AAA problem

I have aaa server can be used to authenticate my router and switches, but all of a sudden when I tried to connect to some of my routers using ACS accounts I received this message "%1 is not a connection open" but when I remove the authentication using GBA, I can log on locally smothly with no problems

Hi Amira,

Yes, I can see this coming in your authorization Ganymede answer and I don't know why we push this value in autocmd. Also mark this thread resolved so that the other can take advantage out of it, in which case they are facing the same problem.

have a blessed day.

Jatin kone

-Does the rate of useful messages-

Tags: Cisco Security

Similar Questions

AAA problem when WAN is offline now

Hi all

I have a problem at the moment by connecting to a router while the Wan is offline. GANYMEDE + works fine when the Wan is in place, but when its down I get invited to a password that I enter and then get authorization failed...

Here is the config of AAA

AAA of default login authentication group Ganymede + activate

AAA authorization config-commands

AAA authorization exec default group Ganymede +.

AAA accounting exec default start-stop Ganymede group.

orders accounting AAA 1 by default start-stop Ganymede group.

orders accounting AAA 15 by default start-stop Ganymede group.

AAA accounting network default start-stop Ganymede group.

Default connection accounting AAA power Ganymede group.

AAA accounting system default start-stop Ganymede group.

Specifying the premises as a backup for authorization method may work around this problem, but no it does not require that the local user IDs and passwords be configured? Because the authentication connection did not use identifiers the as backup, I wonder about the logic to do it for approval. I had good success by configuring the authorization like this:

AAA authorization exec default group Ganymede + authenticated if

which will bypass authorization of transformation if GANYMEDE is not available and the user has been authenticated successfully.

HTH

Rick

AAA problem in access to the switch console

Hi all

I have configured the aaa as orders below:

RADIUS-server host xxxxxx
RADIUS-server application made
RADIUS-server key xxxxxx

AAA new-model

AAA new-model
AAA authentication login default local
AAA authentication login techop group Ganymede + local
the AAA authentication enable default group Ganymede + activate
AAA authorization exec default group Ganymede + local
AAA authorization commands 1 default group Ganymede + local
AAA authorization commands 15 default group Ganymede + local
AAA accounting exec default start-stop Ganymede group.
only AAA 1 default stop accounting controls group Ganymede +.
accounting AAA commands default 15 stop only Ganymede group.
AAA - the id of the joint session

line vty 0 15
connection of authentication techop

GANYMEDE works fine for ssh, but when I am trying to switch console
I am able to connect in exec mode but when go ask password enable
the switch does not take any password (either Ganymede or local credentials).
I am also able to connect via console by powers exec mode the
and not by the credentials of the RADIUS server.

Temp > en
password:
% Authentication failure.

Hey,.

Please share:

Debug aaa authentication

Debug aaa authorizarion

debugging Ganymede +.

Concerning

Ed

ASA VPN with ISE and different backends WBS for authentication

Hello

I have an AAA-problem I hope to have a few problems help.

The problem ultimately is: how the ASA via ISE send Radius Access requests to different given OTP backends provided a connection to a certain group of Tunnel.

BACKGROUND:

I'll try to give you a brief picture of the scenario, this is what I currently have.

A VPN system (ASA 8.4 (4)) where I let my users to choose among 3 different methods of authentication being

(1) certificate (on chip card)

(2) token - token of the OTP (One Time Password provided via the smartphone application: using pledge of Nordic OTP-Edge transport server)

(3) SMS - OTP token (Nordic OTP - Edge transport server SMS OTP)

The choice corresponds to different groups of profiles/Tunnel connection.

Today, all authentication requests go directly to the OTP server and authorization goes directly to the AD via LDAP.

THE PROBLEM:

The problem occurs when I try to put in the ISE in the mixture.

What I obviously (?) would like to do is have all the network authentication/authorization to go through my ISE platform to take advantage of a centralized administration, monitoring etc.

Again I would need to use data bases different backend such as AD and Nordic OTP - Edge server, but then mandated by ISE.

For me to be able to know what back-end AAA to the proxy system, to somehow be able to distinguish the incoming Radius Access-requests.

