Have you ever found the problem that if I set two tacacs server in my N7K and the primary tacacs server fail, won't switch over to another tacacs server.
View 1 RepliesMe and my wife just moved into a new apartment and got subscribed to a new broadband provider. They sent us through a cisco router (model no.epc2425) and we created a WPA2-Personel secure network, with encryption type TKIP. I have connected my macbook to it, my iPhone to it, and my wifes samsung netbook (running Windows 7) but I cannot connect my laptop running vista to the internet. I've tried playing around with different network security and could connect to it on WEP but I didn't want to keep it on that and I couldn't connect the net-book. The rest of the security types and encryption types have the same response.The computer connects to the network with an excellent signal, but it is the only computer that cannot connect to the internet through this network. I never had a problem like this with this computer and have tried it on other networks.When I run windows network diagnostics it says 'Cannot communicate with Primary DNS Server (193.150.193.150)'Network diagnostics pinged the remote but did not receive a response.'
When I try to automatically get a new IP setting for network adapter it tries to repair but then says 'there still seems to be a problem with your connection'. Likewise when i click 'reset the network adapter' the repair leads back to cannot communicate with primary DNS server.I have tried a wired connection, router to computer, but as soon as I plug it in I get the message 'Windows has detected and IP address conflict' - and it once again connects to the network but not to the internet.I don't know if this makes any difference, but this is a British computer and I moved to Sweden, obviously using a Swedish ISP..i used to have this problem, you need to set the network adaptor to all automatic, your new cisco router uses uPnP so your IP conflict is probably a result of your unconnected laptop trying to connect to the same IP address as another PC on your network (eg/ 192.168.0.5 would be used by your iPhone, but your laptop has reserved that IP address for itself), to fix this, go to network and sharing center, navigate to adaptor settings on the left pane, right click the wireless card and choose properties>IPv4 properties, set everything to automatic, including all things in other tabs and click advanced and make sure DHCP is enabled on that card.Then reboot and try again.''I had a look at the wireless card (it's Atheros AR5007EG Wireless Network Adapter) and on the IPv4 properties it's already on 'obtain and IP address automatically & obtain DNS server automatically' as well as 'automatic private IP address' in one of the tabs.
I want to configure my ACE so that if a probe fails, it fails over to the backup rserver, BUT it won't failback to the primary rserver until manual intervention is complete. The problem is we don't want an rserver to fail and failover to secondary, then failback to primary, repeat... (flip-flopping). I want to be able to have time to get on the server and find out what may have caused the probes to fail before it fails back.
View 4 Replies View RelatedI see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it? 2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved). 2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.
View 2 Replies View RelatedWe have an ASR 9010 with IOS XR, and we are making the configuration to connect to a tacacs+ server, this tacacs+ server works and is givins service to many other MPLS equipments. We have been following the guide:
Configuring AAA Services on
Cisco ASR 9000 Series Routers
but we have had a lot of troubles, in fact we have loose the administration of the box, at this moment the only lines that are in the ASR900 are: [code]
I've been configured my device 6506-9 with TACACS+ server authentication: [code]
but when I tried to access the device only uses authentication local but not uses TACACs (with username/password defined) it can be an error in configuration? in the other devices of network this works properly, only it's wrong in Cat6506-E
I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
View 1 Replies View RelatedRunning ACS 5.1 appliance, and am seeing slow repsonse on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
View 1 Replies View RelatedI have two Nexus 5520 running 5.0(3)N1(1c).
I have both boxes heading off to ACS for TACACS lo gin authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User lo gins are authenticated by ACS and users have the correct command set applied to them.
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
The NEXUS console reports this error. (amongst many others)
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
A show system reset-reason shows:
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
Reason: Reset triggered due to HA policy of Reset
Service: Tacacs Daemon hap reset
Version: 5.0(3)N1(1c)
Could this be a bug with Nexus/ACS?
I have a couple of ACS 5.2 configured as active and backup and I am doing dot 1x authentication using these servers . I have configured the switch with the bellow configuration.
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646
radius-server host 10.0.10.16 auth-port 1645 acct-port 1646
radius-server key 7 aaaaaaaaaaaaaa
please help to understand what will happen in switch
1) in case of primary failure
2)in case if primary returns alive .
