ASA AAA
Hello
I want to consolidate all the AAA functions we have today on different RADIUS servers onto an ISE installation.
I now wonder how to differentiate an administrative connection to the device (SSH/ASDM) from a user VPN connection, since the RADIUS requests go to the same server.
I don't see anything in the RADIUS request attributes sent by the ASA that differs depending on the use case. Any advice?
Best regards
/ Mattias
Hi Mattias,
As of ASA 8.4.3 the RADIUS Access-Request contains two new attributes, Tunnel-Group-Name and Client-Type, when a VPN user connects. I don't know whether an admin access request contains Client-Type = 0 or simply omits the attribute.
But even without those, you can simply key on the IETF Service-Type attribute, cf.:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_aaa.html#wp1136429
HTH
Herbert
Tags: Cisco Security
Similar Questions
-
ACS 5.1 / ASA AAA local failover if unknown user
Hello
I know how to set the ASA to fall back to LOCAL authentication if the RADIUS server is not available.
Now we want to authenticate users locally if the user is not in AD. Is this possible, and how do I set it up with the new policies? I tested it with a 'fallback' when the user is not in AD, but then the RADIUS server is marked 'dead' and other AD users cannot connect for a given period. Perhaps we can set the timeout to 0, but it's not as nice as it could be.
Thank you very much in advance, and best regards,
Dominic
This can be done by creating an identity store sequence (Users and Identity Stores > Identity Store Sequences).
An identity store sequence lets ACS try several databases in sequence until the user authenticates.
Create a sequence, then select the password-based databases: AD1 followed by "Internal Users" in the "Authentication Method List". Once created, the sequence is selectable as the result of the matching identity policy.
-
HTTPS ASA AAA authentication rules prompt
I'm trying to configure a simple AAA rule in my lab to allow access to an internet web server via TACACS+ authentication (see attached configuration).
This setup seems to work fine when the authentication prompt is displayed over HTTP, while the HTTPS login page seems to have problems: the browser reports a certificate error with the message SSL_ERROR_BAD_MAC_READ.
It seems that the HTTPS login page redirection is not allowed because the certificate does not match the server address.
Advice and suggestions would be greatly appreciated.
Seems to be a known issue.
https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCus27650/?reffering_site...
Kind regards
Jousset
~ Please rate helpful posts.
-
Hello
How do I configure TACACS+ for an ASA 5550 with ACS 4.2? I have two ASAs, one active and the other in standby mode. Please tell me how to set it up; I couldn't find any good docs either.
Thank you.
Hi Gavin,
Here is a sample config for the ASA's telnet authentication against TACACS+:
username admin password xxxxx privilege 15
aaa-server TEST protocol tacacs+
aaa-server TEST (inside) host x.x.x.x yyy
[x.x.x.x is the IP address of the TACACS+ server, reachable from the inside interface, and yyy is the shared secret key.]
aaa authentication telnet console TEST LOCAL
[This sends the telnet authentication request to the TACACS+ server first and, if it is not reachable, falls back to the ASA's local database.]
aaa authentication ssh console TEST LOCAL
[Same as above, but for SSH sessions.]
aaa authorization exec authentication-server
[This enables exec authorization for telnet and SSH sessions.]
aaa authentication http console TEST LOCAL
[For HTTP/ASDM.]
aaa accounting command TEST
[This accounts for all commands entered in a telnet or SSH session.]
On the TACACS+ server we need to add this ASA as a AAA client with shared secret key yyy. You can find more details at:
http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026
On ACS, you need to add the ASA as a device under Network Configuration with protocol TACACS+.
Thank you
Vinay
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
Hello all, I have a problem with an IPsec tunnel and am still looking for what exactly the problem is. I have 2 ASAs, AAA.AA.AAA.A and BBB.BB.BBB.B, where BBB.BB.BBB.B has 2 interfaces, a LAN link and another to a DSL modem. When there is no problem with the LAN link the tunnel is ACTIVE, but when I switch over to ADSL I get a few errors on the tunnel:
IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
IP = AAA.AA.AAA.A, Duplicate Phase 1 packet detected. Retransmitting last packet.
sh isakmp sa shows:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: AAA.AA.AAA.A
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG4
So the device is waiting for a packet it expects, but the packet never arrives.
On both ends I cleared:
clear crypto isakmp sa
clear crypto ipsec sa
I checked that the peer addresses are correct; what is bothering me is the missing packet. I think this packet is sent to the other interface, which is down, so the other ASA never gets the negotiation.
I would be grateful if anyone can help; I will debug and sniff for it.
Here are the configs and a bit of isakmp debug information.
ASA AAA.AA.AAA.A config:
access-list outside_cryptomap_60 extended permit ip object-group US-VPN object-group VPN-US
route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.1 1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer BBB.BBB.BB.B CC.CCC.C.CCC
crypto map outside_map 60 set transform-set ESP-AES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group BBB.BBB.BB.B type ipsec-l2l
tunnel-group BBB.BBB.BB.B ipsec-attributes
 pre-shared-key *
ASA BBB.BB.BBB.B config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer AAA.AA.AAA.A
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-SHA
crypto map outside_map interface outside
crypto map outside_map interface outsideadsl
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outsideadsl
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable
debug crypto isakmp 127
Dec 28 11:58:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE Initiator: New Phase 1, Intf inside, IKE Peer AAA.AA.AAA.A local Proxy Address 192.168.0.0, remote Proxy Address 192.167.0.0, Crypto map (outside_map)
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 02 payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 03 payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ke payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing nonce payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Cisco Unity VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing xauth V6 VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send IOS VID
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing VID payload
Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:07 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing IKE SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Information Exchange processing failed
Dec 28 11:58:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Dec 28 11:58:12 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' on ASA A.
If there is still a problem, please upload debugs from both sides taken at the same time.
Also, what software version do the ASAs run, and how do you simulate the failure of B's main interface? Is it possible that in your test A can still reach B through its main interface?
HTH
Herbert
-
ACS 5.4 / ASA 8.2.5: disable AAA logging for a particular user
Hello!
I want to disable TACACS+ logging for a particular user. This user is used only for automated polling (a Python script) of the ASA VPN tunnel group (with a limited command set, authorized on ACS) to check the number of users authenticated via VPN. The problem is that this user generates a bunch of authentication, authorization and accounting logs on ACS. Is there a way to disable TACACS+ logs on ACS for this particular user? Or maybe it is possible to modify AAA on the ASA so that it does not log this particular user?
Thanks in advance.
Hi Pawel,
You can create collection filters for that specific user. When you configure collection filters, Monitoring & Report Viewer does not record those events in the database.
Navigate to: Monitoring Configuration > System Configuration > Collection Filters > Add a filter
The following attributes can be used; you should use User:
- Access Service
- User
- MAC Address
- NAS IP
Example: we get several hits from the ASA for 'user' and want ACS to ignore them. Create a filter using User. ACS will now ignore any attempt from the IP address of the NAS.
Jatin kone
- Do rate helpful posts -
Hello
I would like to set up and test AAA on a Cisco ASA (5505 or 5510).
1. Are there any other tools or servers required to use this feature? And do you have good configuration guides? I already tested Cisco CDA. It was able to show Active Directory users and their corresponding IP addresses.
2. Do you have a brief explanation of what kind of possibilities I have with this server/tool? Is it perhaps usable for the AAA mentioned on the ASA? Thanks in advance
Best regards
1. Yes, you need a RADIUS server like Windows Server NPS, or a RADIUS server such as Cisco ACS/ISE.
2. The CDA is just a man in the middle; you will always need a AAA server: RADIUS or TACACS+ (see #1).
-
AAA ACS RADIUS ASA administrative access
We have an ASA 8.2 on which we'd like to configure AAA for SSH access using ACS 5.5 running RADIUS.
We can get users to authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC.
Setup on the ASA:
aaa-server rad-group1 protocol radius
aaa-server rad-group1 (inside_pd) host rad-server-1
 key *
aaa-server rad-group1 (inside_pd) host rad-server-2
 key *
aaa authentication ssh console rad-group1 LOCAL
aaa authentication telnet console rad-group1 LOCAL
aaa authentication http console rad-group1 LOCAL
aaa authorization exec authentication-server
We have tried pushing various combinations of these attributes from ACS:
CVPN3000/ASA/PIX7.x-Privilege-Level = 15
RADIUS-IETF Service-Type = Administrative (6)
cisco-av-pair = "shell:priv-lvl=15"
Hi Phil,
You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to go straight to that privilege level without enable authentication, unless you go to 9.1(5) code.
-
ASA 5525-X AAA login to EXEC mode via ISE
I use ISE 2.0 and have created a policy to log in to our ASA 5525-X, running version 9.5.2, using SSH.
I can log in to the ASA in user exec mode, use enable and type in my password to get to priv exec mode.
I want to type a user name and password and get to priv exec mode directly.
This is what I have on our ASA:
aaa-server vpnISE protocol radius
 authorize-only
 dynamic-authorization
aaa-server vpnISE (inside) host IP_ADDRESS
 key *
aaa authentication serial console LOCAL
aaa authentication ssh console vpnISE LOCAL
aaa authentication http console LOCAL
aaa authentication enable console vpnISE LOCAL
aaa authorization exec authentication-server auto-enable
I have an authorization profile ASA_Access:
Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15
The authentication policy is PAP_ASCII for AD and local.
The authorization policy:
NAS-Port-Type: Virtual
Network Access Protocol: RADIUS
When I try to log in with this configuration it says password authentication failed. When I check the logs I see that my authentication succeeded.
Do I need to change my attributes to something else to make it work?
Two questions:
1. Have you confirmed that the appropriate rule is now hit in ISE?
2. Are you returning the correct RADIUS attribute? For ASAs you must return:
Radius:Service-Type = Administrative
Thank you for rating helpful posts!
-
AAA to bypass the enable password on the Cisco ASA
Hi all. I'm having a problem where I get authenticated by the AAA server, but after authentication I am placed in user mode. The AAA admin (I have no access to the AAA server) told me he has all users configured with priv level 15, which puts them directly into privileged mode on routers.
My question is how I can configure my Cisco ASA to bypass the enable password. See my configuration below:
aaa-server MYGROUP protocol tacacs+
 max-failed-attempts 4
aaa-server MYGROUP (inside) host 2.2.2.2
 timeout 3
 key *
aaa authentication telnet console MYGROUP LOCAL
aaa authentication enable console MYGROUP LOCAL
aaa accounting command privilege 15 MYGROUP
Looks like you want to get directly into privileged exec mode. This feature is not supported on the ASA. It is only possible on IOS devices.
Rgds, jousset
Please rate helpful posts.
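The RADIUS exchange that the replies on this page describe, as one constructed Python example added here (it is not Cisco, ACS or ISE code and not from any poster): the ASA sends an Access-Request, the server tells a VPN login from a management login by the VPN-only Tunnel-Group-Name / Client-Type vendor attributes Herbert mentions in the first thread, and for admin access it returns the Service-Type = Administrative plus cisco-av-pair shell:priv-lvl=15 that the ACS 5.5 and ISE 2.0 threads above ask for, which the ASA then verifies against the Response Authenticator before honouring. Assumptions: the CVPN3000/ASA/PIX7.x dictionary uses vendor id 3076 with Tunnel-Group-Name = 146 and Client-Type = 150 (check your ACS/ISE dictionary), the shared secret, usernames and tunnel-group name are constructed, and a VSA carries one sub-attribute.

```python
"""Constructed RADIUS exchange between an ASA and a AAA server (added example, not Cisco, ACS or ISE code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                     # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_VSA, ATTR_MSG_AUTH = 1, 6, 26, 80
SERVICE_TYPE_ADMINISTRATIVE = 6                          # IETF Service-Type value "Administrative"
VENDOR_CISCO, CISCO_AVPAIR = 9, 1                        # cisco-avpair VSA (vendor 9, type 1)
VENDOR_ASA = 3076                                        # CVPN3000/ASA/PIX7.x dictionary (assumed)
ASA_TUNNEL_GROUP_NAME, ASA_CLIENT_TYPE = 146, 150        # assumed numbers; check your ACS/ISE dictionary

def attr(t, value):  # one attribute: type, length (header included), value
    return struct.pack("!BB", t, 2 + len(value)) + value

def vsa(vendor, vtype, value):  # Vendor-Specific attribute carrying one vendor sub-attribute
    return attr(ATTR_VSA, struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value)

def parse_attrs(data):
    """Decode attributes; a VSA becomes (26, (vendor, vtype, value)). Bad lengths raise ValueError."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + length]
        if t == ATTR_VSA and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen < 2 or 4 + vlen > len(value):
                raise ValueError("bad VSA length")
            out.append((t, (vendor, vtype, value[6:4 + vlen])))
        else:
            out.append((t, value))
        pos += length
    return out

def build_access_request(ident, secret, attrs):
    """ASA side: random Request Authenticator plus an HMAC-MD5 Message-Authenticator (RFC 2869)."""
    body = b"".join(attrs) + attr(ATTR_MSG_AUTH, b"\x00" * 16)      # zeroed placeholder goes last
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16)
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac

def verify_message_authenticator(pkt, secret):
    """Server side: recompute the HMAC over the packet with the attribute zeroed; False if absent or wrong."""
    pos = 20
    while pos + 2 <= len(pkt):
        t, length = pkt[pos], pkt[pos + 1]
        if length < 2:
            return False
        if t == ATTR_MSG_AUTH and length == 18:
            expected = hmac.new(secret, pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:], hashlib.md5).digest()
            return hmac.compare_digest(pkt[pos + 2:pos + 18], expected)
        pos += length
    return False

def classify_request(pkt, secret):
    """Server-side policy hook: 'vpn' if the VPN-only ASA VSAs are present, else 'mgmt' (SSH/ASDM/console)."""
    if len(pkt) < 20 or pkt[0] != ACCESS_REQUEST or not verify_message_authenticator(pkt, secret):
        return "reject"
    tunnel_group = client_type = None
    for t, v in parse_attrs(pkt[20:]):
        if t == ATTR_VSA and v[:2] == (VENDOR_ASA, ASA_TUNNEL_GROUP_NAME):
            tunnel_group = v[2].decode()
        elif t == ATTR_VSA and v[:2] == (VENDOR_ASA, ASA_CLIENT_TYPE):
            client_type = struct.unpack("!I", v[2])[0]          # 0 means "no client" in that dictionary
    return "vpn" if tunnel_group or client_type else "mgmt"

def build_access_accept(request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

# What the replies above say ACS/ISE must return for ASA admin access.
ADMIN_ACCEPT_ATTRS = [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
                      vsa(VENDOR_CISCO, CISCO_AVPAIR, b"shell:priv-lvl=15")]

def verify_accept(request, response, secret):
    """ASA side: attributes are trusted only if code, identifier and Response Authenticator check out."""
    if len(response) < 20 or response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return parse_attrs(response[20:]) if hmac.compare_digest(response[4:20], expected) else None

def granted_privilege(attrs):
    """(administrative?, priv-lvl) as the ASA would derive them from an accepted reply."""
    admin, priv = False, None
    for t, v in attrs:
        if t == ATTR_SERVICE_TYPE:
            admin = struct.unpack("!I", v)[0] == SERVICE_TYPE_ADMINISTRATIVE
        elif t == ATTR_VSA and v[:2] == (VENDOR_CISCO, CISCO_AVPAIR) and v[2].startswith(b"shell:priv-lvl="):
            priv = int(v[2].split(b"=", 1)[1])
    return admin, priv

# Constructed sample traffic: an SSH admin login and a VPN user login as an ASA would send them.
SECRET = b"constructed-shared-secret"
ADMIN_REQUEST = build_access_request(7, SECRET, [attr(ATTR_USER_NAME, b"netadmin")])
VPN_REQUEST = build_access_request(8, SECRET, [attr(ATTR_USER_NAME, b"vpnuser"),
                                               vsa(VENDOR_ASA, ASA_TUNNEL_GROUP_NAME, b"RA-VPN"),
                                               vsa(VENDOR_ASA, ASA_CLIENT_TYPE, struct.pack("!I", 2))])
ADMIN_REPLY = build_access_accept(ADMIN_REQUEST, SECRET, ADMIN_ACCEPT_ATTRS)
```

classify_request keys only on the VPN-specific vendor attributes, because which IETF Service-Type an ASA puts into a management Access-Request is release dependent; before building an ISE or ACS policy on it, take a packet capture of one SSH login and one VPN login and confirm what your release actually sends. The Message-Authenticator check is what stops a spoofed Access-Request from reaching the policy at all, and verify_accept is the NAS-side counterpart: a reply with a wrong identifier or a Response Authenticator computed under another secret yields None, so no privilege is derived from it.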
-
About AAA on ASA 8.2(1)
I'm trying to implement AAA on a new ASA running 8.2(1), and I can't get the ACS (4.2(0) Build 124 Patch 6) and the ASA to agree on the TACACS+ keys. I've done this before on a lot of systems and it has always been a typo, but I set both ends to a key of 'a' and it still does not work. I get this in the ASA's logs:
4 Sep 29 2009 22:03:48 109027 [TACACS+] Unable to decipher response message Server = x.y.z.a User = blah
3 Sep 29 2009 22:03:48 109026 [TACACS+] Invalid reply digest received; shared server key may be mismatched.
and on the ACS box I get:
2009-09-29 22:03:48 Authen failed ... Default ... Key Mismatch ... b.c.d.e
The settings on both sides match what other working ASAs have. Is there something in 8.2(1) that changed?
Thank you
Hello
Since you are sure that the key is correct on both sides, I would like you to check this:
On ACS, go to Network Configuration > select the Network Device Group (NDG) in which the ASA is added as a AAA client.
Once in the Network Device Group, look at the bottom of the page; you will see an option that says "Edit Properties". Click that button.
Make sure nothing is set under "Shared Secret"; if there is something, remove it, leave the field empty and then press 'Submit'.
Then try to authenticate.
Any key defined in the section above overrides the key defined on a per-device basis.
For more details, please see,
HTH
JK
-
Any reason AAA is limited to 16 server groups in the ASA?
I wonder why there is a limit on all Cisco ASA models when it comes to the number of AAA server groups, only 16? I guess it shouldn't be that difficult to let the ASA's OS allow more AAA server groups and servers per device. Is this just for marketing reasons, or what? :)
Oscar
An enhancement request has been filed to increase this value.
If you open a TAC case and ask that it be attached to the bug:
CSCsh23977 Ability to have more than 15 AAA server groups on the ASA
this will put more weight on the enhancement, and it is more likely to be processed quickly.
That should help with your problem.
-
AAA 'Broken' between ASA 5505 and MS AD
I have my MS AD domain controller set up as the AAA for VPN connections (SSL and client) on my ASA 5505. It worked; however, the connection between the two failed last week and I can't bring it back up again.
I checked the password, usernames, object locations etc., but to no avail. When I do a test auth, this is the 'debug ldap 225' output:
[722] Session Start
[722] New request Session, context 0xd4e225c8, reqType = 1
[722] Fiber started
[722] Creating LDAP context with uri=ldap://w.x.y.z:389
[722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
[722] supportedLDAPVersion: value = 3
[722] supportedLDAPVersion: value = 2
[722] Binding as administrator
[722] Performing Simple authentication for FirewallTest to w.x.y.z
[722] Simple authentication for FirewallTest returned code (49) Invalid credentials
[722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
[722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
[722] Session End
I tried the age-old 'remove and re-add' fix, but it did not work.
Any thoughts?
Have you checked that the user account used to bind to LDAP (AD) has not had its privileges changed? I remember that after applying a fix to an AD server most of the admin accounts were changed to local admin rather than domain administrator accounts.
Also, try resetting the password for this account and check that you have the correct login-dn: run "dsquery user -name" and compare it to your ASA.
-
Hi all
I had configured TACACS+ on the ASA, but the problem is when I try to telnet in, it authenticates me with my username & password on ACS, but I don't get privilege level 15 as configured on ACS. It asks me for the enable password and does not accept the password that is on ACS. I used shell authorization for privilege 15. The configuration done on the ASA is:
name 172.30.xx.xx DCC-1
name 172.30.yy.yy DCC-2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host DCC-1
 key cisco
aaa-server TACACS+ host DCC-2
 key cisco
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
I even added my user name & password to the local database on the ASA, the same as on ACS. Still no progress...
Can anyone give their suggestions on this?
Kind regards
Piyush
Don't ask for shell privilege level 15 but for enable privileges. This must be set to 15 on ACS: ACS ---> configured user ---> Enable Options ---> Max privilege for any AAA client ---> 15
-
Enable AAA authentication in the ASA system context
Hello!
We have an ASA configured in multiple context mode with 8.4(2) software, configured for AAA.
The admin context configuration is as follows:
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
 key *
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
Because of multiple context mode, after logging in we land in the system context. Console port authentication works fine, except for access to privileged mode when connecting through the console port.
After the 'enable' command the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level accounting and command authorization.
It seems that the ASA in the system context is not aware of the AAA configuration at all, and there is no command to configure AAA in the system context.
Is there a way to configure enable AAA authentication in the system context?
Thanks in advance!
Hello
It looks like you hit the following known issue:
Admin context enable mode compared against system context DB credentials
Symptom:
In multi-mode configuration, the user credentials for entering privileged mode (enable mode) via the serial console are not sent to an external server for authentication.
Conditions:
ASA/PIX is in multi mode. Serial console and enable console authentication are configured to use an external aaa server in the admin context.
Workaround:
Option 1: Configure the enable password in the system context. Option 2: Avoid using the serial console interface and rely on telnet or ssh console access. For SSH or telnet consoles, attempts to enter enable mode are authenticated as specified by the aaa configuration in the "admin" context.
Further Problem Description:
When authentication is enabled for the serial console and enable console in the admin context via an external aaa server (for example radius or tacacs+), serial console passwords are checked against the external aaa server, but the enable mode credentials are compared with the enable db in the system context.
Hope that clarifies it. Unfortunately there is no solution for this problem.
Kind regards.