-
ISE server receives authentication requests from the VLAN gateway IP, not the switch management IP address
Hello
A Catalyst 3850 switch has VLAN 20 (10.18.4.32/29) defined on it, with 10.18.4.38 as the gateway:
D01-01-BWY#show ip int brief vlan 20
Interface   IP-Address   OK? Method Status   Protocol
Vlan20      10.18.4.38   YES manual up       up
An ISE server (SNS3415) is connected to a port configured in VLAN 20, with IP address 10.18.4.33.
01-BWY-D01 has a management interface of 10.18.4.17.
I created this switch as a network device in ISE, enabled the RADIUS configuration, and then configured the switch with the following commands:
radius-server attribute 6 on-for-login-auth
radius-server attribute 6 support-multiple
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 5 tries 3
radius-server host 10.18.4.33 auth-port 1812 acct-port 1813 key 7 1521030916792F077C236436125657
radius-server host 10.18.4.35 auth-port 1812 acct-port 1813 key 7 02350C5E19550B02185E580D044653
ip radius source-interface GigabitEthernet1/0/1
The problem:
When I test RADIUS with the following command, it fails. HOWEVER, the client (switch) IP listed in the error log is the gateway of VLAN 20 (!):
test aaa group radius server 10.18.4.33 auth-port 1812 acct-port 1813 radius Capita123 new-code
10.18.4.38 is the gateway IP address of the VLAN that hosts the ISE servers; I don't understand why it is listed as the device IP in the error log!
Source Timestamp | 2016-06-22 16:38:02.826
Received Timestamp | 2016-06-22 16:38:02.841
Policy Server | GLS-ISE-01
Event | 5413 RADIUS Accounting-Request dropped
Failure Reason | 11007 Could not locate Network Device or AAA Client
Resolution | Verify whether the Network Device or AAA client is configured in: Administration > Network Resources > Network Devices
Root cause | Could not find the network device or the AAA Client while accessing NAS by IP during authentication.
Service Type | Framed
NAS IPv4 Address | 10.18.4.38

Other Attributes
ConfigVersionId | 118
Device Port | 1646
DestinationPort | 1813
Protocol | RADIUS
Acct-Status-Type | Interim-Update
Acct-Delay-Time | 15
Acct-Session-Id | 00000000
Acct-Authentic | RADIUS
AcsSessionID | GLS-ISE-01/255868885/32
Device IP Address | 10.18.4.38
|
If I reconfigure the switch as an ISE network device with the IP address 10.18.4.38 (the gateway IP), my RADIUS authentication tests suddenly succeed.
Can someone clarify what is happening here?
I need to be able to define multiple switches by their unique IP addresses.
Thanks for your time
m
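The ISE failure above hinges on one RADIUS attribute: NAS-IP-Address (attribute 4), which the switch fills from its source interface and ISE uses to look up the network device. The following added example (not code from the original thread; the packet and device list are constructed) decodes that attribute from a minimal Accounting-Request and reproduces the lookup that yields reason 11007 when the address is the unregistered gateway IP:

```python
import struct
import ipaddress

# RADIUS attribute types used below (RFC 2865/2866)
NAS_IP_ADDRESS = 4
ACCT_DELAY_TIME = 41
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCOUNTING_REQUEST = 4  # packet code

# Constructed: the devices registered in ISE, keyed by the address ISE matches on.
# Only the management IP is registered, mirroring the situation in the post.
DEVICES = {"01-BWY-D01": "10.18.4.17/32"}


def build_packet(code, ident, attrs):
    """Assemble a RADIUS packet; the 16-byte authenticator is zeroed (constructed sample)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_attributes(packet):
    """Walk the TLV attribute list that follows the 20-byte RADIUS header."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, attrs


def nas_ip(attrs):
    """Return NAS-IP-Address as dotted text, or None if the request lacks it."""
    for t, v in attrs:
        if t == NAS_IP_ADDRESS and len(v) == 4:
            return str(ipaddress.IPv4Address(v))
    return None


def lookup_network_device(nas_address, devices):
    """ISE-style lookup: match NAS-IP-Address against registered device prefixes."""
    addr = ipaddress.IPv4Address(nas_address)
    for name, prefix in devices.items():
        if addr in ipaddress.IPv4Network(prefix):
            return name
    return None


def classify(packet, devices=DEVICES):
    """Decide whether ISE would process or drop this request, and why."""
    _code, attrs = parse_attributes(packet)
    ip = nas_ip(attrs)
    dev = lookup_network_device(ip, devices) if ip else None
    result = "accepted" if dev else "11007 Could not locate Network Device or AAA Client"
    return {"nas_ip": ip, "device": dev, "result": result}


def sample_packet(nas_address):
    """Constructed Accounting-Request carrying the attributes seen in the ISE log."""
    return build_packet(ACCOUNTING_REQUEST, 32, [
        (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_address).packed),
        (ACCT_STATUS_TYPE, struct.pack("!I", 3)),   # 3 = Interim-Update
        (ACCT_DELAY_TIME, struct.pack("!I", 15)),
        (ACCT_SESSION_ID, b"00000000"),
    ])


if __name__ == "__main__":
    for src in ("10.18.4.38", "10.18.4.17"):   # gateway IP vs management IP
        print(src, classify(sample_packet(src)))
```

Run it and the gateway-sourced request is dropped while the management-sourced one matches, which is why registering 10.18.4.38 "fixes" the test without fixing the source address.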
Hello
The only time I saw this, it was due to using a deprecated command: radius-server host. There was a bug on the IOS XR platform as well.
Could you please reconfigure your RADIUS configuration using the new command, radius server, and test again?
The Cisco doc for the new command:
http://www.Cisco.com/c/en/us/products/collateral/iOS-NX-OS-software/iDEN...
Thank you
PS: Please do not forget to rate and score as good response if this solves your problem
-
The AAA authentication configuration
We have an ACS 3.1 server doing AAA authentication for all routers and switches. I want each person to log in to the router using their own ID, password and enable password. If the ACS server is unavailable, I want to have a different ID, password and enable password for console and telnet access. What is the right way to do this? I also want to track all commands entered on the router.
That's what I have:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no_tacacs enable
aaa authentication enable default group tacacs+ line
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
username admin password 7 xxxxxxxxxxxxxxxx
!
!
line con 0
 login authentication no_tacacs
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxxxxxxxxxxxxxxx
!
Yes, it's Joy on the right. Thank you, Renault
-
RADIUS authentication for the switch using ISE
Hi guys,
Has anyone done RADIUS authentication for switch CLI login using ISE?
We did it in our environment with ISE, but it is a challenge to give read-only / priv-1 access.
If some users know the enable password, they can use it and gain full privilege.
Is there any way around this other than changing the enable password?
We have thousands of switches and won't change it on each of them.
If you have another method, please advise.
Thank you in advance.
Well, you can have the "enable" function also be controlled via the AAA server with the following command:
aaa authentication enable ... This way the AAA server will be checked to authenticate the enable secret, with the local database used as a last resort.
I hope this helps!
Thank you for evaluating useful messages!
-
Test command of the AAA for EAP - TLS authentication for wireless users
Hi all
Can anyone suggest the test command to verify EAP-TLS authentication for the Cisco WAPs' wireless users?
If it's an authentication jump, we can use the command below to test the connection:
Testwap-01#test aaa group radius [email protected] /*/o4&yJ)NoL$%0 new-code
Trying to authenticate with the server radius group
User successfully authenticated
But EAP-TLS does not come with a password; it relies on the username only.
We are working on a remote location, so we test remotely before production.
Could someone please help with whether there is a test command or debug command to test this authentication.
EAP-TLS requires a client certificate. How could there be a simple command that tests this without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy-to-deploy EAP method: it can go wrong on several levels.
The test aaa command performs a PAP authentication, so it tests basic RADIUS connectivity and the username and password.
If it works, the only thing that can break for EAP-TLS is the certificates, and the RADIUS server will be able to tell if something is wrong.
-
aaa authentication enable default group tacacs+ enable
I am implementing CSACS 4.0. First, on the client, I will apply aaa authentication/authorization under vty. The issue is, if I use the following command
aaa authentication enable default group tacacs+ enable
what happens if I connect via the console? Do I need to enter a username and password?
Here is my configuration
aaa new-model
aaa authentication login authvty group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 authvty group tacacs+ local
tacacs-server host IP
tacacs-server key
ip tacacs source-interface Vlan3
aaa accounting send stop-record authentication failure
aaa accounting delay-start
aaa accounting exec authvty start-stop group tacacs+
aaa accounting commands 15 authvty power group tacacs+
aaa accounting connection authvty start-stop group tacacs+
line vty 0 15
 login authentication authvty
 authorization commands 15 authvty
 accounting connection authvty
 accounting commands 15 authvty
 accounting exec authvty
Any suggestion will be appreciated!
It should work; it is a prompt/banner message shown whenever you try to log in (console/vty). I set it up on my router.
If you have a banner motd, it will appear as well (see below). So I had to remove it to get only the aaa banner and prompt displayed:
************************************************************
* Username: cisco, password: cisco (priv 15 - local)       *
************************************************************
Unauthorized use is prohibited.
Enter your name here: User1
Now enter your password:
Router#
The configuration more or less looks like this:
aaa new-model
aaa authentication banner ^CUnauthorized use is prohibited.^C
aaa authentication password-prompt "Now enter your password:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default group radius
aaa authentication login CONSOLE local
HTH
AK
-
AAA RADIUS authentication for the only user group
Hello
I use ACS 3.1 and am trying to use RADIUS authentication for all network switches in my company.
The problem I'm facing now is how to restrict login/exec access to the switches to only one user group. It seems that all user IDs in my ACS are able to telnet (user access) to the switches using their login credentials.
I would like to prevent them from telnetting with their IDs, except for the administrator group.
Any advice on how this is possible?
TKS!
For this, you need the admin users in their own separate ACS group, leaving the other users in their own group as well.
Edit the group that contains the users you don't want to give access to, and under the Network Access Restrictions (NAR) heading, in "Per Group Defined Network Access Restrictions", check "Define IP-based access restrictions", choose "Denied Calling/Point of Access Locations" and enter the switches in the table below (put a * in the port and address fields).
This prevents standard users from authenticating to the switches. You can add all your switches to a Network Device Group (NDG) for this; then you only have to add that NDG in the NAR section rather than adding each switch individually.
-
Excluding the lines of Terminal Server in the AAA authentication
Hi all
Hope you can help. I'm trying to find a solution to exclude only the following line port from AAA authentication (ACS TACACS+) on a terminal server card in a Cisco 2600 router. Does anyone know how to do this, or can point me in the right direction?
I've included the output below:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default power group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
line 41
 session-timeout 20
 location XXXXXX XXXXXX BT decoder
 no banner motd
 no exec-banner
 absolute-timeout 240
 modem InOut
 no exec
 transport input all
 stopbits 1
 speed 38400
Is it a matter of disabling login on the line, or of using a defined group?
Thanks a lot for your help.
Jim.
Hi Jim
You may need to create another group for authentication for the aux line and amend your AAA configuration:
line aux 0
 login authentication aux_auth
aaa authentication login aux_auth line
You can also configure a local username/password and map it to the group here...
Console and telnet would still use the configured default group, or you can specify specific groups:
line con 0
 login authentication console
line vty 0 4
 login authentication vty
and specify the aaa authentication settings individually...
I hope this helps... all the best
REDA
-
The AAA authentication and VRF-Lite
Hello!
I encountered a strange problem when using AAA RADIUS authentication and VRF-Lite.
The setup is as follows. A /31 link net is configured between the PE and the CE (7206/G1 and C1812), where the PE sub-interface is part of an MPLS VPN and the CE uses VRF-Lite to keep local services separate (where more than one VPN is used).
Access to the CE via telnet, console etc. is authenticated by our RADIUS servers, based on the following configuration:
<--- Config start --->
aaa new-model
!
!
aaa group server radius RADIUS-auth
 server x.x.4.23 auth-port 1645 acct-port 1646
 server x.x.7.139 auth-port 1645 acct-port 1646
!
aaa authentication login default group RADIUS-auth local
aaa authentication enable default group RADIUS-auth enable
...
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
...
ip radius source-interface <interface> vrf 10
<--- Config ends --->
The VRF-Lite instance is configured like this:
<--- Config start --->
ip vrf 10
 rd 65001:10
<--- Config ends --->
Now, if I remove the VRF-Lite configuration and use global routing on the CE (which is OK for a simple VPN installation), AAA/RADIUS authentication works very well. When I enable "ip vrf forwarding 10" on the outside and inside interfaces, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are correctly imported via BGP, and the service as a whole operates without problem; in other words, AAA/RADIUS is the only service that does not work.
It may be necessary to include the ip vrf forwarding command in the server group config, as follows:
aaa group server radius RADIUS-auth
 server-private x.x.x.x auth-port 1645 acct-port 1646 key ww
 ip vrf forwarding 10
See the document below for more details:
http://www.Cisco.com/en/us/partner/docs/iOS/12_4/secure/configuration/guide/hvrfaaa.html
-
AAA authentication not working with the 'default' method list
Guys,
I hope someone can help me with this AAA problem. I copied the configuration and debugs below. The router keeps using the local username/password even though the ACS servers are reachable and working. From the debugs, it seems it keeps using the 'default' method list, ignoring the TACACS+ config. Any help will be appreciated.
Config
**********************************
aaa new-model
!
username admin privilege 15 secret 5 xxxxxxxxxx
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization reverse-access default group tacacs+ local
aaa accounting commands 0 default arrhythmic group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default power group tacacs+
!
aaa session-id common
!
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key 7 0006140E54xxxxxxxxxx
!
ip tacacs source-interface Vlan200
***************************
Debugs
002344: Dec 5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
002345: Dec 5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
002346: Dec 5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
core01#
002347: Dec 5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
002348: Dec 5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
002349: Dec 5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
002350: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
002351: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
002352: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
002353: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
002354: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
002355: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
002356: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list 'default'
002357: Dec 5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
002358: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
002359: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
002360: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
002361: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
002362: Dec 5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
Enter configuration commands, one per line.  End with CNTL/Z.
core01(config)#
002363: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
002364: Dec 5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
002365: Dec 5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
002366: Dec 5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
core01(config)#
Are the TACACS+ servers reachable using source vlan 200? Also, on the TACACS+ server, can you check that the IP address for this device is configured correctly, and please check that the key on the server matches the one on this device.
As Rick suggested, "show tacacs" would be good as well. That would show the failures and the successes.
HTH
Kishore
-
The AAA authentication: not configured
I have a Cisco 851 and am using CCP to configure Easy VPN.
I click on TEST VPN SERVER, then click Start, and the status shows successful.
When I try to connect a client I get MM_NO_STATE.
When I looked at the test report, I found:
AAA authentication: not configured
My AAA:
aaa new-model
!
!
aaa authentication login tgcsusers local
aaa authorization network tgcsvpn local
!
aaa session-id common
I have also attached my config
Ideas or thoughts?
You will need to get my client working...
I logged in with the username and password you provided.
Please check the pictures I uploaded for you.
Good night, sleep tight.
Thank you
Rizwan James
-
AAA on switches vs routers (Cisco IOS)
I have AAA with TACACS+ configured on a router this way:
aaa authentication login default group tacacs+ local-case enable
aaa authentication enable default group tacacs+ enable
Do I enter the same configuration on a switch (switches in general)?
What about accounting? Do I have the same accounting configured on the router and the switch?
For the switch, do I need to enable accounting services on the console line?
example:
line con 0
 accounting commands 15 default
 accounting exec default
So, on the router I have accounting configured but not applied to the lines (e.g. console, vty...). Once accounting is enabled on the router, is it automatically applied to all lines if I use the default method list? And is this true for switches?
Hi Nathan,
Whether router or switch, the AAA commands work the same for both.
And since you have "default", it will be applied on all lines on routers as well as on the switch. You do not have to specify it explicitly as:
line con 0
 accounting commands 15 default
 accounting exec default
There is no need, as once again it will look for the accounting list 'default', which, if already set up, will be the same.
Therefore the only commands you need to specify are:
aaa accounting commands 0 default arrhythmic group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
By default we have commands on three privilege levels on IOS devices: levels 0, 1 and 15.
Hope it helps :)
-
The AAA reports
Hi, I need to provide ACS reports that include all commands captured on firewalls/switches/routers.
ACS was installed successfully for these network devices; basic AAA works, I can see failed/passed authentications, and different authentication levels have been configured correctly, but I see only the commands that were denied in the reports (have tested different user levels). How can I configure AAA to log commands entered by, e.g., network device admins?
Hi Ganesh, thanks for reply.
Unfortunately I am still unable to see executed commands in the TACACS+ accounting report. I have all report fields enabled, the configuration is the same as you suggested, but still no luck. I set up a shell command authorization set and can see when read-only users (who have rights to run only the commands in the read-only authorization set) try to execute commands they are not authorized to run, but I cannot see all commands executed on the switch.
This is really important to have a record who and when initiated what commands on network devices.
07/16/2010,09:18:30,AAAServer,GRoup,SWITCHES,CAT3560-T,UserName,192.168.182.1,start,15,,,,,,2,(Default),,,shell,,,,,,,,,,,,,,UTC,,,,,,,,,,,,,,,,,,,,,,,,No,Login,1,6,192.168.182.20,tty1
Any other suggestions?
Hello
If your ACS version is 4.1, TACACS+ command accounting no longer works. No accounting is visible in the TACACS+ Administration log (bug CSCsg97429).
Click this link if you use the ACS Solution Engine: http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-soleng-3des?psrtdcat20e2 and download:
applAcs_4.1.1.23_ACS-4.1-CSTacacs-CSCsg97429.zip
Hope to help!
Ganesh.H
Don't forget to note the useful message
-
PowerConnect 6248 switch, RADIUS and selected method issues
I think this should be simple enough, but it doesn't work that way. I have multiple 6248s and a handful of other PowerConnect switches, and I'm deploying RADIUS as the primary authentication mechanism. I'm going through some preliminary tests here and a simple thing just won't work. In the networkList profile I put RADIUS first as the selection method and LOCAL second. The RADIUS user authenticates fine, but when it tries to look up the LOCAL user, it is rejected. I thought that if the user is not found by RADIUS, it would be sent on to the next method? I'm only using the telnet method for the moment before changing the HTTP methods. Any thoughts would be appreciated. Thank you!
Could answer my own question here, but I think that the NPS server should probably "time out" or not respond to the initial authentication request for the local method to be reached? Haven't tested, but may do so shortly.
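Both this thread and the 'default' method list thread above turn on the same rule: a method list is walked in order, and only a method that cannot answer (unreachable server, timeout, key mismatch) passes control to the next method, while an explicit reject ends the attempt. The following added example (not from either thread; the users, secrets and method names are constructed) models that rule as IOS documents it for `aaa authentication login default group radius local` and shows both outcomes seen in the threads:

```python
from enum import Enum


class Outcome(Enum):
    PASS = "PASS"    # the method accepted the user
    FAIL = "FAIL"    # the method answered and rejected the user
    ERROR = "ERROR"  # the method could not answer (unreachable, timeout, bad key)


def run_method_list(methods, user, password):
    """Walk a method list the way IOS does: only ERROR moves on to the next
    method; PASS and FAIL are final. Returns (outcome, deciding_method)."""
    last = None
    for name, method in methods:
        outcome = method(user, password)
        last = name
        if outcome is not Outcome.ERROR:
            return outcome, name
    # every method errored: the login is refused, and no method "decided"
    return Outcome.ERROR, last


def radius_server(reachable, users):
    """Constructed stand-in for 'group radius': ERROR when unreachable, else PASS/FAIL."""
    def auth(user, password):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return auth


def local_database(users):
    """Constructed stand-in for the 'local' method (username ... secret lines)."""
    def auth(user, password):
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return auth


# Constructed accounts: 'admin' exists only locally, 'netops' only on the server.
LOCAL_USERS = {"admin": "local-secret"}
SERVER_USERS = {"netops": "server-secret"}

# aaa authentication login default group radius local, server reachable
SERVER_UP = [("group radius", radius_server(True, SERVER_USERS)),
             ("local", local_database(LOCAL_USERS))]
# same list while the server is unreachable (or rejects the shared key)
SERVER_DOWN = [("group radius", radius_server(False, SERVER_USERS)),
               ("local", local_database(LOCAL_USERS))]


if __name__ == "__main__":
    # PowerConnect case: a local-only user is rejected by RADIUS and never reaches 'local'
    print(run_method_list(SERVER_UP, "admin", "local-secret"))
    # 'keeps using local' case: the server errors, so the list falls through to 'local'
    print(run_method_list(SERVER_DOWN, "admin", "local-secret"))
```

The first call returns FAIL from "group radius", which is the PowerConnect behaviour; the second returns PASS from "local", which is the fallthrough the debug output above records as ERROR followed by Method=LOCAL.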
-
Preparing switch configs from a template/tool
Guys,
I'm trying to find out if there is a tool to prepare Cisco router/switch configs. I'm looking to prepare a basic config with some VLANs, static IPs, AAA, etc. Should I use GNS3 as a simulator to simulate a router and configure it to serve as a template, or is there another free, lightweight tool where I can test a config for typos and the like?
Thanks in advance!
If you have existing switches, just take the running-config, open it in a simple editor like Notepad, and change the IP addresses and other things.
Add "no shutdown" on the interfaces, because by default they are not up, and when you do a show running-config it does not appear as "no shutdown".