ASA 8.2(3): can't 'enable' a TACACS+ ACS 4.2 user with privilege level 10

I can't enable on the ASA with a user whose privilege level is set to something other than 15 in ACS 4.2 (TACACS+).

When I enable on an IOS device, it allows it and "show privilege" shows level 10 as planned. ACS must be configured properly, as it works very well with IOS. The user is not defined with explicit parameters. The group is set to 'max enable level' 15 and 'shell exec priv level' 15. The enable password is set to the ACS internal PAP password. Works fine in IOS.

When I enable on the ASA, it fails, and the ACS log indicates "TACACS+ enable insufficient privileges". I suspect that the ASA is trying to enable to level 15 explicitly. If I try the command "enable 10" on the ASA, it says:

Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only.

My config (relevant commands only):

aaa authentication telnet console mmsacs01 LOCAL

aaa authentication enable console mmsacs01 LOCAL

aaa authorization command mmsacs01 LOCAL

aaa authorization exec authentication-server

Thank you!

Set the Enable Options on the group, under "Max Privilege for any AAA Client", to Level 15.

This will let you enable, and also limit your shell options to 10 and to the command set that you created.
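
One way to check the poster's suspicion from a packet capture, as an added example that is not part of the original thread: it decodes a TACACS+ authentication START (RFC 8907 layout) and reports the privilege level the client requests for enable. The packet, shared key, user name `netop10` and the `enable_verdict` comparison against the group's maximum enable level are constructed assumptions, not ACS code.

```python
import hashlib
import struct

AUTHEN_SVC = {0: "NONE", 1: "LOGIN", 2: "ENABLE", 3: "PPP"}

def crypt_body(body, session_id, key, version, seq_no):
    """RFC 8907 obfuscation: XOR body with chained MD5(session_id, key, version, seq_no, prev)."""
    base = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(packet, key):
    """Decode an authentication START and return the fields that matter for enable."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if version >> 4 != 0xC or ptype != 0x01 or seq_no != 1:
        raise ValueError("not a TACACS+ authentication START")
    body = packet[12:]
    if len(body) != length or length < 8:
        raise ValueError("truncated or malformed body")
    if not flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = crypt_body(body, session_id, key, version, seq_no)
    _action, priv_lvl, _authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != length:
        raise ValueError("length fields inconsistent (wrong shared key?)")
    return {"user": body[8:8 + ulen].decode("ascii", "replace"),
            "priv_lvl": priv_lvl,
            "service": AUTHEN_SVC.get(service, str(service))}

def enable_verdict(start, max_enable_level):
    """Assumed server-side rule: refuse enable above the group's maximum enable level."""
    if start["service"] != "ENABLE":
        return "not an enable request"
    if start["priv_lvl"] > max_enable_level:
        return f"rejected: level {start['priv_lvl']} requested, maximum is {max_enable_level}"
    return "allowed"

def build_sample(priv_lvl, key, user=b"netop10"):
    """Constructed enable request (action=LOGIN, authen_type=ASCII, service=ENABLE)."""
    port, rem_addr = b"tty0", b"192.0.2.10"
    body = bytes([0x01, priv_lvl, 0x01, 0x02, len(user), len(port), len(rem_addr), 0])
    body += user + port + rem_addr
    session_id = bytes.fromhex("0a1b2c3d")
    header = struct.pack("!BBBB4sI", 0xC0, 0x01, 1, 0x00, session_id, len(body))
    return header + crypt_body(body, session_id, key, 0xC0, 1)

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    for requested in (15, 10):  # 15 models what the poster suspects the ASA sends
        start = parse_authen_start(build_sample(requested, key), key)
        print(start, "->", enable_verdict(start, max_enable_level=10))
```

A length-consistency failure on a real capture usually means the shared key passed to the parser does not match the one configured on the device and server.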

Tags: Cisco Security

Similar Questions

  • Can I turn on video greenscreen in video with a transparent background (instead of default black arr.plans

    Can I turn on video greenscreen in video with a transparent overlay on another video in another program background.  probably export to avi.     I know that I can't in sequels but uncomfortable with the first.   I basically want to turn the greenscreen of a black Windows to cs6 body transparent background

    Prejudice is correct. It would be better to modify in the program where you hidden green. However, if you really must...

    DPX is one file per image. Although you are not able to open it from Windows, it is only because Windows was told not to open them in Photoshop.

    The point of the whole of the DPX file is to have a storage visually without loss of your executives that is designed to be used between applications (just what you want to do): http://en.wikipedia.org/wiki/Digital_Picture_Exchange

    However, if you prefer to use another option you are most comfortable with, you can use the PNG.

    Or...

    If you insist on a single video, use the codec for Quicktime Animation.

    In all cases, you need to an image format or a video CODEC that can store an Alpha channel.

    Or...

    Export the video with black and use a Luma key in the next request.

    Or...

    Export the video with black and then export a video of just the alpha channel as a picture black and white where black is transparent when it is used as cache by approach, and then in the next application use video of the alpha channel as a cache by approach.

    Since you have not said what is the other application or why you want to use it, we have a little trouble with a specific solution.

  • How can you check if you have a problem with the ghost attack

    My ISP (Virgin) sent me a letter saying I could have an attack on my apps by the phantom virus.

    How is this true and what can do

    The XcodeGhost malware affects the apps, mainly Chinese, created using a red version of Xcode.  It is not a 'virus '.  (Look at the difference between computer viruses and malware).  Remove the Apple listed here and get updated with the latest versions of the App Store.

  • I have two vista windows oem sctatch disk at home. You can download it for me, these two are with the product key to the House.

    It is upgraded, the other is an integer telling Windows Vista;
    and the little hard up and down, mouse from left to right,.
    or can you please sent a copy of a disc to my address, this is the right path for fixed my windows vista online.
    (try to contact technical support of the direct Vista operating system)
    How about upgrading to windows 7? Give me the vista on 'the base drive OEM' continues for facilities?
    ----------------

    Replacement OEM or software support of system manufacturer in most cases, you must contact the OEM (OEM) manufacturer or the manufacturer of the system directly to replace Microsoft software that was distributed by your computer. However, an exception is made for operating system service pack media *, for which you can contact us directly.

    • Contact information for the manufacturer of the computer, see the Microsoft Web site at the following address:

      http://support.microsoft.com/default.aspx?pr=oemphone
    • If the product has been distributed by an OEM or a system integrator, the product ID contains the letters "OEM". Visit the Microsoft Web site at the following address, select the appropriate product family, and then follow the steps to find the product ID:
      http://support.microsoft.com/default.aspx?pr=notsureoem
    • For OEM software, the certificate of authenticity (COA) lists the name of the manufacturer of the computer under the software version name. For more information on the certificate of authenticity, see the Microsoft Web site at the following address:
      http://www.microsoft.com/resources/howtotell/ww/faq.mspx#1

      If you have System Builder software, the COA lists "OEM software" or "OEM product" under the software version name.

    * Note Service pack support only includes what is associated with the service pack itself.

    More information: http://support.microsoft.com/kb/326246

    Regarding Windows 7 - frequently asked questions - Upgrade Options
    http://www.Microsoft.com/Australia/Windows/buy/offers/upgrade-FAQ.aspx

    TaurArian [MVP] 2005-2010 - Update Services

  • If I buy a person's computer and windows is registered in their name can I have register it in my name with the OEM for windows

    If I read your question correctly, this article should solve your problem for you:

    "How to change name and company information after you install Windows XP"
      <http://support.Microsoft.com/kb/310441>

    HTH,
    JW

  • Can we define a field value of contact with the CRM campaign settings ID campaign?

    Hello

    Can we define a field value of contact with the ID of CRM campaign?

    For example: LAST campaign SFDC ID (field of contact) = CRM campaign (campaign) No.

    The Eloqua campaign canvas has the possibility to update CRM directly with the status of the campaign on things like email send or clicks. IF you set these shares to be among the rules of the answer, then as they happen, they will create/update records of campaign in CRM directly responses. However, this will have an impact on information in Eloqua.

  • Can you after you have selected a picture with the magic wand just delete the background, leaving only the photo?

    Can you after you have selected a picture with the magic wand, just delete the background, leaving only the photo?

    Or should we use layers to achieve?

    I use Adobe Elements 8.

    Thank you

    Martin

    What is your intention to delete the background - replace the white background transparency or others?

    Keep in mind that if you delete on the background layer (the default name), deletion is replaced by the current color set in the chip of background color as shown in the toolbar. By default, it is white, so if you are selection and deletion of a white background you will end up with white again. If you want that transparency first change the background to a normal layer Layer renaming.

  • Can I get a renewal of my membership with the 2 month for free?

    Can I get a renewal of my membership with the 2 months free?

    Please contact support:

    Contact the customer service

    Concerning

    Megha Rawat

  • Can I install Acrobat 11 on my laptop with the same license as my original on my workstation installation?

    Hi Dennis,

    Yes, you can install the same license on the laptop as well.

    Contract (EULA) as directed by Adobe, you are allowed to install the license for retail sale on 2 machines at any instance.

    Kind regards

    Rave

  • How can I use a vector image to stretch with the background in Muse master pages?

    Click on the 'Fill' text not the drop-down arrow.

  • User with DBA privilege can not display dba_indexes in pl/sql

    I have a user with the DBA privilege. The user can select any table in this role. However, when I create a cursor selecting from dba_indexes, Oracle complains that it is unable to see this table. Any ideas?

    create or replace procedure proc_name  -- placeholder: the procedure name is missing from the post
    AS
    exec_stmnt varchar2 (500);

    Cursor cur_all IS
    Select index_name from dba_indexes;

    BEGIN

    For cur_rec in cur_all loop
    dbms_output.put_line (cur_rec.index_name);
    End loop;


    EXCEPTION
    WHEN OTHERS THEN
    dbms_output.put_line (SQLERRM);

    end;
    /
    show err

    LINE/COL ERROR
    -------- -----------------------------------------------------------------
    6/5 PL/SQL: statement ignored
    6/28 PL/SQL: ORA-00942: table or view does not exist

    Hello

    DBA is a role.
    Roles do not count in AUTHID DEFINER stored procedures (including functions).
    Give the user the necessary privileges directly.

  • Sanchez took control of my ipad.  Can not turn it off or take control of the centre; any suggestions?

    How can I get access to my ipad.  Seri is active and I can't stop the machine to restart. Cannot get to the control panel.  The screen is black and Seri will speak and react, but can not get the program to terminate.  Help

    Try resetting your device. This will not erase your data stored on that device.

    • Press and hold the sleep/wake button
    • Press and hold the Home button
    • Press and hold both buttons until the display turns off and on again with the Apple logo on the subject.

    Alternatively, you can go to settings - general - reset - Reset all settings

    If that doesn't work, restore your device to factory settings. Please note that this will delete the data on your device.

    Take a look this Apple Support article: use iTunes to restore the iPhone, iPad or iPod to factory settings - Apple Support.

  • How can I get voice and data to work with the ASA 5505?

    Here's the issue I'm having. I can get a Cisco 7940 to work behind a site-to-site configured ASA 5505, and I can also get data to work behind it. However, when I try to create separate VLANs for voice and data, it does not work. Our voice VLANs at our remote sites are 172.30 and data are 172.31; when I put the inside interface on 172.31, data works, and when I put it on 172.30, voice works. I upgraded to a Security Plus license and tried creating vlan3 as voice. I have data up and working, but I can't get vlan3 to work. Any help would be greatly appreciated. Thank you

    Here is my current config:

    hostname TESTvpn
    enable password xxxxx

    passwd xxxxx

    username admin password xxxxx privilege 15

    name 10.0.0.0 Corp_LAN
    name 192.168.64.0 Corp_Voice
    name 172.31.155.0 TESTvpn

    object-group network SunVoyager
    network-object host 64.70.8.160
    network-object host 64.70.8.242

    object-group network Corp_Networks
    network-object Corp_LAN 255.0.0.0
    network-object Corp_Voice 255.255.255.0

    interface vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    no shutdown

    interface vlan1
    nameif inside
    security-level 100
    ip address 172.31.155.1 255.255.255.0
    no shutdown

    interface vlan3
    nameif Corp_Voice
    security-level 100
    ip address 172.30.155.1 255.255.255.0
    no shutdown

    exit
    interface Ethernet0/0
    switchport access vlan 2
    no shutdown

    interface Ethernet0/7
    switchport access vlan 3
    no shutdown

    exit

    dhcpd enable inside
    dhcpd address 172.31.155.10-172.31.155.30 inside
    dhcpd dns 10.10.10.7 10.10.10.44 interface inside
    dhcpd domain sun.ins interface inside
    dhcpd enable inside

    dhcpd enable Corp_Voice
    dhcpd address 172.30.155.10-172.30.155.30 Corp_Voice
    dhcpd dns 10.10.10.7 10.10.10.44 interface Corp_Voice
    dhcpd domain sun.ins interface Corp_Voice
    dhcpd enable Corp_Voice
    dhcpd option 150 ip 192.168.64.4 192.168.64.3

    logging enable
    logging buffer-size 10000
    logging monitor debugging
    logging buffered informational
    logging asdm informational

    access-list outside_access_in extended permit icmp any any unreachable
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list inside_access_in extended permit ip 172.31.155.0 255.255.255.0 any
    access-list inside_access_in extended permit icmp 172.31.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit ip 172.30.155.0 255.255.255.0 any
    access-list Corp_Voice_access_in extended permit icmp 172.30.155.0 255.255.255.0 any

    access-list VPN extended deny ip 172.31.155.0 255.255.255.0 object-group SunVoyager
    access-list VPN extended permit ip 172.31.155.0 255.255.255.0 any

    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    access-group Corp_Voice_access_in in interface Corp_Voice

    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 172.31.155.0 255.255.255.0

    http server enable
    http 172.31.155.0 255.255.255.0 inside
    http 172.30.155.0 255.255.255.0 Corp_Voice
    http 192.168.64.0 255.255.255.0 Corp_Voice
    http 10.0.0.0 255.0.0.0 inside
    http 65.170.136.64 255.255.255.224 outside
    ssh 10.0.0.0 255.0.0.0 inside
    ssh 172.31.155.0 255.255.255.0 inside
    ssh 65.170.136.64 255.255.255.224 outside
    ssh timeout 20

    management-access inside

    dhcpd auto_config outside

    crypto ipsec transform-set VPN esp-3des esp-md5-hmac
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer 66.170.136.65
    crypto map outside_map 1 set transform-set VPN
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800

    tunnel-group 66.170.136.65 type ipsec-l2l
    tunnel-group 66.170.136.65 ipsec-attributes
    pre-shared-key xxxxx

    exit
    int eth 0/1
    shutdown
    no shutdown
    int eth 0/2
    shutdown
    no shutdown
    int eth 0/3
    shutdown
    no shutdown
    int eth 0/4
    shutdown
    no shutdown
    int eth 0/5
    shutdown
    no shutdown
    int eth 0/6
    shutdown
    no shutdown
    int eth 0/7
    shutdown
    no shutdown

    Peter,

    Note that access list names are case-sensitive, so you've actually done something different from what I proposed.

    Please do:

    no nat (Corp_Voice) 0 access-list vpn

    no access-list vpn extended permit ip TESTvpn 255.255.255.0 any
    no access-list vpn extended permit ip 172.30.155.0 255.255.255.0 any

    access-list VPN extended permit ip 172.30.155.0 255.255.255.0 any

    nat (Corp_Voice) 0 access-list VPN

    In case you did this deliberately, for example to separate the 2 ACLs: note that ACL VPN (upper case) is also used in the crypto map, where you cannot add a second ACL.

    So if you want to separate them, you will need 3 access lists:

    access-list data-vpn permit ip TESTvpn 255.255.255.0 any

    access-list voice-vpn permit ip 172.30.155.0 255.255.255.0 any

    access-list all-vpn permit ip TESTvpn 255.255.255.0 any

    access-list all-vpn permit ip 172.30.155.0 255.255.255.0 any

    nat (inside) 0 access-list data-vpn

    nat (Corp_Voice) 0 access-list voice-vpn

    crypto map outside_map 1 match address all-vpn

    I don't know if this was clear in my previous message, but I recommend you replace the "any" (in each of the ACL lines) with something more specific (i.e. a remote network, or an object-group that contains the remote networks).

    HTH

    Herbert

  • I just updated my norton 360 and now I can't turn on my help and I support the restoration. chgeck brand to make it off-guard being there. Help, please.

    I have just updated my norton 360 with the help of Norton and there are some points that kept coming, now disabled. There is none to or viruses in the system but now my help site and catering support is disabled and the box so that it is turned off is still in the box... How do I turn on my system restore?  Thank you daniel crafton

    Hi Daniel,

    I recommend you uninstall Norton 360 temporarily computer & check if the problem persists.

    Download and run the Norton removal tool to uninstall your Norton product


    Note:
    later, install the application after checking.

    Hope the helps of information.

  • Why can't turn and back up your photos with photo view for photos taken with an ipod or an iphone?

    I shoot photos of a lot of memory cards to download on a corporate Web site and have been struggling to save pictures of iphones and ipods once I have turn them.  It is said that they cannot be saved due to a problem with the properties of the file.  Happened to every single iphone photo, but they always give me trouble.

    Thank you.

    Right-click on the file and point to open with and click on the paint,

    Using wallpaper Rotate.

    pus

    Property restrictions stripper iphone 4s,

    http://www.SteelBytes.com/?mid=30&cmd=download&PID=15