WHAT WE CALL:

At the time of the ASA 8.4.3 Radius access request contains 2 new attributes, the name of Group of Tunnel and the Type of customer, when a VPN user connects.

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187

QUESTION:

The seams, that I can achieve what I want by looking at the access request attribute Radius "Tunnel Group Name" and forward my request to different backends OTP for the authentication part therefore in theory. But, how do I actually go ahead and set that up in ISE?

I don't see this attribute when I look at the details of Radius Authentication for an authentication AAA of the ASA at the ISE.

Best regards

/ Mattias

I think you can hit the following problem:

CSCtz49846: ISE does not match the condition with VPN 146 Tunnel-Group-Name attribute

This issue is not specific to this attribute, as shown in the solution shown in the accompanying note

Workaround

Ensure that the attribute name does not include a '.' character. This also applies to some of the existing attributes in the dictionary of Cisco-VPN300. Attribute names should be changed so that they do not include a "." character.

Problem of AAA in ASA

Hi all

I had configured Ganymede on ASA, but the problem is when I m try to Telnet it authenticates me with my username & password on ACS, but I can't pass the privilege level 15 such that configured on ACS. Its asking me to activate password n not taking password is the GBA. I used the authorization of Shell for privilege 15. Done on ASA configuration is:

name 172.30.xx.xx DCC-1

name 172.30.yy.yy DCC-2

Ganymede + Protocol Ganymede + AAA-server

AAA-server Ganymede + host DCC-1

Cisco key

AAA-server Ganymede + host DCC-2

Cisco key

AAA authentication telnet console Ganymede + LOCAL

AAA authentication telnet console Ganymede + Ganymede +.

the AAA authentication console ssh Ganymede + LOCAL

AAA authentication enable console LOCAL + Ganymede

activate the encrypted password of V3VzjwYzTRfTLwOb

activate the encrypted password of V3VzjwYzTRfTLwOb

piyush vkCzRtKCaNG.HI6s encrypted privilege 15 password username

ideanoc encrypted S0qrUlXOHFcX7LCw privilege 15 password username

Even added my user name & password in the local data base on ASA as on ACS. Still no progress...

Can all give his suggestion on the same.

Kind regards

Piyush

I ask not for the level of private shell 15 but enable privileges. Which must be set to 15 GBA---> user configured---> options enable---> Max privilege for any customer AAA--> 15

AAA authorization problem

I have the following Setup on my way...

AAA new-model

AAA authentication login default group Ganymede + local

authentication connecting line CONSOLE of AAA.

AAA authorization config-commands

AAA authorization exec default group Ganymede + local

AAA authorization commands 1 default group Ganymede + authenticated if

AAA authorization commands by default 10 group Ganymede + authenticated if

AAA authorization commands 15 default group Ganymede + authenticated if

The problem is that when I log into the switch through the console port and enter these commands in, I instantly "Command authorization failed" on all orders get there. It's mind-boggling because there is no possible way that the switch is in talks with my Cisco ACS. I have not yet put in the radius-server key. I have to restart the box every time. What Miss me?

Thank you for your time. I use IOS Version 12.2 (25) SEB4.

-Andrew

Hello

Before proceeding with the configuration of Ganymede create a local user.

Add the following commands.

username cisco password cisco

AAA new-model

AAA authentication login default group Ganymede + local

AAA authorization commands 1 default group Ganymede + authenticated if

AAA authorization commands 15 default group Ganymede + authenticated if

AAA authorization config-commands

RADIUS-server host x.x.x.x

GANYMEDE-server key...

Please mark me if it helps you

access to AAA server to remote problems

Hi all. I can ping and trace to this GANYMEDE server. but I can't authenticate my telnet users. I configured local AAA relief so that he tries the remote server several times and then returns to the local GANYMEDE. I noticed the logs show the TCP FINS. Which indicates that I am actually reach the remote server, but the server sends a TCP FIN or is the server simply is not available, as indicated by the newspapers. Why the server will be not not accessible if I can ping and trace it.

I also checked the NOC extranet firewall accepted my traffic through the RADIUS server. they took the newspapers showing that my traffic has been accepted.

