several hosts aaa server for authentication vpn

ASA5510 - 7.2 (1)

Using the following configuration, I'm trying to have several RADIUS servers configured for VPN authentication, as a backup in case the primary fails. This seems to work OK. But once the main server is back up, when will the ASA begin to use it again? The output of "aaa-server host 172.25.4.20" says:

Server status: FAILURE, server disabled at 08:04:25.

How do you reactivate it?

aaa-server adauth protocol radius
aaa-server adauth host 172.25.4.20
 key *
 authentication-port 1812
 accounting-port 1813
aaa-server adauth host 172.25.4.40
 key *
 authentication-port 1812
 accounting-port 1813
tunnel-group group general-attributes
 address-pool pool
 authentication-server-group adauth
 default-group-policy

You can add the following option in the aaa-server group:

"reactivation-mode timed"

This causes a dead server to be added back to the pool after 30 seconds.

The following link has some good info on the options available. I suggest searching the doc for "reactivation".

http://www.Cisco.com/univercd/CC/TD/doc/product/multisec/asa_sw/v_7_2/cmd_ref/crt_711.PDF

-Eric

Please rate all useful posts.
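To make the two reactivation policies concrete, here is an added Python model (not code from the original thread; the server addresses are the ones from the question, and the defaults of max-failed-attempts 3 and deadtime 10 minutes are assumed from the ASA command reference). It shows why the repaired primary stays disabled under the default depletion mode as long as the backup keeps answering, and comes back after 30 seconds under timed mode.

```python
"""Model of how a Cisco ASA aaa-server group reactivates a FAILED server.

Added example, not code from the original post.  It simulates the two
reactivation policies of the ASA aaa-server group, with the defaults
assumed from the ASA command reference:
  max-failed-attempts 3        consecutive timeouts before FAILED
  reactivation-mode depletion  default: re-enable only once every server
                               is FAILED, then after deadtime (10 min)
  reactivation-mode timed      re-enable a FAILED server 30 s after failure
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Server:
    name: str
    reachable: bool = True             # simulated health of the real box
    failed_at: Optional[float] = None  # when the ASA marked it FAILED (s)
    consecutive_failures: int = 0

    @property
    def active(self) -> bool:
        return self.failed_at is None


@dataclass
class AAAServerGroup:
    servers: List[Server]
    mode: str = "depletion"            # "depletion" or "timed"
    max_failed_attempts: int = 3
    deadtime_minutes: int = 10
    log: List[str] = field(default_factory=list)

    def _reactivate(self, now: float, s: Server) -> None:
        s.failed_at = None
        s.consecutive_failures = 0
        self.log.append(f"{now:6.0f}s reactivated {s.name}")

    def _housekeeping(self, now: float) -> None:
        failed = [s for s in self.servers if not s.active]
        if not failed:
            return
        if self.mode == "timed":
            for s in failed:
                if now - s.failed_at >= 30:
                    self._reactivate(now, s)
        elif self.mode == "depletion":
            # Nothing happens while at least one server is still active:
            # this is why a repaired primary stays disabled indefinitely.
            if len(failed) == len(self.servers):
                last_failure = max(s.failed_at for s in failed)
                if now - last_failure >= self.deadtime_minutes * 60:
                    for s in failed:
                        self._reactivate(now, s)

    def authenticate(self, now: float) -> Optional[str]:
        """Name of the server that answered, or None when every active
        server timed out (the ASA would then try LOCAL fallback)."""
        self._housekeeping(now)
        for s in self.servers:             # tried in configured order
            if not s.active:
                continue
            if s.reachable:
                s.consecutive_failures = 0
                return s.name
            s.consecutive_failures += 1
            self.log.append(f"{now:6.0f}s timeout from {s.name}")
            if s.consecutive_failures >= self.max_failed_attempts:
                s.failed_at = now
                self.log.append(f"{now:6.0f}s marked {s.name} FAILED")
        return None


def scenario(mode: str) -> Dict[str, object]:
    """Primary (addresses from the post) is down for the first three
    logins and repaired at t=30 s; which server answers the later logins?"""
    primary = Server("172.25.4.20", reachable=False)
    backup = Server("172.25.4.40")
    grp = AAAServerGroup([primary, backup], mode=mode)
    for t in (0, 10, 20):              # three logins: primary -> FAILED
        grp.authenticate(t)
    primary.reachable = True           # primary repaired
    answers = {t: grp.authenticate(t) for t in (60, 120, 1200)}
    return {"answers": answers, "log": grp.log}


if __name__ == "__main__":
    for m in ("depletion", "timed"):
        print(m, scenario(m))
```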

Tags: Cisco Security

Similar Questions

  • DHCP server for debugging VPN clients

    We are configuring DHCP to a DHCP server for SSL VPN clients on our ASA running 8.2, and it does not work yet.

    I set the DHCP server on the tunnel profile and set the dhcp-network-scope for the group - that seems to be all that is needed.

    Currently, the problem is I'm having trouble finding debug commands that provide detailed information on what is happening with DHCP queries.

    The only DHCP-related debug commands seem to be:

    dhcpc      DHCP client information
    dhcpd      DHCP server information
    dhcprelay  DHCP relay information

    I've tried the client and relay debugs, and all I see is that the client is not getting a valid IP address: "0.0.0.0/0.0.0.0".

    The DHCP server is not getting a request from this ASA for the network defined in the dhcp-network-scope for the group, and we see nothing on the DHCP server in the debug results.

    Any suggestions would be welcome.

    Lynne

    You will see a button like "mark as answered".

    You can also rate the useful answers.

    Regards

    Ashish

  • RADIUS server for authentication

    Hello

    I want to configure the RADIUS server so that whenever someone tries to connect to a Cisco switch (Telnet), the RADIUS server authenticates them. Is this possible?

    Yes, it is possible as long as you configure your switches to authenticate to the RADIUS server. To achieve this, you must use a feature called AAA. This feature is compatible with protocols such as RADIUS and TACACS+, to name a few. The following link will give you an idea of how to set it up on IOS-based switches, specifically on the 3550:

    http://www.Cisco.com/en/us/partner/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801a6b15.html

    Make sure that you apply the authentication list to the vty lines to ensure that telnet access is authenticated with the RADIUS server. For CatOS-based switches, the following link will be useful:

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK642/technologies_tech_note09186a0080094ea4.shtml

  • How Anyconnect VPN users will connect with cisco ASA, which uses the server (domain controller) Radius for authentication

    Hi team

    Hope you do well. !!!

    Currently I am doing a project which consists of a Cisco ASA-5545-X and a RADIUS (domain controller) server for authentication. Here I need to configure AnyConnect VPN and host checker on the Cisco ASA.

    1. User connects: the user opens the SSL VPN page in a browser and enters username and password.

    2. Authentication (Cisco ASA): the VPN sends the credentials to the RADIUS server.

    3. RADIUS server authentication: receives the credentials and the SSL VPN (ASA) group.

    4. Connectivity creation: if it is an employee PC, the NAW verifies compliance; if there is no PC check, assign the user to the appropriate role and give an IP.

    This is my requirement, so someone please guide me how to set up step by step.

    1. how to set up the Radius Server?

    2. how to configure CISCO ASA?

    Thanks in advance.

    Hey Chick,

    Please consult the following page on setting up the RADIUS server as well as the ASA. On the ASA end there is frankly not much difference in doing this.

    http://www.4salesbyself.com/1configuring-RADIUS-authentication-for-webvp...

    Hope this helps

    Knockaert

  • IPsec IKEV2 Cisco AAA server

    Nice day

    Is it possible to configure IPsec IKEv2 VPN without an AAA server? Or to use the ASA 5508-X itself as an AAA server for VPN users?

    Hello

    I have attached an ASDM screenshot for doing LOCAL authentication and DHCP address assignment for VPN users.

    Kind regards

    Aditya

    Please rate the useful posts and mark the correct answers.

  • Connecting two servers vCenter for a server for SSO in basic mode

    Can you connect two vCenter servers to a single server for authentication, if the Single Sign-On server is configured in basic mode?

    For example, I have two vCenter servers in one site. I have installed the Single Sign-On server on a separate virtual machine. Both vCenter servers use only one SSO server for authentication. Does it work?

    http://blogs.VMware.com/vSphere/2012/09/vCenter-single-sign-on-part-1-What-is-vCenter-single-sign-on.html

  • NPS Windows Help for authentication of aaa for Cisco router - is it safe?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of online tutorials for setting up RADIUS authentication on a Cisco router and pointed it at a Windows NPS server. Now I can ssh into the router with my AD account.

    Now that I got it to work, I'm going through the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console) login authentication default

    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:
    
    
    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:
    
    
    
    How is my password being encrypted and how strong is the encryption?
    
    Another thing: how can I configure aaa authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using ppp, I'm using aaa with a RADIUS server.
    

    Hello

    RADIUS encrypts the password, but sends the username in clear. TACACS+ encrypts the username and password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAPv2 is used for the authentication of users such as remote access and VPN, not switch management.

    Thank you

    John
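As an added illustration of John's point (example code, not part of the original thread): the RFC 2865 User-Password hiding, implemented next to a minimal Access-Request builder and parser, so you can see that User-Name is on the wire in clear and that the password is recoverable by anyone who holds the shared secret and a capture. The username, password and secret values are constructed.

```python
"""RFC 2865 (section 5.2) User-Password hiding; added example, not part
of the original thread.  It shows what John describes: RADIUS does not
encrypt the packet, it hides only the User-Password attribute with an
MD5 keystream derived from the shared secret and the 16-octet Request
Authenticator, while User-Name travels in clear.
"""
import hashlib
import os
import struct
from typing import Dict, Tuple

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c_1 = p_1 XOR MD5(S + RA);  c_i = p_i XOR MD5(S + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += c
        prev = c
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server, or anyone holding the
    shared secret and a capture, does to get the password back.  Padding
    NULs are stripped, so a password ending in NUL is ambiguous (as in the RFC)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += _xor(c, hashlib.md5(secret + prev).digest())
        prev = c
    return bytes(out).rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Minimal Access-Request: code, identifier, length, authenticator, AVPs."""
    authenticator = authenticator or os.urandom(16)
    attrs = _avp(ATTR_USER_NAME, username)
    attrs += _avp(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, authenticator, attrs


if __name__ == "__main__":
    secret, ra = b"mykey", os.urandom(16)        # constructed sample values
    pkt = build_access_request(b"alice", b"S3cret!pass", secret, authenticator=ra)
    _, _, _, attrs = parse_packet(pkt)
    print("User-Name on the wire:    ", attrs[ATTR_USER_NAME])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(attrs[ATTR_USER_PASSWORD], secret, ra))
```

Note that nothing here authenticates the client beyond the shared secret: whoever captures the packet and knows (or guesses) the secret can run reveal_password offline, which is why the thread recommends EAP or MS-CHAPv2 based methods where the plaintext never leaves the client.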

  • AAA of VPN3k authentication for accounts of Mgmt

    I see that I can implement CS-ACS to authenticate the administration accounts for my VPN3k (ver 4.x). A few questions if anyone knows.

    1. What is the behavior if no AAA server is available? Is console access the only option, or will it revert to the accounts configured locally on the concentrator?

    2. Is there another way, other than restricting access to the CS-ACS, to limit admins? In other words, it seems that anyone configured in CS-ACS with an appropriate privilege level and shell permissions will be able to administer the VPN concentrators.

    The privilege level assigned to the user in ACS must match the VPN3000 user privilege level, so that the user gets the privilege assigned in the 3000 GUI.

    The configuration example is somewhat misleading for this; I've been after them to change it for a while. Basically, as soon as you add an AAA Admin Server in the 3000's config, the 3000 will use this external server. The usernames on the 3000 (admin, config, isp, mis, user) at this stage now mean nothing. The only thing that is checked is the privilege level assigned to each of these users, and it is compared with the privilege level assigned on the RADIUS server. So basically, you go under the "admin" user on the 3000 and set the privilege level to, say, 15; the "config" user gets, say, 11; and the "div" user gets, say, 9. Then on the RADIUS server you configure your users with Exec (shell) permissions and a privilege level of, say, 15. When this user logs in to the 3000, it gets the rights that the user "admin" has, because its privilege level is the same. If on the RADIUS server you set the privilege level to 9, then they would get the rights available to the user 'div'. The username on the 3000 is meaningless; the only thing being matched is the privilege level, and from there the permissions are assigned accordingly.

    Hope that makes sense. The sample configuration shows a user "admin" being added to the ACS server, but it is misleading because it makes people think that the TACACS username must be equal to the 3000 username; this is NOT the case. The TACACS username can be anything, and that user will get the permissions through the concentrator based on whichever 3000 user has the EXACT same privilege level set.

  • DEP stops my host server for windows

    A pop-up window shows 'host server for windows has stopped working' and directs me to change DEP settings, which does nothing at all, even after I have changed the settings.

    Hello

    1. When exactly do you receive the error message?

    2. Did you make any recent changes to the computer?

    Follow these steps:

    Method 1:

    Data Execution Prevention (DEP) is a security feature that protects against viruses and other security threats by monitoring your programs to make sure that they use system memory safely.

    If you choose to protect all programs, you can still turn off DEP for individual programs. If you think that a program does not run correctly when DEP is enabled, check for a DEP-compatible version of the program or an update from the software publisher before you change your DEP settings.

    Change Data Execution Prevention settings

    http://Windows.Microsoft.com/en-us/Windows-Vista/change-data-execution-prevention-settings

    Method 2:

    I suggest you download and run the latest Microsoft Safety Scanner on your computer and check if it helps:

    http://www.Microsoft.com/security/scanner/en-us/default.aspx

    Note: data files that are infected can only be cleaned by removing the file completely, which means there is a risk of data loss.

    Method 3:

    Follow these steps and check if that helps.

    Step 1:

    I suggest starting the computer in Safe Mode and checking if the problem persists.

    http://Windows.Microsoft.com/en-us/Windows7/start-your-computer-in-safe-mode

     

    Step 2:

    You may also start your machine in a clean boot state to rule out a third-party software conflict.

    How to troubleshoot a problem by performing a clean boot in Windows Vista or in Windows 7

    http://support.Microsoft.com/kb/929135/en-us

  • Autonomous AP521 can be configured for authentication WPA/TKIP with no radius server?

    Can the AP521 be configured for WPA/TKIP authentication with no RADIUS server?

    Per the datasheet, WPA with TKIP and WPA2 with AES are supported.

    You want to use WPA-PSK with TKIP (no RADIUS). WPA2-PSK uses AES and not TKIP.

  • access to AAA server to remote problems

    Hi all. I can ping and trace to this TACACS+ server, but I can't authenticate my telnet users. I configured local AAA fallback so that it tries the remote server several times and then falls back to the local database. I noticed the logs show TCP FINs, which indicates that I am actually reaching the remote server, but is the server sending a TCP FIN, or is the server simply not available, as indicated by the logs? Why would the server not be accessible if I can ping and trace to it?

    I also checked with the NOC that the extranet firewall accepted my traffic to the RADIUS server. They pulled the logs showing that my traffic was accepted.

    Feb 04 2011 13:04:12: %ASA-7-609001: Built local-host inside:AAA_SERVER
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24727 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24728 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24727 for inside:AAA_SERVER/49 to identity:17.2.2.2/32029 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24729 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24728 for inside:AAA_SERVER/49 to identity:17.2.2.2/39039 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
    Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
    Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
    Feb 04 2011 13:04:12: %ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = vzz19
    Feb 04 2011 13:04:12: %ASA-6-611102: User authentication failed: Uname: vzz19
    Feb 04 2011 13:04:12: %ASA-6-605004: Login denied from 10.2.2.2/26089 to inside:17.2.2.2/telnet for user "vzz19"
    Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24729 for inside:AAA_SERVER/49 to identity:17.2.2.2/33702 duration 0:00:00 bytes 41 TCP FINs
    Feb 04 2011 13:04:12: %ASA-7-609002: Teardown local-host inside:AAA_SERVER duration 0:00:00

    Here is my config from aaa

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host AAA_SERVER
     timeout 3
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    I can ping AND trace to the RADIUS server:

    ATLUSA01-FW01# ping AAA_SERVER
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to AAA_SERVER, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 02/01/10 ms
    ATLUSA01-FW01# traceroute AAA_SERVER

    Type escape sequence to abort.
    Tracing the route to 151.162.239.239

    1 17.2.2.3 0 ms 0 ms 0 ms
    2 17.2.2.4 0 ms 0 ms 0 ms - extranet firewall
    3 10.4.7.1 0 ms 0 ms 0 ms
    4 10.4.7.13 0 ms 0 ms 0 ms
    5 10.4.7.193 0 ms 0 ms 0 ms
    6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 ms

    You'll certainly need the assistance of the AAA administrator; troubleshooting on the AAA client side shows only a fraction of what's going on.

    Ask him or her to do the following:

    Much easier, and the most important thing, is to check the 'failed attempts' log and see whether there is any entry at all for your ASA.

    If there is an entry, it should be self-explanatory, like "Unknown NAS" or "TACACS key mismatch" - being convinced of a good config and checking it are two different things.

    I have seen weird things like typing a key into an AAA server via remote desktop where the keyboard settings were inconsistent (English/German), resulting in swapped 'Y' and 'Z' letters - do not trust your config until you have checked it.

    If there is no entry at all, then it could be a device on the path which allows ping/traceroute but drops tcp/49, or a device is translating the address of the ASA (well, in this case you should see an "unknown NAS" in the failed attempts).

    Do you have the possibility to connect a device such as a laptop inside the network of the AAA server? If so, try telnet to tcp/49 of the AAA server; you should see immediately whether tcp/49 is allowed (blank screen immediately = connectivity, timeout = no connectivity).

    That's all you can do on your side; unfortunately the ASA isn't a telnet client.

    Rgds,

    MiKa
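An added example (not part of the original thread) that applies MiKa's checklist to the syslog above: it parses the ASA message IDs seen in the thread to report which server was marked FAILED and why the tcp/49 sessions ended, and wraps the "telnet to tcp/49" test in a function. The sample log lines are constructed after the formats quoted in the thread; AAA_SERVER and MYGROUP are the names from the post.

```python
"""Triage of ASA syslog for an unreachable TACACS+ server, plus the
tcp/49 probe MiKa suggests.  Added example, not part of the original
thread; the sample lines are constructed after the message formats
quoted in the thread (AAA_SERVER / MYGROUP come from the post).
"""
import re
import socket
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
Feb 04 2011 13:04:12: %ASA-6-302013: Built outbound TCP connection 24726 for inside:AAA_SERVER/49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
Feb 04 2011 13:04:12: %ASA-6-113014: AAA authentication server not accessible : server = AAA_SERVER : user = vzz19
Feb 04 2011 13:04:12: %ASA-6-302014: Teardown TCP connection 24726 for inside:AAA_SERVER/49 to identity:17.2.2.2/28055 duration 0:00:00 bytes 41 TCP FINs
Feb 04 2011 13:04:12: %ASA-2-113022: AAA Marking TACACS+ server AAA_SERVER in aaa-server group MYGROUP as FAILED
Feb 04 2011 13:04:12: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user vzz19 : Auth-server group MYGROUP unreachable
"""

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<iface>[^:]+):(?P<server>[^/]+)/(?P<port>\d+)"
    r" to .* bytes (?P<bytes>\d+) (?P<reason>.+)$")
MARK_RE = re.compile(
    r"AAA Marking (?P<proto>\S+) server (?P<server>\S+) in aaa-server group (?P<group>\S+) as (?P<state>\S+)")


def triage(lines: List[str]) -> Dict[str, object]:
    """Pull the AAA-relevant facts out of ASA syslog lines."""
    report = {"unreachable": Counter(), "teardowns": [], "marked": [], "fallbacks": 0}
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        mid, text = m["id"], m["text"]
        if mid == "113014":                       # server not accessible
            srv = re.search(r"server = (\S+)", text)
            if srv:
                report["unreachable"][srv[1]] += 1
        elif mid == "302014":                     # TCP teardown with reason
            t = TEARDOWN_RE.search(text)
            if t and t["port"] == "49":
                report["teardowns"].append(
                    {"server": t["server"], "bytes": int(t["bytes"]), "reason": t["reason"]})
        elif mid == "113022":                     # server marked FAILED
            k = MARK_RE.search(text)
            if k:
                report["marked"].append(k.groupdict())
        elif mid == "409023":                     # LOCAL fallback used
            report["fallbacks"] += 1
    return report


def verdict(report: Dict[str, object]) -> str:
    """Map the teardown reasons seen on tcp/49 to where to look next."""
    reasons = {t["reason"] for t in report["teardowns"]}
    if "TCP FINs" in reasons:
        # Handshake completed and the peer closed: tcp/49 is reachable, so
        # check the AAA server's failed-attempts log (unknown NAS, key mismatch).
        return "peer-closed"
    if "SYN Timeout" in reasons:
        return "path-drops-syn"   # nothing answered: filtering device in the path
    if any(r.startswith("TCP Reset") for r in reasons):
        return "refused"          # nothing listening on tcp/49, or an ACL reset
    return "no-tcp-evidence"


def probe_tcp49(host: str, port: int = 49, timeout: float = 3.0) -> str:
    """What 'telnet host 49' from a laptop next to the AAA server shows:
    blank screen = connected, hang = timeout, immediate error = refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG.splitlines())
    print(rep)
    print("verdict:", verdict(rep))
```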

  • Customer remote cannot access the server LAN via VPN

    Hi friends,

    I'm a new player with the ASA.

    My business is small. We need remote clients to access the server on the LAN via VPN.

    I have an ASA5510 with version 7.0. I have configured remote access VPN and it can establish the tunnel successfully. But I cannot access the server.

    The VPN client is version 5.0.07.0290. Encrypted packets increase but decrypted packets stay at 0 in the VPN client statistics, after I connected successfully.

    On the ASA side, in show crypto ipsec sa, only the decrypted packets increase.

    Who can help me?

    Thank you very much.

    The following configuration:

    ASA Version 7.0(7)
    !
    hostname VPNhost
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 10
    ip address 221.122.96.51 255.255.255.240
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.42.199 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    shutdown
    no nameif
    no security-level
    no ip address
    management-only
    !
    ftp mode passive
    dns domain-lookup inside
    access-list PAT_acl extended permit ip 192.168.42.0 255.255.255.0 any
    access-list allow_PING extended permit icmp any any inactive
    access-list Internet extended permit ip host 221.122.96.51 any inactive
    access-list VPN extended permit ip 192.168.42.0 255.255.255.0 192.168.43.0 255.255.255.0
    access-list VPN extended permit ip 192.168.43.0 255.255.255.0 192.168.42.0 255.255.255.0
    access-list CAPTURE extended permit ip host 192.168.43.10 host 192.168.42.251
    access-list CAPTURE extended permit ip host 192.168.42.251 host 192.168.43.10
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip local pool testpool 192.168.43.10-192.168.43.20

    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 access-list PAT_acl
    route outside 0.0.0.0 0.0.0.0 221.122.96.49 10

    
    username testuser password 123
    aaa authentication ssh console LOCAL
    aaa local authentication attempts max-fail 3

    no sysopt connection permit-ipsec
    crypto ipsec transform-set FirstSet esp-des esp-md5-hmac
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    isakmp enable outside
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des
    isakmp policy 1 hash md5
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp nat-traversal  3600
    tunnel-group testgroup type ipsec-ra
    tunnel-group testgroup general-attributes
    address-pool testpool
    tunnel-group testgroup ipsec-attributes
    pre-shared-key *
    telnet timeout 5

    ssh timeout 10
    console timeout 0

    : end

    Topology as follows:

    Hello

    Configure split tunneling for the VPN.

    1. Create the access list that defines the network behind the ASA.

      ciscoasa(config)#access-list Split_Tunnel_List remark The corporate network behind the ASA.
      ciscoasa(config)#access-list Split_Tunnel_List standard permit 10.0.1.0 255.255.255.0

    2. Enter group policy configuration mode for the policy you want to change.

      ciscoasa(config)#group-policy hillvalleyvpn attributes
      ciscoasa(config-group-policy)#

    3. Specify the policy to split tunnel. In this case, the policy is tunnelspecified.

      ciscoasa(config-group-policy)#split-tunnel-policy tunnelspecified 

    4. Specify the split tunnel access list. In this case, the list is Split_Tunnel_List.

      ciscoasa(config-group-policy)#split-tunnel-network-list value Split_Tunnel_List 

    5. Type this command:

      ciscoasa(config)#tunnel-group hillvalleyvpn general-attributes 

    6. Associate the group policy with the tunnel group.

      ciscoasa(config-tunnel-ipsec)# default-group-policy hillvalleyvpn 

    7. Exit the two configuration modes.

      ciscoasa(config-group-policy)#exit
      ciscoasa(config)#exit
      ciscoasa#

    8. Save configuration to non-volatile RAM (NVRAM) and press enter when you are prompted to specify the name of the source file.

    Kind regards
    Abhishek Purohit
    CCIE-S-35269

  • AAA server group does not work

    All,

    I have an aaa server group set up on my router to use for AAA, but it doesn't work that way; when I simply specify a server and not the group list, everything works. Any ideas why this is? I'm going to post the config.

    *****************************************************

    version 12.2
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname BUSINESS
    !
    aaa new-model
    aaa group server tacacs+ TACSLOG
     server 192.x.x.x
     server 192.x.x.x
    !
    aaa authentication login default group TACSLOG local
    aaa authorization exec default group TACSLOG local
    aaa accounting exec default start-stop group TACSLOG
    aaa accounting commands 5 default start-stop group TACSLOG
    aaa accounting commands 15 default arrhythmic group TACSLOG
    enable password xxx
    !
    username xxx password xxx
    username xxx privilege 15
    username xxx autocommand menu ADMIN1
    ip subnet-zero
    !
    !
    ip domain-name SBA.GOV
    !
    !
    call rsvp-sync
    !
    interface FastEthernet0/0
     ip address 192.x.x.x 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     shutdown
    !
    ip classless
    no ip http server
    !
    !
    menu ADMIN1 prompt ^CSELECT AN OPTION PUNK ^C
    menu ADMIN1 text 1 SHO IP INTERFACE BRIEF
    menu ADMIN1 command 1 SHOW IP INTERFACE BRIEF
    menu ADMIN1 text 2 SHOW INTERFACE FA0/0
    menu ADMIN1 command 2 SHO INT FA0/0
    menu ADMIN1 text 3 SHOW RUN INTERFACE FA0/0
    menu ADMIN1 command 3 SHOW RUN INT FA0/0
    menu ADMIN1 text 4 SHOW ARP
    menu ADMIN1 command 4 SHOW ARP
    menu ADMIN1 text 5 EXIT
    menu ADMIN1 command 5 LOGOUT
    !
    dial-peer cor custom
    !
    privilege exec level 5 show ip interface brief
    privilege exec level 5 show interface fa0/0
    privilege exec level 5 show running-config interface fa0/0
    privilege exec level 5 show arp
    !
    line con 0
    line aux 0
    line vty 0 4
     password xxx
    !
    end

    When you define an AAA server group, you associate the server's IP address with the group name. You must still define the AAA server separately, where you also set the key that is used. In your case, you must add to your configuration:

    radius-server host 192.x.x.x key Council
    radius-server host 192.x.x.x key Council

    HTH

    Steve

  • How to use 2 AAA server to different connection end

    Hello, could you help me?

    This is a part of my setup; I would like to add another RADIUS server, which should take care of telnet on vty 0 4.

    The 10.20.30.40 RADIUS server handles virtual access, and I have another RADIUS server which takes care of logins to our network equipment.

    ! Cisco 7204 with system flash c7200-io3s56i-mz.121-4.bin
    !
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login no_tacacs enable
    aaa authentication ppp default group tacacs+
    aaa authorization exec default group tacacs+
    aaa authorization network default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default power group tacacs+
    !
    virtual-profile virtual-template 1
    virtual-profile aaa
    !
    interface Serial2/0:15
     description ISDN30
     no ip address
     encapsulation ppp
     no ip route-cache
     no keepalive
     dialer pool-member 10
     isdn switch-type primary-net5
     isdn tei-negotiation first-call
     isdn calling-number XXXXXXX
     no fair-queue
     compress stac
     no cdp enable
     ppp authentication chap
     ppp multilink
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet1/0
     ip nat outside
     ppp authentication chap
    !
    radius-server host 10.20.30.40 key *
    !
    line con 0
     exec-timeout 20 0
     password *
     login authentication no_tacacs
     transport input none
     flowcontrol hardware
    line aux 0
    line vty 0 4
     access-class 1
     exec-timeout 60 0
     password *
     login authentication no_tacacs
     transport input telnet
     transport output telnet

    If I just add

    aaa authentication login vtymethod group tacacs+ enable
    radius-server host 10.50.60.70 key *
    line vty 0 4
     login authentication vtymethod

    my telnet requests go to 10.20.30.40 and I am refused! Could you help me make a secure solution?

    Thank you

    Jens

    I think that your solution would be to set up a different RADIUS server group with the new server in the new group and use the new group to authenticate your vty. The config might look like this:

    aaa group server tacacs+ vty_TAC
     server 10.50.60.70
    aaa authentication login vtymethod group vty_TAC enable
    radius-server host 10.50.60.70 key *

    I have set up this kind of thing and it worked fine. When I set it up I explicitly configured (and named) two different RADIUS server groups and referenced the specific server groups for each authentication method. I am not sure whether it works to keep the default group tacacs+ and use it for your normal authentication, or whether you may need to configure a named group for this as well.

    Try it and tell us what is happening.

    HTH

    Rick

  • Devices configured for authentication under ACS

    Hi friends,

    I would like to know how many devices can be configured for authentication under ACS version 5.6.0.22 (Cisco Secure Network Server 3415).

    I'm not able to find this anywhere.

    Regards

    JN

    Hello

    It depends on the license that you install on the ACS 5.6.

    All ACS 5.6 deployments support 100,000 AAA clients, 10,000 network, 300,000 users and 150,000 host device groups. The ACS 5.6 log collector server can handle 2 million records per day and 750 messages per second under stress, sent by the various ACS nodes in the deployment to the log collector server.

    Please visit this link:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...

    With the Base license, a Cisco Secure ACS 5.6 appliance or virtual machine can support the deployment of up to 500 network access devices (NADs) such as routers and switches. These are not authentication, authorization and accounting (AAA) clients. The number of network devices is based on the number of unique IP addresses that are configured. The 500-device limit is not a limit for each individual device or instance, but a scale limit that applies to a set of Cisco Secure ACS instances (primary and secondary) that are configured for replication.

    The optional add-on of large deployment license allows deployment to support over 500 network devices. Only one major deployment license is required by the deployment because it is shared by all instances.

    Please visit this link:

    http://www.Cisco.com/c/en/us/products/collateral/security/secure-access-...

    Kind regards

    Aditya

    Please evaluate the useful messages.
