RADIUS-server host command problem
Hi all
I have cisco 4506 e - 8 L - e sup with the latest IOS image, but host X.X.X.X command radius server is not available, I've heard that this order has been changed now, can someone tell me the new syntax of this command because I'm setting this switch to cisco ISE...
Kind regards
The syntax is:
radius server A-NAME-FOR-THE-SERVER address ipv4 10.10.10.10 auth-port 1812 acct-port 1813 key YOUR-KEY
Tags: Cisco Security
Similar Questions
-
I have a quick question for you... is there a limit on the radius-server how can I have on a router? I mean, right now, I have:
RADIUS-server host 192.168.11.10 single-connection
RADIUS-server host 192.168.21.53 single-connection
can I add another without killing something?
RADIUS-server host 192.168.51.27 single-connection
Warren,
Yes, add the serveur.27 to the already existing list of RADIUS Server won't kill anything. You can use more than one radius-server host command to specify additional hosts. The software Cisco IOS research hosts in the order in which specify you them.
http://www.Cisco.com/en/us/docs/iOS/12_3/Security/command/reference/sec_s1g.html#wp1100025
Kind regards
Arul
* Rate pls if it helps *.
-
How to account for the Radius Server cisco vpn client
Hello
I would like to realize vpn cisco customers
My config is:
AAA authentication login default local radius group
RADIUS AAA authentication login aaa_radius local group
RADIUS group AAA authorization exec default authenticated if
AAA authorization vpn LAN
failure to exec AAA accounting
action-type market / stop
RADIUS group
!
AAA accounting network aaa_radius
action-type market / stop
RADIUS groupRADIUS-server host x.x.x.x auth-port 1812 acct-port 1813 key xxxxx
No package of accounitng is sent to the server radius, only the packages autthetication
RADIUS server is freeradius
Thank you
Pet
Hello!
The sequence of commands you add to your configuration:
1. in the case of former card crypto
crypto-NAME of the customer accounting card card list aaa_radius
2. in the case of isakmp profiles
Profile of crypto isakmp PROFILE NAME
accounting aaa_radius
When the NAME of the map and the PROFILE NAME real names for you profile crypto map or isakmp respectively.
I hope this helps.
Best regards.
-
How the device select radius-server
Hi guys,.
We have the existing Ganymede configuration to form our devices and server ACS 2 did. the acs server are managed with other suppliers that the acs server is on their site. Now intended to manage the acs server. We installed a new server CSA of our location, we have thousand of the devices, if we move to the new server we just add the acs unit 2 Server? the new acs server will be are able to connect to the device? How a device chooses which acs primary or secondary server? Please notify.
Old configuration
AAA new-model
AAA authentication login vtymethod group Ganymede + local
AAA authorization config-commands
AAA authorization exec default group Ganymede + local authenticated by FIS
AAA authorization commands 0 default group Ganymede + local authenticated by FIS
15 AAA authorization commands default group Ganymede + local authenticated by FIS
AAA accounting send stop-record an authentication failure
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA accounting system default start-stop Ganymede group.
Ganymede IP source-interface Loopback0
RADIUS-server host 10.x.x.x
RADIUS-server host 10.x.x.x
New config
AAA new-model
AAA authentication login vtymethod group Ganymede + local
AAA authorization config-commands
AAA authorization exec default group Ganymede + local authenticated by FIS
AAA authorization commands 0 default group Ganymede + local authenticated by FIS
15 AAA authorization commands default group Ganymede + local authenticated by FIS
AAA accounting send stop-record an authentication failure
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 0 arrhythmic default group Ganymede +.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA accounting system default start-stop Ganymede group.
Ganymede IP source-interface Loopback0
RADIUS-server host 10.x.x.x
RADIUS-server host 10.x.x.x
RADIUS-server host 100.x.x.x<-->-->
RADIUS-server host 100.x.x.x<-->-->
Hi m.,.
N ° not round robin.
It checks the first IP address. It checks only the following IP address if one has failed.
I hope it's clearer now
Rating of useful answers is more useful to say "thank you".
