Cisco Switching/Routing :: 888 - Multiple Tacacs Groups For Different Interfaces On A Router

Feb 24, 2013

I have a question about multiple TACACS groups. I want to achieve the following:
 
A Cisco 888 is managed by me and a Provider Support Team. Since we both want to access our own TACACS server, I want to create two TACACS groups. Is it possible for me to bind one TACACS group to one interface, and the second TACACS group to another? This means that our staff is connecting to the LAN interface FastEthernet0 that is applied to the SVI in VLAN 1.

The service technicians from the Provider are connecting to the external interface or through a possible Lo. (another IP). I do not want to mix our 2 TACACS+ servers and theirs together in one group. So has anybody tried this before?


Cisco WAN :: 3845 HSRP With Multiple Interfaces / Groups

Jan 24, 2011

I have 2 routers (Cisco 3845s), both running identical IOSs. Each router has identical 5 networks on it with one network each being different. I have HSRP set up on the identical 5 networks. Your standard failover scenario. On one of the routers one network is not seeing the other router in the same network. Will not ping or traceroute. And HSRP stopped working (both were thinking they were active), which of course brought the network to a halt. None of the interfaces has any ACL on them. They are plugged into a brand new Cisco 3560v2 switch. I have switched out the cables to eliminate that as an issue.

Cisco Wireless :: 5508 Assign Single Ssid To Multiple Interface Groups By Assigning Ssid To Multiple AP Groups

Aug 26, 2012

Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups? 
 
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building.  Each building is also further grouped as AP groups.  I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building?  I'm thinking it will work.
 
Do the buildings have to be outside AP range of each other to avoid problems?

5508 controller
7.2.110.0  code
6 buildings
6 interface groups
1 ssid

Cisco Switching/Routing :: ASR 1002 Enable TACACS On This Router

Feb 12, 2013

We have a Cisco ASR 1002 router in our DC, and I want to enable TACACS on this router. What is the usage of the key? Do we need a separate key for every device? or. [code]

Cisco Switching/Routing :: Router 2811 Joining All Multicast Groups?

Oct 31, 2012

I have a 2960 switch with 15 multicast groups (for video) and now I am configuring a 2811 router to send two multicast groups to another network. But although no client has sent a join yet, the router is joining all multicast groups, and because of that the router cannot handle all the traffic. Why is the router joining all multicast groups? How can I choose which groups the router will join?
 
Router Config:
ip multicast routing
ip pim bidir-enable 
interface f0/0
description Conected to Multicast Source Network
ip address 10.1.1.1 255.255.255.0
ip pim sparse-dense-mode

Cisco Wireless :: WLC 5508 Multiple Interfaces For Multiple SSIDs

May 13, 2013

I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
 
I have 2 questions:
 
1. Can I have 5 interfaces configured on 5 different VLANs, with each SSID on a different port:
 
Port 1: Controller management only=> 192.168.x.x /24
Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
Port 4: SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
 
2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?

Cisco Switching/Routing :: 2960 / Bridging On Router Sub-interfaces?

Aug 13, 2012

I need to bridge 2 subinterfaces, F0/0.301 and F0/0.302, on a single router. The router interfaces with a Cisco 2960 (Layer 2) switch. The question is, does a Cisco router support bridging on subinterfaces on the same physical interface? Currently this is NOT operational. Spanning-tree on F0/0.301 and F0/0.302 is down; the switch side is forwarding for both VLANs. show ip interface brief shows up/down status of F0/0.301, F0/0.301 and BVI6 is down/down?

SETUP:
bridge irb
!
!
Interface F0/0
no ip address

[code]....

Cisco WAN :: Multiple SVI Interfaces On 871 Router / 2911 With Built In 8 Port Switch

Sep 17, 2011

I am wondering if the xconnect L2TPv3 feature could be done on multiple SVI interfaces on an 871 router and a 2911 router with a built-in 8-port switch? Like, I need to extend two Ethernet interfaces, and can I use two SVIs on the router's built-in switch module on each side?

