ACS 5.6.0.22 TACACS+ authentication issue

Scenario: the Active Directory server is down or not reachable.

ACS is configured with both AD and local users. When AD is online, I can use a local account or an AD account for RADIUS authentication. When AD is unavailable I get the error "24444 Active Directory operation failed because of an error that is not specified in ACS" when trying to use the local account. (Of course I expect not to be able to use an AD account.)

Is this expected, or is there an error in my configuration?

Hi Richard,

When AD is offline you should still be able to use your local account if you select the option 'Continue to next identity store in the sequence' under the 'Advanced Options' of the identity store sequence that you created:

Section "Users and Identity Stores > Identity Store Sequences > Edit":

Advanced Options

If access to the current identity store fails:

  Break sequence
* Continue to next identity store in the sequence

Note: please mark as answered where appropriate
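The behaviour the answer describes can be modelled in a few lines. The following Python is an added illustration, not code from the thread or from Cisco: it walks an identity store sequence (AD first, Internal Users second, as the question implies) and shows that with 'Break sequence' an unreachable AD fails the whole request with the 24444 error, while 'Continue to next identity store in the sequence' lets the local store answer. The store names, user records and the StoreUnavailable/IdentityStore classes are constructed for the example.

```python
from dataclasses import dataclass

# Values of the "If access to the current identity store fails" option in the
# sequence's Advanced Options (labels from the GUI; the constants are this example's).
BREAK_SEQUENCE = "break sequence"
CONTINUE_TO_NEXT = "continue to next identity store in the sequence"


class StoreUnavailable(Exception):
    """The store could not be reached at all (AD offline), as opposed to a
    lookup that simply did not find the user."""


@dataclass
class IdentityStore:
    name: str
    users: dict          # username -> password; a stand-in for the real store
    online: bool = True

    def lookup(self, username, password):
        """Return "PASS", "WRONG_PASSWORD" or "NOT_FOUND"; raise if unreachable."""
        if not self.online:
            raise StoreUnavailable(self.name)
        if username not in self.users:
            return "NOT_FOUND"
        return "PASS" if self.users[username] == password else "WRONG_PASSWORD"


def authenticate_via_sequence(stores, on_store_failure, username, password):
    """Walk the sequence in order and return (result, detail).

    A store that does not hold the user is skipped, which is how a sequence works
    under either setting. A store that cannot be reached is where the option
    matters: with BREAK_SEQUENCE the request fails right there (the 24444 error
    of the question); with CONTINUE_TO_NEXT the next store gets a chance.
    """
    for store in stores:
        try:
            outcome = store.lookup(username, password)
        except StoreUnavailable:
            if on_store_failure == BREAK_SEQUENCE:
                return ("FAIL", "24444 Active Directory operation failed because of an "
                                "error that is not specified in ACS (%s unreachable)" % store.name)
            continue
        if outcome == "NOT_FOUND":
            continue
        if outcome == "PASS":
            return ("PASS", store.name)
        return ("FAIL", "wrong password for %s in %s" % (username, store.name))
    return ("FAIL", "%s not found in any reachable store" % username)


def demo():
    """The scenario in the question: AD first, Internal Users second, then AD goes down."""
    ad = IdentityStore("AD1", {"alice": "ad-pw"})                 # constructed sample users
    local = IdentityStore("Internal Users", {"bob": "local-pw"})  # constructed sample users
    sequence = [ad, local]
    results = {}
    results["ad up, local user"] = authenticate_via_sequence(sequence, BREAK_SEQUENCE, "bob", "local-pw")
    ad.online = False
    results["ad down, break"] = authenticate_via_sequence(sequence, BREAK_SEQUENCE, "bob", "local-pw")
    results["ad down, continue"] = authenticate_via_sequence(sequence, CONTINUE_TO_NEXT, "bob", "local-pw")
    results["ad down, ad user"] = authenticate_via_sequence(sequence, CONTINUE_TO_NEXT, "alice", "ad-pw")
    return results


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-22s -> %s" % (case, result))
```

Running it prints the four cases: the local user passes while AD is up, fails with the 24444 message when AD is down under 'Break sequence', passes again under 'Continue to next', and the AD-only user still fails either way because no reachable store knows them.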

Tags: Cisco Security

Similar Questions

  • TACACS+ authentication on Juniper ScreenOS using ACS 5.3

    TACACS+ authentication and authorization pass on ACS 5.3, but entering the username and password on the security device (Juniper SSG5) gives access denied. Attached is the TACACS config.

    set auth-server "TACACS+" id 1
    set auth-server "TACACS+" server-name 10.10.xx.yy
    set auth-server "TACACS+" account-type admin
    set auth-server "TACACS+" type tacacs
    set auth-server "TACACS+" tacacs secret xxxx
    set auth-server "TACACS+" tacacs port 49
    set admin auth server "TACACS+"
    set admin auth remote primary
    set admin auth remote root
    set admin privilege get-external

    Please advise

    I guess you posted a screenshot. I'm waiting for the file to be downloadable for analysis.

    ~ BR
    Jatin kone

    * Please rate helpful posts *

  • ACS 4.2 TACACS+ authentication failure. Key mismatch

    I have configured 10 Layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) using TACACS+. They all use the same key and work correctly. I went to another 3750 switch, reached over a point-to-point circuit, running Cisco software C3750-IPBASEK9-M, Version 12.2(35)SE5. I entered the usual configuration, then entered the key, tried to log in as a user and got authentication failed. I checked the server and see key mismatch in Reports and Activity, failed attempts. I removed the key, copied and pasted it from Notepad, still doesn't work. Removed the switch from the ACS network device group and re-added it, put in a new key without special characters. No go.

    Here is the config.

    aaa new-model
    !
    !
    aaa authentication login default group tacacs+ enable
    aaa authentication login NO_AAA local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated

    ip tacacs source-interface FastEthernet0/0

    tacacs-server host 10.1.1.1
    radius-server key 0 itspassword
    radius-server application made

    Initially the password was encrypted, so I changed it to clear text by typing the password without the 0 and with the 0. Neither worked. I also removed service password-encryption to see if that would do anything.

    I normally use SSH to the router, so I changed it to accept telnet. That did not work. Changed SSH, regenerated the RSA keys and modified it to use SSH2, which did not work.

    Here's what I get from the logs

    Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
    Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
    Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
    Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
    Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
    Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
    Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
    Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
    Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
    Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
    Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
    Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
    Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

    I searched around the forum for about 4 hours and tried all the other options that were given to other people with a similar problem. The last key I put in was 123456. You can't fat-finger that. The switch log says check the key; the firewall is configured to allow all traffic from the AAA client.

    Hi green2003mg,

    The key override of the group (the NDG your switch belongs to) takes precedence over the client key. Have you checked that one?

    Greetz,

    Julia

  • RADIUS and TACACS+ authentication

    We authenticate our systems through dot1x. I also need to be able to authenticate our Cisco admins using the same ACS server. I see how to configure a switch to do both TACACS+ and RADIUS, but I do not see how to set up ACS to allow a switch to use both TACACS+ and RADIUS.

    Can someone give me a pointer?

    Thank you

    You only need to set up authentication on the switch once.

    aaa authentication login default group tacacs+ local

    aaa authentication dot1x default group radius

    aaa authorization exec default group tacacs+ if-authenticated

    aaa authorization network default group radius

    radius-server host 2.2.2.2 key cisco

    tacacs-server host 2.2.2.2 key cisco

    In ACS, you must add the switch twice.

    ACS ---> Network Configuration ---> Add AAA Client

    Hostname: switch1

    IP: 3.3.3.3

    Authenticate Using: RADIUS (IETF)

    Add another switch

    Hostname: switch2

    IP: 3.3.3.3

    Authenticate Using: TACACS+

    Kind regards

    ~ JG

    Please rate helpful posts

  • ACS 5.2 - Adding custom attributes for Juniper NetScreen TACACS+ authentication

    Hello

    I'm trying to add custom attributes for Juniper NetScreen TACACS+ authentication to an ACS v5.2. The guidance is to add them to the group as follows:

    service = netscreen { vsys = root privilege = read-write }

    I know how to add this on a v4.x ACS.

    However, I do not know how to apply this as custom attributes on an ACS v5.x.

    Can I add the vsys and privilege attributes separately or together? What should the attribute name be? netscreen? Should it be mandatory?

    Advice please

    Making different groups and shell authorization profiles mapped to different profiles fixed my problem BTW.

    This is the configuration I did for Juniper. I'll try the NetScreen (last picture) later today/tomorrow

  • Cisco ACS authentication issues

    Hi all

    I have just set up my ACS for Windows Server. It runs version 4.1 software. I'm having problems with authentication. In the ACS GUI I have the AAA clients set up to authenticate using TACACS+. I have the key on the switch and the matching key on the ACS server. I have users set up. Here's my AAA config on the switch...

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    Here is the TACACS debug information

    183757: Sep 2 10:14:22.131 EDT: TAC+: send AUTHEN/START packet ver=192 id=2789804961
    183758: Sep 2 10:14:22.131 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
    183759: Sep 2 10:14:22.131 EDT: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
    183760: Sep 2 10:14:22.135 EDT: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
    183761: Sep 2 10:14:22.135 EDT: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
    183762: Sep 2 10:14:22.335 EDT: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
    183763: Sep 2 10:14:22.335 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 128683
    WC2950-12#
    183764: Sep 2 10:14:22.335 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    183765: Sep 2 10:14:22.335 EDT: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
    183766: Sep 2 10:14:22.339 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
    183767: Sep 2 10:14:22.339 EDT: SSH1: password authentication failed for wcromwell

    I have the same keys on the AAA server as I do on my switch...

    Thank you

    Please check the secret key in the NDG and in the main AAA client. The NDG overrides the main AAA client.

    Make sure you have the right key in NDG >

    Kind regards

    ~ JG

    Please rate helpful posts

  • ACS 5.1 13030 TACACS+ authentication error question

    Hi all

    I am trying to set up a new TACACS+ server and am updating the configuration of all our network devices to point to the new server. Everything is looking fine now, but in the ACS monitoring tool two of our switches are constantly spamming the error '13030 TACACS+ authentication request lacks a username'. The network admin group has no problem authenticating to these two switches and they confirm that they are not trying to connect. Does anyone know if ACS monitoring will show any source IP addresses for these requests?

    If you click on the detail of your authentication error message, you should be able to find the 'Remote-Address' field, which should tell you the remote IP address.

    If you don't see an IP in the 'Remote-Address' field, you may need to check the console port of the switch to see if something is connected to it, which could be causing the problem.

  • With Cisco Secure ACS for Windows TACACS+, authentication fails with AD

    I'm setting up a Cisco Secure ACS 4.2 server to act as a RADIUS server for switches and routers. I use Windows 2003 Server for ACS and a Windows 2003 Server Active Directory. The AD server is fine; it is used for many other things.

    I've implemented ACS as defined in the installation guide, including all the steps in the "Member Server" section of the installation guide for using AD as an external database (e.g. setting up the services to run with a domain administrator account, setting up a machine called "CISCO" in the domain, etc.).

    I've set the unknown user policy to use the Windows database if the internal database does not contain the user's details.

    If I add a user to the internal database, authentication goes through fine, with an entry in the "Passed Authentications" log.

    02-24-2010,05:07:03,Authen failed,eXXXX,Network Administrators (NDG),X.X.X.X,(Default),Internal error,(Get Internal Error Error Message)

    I scoured Google etc. and just cannot come up with any reason why this should be the case.
    I followed all of the installation guides to the letter. I need to get this up and running as soon as possible, so am eager to know if someone can help me with this one!

    Thanks and regards

    Sharan

    George,

    Internal error is fairly generic, but a common situation where we see this error is when ACS is installed on a 64-bit computer. ACS would not work with Active Directory when installed on 64-bit machines before ACS 4.2.1.

    -Jesse

  • TACACS+ authentication errors

    I'm having problems getting TACACS+ AAA working with my 3560 switches. I set up users, groups and NDGs on the ACS SE as per the ACS course material and triple-checked my keys to make sure they match. I have attached the switch debug of authentication, authorization and tacacs. Can someone please tell me what I'm doing wrong?

    Oh, if it's the SE that is not working.

    To do this: ACS ---> Network Configuration ---> Proxy Distribution Table ---> click (Default) ---> if you see an entry under 'AAA Servers' ---> move it to 'Forward To' ---> and what is under 'Forward To' ---> move it to 'AAA Servers' ---> Submit + Apply.

    It should work now.

    If you do not see the Proxy Distribution Table option, then go to ACS ---> Interface Configuration ---> Advanced Options ---> enable Distributed System Settings.

    Kind regards

    ~ JG

  • Prime 2.2 and ACS 5.6 - RADIUS - login authentication issues

    Hello

    Has anyone got Prime to use RADIUS authentication for administration users against ACS 5.6, and with which settings?

    Right now ACS reports a successful authentication '11002 Returned RADIUS Access-Accept' on a Prime login attempt, although Prime returns incorrect username/password / access denied.

    Two schools of thought based on previous posts / online searches:

    1. In the Access Service > Allowed Protocols tab > radio buttons "Send as User-Name in RADIUS Access-Accept".

    Currently set to "Principal Username", which as I understand it provides the certificate name; 'RADIUS Access-Request User-Name' would make more sense?

    2. Requirement to return RADIUS attributes

    Post, but this is for TACACS+ attributes - task list export

    https://supportforums.Cisco.com/discussion/12394496/Cisco-Prime-RADIUS-u...

    Does a similar task need to be completed for RADIUS?

    Thank you

    You will need to send attributes for RADIUS authentication to work. For example, for super-user permissions on the root virtual domain, send the following:

    cisco-av-pair = NCS:role0=Super Users

    cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN

    In the user group list, next to each group you will see task list links. Usually you just put in the role and the virtual domain.

  • Does PEAP configuration in ACS affect my TACACS connections?

    So I've just set up PEAP (certs and EAP-TLS) on ACS 4.0. However, since then I can't log in to my routers any more. I see the authentication in the ACS logs, but the router always tells me authentication has failed. I have a local username and password, but that all of a sudden stopped working too. If I restart the ACS server I can log in to my routers while it's down. Once it comes back up, authentication fails again... ideas?

    It is a known issue; the workaround is to disable the remote logging feature entirely.

    A bug has been filed for that matter:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCeg40355

    CSCeg40355 bug details

    Authentication failures when remote logging fails.

    Kind regards

    ~ JG

    Please rate helpful posts

  • TACACS+ authentication and authorization on IOS XR

    Hi all

    I tried to connect several IOS-XR devices in our lab (ASR, RSG and CRS) to our TACACS+ server (Cisco Secure ACS, release 4.2(0)). The objective is for TACACS+ to handle authentication, authorization and accounting of the user for all non-console CLI connection types (telnet and SSH). I don't use any HTTP server to access the devices and I want to keep console login local.

    I have several devices connected to this TACACS+ server with the following AAA-related configuration. I would like to implement the same principles on IOS-XR, but given that the command structure is different and I could not figure out how to do this from the manual, I need your expert help:

    aaa new-model
    !
    !
    aaa group server tacacs+ acs-servers-group
     server
    !
    aaa authentication login default local
    aaa authentication login local_vty local
    aaa authentication login console local
    aaa authentication login acs group acs-servers-group local
    aaa authorization exec default group tacacs+
    aaa authorization commands 15 acs_cmds group tacacs+
    aaa authorization commands 15 local_cmds none
    !
    !
    !
    !
    !
    aaa session-id common
    !
    Skipped...
    !
    username * privilege 15 secret 5 *
    !
    Skipped...
    !
    tacacs-server host key 7
    radius-server application made
    !
    Skipped...
    !
    line con 0
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     authorization commands 15 acs_cmds
     login authentication acs
     transport preferred telnet
     transport input all
    line vty 5 15
     exec-timeout 0 0

    * Note: the IOS-XR devices run versions 4.1.2 and 4.2.0

    Many thanks for any help you can provide

    Lior

    Lior,

    You must return the task ID and/or task groups in order to make this work. In my experience working with these platforms, it is really unnecessary to do command authorization if you trust the task IDs/groups that are built into the ASR.

    The flow for TACACS command authorization on these devices is a bit different from traditional IOS (unless something has changed in the last 6 months): when the user tries to run a command, TACACS command authorization is triggered if the command falls under the umbrella of a task; if it doesn't, command authorization is never triggered.

    Here are some documents that I feel will help you:

    https://supportforums.Cisco.com/docs/doc-15944

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • ISE TACACS authentication - logs in before deciding whether you should have access

    I'm moving from Cisco ACS to Cisco ISE version 2.1 to control TACACS for my network devices. I opened a case with TAC, but the answer seems counter-intuitive to me, and I hope for verification that this is now the way Cisco does it, or that I just need to set up my policy sets differently.

    For a switch using ACS for administration, a user SSHes to the device and, if they are not in the right AD security group, the user receives an access denied response.

    With ISE TACACS for administration, the user SSHes to the device and, because they are a member of the AD domain, they authenticate and actually log in to the device and get a command prompt. Now, if this same user is not in the right AD security group, they will not be allowed to do anything on the switch.

    According to my TAC engineer, ISE needs to identify the user before it can decide if that user is allowed to access the device. That is not fine with me, because basically anyone in my company can now log in to these devices. Apart from putting ACLs on the switches that allow access only from certain computers, what are others doing to mitigate this risk?

    Thank you

    Hi Ken,
    In case you configured your ISE as a new 2.1 installation, follow these steps:

    In the "Device Admin Policy Sets", leave the "Authentication" part of a rule as it is.
    In the "Authorization" section, add your AD security groups as conditions (select the box on the right under Conditions -> Create New Condition -> 'Select Attribute': 'AD join point name' -> ExternalGroups -> 'Equals' -> choose the AD group name) and the right command set and shell profile for each security group.

    Now the important part: the last rule is the default rule, which is used if the user is not a member of a security group that was the condition of an earlier rule.
    Here you should make sure that the "Deny All Shell Profile" is selected; this means that if this rule is hit, the user will be blocked from access.

    In case you upgraded from 2.0 to 2.1, you may be suffering from this bug:
    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCva04654/?referring_site=bugquickviewredir Then you simply don't have a "Deny All Shell Profile" as an option.
    I built a workaround for my system:
    I created a new shell profile which has maximum privilege level 0 and "disconnect" as the auto command.
    I loaded this shell profile into the default rule.
    Maybe this isn't the best solution, but it does what it should do.

    Let me know if it worked, and please rate useful responses!

    Greetings,
    Max

    Edit: spelling mistakes

  • Wireless security and authentication design questions

    Wireless newbie here... I had to quickly throw together a wireless deployment in a new office/warehouse building. I have the basic network up and working. My remote access point is associated with the 2106 in the main office, and users can associate and authenticate to the AP 1130G and access the office network. I did the basic configs and am now looking to tighten security. My questions are the following:

    (1) The user clients are Dell laptops with built-in radios. They authenticate using LEAP... how do I migrate to EAP, or do I have to? I have a Cisco ACS as the RADIUS authentication server.

    (2) Can I use some sort of supplicant client on the laptops?

    (3) How do I filter MAC addresses so that rogue APs and rogue clients can't try to associate?

    (4) Am I correct in assuming the connections between the AP 1130 and the 2106 are secure, and if so, do I need to change anything to strengthen them?

    (5) I have an AP in the main building that I want to set up to detect rogue APs. Do I associate it as a regular access point and push some kind of policy so that it becomes a detector?

    I have attached a diagram to explain. Any help would be appreciated.

    v/r

    Chad

    1. LEAP is a form of EAP, so you already have something terminating your EAP sessions. The WLC can do it to an extent, or ACS. Which you choose depends on your needs for rich functionality, scalability and manageability. I would say that PEAP-MSCHAPv2 offers a good compromise between ease of use and security, and that it is significantly better than LEAP.

    2. No, stick with the Windows XP SP2 supplicant. It can be configured using domain policy (2k3 SP1 or higher) and is pretty good. Just make sure that your laptops have recent Intel drivers on them. Dell in particular have been pretty bad at shipping old drivers in their builds.

    3. MAC authentication is now largely considered a waste of time. It's so easy to spoof a MAC address it is ridiculous, and it is a fair amount of work for the privilege.

    4. The LWAPP tunnel encrypts all management/config/security traffic between the AP and the WLC, while user data is simply wrapped in LWAPP, so it can potentially be read if the packets are captured.

    5. There's no need for dedicated APs for detecting rogue APs unless you are REALLY paranoid. The major advantage is faster detection, but the downside is that the "detector" AP doesn't serve clients.

    Kind regards

    Richard

  • Upgrade ACS 4.1 to 4.2: Authen session timed out: challenge not provided by client

    Hello

    I upgraded Cisco ACS 4.1 to 4.2 on a Cisco Access Control 1113 appliance. As soon as I upgraded I get this error in the Failed Attempts log:

    "Authen session timed out: challenge not provided by client". What is wrong with that? Please help me

    Thank you

    I would really appreciate it if you mark this topic as resolved so that others can benefit from it.

    Kind regards
    Jousset
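Two of the threads above (the ACS 4.2 key-mismatch thread and the ACS 4.1 "Cisco ACS authentication issues" thread) show the same switch-side symptom: "received bad AUTHEN packet: length = 6, expected 80467" followed by "(check keys)". The reason is in how TACACS+ protects the packet body: it is XORed with an MD5-derived pseudo-pad computed from the session id, the shared key, the version and the sequence number, so a wrong key produces a wrong pad and the two 16-bit length fields at the front of the body decode as arbitrary numbers. The following Python is an added illustration, not code from any poster or from Cisco; it implements the data obfuscation defined in RFC 8907 and a minimal AUTHEN REPLY parser, then reproduces the diagnostic. The session id, keys, sample messages and the helper names (build_authen_reply, parse_authen_reply, key_mismatch_detected) are constructed for this example.

```python
import hashlib
import struct

# Protocol constants from RFC 8907 (12-byte header, all fields in network order).
TAC_PLUS_VERSION = 0xC0            # major 0xc, minor 0: the "ver=192" in the IOS debug lines
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear (only when no key is configured)
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
REPLY_FIXED = struct.Struct("!BBHH")  # status, flags, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of the RFC 8907 data obfuscation: chained MD5 over
    session_id || key || version || seq_no || previous_digest, cut to `length`."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(session_id, seq_no, key, status, server_msg=b"", data=b""):
    """Server side: an AUTHEN REPLY whose body is obfuscated under `key`."""
    body = REPLY_FIXED.pack(status, 0, len(server_msg), len(data)) + server_msg + data
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_reply(packet, key):
    """Client (switch) side. Returns (status, server_msg, data), or raises ValueError
    with the same length complaint IOS logs when the shared key does not match."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not a TACACS+ AUTHEN packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length or length < REPLY_FIXED.size:
        raise ValueError("truncated packet: header says %d, got %d bytes" % (length, len(body)))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        clear = body
    else:
        clear = obfuscate(body, session_id, key, version, seq_no)
    status, _flags, server_msg_len, data_len = REPLY_FIXED.unpack(clear[:REPLY_FIXED.size])
    expected = REPLY_FIXED.size + server_msg_len + data_len
    if expected != length:
        # A wrong key gives a wrong pad, so the two 16-bit length fields decode as
        # arbitrary values: that is where "length = 6, expected 80467" comes from.
        raise ValueError("received bad AUTHEN packet: length = %d, expected %d (check keys)"
                         % (length, expected))
    msg_end = REPLY_FIXED.size + server_msg_len
    return status, clear[REPLY_FIXED.size:msg_end], clear[msg_end:expected]


def key_mismatch_detected(packet, key):
    """True if the parser rejects `packet` under `key` the way the switch log shows."""
    try:
        parse_authen_reply(packet, key)
        return False
    except ValueError as err:
        return "check keys" in str(err)


if __name__ == "__main__":
    # Constructed sample exchange: the server answers PASS under its key; the switch
    # first tries the same key, then a different one (the key-mismatch case).
    SESSION_ID, SERVER_KEY, SWITCH_KEY = 0x05D1A2B3, b"itspassword", b"123456"
    reply = build_authen_reply(SESSION_ID, 2, SERVER_KEY, TAC_PLUS_AUTHEN_STATUS_PASS)
    print("matching key:", parse_authen_reply(reply, SERVER_KEY))
    try:
        parse_authen_reply(reply, SWITCH_KEY)
    except ValueError as err:
        print("mismatched key:", err)
```

The PASS reply carries an empty server_msg and data, so the body is exactly the 6 fixed bytes: that is the "length = 6" in the logs. The "expected" number is whatever the garbled length fields add up to, which is why it changes from attempt to attempt (80467, then 79092) even though the key has not.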
