AAA authentication and privileged mode
I want to configure AAA authentication with local user accounts on the switch. The idea is to land directly in privileged mode without having to type the enable command.
I have configured the following commands:
aaa new-model
aaa authentication login default local
What other commands (authorization) are necessary to get privileged mode directly?
Thank you
Pascal
Dear Sir
For the console you must issue one more command.
There is a hidden command within IOS that you will need to apply: "aaa authorization console".
That should fix it.
Kind regards
~ JG
Please rate helpful posts
Tags: Cisco Security
Similar Questions
-
AAA authentication and VRF-Lite
Hello!
I have run into a strange problem when using AAA RADIUS authentication together with VRF-Lite.
The setup is as follows. A /31 link net is configured between the PE and the CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used).
Access to the CE via telnet, console etc. is authenticated by our RADIUS servers, based on the following configuration:
--> Config start <--
aaa new-model
!
!
aaa group server radius RADIUS-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
!
aaa authentication login default group RADIUS-auth local
aaa authentication enable default group RADIUS-auth enable
...
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <removed>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <removed>
...
ip radius source-interface <interface> vrf 10
--> Config ends <--
The VRF-Lite instance is configured like this:
--> Config start <--
ip vrf 10
 rd 65001:10
--> Config ends <--
Now, if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a simple VPN installation), AAA/RADIUS authentication works very well. When I activate "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing tables when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, the AAA/RADIUS part is the only service that does not.
It may be necessary to include the ip vrf forwarding command in the server group config, as follows:
aaa group server radius RADIUS-auth
 server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
 ip vrf forwarding 10
See the document below for more details:
http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html
-
ACS 4.2 authentication and exec mode on a test router
The goal is to have ACS authenticate my username via SSH and, once authenticated, drop me straight into privileged exec mode. Details below.
I have an ACS Solution Engine 4.2 and a test router with the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa session-id common
tacacs-server host 10.4.4.21 single-connection
tacacs-server key $# $& $* #
The problem is the following. I can SSH and log in to the router using a user from the ACS database, but the router does not allow me to use the enable command in exec mode. The error it gives me is:
AAA_ROUTER_CLIENT>enable
% Authentication failure.
AAA_ROUTER_CLIENT>
I must be missing something in ACS. Any help would be appreciated.
You are missing this command:
aaa authorization exec default group tacacs+ if-authenticated
This is what you need on the router:
Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
On ACS
To bring users/groups to level 15:
1. Go to User Setup or Group Setup in ACS.
2. Scroll down to "TACACS+ Settings".
3. Check "Shell (exec)".
4. Check "Privilege level" and enter "15" in the adjacent field.
Kind regards
~ JG
Please rate helpful posts
-
AAA authentication not working with the 'default' method list
Guys,
I hope someone can help me with this AAA problem. I copied the configuration and debugs below. The router keeps using the local username/password even though the ACS servers are reachable and functional. From the debug, it seems it keeps using the 'default' method list and ignoring the TACACS+ config. Any help will be appreciated.
Config
**********************************
aaa new-model
!
username admin privilege 15 secret 5 xxxxxxxxxx
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
aaa session-id common
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
!
ip tacacs source-interface Vlan200
***************************
Debugs
002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list 'default'
002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line.  End with CNTL/Z.
core01(config)#
002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#
Are the TACACS+ servers reachable using source VLAN 200? Also, on the TACACS+ server, can you check that the IP address for this device is configured correctly, and please also check that the key on the server and on this device match.
As Rick suggested, "show tacacs" would be good as well. That would show the failures and the successes.
HTH
Kishore
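The debug above carries the whole diagnosis once it is read the way IOS means it: for the "configure terminal" authorization the router picked list 'default', tried tacacs+ and got a status of ERROR, then moved on to LOCAL, which answered PASS_ADD. In IOS AAA debugs an ERROR status means the method could not decide (the server did not answer, which is what an unreachable server, a wrong source address or a key mismatch all look like) and the next method in the list is tried; a FAIL means the server answered with a reject and the list stops there. So the router is not ignoring the TACACS+ configuration, it is falling back exactly as "group tacacs+ local" tells it to. The parser below is an added example written for this page, not Cisco tooling; it groups AAA/AUTHOR lines by session id, pairs each "Method=" line with the "Post authorization status" that follows it, and turns the sequence into a finding. The sample input is a trimmed, re-typed copy of the debug lines posted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed, re-typed copy of the 'debug aaa authorization'
# output posted above (session 2162495688, user 'admin' on tty0), embedded so
# the example runs offline.
SAMPLE_DEBUG = """\
002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list 'default'
002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
"""

SESSION_RE = re.compile(r"\((\d{6,})\)")
USER_RE = re.compile(r"user='([^']+)'")
LIST_RE = re.compile(r"found list '([^']+)'")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\w+)")
CMD_RE = re.compile(r"send AV cmd(?:-arg)?=(\S+)")


@dataclass
class AuthorSession:
    session_id: str
    user: str = ""
    method_list: str = ""
    command: list = field(default_factory=list)   # words of the command being authorized
    attempts: list = field(default_factory=list)  # (method, status) in the order tried

    @property
    def final_status(self):
        return self.attempts[-1][1] if self.attempts else None

    @property
    def fell_back_to_local(self):
        """True when every server method ERRORed and LOCAL made the decision."""
        return (len(self.attempts) > 1 and self.attempts[-1][0] == "LOCAL"
                and all(status == "ERROR" for _, status in self.attempts[:-1]))


def parse_author_debug(text):
    """Group AAA/AUTHOR lines by session id and pair each 'Method=' line with
    the 'Post authorization status' line that follows it."""
    sessions, pending = {}, {}
    for line in text.splitlines():
        sid_match = SESSION_RE.search(line)
        if not sid_match or "AAA/AUTHOR" not in line:
            continue                       # skips AUTHEN/LOGIN, BIND and MEMORY lines
        sid = sid_match.group(1)
        s = sessions.setdefault(sid, AuthorSession(sid))
        if (m := USER_RE.search(line)):
            s.user = m.group(1)
        if (m := LIST_RE.search(line)):
            s.method_list = m.group(1)
        if (m := CMD_RE.search(line)) and m.group(1) != "<cr>":
            s.command.append(m.group(1))
        if (m := METHOD_RE.search(line)):
            pending[sid] = m.group(1)
        if (m := STATUS_RE.search(line)) and sid in pending:
            s.attempts.append((pending.pop(sid), m.group(1)))
    return sessions


def diagnose(s):
    """Translate the attempt sequence into the finding an operator acts on.
    ERROR = the method could not decide (server unreachable, key mismatch,
    wrong source address); FAIL = the server answered and denied."""
    if s.fell_back_to_local:
        servers = "/".join(m for m, _ in s.attempts[:-1])
        return ("server-error-local-fallback",
                f"{servers} returned ERROR for '{' '.join(s.command)}'; "
                f"LOCAL decided ({s.final_status}) - check reachability and key")
    if s.final_status == "FAIL":
        return ("server-deny", "server answered and rejected the request")
    return ("ok", f"{s.attempts[-1][0]} decided {s.final_status}")


if __name__ == "__main__":
    for sid, sess in parse_author_debug(SAMPLE_DEBUG).items():
        print(sid, sess.user, sess.attempts, diagnose(sess))
```

Run against the posted debug it reports one session for user admin whose tacacs+ attempt ended in ERROR before LOCAL granted PASS_ADD, which points at the server side (reachability from VLAN 200, the device entry and the shared key) rather than at the method-list configuration.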
-
ACS - logging in to privileged mode
I have configured a single client, the remote agent and ACSE. I am able to authenticate to the device via AD. It prompts me for credentials, and then I'm in user mode. I then issue the enable command to enter privileged mode, and it prompts me to authenticate again. My question is: how do I configure ACS so that I enter privileged mode directly once I've authenticated? I do not want to land in user mode first and then have to authenticate again to enter privileged mode. Any help would be greatly appreciated. Thank you!
To bring users/groups to level 15:
1. Go to User Setup or Group Setup in ACS.
2. Scroll down to "TACACS+ Settings".
3. Check "Shell (exec)".
4. Check "Privilege level" and enter "15" in the adjacent field.
Also make sure that exec authorization is enabled:
aaa authorization exec default group tacacs+ if-authenticated
Kind regards
~ JG
Please rate helpful posts
-
ASA system context enable AAA authentication
Hello!
We have an ASA running in multiple-context mode with 8.4(2) software, configured for AAA.
The configuration in the admin context is as follows:
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
 key *
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
Because of the multiple contexts, after logging in we land in the system context. Console port authentication works very well, except for access to privileged mode when connecting through the console port.
After issuing the 'enable' command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do accounting and user-level command authorization.
It seems that the ASA in the system context is not aware of the AAA configuration at all, and there is no command to configure AAA in the system context.
Is there a way to configure enable AAA authentication in the system context?
Thanks in advance!
Hello
It looks like you have hit the following known issue:
Admin context enable mode compared to system context DB credentials
Symptom: In a multi-mode configuration, the credentials a user enters to reach privileged (enable) mode via the serial console are not sent to an external server for authentication.
Conditions: ASA/PIX is in multi mode. Serial console and enable console authentication are configured to use an external aaa server in the admin context.
Workaround: Option 1: Configure the enable password in the system context. Option 2: Avoid using the serial console interface and rely on telnet or ssh console access. For SSH or telnet consoles, attempts to enter enable mode are authenticated as specified by the aaa configuration in the "admin" context.
Further Problem Description: When authentication is enabled for the serial console and enable console in the admin context via an external aaa server (for example radius or tacacs+), the serial console password is checked against the external aaa server, but the enable mode credentials are compared with the enable db in the system context.
Hope that clarifies it. Unfortunately there is no fix for this problem.
Kind regards.
-
AAA authentication in Cisco router
I want to create a username and password with a privilege level for each user on a Cisco 3640 router. I don't have any authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest how I should proceed?
Thanks in advance
Hello
If you want to create users in the local database of the router, you must use the following commands:
username cisco privilege 5 password test
aaa new-model
aaa authentication login default local
aaa authorization exec default local
Thank you
Sujit
-
AAA authorization and the show logging command
Hello guys,
I am running IOS 15 on some routers and using ACS version 5.3.0.40.5 for authentication and authorization.
I would like a group of users to be unable to access configuration mode but able to issue all show commands.
However, the show logging command doesn't seem to work in user mode.
Ideas or workarounds are welcome.
Thanks in advance.
Does your command set look like the one in the link listed below, for read-only access?
~ BR
Jatin kone
* Please rate helpful posts *
-
TACACS+ authentication and authorization on IOS XR
Hi all
I am trying to connect several IOS-XR devices in our lab (ASR, GSR and CRS) to our TACACS+ server (Cisco Secure ACS release 4.2(0)). The objective is for TACACS+ to handle authentication, authorization and command control for the user on all non-console CLI connection types (telnet and SSH). I don't use any HTTP server to access the devices, and I want console login to stay on local credentials.
I have several IOS devices connected to this TACACS+ server with the following AAA-related configuration. I would like to implement the same principles on IOS-XR, but given that the command structure is different and I could not work out how to do it from the manual, I need your expert help:
aaa new-model
!
!
aaa group server tacacs+ acs-servers-group
 server
!
aaa authentication login default local
aaa authentication login local_vty local
aaa authentication login console local
aaa authentication login acs group acs-servers-group local
aaa authorization exec default group tacacs+
aaa authorization commands 15 acs_cmds group tacacs+
aaa authorization commands 15 local_cmds none
!
!
!
!
!
aaa session-id common
!
...snip...
!
username * privilege 15 secret 5 *
!
...snip...
!
tacacs-server host
tacacs-server key 7
tacacs-server directed-request
!
...snip...
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 authorization commands 15 acs_cmds
 login authentication acs
 transport preferred telnet
 transport input all
line vty 5 15
 exec-timeout 0 0
* Note: the IOS-XR devices run versions 4.1.2 and 4.2.0
Many thanks for any help that you could provide
Lior
Lior,
You must return the task ID and/or task groups in order to make this work. In my experience working with these platforms, it is really unnecessary to proceed with command authorization if you trust the task IDs/groups that are built into the ASR.
The flow for TACACS+ command authorization on these devices is a bit different from traditional IOS (unless something has changed in the last 6 months): when the user tries to run a command, TACACS+ command authorization is triggered only if the command falls under the umbrella of the task. If it does not, command authorization is never triggered.
Here are some documents that I feel will help you:
https://supportforums.Cisco.com/docs/doc-15944
Thank you
Tarik Admani
* Please rate helpful posts *
-
802.1X authentication and X.509 certificate questions
Hello
Can someone please help me with the following question:
First off, I am a Windows Server/PKI/AD guy rather than a Cisco one, even if I have a CCNA :)
I take care of PKI at my company and will be working with the Cisco team that is introducing Cisco's ISE; we will use X.509 certs on the supplicants (mainly Windows desktops/laptops).
What I want to know is something pretty basic, but I have not seen it written anywhere.
Question 1:
First off, I guess it's the AAA (ISE) server that is the entity that verifies the supplicant's X.509 certificate, rather than the AP (wireless access point or router, for example)? Is that correct?
Question 2:
As the supplicant's X.509 certificate is public (i.e. it is not secret and anyone can ask for it, which is normal), I guess the AAA server must encrypt a value (a random number, for example) with the supplicant's public key (from the X.509 cert) and send this value to the supplicant, which decrypts it with its private key (which no one else has, as usual). Then the supplicant encrypts the same value with the AAA server's public key (which is held in the AAA server's X.509 cert) and sends it to the AAA server; once the AAA server decrypts it (with its private key), if the value matches the value originally sent to the supplicant then the AAA server can continue with authentication etc.
Is the above assumption correct?
If the above is correct, does ISE always act like that, or can you lower the security and get the ISE server to just check whether it trusts the issuer of the supplicant's X.509 cert (CRL check OK) and not bother sending the encrypted packet described above (which of course would not ensure that supplicant-1 is actually "supplicant-1")?
Thank you very much in advance
Ernie
Answers:
1 - Yes, ISE verifies the certificate presented by the end-user device (supplicant) against its trusted certificate authority store; you import the root and intermediate certificates into ISE where you use non-public CA servers (this is my case for EAP-TLS), or public ones such as Verisign, Entrust, etc. UNFORTUNATELY, ISE allows you to have only 1 cert for EAP use in the list (PEAP, EAP-TLS, etc.), which means that you CANNOT run EAP-TLS and PEAP on different SSIDs. The problem now is that Entrust, for example, uses an intermediate called Entrust L1K which is not included in the trusted CAs on Apple and Win 7 devices. This causes an untrusted certificate warning on iPads, where you then need to trust this certificate, but on Win 7 the PEAP TLS tunnel setup will fail and the connection cannot be established unless you uncheck "Validate server" on Win 7 for this SSID profile.
2 - You can create a condition that validates the issuer cert, but the allowed protocol is EAP-TLS or PEAP, so the actual process for one of these protocols, based on my understanding, does take place. For example with PEAP, the TLS tunnel setup is the 1st step, so once the secure tunnel is established the inner MSChapv2 + EAPOL is performed and finally the data passes through the tunnel.
-
I have configured the aaa authentication banner and aaa authentication fail-message on a router running 12.1(15); authentication is done by ACS 3.0.2, which works very well.
Problem: the authentication banner does not appear (nothing is shown apart from "Username:", not even "User Access Verification"), but the fail message does appear if you enter a wrong password. If I console in and unplug the interface, both messages work fine.
Workaround: if I set up a login banner then everything works fine too, but I can't work out why the aaa authentication banner does not display.
I suspect ACS is preventing the message, but I can't work out how. Can anyone suggest a solution?
Thank you very much!
By the way, what is the "tacacs-server administration" command? It doesn't seem to be documented, and it seems to have no effect either way.
The banner command does not work if you do TACACS+ authentication; it will work if you do RADIUS/local/etc. This is normal, because with TACACS+ you can have the server send the banner and prompts down (even if with ACS I don't think you can do it), so if you have configured TACACS+ authentication the router ignores the banner command and waits to see if it gets one from the TACACS+ server itself. If it does not, it simply displays the usual prompts.
As for the "tacacs-server administration" command, honestly, I have no idea; I have never seen anyone use it. Online help says "start handling of TACACS+ daemon administrative messages", but what it really does I don't know; maybe someone else can help.
-
aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command:
aaa authentication enable default group tacacs+ enable
What happens if I connect via the console? Do I need to enter a username and password?
Here is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host <ip>
tacacs-server key <key>
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty start-stop group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
It should work, because it is a prompt/banner message shown whenever you try to connect (console/vty). I set it up on my router.
If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner & prompts displayed:
************************************************************
* Username: cisco, password: cisco (priv 15 - local)       *
************************************************************
Unauthorized use is prohibited.
Enter your name here: User1
Now enter your password:
Router#
The configuration more or less looks like this:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Now enter your password:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK
-
AAA authentication configuration
We have an ACS server 3.1 doing AAA authentication for all routers and switches. I want each person to log in to the router using their own ID, password and enable password. If the ACS server is unavailable, I want to have a different ID, password and enable password for console and telnet access. What is the right way to do this? I also want to track all commands entered on the router.
This is what I have:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
username admin password 7 xxxxxxxxxxxxxxxx
!
!
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
Yes, Joy is right. Thank you, Renault
-
HTTP using aaa authentication when the TACACS+ server is down
I set up AAA using TACACS+ and everything works well except for HTTP authentication through a browser or Network Assistant when the TACACS+ server is down. For console and telnet connections, authentication falls back to the line password when TACACS+ is out of service.
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default stop-only group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
ip http authentication aaa
!
tacacs-server host 10.161.161.20
tacacs-server key 111111
It must be something to do with the fact that over HTTP or CNA it connects to the router at level 15, but I have played with all sorts of different authorization commands and cannot get it to work.
Paul
What do you want to do for authentication if the TACACS+ server is down? For telnet and console access you can use line as a backup method because it is possible to configure a password for the line on the console and vty ports. Which type of backup method do you want for HTTP? The one that seems most logical to me would be local authentication, in order to cover the situation where the server is down.
To use local authentication, you must do the following:
- create a local user definition (maybe more than one if you need extended security).
- specify a special method list for aaa authentication.
- specify that http uses the special method list.
The configuration might look like this:
username tech1 password tech1
aaa authentication login http_auth group tacacs+ local
ip http authentication aaa login-authentication http_auth
Or you can decide to use the enable secret (or enable password, whichever is configured). The config might look like this:
aaa authentication login http_auth group tacacs+ enable
ip http authentication aaa login-authentication http_auth
If you want a different backup method, let us know what it is and we'll see how it could be implemented.
HTH
Rick
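Rick's answer above, like the earlier threads, turns on how IOS walks a method list: the next method is consulted only when the previous one returns an error (typically an unreachable server), never when it returns a reject; and the level a session lands at comes from exec authorization, not from the login list, which is why the first thread's privilege-15 local user still needed "aaa authorization exec default local" and why "if-authenticated" is the usual backstop when the server is down. The following Python model is an added example written for this page, not Cisco code. It covers only the login methods ("group tacacs+", "local", "line", "enable", "none") and exec-authorization methods ("group tacacs+", "local", "if-authenticated", "none") that appear in these threads, uses constructed usernames and passwords, and reduces a TACACS+ reply to a reachable/unreachable flag plus a per-user privilege level.

```python
from dataclasses import dataclass, field
from typing import Optional

ERROR, PASS, FAIL = "ERROR", "PASS", "FAIL"
LINE_LEVEL = 1  # level an exec session starts at unless exec authorization raises it


@dataclass
class TacacsServer:
    reachable: bool
    # username -> (password, privilege level the server's shell profile returns)
    users: dict = field(default_factory=dict)


@dataclass
class Device:
    # 'username <u> privilege <n> secret <p>' entries
    local_users: dict = field(default_factory=dict)
    line_password: Optional[str] = None   # 'password ...' under line con/vty
    enable_secret: Optional[str] = None   # 'enable secret ...'


def authen_method(method, dev, srv, user, pw):
    """One 'aaa authentication login' method. Authentication alone never grants
    more than LINE_LEVEL; it only says yes, no, or 'I could not decide' (ERROR)."""
    if method == "group tacacs+":
        if not srv.reachable:
            return ERROR, LINE_LEVEL          # no answer: IOS moves to the next method
        rec = srv.users.get(user)
        return (PASS if rec and rec[0] == pw else FAIL), LINE_LEVEL
    if method == "local":
        rec = dev.local_users.get(user)
        if rec is None:
            return ERROR, LINE_LEVEL          # unknown local user is an error, not a reject
        return (PASS if rec[0] == pw else FAIL), LINE_LEVEL
    if method == "line":
        if dev.line_password is None:
            return ERROR, LINE_LEVEL
        return (PASS if pw == dev.line_password else FAIL), LINE_LEVEL
    if method == "enable":
        if dev.enable_secret is None:
            return ERROR, LINE_LEVEL
        return (PASS if pw == dev.enable_secret else FAIL), LINE_LEVEL
    if method == "none":
        return PASS, LINE_LEVEL
    raise ValueError(f"unknown authentication method {method!r}")


def author_method(method, dev, srv, user):
    """One 'aaa authorization exec' method; the only step that can land the
    session above LINE_LEVEL."""
    if method == "group tacacs+":
        if not srv.reachable:
            return ERROR, LINE_LEVEL
        rec = srv.users.get(user)
        return (PASS, rec[1]) if rec else (FAIL, LINE_LEVEL)
    if method == "local":
        rec = dev.local_users.get(user)
        return (PASS, rec[1]) if rec else (ERROR, LINE_LEVEL)
    if method == "if-authenticated":
        return PASS, LINE_LEVEL               # login already succeeded to get here
    if method == "none":
        return PASS, LINE_LEVEL
    raise ValueError(f"unknown authorization method {method!r}")


def run_list(methods, fn):
    """Walk a method list the way IOS does: ERROR means 'try the next method';
    PASS or FAIL ends the evaluation. Every method erroring is a FAIL."""
    for m in methods:
        verdict, priv = fn(m)
        if verdict != ERROR:
            return verdict, m, priv
    return FAIL, None, LINE_LEVEL


def exec_session(dev, srv, user, pw, login_list, exec_list=()):
    """Model one CLI login: the login list, then (if configured) the exec
    authorization list. Returns who decided and where the session lands."""
    verdict, by, _ = run_list(login_list, lambda m: authen_method(m, dev, srv, user, pw))
    result = {"login": verdict, "authen_by": by, "exec": None,
              "author_by": None, "priv": LINE_LEVEL}
    if verdict != PASS or not exec_list:
        return result                         # no exec authorization: user must 'enable'
    verdict, by, priv = run_list(exec_list, lambda m: author_method(m, dev, srv, user))
    result.update(exec=verdict, author_by=by,
                  priv=priv if verdict == PASS else LINE_LEVEL)
    return result


# Constructed sample data (not from the threads): one server, one device.
SERVER_UP = TacacsServer(reachable=True, users={"netops": ("Srv-Pass", 15)})
SERVER_DOWN = TacacsServer(reachable=False, users=SERVER_UP.users)
DEVICE = Device(local_users={"admin": ("Loc-Pass", 15)},
                line_password="Line-Pass", enable_secret="En-Sec")

if __name__ == "__main__":
    # 'login default local' alone lands a privilege-15 user at level 1 ...
    print(exec_session(DEVICE, SERVER_DOWN, "admin", "Loc-Pass", ["local"]))
    # ... until 'authorization exec default local' is added.
    print(exec_session(DEVICE, SERVER_DOWN, "admin", "Loc-Pass", ["local"], ["local"]))
    # A reachable server that rejects the password is FAIL; local is never consulted.
    print(exec_session(DEVICE, SERVER_UP, "netops", "wrong", ["group tacacs+", "local"]))
```

The three calls at the bottom reproduce the first thread (local login without exec authorization stays at level 1, with it the user lands at 15) and the point that "group tacacs+ local" only reaches "local" when the server does not answer; Rick's HTTP fallbacks are the same walk with "line" or "enable" as the second method.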
-
No AAA authentication for switch
I'm puzzled by this one. I have one switch out of 9 that cannot authenticate with our TACACS+ server. The configuration is the same as on every other switch, but when I try to open a session using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
tacacs-server host X.X.33.XX
tacacs-server key 7 <removed>
I deleted the aaa configuration and then reconfigured it, as well as the TACACS+ server information, and still no TACACS+ authentication. I specified the interface TACACS+ should use, but same result. Any ideas?
Thank you
Robert
Robert,
Please make sure of the following:
- The TACACS+ server is reachable from the switch and port 49 is not blocked.
- If it is a layer 3 switch, then make sure to configure "ip tacacs source-interface XXXX" (the interface whose IP is set for this device on the TACACS+ server).
- Check the secret key.
If the problem is still there then please get:
debug aaa authentication
debug tacacs
Kind regards
~ JG