February 4, 2011 13:04:12: % ASA-7-609001: built internal local host: AAA_SERVER
February 4, 2011 13:04:12: % ASA-6-302013: built 24726 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/28055 (17.2.2.2/28055)
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24727 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/32029 (17.2.2.2/32029)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24726 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/28055 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24728 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/39039 (17.2.2.2/39039)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24727 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/32029 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-6-302013: built 24729 for inner outbound TCP connection: AAA_SERVER / 49 (AAA_SERVER/49) to identity:17.2.2.2/33702 (17.2.2.2/33702)
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24728 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/39039 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-6-113014: AAA authentication server unavailable: server = AAA_SERVER: user = vzz19
February 4, 2011 13:04:12: % ASA-2-113022: AAA marking GANYMEDE + Server AAA_SERVER aaa-server group MYGROUP as being broken
February 4, 2011 13:04:12: % ASA-4-409023: method of rescue attempt LOCAL AAA for authentication of user vzz19 request: inaccessible Server Auth MYGROUP group
February 4, 2011 13:04:12: % ASA-6-113015: rejected AAA user authentication: reason = invalid password: local database: user = vzz19
February 4, 2011 13:04:12: % ASA-6-611102: failed authentication user: Uname: vzz19
February 4, 2011 13:04:12: % ASA-6-605004: connection refused from 10.2.2.2/26089 to inside:17.2.2.2/telnet for the user "vzz19".
February 4, 2011 13:04:12: % ASA-6-302014: TCP disassembly 24729 for interior connection: AAA_SERVER / 49 to identity:17.2.2.2/33702 duration 0: 00:00 bytes TCP fins 41
February 4, 2011 13:04:12: % ASA-7-609002: duration of dismantling inside local host: AAA_SERVER 0:00:00

Here is my config from aaa

AAA-server protocol Ganymede MYGROUP +.
Max - a failed attempts 4
AAA-server host AAA_SERVER MYGROUP (inside)
timeout 3
Console Telnet AAA authentication LOCAL MYGROUP
Console to enable AAA authentication LOCAL MYGROUP
privilege MYGROUP 15 AAA accounting command

I can ping AND trace on the RADIUS server

ATLUSA01-FW01 # ping AAA_SERVER
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to AAA_SERVER, wait time is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = ms 02/01/10
ATLUSA01-FW01 # trace AAA_SERVER

Type to abort escape sequence.
The route to 151.162.239.239

1 17.2.2.3 0 ms 0 ms 0 ms
2 17.2.2.4 0 ms 0 ms 0 ms - extranet fire barrier
3 10.4.7.1 0 0 0 ms ms ms
4 10.4.7.13 0 0 0 ms ms ms
5 10.4.7.193 0 0 0 ms ms ms
6 AAA_SERVER (10.5.5.5) 0 ms 10 ms 10 ms

You'll certainly need the assistance of the administrator of the AAA, troubleshooting on the AAA client side shows only a fraction of what's going on.

Ask him or her to do the following:

Much easier and the most important thing is to check an 'attempt' journal and watch if there is no entry at all for your ASA.

If there is an entry, it should be automatic explaining like "Unknown SIN" or "Ganymede key bad argument" - be convinced on a good config and check it are two different things.

I have seen weird things like walking into a key on an AAA server via remote desktop and keyboard settings were inconsistent: English/German, traded resulting from letters 'Y' and 'Z' - do not trust your config until it you checked.

If there is no entry at all then it could be a device on the way which is allowing ping/traceroute tcp/49 but drops or a device is to translate the address of the ASA (well in this case, you should see an "unknown SIN" in the failed attempts).

You have the possibility to connect a device inside the network of the SAA as a laptop? If so, try Telnet for tcp/49 of the AAA server, you should see immediately, if it is allowed tcp/49 (get a blank screen immediately = connectivity, timeout = no connectivity)

That's all you can do on your side, unfortunately tha ASA isn't a telnet client.