-
Cisco 1812 no contact to the Radius Server
Hi guys,.
IM pretty new to cisco and plays with an 1812 products... I am trying set up an easy VPN server, with the support of ray and I can see that I did everything right, but there is a problem, because the router do not contact the RADIUS server and the RADIUS server has been tested ok.
Anyone who can see what I'm missing? Worked with this problem for 3 days now.
Here is my CONF.
Current configuration: 9170 bytes
!
! Last modification of the configuration to 13:44:49 UTC Tuesday, October 12, 2010
!
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot-end-marker
!
!
no set record in buffered memory
!
AAA new-model
!
!
AAA server radius sdm-vpn-server-group 1 group
auth-port 1645 90.0.0.245 Server acct-port 1646
!
AAA authentication login default local
AAA authentication login sdm_vpn_xauth_ml_1-passwd-expiry group sdm-vpn-server-group 1
AAA authorization exec default local
AAA authorization sdm_vpn_group_ml_1 LAN
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-250973313
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 250973313
revocation checking no
!
!
TP-self-signed-250973313 crypto pki certificate chain
certificate self-signed 01
308201A 5 A0030201 02020101 3082023C 300 D 0609 2A 864886 F70D0101 04050030
2 040355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 32353039 37333331 33301E17 313031 30313230 39343333 0D 6174652D
395A170D 2E302C06 1325494F 03540403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 4365 72746966 69636174 652 3235 30393733 642D
06092A 86 4886F70D 01010105 33313330 819F300D 00308189 02818100 0003818D
BCF94FB0 77240E92 B703CE70 556D5D22 A57823E5 DD4CD4C4 12D639DE 5E97DB2D
81FBB304 9FA677A6 CAD84F96 9734081B F8F8FAAE 000B02FB AEF7C7B1 73AFA44B
7D27E112 8991F03B 3D4FD484 34E2EA9F BD426F73 48778F2A AD35AAD6 EC00805D
249B 8702 D545AEEA 40670DFD 3E6BEC29 EE48A0C6 CB7694FD 722D1A62 3A499CC5
02030100 01A 36630 03551 D 13 64300F06 0101FF04 05300301 01FF3011 0603551D
11040A 30 08820652 6F757465 72301F06 23 04183016 801462CB F6BD12F6 03551D
080C8A89 F9FBBDCE 9751528A FFFD301D 0603551D 0E041604 1462CBF6 BD12F608
0C8A89F9 FBBDCE97 51528AFF FD300D06 092 HAS 8648 01040500 03818100 86F70D01
ACA87977 CF 55225 6 9147E57E 8B5A8CA8 46348CAF 801D11C6 9DA57C69 14FA5076
6844F0CC 4CBEB541 136A483A 69F7B7F0 E44474E8 14DC2E80 CC04F840 B 3531, 884
F08A492D 8C3902C0 725EE93D AC83A29F 799AAE0F 5795484B B3D02F84 911DB135
5 189766 C30DA111 6B9B4E46 E999DA5B 202 21B0B9D4 HAS 6900 07A93D8D 41C7FD21
quit smoking
dot11 syslog
IP source-route
!
!
!
!
!
IP cef
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
license udi pid CISCO1812/K9 sn FCZ10232108
username admin privilege 15 secret 5 P677 $1$ $ Rggfdgt8MeD8letZDL08d.
!
!
!
