AAA Configuration
Hello
Can someone help me? I'm trying to implement RADIUS authentication for my routers and Cisco switches. Could someone give me some configuration examples, or a tip on how to put my switches and routers on a RADIUS server and how to test RADIUS authentication, using a locally configured account only if RADIUS fails?
I tried the configuration below but I am not sure if it is correct:
aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius
radius-server host 10.132.100.1 auth-port 1812 acct-port 1813 key ciscosecure
radius-server retransmit 3
Thank you
Fernanda
Hi Fernanda,
Your setup seems to be OK.
You can find more information here:
Hope this is useful. If so, please rate.
Kind regards
Rafael Lanna
Tags: Cisco Security
Similar Questions
-
Cannot console the device after AAA configuration
I've implemented ISE in my environment and, since configuring my devices to authenticate against the server, I have not been able to connect to the devices over the console connection.
Here is an excerpt of the device configuration.
username administrator privilege 15 password 7 06205F334868591A1004
aaa new-model
!
aaa group server radius ISE_Servers
 server 10.200.1.19 auth-port 1645 acct-port 1646
 server 10.200.2.19 auth-port 1645 acct-port 1646
!
aaa authentication login default group ISE_Servers local
aaa authentication enable default group ISE_Servers
aaa authorization exec default group ISE_Servers local if-authenticated
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group ISE_Servers
aaa accounting connection default start-stop group ISE_Servers
radius-server host 10.200.1.19 auth-port 1645 acct-port 1646 key 7 0231504919570126581E0754241411585951
radius-server host 10.200.2.19 auth-port 1645 acct-port 1646 key 7 097B1A1B0B5419151F5C0A670A272B606077
!
line con 0
 exec-timeout 0 0
 password 7 1068590B 013142081917
line vty 0 4
 password 7 096A1E1B1D2347111E1F
 length 0
line vty 5 15
 password 7 096A1E1B1D2347111E1F
!
Any help or advice would be greatly appreciated.
Thank you
ISE_Servers is a RADIUS server group name. In fact, a default method list has been applied:
aaa authentication login default group ISE_Servers local
Jatin kone
Please rate useful posts.
Hi guys,
I want to use one server as primary, and Cisco ISE is said to have the (ACS + NAC) features there. I want to activate AAA on the box right now using ISE services.
I used ACS earlier and want to configure the same functions in this respect:
Authentication of devices in ISE for remote login to switch/router/firewall.
Authorization, so that ISE controls what can be done based on the user login.
Accounting of the command details and of user connections and disconnections.
I have very basic knowledge of ISE but I used ACS thoroughly.
Please help with the question above.
Thanks in advance
Regards
You've probably used TACACS+ with your ACS; you cannot migrate this functionality to ISE, since ISE does not support TACACS+. You must keep the device admin stuff on ACS.
-
Cisco ASA 8.3 LDAP AAA configuration with Microsoft Active Directory server fails
Hello
I'm trying to implement LDAP authentication for remote SSL VPN users as in the image below:
When I click the test button and enter a user name and password I get the message 'authentication rejected: user not found'.
Why? Please help, I am running out of options here... Thank you very much in advance.
Use the login DN in the following format:
[email protected]/ * / _name and let me know how it goes.
If the suggestion above does not work then please run 'debug ldap 255' and paste the result here.
Rgds, jousset
Please rate useful posts.
-
Need help with AAA configuration
I am trying to configure AAA on my network devices. I use TACACS+ with an ACS (3.2) server. I have two user groups set up in the ACS, one with enable privileges and the other without. I am able to get the AAA configuration to work when telnetting into the devices. However, when connecting on the console port, the users in the group with enable privileges do not go directly into enable mode as the telnetted users do. How do I solve this problem?
Hello
You should not use the following command:
aaa authorization console
This command will not be displayed in the help.
Kind regards
Vivek
-
Configuring AAA to include local auth for console connections
Recently, during a maintenance window, I found that my AAA configurations are not set up to use local authentication if the AAA server is unavailable. I could use a little help in making sure I have the correct configuration. Here is what I set up today:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authorization auth-proxy default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host x.x.x.x
tacacs-server timeout 120
tacacs-server application made
tacacs-server key
Good... If you want a fallback, you will need to configure it on your aaa authentication login and enable lines. Throw a 'local' keyword on the end of those, and you will get what you are looking for.
I'm a little worried that 'aaa authentication console' does not appear in your configuration. It makes me think that it will not survive the next reload.
Are you running the latest revision of your IOS version?
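Fernanda's opening question and this thread both come down to the same check: does every method list fall back to 'local', and is every line covered? This added Python checker is not from any post on this page; the sample config, address and key are constructed placeholders, and the rules it applies are the ones the replies above state.

```python
import re

# Constructed sample in the style of the configs posted above; the address and
# key are placeholders, not any poster's values.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group radius
aaa authentication enable default group radius local
aaa authorization exec default group radius
aaa accounting network default start-stop group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE_KEY
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
"""

METHOD_RE = re.compile(r"aaa (authentication|authorization) (\S+) (\S+) (.+)")

def check_aaa(config):
    """Return findings about method lists that would lock admins out."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    lists = {}  # (kind, subtype, list name) -> method keywords
    for l in lines:
        m = METHOD_RE.match(l)
        if m:
            kind, sub, name, methods = m.groups()
            lists[(kind, sub, name)] = methods.split()
    # 1. A list that names only server groups has nothing to fall back to;
    #    if the server is unreachable every login (or exec) on it fails.
    for (kind, sub, name), methods in lists.items():
        if not {"local", "none", "if-authenticated"} & set(methods):
            findings.append(f"aaa {kind} {sub} {name}: no fallback after '{' '.join(methods)}'")
    # 2. 'login authentication X' on a line must name a list that exists,
    #    otherwise that line cannot be logged in to at all.
    defined = {name for (kind, sub, name) in lists if (kind, sub) == ("authentication", "login")}
    current = None
    for l in lines:
        if l.startswith("line "):
            current = l
        m = re.match(r"\s*login authentication (\S+)$", l)
        if m and m.group(1) not in defined:
            findings.append(f"{current}: login authentication '{m.group(1)}' is not a defined list")
    # 3. Exec authorization skips the console unless the hidden command
    #    'aaa authorization console' is present (see the console threads).
    if any(l.startswith("aaa authorization exec") for l in lines) \
            and "aaa authorization console" not in lines:
        findings.append("aaa authorization exec is set but 'aaa authorization console' is missing")
    return findings
```

Run it against a config pasted from a device before a maintenance window; an empty list means every list has a fallback and every line points at a list that exists.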
-
No AAA authentication for switch
I'm puzzled by this one. I have one switch out of 9 that cannot authenticate with our TACACS+ server. The configuration is the same as on every other switch, but when I try to open a session using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch.
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
tacacs-server host X.X.33.XX
tacacs-server key 7
I deleted the AAA configuration and then reconfigured it, as well as the TACACS server information, and still no TACACS+ authentication. I set the source interface TACACS+ should use, but same result. Any ideas?
Thank you
Robert
Robert,
Please make sure of the following:
- The TACACS server is reachable from the switch and port 49 is not blocked.
- If it is a layer 3 switch, make sure to configure 'ip tacacs source-interface XXXX' (the interface whose IP is set in the TACACS server).
- Check the secret key.
If the problem is still there then please get:
debug aaa authentication
debug tacacs
Kind regards
~ JG
-
Excluding a terminal server line from AAA authentication
Hi all
Hope you can help; I'm trying to find a way to exclude only the following line port from AAA authentication (ACS TACACS+) on a terminal server card in a Cisco 2600 router. Does anyone know how to do this, or can you point me in the right direction?
I've included the output below:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
line 41
 session-timeout 20
 location decoder - XXXXXX XXXXXX BT
 no motd-banner
 no exec-banner
 absolute-timeout 240
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 38400
Is it a matter of disabling the command on the line or of using a defined group?
Thanks a lot for your help.
Jim.
Hi Jim
You may need to create another group for authentication of the aux line and point your AAA configuration at it:
line aux 0
 login authentication aux_auth
aaa authentication login aux_auth line
You can also configure a local username/pw and map it onto the group here...
Console and telnet would still use the configured default group, or you can specify specific groups:
line con 0
 login authentication console
line vty 0 4
 login authentication vty
and specify the aaa authentication settings individually...
I hope this helps... all the best
REDA
-
In the AAA configuration guide, it says you must apply the method list to lines and interfaces, but if I use 'aaa authentication login' it apparently applies the authentication method to all logins anyway?
Is it because I'm using a default method list, and I only need to apply named method lists to interfaces or lines? But as I don't have any, the default is used.
When we use default, it is applied to all lines. If there is no method list defined on the interface, the default will take effect.
Kind regards
~ JG
-
I have an AAA configuration question. I'm setting up a router so that when users access it over the vty lines, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test aaa group AUTH administrator xxxxxxx legacy' it gives the following error:
Attempting authentication test to server-group AUTH using radius
*Mar 1 01:01:04.991: AAA: parse name=<no string> idb type=-1 tty=-1
*Mar 1 01:01:04.991: AAA/MEMORY: create_user (0x6417FF80) user='Administrator' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
No authoritative response from any server.
RTR#
*Mar 1 01:01:23.647: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.243:1812,1813 is not responding.
*Mar 1 01:01:23.655: AAA/MEMORY: free_user (0x6417FF80) user='Administrator' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
*Mar 1 01:01:23.655: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.243:1812,1813 is being marked alive.
I also tried the default ports for authentication, but still no luck. I am able to ping the RADIUS server from the router and the router from the RADIUS server.
The RADIUS server is installed in VMware and the router is emulated in Dynamips.
Here is the configuration of the router:
RTR#sh run
Building configuration...
Current configuration : 863 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa group server radius AUTH
 server 172.16.1.243 auth-port 1812 acct-port 1813
!
aaa authentication login AUTH group radius
!
aaa session-id common
memory-size iomem 5
!
ip cef
!
interface Loopback1
 no ip address
!
interface FastEthernet0/0
 ip address 172.16.1.241 255.255.255.0
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
ip radius source-interface FastEthernet0/0
!
radius-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login authentication AUTH
!
end
Do you see any hits in the 2003 event logs? If not, the request is not reaching the RADIUS server.
Do not forget that Dynamips sometimes shows abnormal behavior. Since you are able to ping, connectivity seems to be just fine here.
Check the shared secret key and make sure that the RADIUS ports are open; check whether there is a firewall between the two.
Kind regards
~ JG
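The RADIUS_DEAD messages above and JG's advice to check the shared secret are linked: a NAS validates every reply with the key from 'radius-server host ... key', so a mismatched secret is not reported as a rejection but as a server that never answers. This added Python model (not from any post here) implements the RFC 2865 Response Authenticator check; the secrets and the single attribute are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_response(code, ident, request_auth, attrs, secret):
    """Server side: the reply to a request that carried request_auth."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """NAS side. A reply whose authenticator does not match the local secret is
    silently dropped, so the NAS sees neither Accept nor Reject, retransmits,
    and finally logs the server as dead."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)

def exchange(nas_secret, server_secret):
    """Constructed exchange: the server answers an Access-Request with an
    Access-Accept (code 2); returns whether the NAS would trust the reply."""
    ident = 0x2A
    request_auth = os.urandom(16)            # Request Authenticator the NAS sent
    attrs = struct.pack("!BBI", 6, 6, 1)     # Service-Type (6) = Login-User (1)
    reply = build_response(2, ident, request_auth, attrs, server_secret)
    return verify_response(reply, request_auth, nas_secret)

if __name__ == "__main__":
    # Placeholder secrets, not the key from any config on this page.
    print("matching secrets:", exchange(b"s3cret", b"s3cret"))   # True
    print("mismatched secrets:", exchange(b"s3cret", b"typo"))   # False
```

The same check also rejects a reply whose attributes were altered in transit, which is why a correct key matters for more than just getting an answer.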
-
Hey everybody,
I'm working on a RADIUS AAA configuration for our remote ASA firewalls. It's pretty simple, but I have some firewalls that it does not work on. I upgraded the image on each ASA 5510 to asa804-k8.bin. The weird part is that some of them work and some of them do not.
I was wondering if anyone else has encountered this before, and what information you need from me to point me at a reference that would help.
Thanks in advance,
Kimberly
Hi Kimberly,
Just curious: why 8.0.4 and not 8.0.5?
What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS servers? Did you use the right shared secret?
Is there something different between the ASAs that work and those that don't? Configuration, location in the network, etc.?
If the above does not help, please post the config of a failing ASA (or at least the relevant items, and be sure to remove all sensitive data) and the output of:
debug radius
debug aaa authentication
debug aaa common 254
You can test only the RADIUS part with the command 'test aaa-server authentication ...'
HTH
Herbert
-
Why can't I run show running on a Cisco switch?
On a single switch, I found that some commands, such as show running or copy running-config tftp:, do not work on a Cisco WS-C2960X-24TS-L switch; see below. How can I use these commands as usual? Thank you.
Building1_FAA_6F_SW3#sh run
Building configuration...
Current configuration : 100 bytes
!
! No configuration change since last restart
!
boot-start-marker
boot-end-marker
!
end
---------------------------------------------------
Building1_FAA_6F_SW3#copy running-config tftp:
^
% Invalid input detected at '^' marker.
OK, so the information you provided in your latest messages confirms that the privilege level you get via telnet/vty is different from the one you get via the console. This is due to the AAA configuration, which applies to the vty ports but not to the console port.
So if you want the same rules to apply to the console port, then you must configure the console port for AAA as well.
If you don't want these rules then you need to remove the AAA configuration. The best way to remove it is by typing 'no aaa new-model'. However, be careful not to lock yourself out of the unit. Make sure you have local accounts with privilege level 15 and that you also know the enable password/secret.
I hope this helps!
Thank you for evaluating useful messages!
-
Why is this SSID not visible from my laptop?
Cisco Aironet 1200 installed on the test network. My laptop is picking up the signals emitted by the 3 other access points, but not the 'TEST' one.
Please find attached the access point running-config. Can you help me and advise why this SSID is not visible?
I am aware that the Cisco ACS/AAA configuration portion may have to be fine tuned as well, but whatever the configuration of my ACS, I should still be able to see the SSID broadcast on my laptop, isn't that right?
Under your SSID on the dot11radio 0 interface, add the 'guest-mode' command. This makes the SSID be broadcast in beacons so that your client can see it.
-
Hi all
I notice that logging in on the vty lines is very slow. Does anyone know what can cause this and how to fix it?
Thank you
DOH, my bad. My eyes read 'vty'. My mind read 'console'. Please ignore my previous post.
So is it slow through the console as well, or only via SSH?
Is this new router configured to use any external AAA, such as a RADIUS or TACACS+ backend? Can you post the 'show version' and the AAA configuration bits, if any?
Can you run 'show proc cpu sorted' while it is slow?
-
SNS... automatic or manual registration?
Hello
If I want to add elements to my network and I also want them to authenticate on an ACS server, must the full registration in ACS be done manually, or is it done just by changing my aaa config on the router? ...thanks
Both. You must change the "Network Configuration" in ACS first (to avoid bad surprises!), then the aaa configuration in the router.
Serhat