AAA-server reset

In Cisco Doc: http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/a1.html#wp1510772

the command:

AAA-server host 192.168.125.60

is referenced, but it is an addition in 8.02.

Does anyone know how to do the same thing in rel 7.2.2.x of the ASA code?

I have multiple AAA servers in a failed state and need to restart/refresh them. If I run the aaa-server test command, it works, so I know that the AAA server is now online.

You can do this via ASDM. In ASDM, you can set the method with which the servers will be reactivated. The following link can help you:

http://www.Cisco.com/en/us/docs/security/ASA/asa72/asdm52/user/guide/aaasetup.html#wp1160615

Tags: Cisco Security

Similar Questions

  • IPsec IKEV2 Cisco AAA server

    Good day

    Is it possible to configure IPsec IKEv2 VPN without an AAA server? Or, failing that, to use the ASA 5508-X itself as an AAA server for VPN users?

    Hello

    I have attached an ASDM screenshot showing how to do LOCAL authentication and DHCP address assignment for VPN users.

    Kind regards

    Aditya

    Please evaluate the useful messages and mark the correct answers.

  • several hosts aaa server for authentication vpn

    ASA5510 - 7.2 (1)

    Using the following configuration, I am trying to have several RADIUS servers configured for VPN authentication, as a backup in case the primary fails. This seems to work OK. But once the main server is back up, when will the ASA begin to use it again? The output of "aaa-Server 172.25.4.20 host" said

    Server status: FAILURE, server disabled at 08:04:25.

    How do you reactivate it?

    aaa-server adauth protocol radius
    aaa-server adauth host 172.25.4.20
     key *
     authentication-port 1812
     accounting-port 1813
    aaa-server adauth host 172.25.4.40
     key *
     authentication-port 1812
     accounting-port 1813

    tunnel-group group general attributes

    address pool pool

    authentication-server-group adauth

    by default-group-policy

    You can add this option in the aaa-server group:

    "reactivation-mode timed"

    This causes a dead server to be added back to the pool after 30 seconds.

    The following link has some good info on the options available. I suggest searching the doc for "reactivation".

    http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.PDF

    -Eric

    Be sure to note all the useful messages.

  • AAA server group does not work

    All,

    I have an AAA server group set up on my router to use for, well, AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.

    *****************************************************

    version 12.2

    service timestamps debug datetime localtime

    service timestamps log datetime localtime

    service password-encryption

    !

    host BUSINESS name

    !

    AAA new-model

    AAA server Ganymede group + TACSLOG

    Server 192.x.x.x

    Server 192.x.x.x

    !

    Group AAA authentication login default local TACSLOG

    default AAA authorization exec TACSLOG local group

    AAA exec by default start-stop accounting TACSLOG group

    AAA commands 5 default start-stop accounting TACSLOG group

    AAA commands 15 arrhythmic default accounting TACSLOG group

    activate the password xxx

    !

    username password xxx xxx

    username privilege 15 xxx

    username xxx autocommand menu ADMIN1

    IP subnet zero

    !

    !

    IP - SBA.GOV domain name

    !

    !

    call the rsvp-sync

    !

    !

    !

    !

    !

    !

    !

    !

    interface FastEthernet0/0

    IP address 255.255.255.0 192.x.x.x

    automatic duplex

    automatic speed

    !

    interface Serial0/0

    no ip address

    Shutdown

    !

    IP classless

    no ip address of the http server

    !

    !

    ADMIN1 menu prompt ^ CSELECT YEAR OPTION PUNK ^ C

    ADMIN1 1 SHO IP INTERFACE BRIEF text menu

    by menu ADMIN1 1 SHOW IP INTERFACE BRIEF command

    menu text ADMIN1 2 SHOW the INTERFACE FA0/0

    order by menu ADMIN1 2 SHO INT FA0/0

    menu text ADMIN1 3 SHOW RUN the INTERFACE FA0/0

    order by menu ADMIN1 3 SHOW RUN INT FA0/0

    menu ADMIN1 text 4 see THE ARP

    4 ARP see by ADMIN1 menu command

    ADMIN1 5 OUTPUT text menu

    order by ADMIN1 5 LOGOUT menu

    !

    Dial-peer cor custom

    !

    !

    !

    !

    privilege exec level 5 show ip interface brief

    privilege exec level 5 show interface fa0/0

    privilege exec level 5 show show passage interface fa0/0

    show privileges exec level 5 show arp

    !

    Line con 0

    line to 0

    line vty 0 4

    password xxx

    !

    end

    When you define an AAA server group, you associate a server's IP address with the group name. You must still define the AAA server separately, which is also where you set the key that is used. In your case, you must add to your configuration:

    RADIUS-server host 192.x.x.x Council key

    RADIUS-server host 192.x.x.x Council key

    HTH

    Steve

  • How to use 2 AAA server to different connection end

    Hello, could you help me?

    This is a part of my setup; I would like to add another RADIUS server, which should take care of telnet on vty 0 4.

    RADIUS server 10,20,30,40 supports virtual access, and I have another RADIUS server which takes care of logins to our network equipment.

    ! Cisco 7204 with system flash c7200-io3s56i - mz.121 - 4.bin

    !

    AAA new-model

    AAA authentication login default group Ganymede +.

    enable AAA authentication login no_tacacs

    AAA authentication ppp default group Ganymede +.

    AAA authorization exec default group Ganymede +.

    AAA authorization network default group Ganymede +.

    AAA accounting exec default start-stop Ganymede group.

    AAA accounting network default start-stop Ganymede group.

    Default connection accounting AAA power Ganymede group.

    !

    virtual-virtual-model profile 1

    virtual - profile aaa

    !

    interface Serial2/0:15

    ISDN30 description

    no ip address

    encapsulation ppp

    no ip route cache

    No keepalive

    Dialer pool-Member 10

    primary-net5 ISDN switch type

    first request ISDN tei negotiation

    XXXXXXX calling ISDN

    no fair queue

    compress the stac

    No cdp enable

    Chap PPP authentication protocol

    multilink PPP Panel

    !

    interface virtual-Template1

    IP unnumbered FastEthernet1/0

    NAT outside IP

    Chap PPP authentication protocol

    !

    host key 10,20,30,40 radius-server *.

    !

    Line con 0

    exec-timeout 20 0

    password *.

    connection of authentication no_tacacs

    transport of entry no

    FlowControl hardware

    line to 0

    line vty 0 4

    access-class 1

    exec-timeout 60 0

    password *.

    connection of authentication no_tacacs

    transport telnet entry

    telnet output transport

    If I just add

    AAA authentication login vtymethod group Ganymede + activate

    10.50.60.70 host key radius-server *.

    line vty 0 4

    connection of authentication vtymethod

    My telnet request goes to 10,20,30,40 and I am refused! Could you help me make a secure solution?

    Thank you

    Jens

    I think that your solution would be to set up a different group of RADIUS servers with the new server in the new group, and use the new group to authenticate your vty. The config might look like this:

    AAA server Ganymede group + vty_TAC

    Server 10.50.60.70

    enable AAA authentication login vtymethod group vty_TAC

    10.50.60.70 host key radius-server *.

    I set up this kind of thing and it worked fine. When I set it up I explicitly configured two different named RADIUS server groups and referenced specific server groups for each authentication method. I do not know whether it works to keep the default group TACACS+ and use it for your normal authentication, or whether you may need to configure a default group for this.

    Try it and tell us what is happening.

    HTH

    Rick

  • access to AAA server to remote problems

    Hi all. I can ping and trace to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote TACACS+ server several times and then falls back to local. I noticed the logs show TCP FINs, which indicates that either I am actually reaching the remote server but the server sends a TCP FIN, or the server simply is not available, as indicated by the logs. Why would the server not be accessible if I can ping and trace it?

    I also checked with the NOC that the extranet firewall accepted my traffic to the RADIUS server. They pulled the logs showing that my traffic was accepted.

    February 4, 2011 13:04:12: % ASA-7-609001: built internal local host: AAA_SERVER
    February 4, 2011 13:04:12: % ASA-6-302013: built 24726 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24727 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24726 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/28055 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24728 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24727 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/32029 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-302013: built 24729 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24728 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/39039 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
    February 4, 2011 13:04:12: % ASA-2-113022: AAA marking GANYMEDE + Server AAA_SERVER aaa-server group MYGROUP as being broken
    February 4, 2011 13:04:12: % ASA-4-409023: method of rescue attempt LOCAL AAA for authentication of user vzz19 request: inaccessible Server Auth MYGROUP group
    February 4, 2011 13:04:12: % ASA-6-113015: rejected AAA user authentication: reason = invalid password: local database: user = vzz19
    February 4, 2011 13:04:12: % ASA-6-611102: failed authentication user: Uname: vzz19
    February 4, 2011 13:04:12: % ASA-6-605004: connection refused from 10.2.2.2/26089 to inside:17.2.2.2/telnet for the user "vzz19".
    February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24729 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/33702 duration 0: 00:00 bytes TCP fins 41
    February 4, 2011 13:04:12: % ASA-7-609002: duration of dismantling inside local host: AAA_SERVER 0:00:00

    Here is my AAA config:

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND trace to the RADIUS server

    ATLUSA01-FW01 # ping AAA_SERVER
    Type to abort escape sequence.
    Send 5, echoes ICMP 100 bytes to AAA_SERVER, wait time is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
    ATLUSA01-FW01 # trace AAA_SERVER

    Type to abort escape sequence.
    The route to 151.162.239.239

    1 17.2.2.3 0 ms 0 ms 0 ms
    2 17.2.2.4 0 ms 0 ms 0 ms - extranet fire barrier
    3 10.4.7.1 0 0 0 ms ms ms
    4 10.4.7.13 0 0 0 ms ms ms
    5 10.4.7.193 0 0 0 ms ms ms
    6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 ms

    You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    The easiest and most important thing is to check the 'attempts' log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS+ key bad argument" - being convinced of a good config and checking it are two different things.

    I have seen weird things like entering a key on an AAA server via remote desktop where the keyboard settings were inconsistent: English/German, resulting in swapped letters 'Y' and 'Z' - do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device that translates the address of the ASA (well, in this case you should see an "Unknown NAS" in the failed attempts).

    Do you have the possibility to connect a device such as a laptop inside the network of the ASA? If so, try to telnet to tcp/49 of the AAA server; you should see immediately whether tcp/49 is allowed (a blank screen immediately = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa
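The pattern in the thread above (repeated 113014 "server unavailable", then 113022 marking the server failed, then a 409023 fallback to LOCAL that ends in a 113015 local rejection) can be picked out of ASA syslog automatically. This is an added example, not code from the thread: the sample lines are constructed, their wording after the message ID is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines keyed on the message IDs seen in the thread.
# The text after each ID is illustrative; only the IDs and fields are relied on.
SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
this line is not an ASA message and is skipped
"""

MSG_RE = re.compile(r"%ASA-(\d)-(\d{6}):\s*(.*)$")
KV_SERVER = re.compile(r"server\s*=\s*([^\s:]+)", re.I)
KV_USER = re.compile(r"user\s*=\s*([^\s:]+)", re.I)
MARKED = re.compile(r"server\s+(\S+)\s+in\s+aaa-server\s+group\s+(\S+)", re.I)
FALLBACK = re.compile(r"method\s+(\S+)\s+for\s+.*?user\s+(\S+)", re.I)


def parse_line(line):
    """Split one syslog line into severity, message ID and free text."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m.group(1)), "msg_id": m.group(2),
            "text": m.group(3).strip()}


def analyse(lines):
    """Summarise AAA server failures and fallback-to-LOCAL outcomes."""
    unavailable = Counter()   # server -> count of 113014 events
    marked_failed = []        # (server, group) pairs from 113022
    fallbacks = []            # (user, method) pairs from 409023
    local_rejects = set()     # users rejected by the local database
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        text = ev["text"]
        if ev["msg_id"] == "113014":
            m = KV_SERVER.search(text)
            if m:
                unavailable[m.group(1)] += 1
        elif ev["msg_id"] == "113022":
            m = MARKED.search(text)
            if m:
                marked_failed.append((m.group(1), m.group(2)))
        elif ev["msg_id"] == "409023":
            m = FALLBACK.search(text)
            if m:
                fallbacks.append((m.group(2), m.group(1)))
        elif ev["msg_id"] == "113015" and "local database" in text.lower():
            m = KV_USER.search(text)
            if m:
                local_rejects.add(m.group(1))
    # Users who were pushed to LOCAL and then rejected there: during an AAA
    # outage these accounts cannot log in at all.
    lockout_risk = sorted({user for user, method in fallbacks
                           if method.upper() == "LOCAL" and user in local_rejects})
    return {"unavailable": dict(unavailable),
            "marked_failed": marked_failed,
            "fallbacks": fallbacks,
            "lockout_risk": lockout_risk}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty `lockout_risk` list alongside a `marked_failed` entry is the condition worth alerting on, since it means the LOCAL fallback has no usable account for that user while the server group is down.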

  • Remote access to the network when AAA server is out of service help

    Hi all, I have a Cisco ASA 5510. I configured Cisco AnyConnect to authenticate via Windows IAS. We recently had a server crash and I tried to get in remotely via AnyConnect and couldn't. Once the IAS server came back up, I could get back into the network.

    Is there a command that I'm missing that will allow me to connect to the network with AnyConnect even if my AAA server is down?

    Here is the AAA part of my config...

    aaa-server WindowsIAS protocol radius
     max-failed-attempts 5
    aaa-server WindowsIAS (inside) host 192.168.2.15
     key XXXXXXXXXX
     radius-common-pw xxxxxxxxxx

    Thanks in advance... Dan

    Dan,

    Try adding the LOCAL keyword to the authentication-server-group statement in your tunnel group or group policy.

    http://www.Cisco.com/en/us/docs/security/ASA/asa90/command/reference/A3...

    Thank you

    Sent from Cisco Technical Support iPad App

  • ACS cannot remove the AAA server

    I have an ACS SE which, for some reason, has two instances of itself listed under AAA servers. The first is called "self" and shows a 127.0.0.1 address. The second shows its real address. I am trying to remove the other, but there is no option to remove it.

    I think that it is causing my database replication to fail. My primary ACS SE is listed on the AAA servers screen. This machine, which has two instances listed, does not allow database replication, saying invalid secret key. I have checked that the keys are the same.

    Seth

    You should be able to remove one of the servers, even if it is the one with the IP address, then run:

    In order to solve the 127.0.0.1 problem, you can back up and restore the .DMP file on a new installation of ACS for Windows 4.2 and change the 127.0.0.1 entry to the desired IP address.

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_tech_note09186a00808d9199.shtml#RES

    ACS v4.2.0.124 90-Days Evaluation Software

    http://www.Cisco.com/cgi-bin/tablebuild.pl/ACS-win-eval

    Once you restore the database fixed, please confirm your entries of Table of Distribution of Proxy.

    The ACS server should be in the box send to.

  • External VPN groups on AAA server. strange behavior

    Hi all

    The other day I was setting up a test VPN 3000 with outside groups configured on a RADIUS server, let's call a SALES group with password 1234 group, which I configured it as well on the 3000 VPN as "external". I attributed to a few users to this group (we'll call Jack and Mary). So far no users can authenticate successfully (in the event of authentication failure).

    After spending hours troubleshooting the problem, I set up a new user whose name is SALES and whose password is 1234 (identical to the group) and assigned it to the SALES group; I got this config from a template. After this, Jack and Mary can authenticate and establish the tunnel.

    The problem is now resolved, but my question is why is this requirement? Does this mean that with each external group, I create, I create a user with the same name as this group and assign it to the group so that the rest of the users in this group can authenticate normally?

    I tried looking for answers on the web, but so far I have found none.

    Any explanation would be appreciated.

    Thank you

    MB

    Yes, this is how it's done. You must add the 'external' group set on the VPNC / ASA as a 'user' GBA. It is used to authenticate the "group" name/password itself. Take a look at:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a00800948c1.shtml

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a00807f6e76.shtml

    Regards

    Farrukh

  • AAA / adding additional ACS server

    Hello guys,

    You need to install AAA proposed plan as attaché. We used the current configuration for a very long time for our facilities and data centre devices. Now we want to add a more updated ACS apart from the existing two and need to point out all the data center on the new ACS server devices.

    Is it possible to set up groups of many materials and separate ACS server for defined groups? If possible please let me know the commands, and if not, please let me know the two ways.

    Hope you could understand my needs and the current configuration. PFA...

    Thanks in advance!

    Best regards

    Anurag.K

    Hi Anurag,

    You can add the new ACS/Ganymede server and have this server in the upper part of the sequence.

    10.16.2.10 RADIUS server host

    10.16.2.8 RADIUS server host

    10.16.2.9 RADIUS server host

    GANYMEDE server key xxxxx

    If you really want to create a separate group for the new ACS/Ganymede server then you must have under configuration shown.

    AAA server Ganymede group + Group1

    Server 10.16.2.8

    Server 10.16.2.9

    AAA server Ganymede group + group2

    Server 10.16.2.10

    AAA authentication login default group GROUP1 GROUP2 line

    Let me know if you have doubts.

    ~ BR
    Jatin kone

    * Do rate useful messages *

  • Remove the aaa in pix server configuration

    I have a PIX 515 with Cisco version 6.x and I configured RADIUS VPN client authentication. The RADIUS server is Windows 2003 and I have the following commands:

    aaa-server test protocol radius

    aaa-server test (inside) host x.x.x.x1 password timeout 10

    The VPN works great. Now I want to change the RADIUS server, so I want to delete the commands and add new ones, but I get errors.

    When I give

    clear aaa-server test

    I get an error message:

    You must remove all corresponding entries before AAA

    removing the last server in the test group

    When I give

    no aaa-server test (inside) host x.x.x.x1 password timeout 10

    I get

    You must remove all corresponding entries before AAA

    removing the last server in the test group

    When I give

    no aaa-server test protocol radius

    I get

    AAA servers configured! Cannot delete server_tag.

    I'm in a loop. Can someone advise me how to remove the aaa-server tag "test" from the firewall?

    Thanks in advance

    You are probably still referencing it in the VPN settings somewhere.

    For example:

    crypto map mymap client authentication TEST

    You must remove this first.

  • privilege level of the AAA RADIUS server control

    I have RADIUS authentication on my switch, but I'm trying to allow two types of user logins using Windows Active Directory: NetworkUsers, who can view the configuration, and NetworkAdmins, who can do anything. I would like NetworkAdmins to go directly to privilege level 15 when they log on, but I could not get that part to work. Here is my configuration:

    Domain controller for Windows 2008 R2 with NPS installed.

    RADIUS client: I have the IP address of the switch as well as the key. Under the Advanced tab I selected Cisco as the vendor name.

    Network policies:

    NetworkAdmins, which has the networkadmin group in Conditions; under Settings I have nothing for Standard, and for Vendor Specific I have:

    Cisco    Cisco-AV-Pair    shell:priv-lvl=15

    My switch config:

    aaa new-model
    !
    !
    aaa group server radius MTFAAA
     server name dc-01
     server name dc-02
    !
    aaa authentication login NetworkAdmins group MTFAAA local
    aaa authorization exec NetworkAdmins group MTFAAA local

    radius server dc-01
     address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
     key 7 *
    !
    radius server dc-02
     address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
     key 7 *
    !

    No matter what I do, I do not get privilege level 15 by default when I log in. Any thoughts?

    Have you specified the authorization group under the line vty? I think it is the authorization exec command. Something like that.

  • ISE has not found any AAA Client or network devices

    During authentication using 802.1X and MAB, I get an authentication failure with error 11007 (impossible to locate AAA Client or network device). The cause that ISE gives me is "Cannot find the network device or the AAA Client while accessing NAS by IP for authentication." I did almost everything by the book, but instead of using a loopback interface, I used a VLAN with a defined IP address. Could that be the cause of the problem?

    Here is the config of the port that I have tested on:

    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-LEAVE in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    Whatever IP address you entered in ISE when adding this switch must match the IP address of the interface configured under your "ip radius source-interface" command. In your first post you said you use an SVI for this, but in your later message I see that your RADIUS packets come from the "TenGigabitEthernet1/0/1" interface. Double-check that and make sure things match.

    If you have a loopback interface configured, it is strongly recommended that you use it as the source for these services (RADIUS, TACACS+, SNMP, Syslog, etc.).

    Thank you for evaluating useful messages!

  • MAB authentication fails on the port of multi-domain: dead result of authentication "server."

    Hi all

    First of all, I have no experience with the configuration of Cisco switches (about half a year now) but I read loads and loads of documentation.

    I am trying to configure multi-domain authentication (MDA) on our Cisco switches using MAB and am running into something strange. Currently, only MAB is requested by my employer.

    Switch = 48-3560G IOS version 12.2 (55) SE1

    RADIUS = Freeradius (version 2.1.10)

    http://www.Cisco.com/en/us/docs/switches/LAN/catalyst3560/software/release/12.2_55_se/configuration/guide/swiosfs.html is my bible

    On port Gi0/29 a Cisco 7961 IP phone is connected and plugged into the phone that a laptop is connected

    The switch configuration:

    aaa new-model
    !
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting delay-start
    aaa accounting dot1x default start-stop group radius
    aaa accounting network default start-stop group radius
    !

    interface GigabitEthernet0/29
     description 235 a
     switchport access vlan 4
     switchport mode access
     switchport voice vlan 2
     load-interval 30
     srr-queue bandwidth share 10 10 60 20
     queue-set 2
     priority-queue out
     authentication event fail retry 0 action authorize vlan 7
     authentication event server dead action authorize vlan 4
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication port-control auto
     authentication violation restrict
     mab
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AutoQoS-Police-CiscoPhone
    !

    radius-server dead-criteria time 5 tries 5
    radius-server host 10.1.1.24 auth-port 1812 acct-port 1813
    radius-server key 7 xxx
    radius-server vsa send accounting
    radius-server vsa send authentication

    Radius response: (for the full reply see attached RADIUS - response.txt)

    Sending acceptance of access to the port id 98 to 10.1.1.207 1645
    Cisco-AVPair = "Tunnel-Type = VLAN.
    Cisco-AVPair = "Tunnel-Medium-Type = 802.
    Cisco-AVPair = "Tunnel-private-Group-ID = 7.
    Cisco-AVPair = "Tunnel-preference.

    So: Access-Accept with VLAN assignment data.

    Debugging on the switch :

    001776: * Mar 1 09:27:35.606: mab-ev(Gi0/29): context MAB received create from AuthMgr
    001777: * Mar 1 09:27:35.606: mab-ev(Gi0/29): MAB authorizing MACAddress
    001778: * Mar 1 09:27:35.606: mab-ev(Gi0/29): client context created MAB 0x2200000F
    001779: * 09:27:35.606 Mar 1: mab: State has original mab_initialize enter
    001780: * Mar 1 09:27:35.606: mab-ev(Gi0/29): sent to create a new context of EAP of MAB to 0x2200000F (MACAddress) event
    001781: * Mar 1 10:27:35.606 THIS: % AUTHMGR-5-START: start "mab" for the customer (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001782: * Mar 1 09:27:35.606: mab-sm(Gi0/29): the event received 'MAB_CONTINUE' on the 0x2200000F handle
    001783: * 09:27:35.606 Mar 1: mab: during the mab_initialize State, had 1 (mabContinue) event
    001784: * 09:27:35.606 Mar 1: @ mab: mab_initialize-> mab_authorizing
    001785: * Mar 1 09:27:35.606: mab-ev(Gi0/29): MAC-AUTH-BYPASS boot for 0x2200000F (MACAddress)
    001786: * Mar 1 09:27:35.614: mab-ev(Gi0/29): MAB received a Reject Access for 0x2200000F (MACAddress)
    001787: * Mar 1 10:27:35.622 THIS: % MAB-5-FAIL: failure of authentication for the client (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001788: * Mar 1 09:27:35.622: mab-sm(Gi0/29): the event received 'MAB_RESULT' on the 0x2200000F handle
    001789: * 09:27:35.622 Mar 1: mab: during the mab_authorizing State, had 5 (mabResult) event
    001790: * 09:27:35.622 Mar 1: @ mab: mab_authorizing-> mab_terminate
    001791: * Mar 1 09:27:35.622: mab-ev(Gi0/29): removed the credentials of 0x2200000F (dot1x_mac_auth_MACAddress) profile
    001792: * Mar 1 09:27:35.622: mab-ev(Gi0/29): AuthMGR for MACAddress sending event (2)
    001793: * Mar 1 10:27:35.622 THIS: % AUTHMGR-7-RESULT: result "dead server" authentication "mab" for the customer (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001794: * Mar 1 10:27:35.622 THIS: % AUTHMGR-5-VLANASSIGN: VLAN 4 assigned to Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC
    001795: * Mar 1 10:27:36.512 THIS: % AUTHMGR-5-SUCCESS: authorization succeeded for client (MACAddress) on the Interface Gi0/29 AuditSessionID 0A0101CF0000007F0207A4AC

    So RADIUS returns an Access-Accept, and the switch treats it as an Access-Reject and somehow regards RADIUS as dead.

    Help would be appreciated!

    Chris

    Hi Chris,

    In response to your last post, assignment of vlan dynamic could be achieved with the help of the IETF RADIUS attributes according to the link:
    http://Tools.Cisco.com/Squish/d1791

    or using the pair of cisco-av according to the link:
    http://Tools.Cisco.com/Squish/8Bd61

    As for free using the Radius and cisco-av pairs. Please can you activate debug on switch output and reproduce the problem with the attempt to authentiation of customer:
    Debug RADIUS
    Debug authentication of all the
    debug functionality of authentication all

    As a result the customer authentication event, also benefit from the following switch:
    display the interface authentication sessions

    I have run into problems with regard to the case of the cisco-av-pair. VLAN assignment, for example, works using the lowercase 'tunnel-private-group-id(#81)=vlanid' instead of 'tunnel-private-group-ID(#81)=vlanid'.

    When testing with the 'tunnel-private-group-ID(#81) = vlanid', I get an error:

    RADIUS/DECODE: parse cisco unknown vsa 'tunnel-private-group-ID' - FAIL

    So the 2nd link, with the changes:
    cisco-avpair = "tunnel-type(#64)=VLAN(13)"
    cisco-avpair = "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair = "tunnel-private-group-id(#81)=vlanid"

    If you still have a question, please include the output of debug/display above which will shed light on the problem.

    Thank you
    Alex

  • Unable to connect to an smtp server

    My OS is ubuntu LTS 14.10, I use Thunderbird version 38.4.0.
    I have 2 accounts, a gmail account and an e-mail office365 account.
    Until yesterday, I could send and receive emails on both accounts, however now it fails with the following error:

    The message send failed.
    The message cannot be sent because the connection to the server failed outgoing (SMTP) smtp.googlemail.com . The server is may be unavailable or refuses the outgoing (SMTP) server connections. Check that your outgoing (SMTP) server settings are correct and try again.

    (Or a similar message when connecting to the server smtp office 365.)

    I restarted the computer, confirmed the address of server, reset passwords, confirmed that I can ping the servers.

    Any help would be greatly appreciated.

    Thank you

    Chris

    The parameters of your server for Gmail seem good. I'm not really familiar with Office365, but they are probably ok as well.

    Is there an external firewall or proxy you have to go through?
    Does this computer have Internet access at all?

    What is suspicious is that both accounts fail at the same time. So my best guess is that the cause is external and not Thunderbird.