Cisco Switching/Routing :: Module To Add Gig Interfaces To 2800 Series Router

Aug 16, 2012

I am trying to add WCCP to be configured for Websense. My first option seems to be to purchase an IPServices license for the stack of 3750E switches, but I am thinking this will require us to license all three switches in the stack. The second option I am looking at is to do the WCCP configuration on the 2800 router we have on the edge. The problem is both Gig ports are in use, one going to the firewall and the second going to the ISP. My first question would be, which option is better in terms of managing as well as cost of implementing it? The second question is, if WCCP on the router is a better option, what is the add-on module I should be looking to get to add the additional ports to hook up the Websense cache?

Can't See Multiple Work-groups In Windows 7

Oct 24, 2011

As we all know, MS has changed the default workgroup names in different versions of Windows. Additionally, you can rename your workgroup anything you like. I have XP, Vista, and Win7 computers, a television, BluRay player, a Wii, two printers, and a NAS with two USB drives attached. All of these, except the Win7, are wired to one of two switches. I have wireless: iPad, the Win7 notebook, Nintendo DSs. I have friend and non-friend machines (computers, tablets, and phones) that come and go that are wired or wireless. The 3 Windows computers all have the same workgroup name. All of my other units do not use workgroup names. I have a router, and two unmanaged switches, and have, on occasion, a second router. The main router, which has wired and dual-band wireless (each with two named wireless networks) nets, sees everything, by name and/or MAC address. Win7 is blind, deaf, and dumb: it shows its own workgroup name, but no other workgroup name(s), and, consequently, no unit on these other workgroups. It will show some wired units not in a workgroup: the television and the printers (not the Wii or NAS). It will not show the wired XP computer! No wireless units, either in workgroups or not in workgroups, appear. Additionally, Win7 only shows units on its wireless network, not on the other three. The wired units it does show are not on any of the wireless networks, though it lists them on its wireless network. I have left the Homegroup, and terminated the Homegroup services. I have allowed discovery, and unlimited sharing of everything on every computer on the router, and yet the Win7 unit does not share or see well at all. Why?

Cisco Switching/Routing :: Bandwidth Limit On 2811 Router Fastethernet Interfaces?

Mar 23, 2013

I have a task of setting up a bandwidth limit on the 2811 router FastEthernet interfaces. The scenario is: we have a 4MB Internet connection and would like to allocate bandwidth usage to users.
 
FastEthernet 0/0 needs to be set with 256KB output and 2048 input. This is going to be connected to a wireless router. FastEthernet 0/1 needs to be configured with 2048 output. I could also use SDM if that's easier than using CLI.

Cisco Application :: CSS 11503 - Multiple Content Groups?

Oct 4, 2011

I currently have a content group as follows;
 
content My_Group
add service blade1
add service blade2
add service blade3
vip address 1.2.3.4
advanced-balance arrowpoint-cookie

[code]...
 
So I have 3 blades which are proxy servers, and users go first to an MS ISA server, then the VIP of the CSS, and then the rules process them, give them a blade and chuck them out onto the Internet.
 
I want to leave the above rule, but remove one blade, create an additional content group with that blade and have it process requests for a particular site. So I would create the following:
 
content My_Group2
add service blade3
vip address 1.2.3.4
advanced-balance arrowpoint-cookie

[code]...
 
So my question is: can I do that, having the same VIPs etc., so if a request comes in and it matches www.thewebsite.com, the second content rule matches it 'better' and therefore processes it, or would it still be caught by the "/*" content group? I don't want to create more VIPs as I have a real ache getting firewall rules done.

AAA/Identity/Nac :: ACS 5.3 Single Device On Multiple NDG Groups?

Jan 14, 2013

I have multiple campuses and a Central Admin. I've created groups for all, except I need a few devices within Central to be available to the Campus Admins (i.e. a Cisco WCS system). How do I allow a device to be put into multiple NDG groups?

Cisco Switching/Routing :: Configuring ACE-4710 With Tacacs 3.1?

Jun 10, 2013

We think we have configured the ACE and Tacacs properly as we auth, but are not able to enter into configuration mode.