type of class-card inspect correspondence sdm-nat-smtp-1
game group-access 101
smtp Protocol game
type of class-card inspect entire game SDM_AH
match the name of group-access SDM_AH
type of class-card inspect all sdm-cls-insp-traffic game
match Protocol cuseeme
dns protocol game
ftp protocol game
h323 Protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
inspect the class-map match sdm-insp-traffic type
corresponds to the class-map sdm-cls-insp-traffic
type of class-card inspect all SDM-voice-enabled game
h323 Protocol game
Skinny Protocol game
sip protocol game
type of class-card inspect entire game SDM_IP
match the name of group-access SDM_IP
type of class-card inspect entire game SDM_ESP
match the name of group-access SDM_ESP
type of class-card inspect entire game SDM_EASY_VPN_SERVER_TRAFFIC
match Protocol isakmp
match Protocol ipsec-msft
corresponds to the SDM_AH class-map
corresponds to the SDM_ESP class-map
type of class-card inspect the correspondence SDM_EASY_VPN_SERVER_PT
corresponds to the SDM_EASY_VPN_SERVER_TRAFFIC class-map
type of class-card inspect all match sdm-cls-icmp-access
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect correspondence sdm-invalid-src
game group-access 100
type of class-card inspect correspondence sdm-icmp-access
corresponds to the class-map sdm-cls-icmp-access
type of class-card inspect correspondence sdm-Protocol-http
http protocol game
!
!
type of policy-card inspect sdm-permits-icmpreply
class type inspect sdm-icmp-access
inspect
class class by default
Pass
type of policy-card inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class class by default
drop
type of policy-map inspect sdm - inspect
class type inspect sdm-invalid-src
Drop newspaper
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-Protocol-http
inspect
class type inspect SDM-voice-enabled
inspect
class class by default
Pass
type of policy-card inspect sdm-enabled
class type inspect SDM_EASY_VPN_SERVER_PT
Pass
class class by default
drop
type of policy-card inspect sdm-license-ip
class type inspect SDM_IP
Pass
class class by default
Drop newspaper
!
security of the area outside the area
safety zone-to-zone
ezvpn-safe area of zone
safety zone-pair sdm-zp-self-out source destination outside zone auto
type of service-strategy inspect sdm-permits-icmpreply
source of sdm-zp-out-auto security area outside zone destination auto pair
type of service-strategy inspect sdm-enabled
safety zone-pair sdm-zp-in-out source in the area of destination outside the area
type of service-strategy inspect sdm - inspect
sdm-zp-NATOutsideToInside-1 zone-pair security source outside the area of destination in the area
type of service-strategy inspect sdm-pol-NATOutsideToInside-1
in the destination box source sdm-zp-in-ezvpn1 ezvpn-pairs area security
type of service-strategy inspect sdm-license-ip
source of sdm-zp-out-ezpn1 of security area outside zone ezvpn-zone time pair of destination
type of service-strategy inspect sdm-license-ip
safety zone-pair sdm-zp-ezvpn-out1-source ezvpn-zone of destination outside the area
type of service-strategy inspect sdm-license-ip
safety zone-pair source sdm-zp-ezvpn-in1 ezvpn-area destination in the area
type of service-strategy inspect sdm-license-ip
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group Sindby crypto isakmp client
key TheSommerOf03
90.0.0.240 DNS 8.8.8.8
win 90.0.0.240
SBYNET field
pool SDM_POOL_2
Max-users 15
netmask 255.255.255.0
ISAKMP crypto sdm-ike-profile-1 profile
identity Sindby group match
client authentication list sdm_vpn_xauth_ml_1
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
Crypto ipsec transform-set esp-SHA2-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA3-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA4-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA5-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA6-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA7-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA8-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA9-ESP-3DES esp-sha-hmac
Crypto ipsec transform-set esp-3des SHA10-ESP-3DES esp-sha-hmac
!
Profile of crypto ipsec SDM_Profile1
game of transformation-ESP-3DES-SHA10
isakmp-profile sdm-ike-profile-1 game
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
!
interface FastEthernet0
Description $FW_OUTSIDE$
IP address 93.166.xxx.xxx 255.255.255.248
NAT outside IP
IP virtual-reassembly in
outside the area of security of Member's area
automatic duplex
automatic speed
!
interface FastEthernet1
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
FastEthernet6 interface
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
type of interface virtual-Template1 tunnel
IP unnumbered FastEthernet0
ezvpn-safe area of Member's area
ipv4 ipsec tunnel mode
Tunnel SDM_Profile1 ipsec protection profile
!
interface Vlan1
Description $FW_INSIDE$
IP 90.0.0.190 255.255.255.0
IP nat inside
IP virtual-reassembly in
Security members in the box area
!
local IP SDM_POOL_1 90.0.0.25 pool 90.0.0.29
local IP SDM_POOL_2 90.0.0.75 pool 90.0.0.90
IP forward-Protocol ND
IP http server
local IP http authentication
IP http secure server
IP http timeout policy inactive 600 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.1.200 25 interface FastEthernet0 25
the IP nat inside source 1 interface FastEthernet0 overload list
IP route 0.0.0.0 0.0.0.0 93.166.xxx.xxx
!
