AAA Configuration

Hello

Can someone help me? I'm trying to implement RADIUS authentication for my Cisco routers and switches. Could someone give me some configuration examples or tips on how to point my switches and routers at a RADIUS server and try RADIUS authentication first, using a locally configured account only if RADIUS fails?

I tried the following configuration, but I am not sure if it is correct:

aaa new-model
aaa authentication login default group radius local
aaa accounting network default start-stop group radius
radius-server host 10.132.100.1 auth-port 1812 acct-port 1813 key ciscosecure
radius-server retransmit 3

Thank you

Fernanda

Hi Fernanda,

Your setup seems to be OK.

More information you can find here:

http://www.Cisco.com/en/us/products/SW/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7ab.html

I hope it is useful. If so, please rate.

Kind regards

Rafael Lanna
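As an added example (not Fernanda's or Rafael's configuration), here is a complete IOS AAA setup for what the question asks: RADIUS is tried first, the local database is used only when no RADIUS server answers, and the console gets its own local-only list so a dead RADIUS server never locks out the physical console. The server group name, source interface, account names, secrets and the RADIUS key are assumptions.

```cisco
! Added example: RADIUS is asked first; the local database is consulted only
! when no RADIUS server answers. An Access-Reject from RADIUS is final and
! does NOT fall through to "local", so fallback never admits a rejected user.
aaa new-model
!
! Local fallback account and enable secret (names and secrets are placeholders).
username admin privilege 15 secret <strong-local-secret>
enable secret <strong-enable-secret>
!
! Server group; address, ports and key are placeholders.
aaa group server radius RAD-SRV
 server 10.132.100.1 auth-port 1812 acct-port 1813
!
radius-server host 10.132.100.1 auth-port 1812 acct-port 1813 key <shared-secret>
! Source the requests from one stable interface so the server's client entry matches.
ip radius source-interface Vlan100
! Declare a silent server dead after 3 retransmits x 5 s and skip it for 10 min.
radius-server retransmit 3
radius-server timeout 5
radius-server deadtime 10
!
! Default login list: group first, local only on server timeout/error.
aaa authentication login default group RAD-SRV local
! Console gets its own local-only list so a dead server never locks it out.
aaa authentication login CONSOLE local
! Enable: RADIUS checks the special user $enab15$, else the local enable secret.
aaa authentication enable default group RAD-SRV enable
! Exec authorization: server, then local DB, then accept already-authenticated users.
aaa authorization exec default group RAD-SRV local if-authenticated
! Session accounting to the same group (exec and network sessions).
aaa accounting exec default start-stop group RAD-SRV
aaa accounting network default start-stop group RAD-SRV
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Test the fallback with the server reachable and then with it unreachable (or with "test aaa group RAD-SRV" on the router) before the change window ends, keeping an existing console session open the whole time.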

Tags: Cisco Security

Similar Questions

  • Cannot console the device after AAA configuration

    I've implemented ISE in my environment, and since configuring my devices to authenticate against the server I have not been able to connect to the devices using the console connection.

    Here is an excerpt of the configuration of the device.

    username administrator privilege 15 password 7 06205F334868591A1004
    aaa new-model
    !
    aaa group server radius ISE_Servers
     server 10.200.1.19 auth-port 1645 acct-port 1646
     server 10.200.2.19 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group ISE_Servers local
    aaa authentication enable default group ISE_Servers enable
    aaa authorization exec default group ISE_Servers if-authenticated local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group ISE_Servers
    aaa accounting connection default start-stop group ISE_Servers
    radius-server host 10.200.1.19 auth-port 1645 acct-port 1646 key 7 0231504919570126581E0754241411585951
    radius-server host 10.200.2.19 auth-port 1645 acct-port 1646 key 7 097B1A1B0B5419151F5C0A670A272B606077
    !
    line con 0
     exec-timeout 0 0
     password 7 1068590B 013142081917
    line vty 0 4
     password 7 096A1E1B1D2347111E1F
     length 0
    line vty 5 15
     password 7 096A1E1B1D2347111E1F
    !

    Any help or advice would be greatly appreciated.

    Thank you

    ISE_Servers is a RADIUS server group name. In fact, you have applied a default method list:

    aaa authentication login default group ISE_Servers local

    Jatin kone
    -Do rate helpful posts-

  • ISE and AAA configuration

    Hi guys,

    I use one ISE server as primary, and Cisco ISE says it has (ACS + NAC) features. I want to activate AAA on the box against the ISE services right now.

    I used ACS earlier and want to configure the same functions here:

    Authentication of devices in ISE when logging in remotely to a switch/router/firewall.

    Authorization of the commands a user can run, controlled by ISE based on the user login.

    Logging of the command details and of user connections and disconnections.

    I have very basic knowledge of ISE, but I used ACS thoroughly.

    Please help with the question above.

    Thanks in advance

    Regards

    You've probably used TACACS+ with your ACS; you cannot migrate this functionality to ISE, as ISE does not support TACACS+. You must keep the device admin stuff on ACS.

  • Cisco ASA 8.3 ldap AAA configuration Microsoft active directory server fails

    Hello

    I'm trying to implement LDAP authentication for remote SSL VPN users, as in the image below:

    When I try the test button and enter a user name and password I get the message "authentication rejected: user not found."

    Why? Please help, I am running out of options here... Thank you very much in advance.

    Use the login DN in the following format:

    [email protected]/ * / _name and let me know how it goes.

    If the suggestion above does not work, then please run 'debug ldap 255' and paste the result here.

    Rgds, jousset

    -Do rate helpful posts-

  • Need help with the configuration of the AAA

    I'm trying to configure AAA on my network devices. I use TACACS+ with an ACS (3.2) server. I have set up two user groups in ACS: one with enable privileges and the other without. I am able to get the AAA configuration to work when telnetting into devices. However, when connecting on the console port, users in the group with enable privileges do not go directly into enable mode as the telnetted users do. How do I solve this problem?

    Hello

    You are not using the following command:

    aaa authorization console

    This command will not be displayed in the help.

    Kind regards

    Vivek

  • Configuration of AAA to include local auth for Console connections

    Recently, during a maintenance window, I found that my AAA configurations are not set up to use local authentication if the AAA server is unavailable. I could use a little help making sure I have the correct configuration. Here is what I set up today:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication enable default group tacacs+
    aaa authorization auth-proxy default group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    tacacs-server host x.x.x.x
    tacacs-server timeout 120
    tacacs-server directed-request
    tacacs-server key

    Good... If you want a fallback option you will need to configure one on your aaa login and enable authentication lines. Throw a 'local' keyword on the end of those, and you will get what you are looking for.

    I'm a little worried that 'console aaa authentication' does not appear in your configuration. It makes me think it will not survive the next reload.

    Are you running the latest revision of your version of IOS?

  • No AAA authentication for switch

    I'm puzzled by my problem. I have a switch on 9 that cannot authenticate with our TACACS+ server. The configuration is the same as on any other switch, but when I try to open a session using the TACACS+ account, access is denied. This is the AAA/TACACS+ configuration on the switch.

    aaa new-model

    aaa authentication login default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group tacacs+ local

    tacacs-server host X.X.33.XX
    tacacs-server key 7 ?

    I deleted the aaa configuration and then reconfigured it, as well as the TACACS+ server information, and still no TACACS+ authentication. I also set the source interface TACACS+ should use, but same result. Any ideas?

    Thank you

    Robert

    Robert,

    Please make sure of the following:

    - The TACACS+ server is accessible from the switch and port 49 is not blocked.

    - If it is a layer 3 switch, then make sure to configure 'ip tacacs source-interface XXXX' (the interface IP set in the TACACS+ server).

    - Check the secret key.

    If the problem is still there, then please get:

    debug aaa authentication

    debug tacacs

    Kind regards

    ~ JG

  • Excluding the lines of Terminal Server in the AAA authentication

    Hi all

    Hope you can help. I'm trying to find a way to exclude only the following line port from AAA authentication (ACS TACACS+) on a Terminal Server card in a Cisco 2600 router. Does anyone know how to do this, or can you point me in the right direction to solve it?

    I've included the output below:

    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    line 41
     session-timeout 20
     location Decoder - XXXXXX XXXXXX BT
     no motd-banner
     no exec-banner
     absolute-timeout 240
     modem InOut
     no exec
     transport input all
     stopbits 1
     speed 38400

    Is it a matter of disabling login on the line, or of using a defined group?

    Thanks a lot for your help.

    Jim.

    Hi Jim

    You may need to create another group for authentication on that line, and set your AAA configuration like this:

    line aux 0
     login authentication aux_auth

    aaa authentication login aux_auth line

    You can also configure a local username/password and map it to the group there...

    Console and telnet would still use the configured default group, or you can specify specific groups:

    line con 0
     login authentication console

    line vty 0 4
     login authentication vty

    and specify the aaa authentication settings individually...

    I hope this helps... all the best

    REDA
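    As an added example (not Jim's or REDA's configuration), one way to take the terminal-server async lines out of TACACS+ while the default lists stay on everything else: a named list that checks only the line password is applied to that line range. The line range, the line password and the list names are assumptions.

```cisco
! Added example: the default lists (TACACS+, then local) stay on console/vty;
! only the terminal-server async lines use a named list with the line password.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Named list for the terminal-server lines: line password only, no TACACS+.
! "none" would disable login on those lines entirely; "line" keeps a password.
aaa authentication login TS_LINES line
! These lines run "no exec", so exec authorization is moot; attach an explicit
! "none" list anyway so the default exec list is not applied to them.
aaa authorization exec TS_LINES none
!
! Assumed async line range of the terminal-server card (line 41 is one of them).
line 33 48
 password <line-password>
 login authentication TS_LINES
 authorization exec TS_LINES
 no exec
 transport input all
 session-timeout 20
 absolute-timeout 240
!
! Console and vty keep the default lists; nothing to apply explicitly.
line con 0
line vty 0 4
 transport input ssh
```

    Reverse-telnet connections to those lines are then challenged for the line password only, while every console and vty login still goes to TACACS+ with local fallback.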

  • Confusion of the AAA

    In the AAA configuration guide it says you must apply the method list to lines and interfaces, but if I use 'aaa authentication login' it apparently applies the authentication method to all login methods anyway?

    Is it because I'm using a default method list, and I only need to apply defined method lists to interfaces or lines? But as I don't have any, the default is used.

    When we use default, it is applied to all lines. If no method list is defined on the interface, the default will take effect.

    Kind regards

    ~ JG

  • Problem with MS IAS and AAA

    I am doing an AAA configuration. I'm setting up a router so that when users access it via the vty lines, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test aaa group AUTH administrator xxxxxxx legacy' it gives the following error:

    Attempting authentication test to server-group AUTH using radius

    *Mar 1 01:01:04.991: AAA: parse name=<no string> idb type=-1 tty=-1

    *Mar 1 01:01:04.991: AAA/MEMORY: create_user (0x6417FF80) user='Administrator' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)

    No authoritative response from any server.

    RTR#

    *Mar 1 01:01:23.647: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.16.1.243:1812,1813 is not responding.

    *Mar 1 01:01:23.655: AAA/MEMORY: free_user (0x6417FF80) user='Administrator' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)

    *Mar 1 01:01:23.655: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.16.1.243:1812,1813 is being marked alive.

    I also used the default ports for authentication, but still no use. I am able to ping the RADIUS server from the router and can ping the router from the RADIUS server.

    The RADIUS server is installed in VMware Server and the router is emulated in Dynamips.

    Here is the configuration of the router

    RTR#sh run

    Building configuration...

    Current configuration : 863 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RTR
    !
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    !
    aaa group server radius AUTH
     server 172.16.1.243 auth-port 1812 acct-port 1813
    !
    aaa authentication login AUTH group radius
    !
    aaa session-id common
    memory-size iomem 5
    !
    ip cef
    !
    interface Loopback1
     no ip address
    !
    interface FastEthernet0/0
     ip address 172.16.1.241 255.255.255.0
     duplex auto
     speed auto
    !
    ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 172.16.1.1
    !
    ip radius source-interface FastEthernet0/0
    !
    radius-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx
    !
    control-plane
    !
    line con 0
    line aux 0
    line vty 0 4
     login authentication AUTH
    !
    end

    Do you see any hits in the 2003 event logs? If not, the request is not reaching the RADIUS server.

    Do not forget that Dynamips sometimes shows abnormal behavior. Since you are able to ping, connectivity seems to be just fine here.

    Check the shared secret key, make sure that the RADIUS ports are open, and check whether there is a firewall between the two.

    Kind regards

    ~ JG

  • AAA with RADIUS of ASA

    Hey everybody,

    I'm doing an AAA configuration with RADIUS on our remote ASA firewalls. It's pretty simple, but I have some firewalls it does not work on. I upgraded the IOS image on the ASA 5510s to asa804-k8.bin on each of them. The weird part is that some of them work and some of them do not.

    I was wondering if anyone else has encountered this before and what information do you need to give me a reference to help.

    Thanks in advance,

    Kimberly

    Hi Kimberly,

    just curious: why 8.0.4 and not 8.0.5?

    What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS servers? Did you use the right shared secret?

    Is there something different between the ASAs that work and those that don't? Configuration, location in the network, etc.?

    If the above does not help, please post the config of a failing ASA (or at least the relevant items, and be sure to remove all sensitive data) and the output of:

    debug radius

    debug aaa authentication

    debug aaa common 254

    You can test only the RADIUS part with the command 'test aaa-server authentication ...'

    HTH

    Herbert

  • Why I can't command show running on cisco switch

    On a single switch, I found that some commands, such as show running-config or copy running-config tftp:, do not work on a Cisco WS-C2960X-24TS-L switch; see below. How can I use those commands normally again? Thank you.

    Building1_FAA_6F_SW3#sh run
    Building configuration...

    Current configuration : 100 bytes
    !
    ! No configuration change since last restart
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    !
    !
    !
    end

    ---------------------------------------------------

    Building1_FAA_6F_SW3#copy running-config tftp:
                            ^
    % Invalid input detected at '^' marker.

    OK, so the information you provided in your latest messages confirms that the privilege level you get via telnet/vty is different from the one you get via the console. This is due to the AAA configuration, which applies to the vty ports but not to the console port.

    So if you want the same rules to apply to the console port, then you must configure the console port for AAA as well.

    If you don't want these rules, then you need to remove the AAA configuration. The best way to remove it is by typing 'no aaa new-model'. However, be careful not to lock yourself out of the unit. Make sure you have local accounts with privilege level 15 and that you also know the enable password/secret.

    I hope this helps!

    Thank you for rating helpful posts!

  • Why this SSID is not visible from my laptop?

    Cisco Aironet 1200 installed on the test network. My laptop is picking up the signals emitted by the 3 other access points, but not the 'TEST' one.

    Please find attached the access point's running-config. Can you help me and advise why this SSID is not visible?

    I am aware that part of the Cisco ACS/AAA configuration may have to be fine-tuned as well, but whatever the configuration of my ACS, I should still be able to see the broadcast SSID on my laptop, isn't that right?

    Under your SSID on the Dot11Radio 0 interface, add the 'guest-mode' command. This allows the SSID to be included in beacons so that your clients can see it.

  • Slow speed on line vty

    Hi all

    I notice the vty lines are too slow. Does anybody know what can cause this and how to fix it?

    Thank you

    DOH, my bad. My eyes read 'vty'; my mind read 'console'. Please ignore my previous post.

    So is it slow through the console as well, or only via SSH?

    Is this new router configured to use any external AAA, such as a RADIUS or TACACS+ backend? Can you post 'show version' and the AAA configuration bits, if any?

    Can you run 'show proc cpu sorted' while it is slow?

  • SNS... automatic or manual registration?

    Hello

    If I want to add elements to my network and I also want them to authenticate on an ACS server, must the full registration in ACS be done manually, or is it done just by changing my aaa config on the router? ...thanks

    Both. You must change "Network Configuration" in ACS first (so you don't have bad surprises!), then the aaa configuration in the router.

    Serhat