ACE-4710 A4(2.3)

Cisco Switching/Routing :: Catalyst 3750 With Tacacs And Vrf

May 13, 2012

There is a requirement to configure TACACS and RADIUS on a Catalyst 3750X (version 15.0) where two VRFs exist. Is there a solution to configure "tacacs-server host x.x.x.x vrf yyy"? I know it is possible to configure under the "aaa group server radius xxx" the command "ip vrf forwarding yyy". Is there anything else for the tacacs-server and radius-server command?

Cisco Switching/Routing :: 6500 - Tacacs Authentication?

Feb 17, 2012

All IPs and any identifying numbers have been changed to protect.
 
I have a 6500 series switch that for some reason will not authenticate to the TACACS server. When you try, you get a password authentication failure. However, it will let you use the configured username and secret to log in through SSH, and the enable secret to get into privileged mode. The TACACS key is correct, btw. We will call the server VLAN 300 and the admin VLAN 400. The TACACS source interface is in VLAN 400 and the TACACS server is in VLAN 300.
 
I can ping the TACACS server via the switch, but when I use the source command with the IP address of the admin interface VLAN, ping will not work. I changed the TACACS source interface to VLAN 300 (the server VLAN) and authentication with the TACACS server works fine. IP routing is turned on. There are entries for both the server VLAN subnet and the admin VLAN subnet in the routing table. There are only standard access-lists, and none of them are blocking packets from getting to the TACACS server via the admin VLAN.

I could just leave the source interface on the int VLAN for the servers, but I would like to find out why this isn't working. I have 1 other 6500 switch on a different network that is configured exactly the same (except for IPs, keys, and VLANs) and am not having any issues with that LAN. I also have 6 other 3700 switches on the network that I'm having an issue with, and none of them are having issues with authentication.

Cisco Switching/Routing :: Nexus 5000 Tacacs

Oct 8, 2012

I have a little problem. My customer is using TACP-PLUS ALPHA (F4.0.3.alpha.v9). Well, the same user that has access to other Cisco equipment, user test1 for example, can configure anything on that equipment. But on the Nexus 5000, the command "show user-account" indicates just the "network-operator" role. Well, I patched this situation with the following commands:

aaa authorization config-commands default group TACSERVER local
aaa authorization commands default group TACSERVER local
 
Well, when I telnet into the Nexus, I can shut the interfaces, configure, and anything. But when I come in via console, I cannot configure the interfaces. I understand that on the Nexus 5000 the TACACS configuration is global for VTY and console (different from Cisco routers, for example).

Cisco :: 5508 - Failover For Multiple WLCs And Mobility Groups

Feb 14, 2013

We are in a warehouse-type setting and have data centers on each side of the warehouse with 5508 WLCs in each data center. Each side is on its own subnet with routing in between and a different set of SSIDs for each set of WLCs. Our goal is to have the ability to fail over, so that if one data center goes down, APs will move to the controllers in the other DC and the clients will still be able to operate.
 
Our thought was to implement mobility groups between the controllers. While I saw documentation on setting this up when the controllers are on the same VLAN, I didn't see any setup config for when controllers are in different VLANs. So I am wondering if mobility groups are even an option for what we want to accomplish. For the most part clients stay on their respective sides of the warehouse and so we are not necessarily needing roaming for clients between controllers in DC1 and DC2. But that does raise another question in that we do have a planned voice WLAN that we would like to have the ability to roam between each side of the warehouse. But we have seen IP issues with this. In the past we have had both SSIDs set up on each side and ran into issues with clients not renewing their IP address when moving to the controllers on the different subnets.
 
Can we set up mobility groups between controllers on different VLANs/subnets? For failover purposes, will mobility groups assist in our setup with 2 DCs and different subnets/VLANs? If the answer is yes, we can set up mobility groups between different subnets, is there a way to set up the SSIDs on all controllers and have the ability for clients to roam and renew their IPs when moving to a different controller on a different subnet?

Cisco Switching/Routing :: How To Configure Nexus 5548 TACACS+

Dec 12, 2011

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
 
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.

My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
 
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me to input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name because the client probably will not.

The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

Cisco Switching/Routing :: 6509 - Configure Multiple Dhcp Pools On Switch For Multiple VLANs

Mar 9, 2010

Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.