Rgds,

MiKa

Problem with MS IAS and AAA

I am AAA configuration. I'm setting up a router so that when users access using the vty line, they must be authenticated by Active Directory. I configured AAA on the router and on Microsoft Windows Server 2003 IAS. But when I type 'test group aaa AUTH administrator legacy xxxxxxx' it gives the following error

Test of authentication attempting AUTH server group using RADIUS

* 01:01:04.991 Mar 1: AAA: analyze IDB name = type =-1 ATS = - 1

* 01:01:04.991 Mar 1: AAA/MEMORY: create_user (0x6417FF80) = user tweak "Administrator" = "NULL" ds0 = 0 port = "rem_addr = 'NULL' = ASCII service CONNECTION priv = authen_type = 1 initial_task_id = '0', vrf = (id = 0) no answer authoritative of any server.

RTR #.

* 01:01:23.647 Mar 1: RADIUS-4-RADIUS_DEAD %: 172.16.1.243:1812, 1813 RADIUS server does not respond.

* 01:01:23.655 Mar 1: AAA/MEMORY: free_user (0x6417FF80) = user tweak "Administrator" = "NULL" port = "rem_addr = 'NULL' = ASCII service CONNECTION priv = authen_type = 1 vrf = (id = 0)

* 01:01:23.655 Mar 1: RADIUS-4-RADIUS_ALIVE %: 172.16.1.243:1812, 1813 RADIUS server is marked in life.

I also used the default ports for authentication, but still no use. I am able to ping router radius server and can ping router of the radius server.

The Radius in VMWARE Server installed on and the router is emulated in Dynampis.

Here is the configuration of the router

RTR #sh run

Building configuration...

Current configuration: 863 bytes

!

version 12.4

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname RTR

!

boot-start-marker

boot-end-marker

!

!

AAA new-model

!

!

RADIUS AAA server AUTH group

ACCT-port of the server 172.16.1.243 auth-port 1812 1813

!

RADIUS authentication AUTH of AAA connection group.

!

AAA - the id of the joint session

memory iomem size 5

!

!

IP cef

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

interface Loopback1

no ip address

!

interface FastEthernet0/0

IP 172.16.1.241 255.255.255.0

automatic duplex

automatic speed

!

IP http server

no ip http secure server

IP route 0.0.0.0 0.0.0.0 172.16.1.1

!

!

!

radius of the IP source interface FastEthernet0/0

!

!

RADIUS-server host 172.16.1.243 auth-port 1812 acct-port 1813 key xxxxx

!

control plan

!

!

!

!

!

!

!

!

!

!

Line con 0

line to 0

line vty 0 4

authentication of connection AUTH

!

!

end

Do you see any hits on the 2003 event logs? If no request is not the RADIUS.

Do not forget that dynampis some time shows abnormal behavior. Since you are able to ping, then connectivity seems to be just fine here.

Check the shared secret key and make sure that the radius ports are open, check to see if there is a firewall between the two.

Kind regards

~ JG

AAA with Nexus problem

Hi there

I try to get the config directly on our nexus switches to use our local ACS server for authorization and authentication command. I want of course to yuse to a local user-database if the connection to the central server of ACS fails. But I can't properly syntax--some please see what I'm doing wrong here--is here - I set it on my nexus 5020:

I have defined a Ganymede group + named TACSRV

AAA server Ganymede group + TACSRV

Group AAA authentication login TACSRV default

AAA authentication local console connection

Group AAA authorization commands by default TACSRV

AAA authentication login error-enable

how it should look to first ask in TACSRV and if not properly the local database servers?

best regards /ti

Hello

You need to add at the end of each authentication and authorization, set the "local".

Like this:

Group AAA authentication login default local TACSRV
AAA config-commands to default local group TACSRV permissions
AAA authorization commands by default local group TACSRV

Dan

Problem download/save the photo with MHTML

When you upload a photo to my email in the box on my server (cogeco.ca) and savings to my documents, it is saved with an extension of the MHTML file that I can't open. I tried the photos from two different senders so the problem is my PC or server. I use Save as and the photos were jpeg or tiff, then added the MHTML. How to cause the pictures to be stored as just jpeg or tiff as Envoy?

Well, I communicate with your email provider and then ask what is this format. This isn't something that seems to be common to all.