SDM_AH extended IP access list
Remark SDM_ACL = 1 category
allow a whole ahp
SDM_ESP extended IP access list
Remark SDM_ACL = 1 category
allow an esp
SDM_IP extended IP access list
Remark SDM_ACL = 1 category
allow an ip
!
exploitation forest esm config
access-list 1 permit 90.0.0.0 0.0.0.255
Access-list 100 = 128 SDM_ACL category note
access-list 100 permit ip 255.255.255.255 host everything
access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
access-list 100 permit ip 93.166.xxx.xxx 0.0.0.7 everything
Remark SDM_ACL category of access list 101 = 0
IP access-list 101 permit any host 192.168.1.200
!
!
!
!
!
!
RADIUS-server host 90.0.0.245 auth-port 1645 acct-port 1646
!
control plan
!
!
Line con 0
line to 0
line vty 0 4
transport input telnet ssh
!
end
Hello
Looks like you're missing the key from the radius server configuration "RADIUS-server host 90.0.0.245 auth-port 1645 1646 key your_keyacct-port»
Thank you
Wen
-
Dell Powerconnect 35xx series features Radius Server behaviorfin
Hello Dell Community,
I'm not able to find out how 35xx series switches handle 'server radius deadtime' parameter as described below:
In the config of switch, I use two hosts(for redundancy) radius. The first has priority of '1' configured RADIUS, the second server is priority '2 '. So normally, if the first sever(priority 1) RADIUS online, auth requests switch are sent to this server all the time. And they really are.
Now, I have also configured the 'deadtimet 10 radius server', meaning to jump on the radius server does not respond. Does that mean exactly?
If the radius with priority 1 server is offline for a few seconds, the switch instantly consider this as dead radius server and sent no auth request it for the "period deadtime ' 10 minutes (depending on configuration)? How often switch check for the availability of the radius server host?
config swtich:
IP address Port port Prio time - Ret-dead-source IP. Its use
AUTH Acct Out rans times
--------------- ----- ----- ------ ------ ------ --------------- ----- -----
10.10.10.10 1812 1813 global Global Global Global 1 all the
10.10.10.20 1812 1813 global Global Global Global every 2Global values
--------------Waiting period: 2
Broadcast: 5
Deadtime: 10
Source IP: 0.0.0.0
Source IPv6:Retransmission will say the switch many times in an attempt to authenticate to the RADIUS server before moving on to the second server. Timeout is indicative of the switch, the waiting time for a response. Deadtime will subsequently intervene in these two parameters have been exhausted.
Example config:
Server radius coverage of console (config) # 3
Console (config) # timeout 3 radius server
Deadtimet console (config) # 10 radius server
Result of config:
-The client tries to connect.
-switch attempts to authenticate the server 1.
-Switch means no RADIUS server 1 for 3 second.
-Switch waits 3 seconds.
-Switch attempts to authenticate to the RADIUS server 1 for the second time and does not return to server for 3 seconds.
-Switch waits 3 seconds.
-Switch attempts to authenticate to the RADIUS server 1 for the third time and does not return to server for 3 seconds.
-switch place RADIUS server, one in a State of low/dead for 10 minutes.
-switch attempts to authenticate to Server 2.
-
Setup
Cisco Catalyst 2960-S running 15.0.2 - SE8
Under Centos freeRadius 6.4 RADIUS server
Client (supplicant) running Windows 7
When Windows client is connected to the port (port 12 in my setup) with authentication of 802. 1 x active switch, show of Wireshark that catalyst sends ask EAP and the client responds with EAP response. But it made not the request to the Radius server. The RADIUS test utility 'aaa RADIUS testuser password new-code test group' works.