Cisco Switching/Routing :: 3750 - Platform Does Not Support More Than 32 HSRP Groups?

May 6, 2012

I got the error in the subject when I try to add a new HSRP group in a new VLAN. All the HSRP groups have the same HSRP group, the 2. Is there another way to provide clients' default gateway redundancy for each VLAN instead of using HSRP?

Cisco Switching/Routing :: Object-groups In Access-lists On 3750X?

May 29, 2013

I have started to use IP extended access-lists on several 3750X switches to filter inbound and outbound traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is there really no way to group different IP addresses into groups and then use these groups in the access-lists?
 
I am running sw version 15.0(1)SE2.

Cisco Switching/Routing :: Catalyst 3750X Is Caching Tacacs Password?

May 17, 2012

the following information before:
 
Switch:  WS-C3750X-48P   (Stack with 2 Members)
IOS:      12.2(58)SE2
Lic:       IPBASEK9
uptime:  rebooted this night
 
[code]....
 
Since I added another member to the stack, I'm facing the following problem: when I log in with my TACACS user account, I am not asked for the password. The same thing happens with the TACACS account of my colleague; after entering the username he is logged in. It seems to me that the passwords are cached only for this switch.

Cisco Switching/Routing :: Configure Tacacs Authentication For Http In 2960

Oct 13, 2011

I am trying to configure TACACS authentication for HTTP on a Cisco 2960 with IOS 15.0.1.SE. [code] But the device is not authenticating. It asks for the credentials (user and pass) but does not authenticate.

Cisco VPN :: 3845 - Multiple RADIUS Authentication Groups On Single Windows Server

Feb 15, 2011

We have multiple RA VPN groups on a 3845 router. RADIUS authentication is currently happening between the 3845 and a single Windows 2008 server. We have a specific Windows group that AD users are members of, and they are allowed to connect via VPN.
 
I'm creating a new RA VPN Group, which should only allow different AD users.  Is it possible to create another RADIUS association to the same server, or do I need to authenticate against a different Windows server?

Cisco Switching/Routing :: 3750 / 3560 / Hsrp Groups Using The Same Group Number?

Nov 24, 2010

I understand on older IOS codes If the same hsrp group number is assigned to multiple standby groups, it creates a non-unique MAC address. Is this true on newer codes like 12.2(52)SE for 3750 & 3560?

Cisco Switching/Routing :: Nexus 7K Shows Continuous Tacacs Error Message?

Dec 10, 2012

I have Nexus 7K installations in 2 locations. Both of them have multiple VDCs. In the default VDC there are continuous TACACS error messages though TACACS is not configured. The requests are from various public IPs where this VDC is not exposed to the Internet at all. What would be the cause of it?
 
%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user root from 195.2.219.2
2012 Dec 11 16:25:28 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25797]
2012 Dec 11 16:25:34 IDC-FBDTB-AMR2-CN7K-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user nagios from 67.78.206.226
- sshd[25799]

[code]....

Cisco Switching/Routing :: Finding Switch That Supports 4096 Multicast Groups

Jul 10, 2012

Any switch that supports 4096 multicast groups? I am working on a system that includes over a dozen Catalyst 2960 switches. The customer has pointed out the 2960 switch does not satisfy the requirement to support 4096 multicast groups (even though it is more than adequate for the number of active multicast groups). It looks like the 3560 supports more multicast groups than the 2960, but is still far less than the requirement.

Cisco AAA/Identity/Nac :: 1113 - Multiple Network Device Groups Using One Windows Remote Agent?

May 4, 2011

I'm working with a 1113 ACS device running the 4.2.0.124 software. I'm trying to get multiple network device groups to use an existing Remote Agent set up for authentication against our Windows domain. For instance, we want our infrastructure switches to authenticate against the local Active Directory and our WLC to authenticate users against the same Active Directory. When I try to set both network device groups to use the same remote agent, it fails and reports either the host name is already in use or the IP address overlaps with an existing remote agent.
 
The question is:
 
Can I have multiple network device groups use the same remote agent?   Or do I have to install the remote agent software on separate Windows servers in order to have different types of devices authenticate against the Windows AD? 

