TACACS+ authorization - show arp

I'm not a network administrator, but I manage a number of devices that have the ability to manipulate traffic. There are times when these devices fail and the ARP cache and CAM tables on our Cisco equipment have to be updated. Because of this, I need the ability to verify the accuracy of these tables.

Our Cisco team uses TACACS+ to manage access to our networking equipment. I asked to be able to simply run the "show arp" and "show cam" commands on a handful of devices, but have been informed that this is not possible because "show arp" is a privileged EXEC command.

Unfortunately, I'm not in a position to confirm or deny this, since I'm not familiar with Cisco or TACACS+ device management. I was hoping someone in this forum could:

(a) confirm that it is possible to allow individual commands without allowing all the others

(b) give some details on what to do in TACACS+ to facilitate this.

All I need is to run these two commands - I don't need anything else. I suspect that our TACACS+ management team simply do not know how, or do not want, to implement this authorization. Your help with a push would be appreciated.

Thank you.

"All I need is to run these two commands - I don't need anything else. I suspect that our TACACS+ management team simply do not know how, or do not want, to implement this authorization. Your help with a push would be appreciated."

It's a very simple setup. All they need is an authorization configuration like the following (tac_plus syntax):

    user = test {
        member = limited
        login = des xxxxxxx        # password, redacted in the post
        name = "Scott Paul"
    }

    group = limited {
        # anything not explicitly listed below is denied
        default service = deny
        # "show" is the command; the regexes are matched against its arguments
        cmd = show {
            permit "arp.*"
            permit "cam.*"
            deny .*
        }
    }

With that, your TACACS+ account may only run "show arp ..." and "show cam ..." commands and nothing else.

Easy, right?
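Before pushing a group like the one above to a TACACS+ team, it is worth checking what it really lets through. The following is an added example, not code from the original post or from the tac_plus project: a small Python emulation of how tac_plus evaluates a `cmd = show { permit ... deny ... }` block. It assumes the behaviour described in the tac_plus users_guide as I understand it (verify against your daemon): the NAS sends the first word of the typed line as `cmd` and every remaining word, including any `| include ...` filter, as a `cmd-arg`; IOS appends a literal `<cr>` argument; the daemon joins the arguments with spaces and tests each permit/deny regex in order with an unanchored search, first match wins; a command with no `cmd` block at all falls back to `default service`. `nas_request()`, `authorize()`, `check()` and the two group objects are my own names. The second group shows the same intent with anchored regexes, which is what closes the gap the posted version leaves open.

```python
"""tac_plus-style per-command authorization, emulated offline (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class CmdRule:
    action: str    # "permit" or "deny"
    pattern: str   # regex tested against the joined cmd-arg string


@dataclass
class Group:
    default_permit: bool                      # `default service = permit` / `deny`
    cmds: dict = field(default_factory=dict)  # command word -> ordered list of CmdRule


def nas_request(line: str) -> tuple[str, list[str]]:
    """Split a typed CLI line the way the NAS reports it to the daemon:
    the first word is `cmd`, every remaining word (pipe filters included)
    is a `cmd-arg`, and IOS appends a literal '<cr>' argument to mark the
    end of the line (assumption; confirm with `debug tacacs`)."""
    words = line.split()
    return words[0], words[1:] + ["<cr>"]


def authorize(group: Group, cmd: str, args: list[str]) -> bool:
    """tac_plus-style decision for one command authorization request."""
    rules = group.cmds.get(cmd)
    if rules is None:
        # No `cmd = <name> { ... }` block: the group's default service applies.
        return group.default_permit
    arg_str = " ".join(args)
    for rule in rules:
        # re.search, not re.fullmatch: tac_plus regexes are unanchored, so
        # "arp.*" matches "arp" anywhere in the argument string.
        if re.search(rule.pattern, arg_str):
            return rule.action == "permit"
    return False  # no rule matched; the posted block ends in `deny .*` anyway


def check(group: Group, line: str) -> bool:
    """Convenience wrapper: authorize one typed CLI line against a group."""
    cmd, args = nas_request(line)
    return authorize(group, cmd, args)


# The `limited` group exactly as posted in the answer above.
LIMITED = Group(
    default_permit=False,
    cmds={"show": [CmdRule("permit", "arp.*"),
                   CmdRule("permit", "cam.*"),
                   CmdRule("deny", ".*")]},
)

# Same intent with the permits anchored to the first argument; in a
# tac_plus config this reads  permit "^arp( |$)"  and  permit "^cam( |$)".
LIMITED_ANCHORED = Group(
    default_permit=False,
    cmds={"show": [CmdRule("permit", r"^arp( |$)"),
                   CmdRule("permit", r"^cam( |$)"),
                   CmdRule("deny", ".*")]},
)

if __name__ == "__main__":
    for line in ("show arp", "show cam dynamic", "show ip arp",
                 "show running-config", "show running-config | include arp",
                 "configure terminal"):
        print(f"{line:36} posted={check(LIMITED, line)!s:5} "
              f"anchored={check(LIMITED_ANCHORED, line)}")
```

The line to look at is `show running-config | include arp`: the posted group permits it, because the unanchored `arp.*` matches the word `arp` inside the filter text, so the "two commands only" account can read the whole running configuration one grep at a time. The anchored variant denies it while still allowing `show arp | include 10.1.5`. Two things on the switch side also decide whether the daemon ever sees the request: `show arp` and `show cam` are privilege-1 commands, so the switch only asks the server about them if `aaa authorization commands 1 default group tacacs+` is configured (the "Problem with shell command authorization" thread below runs into exactly this), and with `default service = deny` tac_plus also denies the exec service unless the group carries an explicit `service = exec { ... }` entry, which matters on switches that run `aaa authorization exec` (check this against your daemon's documentation).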

Tags: Cisco Security

Similar Questions

  • Specific shell command authorization - ACS / TACACS+ on 2900XL

    Hello all-

    I have been struggling with a particular issue here. I am running ACS 3.2 and am trying to implement secure access to my switch. I have 'students' at my university that I want to let run specific functions, i.e. change the port VLAN, write memory, etc.

    I have successfully created the authorization piece, and my test account can log in. I have also successfully assigned a privilege level of 7, which gives me a base set of default rights. Accounting also works, showing me the logins and commands as they come in.

    What I want to do is use ACS to allow a particular group of commands, so I can change them if needed in one place (ACS) and not touch 400+ devices. ACS says it can be done, but it doesn't seem to work. I created a Shell command set and specified the commands, no luck. Even if I change the 'unmatched commands' toggle to 'permit' (which should allow all commands, right?) it still does not allow all commands. I added the Shell command set to the group of which the students are members...

    My AAA commands are as follows:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 7 default group tacacs+
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 7 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+

    Any ideas? Any thoughts?

    Thank you!

    Michael

    QU.edu

    Michael,

    You are performing command authorization only for commands that exist at privilege level 7. By default, configuration commands have privilege level 15. There are two ways you can go about solving this. The first would be to set up command authorization for level 15. The second would be to change the privilege level of the commands that you want your students to be able to run from level 15 to level 7. This can be done with the privilege command. Here is a link that shows the use of this technique locally within the device: http://www.Cisco.com/warp/public/480/Priv.html

    I don't know if ACS can push the configuration to the device on a per-user basis, so the first option may be your best bet. Be sure to allow access to all commands for yourself.

    Steve

  • TACACS+ authorization

    I can't get aaa authorization working using Win2k TACACS+. I have the following commands on my router:

    aaa new-model
    aaa group server tacacs+ ciscosecure
    aaa authorization config-commands
    aaa authorization exec ciscosecure group tacacs+
    aaa authorization network ciscosecure group tacacs+

    Authentication is fine; I can even control time-of-day login. Only authorization is the issue. I need to define groups for users to belong to.

    Thank you

    Francis

    Hello Francois,

    You must add the following line(s) for authorization on the router:

    aaa authorization commands 0 default group tacacs+
    aaa authorization commands 1 default group tacacs+
    aaa authorization commands 15 default group tacacs+

    Thank you

    Renault

  • TACACS+ authorization failure on ASR1001

    Hello

    I use the command structure below, identical to all our other routers. However, when I try to type commands it says "Authorization failed". The only difference between this router and our others is that it is a Cisco ASR1001. Is there some special system requirement for this router that I'm missing?

    aaa authentication login default group TACACS-SERVERS local
    aaa authorization exec default group TACACS-SERVERS local
    aaa authorization commands 1 default group TACACS-SERVERS local
    aaa authorization commands 15 default group TACACS-SERVERS local
    aaa accounting exec default start-stop group TACACS-SERVERS
    aaa accounting commands 1 default start-stop group TACACS-SERVERS
    aaa accounting commands 15 default start-stop group TACACS-SERVERS
    aaa accounting connection default start-stop group TACACS-SERVERS
    aaa accounting system default start-stop group TACACS-SERVERS

    When you log in to the router, do you authenticate with your TACACS+ credentials or with the local credentials? I'm guessing it's the local credentials and that the router is not authenticating or authorizing with the TACACS+ server. If that is correct, you should investigate and find the cause of the failure to use TACACS+.

    I also suggest a change that may be useful. Change this line:

    aaa authorization commands 15 default group TACACS-SERVERS local

    to

    aaa authorization commands 15 default group TACACS-SERVERS if-authenticated

    HTH

    Rick

  • TACACS+ authentication/authorization based on the user's subnet

    Hi guys/girls

    We have a number of production devices which are configured with Cisco TACACS+ and they all work very well. But now I have a requirement to implement SSH version 2 across the network, which consists of about 8000 Cisco devices.

    I need to develop a proof of concept (POC) showing that enabling SSH on production devices will not affect existing TACACS+ user authentication and authorization.

    Our lab Cisco devices are already configured with the production TACACS+ server for authentication and authorization. Now, I am allowed to test SSH on these lab devices, but without disrupting other users who use the same lab devices.

    So, I want to enable SSH version 2 on these lab devices; however, when a user comes from a certain specific subnet, this user must be authenticated and authorized by the LAB TACACS+, not the production TACACS+. Please note that the lab devices I'm testing with are also already configured for the production TACACS+ server. These lab devices must be able to do authentication and authorization against two different TACACS+ servers based on the subnet the user is coming from.

    Is this plan feasible? I have been looking for documentation to implement and test this method, without success.

    Your comments will be appreciated and rated.

    Thank you

    Rizwan James

    Adely,

    It won't work. TACACS+ authentication begins once the SSH connection is established: the NAS (router or switch) opens a TACACS+ connection and sends the START packet to the TACACS+ server, after which the 'getusername' message is sent from the TACACS+ server to the device and on to the user's terminal. You cannot create an ACL to choose which TACACS+ servers you authenticate against either. Authenticating users from a specific subnet against a specific TACACS+ server is not the design of TACACS+; when you configure multiple servers in a group it is to ensure high availability, so that when one TACACS+ server goes down you have a secondary one to continue with authentication requests.

    Here is an example of how TACACS+ authentication is performed:

    http://www.Cisco.com/en/us/Tech/tk59/technologies_tech_note09186a0080094e99.shtml#comp_traffic

    Thank you and I hope this helps.

    Tarik Admani
    *Please rate helpful posts*

  • Problem with shell command authorization

    I came across this issue with ACS 3.1 and ACS 3.2.

    A shell command authorization set is created under Shared Profile Components with the following:

    Unmatched commands: deny

    Permit unmatched args: UNCHECKED

    The authorized command is 'show' with the args "permit ver", "permit interface" and "permit run".

    This authorization set is then applied to the group, under the option "Assign a Shell command authorization set for any network device".

    For this group the option is set to 'Max privilege for any AAA client: level 15'.

    This configuration is then tested against two IOS switches, with the aaa commands as follows:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local

    The problem I have is that when a user who is part of this group connects, they can issue commands such as show ver, show run and show int just as I would expect. Any command that does not begin with show... is denied. However, some other show commands that do not appear in the args work, while others don't. For example, "show arp" and "show vlan" worked, while "show accounting" and "show buffers" did not. What am I missing?

    The commands that work without being explicitly set are of a privilege level lower than 15... for example, "show arp" is a priv-1 command, so it is executable without command authorization, as you do not do command authorization for priv-1:

    Router>sh priv
    Current privilege level is 1
    Router>
    Router>show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.1.5.2                24  0000.abcd.abcd  ARPA   Ethernet0/0
    Internet  10.1.5.3                 -  0003.abcd.abcd  ARPA   Ethernet0/0
    Router>

    Router >

  • Static ARP entry telnet command - techies check pls!

    Hello seniors,

    What telnet command do I TYPE to bind an IP to a MAC address (aka a static ARP entry) on most Linksys routers? I don't have a GUI for it in the firmware, so telnet is my hope.

    I am keeping the question straightforward in the hope that the history isn't needed and the thread doesn't go astray.

    I'm at my telnet # prompt on 192.168.1.1, I just need the usual command syntax.

    Thank you.

    Linksys X3500:

    arp add 192.168.1.xxx aabbccddeeff
    arp delete 192.168.1.xxx
    show arp

  • Dell PowerConnect 6024F: get MAC by IP with arp, and the paging prompt

    Hello Dell community.

    I have a little question, and am hoping to find some answers here ;) I'm writing a small script, and in this script I need to get the MAC address linked to an IP address via the ARP command. I am using telnet to connect to the Dell. But the show arp command displays a lot of information, a huge list of IPs. I tried to parse it, handling the paging prompt and key presses etc., but it's a very slow procedure.

    Two main questions:

    1. how to get the MAC address linked to an IP with the ARP command

    2. how to get rid of the paging prompt, i.e. show the CLI output without it

    Thanks in advance for any answers.

    P. S.

    ===========================

    Switch: Dell PowerConnect 6024F

    # show ver
    SW version 2.0.0.19 (date 05-May-2008 time 16:33:30)
    Boot version 1.0.0.13 (date 13-Aug-2003 time 15:28:31)
    HW version 00.01.64
    #

    show arp ?    -> shows only:
    show arp

    terminal ?    -> shows only:
    terminal history

    There might be an OID you can poll for this info. All the OIDs are in the MIB that is included in the download for the firmware.

    www.dell.com/.../DriversDetails

    If you do not find one in the MIB, you might try an SNMP walk on the switch to see if you can identify an OID that will provide you with this info.

  • PowerConnect 5524 ARP cache size

    Does anyone know the ARP cache size of the PowerConnect 5524? I used the command "show arp" on a PowerConnect 6248 switch and got the information: cache size is 1024. I can't get that information from the PowerConnect 5524. Thank you.

    Core-6248#show arp
    Age time (seconds)..................................... 1200
    Response time (seconds)................................ 1
    Retries................................................ 4
    Cache size............................................. 1024
    Dynamic renew mode..................................... Disable
    Total entry count / Peak............................... 796 / 820
    Static entry configured count / Active / Max........... 0 / 0 / 64

    5524-3F#show arp
    VLAN     Interface   IP address    HW address   Status
    vlan 1   gi1/0/11    10.xx.xx.xx   xx           dynamic

    Hello

    The size of the ARP cache is 1024, identical to the 6200 series.

  • aaa authentication enable default group tacacs+ enable

    I am implementing CSACS 4.0. First of all, on the client I will apply aaa authentication/authorization under the vty lines. The issue is, if I use the following command

    aaa authentication enable default group tacacs+ enable

    what happens if I connect via the console? Do I need to enter a username and password?

    Here is my configuration:

    aaa new-model
    aaa authentication login authvty group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization commands 15 authvty group tacacs+ local
    tacacs-server host IP
    tacacs-server key
    ip tacacs source-interface Vlan3
    aaa accounting send stop-record authentication failure
    aaa accounting delay-start
    aaa accounting exec authvty start-stop group tacacs+
    aaa accounting commands 15 authvty start-stop group tacacs+
    aaa accounting connection authvty start-stop group tacacs+
    line vty 0 15
     login authentication authvty
     authorization commands 15 authvty
     accounting connection authvty
     accounting commands 15 authvty
     accounting exec authvty

    Any suggestion will be appreciated!

    It should work, because it is a prompt/banner message shown whenever you try to log in (console or vty). I set it up on my router.

    If you have a banner motd, it will appear as well (see below). So I have to remove it to get only the aaa banner and prompts displayed:

    ************************************************************
    * Username: cisco, password: cisco (priv 15 - local)       *
    ************************************************************

    Unauthorized use is prohibited.

    Enter your name here: User1

    Now enter your password:

    Router#

    The configuration more or less looks like this:

    aaa new-model
    aaa authentication banner ^CUnauthorized use is prohibited.^C
    aaa authentication password-prompt "Now enter your password:"
    aaa authentication username-prompt "Enter your name here:"
    aaa authentication login default group radius
    aaa authentication login CONSOLE local

    HTH

    AK

  • TACACS+ console question

    Hello

    I have just put TACACS+ on some IOS devices; I'm only using a default group that is configured to provide level 15 privileges. As I use the same default group on the vty and the console, I would expect access by the two methods to be the same, but when I telnet in I get level 15 directly at the # prompt, whereas when I console in I always get prompted for the enable secret.

    All ideas

    Concerning

    Chris Ayres

    Chris

    You have found a behavior that Cisco has had for a long time (and probably for good reason). TACACS+ authentication/authorization that puts someone directly into privileged mode works on the vty by default and does not work on the console.

    The reasoning is that if you make a mistake in the configuration of authentication/authorization (very easy to do - especially if your understanding of what you are doing is a little weak), it would be easy to lock yourself out of the device. By default it works on the vty and does not work on the console (providing a way to recover from problems). There is a hidden command that allows you to also have it working on the console (be very careful that your config works correctly before you activate it on the console).

    If you want it, try this:

    aaa authorization console

    HTH

    Rick

  • When no TACACS+ available -> login with enable password

    Hello

    When I try to telnet to my switch and the TACACS+ server is not available, I get an "authorization failed" message after typing the enable password :-(

    Here is some info:

    switch config:

    --------------

    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication login vtyauth group tacacs+ enable
    aaa authentication enable default enable
    aaa authorization exec default group tacacs+
    enable secret xxxxxxxx
    !
    tacacs-server host ACS_SERVER_IP
    tacacs-server key xxxxxxxx
    !
    line vty 0 4
     password 7 xxxxxxxx
     login authentication vtyauth

    debug aaa authentication:

    -------------------------

    1w0d: AAA: parse name=tty2 idb type=-1 tty=-1
    1w0d: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
    1w0d: AAA/MEMORY: create_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1
    1w0d: AAA/AUTHEN/START (3157593126): port='tty2' list='vtyauth' action=LOGIN service=LOGIN
    1w0d: AAA/AUTHEN/START (3157593126): found list vtyauth
    1w0d: AAA/AUTHEN/START (3157593126): Method=tacacs+ (tacacs+)
    1w0d: TAC+: send AUTHEN/START packet ver=192 id=3157593126
    1w0d: AAA/AUTHEN (3157593126): status = ERROR
    1w0d: AAA/AUTHEN/START (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): continue_login (user='(undef)')
    1w0d: AAA/AUTHEN (3157593126): status = GETPASS
    1w0d: AAA/AUTHEN/CONT (3157593126): Method=ENABLE
    1w0d: AAA/AUTHEN (3157593126): status = PASS
    1w0d: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    1w0d: AAA/DISC/EXT: tty2: 1002/"unknown"
    1w0d: AAA/MEMORY: free_user (0x524CC4) user='' ruser='' port='tty2' rem_addr='MY_IP_ADDRESS' authen_type=ASCII service=LOGIN priv=1

    Thank you!

    I would like to clarify a few authorization options.

    Enable mode is priv 15.

    Because of the line "aaa authorization exec default group tacacs+" the router will ask ACS to check that the user has priv level 15, regardless of the fallback. Your options are:

    1. set the group of users in ACS to get a shell and specifically level 15 privileges.

    2. change your router config to "no aaa authorization exec default"; this is however less secure and not recommended.

    You can take "aaa authentication enable default enable" out of the config because you use TACACS+, because as I said, if you use TACACS+ authorization it is always going to check with ACS for this priv level 15.

    See the attachment for a view of where you enter this level. By default only the group can be configured like this, but there is a way to apply it to a user - this can be done by enabling this attribute via "Interface Configuration" and then the "TACACS+" options.

    Hope this helps, let us know the results.

  • ACS command authorization reports and conf t mode

    Hi, this is probably a quick, but I couldn't find a solution so far.

    We use command authorization through ACS and are thus able to see (in case of problems) who entered which commands at what time on which device. But it only works until someone goes into conf t mode; after that I get no more log entries in ACS (version 5). I can see all the commands and who entered configuration mode, but nothing after that. Excerpt from the configuration:

    aaa new-model
    aaa authentication attempts login 5
    aaa authentication login default group tacacs+ local line
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common

    My guess is that I'm missing something for those commands, and so no authorization is performed for them.

    Any idea?

    Thank you

    Chris

    Hello

    What are you looking at? Take a look at the TACACS+ accounting and TACACS+ authorization reports.

    Thank you

    John

  • Failed authorization

    Good day.

    I have a problem with TACACS+ authorization.

    config:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18 single-connection key 123
     ip vrf forwarding mgmt
     ip tacacs source-interface FastEthernet0/2/0
    !
    aaa authentication login default group TACACS-GDP local
    aaa authentication enable default group TACACS-GDP enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group TACACS-GDP local
    aaa authorization commands 15 default group TACACS-GDP local
    aaa authorization network default group TACACS-GDP local
    aaa accounting exec default start-stop group TACACS-GDP
    aaa accounting commands 15 default start-stop group TACACS-GDP

    Debug:

    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 16 bytes)
    TPLUS(000002FC)/0/READ: read entire 28 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status GET_PASSWORD (8)
    TPLUS(000002FC)/0/NONE: started 120 sec timeout
    TPLUS: Queuing AAA Authentication request 764 for processing
    TPLUS: processing authentication continue request id 764
    TPLUS: Authentication continue packet generated for 764
    TPLUS(000002FC)/0/NONE: timer collapsed
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 24 bytes request
    TPLUS(000002FC)/0/READ: read entire 12 header bytes (expect 6 bytes)
    TPLUS(000002FC)/0/READ: read entire 18 bytes response
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received authen response status PASS (2)
    TPLUS: Queuing AAA Authorization request 764 for processing
    TPLUS: processing authorization request id 764
    TPLUS: Protocol set to None .....Skipping
    TPLUS: Sending AV service=shell
    TPLUS: Sending AV cmd*
    TPLUS: Authorization request created for 764(ingener)
    TPLUS: using previously set server 10.0.255.18 from group TACACS-GDP
    TPLUS(000002FC)/0/IDLE/15D4A80C: got immediate connect on new 0
    TPLUS(000002FC)/0/WRITE/15D4A80C: Started 5 sec timeout
    TPLUS(000002FC)/0/WRITE: wrote entire 64 bytes request
    TPLUS: Error reading packet header, stopping single-connect
    TPLUS(000002FC)/0/15D4A80C: Processing the reply packet
    TPLUS: Received invalid client info in packet

    And another question: why are all the usernames in upper case?

    username ADMIN privilege 15 secret *

    You can try without single-connection:

    aaa group server tacacs+ TACACS-GDP
     server-private 10.0.255.18 key 123

    ~BR
    Jatin Kone

    *Please rate helpful posts*

  • ARP

    When doing "show arp" on a Cisco switch, why does the ARP table only contain information on the switch's neighbors, but not the hosts?

    Eric

    Assuming that HostA and HostB are in the same subnet:

    HostA will ARP for the MAC address of HostB, i.e. HostA broadcasts on the local subnet asking who owns this IP address (the IP address of HostB).

    HostB responds with its MAC address to HostA. The switch, if it is a pure layer 2 switch, only cares about the MAC address and the port it came in on, and it should record that in its MAC address table.

    Do you mean that you do not see the MAC address of HostB in the MAC address table?

    Keep in mind that MAC address entries get timed out of the switch's cache.

    Jon