Here is my config running. Any advice would be greatly appreciated.
#show running mySwitch-
mySwitch #show running-config
Building configuration...Current configuration: 2094 bytes
!
version 12.2
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname myswitch
!
boot-start-marker
boot-end-marker
!
activate the password secret 5 $1$ Z1z6$ kqvVYRQdVRZ0h8aDTV5DR0 enable password!
!
!
AAA new-model
!
!
AAA dot1x group group radius aaa accounting dot1x default start-stop radius authentication group!
!
!
AAA - the id of the joint session
1 supply ws-c2960s-24ts-l switch
!
!
!
!
!
control-dot1x system-auth
pvst spanning-tree mode
spanning tree extend id-system
!
!
!
!
internal allocation policy of VLAN no ascendant interface FastEthernet0 no stop ip address!
GigabitEthernet1/0/1 interface
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface GigabitEthernet1/0/5
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
switchport mode access
Auto control of the port of authentication
dot1x EAP authenticator
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
IP 10.1.2.12 255.255.255.0
!
IP http server
IP http secure server
activate the IP sla response alerts
recording of debug trap
10.1.2.1 host connection tcp port 514 RADIUS-server host 10.1.2.1 transport auth-port 1812 acct-port 1646 timeout 3 retransmit testing123 key 3.
Line con 0
line vty 0 4
password password
line vty 5 15
password password
!
endinterface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20Have you run wireshark on the server because the request to switch? If so you make sure that there is a response from the server? For Windows network POLICY Server (I've never tried Centos), you must ensure that the request is related to a policy which then authenticates, or denies access. Usually, it is a matter of such attributes and the seller.
Regarding the configuration, it seems a bit out of the AAA. Try to remove the:
line "aaa dot1x group service radius authentication" and this by using instead:
"aaa dot1x default radius authentication group". After the dot1x word you are supposed to provide a list of the authentication or the default Word if you do not want to use a list.
-
I need help on setting up a secondary RADIUS server. I have a primary and secondary school. I would like AAA sending requests to the secondary server when the primary is either down or stopped service on the primary. Any ideas?
You should consider two methods:
The old school one like that.
AAA new-model
AAA authentication login default group Ganymede + local
!
radius-server host 10.1.122.11
radius-server host 10.2.32.13
RADIUS-server key abcdef
If not, try a method of group like this:
AAA new-model
AAA server Ganymede group + ABCGROUP
Server 10.1.1.5
10.1.1.13 Server
!
ABCGROUP line group AAA authentication login default
!
GANYMEDE-Server 10.1.1.5 host
radius-server host 10.1.1.13
RADIUS-server key abcdef
!
Because the shared key (secret) cannot be configured in the configuration group, you must define RADIUS servers again at the end of the config.
!
Make sure that you have connectivity at a time before testing. Stop the service on your primary ACS and keep an eye on the reports to see the authentications spent in vain.
Here; s another tip:
By fallback authentication 'line', you can immediately distinguish a line Login and Ganymede Login. GANYMEDE will show: "username:" and encourages you to line "password:
!
Let me know how things are going.
See you soon
-
Hi all
I configured a radius server on my sbs2008 server. I am able to test successfully, the ASA, but when I try to connect with the Anyconnect client I get a connection failure. When I check the logs I see that the VPN is trying to authenitcate against the local database and not my RADIUS server evern if I set authentication server group. I also rebooted the thought of the asa that was the issue.
Here is my config:
WebVPN
port 444
allow outside
SVC disk0:/anyconnect-win-3.1.03103-k9.pkg 1 image
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec
internal OAC group policy
OAC group policy attributes
value of 192.168.2.2 WINS server
value of server DNS 192.168.2.2
VPN-tunnel-Protocol svc webvpn
group-lock value OAC
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value OAC
value by default-field OAC. LOCAL
remote access to OAC tunnel-group type
attributes global-tunnel-group OAC
address vpnpool pool
authentication-server-group OAC
Group Policy - by default-OAC
Thanks for any help,
Leon
Leon,
Looks like your connection is down on the Group of the DefaultWebvpn tunnel. You must set the list of groups to choose
OAC as a tunnel for the connection group. Here's what to be configured:
WebVPN
tunnel-group-list enable
!
tunnel-group OAC webvpn-attributes
group-alias OAC enable
Users will connect to the correct tunnel OAC group for authentocated of the radius server.
