Cisco VPN :: 5520 Attribute Mapping Not Taking Affect
Oct 2, 2012
I'm in the throes of configuring my 5520 to supply different group policies based on LDAP group membership. I'm finding that no matter what I do only the default group is applied. I'm sure it'll be a simple fix - but I just can't see it. [code]
View 4 Replies
Dec 21, 2012
I have a working ASA 5505 that is used for remote access. It authenticates users via RADIUS (Microsoft AD using two IAS servers), it also authorises users via LDAP and it does some LDAP attribute mapping to get group membership for DAP. This is all working fine; however, recently I enabled IPv6 to do some testing. I have a /126 subnet on the Inside interface (maps to its equivalent /30 IPv4 subnet) and OSPFv3 running so the ASA has visibility of the internal IPv6 networks. The DNS client is enabled on the ASA and all the authentication servers are entered as hostnames. The two RADIUS servers only have A records and the two LDAP servers (Windows DCs) have both A and AAAA records. My plan was to begin testing IPv6 on the AnyConnect VPN clients (once I was happy the ASA was working fine with IPv6).
When I initially enabled IPv6 everything continued to work as before; however, I had to reboot the ASA today and after it all came back up authorisation stopped working. I did a bit of troubleshooting and the ASA is complaining of not being able to resolve the addresses of the two LDAP servers. From the CLI I can ping the hostnames, and the LDAP servers resolve to IPv6 addresses and the RADIUS servers resolve to IPv4 addresses. When I issue the command 'show aaa-server LDAP' (LDAP is the name of the group) I see the servers listed but the address displays 0.0.0.0:
Prior to the reboot both the LDAP servers were showing their addresses (IPv4) correctly. I can work around it by disabling IPv6 on the ASA, letting it look up the (IPv4) addresses of the LDAP servers (so they appear in the 'Server Address:' field above) and then re-enabling IPv6. Strangely, deleting and re-adding the servers just with their IPv4 addresses also fails, but I haven't fully tested this. I don't know, but I think I would have the same behaviour if the RADIUS servers also had AAAA records.
I assume when IPv6 is enabled on the ASA it will perform AAAA lookups as well as A lookups, but the LDAP client cannot use IPv6? Just guessing at the moment as I haven't managed to get a LAN capture. [code]
View 1 Replies
Dec 7, 2011
ASA 5520 running 8.2
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?
View 3 Replies
Jun 5, 2011
I currently have 3 PCs: one desktop on ethernet, one desktop on a wireless adapter and one laptop on wireless. I unplugged the desktop wireless a few nights ago. I have since been on the ethernet desktop fine, but when I tried to log on with the laptop wireless, no deal. So I replugged the wireless desktop and then the laptop was OK to connect. This doesn't seem normal, but I don't know. One unplugged PC on the network shouldn't affect the others, should it?
View 3 Replies
Feb 14, 2012
I have a customer who wants to disable CDP on all switches for security reasons. The same customer also has LMS 4.0 installed.
When disabling CDP, does it affect the topology services on LMS? Can you still see the topology tab in device manager or the topology map of the entire network?
View 4 Replies
Feb 24, 2013
I recently switched over to a new cable modem/wireless router, which is the Zoom DOCSIS 3.0 (Model: 5350-00-03). My brothers and I have set up a second router, a Netgear N300 (Model: WNR2000v2), on the other side of the house. After the switch, our data usage has been increasing. I just want to know if having two routers affects data usage.
View 3 Replies
Dec 15, 2011
I notice that SPI is disabled by default on the DIR-600 (in firmware 2.10 and 2.11 as well). Port forwarding still works with SPI on (I use it for BitTorrent). So why is it off by default? Does it slow things down?
View 1 Replies
May 30, 2011
I want to configure RBAC for ANM 4.2 using TACACS+ and ACS 5.1. [code]
When the admin user logs in, this policy element is triggered, but the Role is not sent back. How do I configure the Custom Attribute?
View 1 Replies
Apr 29, 2012
I am planning the upgrade of an ASA 5550 Active/Passive cluster from 8.0 to 8.2 according to the "zero downtime upgrade" documentation available on the web.
I do not have another cluster for comprehensive testing, but I executed a simple migration procedure on a tiny 5505 and neither licensing features nor the configuration (the command syntax) were affected by this process. I know this is something to care about if you go to 8.3, but this is not my case. I browsed the release notes of 8.2(5) and found no special disclaimer with respect to this release. So everything should work just fine, but I would like to double check for input with respect to these two subjects:
1. Will the licensed features (VPN, concurrent connections, etc.) be preserved?
2. Will the configuration be preserved?
View 2 Replies
Feb 25, 2012
To what extent does a gigabit LAN port affect the speed of the internet?
