Authentication RADIUS and Cisco ACE load balancers?

Is it necessary to have user accounts locally on the Cisco ACE load balancers as well as the user accounts on the TACACS+ server where they are authenticated?

Thank you very much

Florrie

The username account should be there (I agree this is stupid), but the password is arbitrary because it authenticates back to ACS. From what I remember, it had something to do with access to the contexts: ACS is not able to determine which context is which and for which user. If all goes well it is 'fixed' in DCC 5 and later versions of the ACE.

Tags: Cisco Security

Similar Questions

  • ACS 5.2 and Cisco ACE RBAC does not...

    Would be grateful for help here if it can be provided.

    I am configuring TACACS+ auth for a Cisco ACE through our ACS 5.2 server. I think I have set everything up correctly, but when I connect with my TACACS+ account it only gives me Network-Monitor privileges.

    This is the ACE configuration I use:

    radius-server host 1.1.1.1 key XXXXXXXX
    radius-server host 2.2.2.2 key XXXXXXXX
    radius-server timeout 10
    radius-server deadtime 30
    !
    aaa group server tacacs+ ACS
      server 1.1.1.1
      server 2.2.2.2
      exit
    !
    aaa authentication login default group ACS local
    aaa authentication login console group ACS local
    aaa accounting default group ACS
    !

    This is the ACS configuration:

    When I connect to the ACE I see it authenticating and pulling the right group in the ACS log (the Status and Details columns are icons and are omitted here):

    Logged At | User Name | Network Device Name | Network Device Group | Access Service | Identity Store | Identity Group | Network Access
    Apr 30, 13 8:57:40.566 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load Balancing Devices, Network Location: Cameron Enterprises: Oklahoma: Data Center 1 | Unit Access TACACS | AD1 | All Groups: Administrator - Full | HAPP-CSACS
    Apr 30, 13 8:52:20.256 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load Balancing Devices, Network Location: Cameron Enterprises: Oklahoma: Data Center 1 | Unit Access TACACS | AD1 | All Groups: Administrator - Full | xxx
    Apr 30, 13 8:43:43.276 AM | xxxckxxx | AFA-ACE-internal | Device Type: All Device Types: Load Balancing Devices, Network Location: Cameron Enterprises: Oklahoma: Data Center 1 | Unit Access TACACS | AD1 | All Groups: Administrator - Full | xxx

    But when I log in to the ACE and do a show users, I get:

    * xxxckxxx  Dev_VC  pts/2  Apr 30 09:57  (x.x.x.x)  Network-Monitor  default-domain

    I've searched for days to find a solution for this with no luck. Any help would be greatly appreciated.

    Thank you.

    Well, it should work all the same.

    Could you please check the TACACS+ logs on the ACS and verify that the correct Shell Profile (the administrator shell profile) is being selected.

    This can be checked via:

    Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authorization

    Also provide the output of:

    show running-config

    Would appreciate it if you can share the result here.

    Jatin Katyal

    - Do rate helpful posts -

  • ACS 5.1 and Cisco ACE module

    Hello

    I would like to configure TACACS+ AAA for a Cisco Application Control Engine module in a Catalyst 6500. The ACE configuration guide advises that you need to configure additional attributes to be returned by the RADIUS server (shell:= ...) for authorization of Cisco ACE virtual contexts. My question is: where exactly should I put these settings in ACS 5.1? Is there a document describing TACACS+ configuration for ACE + ACS 5.1?

    Thank you

    WM

    Here is the doc.

    Post edited by: jkatyal

  • MS RADIUS and Cisco VPN client

    We currently have a Windows RAS server with IAS authenticating PPTP users.

    I want to move to a concentrator (we have two unused) and use the Cisco VPN client with IPsec on a 3005, also using RADIUS (IAS) on Windows to authenticate against Active Directory.

    I have a config working for the client and it performs authentication, but I'm afraid that you can't configure IAS to work with IPsec unless you configure the policy for

    "Unencrypted authentication (PAP, SPAP)"

    on the Authentication tab

    and

    "No encryption"

    on the Encryption tab.

    Are the credentials used by the Cisco VPN client to establish the tunnel encrypted with IPsec?

    For RADIUS PAP authentication, the username is in the clear and the password is encrypted with the RADIUS shared secret.

    To maximize security, you would use TACACS+ or IPsec transport mode and an isolated VLAN. But for most of us, strong passwords and physical security keep RADIUS PAP from being a significant weakness.

  • Cisco RADIUS authentication with Windows NAP with encrypted authentication

    I need a RADIUS authentication configuration for Cisco IOS devices for device management. My RADIUS server is on Windows 2008 R2.

    Can I implement this with encrypted authentication? In the attached diagram, what protocol can I use for encrypted authentication?

    According to some sites, we need to enable clear-text authentication. Is everyone implementing secure authentication such as MSCHAP?

    Hello

    You enable clear-text (PAP) authentication. Remember that RADIUS sends the username in the clear but encrypts the password. You can confirm this by taking a Wireshark capture. You also get RADIUS encryption by using a long and complex RADIUS key.

    If you want to encrypt the username and password, then you would use TACACS+.

    Thank you

    John
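The two answers above (the VPN client thread and the NAP thread) make the same point: with RADIUS PAP the User-Name travels in the clear and only the User-Password is hidden, using the shared secret. The following is an added example, not code from either thread and not Cisco or Microsoft code, that implements the RFC 2865 section 5.2 User-Password hiding in Python, builds an Access-Request and Access-Accept pair, and then shows what someone holding the capture learns: the username for free, and the password as soon as the shared secret is known or guessed, because the Access-Accept's Response Authenticator (MD5 over the reply plus the secret) is an offline verifier for secret guesses. The username, password, NAS address, the secret `cisco123` and the candidate list are all constructed for the example.

```python
"""RADIUS PAP: RFC 2865 section 5.2 User-Password hiding, and what a captured exchange reveals."""
import hashlib
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_SERVICE_TYPE = 1, 2, 4, 6
SERVICE_TYPE_ADMINISTRATIVE = 6


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret can do this from a capture."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def build_access_request(ident, authenticator, username, password, secret, nas_ip):
    """Access-Request carrying User-Name (plaintext) and a hidden User-Password."""
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
                         (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
                         (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_accept(ident, request_authenticator, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def response_authenticator_valid(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    return hashlib.md5(head + request_authenticator + attrs + secret).digest() == resp_auth


def guess_shared_secret(request: bytes, response: bytes, candidates):
    """Offline: the reply's Response Authenticator is a verifier for shared-secret guesses."""
    for candidate in candidates:
        if response_authenticator_valid(response, request[4:20], candidate):
            return candidate
    return None


def what_a_capture_shows(request: bytes, response: bytes, candidate_secrets):
    """(username, recovered secret or None, password or None) from a captured exchange."""
    attrs = parse_attributes(request)
    username = attrs[ATTR_USER_NAME].decode()            # in the clear, no secret needed
    secret = guess_shared_secret(request, response, candidate_secrets)
    password = None
    if secret is not None:
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20]).decode()
    return username, secret, password


if __name__ == "__main__":
    SECRET = b"cisco123"                                   # constructed weak shared secret
    req_auth = os.urandom(16)
    req = build_access_request(7, req_auth, b"netadmin", b"S3cret-Pa55", SECRET, "10.1.1.1")
    resp = build_access_accept(7, req_auth, SECRET)
    print(what_a_capture_shows(req, resp, [b"password", b"cisco", b"cisco123"]))
```

Run as a script it prints the username, the secret it guessed from the three-word candidate list, and the recovered password. The practical consequence is the one John gives: the "encryption" is only as strong as the shared secret, and the secret can be attacked offline from a single captured exchange, which is why a long random secret (and TACACS+ or IPsec where the username itself must be hidden) matters.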

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use both TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up authentication on the switch once:

    aaa authentication login default group tacacs+ local
    aaa authentication dot1x default group radius
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group radius
    radius-server host 2.2.2.2 key cisco
    tacacs-server host 2.2.2.2 key cisco

    On the ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA Client

    Hostname: switch1
    IP: 3.3.3.3
    Authenticate Using: RADIUS (IETF)

    Add another switch:

    Hostname: switch2
    IP: 3.3.3.3
    Authenticate Using: TACACS+

    Kind regards

    ~ JG

    Rate helpful posts

  • ACS 4.2 RADIUS authentication and RADIUS accounting

    Is it possible to configure ACS 4.2 to authenticate users of a wireless network (with autonomous APs) through RADIUS while using the same ACS to provide command accounting for the access points via TACACS+? This issue came up because when I configure the APs as 'AAA Clients' under 'Network Configuration' on the ACS server (the config required for AP and end-user authentication), the authentication method used is RADIUS (Cisco Aironet), and this prevents the generation of TACACS+ command accounting reports under "Reports and Activity > TACACS+ Administration".

    Any idea on how to solve this problem?

    Thank you

    Antonio

    Hello

    You need to add the AP a second time with a different hostname (e.g. AP and AP-t): you can use the same IP for both entries but use RADIUS for one and TACACS+ for the other.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • Load balancers for Connection Server and Security Server

    Has anyone used Barracuda load balancers in their View environment? I'm at the point where I need redundancy and load balancing. I have used Barracuda before for web server load balancing but am looking for information related to View.

    Aside from that, what are your experiences with others like F5, Cisco or any other?

    Thank you!

    Larry B.

    We have been using Riverbed Stingray (previously Zeus ZXTM) virtual LB appliances for some time now for View and many other services and have never had any problems with them. They also offer the same thing as a physical appliance.

    They have a huge number of traffic management functions: GLB, application awareness, TCP & SSL offload, etc.

    Here's a link: http://www.riverbed.com/us/products/stingray/

    Good luck finding the right solution for your needs!

  • 802.1X authentication with RADIUS and Win7 MAB

    Good afternoon!

    I have a question about 802.1X. I've set up a lab in which I have configured MAB authentication with 802.1X, but I see a weird behavior from my network adapter. On the switch (4948E), I see that the user is authenticated and authorized, and I can see these outputs on my switch:

    *Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    *Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    *Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
    *Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC

    If I type "show authentication sessions", this is the corresponding output:

    Switch#show authentication sessions

    Interface  MAC Address     Method  Domain  Status         Session ID
    Gi1/11     a01d.48ac.b7f5  mab     DATA    Authz Success  C0A8DF9C0000002E002F3DAC

    The thing is that when I check my network adapter, it says "authentication failed". This is what I've done so far:

    1. I restarted my PC; same behavior.

    2. I disabled and enabled my network adapter; same behavior.

    3. I rebooted the switch and re-configured it; same behavior.

    4. I tried with another PC configuration; same behavior.

    5. I changed the "user authentication" configuration using the dot1x EAP authenticator and it worked.

    This is the configuration I have on my switch:

    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa session-id common
    !
    dot1x system-auth-control
    !
    Switch#show run int gigabitEthernet 1/11
    Building configuration...

    Current configuration : 128 bytes
    !
    interface GigabitEthernet1/11
     description Cx-to-Host
     switchport access vlan 223
     switchport mode access
     authentication port-control auto
     mab
    end

    This is the first time I'm putting up an 802.1X configuration. Am I doing something wrong?

    I really hope that I am not the only one with this kind of behavior!

    Thank you for any assistance you can give me!

    Status: Authz Success

    This means that the port is open. Is this permanent? Keep looking at the show output for a few minutes to see if it tries dot1x too. Can you ping from the PC?

    Since 802.1X authentication is enabled in the properties of the PC's network adapter, you can expect the dot1x method to run on the switch and eventually respond to the computer with an auth fail. The authentication checkbox on the PC is not necessary for MAB.

    What type of RADIUS server are you using, and is there an 802.1X policy in addition to the MAB policy?

    IP Address: Unknown

    This means that the switch did not learn the IP address of the host, probably due to the lack of the

    ip device tracking

    command. But it is not necessary for plain MAB or dot1x.
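The answer above reads the switch's %AUTHMGR messages rather than what the Windows supplicant displays: "Authz Success" means the switch opened the port, whatever the PC says. The following is an added example, not part of the thread and not a Cisco tool, that parses those syslog lines into per-AuditSessionID state and flags sessions the switch authorized by MAB alone, including the case where 802.1X failed first and MAB then opened the port, which is exactly the sequence a spoofed MAC of a known device produces. The sample log is constructed: the first session reproduces the messages quoted in the post, the second (Gi1/12, 0050.56aa.1234) is invented to show the dot1x-fail-then-MAB path.

```python
"""Parse IOS %AUTHMGR / %MAB / %DOT1X syslog into per-session state and flag MAB-only authorizations."""
import re
from dataclasses import dataclass, field

# Constructed sample: session 1 mirrors the messages quoted in the post; session 2 (Gi1/12,
# 0050.56aa.1234) is invented to show an 802.1X failure followed by a MAB authorization.
SAMPLE_LOG = """\
*Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:14:02.110: %AUTHMGR-5-START: Starting 'dot1x' for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:05.120: %DOT1X-5-FAIL: Authentication failed for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:05.125: %AUTHMGR-7-RESULT: Authentication result 'fail' from 'dot1x' for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:05.300: %AUTHMGR-5-START: Starting 'mab' for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:05.400: %MAB-5-SUCCESS: Authentication successful for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:05.405: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
*Apr 21 15:14:06.000: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0050.56aa.1234) on Interface Gi1/12 AuditSessionID C0A8DF9C0000002F002F4000
"""

LINE_RE = re.compile(r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %(?P<msg>[A-Z0-9]+-\d-[A-Z_]+): (?P<text>.*)$")
CLIENT_RE = re.compile(r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)")
METHOD_RE = re.compile(r"'(?P<method>mab|dot1x|webauth)'")
RESULT_RE = re.compile(r"result '(?P<result>\w+)' from '(?P<method>\w+)'")


@dataclass
class Session:
    session_id: str
    mac: str
    interface: str
    started: list = field(default_factory=list)   # methods in the order AUTHMGR tried them
    results: dict = field(default_factory=dict)   # method -> 'success' / 'fail'
    authorized: bool = False                      # True once AUTHMGR-5-SUCCESS (port opened)
    last_seen: str = ""


def parse_authmgr_log(text: str) -> dict:
    """Return {AuditSessionID: Session} built from the syslog lines in text."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        c = CLIENT_RE.search(m["text"])
        if not c:
            continue
        s = sessions.setdefault(c["sid"], Session(c["sid"], c["mac"], c["intf"]))
        s.last_seen = m["ts"]
        if m["msg"] == "AUTHMGR-5-START":
            mm = METHOD_RE.search(m["text"])
            if mm:
                s.started.append(mm["method"])
        elif m["msg"] == "AUTHMGR-7-RESULT":
            r = RESULT_RE.search(m["text"])
            if r:
                s.results[r["method"]] = r["result"]
        elif m["msg"] == "AUTHMGR-5-SUCCESS":   # "Authorization succeeded": the port is open
            s.authorized = True
        elif m["msg"] == "AUTHMGR-5-FAIL":      # "Authorization failed"
            s.authorized = False
    return sessions


def authorized_by_mab(sessions: dict) -> list:
    """Sessions whose port is open on a MAC-address lookup alone (no successful 802.1X)."""
    return [s for s in sessions.values()
            if s.authorized and s.results.get("mab") == "success" and s.results.get("dot1x") != "success"]


def mab_after_dot1x_failure(sessions: dict) -> list:
    """Subset of authorized_by_mab where 802.1X failed first on the same session: review these,
    since a spoofed MAC of a known MAB device produces exactly this sequence."""
    return [s for s in authorized_by_mab(sessions) if s.results.get("dot1x") == "fail"]


if __name__ == "__main__":
    sess = parse_authmgr_log(SAMPLE_LOG)
    for s in sess.values():
        print(f"{s.interface} {s.mac} tried={s.started} results={s.results} authorized={s.authorized}")
    print("MAB after dot1x failure:", [s.session_id for s in mab_after_dot1x_failure(sess)])
```

Feed it `show logging` output or the syslog collector's file instead of `SAMPLE_LOG`; on the poster's switch the first session is what the parser sees, and it reports the port as authorized by MAB regardless of the "authentication failed" the supplicant shows.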

  • Cisco ACE IPS and Cisco ASA AIP-SSM (IPS)

    Is there a difference between the features offered by the Cisco ACE IPS and Cisco ASA AIP-SSM (IPS) devices?

    Can we do without the Cisco ASA AIP-SSM (IPS) by 'only' configuring/implementing the Cisco ACE IPS?

    Cisco AVS/ACE focuses on delivering and securing web-based applications. An IPS does not focus on just web applications and tries to cover multiple layers of the OSI stack. Think of the IPS as a general practitioner and the ACE/AVS as an eye surgeon, or something :)

    Here is the response from Cisco itself:

    http://www.Cisco.com/en/us/prod/collateral/modules/ps2706/ps6906/prod_qas0900aecd8045867c_ps6492_Products_Q_and_A_Item.html

    Q: How does the Cisco AVS Application Firewall differ from an intrusion prevention system (IPS)?

    A. IPSs are solid solutions for protection against targeted attacks on known vulnerabilities in major platforms such as Windows, Solaris, Apache or Microsoft Internet Information Services (IIS). Cisco AVS excels at protecting against targeted attacks on web sites or enterprise applications. These applications can be custom-built internal applications or vendor software. Signatures and security patches are generally not available for these types of applications, and building these security layers into each application would be almost impossible.

    Q: How does the Cisco AVS Application Firewall differ from a network firewall?

    A. The Cisco AVS 3120 and network firewalls such as the Cisco PIX® and Cisco ASA 5500 Series Adaptive Security Appliances are complementary products. The Cisco AVS Application Firewall secures web applications; network firewalls excel at network security; and Cisco AVS provides defense in depth for web applications.

    Network firewalls apply policy to networks, IP addresses and ports; they have a wide range of application-layer features for many different protocols. Firewalls can and will be deployed in many locations, including the edge, the enterprise network edge, branches, etc. Cisco AVS enforces policy on HTTP data such as URLs, headers and parameters. Cisco AVS is deployed in the data center in front of web applications.

    Regards

    Farrukh

  • 802.1X authentication for a printer and Cisco ISE

    Hello

    What is the best practice to authenticate a printer with 802.1X in Cisco ISE?

    The printer can store a certificate for authentication and supports EAP-TLS.

    Thanks for the reply.

    Marco

    Please refer to the authentication rules:

    www.Cisco.com/c/en/US/TD/docs/Security/ISE/1-2/user_guide/ise_user_guide...

  • VMware View 5.1 and RADIUS authentication - password problem

    I use Trustwave for 2-factor authentication on a View 5.1.1 server.  The Trustwave proxy server requires that you enter your Active Directory password followed by a comma, then the access code provided by Trustwave.  After that, you get the normal VMware View login where you have to enter your Active Directory password.  Is there a way to remove the comma and the password from the first login box and simply pass the Active Directory password to the 2nd dialog box?  See the following two dialog boxes.

    NOTE: Everything works fine, but it is confusing for the user to enter his Active Directory password twice.

    NOTE: When I check the box under Authenticators > Manage, "Use the same username and password for Windows and RADIUS authentication", I naturally get an error because it passes the Active Directory password, the comma and the Trustwave code to the 2nd login dialog.

    taopiglet wrote:

    ... Is there a way to remove the comma and the password from the first login box and simply pass the Active Directory password to the 2nd dialog box?

    ...

    LOL

    What happens with most RADIUS servers is that the first prompt is for the AD username and password. There is then a challenge to get the access token code. In this case, you can configure View to skip the next AD password prompt so that View can take the original RADIUS (AD password) authentication code and use it for the AD authentication part.

    Some RADIUS vendors operate this way.

    If the Trustwave RADIUS server can be configured to do an Access-Challenge, it would be a more standard approach than trying to parse the password fields in this way.

    I can see why this would be irritating to users.

  • NIC teaming with HP VirtualConnect blades and Cisco load balancing

    Hello

    I am configuring an ESX infrastructure running on HP blades (c7000 enclosure), VirtualConnect and Cisco 3750 switches for the uplink. My network configuration is based on the HP VirtualConnect Cookbook, scenario 11.

    On the ESX server, I configured a vSwitch with two NICs teamed. Each NIC sees a different VirtualConnect network. Each VC network has SmartLink enabled.

    Each VirtualConnect network is associated with two ports on a VC bay. These two ports are the uplinks to the Cisco 3750 switches. The Cisco switches are configured as a stack, and each port associated with the VC network is configured with LACP.

    Here are the facts:

    - Each network (Host A and Host B) is properly configured for LACP; in other words, the links are shown as active/active in VC Manager.

    - ESX communication is good.

    - Failover and failback work OK.

    The problem: I can't get load balancing to work. All virtual machines use a single uplink. I tried different algorithms on the ESX server (source port ID, MAC hash, IP hash) and the equivalent configuration on the Cisco side.

    I have attached a diagram of the physical network as well as the port settings.

    What am I missing? Thank you very much

    Pablo

    Because you are technically not creating a channel from an ESX perspective, you do not want to use IP hash.  If ESX attempts to send traffic through both NICs, the Cisco switch should drop those packets as part of its loop avoidance algorithms.  You should be able to check that in the switch port statistics.  You should be using the virtual switch port ID.

    Not sure about promiscuous mode.  That should not matter as far as load balancing is concerned, unless the port group did not properly inherit the vSwitch properties?

    -KjB

    VMware vExpert

  • WAAS RADIUS configuration for a Windows Server 2012 NPS server

    I'm having trouble getting our WAAS to authenticate devices and logins via RADIUS.  Running NPS on Windows Server 2012.  Confirmed that my WAAS device can ping the IP address of the RADIUS server.  Using the Administrative Service-Type attribute under network policies.  Looking in the Event Viewer, I get an error with event ID 15: "A malformed RADIUS message was received from client xxxx-WAAS-01. The data is the RADIUS message."

    Right now, I can log in only with the default local username and password.  Here is some of the config from the WAAS, running version 6.2.1:

    radius-server key ****
    radius-server host 10.194.10.13 auth-port 1645
    !
    authentication login local enable secondary
    authentication login radius enable primary
    authentication configuration local enable secondary
    authentication configuration radius enable primary
    authentication fail-over server-unreachable

    I confirmed that my shared key is entered correctly on the WAAS and on NPS.  I have Cisco switches/routers working fine against the same RADIUS server.

    Has anyone had any luck connecting their WAAS devices to RADIUS using Windows Server 2012 and NPS?  If so, please share the additional steps you took to get things working.

    Hi Paul,

    Based on the RADIUS error, you are probably hitting defect CSCva14731. This was discovered with Cisco ACS but can affect other RADIUS servers.

    To confirm, you can check for the corresponding error in the WAAS syslog:

    authenticate: %WAAS-UNKNOWN-3-899999: pam_radius_auth: talk_radius: RADIUS server did not respond (timeout 5 sec)

    Also, this defect does not affect devices on WAAS 5.x software.

    The problem will be fixed in the upcoming 6.2.3 release.
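NPS event ID 15 means the server discarded the datagram before it ever evaluated the credentials. The thread attributes this to a WAAS defect and does not say what was wrong with the packet, so the following added example (not from the thread, not Cisco or Microsoft code) only shows the framing rules from RFC 2865 sections 3 and 5 that such a check enforces: a Length field between 20 and 4096 that does not exceed the bytes actually received (extra trailing bytes are padding and are ignored), attribute Lengths of at least 2 that stay inside the packet, fixed-size attributes of the right size, and a hidden User-Password that is a non-empty multiple of 16 bytes. The sample datagrams are constructed (fixed authenticator, dummy hidden password bytes, dummy NAS address); point `validate_radius_frame` at a datagram pulled out of a capture of the WAAS-to-NPS exchange to see which rule, if any, trips.

```python
"""Framing checks a RADIUS server applies before it looks at credentials (RFC 2865 sections 3 and 5)."""
import struct

ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
# Known codes: RFC 2865/2866 (1-5, 11-13) and RFC 5176 CoA/Disconnect (40-45)
KNOWN_CODES = {1, 2, 3, 4, 5, 11, 12, 13, 40, 41, 42, 43, 44, 45}
# On-the-wire attribute lengths (type + length + value) for fixed-size attributes
FIXED_LENGTHS = {ATTR_NAS_IP_ADDRESS: 6, ATTR_MESSAGE_AUTHENTICATOR: 18}


def validate_radius_frame(datagram: bytes) -> list:
    """Return the list of reasons the datagram is malformed (empty list = well-formed)."""
    problems = []
    if len(datagram) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in KNOWN_CODES:
        problems.append(f"unknown Code {code}")
    if length < 20 or length > 4096:
        problems.append(f"Length field {length} outside 20..4096")
    if length > len(datagram):
        problems.append(f"Length field {length} exceeds datagram size {len(datagram)}")
        return problems                                   # cannot walk attributes safely
    body, pos = datagram[20:length], 0                   # octets beyond Length are padding
    while pos < len(body):
        if pos + 2 > len(body):
            problems.append(f"dangling attribute byte at offset {20 + pos}")
            break
        atype, alen = body[pos], body[pos + 1]
        if alen < 2:
            problems.append(f"attribute type {atype} has Length {alen} (< 2); parser would loop")
            break
        if pos + alen > len(body):
            problems.append(f"attribute type {atype} Length {alen} overruns packet")
            break
        value = body[pos + 2:pos + alen]
        if atype in FIXED_LENGTHS and alen != FIXED_LENGTHS[atype]:
            problems.append(f"attribute type {atype} has Length {alen}, expected {FIXED_LENGTHS[atype]}")
        if atype == ATTR_USER_PASSWORD and (len(value) % 16 or not 16 <= len(value) <= 128):
            problems.append(f"User-Password value is {len(value)} bytes; must be a multiple of 16 from 16 to 128")
        pos += alen
    return problems


def _packet(attrs: bytes, declared_length=None) -> bytes:
    """Constructed sample Access-Request with a fixed, non-random authenticator (test data only)."""
    length = 20 + len(attrs) if declared_length is None else declared_length
    return struct.pack("!BBH", 1, 5, length) + b"\x11" * 16 + attrs


# Constructed datagrams: User-Name "user1234", 16 dummy hidden-password bytes, NAS-IP 10.1.1.1
GOOD = _packet(b"\x01\x0auser1234" + b"\x02\x12" + b"\xaa" * 16 + b"\x04\x06\x0a\x01\x01\x01")
TRUNCATED = GOOD[:30]                     # Length says 54 bytes, only 30 arrived
ZERO_LENGTH_ATTR = _packet(b"\x01\x00")   # an attribute with Length 0
SHORT_PASSWORD = _packet(b"\x02\x0f" + b"\xaa" * 13)   # 13-byte User-Password (not a 16 multiple)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                      ("ZERO_LENGTH_ATTR", ZERO_LENGTH_ATTR), ("SHORT_PASSWORD", SHORT_PASSWORD)):
        print(name, validate_radius_frame(pkt) or "ok")
```

A server that applies these rules logs the discard rather than an authentication failure, which matches the symptom in the thread: nothing reaches the point where the shared secret or the policy would be checked.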

  • Setting up RADIUS authentication on ACS 4.0.2

    Dear Experts,

    I have ACS 4.0.2 in my network, which I want to use for 802.1X RADIUS for clients using the PEAP-MSCHAPv2 authentication method.

    According to the documentation "EAP Authentication with RADIUS Server", Doc ID: 44844,

    I have configured Network Configuration and populated the AAA client IP address range and the secret key.

    Question 1:

    Under the "Authenticate Using" option, there are various flavors available for selection. For a non-Cisco AAA client, should I choose RADIUS (IETF)?

    Question 2:

    In the snapshot above, there is an option called Global Authentication Setup, where we can configure the EAP configuration. Under the PEAP subsection there is an "Allow EAP-MSCHAPv2" checkbox.

    After checking it, is a restart required on the ACS server? Would it cause disruption to existing services on ACS?

    Kindly help, as this is not mentioned in the documentation available to me.

    Kind regards

    Knockaert

    Hello

    Question 1:

    3rd-party devices should generally conform to the RADIUS standards. In that case, selecting RADIUS (IETF) should be fine. If 3rd-party-specific attributes (for example the VLAN ID) are required, then contact the 3rd-party device's support to confirm whether a RADIUS dictionary must be added to the RADIUS server in order to send vendor-specific attributes.

    NOTE: We can add RADIUS dictionaries to ACS in the case described above, but you will need the appropriate dictionary file, usually provided by the 3rd-party device's support.

    Question 2:

    To enable PEAP or any other EAP method on ACS 4.x, we need to use the Submit + Apply option. ACS services will be restarted (the RADIUS and Auth services). It should take less than a minute in a common scenario for ACS to apply the changes. It is not a reboot of the server, but a restart of the services instead.

    I hope this helps.

    Kind regards.