Kind regards
Bad Boy
P.S. Please mark this message as 'Responded' If you find this information useful so that it brings goodness to other users of the community
-
Problem loading XML file on the server hosting
I have a question wher the lods of XML data very well file and displays on my server testingg but returns "undefined" when uploaded to the server hosting.
The page can be found at http://www.merryheartpuppets.com/index3.html
The ActionScript for the clip is included below:
The SWF works! and the xml data are read and displayed correctly. I always get an error when you try to view the slideshow.xml in the browser even with the changes.
I think that the happy ending is the result of several things:
1 make the changes suggested by GWD and
2 pointing the domain to the appropriate folder. For some reason, the hosting server was not pointing to the folder to which I had originally put in it. Then, I changed it. But the change doesn't take effect for some reason any. In any case, after further investigation, I got the domain pointing to the appropriate subfolder and the swf file is working now.Thank you all for your patience to input and advice. I could not successfully achieved this without your intervention. TX!
-
GANYMEDE + records of command problems
All,
Working on a problem I'll have get record installation for my switch / router infrastructure. Here's my config authentication works, the two console & SSH. Authorization is also working. Some of my accounting functions work, like GANYMEDE + successful connections, but all my logging features of command do not work correctly.
I am running ACS V4.1. In addition, what is the difference between using named auth / accounting of lists and by default? Is it fair that I need to apply some interfaces, where the default value is applied to all interfaces?
Configs:
AAA new-model
AAA SSH authentication connection group Ganymede + local
local authentication AAA CONSOLE connection
authorization AAA console
local CONSOLE AAA authorization exec
exec authorization AAA SSH group Ganymede +.
network of local AAA CONSOLE authorization
authorization for AAA network SSH group Ganymede +.
exec accounting AAA SSH start-stop group Ganymede +.
AAA accounting command 0 SSH start-stop group Ganymede +.
AAA accounting command SSH 1 start-stop Ganymede group.
AAA accounting command SSH 15 group arrhythmic Ganymede +.
network accounting AAA SSH start-stop group Ganymede +.access-list 1 permit X.X.56.0 0.0.0.255
GANYMEDE-server host X.X.X.X XXXXXXXXXXXXX key
RADIUS-server timeout 30
RADIUS-server application made
!
control plan
!
!
Line con 0
session-timeout 10
exec authorization CONSOLE
the CONSOLE connection authentication
line vty 0 4
session-timeout 10
access-class 1
exec authorization SSH
accounting of the SSH commands 0
accounting controls 1 SSH
SSH 15 orders accounting
accounting SSH exec
the SSH connection authentication
entry ssh transport
line vty 5 15
session-timeout 10
access-class 1
exec authorization SSH
accounting of the SSH commands 0
accounting controls 1 SSH
SSH 15 orders accounting
accounting SSH exec
the SSH connection authentication
entry ssh transportAny help is appreciated.
Thank you!
Jon
Hi Jon,
Could you let us know the exact version of the CSA? If it's the ACS 4.1.1.23, then you would have to apply the latest patch from FAC as there is a bug in ACS 4.1.1.23 in what order accountant does not work.
Here is the information about the bug:
CSCsg97429:
GANYMEDE + accounting command does not work in ACS 4.1 Build 23 (1).
Symptom:
GANYMEDE + accounting command does not work in ACS 4.1 Build 23 (1).
