ACS 4.2 RSA Authentication and LDAP group mapping

Hello

I have a Palo Alto firewall with the GlobalProtect (SSL VPN) feature enabled.

I use Cisco Secure ACS as a proxy for the RSA SecurID authentication.

After authentication, I try to map AD groups through an LDAP query.

The problem I have found is that the username I get from the user authentication has no domain prefix:

show user ip-user-mapping all | match mbm60380

10.240.1.24    vsys1  UIA  2388     2388     domain\mbm60380
10.240.1.1     vsys1  UIA  2101     2101     domain\mbm60380
10.240.250.1   vsys2  GP   2590859  2590859  mbm60380

But the list of users that I receive from the LDAP query includes the domain prefix:

show user group name domain\group1

short name: domain\group1

[1] domain\aag60368
[2] domain\ced61081
[3] domain\jas61669
[4] domain\mbm60380
[5] domain\pmc61693
[6] domain\vcm60984

I would like to create the user with the domain on ACS, but the domain must be stripped before querying the RSA server, as the RSA server does not support domain stripping.

I tried to fix this on the Palo Alto firewall without success.

I also tried changing this on Cisco Secure ACS 4.2, but that did not work either:

The RSA servers are configured as an external database. They are not defined in the network device groups.

Can I set up domain stripping for the queries to the RSA servers?

Thank you

Hello

I think it should work, but it is a bit awkward:

Create an entry in the Proxy Distribution Table under Network Configuration:

DOMAIN\USER*

Prefix

Forward to the AAA server, and from there authenticate to the RSA server without the domain prefix.

Make sense?

Thank you

Chris
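As an added illustration, not part of the thread or of ACS itself: a small Python model of what the Proxy Distribution Table entry suggested above does to a username before it is forwarded to the RSA server, plus a helper that compares the stripped name with the domain-prefixed entries the LDAP group query returns. The table semantics (first matching entry wins, the literal part of the pattern is stripped) are my reading of the reply; the prefix pattern `DOMAIN\*`, the server name `RSA-SecurID` and the sample identities are constructed from the values quoted in the question.

```python
"""Proxy-distribution matching and identity normalization (added example, not ACS code)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed from the question: what the firewall's ip-user-mapping reports
# for the same person (UIA entries carry the domain, the GlobalProtect one does not),
# and what the LDAP group query returns.
FIREWALL_USERS = ["domain\\mbm60380", "mbm60380"]
LDAP_GROUP = ["domain\\aag60368", "domain\\ced61081", "domain\\jas61669",
              "domain\\mbm60380", "domain\\pmc61693", "domain\\vcm60984"]


@dataclass(frozen=True)
class ProxyEntry:
    pattern: str      # character string with one '*', e.g. "DOMAIN\\*"
    position: str     # "prefix" or "suffix": which side of the username the literal sits on
    strip: bool       # remove the matched literal before forwarding
    forward_to: str   # AAA server that receives the request (assumed name)


def _match(identity: str, entry: ProxyEntry) -> str | None:
    """Return the part of identity covered by the pattern's literal text, or None."""
    literal = entry.pattern.replace("*", "")
    ident, lit = identity.lower(), literal.lower()   # matching is case-insensitive here
    if entry.position == "prefix" and ident.startswith(lit):
        return identity[:len(literal)]
    if entry.position == "suffix" and ident.endswith(lit):
        return identity[len(identity) - len(literal):]
    return None


def apply_proxy_table(identity: str, table: list[ProxyEntry],
                      default_server: str = "local") -> tuple[str, str]:
    """First matching entry wins; returns (server, username as forwarded)."""
    for entry in table:
        matched = _match(identity, entry)
        if matched is None:
            continue
        if not entry.strip:
            return entry.forward_to, identity
        if entry.position == "prefix":
            return entry.forward_to, identity[len(matched):]
        return entry.forward_to, identity[:len(identity) - len(matched)]
    return default_server, identity


def bare_user(identity: str) -> str:
    """Drop a 'REALM\\' prefix or '@realm' suffix and case-fold, for comparison only."""
    if "\\" in identity:
        identity = identity.split("\\", 1)[1]
    elif "@" in identity:
        identity = identity.rsplit("@", 1)[0]
    return identity.lower()


def group_entries_for(identity: str, members: list[str]) -> list[str]:
    """LDAP group entries that refer to the same account, whatever realm decoration each side uses."""
    wanted = bare_user(identity)
    return [m for m in members if bare_user(m) == wanted]


# The entry the reply suggests: match "DOMAIN\" at the front, strip it, forward to RSA.
SUGGESTED_TABLE = [ProxyEntry("DOMAIN\\*", "prefix", True, "RSA-SecurID")]
# The same entry without stripping, for contrast: RSA would receive "domain\user".
NO_STRIP_TABLE = [ProxyEntry("DOMAIN\\*", "prefix", False, "RSA-SecurID")]

if __name__ == "__main__":
    for ident in FIREWALL_USERS:
        print(ident, "->", apply_proxy_table(ident, SUGGESTED_TABLE),
              "| no strip:", apply_proxy_table(ident, NO_STRIP_TABLE),
              "| group entries:", group_entries_for(ident, LDAP_GROUP))
```

The point of the comparison helper is that the firewall, the LDAP group list and the RSA server each see a differently decorated form of the same account; matching on the bare, case-folded username is what lets the group mapping line up with the stripped name sent to RSA.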

Tags: Cisco Security

Similar Questions

  • ACS 4.2 Wired and wireless group mapping

    Hello

    User1 connects to the switch; he belongs to the AD group Domain_user and is mapped to ACS Group1, which sends the RADIUS attribute to change the VLAN. This part works fine.

    My problem is when the same user connects with his Wi-Fi card... He is still part of Domain_user and still gets mapped to Group1 on ACS, but now the RADIUS values are wrong for the wireless.

    Wired production vlan = 20

    Prod wireless vlan = 120

    What I want to do is something like:

    ADGroupX + Connect_type = ACS Group1
    ADGroupX + Connect_type2 = ACS Group2

    I tried to use the connection profile, but the group mapping is not performed at this level. Ditto for NAR: my user must be able to log in wired or wireless and get the right VLAN, not get restricted by the NAR.

    Another way would be to set up a wireless username/password in the internal database and add it to the right ACS group, but that involves password management, and not all 802.1X clients support password auth (without user intervention).

    Any idea?

    Hi... this scenario is exactly what Network Access Profiles (NAPs) are designed to address. Essentially, a NAP creates a complete configuration based on the network service.

    So by default ACS is a single-NAP system (well, I guess two if you include RADIUS and TACACS+), where any network service and all RADIUS users would be assumed to use a single device type. NAP allows you to configure, per service, the authentication protocol, the group mappings and the authorizations.

    The first part of the NAP is that you have to differentiate the authentication requests for each network service. This could be as easy as using the IP address of the AAA client or the NDG. If this is not possible, you can start looking at the attributes in the RADIUS request to find attribute values that are unique to the switch or the WLAN.

    Assuming you have managed to do that, it is a matter of implementing the authentication and authorization policies, but the main thing is that you will be able to send whichever RADIUS return attributes you need to the device for the same user.

    The user interface can take a little getting used to, so read the docs online and stick with it!

    www.extraxi.com for all your ACS reporting needs

  • AnyConnect user using the user certificate authentication and LDAP authentication

    Hello

    I'm trying to implement the AnyConnect VPN for my office. I want the user to be authenticated based on the user certificate (which is installed on the user's local system) by its CN value, plus LDAP authentication. Any help on how to achieve this requirement? We have installed the GoDaddy ROOT and INTERMEDIATE certificates on the ASA. Also, we have the user certificate installed on each user's system to authenticate the user.

    Any help please.

    Hi subhasisdutta,

    This link will certainly help you with the configuration:

    http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-secure-mob...

    Hope this info helps!

    Rate if it helps!

    -JP-

  • Cisco Secure ACS groups 5.1 Active Directory and RSA Authentication Manager 7.1 for profiles


    Hello

    I'm deploying an ACS connected to an RSA Authentication Manager (which is itself connected to an Active Directory domain).

    I created several groups in the Active Directory server, and I am trying to give users different access rights according to their groups.

    I tried to define an access policy "NetOp/NetAdm" and two authorization rules:

    Rule-1   AD1:ExternalGroups contains all dir.INTRA/groups/NETOP    'Auth for net operators'   0
    Rule-2   AD1:ExternalGroups contains all dir.INTRA/groups/NETADM   'Auth net admin'           0
    Default: Deny

    In the identity policy, I have configured the RSA identity source, so that users get authenticated by the RSA Authentication Manager.

    But I still get access denied: the RSA authentication is successful, but the Active Directory group membership does not work, even with the UNIX attributes or the primary group defined for the user.

    My question: is this a valid configuration scenario? Is there another way to define several profiles according to the user's group in the external source?

    The monitoring steps:

    Steps
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - NetOp/NetAdm
    Evaluating Identity Policy
    15004 Matched rule
    15013 Selected Identity Store - RSA server
    24500 Authenticating user against RSA SecurID server
    24501 Session with RSA SecurID server established
    24506 Check successful operation code
    24505 User authentication succeeded
    24553 User record has been cached
    24502 Session with RSA SecurID server closed
    22037 Authentication passed
    22023 Proceed to attribute retrieval
    24628 User cache not enabled in the RADIUS Identity Token Store configuration
    22016 Identity sequence completed iterating the IDStores
    Evaluating Group Mapping Policy
    15006 Matched default rule
    Evaluating Exception Authorization Policy
    15042 No rule was matched
    Evaluating Authorization Policy
    15006 Matched default rule
    15016 Selected Authorization Profile - DenyAccess
    15039 Selected Authorization Profile is DenyAccess
    11003 Returned RADIUS Access-Reject

    Thank you

    Christophe

    I think what you need to do is create an identity sequence with RSA selected in the "Authentication and Attribute Retrieval Search List" and AD in the "Additional Attribute Retrieval Search List". Then select this sequence as the result of the identity policy for the service.
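    As an added example (not ACS code): a Python model of the identity-sequence change the reply describes, showing why an RSA-only identity source ends in the DenyAccess default recorded in the monitoring steps, while adding AD to the additional attribute-retrieval list lets Rule-1 match. Store names, the user name and the credential placeholder are constructed; the group paths and profile names are taken from the rules in the question.

```python
"""Identity sequence and authorization rules, modelled on the thread (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

DENY = "DenyAccess"


@dataclass
class IdentityStore:
    name: str
    # user -> credential the store would verify (constructed placeholders, not real secrets)
    credentials: dict[str, str] = field(default_factory=dict)
    # user -> attributes the store can return (e.g. AD external groups)
    attributes: dict[str, dict[str, list[str]]] = field(default_factory=dict)

    def authenticate(self, user: str, credential: str) -> bool | None:
        """True/False when this store knows the user, None when it does not."""
        if user not in self.credentials:
            return None
        return self.credentials[user] == credential

    def retrieve(self, user: str) -> dict[str, list[str]]:
        return self.attributes.get(user, {})


@dataclass
class IdentitySequence:
    authentication: list[IdentityStore]        # "Authentication and Attribute Retrieval Search List"
    additional_retrieval: list[IdentityStore]  # "Additional Attribute Retrieval Search List"


def run_sequence(seq: IdentitySequence, user: str, credential: str) -> dict[str, list[str]] | None:
    """Authenticate against the first store that knows the user; on success merge the
    attributes from that store and from every additional-retrieval store. None = reject."""
    attrs: dict[str, list[str]] = {}
    for store in seq.authentication:
        result = store.authenticate(user, credential)
        if result is None:
            continue            # store does not know the user, try the next one
        if not result:
            return None         # wrong credential: authentication failed
        attrs.update(store.retrieve(user))
        break
    else:
        return None             # no store knew the user
    for store in seq.additional_retrieval:
        for key, vals in store.retrieve(user).items():
            merged = attrs.setdefault(key, [])
            for v in vals:
                if v not in merged:
                    merged.append(v)
    return attrs


# Rules from the question: "AD1:ExternalGroups contains all <group>" -> authorization profile.
RULES = [("dir.INTRA/groups/NETOP", "Auth for net operators"),
         ("dir.INTRA/groups/NETADM", "Auth net admin")]


def authorize(attrs: dict[str, list[str]], rules=RULES) -> str:
    """First rule whose group is present wins; otherwise the default rule denies."""
    groups = attrs.get("AD1:ExternalGroups", [])
    for required, profile in rules:
        if required in groups:
            return profile
    return DENY


def decide(seq: IdentitySequence, user: str, credential: str) -> str | None:
    """None when authentication fails, else the selected authorization profile."""
    attrs = run_sequence(seq, user, credential)
    return None if attrs is None else authorize(attrs)


# Constructed stores: RSA only verifies the passcode, AD only knows group membership.
RSA = IdentityStore("RSA server", credentials={"christophe": "PIN+tokencode"})
AD1 = IdentityStore("AD1", attributes={"christophe": {"AD1:ExternalGroups": ["dir.INTRA/groups/NETOP"]}})

RSA_ONLY = IdentitySequence(authentication=[RSA], additional_retrieval=[])     # the failing setup
RSA_THEN_AD = IdentitySequence(authentication=[RSA], additional_retrieval=[AD1])  # the reply's fix

if __name__ == "__main__":
    print("RSA only   :", decide(RSA_ONLY, "christophe", "PIN+tokencode"))
    print("RSA then AD:", decide(RSA_THEN_AD, "christophe", "PIN+tokencode"))
```

    With RSA as the only source, the attribute set after authentication is empty, so neither rule can match and the default profile is selected; the additional retrieval step is what populates the external-group attribute the rules test.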

  • Cisco ACS 5.1 and RSA Authentication Manager 6.1

    Hi all

    We recently got a Cisco Secure ACS 1120 and I upgraded the unit from 5.0 to 5.1 with all your support.

    Now, I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE server and exported it to the ACS 1120.

    I also added ACS as a NetOS agent in the RSA server; during the process, I found a few warnings. The ACE server is not able to resolve the IP address to the name (is it necessary?).

    I have not created any secret key file for the communication between ACS and RSA, and the encryption I used is FOR.

    Now, when I log into ACS and look for the stores in the identity store sequences, I am not able to get the RSA Token Server.

    Let me know what went wrong and where I can fix it, and also please tell me how the communication between RSA and ACS works.

    Hoping that you guys help me as usual when I'm in a hurry...

    Sree

    Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing Submit, what happened? Was the RSA instance created OK?

    If you go to Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?

  • ACS 4.2 authentication and exec mode on test router

    The goal is to have ACS authenticate my username via SSH and, once authenticated, let me go to privileged exec mode. Details below.

    I have ACS Solution Engine 4.2 and I have a test router with the following commands:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa session-id common
    tacacs-server host 10.4.4.21 single-connection
    tacacs-server key $# $& $* #

    The problem is the following. I can SSH and log in to the router using a user in the ACS database, but the router does not allow me to use the enable command in exec mode. The error it gives me is:

    AAA_ROUTER_CLIENT>enable
    % Authentication failure.
    AAA_ROUTER_CLIENT>

    I must be missing something in the ACS. Any help would be appreciated.

    You are missing this command:

    aaa authorization exec default group tacacs+ if-authenticated

    That's what you need on the router:

    Router(config)# username [username] password [password]
    tacacs-server host [ip]
    tacacs-server key [key]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated

    On ACS:

    Bring the users/groups to level 15:

    1. Go to the user or group setup in ACS.
    2. Scroll down to "TACACS+ Settings".
    3. Check "Shell (exec)".
    4. Check "Privilege level" and enter "15" in the adjacent field.

    Kind regards

    ~ JG

    Please rate useful posts

  • Trying of authenticating to a LDAP group users - all users authenticated

    The ASA successfully authenticates all users if they are in the OKCVPNAccess user group, and the ASA correctly sees the LDAP attribute map. There is only a single policy.

    [54] memberOf: value = CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local
    [54] mapped to IETF-Radius-Class: value = LDAPPolicy

    I have been through a lot of documentation on the Cisco web sites and also looked at several forums, but I'm coming up blank as to what I can try next. I know that it will work with RADIUS, and I've used RADIUS several times in the past, but this isn't an option: I was asked to do it with LDAP. Any suggestions? I've included the relevant part of the setup; I tried to sanitize it somewhat, so there may be a name inconsistency here or there.

    Thank you

    ldap attribute-map LDAPMAP
      map-name memberOf IETF-Radius-Class
      map-value memberOf CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server LDAP protocol ldap
    aaa-server LDAP (inside) host 10.12.34.248
     server-port 389
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn xxx\vpn.auth
     server-type microsoft
     ldap-attribute-map LDAPMAP

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic outside_dyn_map
    crypto map CRYPTO-MAP interface outside

    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp disconnect-notify

    group-policy CRYPTOGP internal
    group-policy CRYPTOGP attributes
     banner value Use of this system is... Please log out immediately!
     dns-server value 10.12.34.248 10.129.8.136
     vpn-tunnel-protocol IPSec
     pfs enable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value SPLITTUNNEL
     default-domain value xxx.local

    tunnel-group CRYPTO-OKC-VPN type remote-access
    tunnel-group CRYPTO-OKC-VPN general-attributes
     authentication-server-group LDAP
     address-pool IPPOOL
     default-group-policy CRYPTOGP
     authentication-server-group LDAP
    tunnel-group CRYPTOOKC-VPN ipsec-attributes
     pre-shared-key *

    In my view, the LDAP map is just for mapping an LDAP attribute to an appropriate group policy; you can control the user's access with the group policy.

    Here is an example:

    http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a008089149d.shtml

    After the user has connected to the VPN, can you use "show vpn-sessiondb" to check which group policy is used?

    Moreover, I did not see 'LDAPPolicy' defined in your configuration.

  • authentication of remote access, vpn and ldap

    I have a test environment with two ASA 5505 firewalls. The first firewall is the remote access VPN server; on the inside of this firewall is a domain network with a domain controller, a DNS server and a workstation. DHCP is disabled and the PCs have static addresses. The outside of the VPN server is attached to the outside of the other ASA 5505 firewall; on the inside of that firewall there is a workstation. That workstation should connect via remote access VPN to the domain network. I have configured the VPN server for remote access through a wizard and its configuration is the following:

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 8.2(1)
    !
    hostname ciscoasa
    domain-name dri.local
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.13.74.5 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address 192.168.30.1 255.255.255.0
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name dri.local
    access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
    access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.30.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
     action terminate
    dynamic-access-policy-record vpnldap
     network-acl inside_nat0_outbound
    aaa-server vpn protocol ldap
    aaa-server vpn (inside) host 10.13.74.20
     ldap-base-dn DC=DRI,DC=LOCAL
     ldap-group-base-dn cn=test,cn=users,dc=dri,dc=local
     ldap-scope subtree
     ldap-naming-attribute sAMAccountName
     ldap-login-password *
     ldap-login-dn cn=test,cn=users,dc=dri,dc=local
     server-type microsoft
    http server enable
    http 10.13.74.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address 10.13.74.9-10.13.74.40 inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy drivpn internal
    group-policy drivpn attributes
     dns-server value 10.13.74.20 10.8.2.5
     vpn-tunnel-protocol IPSec l2tp-ipsec
     default-domain value dri.local
    tunnel-group drivpn type remote-access
    tunnel-group drivpn general-attributes
     address-pool vpnpool
     authentication-server-group vpn
     default-group-policy drivpn
    tunnel-group drivpn ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:1fc23fb20a74f208b3cde5711633ad3d
    : end

    When I try, from the workstation on the inside of the second firewall (not the remote access VPN server), to connect to the VPN, everything is OK. I used the Cisco VPN client, but I can't ping the domain controller or the workstation, and I can't use the shared folders on them. Why?

    Please help me

    Thank you

    Thanks for letting me know! Can you please mark the post as "answered"? Thank you!

  • Separation of monitor only and Admin for Cisco ASDM (ASA) access for users authenticated via LDAP

    Hello

    We have two AD groups: one for the network admins and one for the system administrators group. The network admins will get priv level 15, the others priv level 3.

    This is the setup I use:

    TestASA# sh run ldap attribute-map test4
    ldap attribute-map test4
      map-name comment Privilege-Level
      map-value comment fw-ro 5
      map-value comment fw-rw 15
      map-name memberOf IETF-Radius-Service-Type
      map-value memberOf "CN=s-FW-Admin,OU=Security Groups,DC=802101,DC=local" 6
      map-value memberOf "CN=s-fw-ro,OU=Security Groups,DC=802101,DC=local" 5

    A user in both groups can connect via SSH and ASDM, but all users get the same rights, priv level 15.

    Does anyone have an idea?

    You must visit the link listed below to configure the ASA for read-only access and admin access. Not sure if you have already been there.

    https://supportforums.Cisco.com/docs/doc-33843

    ~ BR
    Jatin kone

    * Please rate useful posts *
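    Added example, not from either thread, serving this question and the "Trying to authenticate LDAP group users" one above: a small Python evaluator for ASA-style `ldap attribute-map` text, run over constructed LDAP entries, to show what each map yields for a given user. The map text is transcribed from the two configurations quoted on this page; the LDAP entries, the first-match resolution and the decision to drop unmapped values are assumptions of the example.

```python
"""Evaluate ASA-style 'ldap attribute-map' text against an LDAP entry (added example)."""
from __future__ import annotations
import shlex


def _canon(value: str) -> str:
    """Case-fold a DN (or plain value) and drop spaces after separators, so
    'CN=x, OU=y' and 'cn=x,ou=y' compare equal."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def parse_attribute_map(text: str) -> tuple[dict[str, str], dict[tuple[str, str], str]]:
    """Parse map-name / map-value lines.
    Returns (ldap attribute -> Cisco attribute, (ldap attribute, ldap value) -> mapped value)."""
    names: dict[str, str] = {}
    values: dict[tuple[str, str], str] = {}
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())      # honours the quotes around DNs with spaces
        if not parts:
            continue
        if parts[0] == "map-name" and len(parts) == 3:
            names[parts[1].lower()] = parts[2]
        elif parts[0] == "map-value" and len(parts) >= 4:
            ldap_attr, *middle, mapped = parts[1:]
            values[(ldap_attr.lower(), _canon(" ".join(middle)))] = mapped
    return names, values


def apply_map(names: dict[str, str], values: dict[tuple[str, str], str],
              entry: dict[str, list[str]]) -> dict[str, list[str]]:
    """Translate one user's LDAP attributes into the Cisco attributes the map defines.
    A multi-valued attribute such as memberOf can yield several candidates; values
    without a map-value line are dropped here (assumption of this example)."""
    entry_lc = {k.lower(): v for k, v in entry.items()}
    out: dict[str, list[str]] = {}
    for ldap_attr, cisco_attr in names.items():
        for value in entry_lc.get(ldap_attr, []):
            mapped = values.get((ldap_attr, _canon(value)))
            if mapped is not None:
                out.setdefault(cisco_attr, []).append(mapped)
    return out


def resolve(entry: dict[str, list[str]], map_text: str) -> dict[str, list[str]]:
    names, values = parse_attribute_map(map_text)
    return apply_map(names, values, entry)


# Map text transcribed from the ASDM privilege question on this page.
ASDM_MAP = """
map-name comment Privilege-Level
map-value comment fw-ro 5
map-value comment fw-rw 15
map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=s-FW-Admin,OU=Security Groups,DC=802101,DC=local" 6
map-value memberOf "CN=s-fw-ro,OU=Security Groups,DC=802101,DC=local" 5
"""
# Map text transcribed from the LDAP group VPN question on this page.
VPN_MAP = """
map-name memberOf IETF-Radius-Class
map-value memberOf CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local LDAPPolicy
"""

# Constructed LDAP entries (not from the page). Note that none carries a 'comment'
# attribute, so the Privilege-Level mapping never produces a value for them.
RO_ONLY = {"sAMAccountName": ["alice"],
           "memberOf": ["CN=s-fw-ro,OU=Security Groups,DC=802101,DC=local"]}
BOTH_GROUPS = {"sAMAccountName": ["bob"],
               "memberOf": ["CN=s-fw-ro,OU=Security Groups,DC=802101,DC=local",
                            "CN=s-FW-Admin,OU=Security Groups,DC=802101,DC=local"]}
VPN_USER = {"sAMAccountName": ["carol"],
            "memberOf": ["CN=VPNAccess-OKC,OU=Groups,OU=xxx,OU=xxx,DC=xxx,DC=local"]}

if __name__ == "__main__":
    print("ro only    :", resolve(RO_ONLY, ASDM_MAP))
    print("both groups:", resolve(BOTH_GROUPS, ASDM_MAP))
    print("vpn user   :", resolve(VPN_USER, VPN_MAP))
```

    Running it makes two things visible that the raw configuration hides: a user who is a member of both groups produces two candidate Service-Type values, so the map alone does not decide which wins, and a map keyed on an attribute the directory entry does not carry (the `comment` attribute here) silently contributes nothing.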

  • LDAP user authentication and database standard version

    Hello

    Is it possible to use LDAP user authentication (user data in OUD or ODSEE) with the Standard Edition of Oracle Database? We have a Directory Services Plus license but don't want to buy the Enterprise Edition of the database just to get the Enterprise User Security feature for user management.

    Thank you

    Hello

    EUS requires a Database EE license. This is independent of the Directory Services license.

    See http://docs.oracle.com/cd/E11882_01/license.112/e47877.pdf for more details.

    Sylvain

  • Cisco ACS. Two-factor authentication.

    Hello.

    We intend to use the following connection scheme: Cisco ASA + Cisco ACS 5.4 + RSA SecurID.
    We use two groups on Cisco ACS. Group "A" must use two-factor authentication, and group "B" does not.
    How do I create this rule?

    Perform the rule-based identity selection with DAP-Tunnel-Group-Name as a selector.

    The ASA will send the tunnel group name in the auth request.

    Attached example.

  • WEBVPN and AD group membership

    I desperately need some advice with my WEBVPN authentication design.

    How do I restrict specific users to connect only to a certain connection profile alias?

    For example, let's say I have GROUP A, GROUP B and GROUP C as aliases available in the drop-down on the SSL login screen. In AD, I have 3 security groups with the same names. How can I make sure that only members of the GROUP A security group can authenticate to the GROUP A connection profile and not the others? Ideally, I'd like to achieve this with RADIUS authentication, but I couldn't find an attribute that is passed along that I can pre-select against. Any suggestions are appreciated. Thank you.

    You can use the LDAP mapping to authenticate your users against AD with LDAP, retrieve the memberOf and map this value to the IETF-Class value, which the ASA uses for group locking, allowing only users belonging to a specific tunnel group policy to connect to that tunnel group policy.

  • LDAP group does not map synchronization

    I have problems with LDAP group map synchronization for UCS Central to allow access for UCSM login. They are not properly synchronized.

    Hi Mark,

    Hope your week is going well. If you could answer the following questions that would help me greatly.

    Do we have other issues with UCSM communication to Central, or just this LDAP configuration?
    Do you have any pre-existing LDAP configuration that works, or is this the first implementation of LDAP?
    Are you applying the LDAP configuration at the root, with the Central organization?

    If you can, go ahead and go to Operations Management --> Security --> Local Operational Policies; make sure the affected organizations are there, if not it will not work.

    So if this is the case, go to Administration --> User and Authentication --> Local --> Properties --> Assign/Unassign Organization --> make sure that the Organization and the root are there. If only the ROOT is there it will not work, and vice versa: if just the organization is there, it won't work.

    Once you do that, try to re-connect to Central, refresh and check that the Operations Management tab shows your organization.

    I hope this helps.

    Qiese Sa'di

  • Cisco Secure ACS 4.2 Windows authentication of different domain

    Hello

    I have a Cisco Secure ACS for Windows Server 4.2. The server belongs to a domain, and the users of that domain belonging to a certain group are authenticated.

    Now, I have to change the configuration of the server and reassign it to another domain. There is no trust relationship between the two domains, and I would like to know if users can still be authenticated against the previous domain.

    Hello

    First of all, take a backup (as a precaution, in order to restore the config if something goes wrong), then continue with the following:

    - Remove the Windows domain configuration (group mapping etc.) from the server before changing the domain.

    - Change the domain membership, and then restart.

    - Follow the post-installation tasks for ACS (see this link): http://tiny.cc/zr6huw.

    - Configure the external database again on ACS (group mapping, unknown user policy, etc.).

    You should note that if the new domain controller is Windows Server 2008 R2, that is not supported by ACS 4.x.

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • TACACS+ authentication and authorization on IOS XR

    Hi all

    I tried to connect several IOS-XR devices in our lab (ASR, RSG and CRS) to our TACACS+ server (Cisco Secure ACS, release 4.2(0)). The objective is that TACACS+ performs the authentication and authorization and controls the user for all non-console CLI connection types (telnet and SSH). I don't use any HTTP server to access the devices and I want to keep the console connection local.

    I have several devices connected to this TACACS+ server with the following AAA-related configuration. I would like to implement the same principles on IOS-XR, but given that the command structure is different and I could not figure out how to do this using the manual, I need your expert help:

    aaa new-model
    !
    !
    aaa group server tacacs+ acs-servers-group
     server
    !
    aaa authentication login default local
    aaa authentication login local_vty local
    aaa authentication login console local
    aaa authentication login acs group acs-servers-group local
    aaa authorization exec default group tacacs+
    aaa authorization commands 15 acs_cmds group tacacs+
    aaa authorization commands 15 local_cmds none
    !
    !
    !
    !
    !
    aaa session-id common
    !
    skipped...
    !
    username * privilege 15 secret 5 *
    !
    skipped...
    !
    tacacs-server host key 7
    radius-server directed-request
    !
    skipped...
    !
    line con 0
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     authorization commands 15 acs_cmds
     login authentication acs
     transport preferred telnet
     transport input all
    line vty 5 15
     exec-timeout 0 0

    * Note: the IOS-XR devices run versions 4.1.2 and 4.2.0

    Many thanks for any help that you could provide

    Lior

    Lior,

    You must return the task ID and/or task groups in order to make this work. From my experience working with these platforms, it is really unnecessary to proceed with command authorization if you trust the task IDs/groups, which are built into the ASR.

    The flow for TACACS+ command authorization on these devices is a bit different than on traditional IOS (unless something has changed in the last 6 months): when the user tries to run a command, the TACACS+ command authorization is triggered only if the user executes a command that falls under the umbrella of the task. If it isn't there, command authorization is never triggered.

    Here are some documents that I feel will help you:

    https://supportforums.Cisco.com/docs/doc-15944

    Thank you

    Tarik Admani
    * Please rate useful posts *
