server fail, won't switch over to another tacacs server.

View 1 Replies View Related

Figure Out Primary And Secondary DNS?

Jun 22, 2011

How can you figure out your primary and secondary DNS? I have a linksys router, and i'm trying to figure out what my primary and secondary DNS are so i can hook up my PS3 online.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5508-WLC Using MS NPS As RADIUS Server For EAP-TLS

May 18, 2011

getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
 
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 / ISE As Standalone RADIUS Server

Apr 7, 2013

Is there any way to set up our ISE to provide Radius instead of acting as Radius Proxy? In our Company we use ACS 4.2 to provide AAA via Tacacs+ and this works proper with all our Cisco-Switches. Now we are testing the ISE 1.1.1 as NAC-Solution.
 
I know how to set up the ISE as 'Radius Proxy', configuring the Sequences and Policies, but till now we are using only Tacacs+ for AAA. The current version of ISE does not support Tacacs+ and I don't want to set up a Radius-enviroment in ACS if not necessary. Somewhere ( I think the specs) I read, the ISE is a merge of ACS and NAC. So in my Opinion there should be a way to provide AAA via Radius on the ISE without ACS and without 'Radius Proxy'.

View 2 Replies View Related

Cisco :: EAP-TLS With Radius Server Configuration (1130AG)

Jan 24, 2013

I am currently trying to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me coming up trumps with success so far.
 
My steps for radius:- (i think this part ive actually got ok) [URL]
 
Steps for the wireless profile on a win 7 client:- this has me confused all over the place [URL]
 
My 1130 Config:-
 
[code]
Current configuration : 3805 bytes
!
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd

[Code].....

View 14 Replies View Related

Make Secondary Router As Primary?

Apr 25, 2011

I have been having problems when trying to host servers on games, etc.I have 2 routers. A modem router, which is a Thomson router. That is the main one. It has a wire connecting from it, to a D-Link router that is near my Computer, and my brother's one. Then that D-Link router has 2 wires from each port, to mine, and my brother's computer.So, I am trying to host games.I didn't connect to the Thomson one, which is also wireless. I am connected to the wired one (D-Link). When I try to host while connected to it, my brother, and other people can't find the server. My brother and me can find it on LAN, but not Internet.But when I disconnect from the Wired, and connect to the Thomson wireless one, and then when I host, I can find it on INTERNET. Even my brother can. He can connect to it perfectly.

I do not want to connect to the wireless, because then it will cause lag spikes every 5 minutes.So, when I disconnect from the wireless, and connect to the wire, I went into the CMD, and typed in ipconfig. I found out that the Default Gteway is the D-Link IP.When I connect to the wireless, and disconnect the wired, I went into CMD, and then the Default Gateway is the Thomson one, which is the main router.So what I want to do, is use the D-Link router, and that router will have the same IP as my thomson one, so that I can host perfectly with no lag spikes, and using a wired connection.

View 19 Replies View Related

AAA/Identity/Nac :: Possible To Send VSA From Radius Server To ASA-5505

Oct 26, 2009

Wondering if it's possible to send a VSA from my radius server to my ASA-5505 that will instruct the ASA to use one of several split tunnel lists I have created, based on the user name supplied in the Radius request.For example, I can send a VSA of "ip:inacl#1=permit ..." and the ASA will dynamically create an access-list for that user.Is there a similar VSA for split tunnel?

View 8 Replies View Related

AAA/Identity/Nac :: Turn Cisco 877 Router Into RADIUS Server?

Apr 22, 2011

I was just wondering if it was possible to turn a cisco 887 Router into a RADIUS Server. What i wanted to do was setup my wireless AP to authenticate using RADIUS, but didn't want to setup another server for the purpose.

