AAA feature

Hi all

Could you tell me whether AAA is a feature of all versions of IOS, or only of the IOS Firewall (IOS-FW) images?

Thank you

Marco

AAA is available in all versions of IOS.

You may need the FW image or higher if you need authentication proxy for HTTP accounts.

Tags: Cisco Security

Similar Questions

  • EEM to bypass AAA

    Dear all,

    I'm running into a problem with an old IOS and an EEM script, as I can't work around AAA.

    So I have a script that needs to enter config mode and shut down an interface if an event occurs. Writing the script is not a problem.

    But making it work is! We have TACACS+, and to make it work on the router I need an authenticated user, or I have to log in to the router in a way that bypasses TACACS+.

    The IOS does not support the known EEM 3.1 feature (event manager applet ... authorization bypass).

    I did the script and the workaround by putting in place the configuration indicated below:

    !
    aaa authentication login EEMScript local
    aaa authentication enable default none
    aaa authorization exec EEMScript none
    aaa authorization commands 0 EEMScript none
    aaa authorization commands 1 EEMScript none
    aaa authorization commands 15 EEMScript none
    !
    username EEMScript privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    !
    line vty 0 2
     exec-timeout 1 0
     privilege level 15
     authorization commands 0 EEMScript
     authorization commands 1 EEMScript
     authorization commands 15 EEMScript
     authorization exec EEMScript
     login authentication EEMScript
     length 0
     transport input none
     transport output none
    !
    event manager session cli username EEMScript

    However, in this case the problem is that if I connect to this router I am connected to vty 0, which means I can't be authenticated by TACACS+, as it isn't set on vty lines 0-2. Which means the router becomes unmanageable...

    On the other hand the solution works! Because if I'm not connected, the script will use vty 0 by default, which as you see is 'properly' set up not to use AAA. But it needs a little modification.

    That's the real question:

    Can I force my EEM script to use a specific vty line, say vty 20, which I will never use?

    The best solution or ideas would be appreciated!

    "HW is 1841 - c1841-advipservicesk9-mz.124-17.bin".

    Once attempts fall over from the RADIUS server group, how can you set a timer on the method list to be restored from the local user database?

    A problem I see is that the ACS server crashes and is reachable by IP, but it doesn't respond with an accept or reject. Therefore, no one is able to connect to any device.

    Thank you!

  • AAA support on IPS modules

    Hello

    Does anyone know if/when AAA support will be added to the IPS software?

    Thank you

    Andrew.

    Not a technical reason; just a matter of resources.

    Not enough engineers to do all the features that should be a priority for each version. AAA has not made it to the top of the priority list at the moment.

  • PIX 6.3, aaa accounting

    Hello

    I'm trying to understand the following command:

    "aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 TACACS+".

    (1.1.1.1 is a host, 2.2.2.2 is the PIX)

    I think I get 'include' (create a new rule) and "tcp/0" (the rule applies to all TCP ports).

    But 1.1.1.1 (which the PIX 6.3 doc calls local_ip: "host or network of hosts that you want to be authenticated or authorized"), I think it would be the clients. Is this right?

    And 2.2.2.2 (called foreign_ip) is not clear at all. The doc calls foreign_ip "hosts you want to access the local_ip address". As I have defined 2.2.2.2 as the PIX, it seems the PIX is accessing the clients. Yet if I flip the IP addresses, I get the PIX box as the one I want authenticated, which doesn't seem right...

    I'm probably completely missing what circumstances this would be used for. On my network, at present all we use AAA for is telnet login and the commands that are run on the devices, but I know that AAA is also used to allow users access to various things...

    (the doc I'm looking at is http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a3.html#wp1073208)

    TIA - Linnea

    You guessed it!
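    To make the local_ip/foreign_ip roles concrete, here is a small added example (not code from this thread, from Cisco, or from the PIX) that models how a PIX 6.3 `aaa accounting include` rule is matched against a session. It follows the command reference cited in the post: local_ip/local_mask is the host or network on the named interface whose sessions are accounted (the clients), foreign_ip/foreign_mask is the destination they reach, and `tcp/0` covers every TCP port. The "an exclude rule overrides an include rule" ordering and the sample flows are this example's own assumptions.

```python
"""Model of PIX 6.3 `aaa accounting include|exclude` rule matching.

Added example, not from the thread. Assumptions: local_ip is the client
side on the named interface, foreign_ip the destination side, port 0 is
any port, and a matching exclude rule overrides a matching include rule.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AaaRule:
    action: str                          # "include" or "exclude"
    proto: str                           # "tcp", "udp", ...
    port: int                            # 0 means any port
    interface: str                       # interface the clients sit behind
    local_net: ipaddress.IPv4Network     # clients (local_ip/local_mask)
    foreign_net: ipaddress.IPv4Network   # destinations (foreign_ip/foreign_mask)
    server_tag: str                      # AAA server group tag


def parse_rule(line: str) -> AaaRule:
    """Parse 'aaa accounting include|exclude svc/port iface lip lmask fip fmask tag'."""
    tokens = line.strip().rstrip(".").split()
    if (len(tokens) != 10 or tokens[:2] != ["aaa", "accounting"]
            or tokens[2] not in ("include", "exclude")):
        raise ValueError("unsupported rule: " + line)
    proto, port = tokens[3].split("/")
    return AaaRule(
        action=tokens[2],
        proto=proto.lower(),
        port=int(port),
        interface=tokens[4],
        # (address, netmask) tuples; strict=False tolerates host bits in a network rule
        local_net=ipaddress.IPv4Network((tokens[5], tokens[6]), strict=False),
        foreign_net=ipaddress.IPv4Network((tokens[7], tokens[8]), strict=False),
        server_tag=tokens[9],
    )


def rule_matches(rule: AaaRule, src: str, dst: str, proto: str, dport: int) -> bool:
    """A session from src (client side) to dst matches if protocol, port and both address ranges fit."""
    if proto.lower() != rule.proto:
        return False
    if rule.port != 0 and rule.port != dport:
        return False
    return (ipaddress.IPv4Address(src) in rule.local_net
            and ipaddress.IPv4Address(dst) in rule.foreign_net)


def is_accounted(rules, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if the session would be reported to the AAA server for accounting."""
    hits = [r for r in rules if rule_matches(r, src, dst, proto, dport)]
    if any(r.action == "exclude" for r in hits):
        return False
    return any(r.action == "include" for r in hits)


# The rule from the post, with the addresses used there.
RULES = [parse_rule(
    "aaa accounting include tcp/0 inside 1.1.1.1 255.255.255.255 "
    "2.2.2.2 255.255.255.255 TACACS+")]

if __name__ == "__main__":
    # Constructed sample sessions: client -> PIX, reversed direction, and UDP.
    for flow in [("1.1.1.1", "2.2.2.2", "tcp", 23),
                 ("2.2.2.2", "1.1.1.1", "tcp", 23),
                 ("1.1.1.1", "2.2.2.2", "udp", 53)]:
        print(flow, "accounted" if is_accounted(RULES, *flow) else "not accounted")
```

    Run it as-is: only the TCP session from the client 1.1.1.1 towards 2.2.2.2 is accounted; flipping the addresses, as the post tried, no longer matches because the PIX's own address is not in the local_ip range.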

  • Free RADIUS for the AAA authorization

    Hello

    Is there a free/open-source RADIUS implementation that would work with Cisco's AAA authorization and accounting features?

    I don't know if FreeRADIUS would do authorization?

    Thank you, Naman

    Try freeRADIUS (www.freeradius.org).

    It can handle all of the basic certificate-oriented EAP authentication.

    Good luck

    Scott

  • Configuration guide for Cisco Context Directory Agent (CDA) and AAA (on ASA)

    Hello

    I would like to set up and test AAA on a Cisco ASA (5505 or 5510).
    1. Are there any other tools or servers required to use this feature? And do you have good configuration guides?

    I already tested Cisco's CDA. It was able to show Active Directory users and their IP equivalents.
    2. Do you have a brief explanation of what kind of possibilities I have with this server/tool? Is it perhaps usable for the AAA mentioned on the ASA?

    Thanks in advance

    Best regards

    1. Yes, you need a RADIUS server like Windows Server NPS, or a RADIUS server such as Cisco ACS/ISE.

    2. It is just a man in the middle for the AD; you will always need an AAA server: RADIUS or TACACS (see #1).

  • AAA w/RSA: "no type of permission..."

    I've set up a router and a switch for AAA using an RSA RADIUS server. Both are RSA 'Agent hosts' with identical configurations. The router (2621XM/EntServ Version 12.4(18)) and the switch (3560-24PS/IPBase 12.2(25)SEB2) have identical AAA configs, and RADIUS/RSA is fine as far as the passcode being accepted. But the switch won't let me in:

    **********************

    User name:

    Password:

    PASSWORD accepted

    % Failed authorization.

    **************************

    When I do "deb radius authentication" on each, the outputs are the same until the last 2 lines. The router, which works, says:

    000055.: Jan 16 12:22:51 CEST: RADIUS (00000005): receipt of id 1645/3

    000056:. Jan 16 12:22:51 IS: RADIUS/DECODE: fragments of response Message, 19, total 19 bytes

    But the switch says:

    000284: Jan 16 12:20:47 UTC: RADIUS: saved the authorization for user 3030220 to 3034440 data

    000285: Jan 16 12:20:47 UTC: RADIUS: no type of permission for the user.

    The only other difference I can think of is that I use ssh for the router and telnet for the switch (IPBase apparently no habla "crypto"; I could use another IOS, I think.)

    Any clue? TIA

    Paul

    If I were you, I would 'disable' authorization on the Catalyst 3560. I have an identical setup like yours on my Catalyst 2960 and it works very well. See below:

    [[email protected] / * / root] # telnet 192.168.0.5

    192.168.0.5 by train...

    Connected to 192.168.0.5 (192.168.0.5).

    [Escape character is ' ^]'.

    C

    *****************

    User access audit

    Username: test4

    Password:

    Enter your new PIN, containing 4-8 digit.

    or

    to cancel the procedure of the new PIN:

    Please re - enter new PIN code:

    Wait for the code on your card to change, and then sign in with the new PIN code

    Enter the PASSWORD:

    C2960#sh ver

    Cisco IOS software, software C2960 (C2960-LANBASEK9-M), Version 12.2 (25) SEE4, RELEASE SOFTWARE (fc1)

    Copyright (c) 1986-2007 by Cisco Systems, Inc.

    Updated Tuesday 16 July 07 02:53 by myl

    Image text-base: 0 x 00003000, database: 0x00CC0000

    ROM: Bootstrap program is C2960 boot loader

    BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) 12.2 (25r) the SEE1, release SOFTWARE (fc1)

    C2960 uptime is 2 weeks, 6 days, 14 hours, 10 minutes

    System to regain the power ROM

    System restarted at 23:20:30 GMT Wednesday, December 26, 2007

    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"

    This product contains cryptographic features and is under the United States

    States and local laws governing the import, export, transfer and

    use. Delivery of Cisco cryptographic products does not imply

    third party approval to import, export, distribute or use encryption.

    Importers, exporters, distributors and users are responsible for

    compliance with U.S. laws and local countries. By using this product you

    agree to comply with the regulations and laws in force. If you are unable

    to satisfy the United States and local laws, return the product.

    A summary of U.S. laws governing Cisco cryptographic products to:

    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you need assistance please contact us by mail at

    [email protected] / * /.

    processor of WS-C2960G-24TC-L (PowerPC405) Cisco (revision B0) with 61440K / 4088K bytes of memory.

    Card processor ID FOC1036X0F1

    Last reset of tension

    2 virtual Ethernet interfaces

    24 gigabit Ethernet interfaces

    Password recovery mechanism is activated.

    64K bytes of memory simulated by flash not volatile configuration.

    Basic Ethernet MAC address: 00:19:55:1 B: D6:00

    Number of the motherboard: 73-10015-05

    Power supply part number: 341-0098-02

    Motherboard serial number: FOC10352NF2

    Power supply serial number: AZS103402ZF

    Revision number of the model: B0

    Motherboard revision number: B0

    Model number: WS-C2960G-24TC-L

    System serial number: FOC1036X0F1

    Top Assembly part number: 800-26673-02

    Top of page revision number of the Assembly: C0

    Version ID: V02

    CLEI Code number: COM3G00BRA

    Revision number of hardware consulting: 0x01

    SW Version SW Image model switch ports

    ------ ----- ----- ---------- ----------

    * 1 WS-C2960G-24TC-L 12.2 24 (25) SEE4 C2960-LANBASEK9-M

    Configuration register is 0xF

    C2960#sh run | inc aaa
    aaa new-model
    aaa authentication login test group radius local
    aaa authentication login test1 group tacacs+ local
    aaa authentication login notac local
    aaa authentication dot1x default group radius
    aaa session-id common
    C2960#

    CCIE Security

  • AAA accounting records to the RADIUS server

    I'm trying to enable command accounting records to be sent to my ACS server on all my devices. I enabled command accounting for each privilege level to track who types what on my devices. Now the problem is that the records are not displayed in my ACS accounting reports; I get everything except the records for the typed commands. Any suggestions on what command to put on my devices to enable this feature...?

    http://Forum.Cisco.com/eForum/servlet/NetProf?page=NetProf&Forum=security&topic=AAA&TopicId=.ee6e1fe&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfe9b8

    Read up on it. It points you to a patch for a 4.1 setup, which I assume you are using.

    See you soon

  • AAA to bypass the enable password on the Cisco ASA

    Hi all. I'm having a problem where I get authenticated by the AAA server, but after authentication I am placed in user mode. The AAA admin (I have no access to the AAA server) told me that he has all the users configured with privilege level 15, which takes them directly into privileged mode on routers.

    My question is how I can configure my Cisco ASA to get around having to use an enable password. See my configuration below:

    aaa-server MYGROUP protocol tacacs+
     max-failed-attempts 4
    aaa-server MYGROUP (inside) host 2.2.2.2
     timeout 3
     key *
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    It looks like you want to land directly in privileged exec mode. This feature is not supported by the ASA; it is only possible on IOS devices.

    Rgds, jousset

    Please rate useful posts.

  • AAA using microsoft IAS

    Hi all

    I'm looking for a little guidance. Apologies if I'm not following the correct procedure, but I am a newbie to CSC, so feel free to let me know if I'm not posting my question correctly. I'm a network administrator for a medium-sized company, running a variety of Cisco devices. Currently, all we have is local username/password authentication on the devices.

    I have been put in charge of coming up with an AAA solution so that we can control who gets access to devices and what level of access they get, with logging of who did what. In the current climate we will not get the money to buy ACS or something similar, so my question is this.

    Can Microsoft IAS (Internet Authentication Service) provide me with a decent AAA solution?

    What I really want to do is allow network administrators full access to devices (privilege 15) and help desk staff some cut-down low level of access (still to be defined), with authentication occurring via Active Directory.

    From what I read, the authentication part isn't too hard, but I want to bring authorization and accounting into the solution as well.

    Can someone give me a starting point, or the benefit of their experience?

    Thank you very much

    Tom

    Hi, Tom.

    IAS can be used. There are a number of threads on the CSC forums about AAA with IAS.

    But IMHO, if the Cisco products are not an option because of the money, better turn to FreeRADIUS.

    If your bosses are still considering the budget, you can try the evaluation version of ACS (all features, free) and if you love it, try to convince them to buy a normal one.

    Also, you can look at ACS Express; it should also meet your needs.

    Cheers, iron

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Bulk import of AAA clients on ACS SE

    Hi all, I know that there is a bulk AAA client import feature in ACS, using a CSV file and csutil.exe. Is there a way to do this on an ACS Solution Engine? Some tell me there is a way to do it via FTP; is that right? Thanks in advance, Michael

    Not as far as I know, but rather than define each AAA client individually, why not define them in groups using wildcards in the IP addresses, for example 192.168.10.*.

  • ACS 4.2 internal DB replication - does not replicate the AAA clients

    I'm trying to set up a new ACS 4.2 server. ACS is installed, a replication partner is configured, etc. Master and new slave both run ACS 4.2(0) Build 124. (Master shows 'Patch 12', slave shows no patch info)

    Replication settings on the new ACS server are identical to those on my current secondary ACS server, which receives replicated data correctly.

    Problem: I manually replicate the master ACS server to the new ACS server. Logs on both servers show a successful replication. Users, user groups and network device groups (NDG) all replicate correctly. However, there are zero devices in each of the NDGs.

    Master is set to send, new slave set to receive:

    User and group database

    Network device Configuration tables

    WBS

    Configuration of the interface

    Interface security settings

    Password validation settings

    I also tried replicating the network access profiles instead of the Network Device Configuration tables. Still no AAA clients in the NDGs.

    I need my AAA clients replicated. Should I be replicating different or additional components? Am I missing some setting elsewhere in ACS?

    Hello

    Please apply patch 12 on slave ACS as well.

    Try the replication and let me know the results.

    Also, under Network Configuration do you see the NDG name? Or just no AAA clients under each NDG?

    Kind regards

    Anisha

  • Restricting access via AAA auth group for AnyConnect IKEv2

    Hello world

    I have an ASA configured with 2 connection profiles (groups).

    Say Group 1 and Group 2.

    Both are currently assigned to the same AAA auth group.

    One of our external suppliers has access to both connection profiles 1 and 2 via XM...

    If I want the vendor to only be able to connect to Group 2, should I change the AAA auth group for connection Group 2?

    Then, even if he tries connection Group 1 it should not work, as the AAA auth group will only affect Group 2, right?

    Regards

    Mahesh

    Mahesh

    If you have a single authentication server (or a pair of servers operating in HA), then it would seem that the vendor would be authenticated for any group they try to access.

    I have a client who was using the group lock function to accomplish something similar to what you describe. They used RSA two-factor authentication as you do. They had the ASA send the authentication request to a RADIUS server. The RADIUS server would send the ID and the code entered to the RSA to do the two-factor authentication, and the RADIUS server would also query Active Directory to learn about the user's group membership. The RADIUS server would then return the results of the RSA and AD lookups to the ASA, which would use the group lock feature to ensure that the user entered the right group. Maybe something like that might work for you?

    HTH

    Rick

  • AAA router Config

    I found the following config on one of the routers. The AAA servers are defined twice, in a group as well as individually. Can we remove that?

    aaa group server tacacs+ mytacgrp
     server X.X.80.55
     server Y.Y.126.50

    aaa authentication login default group tacacs+ local
    aaa authentication login relief group tacacs+ enable
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default stop-only group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common

    tacacs-server host X.X.80.55
    tacacs-server host Y.Y.126.50
    tacacs-server directed-request
    tacacs-server key 7 XXXXXXXXXXXX

    The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

    You use the global "tacacs+" server group, so

    aaa group server tacacs+ mytacgrp can be deleted (it's unused).

    If you had, for example, 'aaa authentication login default group mytacgrp local', you would be using it. What's more, this group has exactly the same servers as the global one, so it is not necessary.

    Regards

    Przemek
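    The two audit questions that recur in this thread and in the RADIUS fallback and PIX posts above (is a named server group referenced by any method list, and does each login/exec list still let an administrator in when the AAA servers are unreachable) are easy to check mechanically. The script below is an added example, not code from this thread or from Cisco: it parses IOS `aaa group server`, `aaa authentication`, `aaa authorization` and `aaa accounting` lines from a constructed config in the same shape as the one posted, reports groups that no method list uses, and flags authentication/authorization lists whose method chain has no local, enable, line or none fallback. The set of methods treated as fallbacks and the sample addresses are this example's assumptions.

```python
"""Audit IOS AAA method lists for unused server groups and missing fallback.

Added example, not from the thread. Assumptions: only `aaa group server`,
`aaa authentication|authorization|accounting` lines are parsed, and
local/local-case/enable/line/none count as fallback methods.
"""
import re

# Constructed sample, same shape as the router config in the post (addresses are RFC 5737).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ mytacgrp
 server 192.0.2.55
 server 192.0.2.50
aaa authentication login default group tacacs+ local
aaa authentication login backup group tacacs+ enable
aaa authentication login strict group tacacs+
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
tacacs-server host 192.0.2.55
"""

FALLBACK_METHODS = {"local", "local-case", "enable", "line", "none"}
ACCOUNTING_RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}


def _split_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Return (groups, lists): groups maps name -> servers,
    lists is a list of (kind, service, list_name, methods) in file order."""
    groups, lists, current = {}, [], None
    for line in config.splitlines():
        m = re.match(r"aaa group server (?:radius|tacacs\+) (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if line.startswith(" ") and current is not None:   # inside a group block
            m = re.match(r"\s+server(?: name)? (\S+)", line)
            if m:
                groups[current].append(m.group(1))
            continue
        current = None                                      # any top-level line ends the block
        t = line.split()
        if len(t) < 4 or t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
            continue
        kind, service = t[1], t[2]
        if service == "commands" and len(t) > 4:            # 'commands <level> <list> ...'
            service, name, rest = "commands " + t[3], t[4], t[5:]
        else:
            name, rest = t[3], t[4:]
        if kind == "accounting" and rest and rest[0] in ACCOUNTING_RECORD_TYPES:
            rest = rest[1:]                                 # drop start-stop / stop-only / ...
        lists.append((kind, service, name, _split_methods(rest)))
    return groups, lists


def unused_groups(groups, lists):
    """Named server groups no method list references (the point made in the answer above)."""
    used = {m.split()[1] for _, _, _, ms in lists for m in ms if m.startswith("group ")}
    return sorted(g for g in groups if g not in used)


def lists_without_fallback(lists):
    """Authentication/authorization lists that lock you out when every AAA server is down."""
    return [f"{kind} {service} {name}"
            for kind, service, name, ms in lists
            if kind in ("authentication", "authorization") and ms and not set(ms) & FALLBACK_METHODS]


def audit(config):
    groups, lists = parse_aaa(config)
    return {"unused_groups": unused_groups(groups, lists),
            "no_fallback": lists_without_fallback(lists)}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

    On the sample, `mytacgrp` is reported as unused because every list names the built-in `tacacs+` group, exactly the situation in the post, and the `strict` login list and the exec authorization list are flagged because neither has a local or enable method after `group tacacs+`.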

  • PIX, PDM and AAA issues

    I have a PIX 520 in the lab running 6.3.3 and PDM 3.0. I am testing AAA authentication and authorization against our ACS server and running into problems.

    I have two groups set up on our ACS server. One group can be accessed freely; the other group is set up with a shell command authorization set that limits commands so that they can view the running-config and a few other things. Users of both groups can connect to the PDM or SSH/telnet/serial into the unit and are authenticated and authorized correctly.

    The configuration below works fine, until I pull the ACS server off the network. Because there is no backup authentication or command authorization method, I am dead in the water. When this happens I can still connect via the serial console using the 'pix' username and the enable password; I just cannot run the 'enable' command to reach privileged mode, or any other command besides. (I get a command authorization error.)

    Here's a current configuration:

    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (inside) host 1.2.3.4 123456 timeout 5
    aaa authentication telnet console TACACS+
    aaa authentication ssh console TACACS+
    aaa authentication serial console TACACS+
    aaa authentication enable console TACACS+
    aaa authentication http console TACACS+
    aaa authorization command TACACS+

    Is it possible to set up a backup method for authentication and command authorization? If not, is there any other way around the problem I'm running into?

    Let me know if you need more info. Thank you!

    Hello

    Sorry, I missed this earlier. There is a gap on the PIX for this, and we have an open enhancement request to add multiple authorization methods to the PIX: CSCea04538. At this point, your best bet is to bug your account team to get this feature added to upcoming PIX code. Sorry for the inconvenience.

    Scott