Cisco Switching/Routing :: 6500 - TACACS Doesn't Work Via Telnet / Works Via Console

Apr 18, 2013

I have a pair of OLD Cat6500's running CatOS:
WS-C6509 Software, Version NmpSW: 7.6(16)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Dec 22 2005, 16:37:19
System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.7-6-16.bin'
System Configuration register is 0x2
 
I know these are no longer supported, but I have to ready them for migration. Recently a problem began with these switches. What happens is that when I telnet to them, I cannot authenticate via TACACS. This works fine for all our other IOS equipment, just not for these 2 switches. The error is: " % Error in authentication" and then I get kicked back to the login prompt.
 
The odd thing is that when I connect to the switch via the console port, I can authenticate fine with TACACS.
CMS> /c 14

[Code].....

Cisco VPN :: ASA 8.2 LAN-to-LAN VPN Out Multiple Interfaces?

Mar 7, 2013

I have an ASA connected to 2 ISPs. I am using object tracking for the default route so only 1 path is used at a time. I have a L2L VPN set up going out interface A. I would like to configure a 2nd VPN going out interface B with identical parameters.
 
(ASA software 8.2)
 
crypto map PATH_A 1 match address outside_1_cryptomap
crypto map PATH_A 1 set peer 10.1.1.1
crypto map PATH_A 1 set transform-set ESP-AES-128-SHA
crypto map PATH_A 1 set security-association lifetime seconds 28800
crypto map PATH_A 1 set security-association lifetime kilobytes 4608000
crypto map PATH_A 1 set reverse-route

[code]....

Cisco Switching/Routing :: 3560 / 2851 - Build LAN Resiliency With Spanning Tree And Bridge Groups?

Oct 26, 2012

I have a site that is very dense, but not high throughput. I have 4x48 port switches, all 3560, and 1 2851 router. The switches are pretty much full to the brim but the site is never completely lit, they just like to move around a lot. However I wanted to provide this site with as much redundancy as possible. So my first thought was to build redundant pathing with the switches so that they could lose a switch and not have a single point of failure. So therefore I built a ring. SW1 to SW2, SW2 to SW3, SW3 to SW4, SW4 to SW1. To make this even more redundant against port hardware failure, I used two uplinks for each and built an etherchannel. Is it good practice to use Etherchannel and Spanning Tree together? So I now have a good redundant LAN switching topology. I have multiple VLANs at the site so I am using Rapid-PVST. I did not set priorities on the switches as I don't think that is really truly necessary, but correct me if I am wrong! OK, so the next step is to make sure that my WAN connection for all of these switches is redundant. I have a 2851 router, with 1 of the built-in interfaces dedicated to our Ethernet hand-off WAN connection (MPLS in this case using BGP routing). The other would be used as an uplink. I also got an additional card for the router so that I can have redundant local LAN connections. I then built up some IRB bridges so that I could uplink the router to SW1 and SW3. Is it good practice to use IRB bridging on a router to provide redundancy? So at this site I have the first part running, and it works pretty well, but I have had 1 strange issue, which has to do with after a failure and re-convergence of spanning-tree, it seems that DHCP starts failing to work. I actually had to go into each of my switches, make a dummy VLAN interface and put on helper-addresses to get them to work.
They are not L3 switches (programmatically speaking) so they should just forward the broadcast packet on to the router, which DOES have the helper-addresses programmed. Also at another site I have the bridge router setup configured, just without so many switches, and no etherchannel between the switches. This seems to work flawlessly, but the site is very small so performance issues would be difficult to spot since they are just thin clients coming back to a Citrix server over a single T1.

Cisco :: PI 1.3 Config Multiple Interfaces?

Apr 1, 2013

If I have a PI 1.2 system that has multiple interfaces configured I can upgrade to PI 1.3 and both interfaces remain and I can see both under the admin webpage under appliance interfaces.  But if I do a fresh install of PI 1.3 I can only configure one interface.  The commands fail from the cli to configure anything but gigabitethernet 0.  Are multiple interfaces not supported in PI?

Copyrights 2005-15 www.BigResource.com, All rights reserved