Steve

wrote in message News: * e-mail address is removed from the privacy *...

Hi Steve;

Thanks for the quick response.

When you rename the file did not make a difference.

The name of the file is xxxx_jpt rather than xxxx.jpg, I expect. The description is MHTML Document and the size is between 1 & 2 meg.

I tried to rename aaaa and it does not open

I tried to rename it yyyy.jpg and it does not open

I tried to rename it yyyy.mht and it does not open

Any ideas?

Voice recorder problem - 4 GB Sansa Clip V01.02.15A

UM mean throughout all the records/reading on each device Sansa or what xferred for PC.

has anyone else had this problem or can get ideas?

The Zoom H1 gets only about 10 hours of battery life with an AA battery. The Olympus ws700m gets about 25 hours of battery life with an AAA battery!

Problems with NAT? Can't access internet from inside the network?

I was intrigued with this problem for a few days now. I'm stuck on what could be the issue. The problem is that I can ping my router, G0/0 and G0/1, to the internet. However, since the switch and my PC, I can not ping Internet. I'm sure that everything is configured correctly, but here is my setup for the switch and the router:

Router 1:

version 15.1
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 *.
!
No aaa new-model
!
no location network-clock-participate 3
!
dot11 syslog
no ip source route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
username * secret privilege 15 5 *.
!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.1 IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
the IP 192.168.0.1 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 115
GLBP 100 preempt
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.1
network 192.168.0.1 0.0.0.0 area 1
192.168.254.1 network 0.0.0.0 area 0
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7

access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!

profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.

All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
Synchronous recording
local connection
line to 0
line vty 0
local connection
entry ssh transport
output transport ssh
line vty 1 4
opening of session
transport of entry all
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Router 2:

version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname LAN_Router_2
!
boot-start-marker
boot-end-marker
!
!
! card order type necessary for slot 1
Monitor logging warnings
enable secret 5 *.
!
No aaa new-model
!
clock timezone CST - 5 0
!
dot11 syslog
IP source-route
!
IP cef
!
!
!
!
domain IP MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
type of parameter-card inspect global
Select a dropped packet newspapers
!
voice-card 0
!
!
!
!
!

!
!
Crypto pki token removal timeout default 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1411592J
username * secret 5 *.

!
redundancy
!
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
192.168.254.2 the IP 255.255.255.255
!
interface GigabitEthernet0/0
DHCP IP address
penetration of the IP stream
stream IP output
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
media type rj45
!
interface GigabitEthernet0/1
IP 192.168.0.2 255.255.255.248
penetration of the IP stream
stream IP output
IP nat inside
IP virtual-reassembly in
GLBP 100 ip 192.168.0.4
priority GLBP 100 110
automatic duplex
automatic speed
media type rj45
!
ospf Router 5
router ID - 192.168.254.2
network 192.168.0.2 0.0.0.0 area 1
0.0.0.0 network 192.168.254.2 area 0
!
Default IP gateway 192.168.0.1
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source list 10 interface GigabitEthernet0/0 overload
IP route 0.0.0.0 0.0.0.0 dhcp
!
SSH extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
denyip a session
!
access-list 10 permit 192.168.94.32 0.0.0.15 connect
access-list 10 permit 192.168.17.0 connect 0.0.0.7
access-list 10 permit 192.168.52.0 connect 0.0.0.7
access-list 10 permit 192.168.0.0 0.0.0.7 connect
access-list 10 deny any newspaper
!
!
!
!
!
!
control plan
!
!
!
!
profile MGCP default
!
!
!
!
!
connection of the banner ^ C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 360
exec-timeout 360 0
7 password *.
Synchronous recording
local connection
line to 0
opening of session
line vty 0 4
SSH access class in
Synchronous recording
local connection
entry ssh transport
output transport ssh
!
Scheduler allocate 20000 1000
NTP 198.60.73.8 Server
NTP 13.85.70.43 Server
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Switch:

version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug uptime
Log service timestamps uptime
encryption password service
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
!
username * secret privilege 15 5 *.
!
!
!
No aaa new-model
clock timezone CST - 6
1 supply ws-c3750-24ts switch
mtu 1500 routing system
IP routing
IP - domain name MyTestLab.com
8.8.8.8 IP name-server
IP-server names 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning tree mode rapid pvst
spanning tree logging
spanning tree extend id-system
!
internal allocation policy of VLAN ascendant
!
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
property intellectual ssh event logging
property intellectual ssh version 2
!
!
interface Loopback0
192.168.254.5 the IP 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 17
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/3
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/4
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard

!
interface FastEthernet1/0/5
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/6
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/7
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/8
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/9
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/10
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/11
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/12
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/13
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/14
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/15
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/16
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/17
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/18
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/19
Description # PC #.
switchport access vlan 10
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/20
Description # X_BOX #.
switchport access vlan 666
switchport mode access
Shutdown
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/21
switchport access vlan 94
switchport mode access
spanning tree portfast
spanning tree enable bpduguard
!
interface FastEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 5
switchport mode access
!
GigabitEthernet1/0/1 interface
switchport access vlan 666
Shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 666
Shutdown
!
interface Vlan1
no ip address
Shutdown
!
interface Vlan5
IP 192.168.0.5 255.255.255.248
!
interface Vlan10
address 192.168.10.2 255.255.255.0
!
interface Vlan17
IP 192.168.17.17 255.255.255.248
!
interface Vlan52
IP 192.168.52.1 255.255.255.248
!
interface Vlan94
IP 192.168.94.33 255.255.255.240
!
ospf Router 5
router ID - 192.168.254.5
Log-adjacency-changes
network 192.168.0.5 0.0.0.0 area 1
network 192.168.10.2 0.0.0.0 area 2
network 192.168.17.17 0.0.0.0 area 2
network 192.168.52.1 0.0.0.0 area 2
network 192.168.94.33 0.0.0.0 area 2
0.0.0.0 network 192.168.254.5 area 0
!
IP classless
IP route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip address of the http server
no ip http secure server
!
!
SSH_IN extended IP access list
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
any eq 22 host tcp 192.168.0.1 newspaper permit
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any newspaper
!
!
connection of the banner ^ C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system, including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.
All computer systems may be monitored for all lawful, including purpose
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
survival and operational security procedures.
Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During the surveillance,.
information may be examined, recorded, copied and used for authorized
purposes.
All information, including personal information, placed on or sent over
This system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes a consent to monitoring for these purposes.
^ C
!
Line con 0
session-timeout 60
exec-timeout 60 0
Synchronous recording
local connection
line vty 0
access-class SSH_IN in
local connection
line vty 1 4
access-class SSH_IN in
opening of session
line vty 5 15
access-class SSH_IN in
opening of session
!
NTP 198.60.73.8 Server
Event Manager environment suspend_ports_config flash: / susp_ports.dat
Event Manager environment suspend_ports_days 7
Event Manager user Directorystrategie "flash: / policies /.
Event manager session cli username "stw".
political event manager sl_suspend_ports.tcl
political event manager tm_suspend_ports.tcl
SaveRunConfig event manager applet
cron cron-event timer entry ' 0 0 * * ".
command action 1.0 cli 'enable '.
cli 2.0 action command "RAM".

Well, I totally forgot the keyword "log" and NAT:

Cisco IOS NAT support ACLs with a keyword "log"?

A. When you configure Cisco IOS NAT translation dynamic NAT, an ACL is used to identify the packages that can be translated. The current NAT architecture does not support the ACL with a keyword "log".

http://www.Cisco.com/c/en/us/support/docs/IP/network-address-translation...

If your problem is not the mask with joker, but the command "log"...

Cisco 871 routing problem

Hello.

I have a Cisco 871 router with this network diagram

10.218.10.117 host - 10.218.10.118 4 | CISCO 871 | 172.18.122.5-FE0 - 172.18.122.6 host

I want the 172.18.122.6 host can do ping to the 10.218.10.117 host at the other end of the router, but its does not work, what is the problem with this config? could someone give me a hand?

With the help of 1222 off 131072 bytes

!

version 12.4

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

hostname ALCALÁ-CNT-UIO

!

boot-start-marker

boot-end-marker

!

enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

activate the password XXXXXXXXXXXXXXX

!