View 1 Replies View Related

Cisco VPN :: 888 Configure VRF With COOP Having Primary And Secondary Key Servers

Jun 19, 2012

We are trying to configure vrf aware GET VPN with COOP having primary and secondary key servers and also 3 GM routers. All GM routers we use are Cisco 888 and Key servers we use cisco 2911 routers. All GMs crypto maps have been applied into Vlan interface as there's no L3 interface on 888 routers.
 
Always members can form a tunnel with primary KS, we have configured redundancy with secondary key server and listed on each GM primary and secondary KS on GDOI group.
 
The issue we facing is that whenever we shutdown the primary or secondary servers the tunnel is not forming with available KS unless otherwise we mannually clear the crypto session. In another way when primary KS down it doest not fall back to secondary KS and no GM get registered. We have already played with all the timers such as DPD, SA lifetimes, GDOI rekey lifetime etc and also exchanging the keys (import/export) with KS and COOPs but there's no luck. We could see the following message was seen on both KS.
 
[code] 192.168.1.3 is the primary KS and 192.168.1.6 is the secondary KS.I captured attached debug output from 1 GM and secondary KS while I shutdonw the primary KS and also attached is our senario we were trying get work.
 
Also attached is the show output from both KSs when it form a tunnel with GM.

View 2 Replies View Related

Cisco AAA/Identity/Nac :: CiscoSecure ACS V4.2 RADIUS Logs Upload To FTP Server

Apr 24, 2013

I am using CiscoSecure ACS v4.2 appliance, in there any way that RADIUS logs upload to FTP server because it has limitation to store RADIUS logs.

View 15 Replies View Related

Cisco AAA/Identity/Nac :: Configure ACS 5.4 As Radius Server For Network Access

May 1, 2013

I'm trying to configure ACS 5.4 as radius server for network access (PPP connections).In monitoring and reports the users have green color , but the clients cannot send data. Auth method is CHAP/MD5.
 
Allowed protocols are set to CHAP and PAP only.

View 5 Replies View Related

Cisco AAA/Identity/Nac :: MDS 9216i Switch - Nexus 4.27d And RSA Radius Server

Apr 13, 2011

I can authenticate between our MDS 9216i switch and RSA radius server but my role does not come across. The logged in user is a network-operator not admin. In the AV Pair i have defined shell:role*network-admin but it doesnt seem to come across

View 4 Replies View Related

Cisco AAA/Identity/Nac :: Install Radius Server For 2801 Router

Mar 12, 2013

I am trying to install Radius server for a cisco 2801 router. I am not able to configure it properly.

View 2 Replies View Related

Single SSID For Primary And Secondary DD-WRT Wireless Router

Feb 22, 2013

I have more than 5000 sq. ft home and have some dead places other end of the house. Now I am looking for Range Extender/Repeater to boost signal. My primary wireless router is Motorola Surfboard SBG6580 and Secondary Linksys E3000 (planning to update firmware to DD-WRT). So I wanted something such that I can roam between the two routers without switching SSID (use single SSID name for primary and secondary DD-WRT routers) and connect automatically to whichever the best signal (or) strength router. In work place we have same thing like that single wireless SSID name which automatically connect wireless SSID from one end to another end of the building.

View 1 Replies View Related

Cisco Firewall :: 5505s - Secondary ASA Active And Primary Is On Standby

Dec 5, 2011

We have 2 ASA 5505s in a data center at a remote site.
 
Whilst troubleshooting another issue I noticed the below. I don't know much about fail over but this would suggest that the secondary ASA is active and the primary ASA is on standby.
 
if the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role".

[Code] .....

View 7 Replies View Related

Cisco :: Setting Up Primary And Secondary 5508 Using Redundancy Port

May 15, 2013

Management purchased a HA package from Cisco consisting of 2 5508's with pre installed 500 users license on the Primary WLC and none on the secondary WLC. We have 5508's already so I am familiar with setting them up and so forth. What I am not familiar with is setting them up using HA for failover and license sharing. I've looked and looked and can't find documentation online showing how to set this up. I have found some but nothing that is complete. I have spent 2 days spinning my wheels.

