3550 not authenticating with TACACS+
Hello
I have a 3550 with ipservices 12.2(44), upgraded from c3550-i5q3l2-mz.121-22.EA4.bin. Since the upgrade completed, the switch no longer authenticates with TACACS+ and falls back to the local username and password.
Mini,
You need to define the source interface for TACACS+ authentication.
Common router problem.
ip tacacs source-interface fastethernet x/y, where the interface is the one defined on the TACACS+ server.
That should fix it.
Kind regards
~ JG
Do rate helpful posts
Tags: Cisco Security
Similar Questions
-
Problem setting up a 7606 router for TACACS+ authentication
Hello support community.
I have two Cisco 7606 routers on which I have tried in vain to get users authenticated using TACACS+ servers. As shown below, I have two servers (1.1.1.1 and 2.2.2.2) reachable via VRF OAM, which is reachable from the desktop for SSH login. The real IPs and such have been changed because it is a company router.
I use the two servers to authenticate many other Cisco network devices, and they work properly.
I can reach the servers using the VRF and the source interface in use. I can also telnet to port 49 of the servers if I use the source interface and the VRF.
The server key is hidden, but at the time of configuration I could see that it is correct.
The problem is that after configuring AAA authentication, the router always uses the enable password instead of TACACS+. And although the debug output shows "bad password", why doesn't the router authenticate using TACACS+? Why is it using the enable password?
Please review the outputs below and help point out what I may need to change.
PS: I have tried many other combinations, including deprecated ones, without success, including the method proposed on this page.
http://www.Cisco.com/en/us/docs/iOS/sec_user_services/configuration/guide/sec_vrf_tacas_svrs.html
Please help, I'm stuck.
ROUTER#sh running-config | s aaa
aaa new-model
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
aaa session-id common
ROUTER#sh running-config | sec tacacs
aaa group server tacacs+ admin
 server name admin
 server name admin1
 ip vrf forwarding OAM
 ip tacacs source-interface GigabitEthernet1
aaa authentication login admin group tacacs+ local enable
tacacs server admin
 address ipv4 1.1.1.1
 key 7 XXXXXXXXXXXXXXXXXXXX
tacacs server admin1
 address ipv4 2.2.2.2
 key 7 XXXXXXXXXXXXXXXXxxxx
line vty 0 4
 login authentication admin
ROUTER#sh tacacs
Tacacs+ Server - public :
               Server name: admin
            Server address: 1.1.1.1
               Server port: 49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server - public :
               Server name: admin1
            Server address: 2.2.2.2
               Server port: 49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
Oct 22 12:38:57.587: AAA/BIND(0000001A): Bind i/f
Oct 22 12:38:57.587: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:38:57.587: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:02.327: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:04.335: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:04.335: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:08.675: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
Oct 22 12:39:10.679: AAA/AUTHEN/LOGIN (0000001A): Pick method list 'admin'
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:10.683: AAA/AUTHEN/ENABLE(0000001A): Done status GET_PASSWORD
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Processing request action LOGIN
Oct 22 12:39:14.907: AAA/AUTHEN/ENABLE(0000001A): Done status FAIL - bad password
ROUTER#sh ver
Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 30-Mar-12 08:34 by prod_rel_team
ROM: System Bootstrap, Version 12.2(33r)SRE, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, c7600rsp72043_rp Software (c7600rsp72043_rp-ADVIPSERVICESK9-M), Version 15.1(3)S3, RELEASE SOFTWARE (fc1)
ROUTER uptime is 7 weeks, 5 days, 16 hours, 48 minutes
Uptime for this control processor is 7 weeks, 5 days, 16 hours, 49 minutes
System returned to ROM by reload (SP by reload)
System restarted at 20:00:59 UTC Wed Aug 28 2013
System image file is "sup-bootdisk:c7600rsp72043-advipservicesk9-mz.151-3.S3.bin"
Last reload type: Normal Reload
Last reload reason: power
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
cisco CISCO7606-S (M8500) processor (revision 1.1) with 3670016K/262144K bytes of memory.
Processor board ID FOX1623G61B
BASEBOARD: RSP720
CPU: MPC8548_E, Version: 2.1, (0x80390021)
CORE: E500, Version: 2.2, (0x80210022)
CPU:1200MHz, CCB:400MHz, DDR:200MHz,
L1: D-cache 32 kB enabled
I-cache 32 kB enabled
Last reset from power-on
3 Virtual Ethernet interfaces
76 Gigabit Ethernet interfaces
8 Ten Gigabit Ethernet interfaces
3964K bytes of non-volatile configuration memory.
500472K bytes of internal ATA PCMCIA card (Sector size 512 bytes).
Configuration register is 0x2102
To resolve this problem, please replace the command below:
aaa authentication login admin group tacacs+ local enable
with:
aaa authentication login default group admin local enable
You have set the server group name as a method list, and instead of using admin as the server group you used tacacs+.
Note: please ensure that you have local users and the enable password configured, in case the TACACS+ server is unreachable.
~ BR
Jatin Kone
*Do rate helpful posts*
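The show tacacs counters in this thread (sockets opened and closed, not a single packet sent or received) are the quickest tell that the router never actually talked to its servers. The Python script below is an added example written for this page, not code from the thread or from any Cisco tool: it parses show tacacs output into per-server counters and applies a few defender-side heuristics. The field names follow the output format posted above; the sample text and the diagnostic rules are constructed for this example.

```python
import re

# Constructed sample, modelled on the `show tacacs` counters posted in the thread
# (two servers, sockets opened and closed, but no packet exchanged).
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server - public :
               Server name: admin
            Server address: 1.1.1.1
               Server port: 49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
Tacacs+ Server - public :
               Server name: admin1
            Server address: 2.2.2.2
               Server port: 49
              Socket opens:         15
             Socket closes:         15
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:          0
        Total Packets Recv:          0
"""

# "Field name: value" lines; the value is the last whitespace-separated token.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(\S+)\s*$")


def parse_show_tacacs(text):
    """Split `show tacacs` output into one dict per server block."""
    servers = []
    current = None
    for line in text.splitlines():
        if line.lstrip().startswith("Tacacs+ Server"):
            current = {}
            servers.append(current)
            continue
        m = FIELD_RE.match(line)
        if m is None or current is None:
            continue
        key = m.group(1).strip().lower().replace(" ", "_")
        value = m.group(2)
        current[key] = int(value) if value.isdigit() else value
    return servers


def diagnose(server):
    """Human-readable findings for one server's counters (heuristics, not IOS logic)."""
    name = f'{server.get("server_name", "?")} ({server.get("server_address", "?")})'
    opens = server.get("socket_opens", 0)
    sent = server.get("total_packets_sent", 0)
    recv = server.get("total_packets_recv", 0)
    findings = []
    if server.get("failed_connect_attempts", 0):
        findings.append(f"{name}: TCP connects to port {server.get('server_port', 49)} "
                        "are failing; check reachability, VRF and ACLs")
    if server.get("socket_timeouts", 0):
        findings.append(f"{name}: socket timeouts; the server accepted the connection "
                        "but did not answer in time")
    if opens and sent == 0:
        findings.append(f"{name}: sockets were opened but no TACACS+ packet was ever sent; "
                        "verify that the method list references the server group these "
                        "servers belong to, and the group's vrf / ip tacacs source-interface")
    elif sent and recv == 0:
        findings.append(f"{name}: packets sent but nothing received; check the shared key "
                        "and the AAA client definition on the server")
    return findings


def diagnose_all(text):
    """Parse a whole `show tacacs` capture and collect findings for every server."""
    findings = []
    for server in parse_show_tacacs(text):
        findings.extend(diagnose(server))
    return findings


if __name__ == "__main__":
    for finding in diagnose_all(SAMPLE_SHOW_TACACS):
        print(finding)
```

On the captured counters both servers trigger the "opened but never sent" finding, which matches the accepted answer: the method list pointed at the default tacacs+ group rather than the VRF-aware admin group, so no exchange ever took place.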
-
ACS 5.1 13030 TACACS+ authentication error question
Hi all
I am trying to set up a new TACACS+ server and am trying to update all the configurations of our network devices to point to the new server. Everything is looking fine so far, but on the ACS monitoring tool two of our switches are constantly spamming the '13030 TACACS+ authentication request is missing a username' error. The network admin group has no problem authenticating with these two switches, and they confirm that they are not trying to connect. Does anyone know if the ACS monitor will show any source IP addresses for these requests?
If you click on the details of your authentication error message, you should be able to find the 'Remote-Address' field, which should tell you the remote IP address.
If you don't see an IP in the 'Remote-Address' field, you may need to check the console port of the switch to see if something is connected to it, which could be causing the problem.
-
RADIUS and TACACS+ authentication
We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to configure ACS to allow a switch to use TACACS+ and RADIUS.
Can someone give me a pointer?
Thank you
You need to set up authentication on the switch like this:
aaa authentication login default group tacacs+ local
aaa authentication dot1x default group radius
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group radius
radius-server host 2.2.2.2 key cisco
tacacs-server host 2.2.2.2 key cisco
On ACS, you must add the switch twice.
ACS ---> Network Configuration ---> Add AAA Client
Host name: switch1
IP: 3.3.3.3
Authenticate Using: RADIUS (IETF)
Add another switch
Host name: switch2
IP: 3.3.3.3
Authenticate Using: TACACS+
Kind regards
~ JG
Do rate helpful posts
-
I have configured the aaa authentication banner and the aaa authentication fail-message on a router running 12.1(15). Authentication is done by ACS 3.0.2, which works very well.
Problem: the authentication banner does not appear (nothing but "Username:", not even "User Access Verification"), but if you enter a wrong password the fail message does appear. If I console in and unplug the interface, both messages work fine.
Workaround: if I set up a "banner login" then everything works fine too, but I can't work out why the "aaa authentication banner" does not display.
I suspect ACS is preventing the message, but I can't work out how. Can anyone suggest a solution?
Thank you very much!
By the way, what is the "radius-server administration" command? It doesn't seem to be documented, and it has no effect either way.
The banner command does not work if you do TACACS+ authentication; it works if you do RADIUS/local/etc. This is normal, because with TACACS+ you can have the server send the banner and prompts down (even though with ACS I don't think you can do that), and so if you have configured TACACS+ authentication the router ignores the banner command and waits to see if it gets one from the TACACS+ server itself. If it doesn't, it will simply display the usual prompts.
As for the "radius-server admin" command, honestly I have no idea; I have never seen anyone use it. The online help says "start the TACACS administrative messages daemon", but what it really does I don't know. Maybe someone else can help.
-
ISE 2.0 TACACS+ license consumption
Hi all
I was experimenting with TACACS+ in ISE 2.0.1 and noticed that no base licenses are consumed when I log in to a configured network device.
Whereas when I log in with RADIUS authentication, 1 base license is consumed per session. Is this behaviour intentional or a bug? As I intend to implement TACACS+ authentication on a fairly large network, it would strongly reduce my costs if I do not need the device licenses.
TACACS+ has its own license. It consumes no base licenses; those apply to the RADIUS area.
-
Configure router to use a specific interface IP address for TACACS+ authentication
How do I configure the router to use the IP address of a specific interface for all communication with the ACS server for TACACS+ authentication?
Thank you very much...
Use the command:
ip tacacs source-interface
-
No AAA authentication for switch
I'm puzzled by my issue. I have one switch out of 9 that cannot authenticate with our TACACS+ server. The configuration is the same as on every other switch, but when I try to log in using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
radius-server host X.X.33.XX
radius-server key 7 ?
I deleted the AAA configuration and then reconfigured it, as well as the RADIUS server information, and still no TACACS+ authentication. I gave the TACACS+ interface it should use, but same result. Any ideas?
Thank you
Robert
Robert,
Please make sure of the following:
- The TACACS+ server is reachable from the switch and port 49 is not blocked.
- If it is a layer 3 switch, then make sure to configure "ip tacacs source-interface XXXX" (the interface whose IP is set on the TACACS+ server).
- Check the secret key.
If the problem is still there then please get:
debug aaa authentication
debug tacacs
Kind regards
~ JG
-
ACS 5.1 - AD vs LDAP authentication
Any help on this would be great.
I can manage to get my account logged in on the Cisco switch with Active Directory configured in the external identity stores, but not with my LDAP setup. Here are a few logs, a successful login and an unsuccessful one with LDAP.
AD-SETUP
Selected Identity Store - AD1
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the global TACACS+ password configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using Previously Selected Access Service
Identity Policy was evaluated before; Continuing identity sequence
Authenticating user against Active Directory
Retrieving Active Directory user groups succeeded
Active Directory user authentication succeeded
After authentication
Access Policy
Access Service: Default Device Admin
Identity Store: CDs
Selected Shell Profile: Privilege mode
Active Directory Domain: Blah.com/results.htm
Group Membership:
Matched Access Service Selection Rule: Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: CDs
Requested Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule: Rule-1
The only problem with this configuration is that I can only add the domain (blah.com/results.htm in the example) and I get massive latency, since the authentication process goes out of state to other domain controllers instead of the local ones.
I can tell from the AAA status on the dashboard that the latency is about 8000ms, and the login to the switch is slow.
LDAP-SETUP
In my LDAP configuration I have a primary and a secondary hostname closer to home to avoid latency. I do a bind test that returns successfully on both hosts. I configure my Directory Organization tab and do a test configuration, which returns Groups > 100 and Subjects > 100.
I reset my identity stores to LDAP instead of AD and try again, but for some reason I get the 22056 object not found error! I just can't get it to work. Here are the details:
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the global TACACS+ password configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using Previously Selected Access Service
Identity Policy was evaluated before; Continuing identity sequence
Sending request to primary LDAP server
Authenticating user against LDAP Server
User search ended with an error
Primary server failover. Switching to secondary server
Sending request to secondary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply
Are there any ideas I can try so that it finds my account the way the AD structure did? Ideas please?
Cheers
Hi Ed,
Try using a standard LDAP browser (www.ldapbrowser.com) to view the LDAP structure. Verify that the base DN used for searches matches the structure.
Regards,
~JG
Do rate helpful posts
-
ACE with TACACS+ question
Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
The "optional" syntax does not work. Any idea if the argument is valid for this version of ACS?
service = exec
optional shell:Admin = domain Admin
I tried it with quotes, but that didn't work either.
Hello
This is a reference doc for configuring the ACE for TACACS+ authentication:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891
Under the custom attributes for TACACS+ we need to specify the attribute in the form:
shell:Admin*ADMIN MYDOMAIN1
= means mandatory attribute
* means optional
Information on context/role/domain (virtualization on ACE):
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html
Default roles on ACE:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
HTH
JK
Please rate helpful posts
-
TACACS+ then local when the connection is up
I have my switch configured for TACACS+ then local:
aaa authentication login default group MYGROUP local
And that works very well: I can log in via TACACS+, and when the servers are down I can log in via a local account.
However, is it possible to use local if TACACS+ authentication fails? For example, the servers are up but rejecting all authentications? I want it to check the local credentials if it gets an access denied from TACACS+.
Thank you
"However, is it possible to use local if TACACS+ authentication fails?"
It is not possible, because the server will send a reject message with auth failed, and the device will not go on to the next method in the event of a reject.
Now, there is always a slight catch with the Cisco TACACS+ server; if you have one, I can show you that.
Rate if useful :)
Knowledge sharing makes you immortal.
Kind regards
Ed
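Two threads on this page (the 7606 router that ends up prompting for the enable password, and the question of whether a TACACS+ reject can fall through to local) both come down to how IOS walks a login method list: a method that cannot answer (no reachable server in the group, no local usernames configured) returns an error and the next method is tried, while an actual answer, accept or reject, is final. The Python below is an added model of that rule written for this page; it is not IOS code. The server groups, the users, and the decision to treat an empty local database and a missing enable password as errors are assumptions made for the example.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "PASS"    # a method answered: credentials accepted
    FAIL = "FAIL"    # a method answered: credentials rejected (final)
    ERROR = "ERROR"  # the method could not answer; IOS tries the next one


def tacacs_group(servers):
    """Model of `group <name>`: the first reachable server decides; none reachable -> ERROR."""
    def method(username, password):
        for server in servers:
            if not server["reachable"]:
                continue
            return Outcome.PASS if server["users"].get(username) == password else Outcome.FAIL
        return Outcome.ERROR
    return method


def local(users):
    """Model of `local`: no local usernames -> ERROR (assumption), otherwise the local DB decides."""
    def method(username, password):
        if not users:
            return Outcome.ERROR
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return method


def enable(secret):
    """Model of `enable`: the enable password decides; none configured -> ERROR (assumption)."""
    def method(username, password):
        if secret is None:
            return Outcome.ERROR
        return Outcome.PASS if password == secret else Outcome.FAIL
    return method


def authenticate(method_list, username, password):
    """Walk the method list in order. Only ERROR moves on to the next method;
    PASS and FAIL are final. Returns (outcome, [(method name, outcome), ...])."""
    trace = []
    for name, method in method_list:
        outcome = method(username, password)
        trace.append((name, outcome))
        if outcome is not Outcome.ERROR:
            return outcome, trace
    return Outcome.FAIL, trace   # every method errored: the login is denied


# Constructed fixtures ------------------------------------------------------
TACACS_USERS = {"netadmin": "tacacs-pw"}
# The servers as seen through the global routing table (no vrf): unreachable.
DEFAULT_TACACS_GROUP = [{"reachable": False, "users": TACACS_USERS}] * 2
# The same servers in server group "admin", which carries `ip vrf forwarding OAM`.
ADMIN_GROUP = [{"reachable": True, "users": TACACS_USERS}] * 2
REJECTING_GROUP = [{"reachable": True, "users": {}}]
LOCAL_USERS = {"backup": "local-pw"}


def scenario_7606(password):
    """`aaa authentication login admin group tacacs+ local enable` with no local users:
    group tacacs+ and local both ERROR, so the enable password ends up deciding."""
    method_list = [("group tacacs+", tacacs_group(DEFAULT_TACACS_GROUP)),
                   ("local", local({})),
                   ("enable", enable("enable-pw"))]
    return authenticate(method_list, "netadmin", password)


def scenario_7606_fixed(password):
    """`... group admin local enable`: the VRF-aware group answers, so TACACS+ decides."""
    method_list = [("group admin", tacacs_group(ADMIN_GROUP)),
                   ("local", local({})),
                   ("enable", enable("enable-pw"))]
    return authenticate(method_list, "netadmin", password)


def scenario_reject_vs_down(servers_up):
    """`... group MYGROUP local`: a reject never falls through to local;
    only an unreachable group does."""
    group = REJECTING_GROUP if servers_up else [{"reachable": False, "users": {}}]
    method_list = [("group MYGROUP", tacacs_group(group)),
                   ("local", local(LOCAL_USERS))]
    return authenticate(method_list, "backup", "local-pw")


if __name__ == "__main__":
    print("7606 as posted :", scenario_7606("wrong"))
    print("7606 corrected :", scenario_7606_fixed("tacacs-pw"))
    print("servers reject :", scenario_reject_vs_down(True))
    print("servers down   :", scenario_reject_vs_down(False))
```

The trace of the first scenario ends at the enable method with FAIL, which is exactly what the AAA/AUTHEN/ENABLE lines in the 7606 debug show; the last scenario shows why the answer above is right that a reject from a live server never reaches the local database.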
-
I'm looking for documentation on configuring WCS controllers to use TACACS+ authentication. The current controllers use TACACS+ authentication, but we have two new controllers that we want to set up to use TACACS+. I tried adding TACACS+ authentication and authorization, but it does not work. Someone else set up the current controllers. Running WCS 6.x.
Hello
I understand that you mean the WLC (controller) and not the WCS (management software).
TACACS+ configuration on the WLC: http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html#wp1697872
I hope this helps.
Nicolas
===
Remember to rate the responses that you find useful
-
ACS 5.2 with different RADIUS authentication servers
Hello
I want to migrate from ACS 4.1 to ACS 5.2. I have already configured TACACS+ authentication, but now I'm stuck on the RADIUS authentication for the remote access WebVPN configuration. Please see the following diagram:
I want to configure ACS to use the WBS token server first. If authentication fails or the user is not found, ACS must use IAS on Windows Server. If that server fails too, ACS must use the internal DB. Additional attributes such as group membership or downloadable ACLs should be taken from the internal ACS DB.
Is it possible to configure ACS like that? In ACS 4.1 it is very easy to configure by selecting the per-user authentication method.
Thanks for your help!
There is an option in the Advanced tab of the 'RADIUS Identity Server' definition:
This identity store differentiates between 'authentication failed' and 'user not found' when an authentication attempt is rejected. From the options below, select how an authentication reject from the identity store should be interpreted by ACS for identity policy processing and reporting.
Treat rejects as 'authentication failed' / Treat rejects as 'user not found'. In order to continue in the sequence, I think you have to select the 'user not found' option.
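The 'treat rejects as user not found' option in the answer above decides whether an identity store sequence keeps going after a RADIUS reject, which is what the token server -> IAS -> internal DB chain in the question needs. The Python model below is an added example written for this page, not ACS code. The three stores and their users are constructed, and the rules that 'user not found' (and, assumed here, an unreachable store) continue the sequence while success and 'authentication failed' stop it are assumptions drawn from the answer above.

```python
PASS = "pass"
AUTH_FAILED = "authentication failed"
NOT_FOUND = "user not found"
UNREACHABLE = "unreachable"


class IdentityStore:
    """Hypothetical model of one entry in an ACS identity store sequence."""

    def __init__(self, name, kind, users, reject_as_not_found=False, reachable=True):
        self.name = name
        self.kind = kind                    # "radius" (proxied) or "internal"
        self.users = users                  # constructed username -> password
        self.reachable = reachable
        # The Advanced-tab option from the thread; only meaningful for RADIUS stores.
        self.reject_as_not_found = reject_as_not_found

    def authenticate(self, username, password):
        if not self.reachable:
            return UNREACHABLE
        if self.kind == "internal":
            # The internal DB knows whether the user exists at all.
            if username not in self.users:
                return NOT_FOUND
            return PASS if self.users[username] == password else AUTH_FAILED
        # A RADIUS server only answers Access-Accept or Access-Reject, so ACS
        # cannot tell "unknown user" from "bad password"; the option decides
        # how a reject is read.
        if self.users.get(username) == password:
            return PASS
        return NOT_FOUND if self.reject_as_not_found else AUTH_FAILED


def identity_sequence(stores, username, password):
    """Walk the sequence: PASS and AUTH_FAILED are final; NOT_FOUND and an
    unreachable store (assumed) move on to the next store."""
    trace = []
    for store in stores:
        result = store.authenticate(username, password)
        trace.append((store.name, result))
        if result in (PASS, AUTH_FAILED):
            return result, trace
    return NOT_FOUND, trace


def build_sequence(reject_as_not_found):
    """Token server -> IAS -> internal DB, as in the question (users constructed)."""
    return [
        IdentityStore("WBS token server", "radius", {"bob": "482913"}, reject_as_not_found),
        IdentityStore("IAS", "radius", {"carol": "iaspw"}, reject_as_not_found),
        IdentityStore("Internal Users", "internal", {"alice": "internalpw"}),
    ]


def login(username, password, reject_as_not_found):
    """Run one login through the sequence with the option set one way or the other."""
    return identity_sequence(build_sequence(reject_as_not_found), username, password)


if __name__ == "__main__":
    for setting in (False, True):
        outcome, trace = login("alice", "internalpw", setting)
        print(f"reject_as_not_found={setting}: {outcome} via {trace}")
```

With the option left at 'authentication failed', a user who exists only in the internal DB is stopped by the token server's reject; with 'user not found' the same login walks through all three stores and succeeds on the last one.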
-
ACS 5.1 stopped logging authentications after restart!
Hi all
I saved the running configuration at first startup and restarted ACS 5.1. Since then it has stopped logging authentications: I can log in to network devices using TACACS+ login, but I get no TACACS+ authentication logs? Your prompt response will be appreciated.
Rgds
HK
Hello
Can you please access the ACS CLI through SSH or console and run "show application status acs"? Are all ACS services running, or do some hang in the "Initializing" or "not monitored" state?
If so, you might want to try restarting the ACS services with "acs stop", then "acs start".
If the reports are not displayed under Monitoring and Reports, it is generally considered a problem with the ACS View services.
I hope this helps.
Kind regards.
-
RADIUS authentication fails for one of our network devices
ACS 5.1 is failing TACACS+ authentication to the ASA firewall, becomes
That's what I suspected. You will have to deregister the secondary ACS from the primary. Configure the appropriate clock and time zone on the secondary ACS to match both domain controllers. Both the clock change and the time zone change will restart the secondary ACS services for the changes to take effect.
After you have configured the time, we should "Test Connection" against AD from the secondary ACS interface. As soon as that works we can go ahead and save the changes and also register the secondary back to the primary.
This should solve the problem.
Kind regards.