Cisco ACS 5.2 secondary server is configured as a log collector for both primary and secondary server .Now i am facing problem in log collection from primary server .ACS secondary server is not collecting any logs from primary .
View 2 Replies View RelatedWeb auth redirect URL gets dropped if stateful firewall is between webauth host and switch management interface. Aaron at Cisco live london kinda hinted about maybe Cisco working on this ? We can't disable stateful inspection. Is there any other solutions or workarounds ?
"Although this approach introduces additional hops in the return path from the switch to the host, it produces negligible load on the default router and intervening infrastructure since only the WebAuth traffic from the switch to the host follows this path. In campus designs that do not use SVIs on the data VLAN,6 a default route is typically already configured. In this case, no additional configuration is required to support WebAuth.
However, problems may arise in the case in which traffic to the default router is bridged through a stateful firewall. The original SYN packet in the TCP handshake is consumed by the access switch, so the first packet that the firewall sees is the SYN-ACK packet from the access switch. Stateful firewalls typically drop SYN-ACK packets if they have not seen the original SYN packet.In this case, you will need to turn off stateful inspection for ports 80 and 443 on the firewall."
We have found that only Cisco 1231 WAP are exhibiting this behaviour. Their Primary WLAN controller is Cisco1 WLC but they fail to register to Primary WLC and fall back to Cisco2 WLC. After about 200 sec , they attempt to connect to Primary WLC once again and fail. The whole cycle is repeated every 250 seconds.
View 3 Replies View RelatedWe have two Cisco 2960 TT-L switches. I'd like to reduce single points of failure and have dual servers for most tasks. For example, two firewall servers and two web servers. Should one server fail the other will act as a failover.I'd like to extend the redundancy to the switches, and am thinking of connecting one web server to one switch, and one to the other. In the event a switch failed a set of servers would still run, and be able to talk to each other.I'd like to run two VLANs, one for the LAN, and one of the WAN, and connect the two VLANs on each of the switches with the associated VLAN on the other switch.
View 3 Replies View RelatedWe have a customer who has a network consisting of two ISPs, one as a primary and the other as a backup. We are trying to create a configuration that would allow the primary link to fail and the secondary link to automatically pick up traffic and begin routing .how to set something like this up. Both routers are non Cisco routers and there for HSRP is out.
View 14 Replies View RelatedI have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies View RelatedI think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
I can authenticate between our MDS 9216i switch and RSA radius server but my role does not come across. The logged in user is a network-operator not admin. In the AV Pair i have defined shell:role*network-admin but it doesnt seem to come across
View 4 Replies View RelatedI tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
1. Configured the service for NCS with HTTP (see attachment)
2. Added the tasks to the user (see attachment)
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet - To Server: 192.168.49.14 - For User: netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet - From Server: 192.168.49.14 - For User: netadmin
[code].....
I found that TACACS should be available for network access with ACS 5.2:(url) But when I'm trying to create Rule tu allow PPP authentication against TACACS server I get error.
View 2 Replies View RelatedI am running ACS 4.1.1.23 on a Microsoft server and I am trying to get TACACS to work with two Linux servers. The servers are capable of TACACS, are using port 49 and have the correct shared secret. I believe I do not have the devices configured properly on the ACS side. These 2 servers currently are using RADIUS and we are getting bit by the bug where the ACS application will start rejecting RADIUS authentication requests but still accept TACACS requests.
View 6 Replies View RelatedI am setting up reports for tacacs accounting on ACS 5.3. However, accounting only seems to work after entering enable mode on the switch. I would like to see all commands, even the enable command when in privlage 1 mode.
View 2 Replies View RelatedI can get it to authenticate. But I've read some posts on ACS 4.2 and authorization, but I don't find anything similar.I want to control down to what commands the authenticated user can run. I want the defintion to come from the ACS server, or at least control it from the ACS server. I want to minimize the changes on the JunOS side,but if it can't be easily done, I'll change the JunOS side.
View 10 Replies View RelatedACS 5.3 configured with two rules, 1 rule for standard level 15 access for the Network Engineers and a 2nd rule to allow some limited access to switches: The limited access account has enough command set access to change the vlan on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
Switch configuration:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
Everything works well and the limited access users can only perform the commands i've setup.