View 2 Replies View Related

Cisco VPN :: 5520 - Primary And Secondary ASAs / L2L Tunnels Not Responding?

Apr 12, 2011

I have a pair of ASA5520s in active/active failover - this works fine.  Both primary and secondary ASAs are running 8.2(2) code.I  have a 30-day temp 50 seat SSL license that I applied to the primary.  I then started having problems with L2L tunnels.
 
I noted that if the 'show crypto isakmp sa' state for an L2L was MM_STANDBY, then the remote protected net could not reach my side.  However, I could ping across to the other side at which time the state changed to MM_ACTIVE as I would expect and the remote could then reach my side.
 
I believe this results from the differences between the two licenses.  When I applied the 50 seat SSL lic. it disabled failover, but I was willing to risk that for a few days to do show my customer the benifits of SSL connectivity.  Note license differences.  Is this causing the MM_STANDBY IKE issue and if so can I overcome it and use the 50 SSL VPN Peers lic.

[code]...

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5510 / Failed To Privilege Mode When Authenticated By Radius Server

Aug 26, 2007

I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.

View 3 Replies View Related

Cisco AAA/Identity/Nac :: 5510 Assigning A User Group Using RSA Secure ID RADIUS Server

Feb 3, 2007

We have several ASA 5510 firewalls which are being used as VPN gateways.RSA SecurID is the authentication mechanism using native SDI connectivity. No ACS server is being used.Is it possible to assign user Group and other attributes (such as ACL), using the SecurID RADIUS server? I know this is what the Cisco ACS is for, but is it possible using the RSA RADIUS server itself?

View 11 Replies View Related

Cisco Switching/Routing :: C6509 - Broadcast Not Working Between Primary And Secondary IP Address

May 11, 2012

I have recently configured secondary ip address on LAN Interface of Cisco C6509.. We have some application which needs to use broadcast traffic communication to communicate with client... Broadcast is working within subnet    & also working from broadcast server to primary subnet. But not working from secondary subnet.. I have checked broadcast within secondary IP range & it's working fine...  Secondary not working broadcast with primary and also with broadcast server... broadcast address is different for these subnet but both should be communicate since configured on same interface... When I went through Cisco website found that command "ip directed broadcast" which will pass broadcast to different subnet... But I'm not sure whether any other impact if I enable that command on particular Ethernet interface...

View 6 Replies View Related

Cisco Firewall :: ASA 5505 - Dual ISP SLA Track With Primary PPOE Secondary DHCP

Aug 25, 2011

Cisco ASA 5505 Security Plus 1 link with PPOE dialup for internet access
 
desirable situation: Primary link with a PPOE dialup Secondary Link with DHCP address Asignment
 
Problem: i want to configure Dual ISP Failover modus, but the problem exist when i configure  the ip sla syntax it looks good in the running config. but after a reload the secondary line becomes primary
 
It looks like the ppoe client authentication is busy when the ip sla tracking mechanism becomes active. can i tweak the settings that the ip sla tracking mechanism starts later?
 
What i the correct config for Dual ISP setup with primary PPOE and secondary DHCP

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 3550 Switch - Radius Server Source Ports 1645 - 1646?

Apr 20, 2005

I am configuring TACACS Authentication on Cisco 3550 switch .It has Version 12.2(25)SEA IOS image. A strange thing is happening, whenver I am enabling AAA new-model on this switch, and then after enabling I see ruuning-config . It shows me this
 
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
no tacacs-server directed-request
tacacs-server key 7 xxxxxx
radius-server source-ports 1645-1646
 
* included here to hide the specific information I dint specified any RADIUS server , why it is showing me radius-server source-ports 1645-1646 after enabling AAA New-Model As soon as i give "no aaa new-model", this parameter also vanishes. I think this is the only reason I am not able to do tacacs authentication.

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved