Similar Questions

• How 2 Configure ACS 4.2 to delegate authentication to the radius server

  Hello

  We need run the following scenario:

  Cisco VPN client (or any connect, Cisco SSL VPN client)---> Cisco ASA 5520---> Cisco ACS 4.2---> CAT Authentication Server

  The CAT authentication server is a Radius server. It can receive Radius authentication requests and respond. It is used for strong authentication TFA WBS similar to RSA OTP tokens.

  The question is: how we set up the 4.2 ACS to delegate authentication request to another Radius server.

  Thnx

  Add the RSA server as an external database, configure the drop user profile or a group to authenticate on the new external database rather than ACS DB Local (or Windows DB).

  Easy as pie!

  Please rate if this is useful.

• Newbie question on access to the RADIUS server

  I've worked before on RADIUS servers running on Windows but not on Unix. I'm new to an environment without any documentation and I make sure I have access to the GANYMEDE/ACS config.

  I go to my config switch and I see that ' 10.0.0.1 radius-server.

  Then I ssh into ' 10.0.0.1' and I see the below after "method.

  From the bottom, you have an idea on how to access the configuration of the ACS in case I need to change any setting it? I tried http://10.0.0.1 but it does not work.

  -bash-3, $00 ls
  bin features core net sbin TT_DB
  Start the etc. opt system usr lib
  export of CDROM lost + found tftpboot var platform
  dev House Dem proc tmp flight-bash-3. $00 ls
  bin features core net sbin TT_DB
  Start the etc. opt system usr lib
  export of CDROM lost + found tftpboot var platform
  dev House Dem proc tmp flight

  Try http://10.0.0.1:2002 for ACS listening on port default 2002.

  Pete

• Secondary RADIUS server

  I need help on setting up a secondary RADIUS server. I have a primary and secondary school. I would like AAA sending requests to the secondary server when the primary is either down or stopped service on the primary. Any ideas?

  You should consider two methods:

  The old school one like that.

  AAA new-model

  AAA authentication login default group Ganymede + local

  !

  radius-server host 10.1.122.11

  radius-server host 10.2.32.13

  RADIUS-server key abcdef

  If not, try a method of group like this:

  AAA new-model

  AAA server Ganymede group + ABCGROUP

  Server 10.1.1.5

  10.1.1.13 Server

  !

  ABCGROUP line group AAA authentication login default

  !

  GANYMEDE-Server 10.1.1.5 host

  radius-server host 10.1.1.13

  RADIUS-server key abcdef

  !

  Because the shared key (secret) cannot be configured in the configuration group, you must define RADIUS servers again at the end of the config.

  !

  Make sure that you have connectivity at a time before testing. Stop the service on your primary ACS and keep an eye on the reports to see the authentications spent in vain.

  Here; s another tip:

  By fallback authentication 'line', you can immediately distinguish a line Login and Ganymede Login. GANYMEDE will show: "username:" and encourages you to line "password:

  !

  Let me know how things are going.

  See you soon

• Issue of operability of the ACS as RADIUS with ASA 5.0?

  Hello

  I'm trying my VPN to get authenticated user with RADIUS (ACS 5.0). and VPN users database is created in AD. Now when I am trying to connect through the Cisco VPN client, I am unable to do so. Infact, I get an error message (through debugging at the level of the SAA for aaa and isakmp) my RADIUS server is DOWN.

  Please let me know is there any compatibility issue with ACS 5.0 on it because everything was working fine on my version 4.2 of the ACS.

  Concerning

  Ritesh

  Ritesh,

  Yes, there is a lack of ACS 5.0 with vpn authentication.

  When you try to connect with the VPN client. you will not see any hits in the follow-up and the views.
  The ASDM logs: you'll see radius server is not accessible.
  Debugs you show RADIUS period.
  This will work with Ganymede.

  Access policy rule was does not. Also, could not use RADIUS as hit CSCsy17858

  http://cdetsweb-PRD.Cisco.com/apps/goto?identifier=CSCsy17858>; Used Ganymede + instead of RADIUS.

  If you want to use the RADIUS then you need to upgrade your version of acs to 5.1

  You can down load patch 9 (5-0-0-21 - 9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg) from the below path:

  Go to Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software 5.0.0.21 >

  Reference: update of the CSA since version 5.0 to 5.1:
  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html

  HTH

  Kind regards

  JK

  The rate of useful messages-

• How the device select radius-server

  Hi guys,.

  We have the existing Ganymede configuration to form our devices and server ACS 2 did. the acs server are managed with other suppliers that the acs server is on their site. Now intended to manage the acs server. We installed a new server CSA of our location, we have thousand of the devices, if we move to the new server we just add the acs unit 2 Server? the new acs server will be are able to connect to the device? How a device chooses which acs primary or secondary server?  Please notify.

  Old configuration

  AAA new-model

  AAA authentication login vtymethod group Ganymede + local

  AAA authorization config-commands

  AAA authorization exec default group Ganymede + local authenticated by FIS

  AAA authorization commands 0 default group Ganymede + local authenticated by FIS

  15 AAA authorization commands default group Ganymede + local authenticated by FIS

  AAA accounting send stop-record an authentication failure

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 0 arrhythmic default group Ganymede +.

  orders accounting AAA 15 by default start-stop Ganymede group.

  Default connection accounting AAA power Ganymede group.

  AAA accounting system default start-stop Ganymede group.

  Ganymede IP source-interface Loopback0

  RADIUS-server host 10.x.x.x

  RADIUS-server host 10.x.x.x

  New config

  AAA new-model

  AAA authentication login vtymethod group Ganymede + local

  AAA authorization config-commands

  AAA authorization exec default group Ganymede + local authenticated by FIS

  AAA authorization commands 0 default group Ganymede + local authenticated by FIS

  15 AAA authorization commands default group Ganymede + local authenticated by FIS

  AAA accounting send stop-record an authentication failure

  AAA accounting exec default start-stop Ganymede group.

  orders accounting AAA 0 arrhythmic default group Ganymede +.

  orders accounting AAA 15 by default start-stop Ganymede group.

  Default connection accounting AAA power Ganymede group.

  AAA accounting system default start-stop Ganymede group.

  Ganymede IP source-interface Loopback0

  RADIUS-server host 10.x.x.x

  RADIUS-server host 10.x.x.x

  RADIUS-server host 100.x.x.x<-->

  RADIUS-server host 100.x.x.x<-->

  Hi m.,.

  N ° not round robin.

  It checks the first IP address. It checks only the following IP address if one has failed.

  I hope it's clearer now

  Rating of useful answers is more useful to say "thank you".

• where is the secret field shared for the ACS 5.3 server itself?

  Hello

  We currently have a distributed PR and DR ACS 5.3 installation, implemented with Ganymede and a unit RADIUS.

  The RADIUS is AppResponse Xpert admin. used Opnet we try to intergrate AppResponse Xpert Admin with ACS.

  The GUI for AppResponse Xpert Admin request the ip address of the radius server - IE our ACS, RADIUS port - is to say 1812 and 'secret' - I assume that means the secret shared real AEC itself (not the shared secret used by network devices).

  On our ACS 4.2 systems, we have a field for a secret shared on the ACS itself Server (to allow replication?).

  With the help of the search function for "Shared Secret" in pdf format "the User Guide for Cisco Secure Access Conrol system 5.3" has only found references to define one for network devices and not a ground for GBA is.»

  A shared secret of the ACS server is still topical for the 5.x ACS system?

  Hi Stuart,

  To answer your question:

  There is no shared secret for the ACS itself.

  If the ACS needs to communicate with another device, you must define an AAA client and define a shared secret.

  ACS 4, used this secret shared to protect/secure replication, the ACS 5, secured by encryption replication and not shared secrets (hash).

  Rate if useful

• RADIUS server with no devices of the airport

  Is there a way I can set up a radius server by using the OS X application but not a Terminal airport at el capitan? Thank you

  See if that helps.

  Mavericks of OS X Server - setting up FreeRADIUS

• Dell Powerconnect 35xx series features Radius Server behaviorfin

  Hello Dell Community,

  I'm not able to find out how 35xx series switches handle 'server radius deadtime' parameter as described below:

  In the config of switch, I use two hosts(for redundancy) radius. The first has priority of '1' configured RADIUS, the second server is priority '2 '. So normally, if the first sever(priority 1) RADIUS online, auth requests switch are sent to this server all the time. And they really are.

  Now, I have also configured the 'deadtimet 10 radius server', meaning to jump on the radius server does not respond. Does that mean exactly?