View 1 Replies
May 16, 2012
Can I connect about 12 devices (laptops and mobile phones) to an 8 Mbps or 16 Mbps WiFi router?
View 1 Replies
Aug 23, 2011
I work in technical support and I heard a story about a customer that lost his internet connection when there was a high tide. I do not know the details, but is it possible that a high tide can affect wireless internet signals?
View 2 Replies
Dec 8, 2011
I have had my DIR-655 for a few years now and it has been running fine up until a few months ago.
I haven't changed any features or made any major changes, but it started cutting out all network traffic. WiFi drops the internet connection but is still connected, and both my NAS and my wired computer are also cut off from the network but show as connected.
The router GUI is not accessible when this happens. The router's LEDs are lit, but for some reason all network activity is dropped. Restarting the router resets everything.
This is rather sporadic but happens at least 2 times a day.
I have disconnected the internet connection and left the "internal" network up and running, and then too I get the network "cut-off" after some time, so it is not dependent on my ISP.
I have Hardware Version A2 and am running Firmware Version 1.32NA. I tried to install 1.35NA and it goes and does something, but when it comes back it is still on 1.32NA, so the FW upgrade doesn't kick in. Is my hardware possibly too old for it?
View 6 Replies
Dec 11, 2011
I'm using an ASA version 8.4.2 and a RADIUS server.
Is it possible to configure the ASA to send the name of the connection profile to the RADIUS server?
By default, the RADIUS server doesn't receive this information.
View 1 Replies
Sep 20, 2011
After trying for several hours to configure LDAP attribute to Cisco attribute mapping, I found that special characters are not supported by ldap attribute-map, at least on 8.4.
Here is the problematic configuration:
ldap attribute-map ldap_memberof_map
  map-name memberOf Group-Policy
  map-value memberOf
[Code].....
View 1 Replies
Aug 28, 2012
I'm authenticating users against Active Directory and want to also check additional attributes from LDAP. In ACS 5.3 it was possible to set this up via an External Identity Sequence, but in ISE I don't see this possibility. I can set a sequence only for authentication, but not for additional attribute retrieval.
When I set a condition in a policy that an LDAP attribute must match some value, the attribute is not retrieved and authorization ends on the default Deny Access.
View 17 Replies
Jun 28, 2011
We have just set up a Secure ACS 5.2 VM to provide authentication for AnyConnect VPN clients. The clients connect to an ASA 5520, which queries the ACS, which in turn queries Active Directory directly. All seemed to work OK, but I noticed it was using PAP. Following some docs, MS-CHAPv2 was enabled via the "Password-management" command. This broke the configuration and the error on the ACS was:
11309 Incorrect RADIUS MS-CHAP v2 attribute
Some references suggest that the ASA and ACS should talk MS-CHAPv2 without additional config, so I guess it must be the ASA config for the tunnel-group. There are additional secondary authentication and authorisation pages in ASDM that I suspect might be necessary to use MS-CHAP.
View 1 Replies
Mar 27, 2012
I'm configuring a Cisco 7206 NPE-G2 as a B-RAS for PPPoE over a Gigabit Ethernet interface. Everything is OK, but I'm having problems when I try to pass the framed-route attribute from the RADIUS server to assign a /29 subnet to a PPPoE client: the 7206 seems to skip it and no route is installed in the routing table.
This is the configuration:
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
[code]......
I also tried Cisco-AVPair ip:route with the same results.
View 3 Replies
Feb 21, 2005
I'm using Cisco ACS 3.3 for RADIUS. How do I make the Vendor-Specific attribute available? (Attribute number 26, format: OctetString) The online help makes reference to it, but does not tell you how to make it available.
View 9 Replies
Nov 25, 2012
Is it possible to send the profile name as a RADIUS attribute during client authentication? I would like to match users, depending on profile name, to separate Identity Stores in my ACS. ASA 5540 8.4, AnyConnect 3.1.01065, ACS 5.1
View 3 Replies
Jan 4, 2012
I'm running 8.3 on a 5505. We've got a few SSH tunnels originating from inside to some place on the internet. It seems these tunnels are closed every n minutes. I've seen two recommendations for altering the timeout values, and what I am interested in is an infinite timeout (0) for these SSH tunnels.