Problem:The problem i've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server it stops allowing any commands to be typed in the router/switch. Additionally if you then connect to the device and login with the local username and password the device then waits for it to hit the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.
Question:Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server but still allow the limited access accounts to be able to make interface changes?
So far i managed my switches with TACACS+, however now i've to deploy 802.1X, requiring RADIUS only. For what i know, ACS (i'm using 4.2) allows to define a device using only TACACS or RADIUS, but not both. Do i am right? Or there is a way to define an AAA client to communicate with the same ACS using both the protocols?
Supposing i am right, i was then considering the following options: - configure all of the switches to use radius for any service (authentication, authorization etc ec) This simplifies the task, but i lose the TACACS+ services for the switches. Is this a big loss?
- configure the L3 switches to use a second Loopback, just for RADIUS services. This would allow to still use the TACACS+ but would require a new network just for the RADIUS service; furthermore L2 switches doesn't support two IP addresses and would require anyway a migration to RADIUS.
A considerable administrative overhead, in other words. I'm not willing to deploy a second RADIUS (ACS, Windows, whatever), in this moment.
The key point is this: reading around i see Cisco documentation recommending always to use TACACS+ for management, but in this situation is not possibile. In general, every time the device has a role of network admission (switch or access-point) RADIUS seems to be the protocol of choice. Moving to RADIUS would have some major drawback or only a change in the communication protocol? (I know the difference between TACACS+ and RADIUS: tcp vs udp, encryption of the whole packet vs encryption of only the password).
I want to setup two factor authentication via ACS 5.2 TACACS+ without having to use a token (such as that by RSA). Is there a way to do it?
More info:
Users from unconnected AD domains will be connecting to the routers and switches.There is a certificate server available to generate certificates.SSHv2 is the current login protocol.
Noticed tacacs authorization logs when you change password for a user ?? in authorization logs I can see the new password but same I can not see in accounting logs ? is it a normal behaviour ?? or do we need to do something to hide the password in authorization logs ?
For example if i type command username xyz priv 15 secret cisco 123
I see this command in accounting logs as uername xyz oriv 15 secret *** where as in tacacs authorization logs it shows username xyz priv 15 secret cisco 123
I am trying to access an ASA 5545 using TACACS+. I have the ASA configured as follows:
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
[code]....
I have added the ASA in ACS with the correct IP and the correct key. When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username Cisco password Cisco, I get:
ERROR: Authentication Server not responding: No error.
I have several 2950 switches that I cannot get to work with TACACS. I'm using the same config for these that I am using for other cisco switches. [code]
View 1 Replies View RelatedI have ACS 5.2 and JUNOS 10.6.x I setup 2 classes eng-class and ops-class with read/write and read-only permission here is my configuration on JUNOS
set system login class eng-class idle-timeout 15
set system login class eng-class permissions all
set system login user engineer full-name “Regional-Engineering”
set system login user engineer uid 2001
set system login user engineer class eng-class
set system login user engineer authentication plain-text-password xxxxxxx
[code]....
I have 2 separate Authorization policies for engineer and operator group.Result,
1. engineering group is working fine.
2. the operator group its not working im unable to login to device under this group "authentication failed" but on the ACS logs its successfully authenticated.
3. Web authentication is not also working for bot group.
IS there a way to stop the Radius/Tacacs service in ACS 5.2 from the GUI ?
View 6 Replies View Relatedwe have a ACS server V4 installed on W2003 server ,when we make a telnet to an equipement on the wan the authentication pass on the first connexion ,but when we telent to a switch on the lan the first connxion fails and we need to retry to login .when i check the field attempt log on the ACS i dont find the field attempt.i find this issue in ALL switch on the LAN ,from the switch i can ping the the ACS server .this problem appear frequently?
View 1 Replies View RelatedI've set up my 5540 ASA to accounting commands on TACACS+.Every moviment done through ASDM is logged on TACACS+ by this form: cmd=perfmon interval 10.What does that mean?Why doesn't it record the exaclty command I'd issued?
View 1 Replies View Related