  If the radius with priority 1 server is offline for a few seconds, the switch instantly consider this as dead radius server and sent no auth request it for the "period deadtime ' 10 minutes (depending on configuration)? How often switch check for the availability of the radius server host?

  config swtich:

  IP address Port port Prio time - Ret-dead-source IP. Its use
  AUTH Acct Out rans times
  --------------- ----- ----- ------ ------ ------ --------------- ----- -----
  10.10.10.10 1812 1813 global Global Global Global 1 all the
  10.10.10.20 1812 1813 global Global Global Global every 2

  Global values
  --------------

  Waiting period: 2
  Broadcast: 5
  Deadtime: 10
  Source IP: 0.0.0.0
  Source IPv6:

  Retransmission will say the switch many times in an attempt to authenticate to the RADIUS server before moving on to the second server. Timeout is indicative of the switch, the waiting time for a response. Deadtime will subsequently intervene in these two parameters have been exhausted.

  Example config:

  Server radius coverage of console (config) # 3

  Console (config) # timeout 3 radius server

  Deadtimet console (config) # 10 radius server

  Result of config:

  -The client tries to connect.

  -switch attempts to authenticate the server 1.

  -Switch means no RADIUS server 1 for 3 second.

  -Switch waits 3 seconds.

  -Switch attempts to authenticate to the RADIUS server 1 for the second time and does not return to server for 3 seconds.

  -Switch waits 3 seconds.

  -Switch attempts to authenticate to the RADIUS server 1 for the third time and does not return to server for 3 seconds.

  -switch place RADIUS server, one in a State of low/dead for 10 minutes.

  -switch attempts to authenticate to Server 2.

• RADIUS Server - Windows server 2008

  Hello world

  We use the windows 2008 standard server to our domain controller. We have been in for the last two years radius server in our campus. I could see that we can configure the client only 50 radius in NPS. Is it possible to add a plus in windows 2008 standard?

  Please help me

  Teckzx

  This issue is beyond the scope of this site and must be placed on Technet or MSDN
  http://social.technet.Microsoft.com/forums/en-us/home

  http://social.msdn.Microsoft.com/forums/en-us/home

• Cisco Catalyst 2960-S switch configured for 802. 1 x sends a query to access the Radius Server Radius

  Setup

  Cisco Catalyst 2960-S running 15.0.2 - SE8

  Under Centos freeRadius 6.4 RADIUS server

  Client (supplicant) running Windows 7

  When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
  Here is my config running. Any advice would be greatly appreciated.
  #show running mySwitch-
  mySwitch #show running-config
  Building configuration...

  Current configuration: 2094 bytes
  !
  version 12.2
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec
  no password encryption service
  !
  hostname myswitch
  !
  boot-start-marker
  boot-end-marker
  !
  activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
  !
  !
  AAA new-model
  !
  !
  AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
  !
  !
  AAA - the id of the joint session
  1 supply ws-c2960s-24ts-l switch
  !
  !
  !
  !
  !
  control-dot1x system-auth
  pvst spanning-tree mode
  spanning tree extend id-system
  !
  !
  !
  !
  internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
  GigabitEthernet1/0/1 interface
  !
  interface GigabitEthernet1/0/2
  !
  interface GigabitEthernet1/0/3
  !
  interface GigabitEthernet1/0/4
  !
  interface GigabitEthernet1/0/5
  !
  interface GigabitEthernet1/0/6
  !
  interface GigabitEthernet1/0/7
  !
  interface GigabitEthernet1/0/8
  !
  interface GigabitEthernet1/0/9
  !
  interface GigabitEthernet1/0/10
  !
  interface GigabitEthernet1/0/11
  !
  interface GigabitEthernet1/0/12
  switchport mode access
  Auto control of the port of authentication
  dot1x EAP authenticator
  !
  interface GigabitEthernet1/0/13
  !
  interface GigabitEthernet1/0/14
  !
  interface GigabitEthernet1/0/15
  !
  interface GigabitEthernet1/0/16
  !
  interface GigabitEthernet1/0/17
  !
  interface GigabitEthernet1/0/18
  !
  interface GigabitEthernet1/0/19
  !
  interface GigabitEthernet1/0/20
  !
  interface GigabitEthernet1/0/21
  !
  interface GigabitEthernet1/0/22
  !
  interface GigabitEthernet1/0/23
  !
  interface GigabitEthernet1/0/24
  !
  interface GigabitEthernet1/0/25
  !
  interface GigabitEthernet1/0/26
  !
  interface GigabitEthernet1/0/27
  !
  interface GigabitEthernet1/0/28
  !
  interface Vlan1
  IP 10.1.2.12 255.255.255.0
  !
  IP http server
  IP http secure server
  activate the IP sla response alerts
  recording of debug trap
  10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
  Line con 0
  line vty 0 4
  password password
  line vty 5 15
  password password
  !
  end

