authorization for AAA and GANYMEDE unavailable server scenario

I installed a PIX for users authentication for telnet and enable access. I have permission to install a subset of users can run only display orders. This set works as expected.

The problem is when I simulate and network failure and try to get access the PIX console. I can't run the enable command because the command shall not be permitted. I have to use means of recovery of password to access the PIX. How to do this? Can I have permission to order processed locally? Can I associated with the command show a lower level of the priveledge? If so, how and how can I limit the user to this level of privilege (via GANYMEDE)? I confiscate doing?

Thank you


If the PIX is configured for GANYMEDE authentiaction and RADIUS server is unavailable for authentication, there is no way to rescue or get around this issue at this time.

You can configure the pix to get back to local authentication if Ganymede is not available.

Release then (I think 6.3 and above) who will be available.

Tags: Cisco Security

Similar Questions

  • AAA and GANYMEDE servers

    Hi all

    I want to download a free, yet reliable servers AAA and GANYMEDE , can you guide me? Also, I need help with their configuration for study purpose.

    Both of them are GANYMEDE, do you also need RADIUS (your post says AAA)?  Assuming you just need GANYMEDE:

    Probably the best known is:


    Also, the go RANCID.

    For a solution based on Windows you can also consult:


    If cela messages answers your question or is useful, please consider rating it and/or mark as answered.

  • same host for radius and Ganymede


    can I put a host (asa for example) twice in the acs Server? one for Ganymede to grant administrators access exec and the other for radius authenticate remote users.

    I don't want remote users to be able to get exec mode.

    Or how should I configure this?

    Yes, you can do it. Network configuration ON acs


    ASA--->> Auth using Ganymede +.

    ASA1-->> Auth using RADIUS

    Host name cannot be the same.

    Kind regards

    ~ JG

    Note the useful messages

  • Need to set up Windows mail for incoming and outgoing mail server

    I am trying to set up my mail in windows for the first time, can someone please help me with the details of the incoming and outgoing server (pop)

    I am trying to set up my mail in windows for the first time, can someone please help me with the details of the incoming and outgoing server (pop)

    Hey Kim Clement

    Contact your ISP (internet service provider).

    They offer your broad band/dial-up connection.

    Ask them to:

    password for your access broadband account / distance with them
    Server of incoming POP3 mail
    outgoing e-mail server

    and read this on how to set up windows mail on the microsoft below link

    Windows Mail: Setting up an account of end-to-end

    Walter, the time zone traveller

  • IBM DB2 as external database for device and Windows based Server vCenter vCenter?


    Post edited by: a.p. - updated the title (in capital letters)

    You will find an overview of the databases supported at by selecting "interoperability Solution/database.


  • Need for reports and the analysis down server move to a different server

    I lost my original for RA and re-installed server components on another server, however, when I try to access the workspace site, I get the message * "did not find a server Hyperion Reporting and analysis 'former name of the server running" at the port of 6800. Please check your connection string server and confirm that the server is configured. *

    I re - run the Setup and configuration without result. Is there a configuration file that I have to update somewhere?

    This essentially means that the HSS register always points to the old name of the server for the RA_FRAMEWORK component. You will need to check through the report of registry if there several instance of the RA registered (one with the old server) framework and the other with the new server. If Yes, you can remove the old a registry through the epmsys_registry command line tool and reconfigure with the new server.

    If you need help with the same, if it please raise a SR with Oracle support and should be able to guide you through.

  • Can I use an ACS as RADIUS and GANYMEDE to the same ASA Server?

    I want to GANYMEDE to make the accounting of the SAA, meanwhile, the ASA need RADIUS for authentication ssl vpn. Is it possible to reach this object with only a CSA?

    Yes, you can use both. Allows you to add ASA as radius and Ganymede.

    ACS-->---> aaa-client network configuration

    (1) ASA--->> authentic using Ganymede

    (2) ASA1--->> optout by radius

    Don't forget the host name cannot be the same.

    Kind regards

    ~ JG

    Note the useful messages

  • Urgent - Custom authentication and authorization for the application of the ADF

    Hi friends,

    Custom implementation for authentication and authorization for the application of the ADF

    My project to use the OID , authentication and authorization, we will need to support both OAM and DB tables ( according to the preferences of the client during the installation ).

    I am new to this and do not have a clue about the same.

    Please guide me how to set up both in JDeveloper 11 g + ADF

    Thanks in advance.

    The answers you got up to present every point in the right direction. ADF security see the authentication of WLS, even for business authorization with respect to user roles defined on the WLS server. During the deployment, ADF security defined application roles are mapped to the user enterprise groups

    Application developed using Jdeveloper ADF +.

    This would use WLS for authentication

    Users of authentication - LDAP (OID) - are stored in LDAP

    Use the OID authentication provider in WLS

    Authorization - OAM or database (authorization details are stored in the DB or OAM tables)

    You can't allow users without authentication. If you need create authentication providers additional if they exist for OAM and RDBMS (there is a supplier of existing RDBMA, that you can use to identify users and to assign membership user groups). Then, you set the optional flag so that when authentication fails for additional providers you can always start the application.

