3550 not authenticating with TACACS+

Hello

I have a 3550 with ipservices 12.2(44), upgraded from c3550-i5q3l2-mz.121-22.EA4.bin. Once the reload is complete, the switch no longer authenticates with TACACS+ and falls back to the local user and password.

Mini,

You define source for RADIUS authentication interface.

Custom router problem.

ip tacacs source-interface fastethernet x/y, where the interface would be the one mentioned in the radius server.

That should fix it.

Kind regards

~ JG

Note the useful messages

Tags: Cisco Security

Similar Questions

  • Problem setting up a 7606 router for TACACS+ authentication

    Hello support community.

    I have two Cisco 7606 routers on which I have tried in vain to have users authenticated using TACACS+ servers. As noted below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via vrf OAM, which is accessible from the desktop for ssh login. The real IPs and FFS have been changed because it's a company router.

    I use the two servers to authenticate on a lot of other Cisco network devices, and they work properly.

    I can reach the servers from the vrf and the source interface in use. I can also telnet to port 49 on the servers from the source interface and the vrf.

    The server key is hidden, but at the time of configuration, I can see that it is correct.

    The problem is that after configuring for TACACS+ authentication, the router always uses the enable password instead of TACACS+. While the debug output shows "incorrect password", why does the router not authenticate using TACACS+? Why is it using the enable password?

    Please review the outputs below and help point out what I may need to change.

    PS: I have tried many other combinations, including obsolete ones, without success, including the method proposed on this page.

    http://www.Cisco.com/en/us/docs/iOS/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html

    Please help I'm stuck.

    ROUTER#sh running-config | s aaa

    aaa new-model

    aaa group server tacacs+ admin

    server name admin

    server name admin1

    ip vrf forwarding OAM

    ip tacacs source-interface GigabitEthernet1

    aaa authentication login admin group tacacs+ local enable

    aaa session-id common

    ROUTER#sh running-config | sec tacacs

    aaa group server tacacs+ admin

    server name admin

    server name admin1

    ip vrf forwarding OAM

    ip tacacs source-interface GigabitEthernet1

    aaa authentication login admin group tacacs+ local enable

    tacacs server admin

    address ipv4 1.1.1.1

    key 7 XXXXXXXXXXXXXXXXXXXX

    tacacs server admin1

    address ipv4 2.2.2.2

    key 7 XXXXXXXXXXXXXXXXxxxx

    line vty 0 4

    login authentication admin

    ROUTER#sh tacacs

    Tacacs+ Server - public :

    Server name: admin

    Server address: 1.1.1.1

    Server port: 49

    Socket opens: 15

    Socket closes: 15

    Socket aborts: 0

    Socket errors: 0

    Socket Timeouts: 0

    Failed Connect Attempts: 0

    Total Packets Sent: 0

    Total Packets Recv: 0

    Tacacs+ Server - public :

    Server name: admin1

    Server address: 2.2.2.2

    Server port: 49

    Socket opens: 15

    Socket closes: 15

    Socket aborts: 0

    Socket errors: 0

    Socket Timeouts: 0

    Failed Connect Attempts: 0

    Total Packets Sent: 0

    Total Packets Recv: 0

    Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f

    Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

    Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

    Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'

    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD

    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN

    Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password

    ROUTER#sh ver

    Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)

    Technical Support: http://www.cisco.com/techsupport

    Copyright (c) 1986-2012 by Cisco Systems, Inc.

    Compiled Sat 30-Mar-12 08:34 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)

    BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)

    ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes

    Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes

    System returned to ROM by reload (SP by reload)

    System restarted at 20:00:59 UTC Wednesday, August 28, 2013

    System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"

    Last reload type: Normal Reload

    Last reload reason: power

    Cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.

    Processor board ID FOX1623G61B

    BASEBOARD: RSP720

    CPU: MPC8548_E, Version: 2.1, (0x80390021)

    CORE: E500, Version: 2.2, (0x80210022)

    CPU:1200MHz, CCB:400MHz, DDR:200MHz,

    L1: D-cache 32 kB enabled

    I-cache 32 kB enabled

    Last reset from power-on

    3 Virtual Ethernet interfaces

    76 Gigabit Ethernet interfaces

    8 Ten Gigabit Ethernet interfaces

    3964K bytes of non-volatile configuration memory.

    500472K bytes of Internal ATA PCMCIA card (Sector size 512 bytes).

    Configuration register is 0x2102

    To resolve this problem, please replace the command listed below

    aaa authentication login admin group tacacs+ local enable

    with:

    aaa authentication login default group admin local enable

    You have used the server group name as the method list name, and instead of using admin as the server group, you used tacacs+.

    Note: Please ensure that you have local users and the enable password configured in case the TACACS+ server is unreachable.

    ~ BR
    Jatin kone

    * Do rate helpful posts *
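
As an added example (not part of the original thread and not Cisco tooling), this Python check applies the diagnosis from the answer above to a configuration: it flags a login method list that uses the built-in `group tacacs+` while a named TACACS+ server group carrying VRF settings is never referenced, and method lists that point at an undefined group. The sample configurations are constructed from the thread's commands; the function names and finding texts are assumptions of this example.

```python
import re

BUILTIN_GROUPS = {"tacacs+", "radius"}

# Constructed sample: the AAA part of the question's configuration.
BROKEN_CONFIG = """\
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
"""

# Constructed sample: the same config with the answer's replacement line.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authentication login admin group tacacs+ local enable",
    "aaa authentication login default group admin local enable")


def parse(config):
    """Return (server_groups, method_lists) found in an IOS config text."""
    groups, lists, current = {}, {}, None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw[:1].isspace()
        m = re.match(r"aaa group server (\S+) (\S+)$", line)
        if m and not indented:
            current = groups[m.group(2)] = {"protocol": m.group(1), "vrf": None}
            continue
        if indented and current is not None:
            # Sub-commands of the server group; only the VRF matters here.
            m = re.match(r"ip vrf forwarding (\S+)$", line)
            if m:
                current["vrf"] = m.group(1)
            continue
        current = None
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            tokens, methods, i = m.group(2).split(), [], 0
            while i < len(tokens):
                if tokens[i] == "group" and i + 1 < len(tokens):
                    methods.append(("group", tokens[i + 1]))
                    i += 2
                else:
                    methods.append((tokens[i], None))
                    i += 1
            lists[m.group(1)] = methods
    return groups, lists


def audit(config):
    """Return findings about server groups referenced by login method lists."""
    groups, lists = parse(config)
    used = {n for ms in lists.values() for kind, n in ms if kind == "group"}
    findings = []
    for list_name, methods in lists.items():
        for kind, name in methods:
            if kind != "group":
                continue
            if name not in BUILTIN_GROUPS and name not in groups:
                findings.append(f"list '{list_name}': group '{name}' is not defined")
            for gname, g in groups.items():
                if name == g["protocol"] and g["vrf"] and gname not in used:
                    findings.append(
                        f"list '{list_name}': uses built-in group '{name}', so "
                        f"server group '{gname}' (vrf {g['vrf']}) is never used")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```
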

  • ACS 5.1 13030 TACACS+ authentication error question

    Hi all

    I am trying to set up a new TACACS+ server and am trying to update the configurations of all our network devices to point to the new server. Everything is looking fine up to now, but in the ACS monitoring tool, two of our switches are constantly spamming the error '13030 TACACS+ authentication request missing a username'. The network admin group has no problem authenticating with these two switches and they confirm that they are not trying to connect. Does anyone know if ACS monitor will show any source IP addresses for these requests?

    If you click on the detail in your authentication error message, you should be able to find the 'Remote-address' field, which should tell you the remote IP address.

    If you don't see an IP in the 'Remote-address' field, you may need to check the console port of the switch to see if something is connected to it that could cause the problem.

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to configure ACS to allow a switch to use TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You need to set up both authentications on the switch.

    aaa authentication login default group tacacs+ local

    aaa authentication dot1x default group radius

    aaa authorization exec default group tacacs+ if-authenticated

    aaa authorization network default group radius

    radius-server host 2.2.2.2 key cisco

    tacacs-server host 2.2.2.2 key cisco

    In ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA client

    Hostname: switch1

    IP: 3.3.3.3

    Authenticate using: RADIUS (IETF)

    Add another switch

    Hostname: switch2

    IP: 3.3.3.3

    Authenticate using: TACACS+

    Kind regards

    ~ JG

    Note the useful messages

  • AAA authentication banner

    I have configured the aaa authentication banner and aaa fail message on a router running 12.1(15) - authentication is done by ACS 3.0.2, which works very well.

    Problem - the authentication banner does not appear (nothing other than "Username:" - not even 'User Access Verification'). If you enter a wrong password, the fail message does appear. If I console in and unplug the interface, both messages work fine.

    Workaround - if I configure a "banner login" then everything works fine too, but I can't work out why the "aaa authentication banner" is not displayed.

    I suspect ACS prevents the message, but I can't work out how - can anyone suggest a solution?

    Thank you very much!

    By the way, what does the command 'tacacs-server administration' do? It doesn't seem to be documented, and it seems to have no effect.

    The banner command does not work if you do RADIUS authentication, it will not work if you do RADIUS/local/etc. This is normal, because with TACACS+ the server can send the banner and prompts down (even if with all I don't think that you can do) and so if you have configured TACACS+ authentication the router does not take the banner command into account and waits to see if it gets a new one from the RADIUS server itself. If it does not, it will simply display the usual prompts.

    As for the 'tacacs-server administration' command, honestly, I have no idea, I have never seen anyone use it. Online help says "Start tacacs+ daemon handling administrative messages", but what it really does I don't know, maybe someone else can help.

  • ISE 2.0 TACACS+ license consumption

    Hi all

    I was experimenting with TACACS+ in ISE 2.0.1 and noticed that no base licenses are consumed when I log in to a configured network device.
    Whereas when I connect with RADIUS authentication, 1 base license is consumed per session.

    Is this behavior intentional or a bug? As I intend to implement TACACS+ authentication on a fairly large network, it would strongly reduce my costs if I do not need the device licenses.

    TACACS+ is a license of power. It consumes no base licenses; those apply to the RADIUS area.

  • Configure router to use a specific interface IP address for TACACS+ authentication

    How do I configure a router to use the IP address of a specific interface for all communication with the ACS server for TACACS+ authentication?

    Thank you very much...

    Use the command:

    ip tacacs source-interface

  • No AAA authentication for switch

    I'm puzzled by my issue. I have a switch on 9 that cannot authenticate with our TACACS+ server. The configurations are the same as on any other switch, but when I try to log in using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch.

    aaa new-model

    aaa authentication login default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ local

    tacacs-server host X.X.33.XX
    tacacs-server key 7 ?

    I deleted the aaa configuration and then reconfigured it along with the TACACS server information, and still no TACACS authentication. I specified the interface TACACS should use, but same result. Any ideas?

    Thank you

    Robert

    Robert,

    Please make sure of the following:

    - The TACACS server is reachable from the switch and port 49 is not blocked.

    - If it is a layer 3 switch, then make sure to configure ip tacacs source-interface XXXX (the interface IP set in the TACACS server).

    - Check the secret key.

    If the problem is still there then please get

    debug aaa authentication

    debug tacacs

    Kind regards

    ~ JG

  • ACS 5.1 - AD authentication vs LDAP

    Any help on this would be great

    I can manage to get my account to log in to the cisco switch through Active Directory configured in the external identity stores, but not with my LDAP setup. Here are a successful log with AD and an unsuccessful log with LDAP.

    AD-SETUP

    Selected Identity Store - AD1
    Current Identity Store does not support the authentication method; Skipping it.
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; Identity Sequence continuing
    Authenticating user against Active Directory
    User's Groups retrieval from Active Directory succeeded
    User authentication against Active Directory succeeded
    After authentication
    Access policy
    Access service:
    Default device Admin
    Identity store:
    CDs
    Shell selected profile:
    Privilege mode
    Active Directory domain:
    Blah.com/results.htm
    Group membership:
    Access matched Service selection rule:
    Rule-2
    Comparative political identity rule:
    By default
    Some identity stores:
    CDs
    Application identity stores:
    The selected application identity stores:
    Mapping of matching rule group strategy:
    Matching rule permission policy:
    Rule-1

    The only problem with this configuration is that I can only add the domain blah.com/results.htm example and I get massive latency since the authentication process will over State to other domain instead of the local controllers.

    I can tell by the STATUS of the AAA in track because of dashboard that latency is about 8000ms and the slow, log on to the switch.

    LDAP-SETUP

    In my LDAP configuration I have a primary and a secondary host name closer to home to avoid latency. I do a bind test that returns successfully on both hosts. I configure my Directory Organization tab and do a test configuration to get a return of the Group > 100 > 100 topic.

    I have reset my identity stores to LDAP instead of AD and tried again, but for some reason I get a 22056 object not found error! I just can't get that to work. Here are the details:

    Matched rule
    Selected Access Service - Default Device Admin
    Evaluating Identity Policy
    Matched Default Rule
    Selected Identity Store -
    Current Identity Store does not support the authentication method; Skipping it.
    TACACS+ will use the password prompt from global TACACS+ configuration.
    Returned TACACS+ Authentication Reply
    Received TACACS+ Authentication CONTINUE Request
    Using previously selected Access Service
    Identity Policy was evaluated before; Identity Sequence continuing
    Sending request to primary LDAP server
    Authenticating user against LDAP Server
    User search ended with an error
    Primary server failover. Switching to secondary server
    Sending request to secondary LDAP server
    Authenticating user against LDAP Server
    User not found in LDAP Server
    Subject not found in the applicable identity store(s).
    The advanced option that is configured for an unknown user is used.
    The 'Reject' advanced option is configured in case of a failed authentication request.
    Returned TACACS+ Authentication Reply

    Are there any ideas I can try so that it can find my account as the AD setup did? Ideas please?

    see you soon

    HI Ed,

    Try using a standard LDAP browser (www.ldapbrowser.com ) to view LDAP structure.  Verify base DN used for searches matches
    structure.

    Regards,
    ~JG

    Do rate helpful posts

  • ACE with TACACS+ question

    Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.

    The "optional" syntax does not work. Any idea if the argument is valid for this version of ACS?

    Service = exec

    Optional shell: Admin = domain Admin

    I tried it with quotes, but that didn't work either.

    Hello

    This is a reference doc for configuring the ACE for TACACS+ authentication.

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891

    Under the custom attribute for TACACS+ we need to specify the attribute in the form,

    shell:Admin*ADMIN MYDOMAIN1

    = means mandatory attribute

    * means optional

    Information on the context/role/domain (virtualization on ACE):

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html

    Default 'role' on ACE:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297

    HTH

    JK

    Please evaluate the useful messages-

  • TACACS+ to local when connection is up

    I have my switch configured for tacacs then local:

    aaa authentication login default group MYGROUP local

    And that works very well - I can connect via tacacs and when the servers are down, I can connect via a local account.

    However, is it possible to use local if TACACS authentication fails? For example, when the servers are up but rejecting all authentications? I want to check the local credentials if it gets an access denied from TACACS.

    Thank you

    However, is it possible to use local if TACACS authentication fails?

    It is not possible, because the server will send a reject message with auth failed, and the device will not fall back to the next method in the event of a reject.

    Now, there is always a slight catch with the Cisco TACACS+ server; if you have one, I can show you that.

    Rate if useful :)

    Knowledge sharing makes you immortal.

    Kind regards

    Ed

  • TACACS+ and WCS

    I'm looking for documents on configuring WCS controllers to use TACACS+ authentication. The current controllers use TACACS+ authentication, but we have two new controllers that we want to set up to use TACACS+. Tried to add the TACACS+ authentication and authorization, but it does not work. Someone else set up the current controllers. Running WCS 6.x.

    Hello

    I understand that you mean WLC (controller) and not the WCS (management software).

    TACACS+ configuration on WLC: http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html#wp1697872

    I hope this helps.

    Nicolas

    ===

    Remember responses of the rate that you find useful

  • ACS 5.2 with different RADIUS authentication servers

    Hello

    I want to migrate from ACS 4.1 to ACS 5.2. I have already configured TACACS+ authentication, but now I'm stuck on the RADIUS authentication configuration for WebVPN remote access. Please see the following diagram:

    I want to configure ACS to use Server Token WBS first. If authentication fails or the user is not found, ACS must use IAS on Windows Server. If this server also fails, ACS must use the internal DB. Additional attributes such as group membership or downloadable ACLs should be taken from the internal ACS DB.

    Is it possible to configure ACS like that? In ACS 4.1 it is very easy to configure by selecting the authentication method per user.

    Thanks for your help!

    There is an option in the Advanced tab of the 'RADIUS Identity Server' definition:

    This identity store differentiates between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how an authentication reject from the identity store must be interpreted by ACS for identity policy processing and reporting.
    Treat rejects as 'authentication failed' / Treat rejects as 'user not found'.

    In order to continue in the sequence, I think you have to select the "user not found" option.

  • ACS 5.1 stopped authentication logs after restart!

    Hi all

    I saved the running configuration to startup and restarted the ACS 5.1. Since then the authentication logs have stopped: I can log in to network devices using TACACS, but I get no TACACS authentication logs. Your prompt response will be appreciated.

    Rgds

    HK

    Hello

    Can you please access the ACS CLI through SSH or console and run "show application status acs"? Are all ACS services running, or are some stuck in the state "Initializing" or "not tested"?

    If so, you might want to try a restart of the ACS services with 'acs stop', then 'acs start'.

    If the reports are not displayed under Monitoring and Reports, it is generally considered a problem with the ACS View services.

    I hope this helps.

    Kind regards.

  • RADIUS authentication fails for one of our network device

    5.1 of the ACS is default for authentication authentication Ganymede to the ASA firewall, becomes

    That's what I suspected. You will have to deregister the secondary ACS from the primary. Configure the appropriate clock and time zone on the secondary ACS to match both domain controllers. Both the clock change and the time zone change will restart the secondary ACS services for the changes to take effect.

    After you have configured the time, we should run "Test connection" against AD from the secondary ACS interface. As soon as that succeeds we can go ahead and save the changes and also register the secondary back to the primary.

    This should solve the problem.

    Kind regards.