  interface GigabitEthernet1/0/16
  !
  interface GigabitEthernet1/0/17
  !
  interface GigabitEthernet1/0/18
  !
  interface GigabitEthernet1/0/19
  !
  interface GigabitEthernet1/0/20

  Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.

  Regarding the configuration, it seems a bit out of the AAA. Try to remove the:

  line "aaa dot1x group service radius authentication" and this by using instead:

  "aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.

• Backup RADIUS server

  Hello

  Anyone know if you can configure a PIX to use another RADIUS server if the primary one fails? For example, a customer authenticates their VPN clients using a RADIUS server with the command of PIX:

  AAA-server ISA SERVER (host 10.222.180.10 b1bbyrad1u5 timeout 10 Interior)

  If the RADIUS server fails (as it did recently) the PIX allows another backup radius server?

  Hai David,

  The first server in the config of wil be to conclude. If it does not respond (no connection can be made) that after the timeout will be connected to the second server.

  Greetings,

  René

• How to restrict Internet access by using the RADIUS server via switch Catalyst 3560

  Dear all,

  I need a configuration using any. I have a small network of 15 users a 3560, which is in turn connected to a router ISR 2811. Interface fastethernet 0/24 switch 3560 I intend to connect to a unix based server RADIUS. ISP is connected on the opposite side of the 2811 to the fa0/0 interface.

  I want to make is that if someone among the 15 users tries to access the internet, they must be validated in the RADIUS server by their pre-configured user credentials. (I'm going to store 15 user credentials here). If someone else tries to connect (except those 15) he or she should be denied internet access.

  The RADIUS server will be having a login page to type the name of user and password.

  Please guide based on what commands I should inject into the 3560 or what specifically, I need to have to run this task.

  Thanks in advance!

  Samrat.

  I only did this in a very long time, but you probably want to do is activate the web authentication.

  http://www.Cisco.com/c/en/us/TD/docs/switches/LAN/catalyst3560/software/release/12-2_52_se/configuration/guide/3560scg/swwebauth.html

• switch 3750 EAPoL transmission RADIUS server

  I have a running version of the 3750 switch stack 12.2 (53) SE2 IPBASEK9-M. I have dot1x configured on the switch and a Windows 7 PC, connected with 802. 1 x configured on the interface. I see the EAPoL start message from the PC, but I do not see the packets from the switch to the RADIUS server RADIUS. I have a config simple dot1x just to try to make it work before adding additional features such as comments - vlan...

  Config and debug of attached file.

  I don't know if the configuration ip dhcp snooping and arp of inspection is cause a problem with that or not. I see the EAPoL packet received on the switch, as shown in the attachment of debugging, but I never see the RADIUS packet. I've defined both trust on the interface, but always the same result. I can't turn it off because there is a switch of production with a test interface.

  Any ideas?

  Thank you

  Mark

  I had the same problem and solved it is enough to configure the switch as authenticator instead of "supplicant". "Supplicant" means customer, "authenticator" means in fact the switch acts as an authenticator to pass through, it will forward the requests to the auth server, for example, host of RADIUS.

• Primary/secondary RADIUS server

  Hey all,.

  I tried to find out for awhile how primary and secondary RADIUS servers work about WLC 4400 s. If the primary RADIUS server goes down, and the secondary image is used, when the controller will return to the primary once it is up? He waits until the secondary breaks down, or done immediately switch back to the primary when it becomes available?

  Thanks in advance!

  The f

  On versions 4.2 and earlier, if the principal fails, then the secondary image is used until the secondary level is not available. So if you want the main for the radius server to use purpose, restart the secondary image. Then the tertiary then back to the primary. 5.0 has a feature in which you can define a Dungeon alive so that when the primary comes back upward, the primary will be used again. 5.0 code not a version of good code, however.