    When running Admin users - create users from roles to create and assign permission privileges to the role (for pages and workflows)
    assign (or remove) the roles to/to leave users.

    ADF security uses JAAS to permissions that you can change using Enterprise Manager when running. Permissions are granted to the application roles and application roles are granted to business roles that which then has users become members of the. If you want to change the status of user account, then you don't do this the ADF or EM, but use a direct access to the provider of the user (for example, access OID, RDBMS access etc.) There is no unified administration API available that would allow you to do this via WLS (which uses OPSS).

    If your question is in the context of the ADF, the documentation, with that you should follow is OPSS and WLS authentication providers.


  • Update for Windows XP (KB2718704) and Microsoft SQL Server 2005 Express Edition Service Pack 4 (KB2463332) will be without installation

    ORIGINAL TITLE: updates XP

    Update for Windows XP (KB2718704) and Microsoft SQL Server 2005 Express Edition Service Pack 4 (KB2463332) will BE WITHOUT INSTALLATION

    Please answer each of the following [admittedly tedious] diagnostic questions in a numbered list type in your very next answer (no need to quote this post):

    1. What is the full name of your application or the installed antivirus security suite and when (date about) is your subscription current expires?  What (other than Defender) anti-spyware applications are installed?  What third-party firewall (if applicable)?

    2 a Norton or McAfee application ALREADY installed on the computer?

    3. do you have a free trial Norton or a test of free McAfee [CHOOSE ONE ANSWER] come preinstalled on the computer when you bought it? (No matter if you have never used or activated).

    4. open Add/Remove Programs and make sure that Show updates at the top is checked (and leave it checked); then select the name in the box sort by on the right. Now do scroll down & tell me if ALL the other updates following up-to-date are listed?

    (a) KB2676562,262, KB2686509 & KB2695962KB2659;

    (b) KB2675157, KB2653956 & KB2621440;

    (c) KB2661637, KB2598479, KB2631813 & KB2585542;

    (d) KB2633171, KB2393802 and especially KB971029

    Most will appear as Windows XP security update , followed by the number in brackets.

    If IE8 is installed, two 2 will appear as a security for Windows Internet Explorer 8 update , followed by the number in brackets.

    5. is Firefox, Chrome or any other alternative browser installed?

    6. what version of Java is installed?  TEST HERE in USING IE (only!)-online

    7. are you familiar with "Registry cleaners" (e.g., Registry Mechanic;) System Mechanic; RegCure; RegClean Pro. Advanced SystemCare. Registry Booster; McAfee QuickClean. AVG PC TuneUp. Norton Registry Cleaner; PCTools optimizer; SpeedUpMyPC; Advanced System Optimizer. TuneUp Utilities; WinMaximizer; WinSweeper; CCleaner)?

    8 have you ever had the opportunity to do a repair install or clean install of Windows XP for some reason any?

    Note: KB2463332 is a update optional, not security. Feel free to hide it.

  • Installation of Hyperion for all foundation and weblogic admin server on Linux and HFM on the window


    We have planned the implementation of several node, where a server under Linux OS has foundation, OSH and weblogic domain.  Server B on window has HFM.  We know now that we can have single domain web-logic since HFM has no binary for Linux (and we must at least HFM web - app to install if we want common weblogic domain).  In this case, what is the common practice.  Should we local domain web-logic on the server HFM window?  Is there a better way?

    Thank you.

    My understanding is that you need one,

    #Separate Weblogic domain for the components installed on the Linux box (Foundation)

    #Separate Weblogic domain for the HFM components installed on the Windows machine

    Such as Weblogic in Linux can't talk to the components installed on the Windows machine.

    Kind regards

    Deker P.

  • Where to increase Java Heap for Admin settings and the managed server.

    Hello Experts

    I have issues with the JVM arguments of memory expansion for the Admin and managed servers. I tried in some places to increase the arguments of memory (Xms and Xmx 1024 m) but is not effective. When I start the Server Admin Server and managed, I don't see the segment increased memory settings. Here's what I see-

    "From WLS line: / oracle/app/bi/Oracle_BI1/jdk/java - Server - Xms256m-Xmx512m - XX: MaxPermSize = 512 m.

    I have the following arguments of memory in the located in < DOMAIN_HOME > / bin

    XMS_SUN_64BIT = "2048".

    export XMS_SUN_64BIT

    XMX_SUN_64BIT = "2048".

    export XMX_SUN_64BIT

    It looks that it did not work, so I added an entry in the file in the hope to increase the memory of Java, but that does not work either. Here is the file.


    Really, try to understand where and how the JVM settings are controlled from. Please guide me.

    Enjoy your time.


