AAA & RADIUS
In a lab, when I set the following, there is no problem logging into the switch using telnet/ssh:
aaa new-model
aaa authentication login default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
I have configured the following Cisco AV-pair on the AAA server:
shell:priv-lvl=15
When I log in via telnet/ssh, there is no problem at all. However, when I connect via the console, I get no privilege level. It authenticates me into user EXEC but nothing more.
If anyone has seen this, I would appreciate greatly any help.
Thank you
Hi Chris,
Try the command aaa authorization console.
Where you set the value of the shell or RADIUS IETF AV pair, try checking the Shell (exec) box and then set privilege level 15.
Regards,
Manish
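The fix in this thread is on the IOS side (aaa authorization console), but it helps to see what the AV-pair actually looks like on the wire and why the switch trusts it. The Python below is an added example, not code from this thread or from Cisco: it encodes the Cisco-AVPair Vendor-Specific attribute (type 26, vendor 9, sub-type 1) into an Access-Accept, then does what the NAS does with the reply: checks the Response Authenticator (RFC 2865 section 3) and parses shell:priv-lvl. The shared secret, packet ID and Request Authenticator are constructed values.

```python
"""Added example (not from the thread): build the RADIUS Access-Accept an AAA
server returns for the Cisco AV-pair "shell:priv-lvl=15", then do what the NAS
does with it: verify the Response Authenticator (RFC 2865 section 3) and pull
the privilege level out of the Vendor-Specific attribute (type 26, vendor 9,
Cisco-AVPair sub-type 1). Secret, packet ID and Request Authenticator below are
constructed values for illustration only."""
import hashlib
import hmac
import struct
from typing import List, Optional

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AVPAIR = 1
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a Vendor-Specific attribute TLV."""
    data = value.encode()
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", VENDOR_CISCO) + vendor_tlv
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident: int, request_auth: bytes, secret: bytes,
                        attrs: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with our copy of the secret.
    A reply built with a different secret, or altered in transit, fails here and
    the NAS silently discards it."""
    head, resp_auth, attrs = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_avpairs(packet: bytes) -> List[str]:
    """Walk the attribute TLVs and return every Cisco-AVPair string found,
    rejecting malformed lengths instead of reading past the packet."""
    pairs = []
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor == VENDOR_CISCO and vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                pairs.append(value[6:].decode())
        pos += alen
    return pairs


def priv_level(avpairs: List[str]) -> Optional[int]:
    """Return the shell:priv-lvl value, or None when the server sent no such
    pair (the NAS then uses its own default EXEC level)."""
    for pair in avpairs:
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl" and val.strip().isdigit():
            return int(val)
    return None


# Constructed sample exchange: secret and Request Authenticator are made up.
SECRET = b"cisco123"
REQ_AUTH = bytes(range(16))
ACCEPT = build_access_accept(7, REQ_AUTH, SECRET, cisco_avpair("shell:priv-lvl=15"))

if __name__ == "__main__":
    print("authenticator ok:", verify_response(ACCEPT, REQ_AUTH, SECRET))
    print("priv-lvl:", priv_level(parse_avpairs(ACCEPT)))
    print("wrong secret accepted:", verify_response(ACCEPT, REQ_AUTH, b"wrong"))
```

Two things worth noting from the code. The Response Authenticator is only an MD5 over the shared secret, so it proves the reply came from a host that knows the secret and nothing more; this is why the secret must be long and per-device, and why RADIUS should not cross untrusted networks unprotected. And the AV-pair is just advice to the NAS: it only takes effect where EXEC authorization is actually enabled for that line, which on the console means aaa authorization console, exactly the point of the reply above.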
Tags: Cisco Security
Similar Questions
-
AAA/RADIUS debugging for one specific MAC address only
I have a question: is there a way I can debug aaa, RADIUS and EAP communication on a switch for a particular MAC (endpoint) address only?
Thank you.
EAP authentication
In order to troubleshoot the interaction between the WLC and the authentication server (external RADIUS, or the internal EAP server), use the command debug aaa all enable, which shows the required details. This command must be used after the debug client command and can be combined with other debug commands as needed (for example, transfer).
(Cisco Controller) >debug client 00:00:00:00:00:00
(Cisco Controller) >debug aaa all enable
(Cisco Controller) >show debug
MAC address ................................ 00:00:00:00:00:00
Debug Flags Enabled:
  aaa detail enabled.
  aaa events enabled.
  aaa packet enabled.
  aaa packet enabled.
  aaa ldap enabled.
  aaa local-auth db enabled.
  aaa local-auth eap framework errors enabled.
  aaa local-auth eap framework events enabled.
  aaa local-auth eap framework packets enabled.
  aaa local-auth eap framework state machine enabled.
  aaa local-auth eap method errors enabled.
  aaa local-auth eap method events enabled.
  aaa local-auth eap method packets enabled.
  aaa local-auth eap method state machine enabled.
  aaa local-auth shim enabled.
  aaa tacacs enabled.
  dhcp packet enabled.
  dot11 mobile enabled.
  dot11 state enabled
  dot1x events enabled
  dot1x states enabled.
  mobility handoff enabled.
  pem events enabled.
  pem state enabled.
-
Hello!
I'm troubleshooting a new 3750-X stack install. Everything is wonderful save two issues, one being RADIUS. I have mirrored the config from another identical working stack but I'm having no luck with this one. Debug radius authentication showed this; any ideas?
I tried a few things, including specifying my management VLAN interface as the source for RADIUS, but it had no effect.
I am running 15.0(2)SE IPBASEK9-M
10:22:43: RADIUS: AAA Attr not supported: interface [221] 4
10:22:43: RADIUS: 74 74 [tt]
Thanks for your help
Hi John,
Take a look at this:
aaa group server radius Group1
 server 10.10.220.130 auth-port 182 acct-port 1813
RADIUS authentication listens on port 1812. Try reconfiguring as below:
aaa group server radius Group1
 server 10.10.220.130 auth-port 1812 acct-port 1813
Regards,
Najaf
Please rate if helpful!
-
AAA RADIUS server control of privilege level
I have RADIUS authentication working on my switch, but I'm trying to allow two types of users to log in using Windows Active Directory: NetworkUsers, who can display the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins, when they log on, to go directly to privilege level 15, but I could not get that part to work. Here is my configuration:
Windows 2008 R2 domain controller with NPS installed.
RADIUS client: I have the IP address of the switch as well as the key. Under the Advanced tab I selected Cisco as the Vendor name.
Network policies:
NetworkAdmins, which has the networkadmin group in the conditions; under settings I have nothing in the standard attributes, and for vendor specific I have:
Cisco Cisco-AV-Pair shell:priv-lvl=15
My switch config:
aaa new-model
!
!
aaa group server radius MTFAAA
 server name dc-01
 server name dc-02
!
aaa authentication login NetworkAdmins group MTFAAA local
aaa authorization exec NetworkAdmins group MTFAAA local
!
radius server dc-01
 address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
 key 7 *
!
radius server dc-02
 address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
 key 7 *
!
No matter what I do, it does not default to privilege level 15 when I log in. Any thoughts?
Have you specified the authorization under line vty? I think it is the authorization exec command. Something like that.
-
AAA + RADIUS on Catalyst switches
The command "Switch(config)# radius-server ..." doesn't appear on my Catalyst 3500. The Catalyst IOS version is c3500xl-c3h2s-mz.120-5.WC5.
How do I set the IP address and port of the RADIUS server?
Regards
I think I have the same version. As you can see below, the command is there.
#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5)WC5, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 28-May-02 11:41 by devgoyal
Image text-base: 0x00003000, data-base: 0x0034A3C8
ROM: Bootstrap program is C3500XL boot loader
uptime is 40 weeks, 15 hours, 35 minutes
System returned to ROM by reload
System restarted at 23:17:01 PUTS DST Monday, August 19, 2002
System image file is "flash:c3500xl-c3h2s-mz.120-5.WC5.bin"
cisco WS-C3524-XL (PowerPC403) processor (revision 0x01) with 8192K/1024K bytes of memory.
Processor board ID FAB0513V068, with hardware revision 0x00
Last reset from warm-reset
Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:05:9B:93:13:80
Motherboard assembly number: 73-3904-11
Power supply part number: 0851-34-02
Motherboard serial number: FAB051240RK
Power supply serial number: PHI050204Z8
Model revision number: A0
Model number: WS-C3524-XL-EN
System serial number: FAB0513V068
Configuration register is 0xF
#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(config)#rad
(config)#radius-server ?
  attribute            Customize selected radius attributes
  challenge-noecho     Data echoing to screen is disabled during Access-Challenge
  configure-nas        Attempt to upload static routes and IP pools at startup
  deadtime             Time to stop using a server that doesn't respond
  directed-request     Allow user to specify radius server to use with `@server'
  host                 Specify a RADIUS server
  key                  Encryption key shared with the radius servers
  optional-passwords   The first RADIUS request can be made without requesting a password
  retransmit           Specify the number of retries to active server
  timeout              Time to wait for a RADIUS server to reply
  vsa                  Vendor specific attribute configuration
Hope this helps you.
Leo
-
AAA RADIUS authentication for only one user group
Hello
I use ACS 3.1 and am trying to use RADIUS authentication for all network switches in my company.
The problem I'm meeting now is how to restrict login/exec access to the switches to only one user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switch using their login credentials.
I would like to prevent them from telnetting with their IDs, except for the administrator group.
Advice on how this is possible?
Thanks!
Basically, you need the admin users in their own separate ACS group, leaving the other users in their own group as well.
Edit the group that contains the users you don't want to give access to and, under the Network Access Restrictions (NAR) heading, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the port and address fields).
This prevents standard users from authenticating to the switches. You can add all your switches to a Network Device Group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.
-
No remote access after enabling RADIUS AAA
Hello
I can't access our Catalyst 4006 after enabling AAA for RADIUS. I installed IAS on our domain controller, configured the Catalyst as a RADIUS client and configured a remote access policy that points to an AD group to allow access to the switch. When I try to connect to the Catalyst with my AD credentials, it seems to hang after I type my password, asks for the password again, then says access denied. This happens both on the console and through a telnet session. I have included my AAA configuration below.
What am I missing?
Tim
(Cisco IOS Software 12.2(25)EWA14)
aaa new-model
!
radius-server host 10.100.x.x auth-port 1812 acct-port 1813 key xxxxxxxxxx
radius-server source-ports 1645-1646
!
aaa group server radius Radius-Servers
 server 10.100.x.x auth-port 1812 acct-port 1813
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default start-stop group Radius-Servers
aaa accounting exec default start-stop group Radius-Servers
!
line vty 0 4
 login authentication default
Tim
I think the immediate problem is that the source address your switch uses is not the address the RADIUS server expects. The RADIUS server is 10.100.182.250 and it is in the subnet of interface Vlan182, so the address of interface Vlan182 will be the source address of the RADIUS request. The fix for this is to use the ip radius source-interface command and specify the address you want the switch to use. Of course, in the short term, it would be easier to change the RADIUS server to expect 10.100.182.2 as the client address.
HTH
Rick
-
Setup
Cisco Catalyst 2960-S running 15.0.2-SE8
FreeRADIUS RADIUS server on CentOS 6.4
Client (supplicant) running Windows 7
When the Windows client is connected to the port (port 12 in my setup) with 802.1X authentication active on the switch, Wireshark shows that the Catalyst sends an EAP Request and the client responds with an EAP Response. But it does not send the request to the RADIUS server. The RADIUS test utility "test aaa group radius testuser password new-code" works.
Here is my running config. Any advice would be greatly appreciated.
mySwitch#show running-config
Building configuration...
Current configuration: 2094 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$Z1z6$kqvVYRQdVRZ0h8aDTV5DR0
!
!
!
aaa new-model
!
!
aaa authentication dot1x group radius
aaa accounting dot1x default start-stop group radius
!
!
!
aaa session-id common
switch 1 provision ws-c2960s-24ts-l
!
!
!
!
!
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 10.1.2.12 255.255.255.0
!
ip http server
ip http secure-server
ip sla enable reaction-alerts
logging trap debugging
logging host 10.1.2.1 transport tcp port 514
radius-server host 10.1.2.1 auth-port 1812 acct-port 1646 timeout 3 retransmit 3 key testing123
line con 0
line vty 0 4
 password password
line vty 5 15
 password password
!
end
Have you run Wireshark on the server when the switch sends the request? If so, are you sure there is a response from the server? For Windows Network Policy Server (I've never tried CentOS), you must ensure that the request matches a policy, which then authenticates or denies access. Usually it is a matter of attributes and the vendor.
Regarding the configuration, the AAA part looks a bit off. Try removing the line:
"aaa authentication dot1x group radius"
and using this instead:
"aaa authentication dot1x default group radius"
After the word dot1x you are supposed to provide a list name, or the word default if you don't want to use a named list.
-
How does this command work: "aaa authentication enable default group radius"? I set up my RADIUS server (Cisco Secure ACS 4.2) but I cannot log in... Can someone here give me an understanding of this command? I need this for my CCNA Security exam... Help, please...
Additional information:
IETF RADIUS attributes: NAS calls
Here is my config on R1:
!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$e.TZ$EXkOaZ0rkd/GBGLA/8GrD/
!
aaa new-model
!
!
aaa authentication enable default group radius
!
!
aaa session-id common
!
!
resource policy
!
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip domain name aida.com
ip ssh version 2
!
!
username mark privilege 15 password 7 110418171C
username anthony password 7 050A081B29434010
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.5.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 10.10.10.0 0.0.0.3
 network 192.168.5.0 0.0.0.7
 no auto-summary
!
!
!
no ip http server
no ip http secure-server
!
!
radius-server host 172.16.178.3 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
!
end
Hi Bro
The command 'aaa authentication enable default group radius' means that for your enable password, you want the router to refer to the ACS server and get the credentials.
Another example: the command 'aaa authentication enable default group radius enable' means that for your enable password, you want the router to refer to the ACS server and get the credentials. In case your ACS is down, you want the router to fall back to the local enable password.
I see what you are trying to achieve and you can do this with RADIUS as well, but I personally prefer TACACS+ where possible.
!
aaa new-model
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default local
!
radius-server host 10.0.0.100 auth-port 1645 acct-port 1646 key cisco123
Note: $enab15$ - this is because you do not have aaa authorization commands configured. You can add a dummy username $enab15$ in your ACS, or you could paste the commands below into your router.
username admin privilege 15 password 0 cisco123
username operator privilege 7 password 0 cisco123
P/S: Please rate this comment if you find this feedback useful :-)
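To make the $enab15$ point concrete, here is an added Python example (not from the thread, the ACS, or Cisco) of what "aaa authentication enable default group radius" causes the router to put in its Access-Request: the User-Name $enab15$ and the enable password hidden with the RFC 2865 section 5.2 User-Password scheme. The shared secret, Request Authenticator and password are constructed values. The second print shows what a server configured with a different shared secret recovers, which is one common reason the enable attempt comes back rejected even though the $enab15$ user exists.

```python
"""Added example (not from the thread): the User-Name and hidden User-Password
that IOS sends for "aaa authentication enable default group radius". IOS asks
the server to authenticate the pseudo-user $enab15$ (privilege level 15), which
is why the reply above says to create that user on the ACS. The password is
hidden per RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_{i-1}), with
c_0 = Request Authenticator. Secret, authenticator and password are constructed."""
import hashlib
from typing import Tuple

ENABLE_USERNAME = "$enab15$"  # IOS uses $enabN$ for "enable N"; 15 is the common case
BLOCK = 16


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding (NAS side). Pads with NULs to 16 bytes."""
    if not 1 <= len(password) <= 128 or len(request_auth) != BLOCK:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", request_auth
    for i in range(0, len(padded), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], keystream))
        out += block
        prev = block  # chaining: the next block is keyed on this ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side. With the wrong shared secret this returns garbage rather
    than failing, so the $enab15$ lookup simply sees a bad password."""
    if not hidden or len(hidden) % BLOCK or len(request_auth) != BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + BLOCK], keystream))
        prev = hidden[i:i + BLOCK]
    return out.rstrip(b"\x00")


def enable_request_fields(enable_password: str, secret: bytes,
                          request_auth: bytes) -> Tuple[str, bytes]:
    """The (User-Name, User-Password) pair an IOS NAS puts in the Access-Request."""
    return ENABLE_USERNAME, hide_password(enable_password.encode(), secret, request_auth)


# Constructed values only; a real NAS draws a fresh random Request Authenticator per request.
SECRET = b"cisco123"
REQ_AUTH = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    user, hidden = enable_request_fields("enable-pass", SECRET, REQ_AUTH)
    print(user, hidden.hex())
    print(reveal_password(hidden, SECRET, REQ_AUTH))          # b'enable-pass'
    print(reveal_password(hidden, b"wrong-secret", REQ_AUTH))  # garbage
```

Note what this scheme is and is not: it is an MD5 keystream XOR, not authenticated encryption, so its strength rests entirely on the shared secret and on the Request Authenticator being unpredictable. A short or reused secret, or RADIUS carried over an untrusted path, exposes every enable password sent this way; that is the usual argument for TACACS+ (which encrypts the whole body) or RADIUS over a protected transport for device administration.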
-
DHCP RADIUS accounting
We tried to implement DHCP accounting using RADIUS. All the configuration was done as in http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00801543c7.html
but it seems that named accounting lists do not work at all.
I.e.
aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1
ip dhcp pool WIRELESS-POOL
 accounting RADIUS-GROUP1
does not work. How can I properly configure DHCP accounting? A working example?
PS: 7206, c7200-is-mz.123-16.bin
In the command "aaa accounting network RADIUS-GROUP1 start-stop group RGROUP-1", try the various options instead of the word network. See the following URL for more information
-
I have a PIX with the following configuration:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.1 77777 timeout 5
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.1 77777 timeout 10
aaa-server LOCAL protocol local
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+
aaa accounting match aaa_acl inside RADIUS
Everything works fine when the RADIUS server is available. When it is not available, I can log in with the username "pix" and the enable password. The problem is, once I'm logged in, I can't get authorization to execute commands. Does anyone know of a command similar to "if-authenticated" for routers that I can use?
There is no fallback method for authorization on the PIX. As you know, if the RADIUS server is down, you can log in with "pix" and the enable password, but that doesn't help with authorization. The only thing you can do is wait for the TACACS+ server to come back up. I'm sorry.
-
AAA w/RSA: "No authorization type..."
I've set up a router and a switch to do AAA using an RSA RADIUS server. Both are RSA "Agent Hosts" with identical configurations. The router (2621XM/EntServ 12.4(18)) and switch (3560-24PS/IPBase 12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA is fine as far as the passcode being accepted. But the switch won't let me in:
**********************
Username:
Password:
PASSCODE Accepted
% Authorization failed.
**************************
When I do "debug radius authentication" on each, the outputs are the same until the last 2 lines. The router that works says:
000055: Jan 16 12:22:51 EST: RADIUS(00000005): Received from id 1645/3
000056: Jan 16 12:22:51 EST: RADIUS/DECODE: Reply-Message fragments, 19, total 19 bytes
But the switch says:
000284: Jan 16 12:20:47 UTC: RADIUS: saved authorization data for user 3030220 at 3034440
000285: Jan 16 12:20:47 UTC: RADIUS: no authorization type for user.
The only other difference I can think of is that I use ssh for the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use another IOS, I think).
Any clue? TIA
Paul
If I were you, I would "disable" authorization on the Catalyst 3560. I have an identical setup to yours on my Catalyst 2960 and it works very well. See below:
[root@... root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
C
*****************
User Access Verification
Username: test4
Password:
Enter your new PIN, containing 4 to 8 digits,
or
to cancel the New PIN procedure:
Please re-enter new PIN:
Wait for the token code on your card to change, then log in with the new PIN
Enter PASSCODE:
C2960#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 16-Jul-07 02:53 by myl
Image text-base: 0x00003000, data-base: 0x00CC0000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)SEE1, RELEASE SOFTWARE (fc1)
C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes
System returned to ROM by power-on
System restarted at 23:20:30 GMT Wed Dec 26 2007
System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco WS-C2960G-24TC-L (PowerPC405) processor (revision B0) with 61440K/4088K bytes of memory.
Processor board ID FOC1036X0F1
Last reset from power-on
2 Virtual Ethernet interfaces
24 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:19:55:1B:D6:00
Motherboard assembly number: 73-10015-05
Power supply part number: 341-0098-02
Motherboard serial number: FOC10352NF2
Power supply serial number: AZS103402ZF
Model revision number: B0
Motherboard revision number: B0
Model number: WS-C2960G-24TC-L
System serial number: FOC1036X0F1
Top Assembly Part Number: 800-26673-02
Top Assembly Revision Number: C0
Version ID: V02
CLEI Code Number: COM3G00BRA
Hardware Board Revision Number: 0x01
Switch Ports Model              SW Version              SW Image
------ ----- -----              ----------              ----------
*    1 24    WS-C2960G-24TC-L   12.2(25)SEE4            C2960-LANBASEK9-M
Configuration register is 0xF
C2960#sh run | inc aaa
aaa new-model
aaa authentication login test group radius local
aaa authentication login test1 group tacacs+ local
aaa authentication login notac local
aaa authentication dot1x default group radius
aaa session-id common
C2960#
CCIE Security
-
Hello
I have 802.1X and MAB configured. I added a second ACS server and added the switch definition to it.
My problem is that the ACS works well when it is set as the primary in the switch. But when it is configured as the backup and I force a failure on the primary, the switch does not try to use the backup ACS. Can someone please give me some pointers on my configuration below?
Thank you
aaa group server radius rrrr
 server-private 10.4.25.117 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
 server-private 10.4.25.114 auth-port 1645 acct-port 1646 key 7 01100F175804575D72
 ip radius source-interface Vlan200
!
aaa new-model
aaa authentication dot1x default group rrrr
aaa authorization exec default local if-authenticated
aaa authorization network default group rrrr
aaa accounting dot1x default start-stop group rrrr
!
interface FastEthernet0/1
 switchport access vlan 200
 switchport mode access
 switchport voice vlan 2
 authentication control-direction in
 authentication event fail action authorize vlan 100
 authentication event server dead action authorize vlan 100
 authentication event no-response action authorize vlan 100
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout quiet-period 3
 dot1x timeout tx-period 4
 spanning-tree portfast
Hi Tiago,
The fix was to set up the following:
radius-server retransmit 2
radius-server timeout 3
to allow the switch to move to the secondary ACS server before the methods kick in. It was still trying to authenticate before it moved on to the second ACS.
Thanks for your help.
-
What do I need to implement a RADIUS server?
We intend to implement a TACACS+ server.
I need to know what exactly I need to set up this server. Do I have to buy a vendor-based TACACS+ appliance, or can I just buy the software and install it on one of my new or existing servers? Is there any very good open source software that I can use? What are the advantages and disadvantages of each option?
I am managing hundreds of routers and switches in our company and on customer sites via the internet.
One last question: is Cisco ACS 5.5 hardware, or can it be installed on any server?
I know these are very long questions, but I know that you are very friendly and nice people :)
1.] Most of the large enterprise or carrier-class network device manufacturers support TACACS+. Some vendors that support the TACACS+ protocol are: Adtran, Alcatel/Lucent, Arbor, Aruba, Brocade/Foundry, Cisco/Linksys, Ericsson/Redback, Extreme, Fortinet, HP/3Com, Huawei, Juniper, Netgear, Nortel and others. However, I personally would say ACS 5.x.
Source - http://tacacs.net/faq.asp
2.] Cisco Secure ACS 5.5 is available as a closed and hardened Linux-based SNS 3415/3495 appliance, or as an image for VMware ESX/ESXi 5.0/5.1.
Cisco Secure ACS 5.5 supports two distinct protocols for authentication, authorization and accounting (AAA): RADIUS for network access control and TACACS+ for network device access control.
3.] For more information about the product and licensing, go through the links listed below.
Kind regards
Jatin Kone
* Do rate useful posts *
-
AAA authentication and VRF-Lite
Hello!
I encountered a strange problem when using RADIUS AAA authentication with VRF-Lite.
The setup is as follows. A /31 linknet is configured between the PE and the CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used).
Access to the CE, via telnet, console etc., is authenticated by our RADIUS servers, based on the following configuration:
--> Config start <--
aaa new-model
!
!
aaa group server radius RADIUS-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
!
aaa authentication login default group RADIUS-auth local
aaa authentication enable default group RADIUS-auth enable
...
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key ...
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key ...
...
ip radius source-interface ... vrf 10
--> Config end <--
The VRF-Lite instance is configured like this:
--> Config start <--
ip vrf 10
 rd 65001:10
--> Config end <--
Now, if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a single-VPN installation), AAA/RADIUS authentication works very well. When I enable "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing tables when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, the AAA/RADIUS part is the only service that does not work.
It may be necessary to include the ip vrf forwarding command in the server group config, as follows:
aaa group server radius RADIUS-auth
 server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
 ip vrf forwarding 10
See the document below for more details:
http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html