Privileged mode authentication using TACACS+ for Cisco routers

I'm trying to set up a test environment where I need to be prompted for both a username and a password when entering privileged EXEC mode on a Cisco IOS router. I was told the only way to do this is through TACACS+. But I didn't know where to put all these TACACS+ configuration options. Has someone already done an installation like this before? I'd appreciate any help on this. Thank you.

That's right, as I said in my previous post, you cannot accomplish what you're trying to do. In IOS the username that you use to connect to the router is ALWAYS used when you are in enable mode. If you want to change the user you are logged in as, you will need to log off the router and log back in with the right user.

-Jesse

Tags: Cisco Security

Similar Questions

  • Direct login to enable mode on CatOS using TACACS+

    Hello

    I use TACACS+ for authentication on IOS and CatOS switches. When I connect to the IOS devices, I go directly into enable mode.

    When I connect to the CatOS switch with the same user, I only get into exec mode. So I have to enter enable mode manually with the "tacacs user password" as the "enable password".

    My wish is to connect directly into enable mode on the CatOS switches too!

    Thanks in advance...

    IOS config:

    -----------

    aaa new-model
    tacacs-server key xxxx
    tacacs-server host a.b.c.d
    aaa authentication login default group tacacs+ enable
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    line vty 0 4
     login authentication default

    Config from CatOS:

    --------------

    set tacacs server a.b.c.d primary
    set tacacs attempts 5
    set tacacs directedrequest disable
    set tacacs key xxxxxx
    set tacacs timeout 5
    set authentication login tacacs disable console
    set authentication login tacacs enable telnet primary
    set authentication enable tacacs disable console
    set authentication enable tacacs enable telnet primary
    set authentication login local enable console
    set authentication login local enable telnet
    set authentication enable local enable console
    set authentication enable local enable telnet

    @rtogonon

    That is an IOS command!

    Michael

  • Windows NPS for AAA authentication on a Cisco router - is it secure?

    I am very confused about how all this works and was hoping someone could help me.

    I followed a bunch of online tutorials for setting up RADIUS authentication on a Cisco router and pointed it at a Windows NPS server. Now I can SSH into the router with my AD account.

    Now that I got it to work, I'm going through the settings to make sure everything is secure.

    On my router, the config is pretty simple:

    aaa new-model
    aaa group server radius WINDOWS_NPS
     server-private 123.123.123.123 auth-port 1812 acct-port 1813 key mykey
    aaa authentication login default local group WINDOWS_NPS

    ip domain-name MyDom
    crypto key generate rsa

    (under vty and console)
     login authentication default
    On the Windows NPS:
    • I created a new RADIUS client for the router.
    • Created a shared secret and specified Cisco as the vendor name.
    • Created a new network policy with my desired conditions.
    • And now the part of the network policy configuration that worries me:

    So initially I thought my AD credentials were being sent over the wire in plain text, but I did a capture and saw this:

    How is my password being encrypted and how strong is the encryption?

    Another thing is, how can I configure AAA authentication with MS-CHAPv2? The documentation I saw for MS-CHAPv2 uses the "ppp authentication ms-chap-v2" command, but I'm not using PPP; I'm using AAA with a RADIUS server.

    Hello

    RADIUS encrypts the password, but sends the username in the clear. TACACS+ encrypts both the username and the password.

    You can find the encryption scheme used by RADIUS in the RFC:

    https://Tools.ietf.org/html/rfc2865#page-27

    MS-CHAPv2 is used for user authentication such as remote access and VPN, not for switch management.

    Thank you

    John

  • Cisco Nexus using RADIUS AAA authentication with Microsoft 2008 NPS

    I have a Nexus 7010 running

    I was wondering if you can help me with something. I'm having a problem with command authorization through our AAA config. We don't have an authentication problem; it's command authorization that does not work. From what I've seen and read, Nexus NX-OS 6.x does not have all the commands for AAA authorization unless you configure TACACS+. My basic config is below; any help would be much appreciated.

    > ip radius source-interface mgmt 0
    > radius-server key XXXXX
    > radius-server host X.X.X.X key XXXXX authentication accounting
    > radius-server host X.X.X.X key XXXXX authentication accounting
    > aaa group server radius Radius_Group
    >   server X.X.X.X
    >   server X.X.X.X
    >   source-interface mgmt0
    > aaa authentication login default group Radius_Group
    > aaa authentication login console group Radius_Group local

    Also, does anybody know how to configure Microsoft 2008 NPS as a RADIUS server to work with the Nexus? I read a few posts that suggest setting

    shell:roles="vdc-admin" in the attribute value field on the RADIUS server.

    Does anyone know if that works?

    Thank you

    I haven't used NPS before, but it sounds like you are on the right track. As Ed mentioned in his post, in ACS you can set the type of protocols that you will accept during an authentication session. Nexus authentication sessions are treated as PAP/ASCII, so you should be good to go. I don't have a Nexus switch to test with, but you can use Wireshark to capture the session and see the exact protocol/method used. However, I am sure that PAP is the way to go:

    http://www.Cisco.com/c/en/us/TD/docs/switches/Datacenter/SW/4_1/NX-OS/se...

    I also found this link that you might find useful:

    http://www.802101.com/2013/08/Cisco-Nexus-and-AAA-authentication.html

    Please rate helpful posts!

  • ARP cache timeout on Cisco routers

    Hello

    I was reading a book on Cisco routers in which the author said: "the router resets the ARP age counter to zero whenever it sees valid traffic from the corresponding device. This ensures that the addresses of active devices are never flushed from the cache, regardless of how long they have been known."

    I'm really surprised by this because I always thought the ARP age counter was absolute and not relative to the last time a packet was seen coming from the corresponding IP address. After reading this, I did a few tests that tend to confirm the ARP age counter is absolute and that it does not care whether there is active traffic during the corresponding timeout period or not.

    Question 1: can someone confirm this please?

    I am unable to find clear statements in the Cisco documentation.

    Question 2: when does the router send a new ARP request?

    For example, when the ARP timeout is 4 hours or 240 minutes (the Cisco default), the router sends an ARP request on reaching 239 minutes (1 minute before the expiration time). Is this value fixed (send an ARP request 1 minute before aging out) or is it relative (x% of the timeout value)?

    Thanks for your help.

    Sam

    I have some additional information that might help. I found a post by a Cisco engineer which gives some information about the behavior of ARP in Cisco IOS. He says clearly (and gives an example) that if a Cisco router receives an ARP request from a host, it will use this request to refresh the ARP entry and reset the timer for that entry without making its own ARP request. Maybe that's the behavior they were trying to describe in the IOS Cookbook.

    It also talks about a unicast ARP request sent 60 seconds before the expiration of the entry so that the entry can be refreshed. It does not specifically say so, but I think that this interval is fixed.

    Here is the link if you want to see the details:

    http://puck.nether.NET/pipermail/Cisco-NSP/2005-February/017400.html

    Regarding the error in the book, I have worked as a reviewer on a few books and can tell you that the authors and reviewers work hard to get things right. But sometimes mistakes are not caught and appear in the publication. With the amount of detail covered in the book, some mistakes are bound to slip through.

    HTH

    Rick

  • TACACS+ for ASA 5550

    Hello

    How do I configure TACACS+ for an ASA 5550 with ACS 4.2? I have two ASAs, one active and the other in standby mode. Please tell me how to set it up. I couldn't find any good docs either.

    Thank you.

    Hi Gavin,

    Here is the sample config for ASA telnet authentication against TACACS+:

    username admin password xxxxx privilege 15
    aaa-server TEST protocol tacacs+
    aaa-server TEST (inside) host x.x.x.x yyy
    [x.x.x.x is the IP address of the TACACS+ server, reachable from the inside interface, and yyy is the shared secret key.]
    aaa authentication telnet console TEST LOCAL
    [This sends the telnet authentication request to the TACACS+ server first and, if it is not reachable, uses the local database of the ASA.]
    aaa authentication ssh console TEST LOCAL
    [Same as above, but for SSH sessions.]
    aaa authorization exec authentication-server
    [This enables exec authorization for telnet and SSH sessions.]
    aaa authentication http console TEST LOCAL
    [For HTTP.]
    aaa accounting command TEST
    [This enables command accounting for all commands entered in a telnet or SSH session.]

    On the TACACS+ server we need to add this ASA as a TACACS+ client with shared secret key yyy.

    You can find more details here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026

    In ACS, you need to add the ASA as a device under Network Configuration with protocol TACACS+.

    Thank you

    Vinay

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.

  • Access to privileged mode during authentication

    When I connect to a Cisco device, I'm prompted to enter a username and password. Once authenticated, I need to enter the 'enable' command, then my password again, in order to get access to privileged mode. I want to be able to go directly to priv mode.

    My AAA configuration looks like this:

    aaa authentication login default group tacacs+ local
    aaa authentication login ciscoadmins group tacacs+ local
    aaa authentication enable default group tacacs+
    aaa authorization config-commands
    aaa authorization exec ciscoadmins group tacacs+ local if-authenticated
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 ciscoadmins group tacacs+ local
    aaa authorization network default group tacacs+
    aaa authorization network ciscoadmins group tacacs+

    On my ACS SE (ver. 4.1.4.13), I have the user and the group configured with the same settings in the TACACS+ section, with Shell (exec) checked and Privilege level checked and set to 15.

    I can get this working with RADIUS but it fails with TACACS+.

    Does anyone have a solution for this?

    Thank you

    Keith

    Keith

    I believe that the problem involves this line of the config:

    aaa authorization exec ciscoadmins group tacacs+ local if-authenticated

    It creates a named method list for authorization. IOS wants to see that method list specified on your lines (or it wants to use the default method list). I suggest that you include this line under the vty lines:

    authorization exec ciscoadmins

    or use this line in the aaa section instead:

    aaa authorization exec default group tacacs+ local if-authenticated

    HTH

    Rick
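The thread at the top of this page, the CatOS/IOS thread, and Keith's question above all want the same thing: a TACACS+-authenticated user landing in privileged EXEC without typing "enable". Below is an added example of the IOS side of that, written for this page rather than taken from any of the posts. It assumes a TACACS+ server at 192.0.2.10 with shared key "s3cret", a local fallback user "admin", and a server-side Shell (exec) profile that returns priv-lvl=15 for the user; the IP address, key and account names are placeholders.

```cisco
! Added example: TACACS+ login straight into privilege 15 on Cisco IOS.
! Assumed: server 192.0.2.10, key "s3cret", ACS Shell (exec) profile
! returning priv-lvl=15 for the user. Lines starting with ! are comments.
aaa new-model
!
tacacs-server host 192.0.2.10
tacacs-server key s3cret
!
! Login: ask TACACS+ first; the local database is used only if no server answers.
aaa authentication login default group tacacs+ local
! Keep the 'enable' command working for users the server does not promote.
aaa authentication enable default group tacacs+ enable
! Exec authorization is the step that applies priv-lvl on login. Because this
! is the *default* list, every vty uses it without a per-line 'authorization exec'.
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback used only while TACACS+ is unreachable.
username admin privilege 15 secret AStr0ngLocalSecret
enable secret AStr0ngEnableSecret
!
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

Two things to check after applying this. First, log in and run "show privilege": it should print 15 without an enable step; "debug aaa authorization" shows the priv-lvl attribute arriving in the exec authorization reply, and if it is missing the fix is on the server, not the router. Second, note the fallback semantics of the method list: "local" and "if-authenticated" are consulted only when the TACACS+ server does not respond, not when it explicitly denies the authorization. That is deliberate (an explicit deny should stick), but it means "if-authenticated" grants exec access to any already-authenticated user whenever the server is down, so keep the local account list short and the enable secret strong.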

  • Can I use AAA for telnet access to a PIX?

    It's a 506e running 6.2(2). I have all my routers and switches using TACACS+ authentication. Is it possible with the PIX? Any useful links or instructions?

    Thank you

    Yes, you can control access to the PIX via TACACS+ or any AAA server. Here is the perfect link explaining the config etc. for it:

    http://www.Cisco.com/warp/customer/110/authtopix.shtml

  • Privileged mode access, or giving access to only some commands

    We have site-to-site VPN tunnels to various offices and we generally use TACACS+ for the username and password. We want to give privileged-level access to a few people, and access to only a few commands in privileged mode, using the same TACACS+ password, both via CLI and ASDM.

    Kindly help me with this

    Thnx a lot

    Please visit this link

    http://www.Cisco.com/en/us/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

    You need to set up command authorization.

    Kind regards

    ~ JG

    Please rate helpful posts

  • Host-mode for dot1x authentication

    Question - which one to choose?

    Scenario: devices attached to 3850s (15.0(1)EZ2), ISE v1.2

    1. IP phone with a PC daisy-chained behind it

    2. dumb hub with several PCs and an IP phone

    authentication host-mode multi-domain

    or

    authentication host-mode multi-auth

    AND

    authentication violation replace

    or

    authentication violation restrict

    Regards

    For all of my deployments I have used "authentication host-mode multi-auth"; this way I create a more generic template and don't have to go back and touch ports that might have a switch connected to them. So I suggest using this as well, unless there is a driver behind not doing so.

    Be careful with 'silent hubs' connected to an 802.1X-enabled port. I've run into situations where the dumb hub/switch would let dot1x authentications pass but then wouldn't pass the EAPoL logoff message, thus causing problems when connecting a new device. I guess in such a situation "authentication violation replace" might help, but you could then run into other unforeseen issues. I had a couple of deployments where EAPoL traffic was completely dropped and never reached the RADIUS server. So I had the chance to convince my clients to replace those with a "compact" version of the Cisco switch family (2960C, 3560C), and so I've always used "authentication violation restrict".

    I know that this does not answer your questions directly, but I hope it helps

    Please rate helpful posts!

  • Certificate authentication mode?

    I want to try to build a more secure LAN. I want every client (wired or wireless) connecting to the network to use a certificate, not a username/password pair.

    But as I am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, RADIUS is perhaps more appropriate, but I don't know how to set up the certification authority.

    Any help or suggestion will be appreciated!

    More generally, we do this in the context of implementing a product such as Cisco Identity Services Engine (ISE). ISE uses 802.1X and has the ability to check clients for things such as a certificate during the authentication / posture assessment / remediation process.

    Also, it acts as a RADIUS server and can dynamically send a Change of Authorization (CoA) to the authenticator (i.e. switch or wireless controller) to control things like the client's VLAN assignment and any access lists you want to apply.

    On the client side, a supplicant is used to interact with the authenticator. You can use the native supplicants in OS X or Windows, etc., but we generally recommend using the Cisco AnyConnect Secure Mobility client with its Network Access Manager (NAM) module, because it is much more complete for this purpose.

    You could also do 802.1X with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server), but you only get basic authentication versus the rich functionality that ISE gives (although ISE is much more ;)).

    Take a look at this YouTube video for an example of setting up certificate authentication on ACS:

    https://www.YouTube.com/watch?v=U7qWJ7bIMHA
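The two threads above (host-mode/violation mode, and certificate-based 802.1X) both come down to the same access-switch configuration, so here is one added IOS example covering both; it is written for this page and is not taken from any of the posts or from Cisco's documentation. It assumes a RADIUS server (ISE, ACS or NPS) at 192.0.2.20 with key "s3cret", data VLAN 10 and voice VLAN 20; those values are placeholders. The EAP-TLS policy and the CA trust live entirely on the RADIUS server: the switch only relays EAPoL frames to RADIUS and never sees the client certificate, which is why the choice between "TACACS+ and RADIUS" does not arise here (802.1X is RADIUS by definition).

```cisco
! Added example: access switch side of certificate-based 802.1X (EAP-TLS),
! with the host-mode and violation-mode choices from the earlier thread.
! Assumed: RADIUS server 192.0.2.20, key "s3cret", VLAN 10 data, VLAN 20 voice.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key s3cret
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 description phone with daisy-chained PC, or a dumb hub
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! multi-auth: every MAC seen behind the port authenticates on its own.
 ! multi-domain instead would allow exactly one data and one voice device.
 authentication host-mode multi-auth
 ! restrict: traffic from an extra, unauthenticated MAC is dropped and a
 ! syslog/SNMP trap is raised; the port stays up for the authenticated hosts.
 ! replace would tear down the existing session in favour of the new MAC.
 authentication violation restrict
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

Verify with "show authentication sessions interface GigabitEthernet1/0/1 details": each client should show its own session with method dot1x (the certificate-bearing supplicants) or mab (the phone, if it has no supplicant). In multi-auth mode the phone still has to be placed in the voice domain by the RADIUS server, via the Cisco AV pair device-traffic-class=voice in its Access-Accept; without that attribute it is treated as a data device and will not get the voice VLAN. The MAB fallback is a security trade-off: it lets printers and phones without a supplicant on, but a MAC address is trivially spoofable, so pair it with a restrictive authorization profile (dACL or a quarantine VLAN) on the server for anything that only passes MAB.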

  • TACACS+ on Cisco WLC question

    I just installed a Cisco 5508 WLC on our network. I have the management IP address in the management VLAN and the controller set up as "untagged". The WLC has two ports connected to a Cisco 4507 switch in a port-channel config.

    I can ping the controller from the network fine, and I can ping the TACACS+ server from the controller. I have the priority set up as "TACACS+ LOCAL". However, when I try to log in to the WLC and look at the debug, it shows I'm authenticated and that's all; for some reason the authorization traffic is failing. Using Wireshark I confirmed that the request comes from the management interface IP.

    I followed the instructions in this link:

    http://www.Cisco.com/en/us/customer/docs/wireless/controller/5.0/Configuration/Guide/c5sol.html

    Any ideas?

    Hello

    It seems that you have not configured the ACS correctly.

    The ACS must return the required attributes.

    Please follow this document: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3

    HTH,

    Tiago

    --

    If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
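As an added illustration of Tiago's answer (not code from the post or from Cisco's document), here is the WLC-side CLI for TACACS+ management login together with the server-side attribute that the authorization step depends on. It assumes a TACACS+ server at 192.0.2.30 on port 49 with key "s3cret"; lines starting with ! are annotations, not WLC commands.

```cisco
! Added example: WLC management access via TACACS+ (assumed server 192.0.2.30,
! port 49, key "s3cret"). Index 1 is the first server in each list.
! Authentication, authorization and accounting are separate server lists
! on the WLC; all three are usually pointed at the same host.
config tacacs auth add 1 192.0.2.30 49 ascii s3cret
config tacacs athr add 1 192.0.2.30 49 ascii s3cret
config tacacs acct add 1 192.0.2.30 49 ascii s3cret
! Management login order: TACACS+ first, local users only if no server answers.
config aaa auth mgmt tacacs local
! Watch the authorization reply while reproducing the failed login.
debug aaa tacacs enable
```

On the ACS side the user or group needs, under TACACS+ Settings, Shell (exec) enabled with a custom attribute of the form role1=ALL (or a narrower role such as role1=MONITOR, and role2, role3... for additional roles). The WLC does a separate authorization request after the password check and rejects the session when that reply carries no role attribute, which matches the symptom above: authentication succeeds, authorization fails. The debug output shows whether the reply contained a role, so run it before changing anything on the controller.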