    Under the you will also find the tag server administrator to increase settings in jvm in there too. Depending on your version of the seller and little Java (Sun, Oracle, IBM, HP and vs 32 - bit 64-bit) so change accordingly

    for example:

    If the server group is not Olivier then we can assume that it is the server administrator

    If ["${JAVA_VENDOR}" = "Sun"]; then

    # - UseSSE42Intrinsics required for the server running EM

    If ["${JAVA_USE_64BIT}" = "true"]; then

    # Server Admin memory for 64-bit Sun JVM args

    SERVER_MEM_ARGS = ""-Xms256m - Xmx1024m - XX: MaxPermSize = 512 m - XX:-UseSSE42Intrinsics ""

    export SERVER_MEM_ARGS

    Similarly, in, you will find the args as below:

    XMX_SUN_64BIT = '512 '.

    export XMX_SUN_64BIT

    XMS_SUN_64BIT = "256".

    export XMS_SUN_64BIT

    If ["${JAVA_VENDOR}" = "Sun"]; then

    WLS_MEM_ARGS_64BIT = "- Xms256m - Xmx512m".

    export WLS_MEM_ARGS_64BIT

    WLS_MEM_ARGS_32BIT = "- Xms256m - Xmx512m".

    export WLS_MEM_ARGS_32BIT

    After setting their just executer./ et./ and then try to start the admin and managed servers and see the processes running with the updated values.

  • packages and custom DB for authentication and authorization tables

    I would like to build custom for my APEX 4.1 application authentication.
    I need only a few basic actions and features.
    My idea:
    on these tables the tables USER, ROLES, the USER_ROLES and some package of action and pages (create user, grant the role, authenticate, change password, activate/deactivate the account etc...)

    Before starting to write this litle "authentication framework", that I would like to ask you if you know existing solutions.

    I would use some existing framework, checked the solution and save time :-)

    Thanks for some tips...

    No. I have not found an existing solution. I have developed my own simple solution for authentication and authorization.

    I recommend you do the same thing.

  • How to plan the windows Server 2008 for stopping and waking up

    Hello everyone

    I want t set hours that turn on and off the machine during business hours (09:00 to 17:00)

    Could you please let me know how can I do this with windows scheduled task?


    This issue is beyond the scope of this site (for consumers) and to be sure, you get the best (and fastest) reply, we have to ask either on Technet (for IT Pro) or MSDN (for developers)
  • Nexus, authorization to order with GANYMEDE.


    Can anyone provide an example of configuration to use Cisco Secure ACS 4.2 to enable permission to order with GANYMEDE.

    Thank you.

    Kind regards.


    Hello Andrea,

    We moved to GBA 5.3 now - but we had our 5520 Nexus running against our old 4.2 ACS before this - so I chose the relevant bits of the config below:

    username admin password network-admin role; user local administrator

    feature Ganymede +; turn on Ganymede

    radius-server host key; set the key for RADIUS server
    AAA server Ganymede group + Ganymede; create the group called "Ganymede".
    Server; set the IP address of the RADIUS server
    the vrf use management; tell him to use the default 'management' vrf to send queries for Ganymede
    source-interface mgmt0;... .and send mgmt interface

    AAA authentication login default group Ganymede; Use Ganymede for auth login
    AAA authentication login console Group Ganymede; Use Ganymede for auth login console
    AAA authorization config-commands by default local group Ganymede; use Ganymede for permission to config command
    AAA authorization by default Ganymede local group orders; use Ganymede for normal control authorization
    Default accounting AAA group Ganymede; Send documents to Ganymede

    I hope that works for you!

    (This may change a bit, when you move to ACS 5.x - that we chose not to do complex auth command (using only shell profiles) to remedy this you go back as a nexus for the 5 k - and it makes the command auth (operator network vs network-admin) based on the one - if you just do not configure authorization to order aaa on the 5 k)


  • WLC with ACS 5.1 (RADIUS) for management * AND * Network users


    I have authentication RADIUS of installation for the users of the network AND management on my NM - WLC (5.2 ongoing execution) against ACS 5.1

    My Question is:-

    For users to log in to Admin, I need to come back "Service-Type = Administrative - User" in order to make it work.

    Because the ACS sees all applications from the same device (WLC) for Admin and network users,

    the way I am currently treats it is by creating a filter based on the user name

    Thus, users that contain 'admin' in their ID, use a set of

    Network access policy authorization, who has an authorization associated with the attributes RADIUS profile.

    Normal users have a ' network access policy authorization different rule ", with a different profile.

    While this DOES WORK fine, still me I was wondering if there is a better way to do it, rather than create a rule

    based on the user name.

    I could use GANYMEDE + for the management, but I don't think that ACS allows the same client AAA (WLC) to use both protocols.

    Thank you

    I think it's something very common for things to do

    You may notice that ACS 5 comes preinstalled with a selection policy of service that differentiates them the Protocol-based queries and orders or service 'Access to the network by default' or "Default Device Admin" out of the box

    If you want only to RAY can either disable or delete the rule for applications of GANYMEDE + or not choose GANYMEDE + in the definitions of the unit

Maybe you are looking for