No accounts appear in the log of Administration GANYMEDE +.Conditions:
Accounting command is configured on the NAS server. After the seizure of the orders on the NAS
no record is visible in the Administration GANYMEDE log file +. Debugs on the show NAS
files sent and they get to the ACS server, but if
log file is not updated. -
Hello
Anyone know if you can configure a PIX to use another RADIUS server if the primary one fails? For example, a customer authenticates their VPN clients using a RADIUS server with the command of PIX:
AAA-server ISA SERVER (host 10.222.180.10 b1bbyrad1u5 timeout 10 Interior)
If the RADIUS server fails (as it did recently) the PIX allows another backup radius server?
Hai David,
The first server in the config of wil be to conclude. If it does not respond (no connection can be made) that after the timeout will be connected to the second server.
Greetings,
René
-
switch 3750 EAPoL transmission RADIUS server
I have a running version of the 3750 switch stack 12.2 (53) SE2 IPBASEK9-M. I have dot1x configured on the switch and a Windows 7 PC, connected with 802. 1 x configured on the interface. I see the EAPoL start message from the PC, but I do not see the packets from the switch to the RADIUS server RADIUS. I have a config simple dot1x just to try to make it work before adding additional features such as comments - vlan...
Config and debug of attached file.
I don't know if the configuration ip dhcp snooping and arp of inspection is cause a problem with that or not. I see the EAPoL packet received on the switch, as shown in the attachment of debugging, but I never see the RADIUS packet. I've defined both trust on the interface, but always the same result. I can't turn it off because there is a switch of production with a test interface.
Any ideas?
Thank you
Mark
I had the same problem and solved it is enough to configure the switch as authenticator instead of "supplicant". "Supplicant" means customer, "authenticator" means in fact the switch acts as an authenticator to pass through, it will forward the requests to the auth server, for example, host of RADIUS.
-
change the IP address of the RADIUS server
Hi all
I'm looking to reloacte a Ganymede server + inside the demilitarized zone and, consequently, the server will be on a new IP range.
I will seek the role these command using chat tools that I have a large number of switches
the configuration of switches is less than
existing Ganymede:
host key 10.11.11.40 radius-server 9090897979800090908
Now I move the server to a new IP 10.99.1.40
If I put the command
host key 10.99.1.40 radius-server 9090897979800090908
the configuration looks like this:
host key 10.11.11.40 radius-server 9090897979800090908
host key 10.99.1.40 radius-server 9090897979800090908
I need to confirm that when I switch the server again this IP switches will turn to the new ip address of 10.99.1.40 and I do after all, that is, remove the old line: no host key 10.11.11.40 radius-server 9090897979800090908
Or it will work now and I have to set up a group that is located at the bottom of the page from the link below
http://www.Cisco.com/c/en/us/TD/docs/iOS/12_2/security/configuration/guide/fsecur_c/scftplus.html
Thank you very much
The method explained in the linked document is the most recent. On IOS 15.x the previous method (which still works) generates a message in the cli parser that it was withdrawn and Cisco recommends to the new method.
That said, each method should work. The new method should be good all switches or routers with IOS 12.0 +.
When there are two servers configured, IOS them will try in order and, if a response is not received in three trials (each in the case of multiple servers), it may fall to another configured method aaa (or fails aaa if no second method has been defined)
-
access to AAA server to remote problems
Hi all. I can ping and trace to this GANYMEDE server. but I can't authenticate my telnet users. I configured local AAA relief so that he tries the remote server several times and then returns to the local GANYMEDE. I noticed the logs show the TCP FINS. Which indicates that I am actually reach the remote server, but the server sends a TCP FIN or is the server simply is not available, as indicated by the newspapers. Why the server will be not not accessible if I can ping and trace it.
I also checked the NOC extranet firewall accepted my traffic through the RADIUS server. they took the newspapers showing that my traffic has been accepted.