Suggestion 1, alter timeout "conn". The default is 30 minutes, but I suspect this might have a negative impact because no inactive connections would ever be closed. If it is however recommended to alter it, how do I set it to "0" (off/unlimited)?
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Suggestion 2, enable an SSH class map which explicitly sets the timeout for the SSH connection. Is this recommended? How would I achieve unlimited time? And what about random-sequence-number disabled as seen below, is that really recommended?
class CLASS_MAP_SSH
  set connection random-sequence-number disable
  set connection timeout idle 48:00:00 reset
  set connection decrement-ttl
View 3 Replies
Feb 29, 2012
I'm planning to upgrade Cisco ASA 8.2 to an AnyConnect Essentials and Mobile license. Are there any concerns with some users continuing to utilize the Cisco VPN IPsec client while others migrate to AnyConnect? I just want to make sure that when I upgrade the license there will not be an immediate requirement to have all users switch to AnyConnect immediately.
View 2 Replies
Jan 22, 2011
Will a Wi-Fi range extender affect (i.e., reduce) the signal of the router? How does the throughput signal compare between where it originates and where it ends?
View 2 Replies
May 14, 2012
Basically I want to query RADIUS for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. I saw that attribute 4242 is used for DAP group membership, but what is the Group syntax?
View 1 Replies
May 13, 2013
ACS 5.3 always sends the class=cacs:xyz attribute in an authentication response. How can I suppress that behaviour? The Cisco Email Security Appliance doesn't support multiple class attributes (defect 49096) and even treats guest users as administrators.
View 2 Replies
Jul 18, 2011
How do I add a TACACS custom attribute to ACS 4.2 for Nexus 1000V: shell:roles="network-admin admin-vdc"? In the interface configuration I've added a new service: service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.
View 8 Replies
Mar 19, 2012
How can I determine what attribute is coming up as 'invalid'? I tried full debug and looked at all the logs; nothing.
View 1 Replies
Sep 18, 2012
Can the quality of my phone line affect the ability of web pages to load? Sometimes web pages load flawlessly; at other times the browser says the web page was found but it refuses to load. I assume that things could get slow if I am downloading various updates in the background. What could be my problem? My phone line is on poles, underground, has been spliced and is at the end of the line. It seems like when I need to connect I can't.
View 1 Replies
Nov 9, 2011
We faced a problem after upgrading the ASR from 12(2) 33 XNE2. I know that this is an old XE release, but our RADIUS denies authorization from the ASR with a newer XE version. Here is our RADIUS attribute configuration:
!
radius-server attribute 44 include-in-access-req
radius-server attribute nas-port format d
radius-server host x.x.x.x auth-port 1812 acct-port 1813 non-standard
[Code]....
How can I add to my configuration so that the ASR sends the necessary NAS-Port-Type - VPDN?
I couldn't find any info for radius-server attribute 61 extended.
View 1 Replies
Feb 28, 2012
I am doing 802.1X for a user on a Cisco 3650 and wanted the RADIUS server to return an attribute to set the duplex setting of the port, with the correct RADIUS return attribute.
View 4 Replies
Apr 26, 2012
I've been experiencing problems with internet speeds at my church and my home. They both have security keys, but many people use them. I was wondering: is there a free tool to monitor who/which device is taking up all of the bandwidth? Something that kind of points out, "Hey, this guy is really slowing you down". Possibly even (but not necessarily) kill their connection?
View 1 Replies
Jan 16, 2012
I have a Cisco 876 router and I need to connect an ethernet WAN link. While configuring the IP address I am getting the error below.
yourname(config)#int f0
yourname(config-if)#ip addres 172.30.1.0 1. 255.255.255.0
% IP addresses may not be configured on L2 links.
View 3 Replies
Apr 13, 2012
Mobile devices are saturating our medium-sized enterprise network. Examples of these devices are iPhones, iPads, Kindles, Droids, etc. When a device is authenticated on our APMobile wireless network and downloads updates, email, or music, our network bandwidth is consumed. Services/applications such as VoIP are no longer available. Basically, this is an internal DoS. I have done some research and an example of this problem is an ARP storm, but currently clients obtain IP addresses from our DHCP server, which acts as a proxy for the clients and is effective against deliberate attempts to craft packets that create an ARP storm. In addition we configured the WLC to disable ARP unicast processing via the CLI. The following link is from Cisco's site. It is the ARP storm that we originally thought was the cause, but after more research we found it wasn't this exact issue - http:[url].... Why do iPhones frequently take down our network? Could this be a configuration issue with our firewall (Cisco ASA 5520 running version 8.4(2))?
View 1 Replies