No aaa new-model

!

resources policy

!

IP subnet zero

IP cef

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

IP 10.218.10.118 255.255.255.252

automatic speed

full-duplex

!

interface Vlan1

IP 172.18.122.5 255.255.255.0

!

router RIP

redistribute connected

10.0.0.0 network

network 172.18.0.0

!

IP classless

!

!

no ip address of the http server

no ip http secure server

!

Dialer-list 1 ip protocol allow

!

!

control plan

!

!

Line con 0

no activation of the modem

line to 0

line vty 0 4

password XXXXXXXXXXXX

opening of session

!

max-task-time 5000 Planner

end

Better compliance

The f

Jeff,

Each host can ping their side? You have default gateways configured on the hosts?

HTH,
John

Please note all useful messages *.

EEM to circumvent AAA

Dear all,

I'm running into a problem with an old script IOS and EEM like I can't do work around the AAA.

So I have a script that needs to log config mode and close an interface if an event occurs. Write the scenario is not a problem.

But to make it work! We have Ganymede + and to make it work on the router, I need a user authenticated. Or I have to log in to a router in a way that the Ganymede + is bypassed.

The config does not support the feature known EEM 3.1 - event manager applet work around auth...

I did the script and the ring road, by putting in place a the indicated below:

!

local EEMScript AAA authentication login

activate the default AAA authentication no

EEMScript AAA authorization exec no

AAA authorization commands 0 EEMScript no

AAA authorization commands 1 EEMScript no

AAA authorization commands 15 EEMScript no

!

username secret privilege 15 EEMScript 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX

!

line vty 0 2

exec-timeout 1 0

privilege level 15

authorization controls EEMScript 0

authorization controls 1 EEMScript

authorization controls EEMScript 15

exec authorization EEMScript

authentication of the connection EEMScript

length 0

nun entry transportation

transport of output no

4

Event manager session username EEMScript cli

However, in this case, the problem is that if I connect to this router I either connected to the vty 0 - which means I can't be authenticated by the GANYMEDE as not his vty lines 0-2 set. Which means the router becomes unmanageable...

On the other hand the solution works! Because if I'm not connected on the script will use the vty 0 by default, which as you see is 'proper' installation do not use AAA - but I need a little modification.

That's the real question:

Can I force my EEM script to use a specific vty line? as Vty 20 I will never use?

The best solution or ideas would be appreciated!

"HW is 1841 - c1841-advipservicesk9 - mz.124 - 17.bin".

Once attempts are deferred on the RADIUS server group, how can set you a timer on the method list to be restored in the local user database?

A problem I see is that the ACS server crashes and is accessible by intellectual property, however, he don't respond with an accept or reject. Therefore, no one is able to connect to all devices.

Thank you!

banner of AAA authentication

I have configured the banner authentication aaa and aaa fail message on a router running 12.1 (15) - authentication is done by ACS 3.0.2 which works very well.

Problem - the banner of authentication does not appear (nothing is outside of "username:"-don't not even 'check' user access) If you enter a wrong password, but the failure message. If I console in and unplug the interface while the two messages very well.

Workaround solution - if I set up a connection "banner" then everything works fine too, but I can't work out why does not display the "banner of aaa authentication."

I suspect ACS prevents the message, but I can't work out how - can anyone suggest a solution?

Thank you very much!

By the way that the command "radius-server administration '? It doesn't seem to be documented, and it has no effect or not.

The banner command does not work if you make the RADIUS authentication, it will not work if you do a RADIUS/local/etc. This is normal, cause with Ganymede you can have the sending server banner and guests down (even if with all I don't think that you can do) and so if you have configured authentication GANYMEDE the router does not take into account the banner command and waits to see if she gets a new one from the server RADIUS itself. If it is not it will simply display the usual guests.

As for the 'radius-server admin' command, honestly, I have no idea, never seen anyone use. Online help says "start the daemon of Ganymede management administrative messages", but what really I don't know, maybe someone else can help.

AAA problem

Similar Questions

Maybe you are looking for