February 4, 2011 13:04:12: % ASA-7-609001: built internal local host: AAA_SERVER
February 4, 2011 13:04:12: % ASA-6-302013: built 24726 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24727 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24726 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/28055 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24728 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24727 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/32029 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24729 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24728 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/39039 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-2-113022: AAA marking GANYMEDE + Server AAA_SERVER aaa-server group MYGROUP as being broken
February 4, 2011 13:04:12: % ASA-4-409023: method of rescue attempt LOCAL AAA for authentication of user vzz19 request: inaccessible Server Auth MYGROUP group
February 4, 2011 13:04:12: % ASA-6-113015: rejected AAA user authentication: reason = invalid password: local database: user = vzz19
February 4, 2011 13:04:12: % ASA-6-611102: failed authentication user: Uname: vzz19
February 4, 2011 13:04:12: % ASA-6-605004: connection refused from 10.2.2.2/26089 to inside:17.2.2.2/telnet for the user "vzz19".
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24729 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/33702 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-7-609002: duration of dismantling inside local host: AAA_SERVER 0:00:00Here is my config from aaa
AAA-server protocol Ganymede MYGROUP +.
Max - a failed attempts 4
AAA-server host AAA_SERVER MYGROUP (inside)
timeout 3
Console Telnet AAA authentication LOCAL MYGROUP
Console to enable AAA authentication LOCAL MYGROUP
privilege MYGROUP 15 AAA accounting commandI can ping AND trace on the RADIUS server
ATLUSA01-FW01 # ping AAA_SERVER
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to AAA_SERVER, wait time is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
ATLUSA01-FW01 # trace AAA_SERVERType to abort escape sequence.
The route to 151.162.239.2391 17.2.2.3 0 ms 0 ms 0 ms
2 17.2.2.4 0 ms 0 ms 0 ms - extranet fire barrier
3 10.4.7.1 0 0 0 ms ms ms
4 10.4.7.13 0 0 0 ms ms ms
5 10.4.7.193 0 0 0 ms ms ms
6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 msYou'll certainly need the assistance of the administrator of the AAA, troubleshooting on the AAA client side shows only a fraction of what's going on.
Ask him or her to do the following:
Much easier and the most important thing is to check an 'attempt' journal and watch if there is no entry at all for your ASA.
If there is an entry, it should be automatic explaining like "Unknown SIN" or "Ganymede key bad argument" - be convinced on a good config and check it are two different things.
I have seen weird things like walking into a key on an AAA server via remote desktop and keyboard settings were inconsistent: English/German, traded resulting from letters 'Y' and 'Z' - do not trust your config until it you checked.
If there is no entry at all then it could be a device on the way which is allowing ping/traceroute tcp/49 but drops or a device is to translate the address of the ASA (well in this case, you should see an "unknown SIN" in the failed attempts).
You have the possibility to connect a device inside the network of the SAA as a laptop? If so, try Telnet for tcp/49 of the AAA server, you should see immediately, if it is allowed tcp/49 (get a blank screen immediately = connectivity, timeout = no connectivity)
That's all you can do on your side, unfortunately tha ASA isn't a telnet client.
Rgds,
MiKa
Maybe you are looking for
-
on every 30 sec or so my mouse freezes and im page viewing.
-
This mini would be able to push a monitor 1440 p smoothly?
So with these specs I can output to a monitor 2560 x 1440, and if yes, it would be able to run it without a problem, I do things like browsing the web, watching movies and listening to music, things so lite. I see never any lag in things like animati
-
I use Nero Burning Rom, with a brand new Lenovo W500. I have Vista Business 64 on a new installation. I get an error of calibration of power when burning a DVD using Nero and the DVD-RAM internal drive (MAST * beep * A DVD-RAM UJ862A). I don't get th
-
Luminaire 3s 8962. Cannot use the GPIO C pins as a source of disruption.
I'm trying to use GPIO C-5 as the source of interruption to run a vi and get this error Building target "LabVIEW".compilation of ARM_irq.c..... \Drivers\Interrupt\ARM_irq.c(313): error: #20: identifier 'LM3Sxxxx_GPIOCHandlerP' is not definedTarget no
-
Change of ownership and company registered in LabVIEW
Hello! We outsource our IT and my laptop has recently needed a reinstall of Windows. They used their company name as my owner name in Windows and I did not change it until I installed LabVIEW. LabVIEW has now entered the fault of the owner and ther